From 9d391c092570909a9631c514600d2588b2cd5310 Mon Sep 17 00:00:00 2001 From: Jonathan Liu Date: Sat, 3 Dec 2022 20:56:18 +1100 Subject: Add Memtest86+ to x86_64 UEFI GRUB boot menu Implements #203. --- CHANGELOG.rst | 1 + archiso/mkarchiso | 11 +++++++++++ configs/releng/grub/grub.cfg | 5 +++++ configs/releng/packages.x86_64 | 1 + 4 files changed, 18 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 0e9d737..5115cb1 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -7,6 +7,7 @@ Changelog Added ----- +- Add Memtest86+ to x86_64 UEFI GRUB boot menu. Changed ------- diff --git a/archiso/mkarchiso b/archiso/mkarchiso index caeb21e..9b917ab 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -712,6 +712,14 @@ _make_bootmode_uefi-x64.grub.esp() { mcopy -i "${efibootimg}" "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ::/shellx64.efi fi + # Add other aditional/extra files to ${install_dir}/boot/ + if [[ -e "${pacstrap_dir}/boot/memtest86+/memtest.efi" ]]; then + install -m 0644 -- "${pacstrap_dir}/boot/memtest86+/memtest.efi" "${isofs_dir}/${install_dir}/boot/memtest.efi" + install -d -m 0755 -- "${isofs_dir}/${install_dir}/boot/licenses/memtest86+/" + install -m 0644 -- "${pacstrap_dir}/usr/share/licenses/common/GPL2/license.txt" \ + "${isofs_dir}/${install_dir}/boot/licenses/memtest86+/" + fi + _msg_info "Done! GRUB set up for UEFI booting successfully." } @@ -997,6 +1005,9 @@ _validate_requirements_bootmode_uefi-x64.grub.esp() { if [[ ! " ${pkg_list[*]} " =~ ' edk2-shell ' ]]; then _msg_info "'edk2-shell' is not in the package list. The ISO will not contain a bootable UEFI shell." fi + if [[ ! " ${pkg_list[*]} " =~ ' memtest86+-efi ' ]]; then + _msg_info "Validating '${bootmode}': 'memtest86+-efi' is not in the package list. Memory testing will not be available from GRUB." + fi } _validate_requirements_bootmode_uefi-x64.grub.eltorito() { diff --git a/configs/releng/grub/grub.cfg b/configs/releng/grub/grub.cfg index 43fad0e..79ea2d2 100644 --- a/configs/releng/grub/grub.cfg +++ b/configs/releng/grub/grub.cfg @@ -46,6 +46,11 @@ menuentry "Arch Linux install medium with speakup screen reader (x86_64, UEFI)" if [ "${grub_platform}" == "efi" ]; then if [ "${grub_cpu}" == "x86_64" ]; then + menuentry "Run Memtest86+ (RAM test)" --class memtest86 --class gnu --class tool { + set gfxpayload=800x600,1024x768 + search --fs-uuid --no-floppy --set=root --label %ARCHISO_LABEL% + linux /%INSTALL_DIR%/boot/memtest.efi + } menuentry "UEFI Shell" { insmod chain search --no-floppy --set=root --label %ARCHISO_LABEL% diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64 index 02ef538..5771920 100644 --- a/configs/releng/packages.x86_64 +++ b/configs/releng/packages.x86_64 @@ -60,6 +60,7 @@ man-pages mc mdadm memtest86+ +memtest86+-efi mkinitcpio mkinitcpio-archiso mkinitcpio-nfs-utils -- cgit v1.2.3-54-g00ecf From 4ee6fdc1eab278485e13590c47c33db27de4efe5 Mon Sep 17 00:00:00 2001 From: nl6720 Date: Tue, 6 Dec 2022 12:27:35 +0200 Subject: mkarchiso: disable shellcheck warning when searching an array The warning about SC2076 does not apply here. --- archiso/mkarchiso | 1 + 1 file changed, 1 insertion(+) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 9b917ab..30c1e06 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1005,6 +1005,7 @@ _validate_requirements_bootmode_uefi-x64.grub.esp() { if [[ ! " ${pkg_list[*]} " =~ ' edk2-shell ' ]]; then _msg_info "'edk2-shell' is not in the package list. The ISO will not contain a bootable UEFI shell." fi + # shellcheck disable=SC2076 if [[ ! " ${pkg_list[*]} " =~ ' memtest86+-efi ' ]]; then _msg_info "Validating '${bootmode}': 'memtest86+-efi' is not in the package list. Memory testing will not be available from GRUB." fi -- cgit v1.2.3-54-g00ecf From d31f38843ac0cb803561b0dbe976a3189ac0191c Mon Sep 17 00:00:00 2001 From: nl6720 Date: Sat, 26 Nov 2022 21:35:38 +0200 Subject: mkarchiso: do not try to use an non existent GPG public key file The `bootstrap` build mode never calls `_export_gpg_publickey`, so even if the GPG key is passed with the `-g` option and thus the `gpg_key` variable is set, the `${work_dir}/pubkey.gpg` file will not exist. This has not caused any issue so far because the `ARCHISO_GNUPG_FD` file descriptor opens the file for both reading and writing, which means the file gets created if it does not exist. Assign the exported public key file name to a `gpg_publickey` variable in `_export_gpg_publickey` and check for it when the file is used. Since the exist status of the gpg command cannot be checked, look for the exported public key file instead. --- CHANGELOG.rst | 2 ++ archiso/mkarchiso | 12 +++++++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5115cb1..982c722 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -12,6 +12,8 @@ Added Changed ------- +- Check if the GPG public key file was successfully placed in the work directory before trying to use it. + Removed ------- diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 30c1e06..9000044 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -335,8 +335,8 @@ _make_custom_airootfs() { _make_packages() { _msg_info "Installing packages to '${pacstrap_dir}/'..." - if [[ -n "${gpg_key}" ]]; then - exec {ARCHISO_GNUPG_FD}<>"${work_dir}/pubkey.gpg" + if [[ -v gpg_publickey ]]; then + exec {ARCHISO_GNUPG_FD}<>"$gpg_publickey" export ARCHISO_GNUPG_FD fi if [[ -v cert_list[0] ]]; then @@ -364,7 +364,7 @@ _make_packages() { exec {ARCHISO_TLSCA_FD}<&- unset ARCHISO_TLSCA_FD fi - if [[ -n "${gpg_key}" ]]; then + if [[ -v gpg_publickey ]]; then exec {ARCHISO_GNUPG_FD}<&- unset ARCHISO_GNUPG_FD fi @@ -1614,8 +1614,10 @@ _set_overrides() { } _export_gpg_publickey() { - rm -f -- "${work_dir}/pubkey.gpg" - gpg --batch --no-armor --output "${work_dir}/pubkey.gpg" --export "${gpg_key}" + gpg_publickey="${work_dir}/pubkey.gpg" + rm -f -- "$gpg_publickey" + gpg --batch --no-armor --output "$gpg_publickey" --export "${gpg_key}" + [[ -s "$gpg_publickey" ]] || return } _make_version() { -- cgit v1.2.3-54-g00ecf From 2c3420204e25c31b6768f8e30ade348db757b722 Mon Sep 17 00:00:00 2001 From: nl6720 Date: Sat, 26 Nov 2022 20:00:40 +0200 Subject: mkarchiso: open the ARCHISO_GNUPG_FD, ARCHISO_TLS_FD and ARCHISO_TLSCA_FD file descriptors only for reading Nothing should ever be written to these files, so let's make sure it cannot happen. --- CHANGELOG.rst | 2 ++ archiso/mkarchiso | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 982c722..4fa88db 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -13,6 +13,8 @@ Changed ------- - Check if the GPG public key file was successfully placed in the work directory before trying to use it. +- Open the file descriptors for code signing certificates and GPG public key as read only. Nothing from the within the + ``pacstrap`` invoked chroot should ever be allowed to write outside of it. Removed ------- diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 9000044..7a3fd1c 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -336,15 +336,15 @@ _make_packages() { _msg_info "Installing packages to '${pacstrap_dir}/'..." if [[ -v gpg_publickey ]]; then - exec {ARCHISO_GNUPG_FD}<>"$gpg_publickey" + exec {ARCHISO_GNUPG_FD}<"$gpg_publickey" export ARCHISO_GNUPG_FD fi if [[ -v cert_list[0] ]]; then - exec {ARCHISO_TLS_FD}<>"${cert_list[0]}" + exec {ARCHISO_TLS_FD}<"${cert_list[0]}" export ARCHISO_TLS_FD fi if [[ -v cert_list[2] ]]; then - exec {ARCHISO_TLSCA_FD}<>"${cert_list[2]}" + exec {ARCHISO_TLSCA_FD}<"${cert_list[2]}" export ARCHISO_TLSCA_FD fi -- cgit v1.2.3-54-g00ecf From 2da65f64adfbce72671cdd7e482b55f1f83d135d Mon Sep 17 00:00:00 2001 From: nl6720 Date: Sat, 26 Nov 2022 21:18:15 +0200 Subject: mkarchiso: check if the code signing files specified with option -c exist Look for the files in `*_validate_options` and error out early if they do not exist. --- CHANGELOG.rst | 1 + archiso/mkarchiso | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4fa88db..400628a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -15,6 +15,7 @@ Changed - Check if the GPG public key file was successfully placed in the work directory before trying to use it. - Open the file descriptors for code signing certificates and GPG public key as read only. Nothing from the within the ``pacstrap`` invoked chroot should ever be allowed to write outside of it. +- Error out early if any of the code signing certificate files passed with option ``-c`` do not exist. Removed ------- diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 7a3fd1c..8449f51 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1522,7 +1522,7 @@ _read_profile() { # Validate set options _validate_options() { - local validation_error=0 _buildmode + local validation_error=0 _buildmode certfile _msg_info "Validating options..." @@ -1532,6 +1532,14 @@ _validate_options() { _msg_error "File '${pacman_conf}' does not exist." 0 fi + # Check if the code signing certificate files exist + for certfile in "${cert_list[@]}"; do + if [[ ! -e "$certfile" ]]; then + (( validation_error=validation_error+1 )) + _msg_error "Code signing certificate '${certfile}' does not exist." 0 + fi + done + # Check if the specified buildmodes are supported for _buildmode in "${buildmodes[@]}"; do if typeset -f "_build_buildmode_${_buildmode}" &> /dev/null; then -- cgit v1.2.3-54-g00ecf From dedfe0364cd665a12bb7a4d6fdb3b978d02026ab Mon Sep 17 00:00:00 2001 From: nl6720 Date: Wed, 7 Dec 2022 08:46:59 +0200 Subject: configs/releng/syslinux/archiso_pxe-linux.cfg: replace checksum and verify with cms_verify=y Specify `cms_verify=y` in SYSLINUX/PXELINUX configuration to use OpenSSL CMS based method for verifying the root file system image against the code signing certificates in the initramfs. `checksum` and `verify` are removed since they essentially serve the same purpose and performing all the checks just needlessly delays boot. Additionally, the removal of `verify` allows to build the ISO without gpg, i.e. without using `mkarchiso`'s `-g` and `-G` options. Fixes #200 --- configs/releng/syslinux/archiso_pxe-linux.cfg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configs/releng/syslinux/archiso_pxe-linux.cfg b/configs/releng/syslinux/archiso_pxe-linux.cfg index d812402..0eb1705 100644 --- a/configs/releng/syslinux/archiso_pxe-linux.cfg +++ b/configs/releng/syslinux/archiso_pxe-linux.cfg @@ -6,7 +6,7 @@ ENDTEXT MENU LABEL Arch Linux install medium (x86_64, NBD) LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% archiso_nbd_srv=${pxeserver} checksum verify +APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% archiso_nbd_srv=${pxeserver} cms_verify=y SYSAPPEND 3 LABEL arch64_nfs @@ -17,7 +17,7 @@ ENDTEXT MENU LABEL Arch Linux install medium (x86_64, NFS) LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archiso_nfs_srv=${pxeserver}:/run/archiso/bootmnt checksum verify +APPEND archisobasedir=%INSTALL_DIR% archiso_nfs_srv=${pxeserver}:/run/archiso/bootmnt cms_verify=y SYSAPPEND 3 LABEL arch64_http @@ -28,5 +28,5 @@ ENDTEXT MENU LABEL Arch Linux install medium (x86_64, HTTP) LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archiso_http_srv=http://${pxeserver}/ checksum verify +APPEND archisobasedir=%INSTALL_DIR% archiso_http_srv=http://${pxeserver}/ cms_verify=y SYSAPPEND 3 -- cgit v1.2.3-54-g00ecf From 55a1b132a0bb6865d327726afdf21bc7e2d105db Mon Sep 17 00:00:00 2001 From: nl6720 Date: Sat, 17 Dec 2022 19:34:04 +0200 Subject: configs/baseline/profiledef.sh: use LZMA compression for the EROFS image Now that xz 5.4 is out and erofs-utils is built with LZMA support, it is possible to compress the EROFS image with LZMA for higher compression. `mkfs.erofs` trows a few warnings about using experimental features, but they should not be an issue. Nothing changes for the releng profile, for now at least. --- CHANGELOG.rst | 2 ++ configs/baseline/profiledef.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 400628a..4966b84 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -16,6 +16,8 @@ Changed - Open the file descriptors for code signing certificates and GPG public key as read only. Nothing from the within the ``pacstrap`` invoked chroot should ever be allowed to write outside of it. - Error out early if any of the code signing certificate files passed with option ``-c`` do not exist. +- Use LZMA compressed EROFS image for the baseline profile. Now that xz 5.4 is out and erofs-utils is built with LZMA + support, using a higher compression is possible. Removed ------- diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index 4115581..ed486ca 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh @@ -14,7 +14,7 @@ bootmodes=('bios.syslinux.mbr' 'bios.syslinux.eltorito' arch="x86_64" pacman_conf="pacman.conf" airootfs_image_type="erofs" -airootfs_image_tool_options=('-zlz4hc,12' -E ztailpacking) +airootfs_image_tool_options=('-zlzma,9' -E ztailpacking) file_permissions=( ["/etc/shadow"]="0:0:400" ) -- cgit v1.2.3-54-g00ecf From 6e1be91961967a6485901ac431f6f6b06675b750 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 22 Dec 2022 10:41:41 +0100 Subject: archiso/mkarchiso: write "uninitialized" to /etc/machine-id This is a new value introduced in systemd v247. It makes sure a new machine-id is generated, but is handled as first boot as well. See "First Boot Semantics" in machine-id(5) for details. --- CHANGELOG.rst | 3 +++ archiso/mkarchiso | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4966b84..19a4d91 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -18,6 +18,9 @@ Changed - Error out early if any of the code signing certificate files passed with option ``-c`` do not exist. - Use LZMA compressed EROFS image for the baseline profile. Now that xz 5.4 is out and erofs-utils is built with LZMA support, using a higher compression is possible. +- Add ``/etc/machine-id`` with special value ``uninitialized``. The final id is generated at boot time, and systemd's + first-boot mechanim (see ``First Boot Semantics`` in ``machine-id(5)``) applies. No functional change unless that + ``ConditionFirstBoot=yes`` is true and passive unit ``first-boot-complete.target`` activates for ordering. Removed ------- diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 8449f51..7331bb0 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -163,9 +163,10 @@ _cleanup_pacstrap_dir() { [[ -d "${pacstrap_dir}/var/tmp" ]] && find "${pacstrap_dir}/var/tmp" -mindepth 1 -delete # Delete package pacman related files. find "${work_dir}" \( -name '*.pacnew' -o -name '*.pacsave' -o -name '*.pacorig' \) -delete - # Create an empty /etc/machine-id + # Create /etc/machine-id with special value 'uninitialized': the final id is + # generated on first boot, systemd's first-boot mechanism applies (see machine-id(5)) rm -f -- "${pacstrap_dir}/etc/machine-id" - printf '' > "${pacstrap_dir}/etc/machine-id" + printf 'uninitialized\n' > "${pacstrap_dir}/etc/machine-id" _msg_info "Done!" } -- cgit v1.2.3-54-g00ecf From cca3eee83323ae94d9cab2ddb4e7f9b1e3235f30 Mon Sep 17 00:00:00 2001 From: Alexander Speshilov Date: Thu, 22 Dec 2022 20:58:49 +0000 Subject: fix typo in README.profile.rst --- docs/README.profile.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/README.profile.rst b/docs/README.profile.rst index efcb861..f1fd717 100644 --- a/docs/README.profile.rst +++ b/docs/README.profile.rst @@ -137,7 +137,7 @@ The following *custom template identifiers* are understood and will be replaced respective variables in ``profiledef.sh``: * ``%ARCHISO_LABEL%``: Set this using the ``iso_label`` variable in ``profiledef.sh``. -* ``%INSTALL_DIR%``: Set this using the ``iso_label`` variable in ``profiledef.sh``. +* ``%INSTALL_DIR%``: Set this using the ``install_dir`` variable in ``profiledef.sh``. * ``%ARCH%``: Set this using the ``arch`` variable in ``profiledef.sh``. -- cgit v1.2.3-54-g00ecf From cd621f5f4a180ddbf5b6ddf2eb53c9d17cd9a14c Mon Sep 17 00:00:00 2001 From: nl6720 Date: Sat, 24 Dec 2022 10:33:18 +0200 Subject: Add changelog for 69 --- CHANGELOG.rst | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 19a4d91..f4ad972 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -7,6 +7,19 @@ Changelog Added ----- + +Changed +------- + +Removed +------- + +[69] - 2022-12-24 +================= + +Added +----- + - Add Memtest86+ to x86_64 UEFI GRUB boot menu. Changed @@ -22,9 +35,6 @@ Changed first-boot mechanim (see ``First Boot Semantics`` in ``machine-id(5)``) applies. No functional change unless that ``ConditionFirstBoot=yes`` is true and passive unit ``first-boot-complete.target`` activates for ordering. -Removed -------- - [68] - 2022-10-30 ================= -- cgit v1.2.3-54-g00ecf