Merge branch 'issues/132'

* issues/132: gitlab-ci: Also build a baseline netboot target archiso/mkarchiso: Generalize handling of ucodes

Merge branch 'issues/132'
* issues/132: gitlab-ci: Also build a baseline netboot target archiso/mkarchiso: Generalize handling of ucodes
7d120315 · David Runge · 33e4ff62 · 97b7aeba · 7d120315 · 7d120315
Verified Commit 7d120315 authored Jun 30, 2021 by David Runge
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -44,8 +44,6 @@ build_short:
  extends: .build
  parallel:
    matrix:
-      # baseline does not support netboot with codesinging
-      # https://gitlab.archlinux.org/archlinux/archiso/-/issues/132
      - BUILD_SCRIPT_ARGS: baseline bootstrap
      - BUILD_SCRIPT_ARGS: releng bootstrap
@@ -56,5 +54,6 @@ build_long:
  parallel:
    matrix:
      - BUILD_SCRIPT_ARGS: baseline iso
+      - BUILD_SCRIPT_ARGS: baseline netboot
      - BUILD_SCRIPT_ARGS: releng iso
      - BUILD_SCRIPT_ARGS: releng netboot
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -37,6 +37,8 @@ airootfs_image_tool_options=()
 cert_list=()
 sign_netboot_artifacts=""
 declare -A file_permissions=()
+# adapted from GRUB_EARLY_INITRD_LINUX_STOCK in https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in
+readonly ucodes=('intel-uc.img' 'intel-ucode.img' 'amd-uc.img' 'amd-ucode.img' 'early_ucode.cpio' 'microcode.cpio')
 # Show an INFO message
@@ -395,7 +397,7 @@ _make_boot_on_iso9660() {
    install -m 0644 -- "${pacstrap_dir}/boot/initramfs-"*".img" "${isofs_dir}/${install_dir}/boot/${arch}/"
    install -m 0644 -- "${pacstrap_dir}/boot/vmlinuz-"* "${isofs_dir}/${install_dir}/boot/${arch}/"
-    for ucode_image in {intel-uc.img,intel-ucode.img,amd-uc.img,amd-ucode.img,early_ucode.cpio,microcode.cpio}; do
+    for ucode_image in "${ucodes[@]}"; do
        if [[ -e "${pacstrap_dir}/boot/${ucode_image}" ]]; then
            install -m 0644 -- "${pacstrap_dir}/boot/${ucode_image}" "${isofs_dir}/${install_dir}/boot/"
            if [[ -e "${pacstrap_dir}/usr/share/licenses/${ucode_image%.*}/" ]]; then
@@ -494,11 +496,9 @@ _make_boot_on_fat() {
        "::/${install_dir}" "::/${install_dir}/boot" "::/${install_dir}/boot/${arch}"
    mcopy -i "${work_dir}/efiboot.img" "${pacstrap_dir}/boot/vmlinuz-"* \
        "${pacstrap_dir}/boot/initramfs-"*".img" "::/${install_dir}/boot/${arch}/"
-    for ucode_image in \
+    for ucode_image in "${ucodes[@]}"; do
-        "${pacstrap_dir}/boot/"{intel-uc.img,intel-ucode.img,amd-uc.img,amd-ucode.img,early_ucode.cpio,microcode.cpio}
+        if [[ -e "${pacstrap_dir}/boot/${ucode_image}" ]]; then
-    do
+            all_ucode_images+=("${pacstrap_dir}/boot/${ucode_image}")
-        if [[ -e "${ucode_image}" ]]; then
-            all_ucode_images+=("${ucode_image}")
        fi
    done
    if (( ${#all_ucode_images[@]} )); then
@@ -509,9 +509,15 @@ _make_boot_on_fat() {
 # Prepare efiboot.img::/EFI for EFI boot mode
 _make_bootmode_uefi-x64.systemd-boot.esp() {
-    local efiboot_imgsize="0"
+    local _file efiboot_imgsize="0"
+    local _available_ucodes=()
    _msg_info "Setting up systemd-boot for UEFI booting..."
+    for _file in "${ucodes[@]}"; do
+        if [[ -e "${pacstrap_dir}/boot/${_file}" ]]; then
+            _available_ucodes+=("${pacstrap_dir}/boot/${_file}")
+        fi
+    done
    # the required image size in KiB (rounded up to the next full MiB with an additional MiB for reserved sectors)
    efiboot_imgsize="$(du -bc \
        "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
@@ -519,7 +525,7 @@ _make_bootmode_uefi-x64.systemd-boot.esp() {
        "${profile}/efiboot/" \
        "${pacstrap_dir}/boot/vmlinuz-"* \
        "${pacstrap_dir}/boot/initramfs-"*".img" \
-        "${pacstrap_dir}/boot/"{intel-uc.img,intel-ucode.img,amd-uc.img,amd-ucode.img,early_ucode.cpio,microcode.cpio} \
+        "${_available_ucodes[@]}" \
        2>/dev/null | awk 'function ceil(x){return int(x)+(x>int(x))}
            function byte_to_kib(x){return x/1024}
            function mib_to_kib(x){return x*1024}
@@ -670,9 +676,15 @@ _export_netboot_artifacts() {
 # sign build artifacts for netboot
 _sign_netboot_artifacts() {
    local _file _dir
+    local _files_to_sign=()
    _msg_info "Signing netboot artifacts..."
-    _dir="${isofs_dir}/${install_dir}/"
+    _dir="${isofs_dir}/${install_dir}/boot/"
-    for _file in "${_dir}/boot/"*ucode.img "${_dir}/boot/${arch}/vmlinuz-"* "${_dir}/boot/${arch}/initramfs-"*.img; do
+    for _file in "${ucodes[@]}"; do
+        if [[ -e "${_dir}${_file}" ]]; then
+            _files_to_sign+=("${_dir}${_file}")
+        fi
+    done
+    for _file in "${_files_to_sign[@]}" "${_dir}${arch}/vmlinuz-"* "${_dir}${arch}/initramfs-"*.img; do
        openssl cms \
            -sign \
            -binary \