From fc373136b4f363cf11b946dfe29cce914dd2234d Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 18 Jun 2022 15:45:12 +0000 Subject: [PATCH 001/105] Update --- configs/releng/grub/grub.cfg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/releng/grub/grub.cfg b/configs/releng/grub/grub.cfg index a85090d..8f67685 100644 --- a/configs/releng/grub/grub.cfg +++ b/configs/releng/grub/grub.cfg @@ -23,7 +23,7 @@ fi # "/" is "100 5" # # Message: "s for blind" -play 500 500 1 300 1 500 1 300 1 500 1 300 1 100 5 500 1 300 1 500 1 300 1 100 2 500 1 300 1 500 1 300 1 600 3 300 1 500 1 300 1 100 5 600 3 300 1 500 1 300 1 500 1 300 1 500 1 300 1 100 2 500 1 300 1 600 3 300 1 500 1 300 1 500 1 300 1 100 2 500 1 300 1 500 1 300 1 100 2 500 1 300 1 500 1 300 1 100 2 600 3 300 1 500 1 300 1 100 2 600 3 300 1 500 1 300 1 500 1 300 1 +play 1500 500 1 300 1 500 1 300 1 500 1 300 1 100 5 500 1 300 1 500 1 300 1 100 5 500 1 300 1 500 1 300 1 800 7 300 1 500 1 300 1 100 5 800 7 300 1 500 1 300 1 500 1 300 1 500 1 300 1 100 5 500 1 300 1 800 7 300 1 500 1 300 1 500 1 300 1 100 5 500 1 300 1 500 1 300 1 100 2 500 1 300 1 500 1 300 1 100 5 800 7 300 1 500 1 300 1 100 5 800 7 300 1 500 1 300 1 500 1 300 1 menuentry "Arch Linux install medium (x86_64, UEFI)" { set gfxpayload=keep @@ -67,4 +67,4 @@ menuentry "System shutdown" { menuentry "System restart" { echo "System rebooting..." reboot -} \ No newline at end of file +} -- GitLab From 7b3d18375718f8cc144074364ed4f70d7969b849 Mon Sep 17 00:00:00 2001 
From: Tallero Tallero Date: Sat, 3 Sep 2022 05:00:44 +0000 Subject: [PATCH 002/105] Physical attacks mitigations --- .gitlab-ci.yml | 29 +- AUTHORS.rst | 1 + CHANGELOG.rst | 38 + archiso/mkarchiso | 1532 +++++++++++++---- configs/baseline/airootfs/etc/mkinitcpio.conf | 2 +- .../systemd-gpt-auto-generator | 0 .../airootfs/run/archiso/keys/.gitkeep | 0 .../entries/01-archiso-x86_64-linux.conf | 9 +- .../entries/02-archiso-x86_64-ram-linux.conf | 9 +- configs/baseline/grub/grub.cfg | 30 +- configs/baseline/profiledef.sh | 16 +- configs/baseline/syslinux/syslinux-linux.cfg | 8 +- configs/releng/airootfs/etc/mkinitcpio.conf | 2 +- .../setup-persistent-storage.service | 1 + .../system/setup-persistent-storage.service | 9 + .../releng/airootfs/run/archiso/keys/.gitkeep | 0 .../usr/local/bin/setup-persistent-storage | 139 ++ .../entries/01-archiso-x86_64-linux.conf | 8 +- .../02-archiso-x86_64-speech-linux.conf | 8 +- .../entries/03-archiso-x86_64-ram-linux.conf | 8 +- .../04-archiso-x86_64-ram-speech-linux.conf | 8 +- configs/releng/grub/grub.cfg | 34 +- configs/releng/packages.x86_64 | 1 + configs/releng/profiledef.sh | 20 +- configs/releng/syslinux/archiso_pxe-linux.cfg | 24 +- configs/releng/syslinux/archiso_sys-linux.cfg | 24 +- docs/README.profile.rst | 12 + 27 files changed, 1553 insertions(+), 419 deletions(-) create mode 100644 configs/baseline/airootfs/etc/systemd/system/system-generators/systemd-gpt-auto-generator create mode 100644 configs/baseline/airootfs/run/archiso/keys/.gitkeep create mode 120000 configs/releng/airootfs/etc/systemd/system/multi-user.target.wants/setup-persistent-storage.service create mode 100644 configs/releng/airootfs/etc/systemd/system/setup-persistent-storage.service create mode 100644 configs/releng/airootfs/run/archiso/keys/.gitkeep create mode 100755 configs/releng/airootfs/usr/local/bin/setup-persistent-storage diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index cb89eb5..17ac5ff 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -2,20 +2,6 @@ # # SPDX-License-Identifier: GPL-3.0-or-later -# NOTE: most functionality (apart from building) is abstracted by this include -include: - - project: 'archlinux/ci-scripts' - ref: master - file: '/prepare_archiso_vm.yml' - -variables: - BUILD_SCRIPT: ./.gitlab/ci/build_archiso.sh - PACKAGE_LIST: arch-install-scripts bash dosfstools e2fsprogs erofs-utils gnupg grub jq libarchive libisoburn mtools openssl qemu-headless squashfs-tools zsync - QEMU_BUILD_TIMEOUT: 2400 - QEMU_COPY_ARTIFACTS_TIMEOUT: 120 - QEMU_VM_MEMORY: 3072 - ARCHISO_COW_SPACE_SIZE: 2g - stages: - check - build @@ -33,6 +19,19 @@ check: stage: check interruptible: true +.build: + artifacts: + reports: + metrics: output/metrics.txt + before_script: + - pacman -Sy --needed --noconfirm archlinux-keyring + - pacman -Syu --needed --noconfirm arch-install-scripts bash dosfstools e2fsprogs erofs-utils gnupg grub jq libarchive libisoburn mtools openssl qemu-headless squashfs-tools zsync + script: + - ./.gitlab/ci/build_archiso.sh ${BUILD_SCRIPT_ARGS} + stage: build + tags: + - vm + build_short: extends: .build parallel: @@ -59,8 +58,6 @@ build_long: - BUILD_SCRIPT_ARGS: baseline netboot - BUILD_SCRIPT_ARGS: releng iso - BUILD_SCRIPT_ARGS: releng netboot - tags: - - fast-single-thread only: refs: - master diff --git a/AUTHORS.rst b/AUTHORS.rst index aa287ec..b03b91e 100644 --- a/AUTHORS.rst +++ b/AUTHORS.rst @@ -35,3 +35,4 @@ Archiso Authors * nl6720 * Øyvind Heggstad * plain linen +* Pellegrino Prevete diff --git a/CHANGELOG.rst b/CHANGELOG.rst index c3029c4..5a02caa 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
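Review bot: The new `.build` template drops `QEMU_BUILD_TIMEOUT`, `QEMU_COPY_ARTIFACTS_TIMEOUT`, `QEMU_VM_MEMORY` and `ARCHISO_COW_SPACE_SIZE` together with the `archlinux/ci-scripts` include, but nothing in these hunks shows that `.gitlab/ci/build_archiso.sh` stopped reading them; if it still does, the build now runs with whatever that script's own defaults are. Either keep the `variables:` block or add a comment above `.build:` explaining why the shared include was replaced by inline package installation on the `vm` runner, e.g. `# Runs on a plain VM runner: packages are installed here instead of via archlinux/ci-scripts.`. Installing `archlinux-keyring` before the full `pacman -Syu` is the right order for a stale image, and `${BUILD_SCRIPT_ARGS}` is presumably left unquoted on purpose so a matrix value such as `releng iso` splits into two arguments; a one-line comment saying so would stop a later reader from quoting it.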
@@ -5,6 +5,44 @@ Changelog [XX] - YYYY-MM-DD ================= +Added +----- +- Add support for LUKS2 image disks: + - ``+luks`` airootfs image types; + - ``keys`` buildmode; + - ``encryption_key`` parameter. +- Upgraded storage handling function functions: + - Set overwrite flag in ``mtools`` commands. + - Refactor ``run_`` functions. +- Add support for persistent partition on ISO: + - ''persistent_size'' parameter; + +Changed +------- + +Removed +------- + +[66] - 2022-08-28 +================= + +Added +----- + +- Add ``efibootimg`` to ``mkarchiso`` to abstract the FAT image path. +- Unset ``LANGUAGE`` since ``LC_ALL=C.UTF-8``, unlike ``LC_ALL=C``, does not override ``LANGUAGE``. +- Copy all files from the ``grub`` directory to ISO9660 and the FAT image, not just only ``grub.cfg``. +- Touching ``/usr/lib/clock-epoch`` to to help ``systemd`` with screwed or broken RTC. + +Changed +------- + +- Disable GRUB's shim_lock verifier and preload more modules. This allows reusing the GRUB EFI binaries when repacking + the ISO to support Secure Boot with custom signatures. + +[65] - 2022-06-30 +================= + Added ----- diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 0c6a1ea..26a72b5 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -3,10 +3,16 @@ # SPDX-License-Identifier: GPL-3.0-or-later set -e -u +shopt -s extglob # Control the environment umask 0022 export LC_ALL="C.UTF-8" +if [[ -v LANGUAGE ]]; then + # LC_ALL=C.UTF-8, unlike LC_ALL=C, does not override LANGUAGE. + # See https://sourceware.org/bugzilla/show_bug.cgi?id=16621 and https://savannah.gnu.org/bugs/?62815 + unset LANGUAGE +fi [[ -v SOURCE_DATE_EPOCH ]] || printf -v SOURCE_DATE_EPOCH '%(%s)T' -1 export SOURCE_DATE_EPOCH 
@@ -21,25 +27,41 @@ work_dir="" out_dir="" gpg_key="" gpg_sender="" +gpg_home="" iso_name="" iso_label="" iso_publisher="" iso_application="" iso_version="" +isofs_dir="" install_dir="" arch="" pacman_conf="" packages="" bootstrap_packages="" pacstrap_dir="" +keys_dir="" buildmodes=() bootmodes=() airootfs_image_type="" airootfs_image_tool_options=() +airootfs_img_dir="" +xorriso_options=() +xorrisofs_options=() +keys_image_type="" +keys_image_tool_options=() +dongle_isofs_dir="" +dongle_xorriso_options=() +dongle_xorrisofs_options=() cert_list=() sign_netboot_artifacts="" declare -A file_permissions=() +efibootimg="" efiboot_files=() +encryption_key="" +persistent_size_kib="" +persistent_image_type="" +persistentimg="" # adapted from GRUB_EARLY_INITRD_LINUX_STOCK in https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in readonly ucodes=('intel-uc.img' 'intel-ucode.img' 'amd-uc.img' 'amd-ucode.img' 'early_ucode.cpio' 'microcode.cpio') @@ -95,6 +117,7 @@ usage: ${app_name} [options] Passed to gpg as the value for --default-key -G Set the PGP signer (must include an email address) Passed to gpg as the value for --sender + -H Set the gpg home directory. -h This message -m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot'). Multiple build modes are provided as quoted, space delimited list. @@ -103,7 +126,7 @@ usage: ${app_name} [options] -p [package ..] Package(s) to install. Multiple packages are provided as quoted, space delimited list. -v Enable verbose output - -w Set the working directory + -w Set the working directory (can't be a bind mount). Default: '${work_dir}' profile_dir: Directory of the archiso profile to build 
@@ -115,7 +138,7 @@ ENDUSAGETEXT
 # Shows configuration options.
 _show_config() {
 local build_date
- printf -v build_date '%(%FT%R%z)T' "${SOURCE_DATE_EPOCH}"
+ TZ=UTC printf -v build_date '%(%FT%R%z)T' "${SOURCE_DATE_EPOCH}"
 _msg_info "${app_name} configuration settings"
 _msg_info " Architecture: ${arch}"
 _msg_info " Working directory: ${work_dir}"
@@ -126,6 +149,8 @@ _show_config() {
 _msg_info " Build modes: ${buildmodes[*]}"
 _msg_info " GPG key: ${gpg_key:-None}"
 _msg_info " GPG signer: ${gpg_sender:-None}"
+ _msg_info " GPG Home: ${gpg_home:-None}"
+ _msg_info " Encryption Key: ${encryption_key:-None}"
 _msg_info "Code signing certificates: ${cert_list[*]:-None}"
 _msg_info " Profile: ${profile}"
 _msg_info "Pacman configuration file: ${pacman_conf}"
@@ -140,132 +165,461 @@ _show_config() { # Cleanup airootfs _cleanup_pacstrap_dir() { + local _images=("initramfs-*img" "vmlinuz-*" "${ucodes[@]}") + local _root="${pacstrap_dir}" + local _boot="${_root}/boot" + local _log="${pacstrap_dir}/var/log" + local _machine_id="${pacstrap_dir}/etc/machine-id" + local _pacman_db="${_root}/var/lib/pacman" + local _pacman_cache="${_root}/var/cache/pacman/pkg" + local _tmp="${pacstrap_dir}/var/tmp" + local _cp_opts=('-af' '--no-preserve=ownership,mode') _msg_info "Cleaning up in pacstrap location..." - # Delete all files in /boot - [[ -d "${pacstrap_dir}/boot" ]] && find "${pacstrap_dir}/boot" -mindepth 1 -delete + # Move kernel, initramfs and microcodes for later usage + install -d -m 0755 "${work_dir}/boot" + for _query in "${_images[@]}"; do + find "${_boot}" -iname "${_query}" -exec cp "${_cp_opts[@]}" {} "${work_dir}/boot" \; + done + [[ -d "${_boot}" ]] && find "${_boot}" -maxdepth 1 -type f -delete # Delete pacman database sync cache files (*.tar.gz) - [[ -d "${pacstrap_dir}/var/lib/pacman" ]] && find "${pacstrap_dir}/var/lib/pacman" -maxdepth 1 -type f -delete + [[ -d "${_pacman_db}" ]] && find "${_pacman_db}" -maxdepth 1 -type f -delete # Delete pacman database sync cache - [[ -d "${pacstrap_dir}/var/lib/pacman/sync" ]] && find "${pacstrap_dir}/var/lib/pacman/sync" -delete - # Delete pacman package cache - [[ -d "${pacstrap_dir}/var/cache/pacman/pkg" ]] && find "${pacstrap_dir}/var/cache/pacman/pkg" -type f -delete + [[ -d "${_pacman_db}/sync" ]] && find "${_pacman_db}/sync" -delete + # Delete pacman cache files + [[ -d "${_pacman_cache}" ]] && find "${_pacman_cache}" -type f -delete # Delete all log files, keeps empty dirs. 
- [[ -d "${pacstrap_dir}/var/log" ]] && find "${pacstrap_dir}/var/log" -type f -delete + [[ -d "${_log}" ]] && find "${_log}" -type f -delete # Delete all temporary files and dirs - [[ -d "${pacstrap_dir}/var/tmp" ]] && find "${pacstrap_dir}/var/tmp" -mindepth 1 -delete + [[ -d "${_tmp}" ]] && find "${_tmp}" -mindepth 1 -delete # Delete package pacman related files. find "${work_dir}" \( -name '*.pacnew' -o -name '*.pacsave' -o -name '*.pacorig' \) -delete - # Create an empty /etc/machine-id - rm -f -- "${pacstrap_dir}/etc/machine-id" - printf '' > "${pacstrap_dir}/etc/machine-id" - + if [[ "${persistent_size_kib}" != "" ]]; then + dbus-uuidgen --ensure="${_machine_id}" + else + # Create an empty /etc/machine-id + rm -f -- "${_machine_id}" + printf '' > "${_machine_id}" + fi _msg_info "Done!" } -# Create a squashfs image and place it in the ISO 9660 file system. -# $@: options to pass to mksquashfs +# Create a squashfs image from a file system image or directory. _run_mksquashfs() { - local mksquashfs_options=() image_path="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" - rm -f -- "${image_path}" + local _directory_or_fs="${1}" + local _image_path="${2}" + local mksquashfs_options=("${_mkfs_options[@]}") [[ ! "${quiet}" == "y" ]] || mksquashfs_options+=('-no-progress' '-quiet') - mksquashfs "$@" "${image_path}" -noappend "${airootfs_image_tool_options[@]}" "${mksquashfs_options[@]}" + _msg_info "Creating SQUASHFS image, this may take some time..." + mksquashfs "${_directory_or_fs}" "${_image_path}" -noappend "${mksquashfs_options[@]}" +} + +# Create an ext4 image of given size (in KB) from a directory. 
+_run_mkext4() { + local _dir="${1}" + local _image_path="${1}.img" + local _size="${2}" + local _epoch="${3}" + local _label="${4}" + local _writable="${5}" + local ext4_hash_seed _fsuuid mkfs_ext4_options=() + _fsuuid="$(_epoch_to_uuid "${_epoch}")" + + _msg_info "Creating ext4 image" + _msg_info "Size: ${_size} KB" + _msg_info "Directory: ${_dir}" + _msg_info "Image path: ${_image_path}" + _msg_info "UUID: ${_fsuuid}" + _msg_info "Label: ${_label}" + _msg_info "this may take a while..." + + ext4_hash_seed="$(uuidgen --sha1 --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ + --name "${_epoch} ext4 hash seed")" + mkfs_ext4_options=('-d' "${_dir}" + '-O' '^has_journal,^resize_inode' + '-E' "lazy_itable_init=0,root_owner=0:0,hash_seed=${ext4_hash_seed}" + '-m' '0' + '-F' + '-U' 'clear') + [[ "${_label}" != "" ]] && mkfs_ext4_options+=('-L' "${_label}") + [[ ! "${quiet}" == "y" ]] || mkfs_ext4_options+=('-q') + rm -f -- "${_image_path}" + E2FSPROGS_FAKE_TIME="${_epoch}" mkfs.ext4 "${mkfs_ext4_options[@]}" -- "${_image_path}" "${_size}K" + tune2fs -c 0 -i 0 -- "${_image_path}" > /dev/null + if [ "${_writable}" != "true" ]; then + tunefs -O read-only "${_image_path}" + fi + _msg_info "Done!" +} + +# Create an EROFS image given a directory. +_run_mkerofs() { + local _image_path="${1}" + local _dir="${2}" + local _epoch="${3}" + local fsuuid + fsuuid="$(uuidgen --sha1 --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 --name "${_epoch}")" + [[ ! "${quiet}" == "y" ]] || mkfs_erofs_options+=('--quiet') + _msg_info "Creating EROFS image" + _msg_info "Directory: ${_dir}" + _msg_info "Image path: ${_image_path}" + _msg_info "UUID: ${fsuuid}" + _msg_info "this may take a while..." + mkfs_erofs_options+=('-U' "${fsuuid}" "${_mkfs_options[@]}") + mkfs.erofs "${mkfs_erofs_options[@]}" -- "${_image_path}" "${_dir}" + _msg_info "Done!" +} + +# Create and open a LUKS image of the size of the pacstrap directory plus 200MB. 
+_run_mkluks() { + local _encryption_key + local _image_path="${1}" + local _size="${2}" + local _encryption_key="${3}" + local _epoch="${4}" + local _label="${5}" + local _writable="${6}" + local _activation_opts=() _format_opts=() _key_msg="" _mapper + local _cryptsetup_opts=('--type' 'luks2') + _mapper=$(basename "${_image_path}")".map" + image_device="/dev/mapper/${_mapper}" + _key_opts=() + _fsuuid="$(uuidgen --sha1 --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 --name "${_epoch}")" + + if [[ "${_encryption_key}" != "" ]]; then + _key_opts=("--key-file=${_encryption_key}") + _cryptsetup_opts+=("${_key_opts[@]}") + _key_msg="with key $(basename "${_encryption_key}")" + fi + + _activation_opts+=("${_cryptsetup_opts[@]}") + _format_opts+=("${_cryptsetup_opts[@]}" \ + '--integrity' 'hmac-sha512' \ + '--sector-size' '4096' \ + '--key-size' '512' \ + '--pbkdf-memory' 256) + + if [ "${_writable}" != "true" ]; then + _msg_info "Integrity journal disabled" + _activation_opts+=('--persistent' \ + '--integrity-no-journal' \ + '--key-size' '512') + fi + + _msg_info "Creating LUKS image $(basename "${_image_path}") with cryptsetup (${_size}KB) ${_key_msg}" + fallocate -l "${_size}K" "${_image_path}" + while ! eval "cryptsetup -q -y luksFormat ${_format_opts[*]} ${_image_path}"; do + sleep 1 + done + + _msg_info "Setting label ${_label}" + while ! eval "cryptsetup config ${_cryptsetup_opts[*]} ${_image_path} --label ${_label}"; do + _close_luks_device "${image_device}" + done + + _msg_info "Setting UUID ${_fsuuid}" + while ! eval "cryptsetup -q -y luksUUID --uuid ${_fsuuid} ${_image_path}"; do + _close_luks_device "${image_device}" + done + + _close_luks_device "${image_device}" + + _msg_info "Opening device on mapper ${_mapper}" + while ! eval "cryptsetup ${_activation_opts[*]} open ${_image_path} ${_mapper}"; do + _close_luks_device "${image_device}" + done + _msg_info "Done!" 
+} + +# Close a LUKS device mapper +_close_luks_device() { + local _device="${1}" + local _mapper + _mapper=$(basename "${_device}") + blockdev --flushbufs "${_device}" || true + cryptsetup luksClose "${_mapper}" || true + if [ -e "${_device}" ]; then + dmsetup remove "${_device}" || true + fi + sync +} + +# Ask the user for a passphrase if not specified +_mkluks_common() { + local _out="${work_dir}/${iso_label}.key" + if [ "${encryption_key}" = "" ]; then + echo -n "Airootfs password:" + read -rs password + echo "${password}" > "${_out}" + encryption_key="${_out}" + fi +} + +# Steps shared by _mkairootfs_fs_type functions +_mkairootfs_common() { + [[ -e "${pacstrap_dir}" ]] || _msg_error "The path '${pacstrap_dir}' does not exist" 1 + install -d -m 0755 -- "${airootfs_img_dir}" + image_path="${airootfs_img_dir}/airootfs."$(_get_fs_ext "airootfs") + rm -f -- "${image_path}" + _mkfs_options=("${airootfs_image_tool_options[@]}") } # Create an ext4 image containing the root file system and pack it inside a squashfs image. # Save the squashfs image on the ISO 9660 file system. _mkairootfs_ext4+squashfs() { - local ext4_hash_seed mkfs_ext4_options=() - [[ -e "${pacstrap_dir}" ]] || _msg_error "The path '${pacstrap_dir}' does not exist" 1 - - _msg_info "Creating ext4 image of 32 GiB and copying '${pacstrap_dir}/' to it..." - - ext4_hash_seed="$(uuidgen --sha1 --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ - --name "${SOURCE_DATE_EPOCH} ext4 hash seed")" - mkfs_ext4_options=( - '-d' "${pacstrap_dir}" - '-O' '^has_journal,^resize_inode' - '-E' "lazy_itable_init=0,root_owner=0:0,hash_seed=${ext4_hash_seed}" - '-m' '0' - '-F' - '-U' 'clear' - ) - [[ ! 
"${quiet}" == "y" ]] || mkfs_ext4_options+=('-q') - rm -f -- "${pacstrap_dir}.img" - E2FSPROGS_FAKE_TIME="${SOURCE_DATE_EPOCH}" mkfs.ext4 "${mkfs_ext4_options[@]}" -- "${pacstrap_dir}.img" 32G - tune2fs -c 0 -i 0 -- "${pacstrap_dir}.img" > /dev/null + _mkairootfs_common + _run_mkext4 "${pacstrap_dir}" "$(_get_internal_size "${airootfs_size}")" \ + "${SOURCE_DATE_EPOCH}" "airootfs" + _run_mksquashfs "${pacstrap_dir}.img" "${image_path}" _msg_info "Done!" + rm -- "${pacstrap_dir}.img" +} - install -d -m 0755 -- "${isofs_dir}/${install_dir}/${arch}" - _msg_info "Creating SquashFS image, this may take some time..." - _run_mksquashfs "${pacstrap_dir}.img" +# Create an ext4 image containing the root file system and pack it inside a squashfs image. +# Pack the squash image inside the LUKS image and save it on the ISO 9660 file system. +_mkairootfs_ext4+squashfs+luks() { + _mkairootfs_common + _mkluks_common + _run_mkluks "${image_path}" "${airootfs_size}" "${encryption_key}" \ + "${SOURCE_DATE_EPOCH}" "${iso_label}" + _run_mkext4 "${pacstrap_dir}" "$(_get_internal_size "${airootfs_size}")" \ + "${SOURCE_DATE_EPOCH}" "airootfs" + _run_mksquashfs "${pacstrap_dir}.img" "${image_device}" + sync + _close_luks_device "${image_device}" _msg_info "Done!" rm -- "${pacstrap_dir}.img" } # Create a squashfs image containing the root file system and saves it on the ISO 9660 file system. _mkairootfs_squashfs() { - [[ -e "${pacstrap_dir}" ]] || _msg_error "The path '${pacstrap_dir}' does not exist" 1 + _mkairootfs_common + _run_mksquashfs "${pacstrap_dir}" "${image_path}" +} - install -d -m 0755 -- "${isofs_dir}/${install_dir}/${arch}" - _msg_info "Creating SquashFS image, this may take some time..." - _run_mksquashfs "${pacstrap_dir}" +# Create a squashfs image containing the root file system and saves it on the LUKS image. +# Saves the LUKS image on the ISO 9660 file system. 
+_mkairootfs_squashfs+luks() { + _mkairootfs_common + _mkluks_common + _run_mkluks "${image_path}" "${airootfs_size}" "${encryption_key}" \ + "${SOURCE_DATE_EPOCH}" "${iso_label}" + _run_mksquashfs "${pacstrap_dir}" "${image_device}" + sync + _close_luks_device "${image_device}" } # Create an EROFS image containing the root file system and saves it on the ISO 9660 file system. _mkairootfs_erofs() { - local fsuuid mkfs_erofs_options=() - [[ -e "${pacstrap_dir}" ]] || _msg_error "The path '${pacstrap_dir}' does not exist" 1 + _mkairootfs_common + _run_mkerofs "${image_path}" "${pacstrap_dir}" "${SOURCE_DATE_EPOCH}" + _msg_info "Done!" +} + +# Create an EROFS image containing the root file system and saves it on the LUKS image. +# Save the LUKS image on the ISO 9660 file system. +_mkairootfs_erofs+luks() { + _mkairootfs_common + _mkluks_common + _run_mkluks "${image_path}" "${airootfs_size}" "${encryption_key}" \ + "${SOURCE_DATE_EPOCH}" "${iso_label}" + _run_mkerofs "${image_device}" "${pacstrap_dir}" "${SOURCE_DATE_EPOCH}" + sync + _close_luks_device "${image_device}" +} - install -d -m 0755 -- "${isofs_dir}/${install_dir}/${arch}" - local image_path="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" +# Steps shared by _mkkeys+fs_type functions +_mkkeys_common() { + image_path="${dongle_isofs_dir}/keys."$(_get_fs_ext "keys") rm -f -- "${image_path}" - [[ ! "${quiet}" == "y" ]] || mkfs_erofs_options+=('--quiet') - # Generate reproducible file system UUID from SOURCE_DATE_EPOCH - fsuuid="$(uuidgen --sha1 --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 --name "${SOURCE_DATE_EPOCH}")" - mkfs_erofs_options+=('-U' "${fsuuid}" "${airootfs_image_tool_options[@]}") - _msg_info "Creating EROFS image, this may take some time..." 
- mkfs.erofs "${mkfs_erofs_options[@]}" -- "${image_path}" "${pacstrap_dir}" + _mkfs_options=("${keys_image_tool_options[@]}") + keys_epoch=$((SOURCE_DATE_EPOCH + 42 * 69)) +} + +# Create an ext4 image containing the keys file system and pack it inside a squashfs image. +# Save the squashfs image on the ISO 9660 file system. +_mkkeys_ext4+squashfs() { + _mkkeys_common + _run_mkext4 "${keys_dir}" "$(_get_internal_size "${keys_size}")" \ + "${keys_epoch}" "keys" + _run_mksquashfs "${keys_dir}.img" "${image_path}" + _msg_info "Done!" + rm -- "${keys_dir}.img" +} + +# Create an ext4 image containing the keys file system and pack it inside a squashfs image. +# Pack the squash image inside the LUKS image and save it on the ISO 9660 file system. +_mkkeys_ext4+squashfs+luks() { + _mkkeys_common + _run_mkluks "${image_path}" "${keys_size}" "" \ + "${keys_epoch}" "${iso_label}_KEYS" + _run_mkext4 "${keys_dir}" "$(_get_internal_size "${keys_size}")" \ + "${keys_epoch}" "keys" + _run_mksquashfs "${keys_dir}.img" "${image_device}" + sync + _close_luks_device "${image_device}" + _msg_info "Done!" + rm -- "${keys_dir}.img" +} + +# Create a squashfs image containing the keys file system and saves it on the LUKS image. +# Saves the LUKS image on the ISO 9660 file system. +_mkkeys_squashfs+luks() { + _mkkeys_common + _run_mkluks "${image_path}" "${airootfs_size}" "" \ + "${keys_epoch}" "${iso_label}_KEYS" + _run_mksquashfs "${keys_dir}" "${image_device}" + sync + _close_luks_device "${image_device}" +} + +# Create a squashfs image containing the root file system and saves it on the ISO 9660 file system. +_mkkeys_squashfs() { + _mkkeys_common + _run_mksquashfs "${keys_dir}" "${image_path}" +} + +# Create an EROFS image containing the keys file system and saves it on the ISO 9660 file system. +_mkkeys_erofs() { + _mkkeys_common + _run_mkerofs "${image_path}" "${keys_dir}" "${keys_epoch}" + _msg_info "Done!" 
+} + +# Create an EROFS image containing the keys file system and saves it on the LUKS image. +# Save the LUKS image on the ISO 9660 file system. +_mkkeys_erofs+luks() { + _mkkeys_common + _run_mkluks "${image_path}" "${keys_size}" \ + "${keys_epoch}" "${iso_label}_KEYS" + _run_mkerofs "${image_device}" "${keys_dir}" "${keys_epoch}" + sync + _close_luks_device "${image_device}" +} + +# Steps shared by _mkpersistent+fs_type functions +_mkpersistent_common() { + image_path="${persistentimg}" + rm -f -- "${image_path}" + persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) + writable="true" +} + +# Create an ext4 image to be used as the persistent ISO partition. +_mkpersistent_ext4() { + _mkpersistent_common + persistent_guid="0FC63DAF-8483-4772-8E79-3D69D8477DE4" + _run_mkext4 "${persistent_dir}" "${persistent_size_kib}" \ + "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" + mv "${persistent_dir}.img" "${image_path}" + sync _msg_info "Done!" } -# Create checksum file for the rootfs image. +# Create an ext4 fs inside a LUKS container to be used as the persistent ISO partition. +_mkpersistent_ext4+luks() { + _mkpersistent_common + persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" + _run_mkluks "${image_path}" "${persistent_size_kib}" "${encryption_key}" \ + "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" + _run_mkext4 "${persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ + "${persistent_epoch}" "persistent" "${writable}" + dd if="${persistent_dir}.img" of="${image_device}" + sync + _close_luks_device "${image_device}" + _msg_info "Done!" + rm -- "${persistent_dir}.img" +} + +# Create checksum for a given file. _mkchecksum() { - _msg_info "Creating checksum file for self-test..." 
- cd -- "${isofs_dir}/${install_dir}/${arch}" - if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then - sha512sum airootfs.sfs > airootfs.sha512 - elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then - sha512sum airootfs.erofs > airootfs.sha512 + local _file + local _dir + local _name + _file="${1}" + _dir=$(dirname "${_file}") + _name=$(basename "${_file%.*}") + + cd -- "${_dir}" + if [[ -e "${_file}" ]]; then + _msg_info "Creating checksum of ${_file} for self-test..." + sha512sum "$(basename "${_file}")" > "${_name}.sha512" fi cd -- "${OLDPWD}" - _msg_info "Done!" } -# GPG sign the root file system image. +# GPG sign a file. _mksignature() { - local airootfs_image_filename gpg_options=() - _msg_info "Signing rootfs image..." - if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then - airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" - elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then - airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" - fi - rm -f -- "${airootfs_image_filename}.sig" + local _file="${1}" + local gpg_options=() + rm -f -- "${_file}.sig" # Add gpg sender option if the value is provided [[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}") - # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect - gpg --batch --no-armor --no-include-key-block --output "${airootfs_image_filename}.sig" --detach-sign \ - --default-key "${gpg_key}" "${gpg_options[@]}" "${airootfs_image_filename}" + if [ -e "${_file}" ]; then + _msg_info "Signing $(basename "${_file}")..." 
+ # always use the .sig file extension, as that is what + # mkinitcpio-archiso's hooks expect + _msg_info "GPG home: ${gpg_home}" + if [ "${gpg_home}" != "" ]; then + GNUPGHOME="${gpg_home}" gpg --batch --no-armor --no-include-key-block \ + --output "${_file}.sig" --detach-sign \ + --homedir "${gpg_home}" \ + --default-key "${gpg_key}" "${gpg_options[@]}" "${_file}" + else + gpg --batch --no-armor --no-include-key-block \ + --output "${_file}.sig" --detach-sign \ + --default-key "${gpg_key}" "${gpg_options[@]}" "${_file}" + fi + fi _msg_info "Done!" } +# Get image extension. +_get_fs_ext() { + local _image="${1}" + local _fs_type + _fs_type=$(_get_fs_type "${_image}") + if [ "${_fs_type}" = "squashfs" ]; then + echo "sfs" + else + echo "${_fs_type}" + fi +} + +# Get image extension. +_get_fs_type() { + local _image="${1}" + local _no_luks + _no_luks=$(eval echo \$"{${_image}_image_type%%+luks}") + echo "${_no_luks##*"+"}" +} + +_get_internal_size() { + local _size="${1}" + if [[ "${_size}" -lt 50000 ]]; then + ratio=70 + elif [[ "${_size}" -gt 50000 ]] && [[ "${_size}" -lt 200000 ]]; then + ratio=75 + elif [[ "${_size}" -gt 200000 ]] && [[ "${_size}" -lt 1000000 ]]; then + ratio=80 + elif [[ "${_size}" -gt 200000 ]] && [[ "${_size}" -lt 5000000 ]]; then + ratio=80 + else + ratio=85 + fi + echo $(((_size * ratio)/100)) +} + # Helper function to run functions only one time. # $1: function name _run_once() { if [[ ! -e "${work_dir}/${run_once_mode}.${1}" ]]; then "$1" touch "${work_dir}/${run_once_mode}.${1}" + else + if [ "${quiet}" != "y" ]; then + _msg_info "Command ${1} already run" + fi fi } 
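Review bot: `_mkluks_common` stores the interactively read passphrase with `echo "${password}" > "${_out}"`, which under the script's `umask 0022` creates `${work_dir}/${iso_label}.key` world-readable and appends a newline; because `cryptsetup --key-file` uses the file's bytes verbatim, the LUKS slot is then keyed on the passphrase plus `\n`, which the same passphrase typed at an unlock prompt would not match — create the file 0600 and write it with `printf '%s'` (rewrite below). Two callers also hand `_run_mkluks` the wrong arguments: `_mkkeys_erofs+luks` omits the key argument so `${keys_epoch}` lands in `_encryption_key` and the label in `_epoch`, and `_mkkeys_squashfs+luks` sizes the keys container with `${airootfs_size}` instead of `${keys_size}`. In `_run_mkext4` the read-only branch runs `tunefs -O read-only`, which is not an e2fsprogs command (`tune2fs` is), and that branch is reached whenever the fifth argument is omitted, as `_mkairootfs_ext4+squashfs` and `_mkkeys_ext4+squashfs` do. `_run_mkluks` further assembles every cryptsetup call through `eval` with unquoted `${_image_path}` and retries `luksFormat` in an unbounded `while ! … sleep 1` loop, so a persistent failure never surfaces as an error; quoted arrays and a bounded retry would keep `set -e` meaningful. The functions in this hunk are complete, but the file continues past it.
```shell
# Ask the user for a passphrase if not specified
_mkluks_common() {
    local _out="${work_dir}/${iso_label}.key"
    if [ "${encryption_key}" = "" ]; then
        echo -n "Airootfs password:"
        read -rs password
        # Create the key file 0600 before any bytes are written, and omit the
        # trailing newline so the key-file slot matches the typed passphrase.
        (umask 077 && printf '%s' "${password}" > "${_out}")
        encryption_key="${_out}"
    fi
}
```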
@@ -291,7 +645,7 @@ _make_pacman_conf() {
 # see `man 8 pacman` for further info
 pacman-conf --config "${pacman_conf}" | \
 sed "/CacheDir/d;/DBPath/d;/HookDir/d;/LogFile/d;/RootDir/d;/\[options\]/a CacheDir = ${_cache_dirs}
- /\[options\]/a HookDir = ${pacstrap_dir}/etc/pacman.d/hooks/" > "${work_dir}/${buildmode}.pacman.conf"
+ /\[options\]/a HookDir = ${pacstrap_dir}/etc/pacman.d/hooks/" > "${work_dir}/${buildmode}.pacman.conf"
 }
 # Prepare working directory and copy custom root file system files.
@@ -302,6 +656,7 @@ _make_custom_airootfs() {
 install -d -m 0755 -o 0 -g 0 -- "${pacstrap_dir}"
 if [[ -d "${profile}/airootfs" ]]; then
+ _build_archiso_hooks
 _msg_info "Copying custom airootfs files..."
 cp -af --no-preserve=ownership,mode -- "${profile}/airootfs/." "${pacstrap_dir}"
 # Set ownership and mode for files and directories
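Review bot: The `_build_archiso_hooks` call added before the airootfs copy rewrites the profile's own `airootfs/etc/mkinitcpio.conf` in place — the function, shown in the following hunk, copies it to `${work_dir}/mkinitcpio.conf` and then redirects the `sed` output back to `${_mkinitcpio_conf}` — so a build mutates the source profile, and a second build with a different `airootfs_image_type` or build mode finds no `%ARCHISO_HOOKS%` placeholder left to substitute. Move the call after the `cp -af` of the profile and have it write the substituted file into the pacstrap tree instead, e.g. `sed "s|%ARCHISO_HOOKS%|${_hooks[*]}|g" "${_mkinitcpio_conf}" > "${pacstrap_dir}/etc/mkinitcpio.conf"`. A comment on the call such as `# Select initramfs hooks (adds encrypt for LUKS images and the dongle build mode)` would explain why it sits in this function. `_make_custom_airootfs` continues outside the hunk.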
@@ -390,103 +745,202 @@ _make_customize_airootfs() { } # Set up boot loaders -_make_bootmodes() { +_make_bootmodes_iso() { + local bootmode + for bootmode in "${bootmodes[@]}"; do + _run_once "_make_bootmode_${bootmode}_iso" + done +} + +# Set up boot loaders +_make_bootmodes_dongle() { local bootmode for bootmode in "${bootmodes[@]}"; do - _run_once "_make_bootmode_${bootmode}" + _run_once "_make_bootmode_${bootmode}_dongle" done } # Copy kernel and initramfs to ISO 9660 _make_boot_on_iso9660() { - local ucode_image - _msg_info "Preparing kernel and initramfs for the ISO 9660 file system..." - install -d -m 0755 -- "${isofs_dir}/${install_dir}/boot/${arch}" - install -m 0644 -- "${pacstrap_dir}/boot/initramfs-"*".img" "${isofs_dir}/${install_dir}/boot/${arch}/" - install -m 0644 -- "${pacstrap_dir}/boot/vmlinuz-"* "${isofs_dir}/${install_dir}/boot/${arch}/" + isofs_dir="${work_dir}/iso" + _make_boot_on_iso "${isofs_dir}" +} + +# Copy kernel and initramfs to dongle ISO 9660 +_make_boot_on_dongle() { + dongle_isofs_dir="${work_dir}/dongle_iso" + _make_boot_on_iso "${dongle_isofs_dir}" +} + +# Copy kernel and initramfs to ISO 9660 +_make_boot_on_iso() { + local bootable_dir="${1}" + local _query _src ucode_image + local _cp_opts=('-af' '--no-preserve=ownership,mode') + local boot_dir="${bootable_dir}/${install_dir}/boot" + local kernel_dir="${bootable_dir}/${install_dir}/boot/${arch}" + local licenses_src="${pacstrap_dir}/usr/share/licenses" + local licenses_dest="${boot_dir}/licenses" + local images=("initramfs-*.img" "vmlinuz-*") + _msg_info "Preparing kernel and initramfs for the ISO 9660 file system in ${bootable_dir}..." 
+ + install -d -m 0755 -- "${kernel_dir}" + for _query in "${images[@]}"; do + find "${work_dir}" -iname "${_query}" -exec cp "${_cp_opts[@]}" {} "${kernel_dir}" \; + find "${kernel_dir}" -iname "${_query}" -exec chmod 0644 {} \; + done for ucode_image in "${ucodes[@]}"; do - if [[ -e "${pacstrap_dir}/boot/${ucode_image}" ]]; then - install -m 0644 -- "${pacstrap_dir}/boot/${ucode_image}" "${isofs_dir}/${install_dir}/boot/" - if [[ -e "${pacstrap_dir}/usr/share/licenses/${ucode_image%.*}/" ]]; then - install -d -m 0755 -- "${isofs_dir}/${install_dir}/boot/licenses/${ucode_image%.*}/" - install -m 0644 -- "${pacstrap_dir}/usr/share/licenses/${ucode_image%.*}/"* \ - "${isofs_dir}/${install_dir}/boot/licenses/${ucode_image%.*}/" - fi + find "${work_dir}" -iname "${ucode_image}" -exec cp "${_cp_opts[@]}" {} "${boot_dir}" \; + find "${boot_dir}" -iname "${_query}" -exec chmod 0644 {} \; + if [[ -e "${licenses_src}/${ucode_image%.*}/" ]]; then + install -d -m 0755 -- "${licenses_dest}/${ucode_image%.*}/" + install -m 0644 -- "${licenses_src}/${ucode_image%.*}/"* "${licenses_dest}/${ucode_image%.*}/" fi done _msg_info "Done!" } +_build_archiso_hooks() { + local _hooks=() _mkinitcpio_conf="${profile}/airootfs/etc/mkinitcpio.conf" + if [[ "${airootfs_image_type}" == *luks ]] || [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then + _hooks+=("encrypt") + fi + _hooks+=("archiso") + + cp "${_mkinitcpio_conf}" "${work_dir}/mkinitcpio.conf" + sed "s|%ARCHISO_HOOKS%|${_hooks[*]}|g" "${work_dir}/mkinitcpio.conf" > "${_mkinitcpio_conf}" +} + +_get_dongle_uuid() { + #shellcheck disable=SC2005 + echo "$(_epoch_to_uuid $((SOURCE_DATE_EPOCH + 42 * 69)))" +} + +_get_archiso_uuid() { + #shellcheck disable=SC2005 + echo "$(_epoch_to_uuid "${SOURCE_DATE_EPOCH}")" +} + +# Produce kernel parameters. 
+_get_kernel_params() { + local _kparams=() + _kparams+=("archisobasedir=${install_dir}" + "archisolabel=${iso_label}" + "archisouuid=$(_get_archiso_uuid)" + "$(_get_crypto_params)") + if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then + _kparams+=("sigdevice=UUID=$(_get_dongle_uuid):iso9660:$(_get_airootfs_path).sig" + "verify=y") + fi + echo "${_kparams[@]}" +} + +# Produce the 'encrypt' hook's kernel parameters needed to boot an encrypted ISO. +_get_crypto_params() { + declare -a _cparams + local _keys_fs_type _keys_path + _keys_fs_type="$(_get_fs_type "keys")" + _keys_path="keys.$(_get_fs_ext "keys")" + _cparams=() + if [[ "${airootfs_image_type}" == *luks ]]; then + _cparams+=("root=/dev/mapper/root" + "cryptdevice=UUID=$(_get_archiso_uuid),$(_get_airootfs_path):root:readonly") + if [ "${encryption_key}" != "" ]; then + _cparams+=("cryptkey=UUID=$(_get_dongle_uuid):iso9660,${_keys_fs_type}:${_keys_path},airootfs.key") + fi + fi + echo "${_cparams[@]}" +} + # Prepare syslinux for booting from MBR (isohybrid) _make_bootmode_bios.syslinux.mbr() { + bootable_dir="${1}" + bootable="${2}" _msg_info "Setting up SYSLINUX for BIOS booting from a disk..." 
- install -d -m 0755 -- "${isofs_dir}/syslinux" + install -d -m 0755 -- "${bootable_dir}/syslinux" for _cfg in "${profile}/syslinux/"*.cfg; do - sed "s|%ARCHISO_LABEL%|${iso_label}|g; - s|%INSTALL_DIR%|${install_dir}|g; - s|%ARCH%|${arch}|g" \ - "${_cfg}" > "${isofs_dir}/syslinux/${_cfg##*/}" + _build_bootloader_config "${_cfg}" > "${bootable_dir}/syslinux/${_cfg##*/}" done if [[ -e "${profile}/syslinux/splash.png" ]]; then - install -m 0644 -- "${profile}/syslinux/splash.png" "${isofs_dir}/syslinux/" + install -m 0644 -- "${profile}/syslinux/splash.png" "${bootable_dir}/syslinux/" fi - install -m 0644 -- "${pacstrap_dir}/usr/lib/syslinux/bios/"*.c32 "${isofs_dir}/syslinux/" - install -m 0644 -- "${pacstrap_dir}/usr/lib/syslinux/bios/lpxelinux.0" "${isofs_dir}/syslinux/" - install -m 0644 -- "${pacstrap_dir}/usr/lib/syslinux/bios/memdisk" "${isofs_dir}/syslinux/" + install -m 0644 -- "${pacstrap_dir}/usr/lib/syslinux/bios/"*.c32 "${bootable_dir}/syslinux/" + install -m 0644 -- "${pacstrap_dir}/usr/lib/syslinux/bios/lpxelinux.0" "${bootable_dir}/syslinux/" + install -m 0644 -- "${pacstrap_dir}/usr/lib/syslinux/bios/memdisk" "${bootable_dir}/syslinux/" - _run_once _make_boot_on_iso9660 + if [[ "${bootable}" == "iso" ]]; then + _run_once _make_boot_on_iso9660 + elif [[ "${bootable}" == "dongle" ]]; then + _run_once _make_boot_on_dongle + fi - if [[ -e "${isofs_dir}/syslinux/hdt.c32" ]]; then - install -d -m 0755 -- "${isofs_dir}/syslinux/hdt" + if [[ -e "${bootable_dir}/syslinux/hdt.c32" ]]; then + install -d -m 0755 -- "${bootable_dir}/syslinux/hdt" if [[ -e "${pacstrap_dir}/usr/share/hwdata/pci.ids" ]]; then gzip -cn9 "${pacstrap_dir}/usr/share/hwdata/pci.ids" > \ - "${isofs_dir}/syslinux/hdt/pciids.gz" + "${bootable_dir}/syslinux/hdt/pciids.gz" fi find "${pacstrap_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -cn9 '{}' ';' -quit > \ - "${isofs_dir}/syslinux/hdt/modalias.gz" + "${bootable_dir}/syslinux/hdt/modalias.gz" fi # Add other aditional/extra 
files to ${install_dir}/boot/ if [[ -e "${pacstrap_dir}/boot/memtest86+/memtest.bin" ]]; then # rename for PXE: https://wiki.archlinux.org/title/Syslinux#Using_memtest - install -m 0644 -- "${pacstrap_dir}/boot/memtest86+/memtest.bin" "${isofs_dir}/${install_dir}/boot/memtest" - install -d -m 0755 -- "${isofs_dir}/${install_dir}/boot/licenses/memtest86+/" + install -m 0644 -- "${pacstrap_dir}/boot/memtest86+/memtest.bin" "${bootable_dir}/${install_dir}/boot/memtest" + install -d -m 0755 -- "${bootable_dir}/${install_dir}/boot/licenses/memtest86+/" install -m 0644 -- "${pacstrap_dir}/usr/share/licenses/common/GPL2/license.txt" \ - "${isofs_dir}/${install_dir}/boot/licenses/memtest86+/" + "${bootable_dir}/${install_dir}/boot/licenses/memtest86+/" fi _msg_info "Done! SYSLINUX set up for BIOS booting from a disk successfully." } +_make_bootmode_bios.syslinux.mbr_iso() { + _make_bootmode_bios.syslinux.mbr "${isofs_dir}" "iso" +} + +_make_bootmode_bios.syslinux.mbr_dongle() { + _make_bootmode_bios.syslinux.mbr "${dongle_isofs_dir}" "dongle" +} + # Prepare syslinux for El-Torito booting _make_bootmode_bios.syslinux.eltorito() { + local bootable_dir="${1}" _msg_info "Setting up SYSLINUX for BIOS booting from an optical disc..." - install -d -m 0755 -- "${isofs_dir}/syslinux" - install -m 0644 -- "${pacstrap_dir}/usr/lib/syslinux/bios/isolinux.bin" "${isofs_dir}/syslinux/" - install -m 0644 -- "${pacstrap_dir}/usr/lib/syslinux/bios/isohdpfx.bin" "${isofs_dir}/syslinux/" + install -d -m 0755 -- "${bootable_dir}/syslinux" + install -m 0644 -- "${pacstrap_dir}/usr/lib/syslinux/bios/isolinux.bin" "${bootable_dir}/syslinux/" + install -m 0644 -- "${pacstrap_dir}/usr/lib/syslinux/bios/isohdpfx.bin" "${bootable_dir}/syslinux/" + _msg_info "Done! SYSLINUX set up for BIOS booting from an optical disc successfully." 
+} + +_make_bootmode_bios.syslinux.eltorito_iso() { + _make_bootmode_bios.syslinux.eltorito "${isofs_dir}" # ISOLINUX and SYSLINUX installation is shared - _run_once _make_bootmode_bios.syslinux.mbr + _run_once _make_bootmode_bios.syslinux.mbr_iso - _msg_info "Done! SYSLINUX set up for BIOS booting from an optical disc successfully." +} + +_make_bootmode_bios.syslinux.eltorito_dongle() { + _make_bootmode_bios.syslinux.eltorito "${dongle_isofs_dir}" + # ISOLINUX and SYSLINUX installation is shared + _run_once _make_bootmode_bios.syslinux.mbr_dongle } # Copy kernel and initramfs to FAT image _make_boot_on_fat() { - local ucode_image all_ucode_images=() + local _images _ucode_image _msg_info "Preparing kernel and initramfs for the FAT file system..." - mmd -i "${work_dir}/efiboot.img" \ + _images=("initramfs-*.img" "vmlinuz-*") + mmd -D o -i "${efibootimg}" \ "::/${install_dir}" "::/${install_dir}/boot" "::/${install_dir}/boot/${arch}" - mcopy -i "${work_dir}/efiboot.img" "${pacstrap_dir}/boot/vmlinuz-"* \ - "${pacstrap_dir}/boot/initramfs-"*".img" "::/${install_dir}/boot/${arch}/" - for ucode_image in "${ucodes[@]}"; do - if [[ -e "${pacstrap_dir}/boot/${ucode_image}" ]]; then - all_ucode_images+=("${pacstrap_dir}/boot/${ucode_image}") - fi + for _query in "${_images[@]}"; do + find "${work_dir}" -iname "${_query}" -exec mcopy -D "o" -i "${efibootimg}" {} "::/${install_dir}/boot/${arch}/" \; + done + for _ucode_image in "${ucodes[@]}"; do + find "${work_dir}" -iname "${_ucode_image}" -exec mcopy -D "o" -i "${efibootimg}" {} "::/${install_dir}/boot/" \; done - if (( ${#all_ucode_images[@]} )); then - mcopy -i "${work_dir}/efiboot.img" "${all_ucode_images[@]}" "::/${install_dir}/boot/" - fi _msg_info "Done!" } 
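Review bot: `_build_archiso_hooks` writes the rendered file back over `${profile}/airootfs/etc/mkinitcpio.conf`, so the first build strips the `%ARCHISO_HOOKS%` placeholder from the user's profile and any later build with a different `airootfs_image_type` or buildmode set keeps the hook list of that first build; render into the build tree instead, e.g. `sed "s|%ARCHISO_HOOKS%|${_hooks[*]}|g" "${_mkinitcpio_conf}" > "${pacstrap_dir}/etc/mkinitcpio.conf"`, and call it from `_make_custom_airootfs` after the `cp -af` of the profile's airootfs rather than before it. In `_make_boot_on_iso` the microcode loop runs `find "${boot_dir}" -iname "${_query}" -exec chmod 0644 {} \;` with `_query` still holding the last kernel pattern from the previous loop, so the copied `${ucode_image}` files are never chmod'd; it should be `-iname "${ucode_image}"`. Both loops, like `_make_boot_on_fat` further down, search the whole `${work_dir}` for `initramfs-*.img`/`vmlinuz-*`, which on a combined iso+dongle build also matches the copies already placed under `${work_dir}/iso` and `${work_dir}/dongle_iso`; limiting the search to `${pacstrap_dir}/boot`, as the removed code did, keeps the origin of the boot files unambiguous. `_make_bootmode_bios.syslinux.mbr` assigns `bootable_dir` and `bootable` without `local`, unlike its eltorito counterpart, and `_make_boot_on_fat` uses `_query` without declaring it. The `42 * 69` offset in `_get_dongle_uuid` deserves a one-line comment stating the intent, e.g. `# fixed offset from SOURCE_DATE_EPOCH so the dongle never shares the ISO's UUID`.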
@@ -509,32 +963,69 @@ _make_efibootimg() { )" # The FAT image must be created with mkfs.fat not mformat, as some systems have issues with mformat made images: # https://lists.gnu.org/archive/html/grub-devel/2019-04/msg00099.html - rm -f -- "${work_dir}/efiboot.img" + rm -f -- "${efibootimg}" _msg_info "Creating FAT image of size: ${imgsize_kib} KiB..." if [[ "${quiet}" == "y" ]]; then # mkfs.fat does not have a -q/--quiet option, so redirect stdout to /dev/null instead # https://github.com/dosfstools/dosfstools/issues/103 - mkfs.fat -C -n ARCHISO_EFI "${work_dir}/efiboot.img" "${imgsize_kib}" > /dev/null + mkfs.fat -C -n ARCHISO_EFI "${efibootimg}" "${imgsize_kib}" > /dev/null else - mkfs.fat -C -n ARCHISO_EFI "${work_dir}/efiboot.img" "${imgsize_kib}" + mkfs.fat -C -n ARCHISO_EFI "${efibootimg}" "${imgsize_kib}" fi # Create the default/fallback boot path in which a boot loaders will be placed later. - mmd -i "${work_dir}/efiboot.img" ::/EFI ::/EFI/BOOT + mmd -D o -i "${efibootimg}" ::/EFI ::/EFI/BOOT +} + +# Copy GRUB files to efiboot.img which is used by both IA32 UEFI and x64 UEFI. +_make_common_bootmode_grub_copy_to_efibootimg() { + local files_to_copy=() + files_to_copy+=("${work_dir}/grub/"*'.cfg') + if compgen -G "${profile}/grub/!(*.cfg)" &> /dev/null; then + files_to_copy+=("${profile}/grub/"!(*.cfg)) + fi + mcopy -D o -i "${efibootimg}" "${files_to_copy[@]}" ::/EFI/BOOT/ } -# Copy the grub.cfg file in efiboot.img which is used by both IA32 UEFI and x64 UEFI. 
-_make_efibootimg_grubcfg() { - mcopy -i "${work_dir}/efiboot.img" \ - "${work_dir}/grub.cfg" ::/EFI/BOOT/grub.cfg +_epoch_to_uuid() { + local _epoch="${1}" + local _uuid + TZ=UTC printf -v _uuid '%(%F-%H-%M-%S-00)T' "${_epoch}" + echo "${_uuid}" } -_make_bootmode_uefi-ia32.grub.esp() { - # Fill GRUB configuration files - sed "s|%ARCHISO_LABEL%|${iso_label}|g; +_get_bootable_uuid() { + local _uuid + _uuid="$(_get_archiso_uuid)" + if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then + _uuid=$(_get_dongle_uuid) + fi + echo "${_uuid}" +} + +# Fill a bootloader configuration template and copy the result in a file +_build_bootloader_config() { + local _template="${1}" + sed "s|%BOOTABLE_UUID%|$(_get_bootable_uuid)|g; + s|%ARCH%|${arch}|g; s|%INSTALL_DIR%|${install_dir}|g; - s|%ARCH%|${arch}|g" \ - "${profile}/grub/grub.cfg" > "${work_dir}/grub.cfg" + s|%KERNEL_PARAMS%|$(_get_kernel_params)|g" \ + "${_template}" +} + +# Prepare GRUB configuration files +_make_common_bootmode_grub_cfg(){ + local _cfg + + install -d -- "${work_dir}/grub" + + # Fill GRUB configuration files + for _cfg in "${profile}/grub/"*'.cfg'; do + _build_bootloader_config "${_cfg}" > "${work_dir}/grub/${_cfg##*/}" + done + # Add all GRUB files to the list of files used to calculate the required FAT image size. + efiboot_files+=("${work_dir}/grub/" + "${profile}/grub/"!(*.cfg)) IFS='' read -r -d '' grubembedcfg <<'EOF' || true if ! [ -d "$cmdpath" ]; then 
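Review bot: `_make_common_bootmode_grub_cfg` appends `"${profile}/grub/"!(*.cfg)` to `efiboot_files` unconditionally, whereas `_make_common_bootmode_grub_copy_to_efibootimg` in the hunk above guards the same extglob with `compgen -G`; for a profile whose `grub/` holds only `.cfg` files the unexpanded pattern reaches `du` (whose errors are hidden by `2>/dev/null`) and the FAT image is sized without it. Apply the same guard: `if compgen -G "${profile}/grub/!(*.cfg)" &> /dev/null; then efiboot_files+=("${profile}/grub/"!(*.cfg)); fi`. `_get_bootable_uuid` hands the dongle UUID to every template as soon as `dongle` is among the buildmodes, and because `_make_common_bootmode_grub_cfg` is run once, the ISO's own bootloader configs then point at the dongle as well; if that is intended (the ISO is only meant to be started from the dongle), a comment on `_get_bootable_uuid` saying so would save the next reader a detour. `_build_bootloader_config` also interpolates `$(_get_kernel_params)` into a sed replacement, where `&`, `|` or `\` coming from `iso_label` or `install_dir` would be interpreted by sed rather than copied — the removed code had the same exposure for `%ARCHISO_LABEL%`, but the new parameter string is longer and built from more variables.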
@@ -547,150 +1038,226 @@ fi configfile "${cmdpath}/grub.cfg" EOF printf '%s\n' "$grubembedcfg" > "${work_dir}/grub-embed.cfg" +} + +_make_common_bootmode_grub_copy_to_isofs_iso() { + isofs_dir="${work_dir}/iso" + _make_common_bootmode_grub_copy_to_isofs "${isofs_dir}" +} + +_make_common_bootmode_grub_copy_to_isofs_dongle() { + dongle_isofs_dir="${work_dir}/dongle_iso" + _make_common_bootmode_grub_copy_to_isofs "${dongle_isofs_dir}" +} + +_make_common_bootmode_grub_copy_to_isofs() { + local isofs_dir="${1}" + local files_to_copy=() + + files_to_copy+=("${work_dir}/grub/"*'.cfg') + if compgen -G "${profile}/grub/!(*.cfg)" &> /dev/null; then + files_to_copy+=("${profile}/grub/"!(*.cfg)) + fi + install -m 0644 -- "${files_to_copy[@]}" "${isofs_dir}/EFI/BOOT/" +} + +_get_grubmodules(){ + echo all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font \ + gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap \ + minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file \ + search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 \ + usbserial_usbdebug video xfs zstd +} + +_make_bootmode_uefi-ia32.grub.esp() { + local bootable="${1}" + local grubmodules=() + + # Prepare configuration files + _run_once _make_common_bootmode_grub_cfg # Create EFI binary + # Module list from https://bugs.archlinux.org/task/71382#comment202911 + grubmodules=(all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font \ + gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap \ + minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file \ + search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 \ + usbserial_usbdebug video xfs zstd) grub-mkstandalone -O i386-efi \ - --modules="part_gpt 
part_msdos fat iso9660" \ + --modules="$(_get_grubmodules)" \ --locales="en@quot" \ --themes="" \ --sbat=/usr/share/grub/sbat.csv \ + --disable-shim-lock \ -o "${work_dir}/BOOTIA32.EFI" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg" + # Add GRUB to the list of files used to calculate the required FAT image size. efiboot_files+=("${work_dir}/BOOTIA32.EFI" "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi") if [[ " ${bootmodes[*]} " =~ uefi-x64.systemd-boot.esp ]]; then # TODO: Remove this branch. - _run_once _make_bootmode_uefi-x64.systemd-boot.esp + _run_once "_make_bootmode_uefi-x64.systemd-boot.esp_${bootable}" elif [[ " ${bootmodes[*]} " =~ uefi-x64.grub.esp ]]; then - _run_once _make_bootmode_uefi-x64.grub.esp + _run_once "_make_bootmode_uefi-x64.grub.esp_${bootable}" else - efiboot_imgsize="$(du -bc "${efiboot_files[@]}" \ - 2>/dev/null | awk 'END { print $1 }')" + efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" 2>/dev/null | awk 'END { print $1 }')" # Create a FAT image for the EFI system partition _make_efibootimg "$efiboot_imgsize" fi # Copy GRUB EFI binary to the default/fallback boot path - mcopy -i "${work_dir}/efiboot.img" \ - "${work_dir}/BOOTIA32.EFI" ::/EFI/BOOT/BOOTIA32.EFI + mcopy -D o -i "${efibootimg}" "${work_dir}/BOOTIA32.EFI" ::/EFI/BOOT/BOOTIA32.EFI - # Copy GRUB configuration files - _run_once _make_efibootimg_grubcfg + # Copy GRUB files + _run_once _make_common_bootmode_grub_copy_to_efibootimg if [[ -e "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" ]]; then - mcopy -i "${work_dir}/efiboot.img" \ - "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" ::/shellia32.efi + mcopy -D o -i "${efibootimg}" "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" ::/shellia32.efi fi _msg_info "Done! GRUB set up for UEFI booting successfully." 
} +_make_bootmode_uefi-ia32.grub.esp_iso() { + _make_bootmode_uefi-ia32.grub.esp "iso" +} + +_make_bootmode_uefi-ia32.grub.esp_dongle() { + _make_bootmode_uefi-ia32.grub.esp "dongle" +} + # Prepare GRUB for El Torito booting _make_bootmode_uefi-ia32.grub.eltorito() { + local bootable_dir="${1}" + local bootable="${2}" # El Torito UEFI boot requires an image containing the EFI system partition. # uefi-ia32.grub.eltorito has the same requirements as uefi-ia32.grub.esp - _run_once _make_bootmode_uefi-ia32.grub.esp + _run_once "_make_bootmode_uefi-ia32.grub.esp_${bootable}" + + # Prepare configuration files + _run_once _make_common_bootmode_grub_cfg # Additionally set up systemd-boot in ISO 9660. This allows creating a medium for the live environment by using # manual partitioning and simply copying the ISO 9660 file system contents. # This is not related to El Torito booting and no firmware uses these files. _msg_info "Preparing an /EFI directory for the ISO 9660 file system..." - install -d -m 0755 -- "${isofs_dir}/EFI/BOOT" + install -d -m 0755 -- "${bootable_dir}/EFI/BOOT" # Copy GRUB EFI binary to the default/fallback boot path - install -m 0644 -- "${work_dir}/BOOTIA32.EFI" \ - "${isofs_dir}/EFI/BOOT/BOOTIA32.EFI" + install -m 0644 -- "${work_dir}/BOOTIA32.EFI" "${bootable_dir}/EFI/BOOT/BOOTIA32.EFI" # Copy GRUB configuration files - install -m 0644 -- "${work_dir}/grub.cfg" "${isofs_dir}/EFI/BOOT/grub.cfg" + _run_once "_make_common_bootmode_grub_copy_to_isofs_${bootable}" # edk2-shell based UEFI shell if [[ -e "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" ]]; then - install -m 0644 -- "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" \ - "${isofs_dir}/shellia32.efi" + install -m 0644 -- "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" "${bootable_dir}/shellia32.efi" fi _msg_info "Done!" 
} +_make_bootmode_uefi-ia32.grub.eltorito_iso() { + _make_bootmode_uefi-ia32.grub.eltorito "${isofs_dir}" "iso" +} + +_make_bootmode_uefi-ia32.grub.eltorito_dongle() { + _make_bootmode_uefi-ia32.grub.eltorito "${dongle_isofs_dir}" "dongle" +} + _make_bootmode_uefi-x64.grub.esp() { - # Fill Grub configuration files - sed "s|%ARCHISO_LABEL%|${iso_label}|g; - s|%INSTALL_DIR%|${install_dir}|g; - s|%ARCH%|${arch}|g" \ - "${profile}/grub/grub.cfg" > "${work_dir}/grub.cfg" + local grubmodules=() - IFS='' read -r -d '' grubembedcfg <<'EOF' || true -if ! [ -d "$cmdpath" ]; then - # On some firmware, GRUB has a wrong cmdpath when booted from an optical disc. - # https://gitlab.archlinux.org/archlinux/archiso/-/issues/183 - if regexp --set=1:isodevice '^(\([^)]+\))\/?[Ee][Ff][Ii]\/[Bb][Oo][Oo][Tt]\/?$' "$cmdpath"; then - cmdpath="${isodevice}/EFI/BOOT" - fi -fi -configfile "${cmdpath}/grub.cfg" -EOF - printf '%s\n' "$grubembedcfg" > "${work_dir}/grub-embed.cfg" + # Prepare configuration files + _run_once _make_common_bootmode_grub_cfg # Create EFI binary + # Module list from https://bugs.archlinux.org/task/71382#comment202911 + grubmodules=(all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font \ + gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap \ + minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file \ + search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 \ + usbserial_usbdebug video xfs zstd) grub-mkstandalone -O x86_64-efi \ - --modules="part_gpt part_msdos fat iso9660" \ + --modules="${grubmodules[*]}" \ --locales="en@quot" \ --themes="" \ --sbat=/usr/share/grub/sbat.csv \ + --disable-shim-lock \ -o "${work_dir}/BOOTx64.EFI" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg" # Add GRUB to the list of files used to calculate the required FAT image size. 
efiboot_files+=("${work_dir}/BOOTx64.EFI" "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi") - efiboot_imgsize="$(du -bc "${efiboot_files[@]}" \ - 2>/dev/null | awk 'END { print $1 }')" + efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" 2>/dev/null | awk 'END { print $1 }')" # Create a FAT image for the EFI system partition _make_efibootimg "$efiboot_imgsize" - # Copy grub EFI binary to the default/fallback boot path - mcopy -i "${work_dir}/efiboot.img" \ - "${work_dir}/BOOTx64.EFI" ::/EFI/BOOT/BOOTx64.EFI + # Copy GRUB EFI binary to the default/fallback boot path + mcopy -D o -i "${efibootimg}" "${work_dir}/BOOTx64.EFI" ::/EFI/BOOT/BOOTx64.EFI - _run_once _make_efibootimg_grubcfg + # Copy GRUB files + _run_once _make_common_bootmode_grub_copy_to_efibootimg if [[ -e "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ]]; then - mcopy -i "${work_dir}/efiboot.img" \ - "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ::/shellx64.efi + mcopy -D o -i "${efibootimg}" \ + "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" \ + "::/shellx64.efi" fi _msg_info "Done! GRUB set up for UEFI booting successfully." } +_make_bootmode_uefi-x64.grub.esp_iso() { + _make_bootmode_uefi-x64.grub.esp +} + +_make_bootmode_uefi-x64.grub.esp_dongle() { + _make_bootmode_uefi-x64.grub.esp +} + # Prepare GRUB for El Torito booting _make_bootmode_uefi-x64.grub.eltorito() { + local bootable_dir="${1}" + local bootable="${2}" # El Torito UEFI boot requires an image containing the EFI system partition. # uefi-x64.grub.eltorito has the same requirements as uefi-x64.grub.esp - _run_once _make_bootmode_uefi-x64.grub.esp + _run_once "_make_bootmode_uefi-x64.grub.esp_${bootable}" + + # Prepare configuration files + _run_once _make_common_bootmode_grub_cfg # Additionally set up systemd-boot in ISO 9660. This allows creating a medium for the live environment by using # manual partitioning and simply copying the ISO 9660 file system contents. 
# This is not related to El Torito booting and no firmware uses these files. _msg_info "Preparing an /EFI directory for the ISO 9660 file system..." - install -d -m 0755 -- "${isofs_dir}/EFI/BOOT" + install -d -m 0755 -- "${bootable_dir}/EFI/BOOT" # Copy GRUB EFI binary to the default/fallback boot path install -m 0644 -- "${work_dir}/BOOTx64.EFI" \ - "${isofs_dir}/EFI/BOOT/BOOTx64.EFI" + "${bootable_dir}/EFI/BOOT/BOOTx64.EFI" - # Copy GRUB configuration files - install -m 0644 -- "${work_dir}/grub.cfg" "${isofs_dir}/EFI/BOOT" + # Copy GRUB files + _run_once "_make_common_bootmode_grub_copy_to_isofs_${bootable}" # edk2-shell based UEFI shell if [[ -e "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ]]; then - install -m 0644 -- "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" "${isofs_dir}/shellx64.efi" + install -m 0644 -- "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" "${bootable_dir}/shellx64.efi" fi _msg_info "Done!" } +_make_bootmode_uefi-x64.grub.eltorito_iso() { + _make_bootmode_uefi-x64.grub.eltorito "${isofs_dir}" "iso" +} + +_make_bootmode_uefi-x64.grub.eltorito_dongle() { + _make_bootmode_uefi-x64.grub.eltorito "${dongle_isofs_dir}" "dongle" +} + # Prepare systemd-boot for booting when written to a disk (isohybrid) _make_bootmode_uefi-x64.systemd-boot.esp() { local _file efiboot_imgsize 
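Review bot: `_make_bootmode_uefi-ia32.grub.esp` fills a local `grubmodules` array and then passes `--modules="$(_get_grubmodules)"` instead, so the array is dead code, while `_make_bootmode_uefi-x64.grub.esp` keeps its own copy of the list and never calls `_get_grubmodules`; keep the single source and use `--modules="$(_get_grubmodules)"` in both, dropping the two inline arrays. `--disable-shim-lock` is added to both `grub-mkstandalone` calls without explanation; it removes GRUB's shim_lock verifier, so when the image is started through shim under Secure Boot the kernel is no longer checked by GRUB, which sits oddly in a commit titled "Physical attacks mitigations" — a comment next to the flag stating why it is acceptable here (for instance that the standalone image is not shim-signed and integrity is instead enforced by the `verify=y` initramfs path) is needed. `_make_bootmode_uefi-x64.grub.esp_iso` and `_make_bootmode_uefi-x64.grub.esp_dongle` both call the same parameterless function under distinct `_run_once` markers, so with both buildmodes selected the ESP and `${efibootimg}` are produced twice; the same applies to the `systemd-boot.esp_iso/_dongle` pair in the hunk at `@@ -741,41 +1305,58 @@`. Where `efibootimg` is assigned is outside this hunk, so whether the second run is merely wasteful or overwrites an already populated image cannot be told from here.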
@@ -709,28 +1276,25 @@ _make_bootmode_uefi-x64.systemd-boot.esp() { "${pacstrap_dir}/boot/vmlinuz-"* "${pacstrap_dir}/boot/initramfs-"*".img" "${_available_ucodes[@]}") - efiboot_imgsize="$(du -bc "${efiboot_files[@]}" \ + efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" \ 2>/dev/null | awk 'END { print $1 }')" # Create a FAT image for the EFI system partition _make_efibootimg "$efiboot_imgsize" # Copy systemd-boot EFI binary to the default/fallback boot path - mcopy -i "${work_dir}/efiboot.img" \ + mcopy -D o -i "${efibootimg}" \ "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-bootx64.efi" ::/EFI/BOOT/BOOTx64.EFI # Copy systemd-boot configuration files - mmd -i "${work_dir}/efiboot.img" ::/loader ::/loader/entries - mcopy -i "${work_dir}/efiboot.img" "${profile}/efiboot/loader/loader.conf" ::/loader/ + mmd -D o -i "${efibootimg}" ::/loader ::/loader/entries + mcopy -D o -i "${efibootimg}" "${profile}/efiboot/loader/loader.conf" ::/loader/ for _conf in "${profile}/efiboot/loader/entries/"*".conf"; do - sed "s|%ARCHISO_LABEL%|${iso_label}|g; - s|%INSTALL_DIR%|${install_dir}|g; - s|%ARCH%|${arch}|g" \ - "${_conf}" | mcopy -i "${work_dir}/efiboot.img" - "::/loader/entries/${_conf##*/}" - done + _build_bootloader_config "${_conf}" | mcopy -D o -i "${efibootimg}" - "::/loader/entries/${_conf##*/}" + done # shellx64.efi is picked up automatically when on / if [[ -e "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ]]; then - mcopy -i "${work_dir}/efiboot.img" \ + mcopy -D o -i "${efibootimg}" \ "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ::/shellx64.efi fi 
@@ -741,41 +1305,58 @@ _make_bootmode_uefi-x64.systemd-boot.esp() { _msg_info "Done! systemd-boot set up for UEFI booting successfully." } +_make_bootmode_uefi-x64.systemd-boot.esp_iso() { + _make_bootmode_uefi-x64.systemd-boot.esp +} + +_make_bootmode_uefi-x64.systemd-boot.esp_dongle() { + _make_bootmode_uefi-x64.systemd-boot.esp +} + # Prepare systemd-boot for El Torito booting _make_bootmode_uefi-x64.systemd-boot.eltorito() { + local bootable_dir="${1}" + local bootable="${2}" # El Torito UEFI boot requires an image containing the EFI system partition. # uefi-x64.systemd-boot.eltorito has the same requirements as uefi-x64.systemd-boot.esp - _run_once _make_bootmode_uefi-x64.systemd-boot.esp + _run_once "_make_bootmode_uefi-x64.systemd-boot.esp_${bootable}" # Additionally set up systemd-boot in ISO 9660. This allows creating a medium for the live environment by using # manual partitioning and simply copying the ISO 9660 file system contents. # This is not related to El Torito booting and no firmware uses these files. _msg_info "Preparing an /EFI directory for the ISO 9660 file system..." 
- install -d -m 0755 -- "${isofs_dir}/EFI/BOOT" + install -d -m 0755 -- "${bootable_dir}/EFI/BOOT" # Copy systemd-boot EFI binary to the default/fallback boot path install -m 0644 -- "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \ - "${isofs_dir}/EFI/BOOT/BOOTx64.EFI" + "${bootable_dir}/EFI/BOOT/BOOTx64.EFI" # Copy systemd-boot configuration files - install -d -m 0755 -- "${isofs_dir}/loader/entries" - install -m 0644 -- "${profile}/efiboot/loader/loader.conf" "${isofs_dir}/loader/" + install -d -m 0755 -- "${bootable_dir}/loader/entries" + install -m 0644 -- "${profile}/efiboot/loader/loader.conf" "${bootable_dir}/loader/" for _conf in "${profile}/efiboot/loader/entries/"*".conf"; do - sed "s|%ARCHISO_LABEL%|${iso_label}|g; - s|%INSTALL_DIR%|${install_dir}|g; - s|%ARCH%|${arch}|g" \ - "${_conf}" > "${isofs_dir}/loader/entries/${_conf##*/}" - done + _build_bootloader_config "${_conf}" > "${bootable_dir}/loader/entries/${_conf##*/}" + done # edk2-shell based UEFI shell # shellx64.efi is picked up automatically when on / if [[ -e "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ]]; then - install -m 0644 -- "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" "${isofs_dir}/shellx64.efi" + install -m 0644 -- "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" "${bootable_dir}/shellx64.efi" fi _msg_info "Done!" } +# Prepare systemd-boot for El Torito booting +_make_bootmode_uefi-x64.systemd-boot.eltorito_iso() { + _make_bootmode_uefi-x64.systemd-boot.eltorito "${isofs_dir}" "iso" +} + +# Prepare systemd-boot for El Torito booting +_make_bootmode_uefi-x64.systemd-boot.eltorito_dongle() { + _make_bootmode_uefi-x64.systemd-boot.eltorito "${dongle_isofs_dir}" "dongle" +} + _validate_requirements_bootmode_bios.syslinux.mbr() { # bios.syslinux.mbr requires bios.syslinux.eltorito # shellcheck disable=SC2076 
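Review bot: the two new wrappers `_make_bootmode_uefi-x64.systemd-boot.eltorito_iso` and `_make_bootmode_uefi-x64.systemd-boot.eltorito_dongle` carry the copied header `# Prepare systemd-boot for El Torito booting`, which describes the callee rather than what the wrapper decides; something like `# Run the El Torito systemd-boot setup against the ISO 9660 tree (isofs_dir)` and `# Run the El Torito systemd-boot setup against the dongle tree (dongle_isofs_dir)` tells the reader why two entry points exist. `_make_bootmode_uefi-x64.systemd-boot.eltorito` itself now takes `bootable_dir` and `bootable` as `local` positionals, which is the pattern the other dispatchers in this commit should follow (the syslinux mbr one assigns them as globals). The `_conf` loop variable remains undeclared, as in the removed code, so it leaks into the caller's scope.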
@@ -908,7 +1489,7 @@ _validate_requirements_bootmode_uefi-x64.grub.esp() {
 _msg_error "Validating '${bootmode}': grub-install is not available on this host. Install 'grub'!" 0
 fi
 
- # Check if mkfs.fat is available
+ # Check if mkfs.fat is available
 if ! command -v mkfs.fat &> /dev/null; then
 (( validation_error=validation_error+1 ))
 _msg_error "Validating '${bootmode}': mkfs.fat is not available on this host. Install 'dosfstools'!" 0
@@ -955,12 +1536,57 @@ _validate_requirements_bootmode_uefi-x64.grub.eltorito() { _validate_requirements_bootmode_uefi-x64.grub.esp } +_get_airootfs_path(){ + echo "${install_dir}/${arch}/airootfs.$(_get_fs_ext "airootfs")" +} + +_get_airootfs_img(){ + echo "${airootfs_img_dir}/airootfs.$(_get_fs_ext "airootfs")" +} + # Build airootfs filesystem image _prepare_airootfs_image() { + local _sig_dir airootfs_size pacstrap_size + + pacstrap_size=$(du -s "${pacstrap_dir}" | cut -f 1) + airootfs_size=$((pacstrap_size+200000)) + _run_once "_mkairootfs_${airootfs_image_type}" - _mkchecksum + _mkchecksum "$(_get_airootfs_img)" + if [[ -n "${gpg_key}" ]]; then + _mksignature "$(_get_airootfs_img)" + if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then + dongle_isofs_dir="${work_dir}/dongle_iso" + _sig_dir="${dongle_isofs_dir}/${install_dir}/${arch}" + install -d -m711 "${_sig_dir}" + cp "$(_get_airootfs_img).sig" "${_sig_dir}" + fi + fi +} + +# Build keys filesystem image +_prepare_keys_image() { + keys_size=25000 + _run_once "_mkkeys_${keys_image_type}" + + _mkchecksum "${dongle_isofs_dir}/keys.$(_get_fs_ext "keys")" if [[ -n "${gpg_key}" ]]; then - _mksignature + _mksignature "${dongle_isofs_dir}/keys.$(_get_fs_ext "keys")" + fi +} + +# Build persistent filesystem image +_prepare_persistent_image() { + local persistent_dir_size + + if [ -d "${profile}/persistent" ]; then + cp -af --no-preserve=ownership,mode -- "${profile}/persistent/." "${persistent_dir}" + persistent_dir_size=$(du -s "${persistent_dir}" | cut -f 1) + persistent_size_kib=$(( persistent_dir_size > persistent_size_kib ? persistent_dir_size : persistent_size_kib )) + fi + + if [ "${persistent_size_kib}" != "" ]; then + _run_once "_mkpersistent_${persistent_image_type}" fi } 
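Review bot: `_prepare_keys_image` checksums and signs an image that, per the `cryptkey=UUID=$(_get_dongle_uuid):iso9660,...,airootfs.key` parameter built in `_get_crypto_params`, carries the LUKS key in the clear, yet nothing in the function says so; add a header such as `# Build the keys image shipped on the dongle; it holds airootfs.key unencrypted, so the dongle ISO and ${work_dir} must be handled as secrets.` so that nobody publishes the dongle image next to the ISO. `keys_size=25000` is assigned as a global; `local keys_size=25000` still reaches `_mkkeys_${keys_image_type}` through bash's dynamic scoping if that helper reads it. In `_prepare_airootfs_image` the signature is placed with `install -d -m711` and a bare `cp`, unlike the `0755`/`install -m 0644 --` used for every other file copied into the ISO trees; `install -d -m 0755 -- "${_sig_dir}"` and `install -m 0644 -- "$(_get_airootfs_img).sig" "${_sig_dir}/"` would match. `airootfs_size` is computed here but not used within the hunk — presumably consumed by `_mkairootfs_*` via dynamic scope, which is worth a comment if so.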
@@ -978,13 +1604,13 @@ _sign_netboot_artifacts() {
 local _file _dir
 local _files_to_sign=()
 _msg_info "Signing netboot artifacts..."
- _dir="${isofs_dir}/${install_dir}/boot/"
+ _dir="${isofs_dir}/${install_dir}/boot"
 for _file in "${ucodes[@]}"; do
- if [[ -e "${_dir}${_file}" ]]; then
- _files_to_sign+=("${_dir}${_file}")
+ if [[ -e "${_dir}/${_file}" ]]; then
+ _files_to_sign+=("${_dir}/${_file}")
 fi
 done
- for _file in "${_files_to_sign[@]}" "${_dir}${arch}/vmlinuz-"* "${_dir}${arch}/initramfs-"*.img; do
+ for _file in "${_files_to_sign[@]}" "${_dir}/${arch}/vmlinuz-"* "${_dir}/${arch}/initramfs-"*.img; do
 openssl cms \
 -sign \
 -binary \
@@ -994,25 +1620,53 @@ _sign_netboot_artifacts() { -inkey "${cert_list[1]}" \ -outform DER \ -out "${_file}".ipxe.sig - done - _msg_info "Done!" + done + _msg_info "Done!" + } + + _validate_requirements_airootfs_image_type_squashfs() { + if ! command -v mksquashfs &> /dev/null; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${airootfs_image_type}': mksquashfs is not available on this host. Install 'squashfs-tools'!" 0 + fi + } + + _validate_requirements_airootfs_image_type_ext4() { + if ! { command -v mkfs.ext4 &> /dev/null && command -v tune2fs &> /dev/null; }; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${airootfs_image_type}': mkfs.ext4 and/or tune2fs is not available on this host. Install 'e2fsprogs'!" 0 + fi + } + + _validate_requirements_airootfs_image_type_ext4+squashfs() { + _validate_requirements_airootfs_image_type_ext4 + _validate_requirements_airootfs_image_type_squashfs } -_validate_requirements_airootfs_image_type_squashfs() { - if ! command -v mksquashfs &> /dev/null; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${airootfs_image_type}': mksquashfs is not available on this host. Install 'squashfs-tools'!" 0 +# +_resolve_encryption_key(){ + if [ ! -f "${encryption_key}" ]; then + if [ "${encryption_key}" = 'auto' ]; then + encryption_key="${work_dir}/${iso_label}.key" + [ ! -d "${work_dir}" ] && install -d "${work_dir}" + dd if=/dev/random bs=512 count=1 of="${encryption_key}" + elif [ "${encryption_key}" != 'auto' ]; then + _msg_error "File '${encryption_key}' does not exist." 0 + fi fi } -_validate_requirements_airootfs_image_type_ext4+squashfs() { - if ! { command -v mkfs.ext4 &> /dev/null && command -v tune2fs &> /dev/null; }; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${airootfs_image_type}': mkfs.ext4 and/or tune2fs is not available on this host. Install 'e2fsprogs'!" 
0 - fi +_validate_requirements_airootfs_image_type_squashfs+luks() { + _validate_requirements_airootfs_image_type_luks _validate_requirements_airootfs_image_type_squashfs } +_validate_requirements_airootfs_image_type_ext4+squashfs+luks() { + _validate_requirements_airootfs_image_type_luks + _validate_requirements_airootfs_image_type_squashfs + _validate_requirements_airootfs_image_type_ext4 +} + _validate_requirements_airootfs_image_type_erofs() { if ! command -v mkfs.erofs &> /dev/null; then (( validation_error=validation_error+1 )) @@ -1020,6 +1674,19 @@ _validate_requirements_airootfs_image_type_erofs() { fi } +_validate_requirements_airootfs_image_type_luks() { + if ! command -v cryptsetup &> /dev/null && command -v mkfs.erofs &> /dev/null; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${airootfs_image_type}': cryptsetup is not available on this host. Install 'cryptsetup'!" 0 + fi + [[ -n "$encryption_key" ]] && _resolve_encryption_key +} + +_validate_requirements_airootfs_image_type_erofs+luks() { + _validate_requirements_airootfs_image_type_luks + _validate_requirements_airootfs_image_type_erofs +} + _validate_common_requirements_buildmode_all() { if ! command -v pacman &> /dev/null; then (( validation_error=validation_error+1 )) @@ -1033,6 +1700,9 @@ _validate_common_requirements_buildmode_all() { (( validation_error=validation_error+1 )) _msg_error "Validating build mode '${_buildmode}': gzip is not available on this host. Install 'gzip'!" 0 fi + if [[ ! " ${buildmodes[*]} " =~ ' dongle ' ]]; then + _msg_warning "Validating build mode '${_buildmode}': 'dongle' build mode not selected, the resulting image will be vulnerable to 'evil maids'." + fi } _validate_requirements_buildmode_bootstrap() { 
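Review bot: `_resolve_encryption_key` creates the LUKS key with a bare `dd ... of="${encryption_key}"`, so the key file gets the build user's umask (typically 0644) and is readable by every local account on the build host for as long as `${work_dir}` exists; create it restricted first, e.g. `install -m 0600 -- /dev/null "${encryption_key}"` followed by the `dd`, or run the `dd` inside `(umask 077; ...)`. The `auto` branch also regenerates and overwrites `${work_dir}/${iso_label}.key` on every invocation while the image steps are guarded by `_run_once`, so a re-run in an existing work directory would, as far as I can tell, pair a fresh key with an airootfs already encrypted under the old one — only generate when the file is absent. The trailing `elif [ "${encryption_key}" != 'auto' ]` can never be false inside that `if` and should be a plain `else`. `_validate_requirements_airootfs_image_type_erofs` at the end of the hunk continues past it.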
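Review bot: The tool check in `_validate_requirements_airootfs_image_type_luks` is `! command -v cryptsetup &> /dev/null && command -v mkfs.erofs &> /dev/null`, which only reports the missing `cryptsetup` when `mkfs.erofs` happens to be installed; on a host with neither, validation passes and the build fails later. The condition should be just `if ! command -v cryptsetup &> /dev/null; then`, with erofs covered by `_validate_requirements_airootfs_image_type_erofs` as the `erofs+luks` variant already does. The closing `[[ -n "$encryption_key" ]] && _resolve_encryption_key` also leaves the function with exit status 1 when `encryption_key` is empty; write it as an `if` so the validator's return code does not depend on it.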
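Review bot: The new warning in `_validate_common_requirements_buildmode_all` overstates what the `dongle` build mode provides: as far as this diff shows, the dongle only moves the airootfs LUKS key onto a second image, so a tampered bootloader, kernel or initramfs on the unencrypted boot partition is still loaded, and the message should name what is actually mitigated. Because this function is called from every `_validate_requirements_buildmode_*`, the warning is also printed once per configured build mode, including `bootstrap` and `netboot` where a dongle is irrelevant. Suggested text, emitted only when `_buildmode` is `iso`: `_msg_warning "Validating build mode '${_buildmode}': 'dongle' build mode not selected; the airootfs encryption key will be placed next to the image in the output directory."` — which is what the `cp "${encryption_key}" "${out_dir}"` in `_build_iso_image` does.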
@@ -1089,6 +1759,11 @@ _validate_common_requirements_buildmode_iso_netboot() { fi } +_validate_requirements_buildmode_dongle() { + _validate_common_requirements_buildmode_all + [[ -n "$encryption_key" ]] && _resolve_encryption_key +} + _validate_requirements_buildmode_iso() { _validate_common_requirements_buildmode_iso_netboot _validate_common_requirements_buildmode_all @@ -1144,23 +1819,25 @@ _validate_requirements_buildmode_netboot() { fi } -# SYSLINUX El Torito -_add_xorrisofs_options_bios.syslinux.eltorito() { - xorrisofs_options+=( - # El Torito boot image for x86 BIOS - '-eltorito-boot' 'syslinux/isolinux.bin' - # El Torito boot catalog file - '-eltorito-catalog' 'syslinux/boot.cat' - # Required options to boot with ISOLINUX - '-no-emul-boot' '-boot-load-size' '4' '-boot-info-table' - ) +_add_xorrisofs_options_persistent_partition() { + local _xorrisofs_options=("$@") + if [[ "${persistent_image_type}" == *"luks" ]]; then + persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" + else + persistent_guid="0FC63DAF-8483-4772-8E79-3D69D8477DE4" + fi + _xorrisofs_options+=('-append_partition' '3' "${persistent_guid}" "${persistentimg}") + echo "${_xorrisofs_options[@]}" } # SYSLINUX MBR (isohybrid) _add_xorrisofs_options_bios.syslinux.mbr() { - xorrisofs_options+=( + local bootable_dir="${1}" + shift + local _xorrisofs_options=("$@") + _xorrisofs_options+=( # SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot syslinux/isolinux.bin" - '-isohybrid-mbr' "${isofs_dir}/syslinux/isohdpfx.bin" + '-isohybrid-mbr' "${bootable_dir}/syslinux/isohdpfx.bin" # When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR # bootstrap code area) and mark it as bootable # May allow booting on some systems 
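Review bot: `_validate_requirements_buildmode_dongle` ends with `[[ -n "$encryption_key" ]] && _resolve_encryption_key`, so when the profile leaves `encryption_key` empty the function returns 1; if mkarchiso runs under `set -e` (its preamble is outside this view) the caller of `_validate_requirements_buildmode_${buildmode}` would abort with no message. Use `if [[ -n "$encryption_key" ]]; then _resolve_encryption_key; fi`. A dongle build without a key also has nothing to carry, so it seems better to count that case as a `validation_error` with an explanation than to continue silently. `_validate_requirements_buildmode_iso` continues past the hunk.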
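Review bot: `_add_xorrisofs_options_persistent_partition` and the reworked `_add_xorrisofs_options_bios.syslinux.mbr` hand their option list back with `echo "${_xorrisofs_options[@]}"`, which joins every element with spaces; the `_iso`/`_dongle` wrappers elsewhere in this patch assign that with `=("$(...)")`, so the whole list becomes one array element and any element containing whitespace (a `${work_dir}` or `${persistentimg}` path with a space) can no longer reach xorriso intact. Prefer a nameref so the helper appends to the caller's array in place — `local -n _xorrisofs_options="${1}"; shift` at the top and no `echo` at the end — or emit `printf '%s\0'` and read back with `mapfile -d ''`. `persistent_guid` is also assigned without `local` and leaks into the global scope.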
@@ -1171,35 +1848,88 @@ _add_xorrisofs_options_bios.syslinux.mbr() { # https://dev.lovelyhq.com/libburnia/libisoburn/src/branch/master/doc/partition_offset.wiki '-partition_offset' '16' ) + echo "${_xorrisofs_options[@]}" +} + +_add_xorrisofs_options_bios.syslinux.mbr_iso() { + xorrisofs_options=("$(_add_xorrisofs_options_bios.syslinux.mbr "${isofs_dir}" "${xorrisofs_options[@]}")") +} + +_add_xorrisofs_options_bios.syslinux.mbr_dongle() { + dongle_xorrisofs_options=("$(_add_xorrisofs_options_bios.syslinux.mbr "${dongle_isofs_dir}" "${dongle_xorrisofs_options[@]}")") +} + +# SYSLINUX El Torito +_add_xorrisofs_options_bios.syslinux.eltorito() { + local _xorrisofs_options=("$@") + _xorrisofs_options+=(# El Torito boot image for x86 BIOS + '-eltorito-boot' 'syslinux/isolinux.bin' + # El Torito boot catalog file + '-eltorito-catalog' 'syslinux/boot.cat' + # Required options to boot with ISOLINUX + '-no-emul-boot' '-boot-load-size' '4' '-boot-info-table') + echo "${_xorrisofs_options[@]}" +} + +_add_xorrisofs_options_bios.syslinux.eltorito_iso() { + xorrisofs_options=("$(_add_xorrisofs_options_bios.syslinux.eltorito "${xorrisofs_options[@]}")") +} + +_add_xorrisofs_options_bios.syslinux.eltorito_dongle() { + dongle_xorrisofs_options=("$(_add_xorrisofs_options_bios.syslinux.eltorito "${dongle_xorrisofs_options[@]}")") } # GRUB in an attached EFI system partition _add_xorrisofs_options_uefi-ia32.grub.esp() { + local _xorrisofs_options=("$@") # TODO: how does the bootmodes systemd-boot vs x64.grub affect ${bootmodes[*]} tests in _add_xorrisofs_options_uefi-x64.systemd-boot.esp etc? # shellcheck disable=SC2076 if [[ ! " ${bootmodes[*]} " =~ ' uefi-x64.systemd-boot.esp ' && ! 
" ${bootmodes[*]} " =~ ' uefi-x64.grub.esp ' ]]; then # _add_xorrisofs_options_uefi-x64.systemd-boot.esp - _add_xorrisofs_options_uefi-x64.grub.esp + _xorrisofs_options=("$(_add_xorrisofs_options_uefi-x64.grub.esp "${_xorrisofs_options[@]}")") fi + echo "${_xorrisofs_options[@]}" +} + +_add_xorrisofs_options_uefi-ia32.grub.esp_iso() { + xorrisofs_options=("$(_add_xorrisofs_options_uefi-ia32.grub.esp "${xorrisofs_options[@]}")") +} + +_add_xorrisofs_options_uefi-ia32.grub.esp_dongle() { + dongle_xorrisofs_options=("$(_add_xorrisofs_options_uefi-ia32.grub.esp "${dongle_xorrisofs_options[@]}")") } # GRUB via El Torito _add_xorrisofs_options_uefi-ia32.grub.eltorito() { + local _xorrisofs_options=("$@") # shellcheck disable=SC2076 if [[ ! " ${bootmodes[*]} " =~ ' uefi-x64.systemd-boot.eltorito ' && ! " ${bootmodes[*]} " =~ ' uefi-x64.grub.eltorito ' ]]; then # _add_xorrisofs_options_uefi-x64.systemd-boot.eltorito - _add_xorrisofs_options_uefi-x64.grub.eltorito + _xorrisofs_options=("$(_add_xorrisofs_options_uefi-x64.grub.eltorito "${_xorrisofs_options[@]}")") fi + echo "${_xorrisofs_options[@]}" +} + +_add_xorrisofs_options_uefi-ia32.grub.eltorito_iso() { + xorrisofs_options=("$(_add_xorrisofs_options_uefi-ia32.grub.eltorito "${xorrisofs_options[@]}")") +} + +_add_xorrisofs_options_uefi-ia32.grub.eltorito_dongle() { + dongle_xorrisofs_options=("$(_add_xorrisofs_options_uefi-ia32.grub.eltorito "${dongle_xorrisofs_options[@]}")") } # systemd-boot in an attached EFI system partition _add_xorrisofs_options_uefi-x64.systemd-boot.esp() { + local _xorrisofs_options=("$@") # Move the first partition away from the start of the ISO, otherwise the GPT will not be valid and ISO 9660 # partition will not be mountable # shellcheck disable=SC2076 - [[ " ${xorrisofs_options[*]} " =~ ' -partition_offset ' ]] || xorrisofs_options+=('-partition_offset' '16') + [[ " ${_xorrisofs_options[*]} " =~ ' -partition_offset ' ]] || _xorrisofs_options+=('-partition_offset' '16') # Attach efiboot.img 
as a second partition and set its partition type to "EFI system partition" - xorrisofs_options+=('-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${work_dir}/efiboot.img") + _xorrisofs_options+=('-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${efibootimg}") + if [ "${persistent_size_kib}" != "" ]; then + _xorrisofs_options=("$(_add_xorrisofs_options_persistent_partition "${_xorrisofs_options[@]}")") + fi # Ensure GPT is used as some systems do not support UEFI booting without it # shellcheck disable=SC2076 if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then 
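Review bot: The `_iso`/`_dongle` wrapper pairs introduced here (`_add_xorrisofs_options_bios.syslinux.mbr_iso`, `..._dongle` and the El Torito and GRUB counterparts) carry no comment explaining the new convention that `_build_iso_image` and `_build_dongle_image` dispatch to `_add_xorrisofs_options_${bootmode}_iso` / `_dongle`, so a new bootmode now needs three functions instead of one. I'd add a block comment above `_add_xorrisofs_options_bios.syslinux.mbr_iso` saying that each generic `_add_xorrisofs_options_<bootmode>` takes the current option list as arguments and prints the extended list on stdout, and that the `_iso` and `_dongle` variants bind it to `xorrisofs_options`/`isofs_dir` and `dongle_xorrisofs_options`/`dongle_isofs_dir` respectively. Since every wrapper captures the helper's stdout, that comment should also warn that the helpers must print nothing else. `_add_xorrisofs_options_uefi-x64.systemd-boot.esp` continues past the end of the hunk.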
@@ -1210,67 +1940,91 @@ _add_xorrisofs_options_uefi-x64.systemd-boot.esp() { # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. - if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then - xorrisofs_options+=('-isohybrid-gpt-basdat') + if [[ ! " ${_xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then + _xorrisofs_options+=('-isohybrid-gpt-basdat') fi fi else # Use valid GPT if BIOS booting support will not be required - xorrisofs_options+=('-appended_part_as_gpt') + _xorrisofs_options+=('-appended_part_as_gpt') fi + echo "${_xorrisofs_options[@]}" +} + +_add_xorrisofs_options_uefi-x64.systemd-boot.esp_iso() { + xorrisofs_options=("$(_add_xorrisofs_options_uefi-x64.systemd-boot.esp "${xorrisofs_options[@]}")") +} + +_add_xorrisofs_options_uefi-x64.systemd-boot.esp_dongle() { + dongle_xorrisofs_options=("$(_add_xorrisofs_options_uefi-x64.systemd-boot.esp "${dongle_xorrisofs_options[@]}")") } # systemd-boot via El Torito _add_xorrisofs_options_uefi-x64.systemd-boot.eltorito() { + local bootable_dir="${1}" + shift + local _xorrisofs_options=("$@") # shellcheck disable=SC2076 if [[ " ${bootmodes[*]} " =~ ' uefi-x64.systemd-boot.esp ' || " ${bootmodes[*]} " =~ ' uefi-ia32.grub.esp ' ]]; then # systemd-boot in an attached EFI system partition via El Torito - xorrisofs_options+=( - # Start a new El Torito boot entry for UEFI - '-eltorito-alt-boot' - # Set the second partition as the El Torito UEFI boot image - '-e' '--interval:appended_partition_2:all::' - # Boot image is not emulating floppy or hard disk; required for all known boot loaders - '-no-emul-boot' - ) - # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead. 
- if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then - # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the - # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', - # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. - if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then - xorrisofs_options+=('-isohybrid-gpt-basdat') - fi + _xorrisofs_options+=( + # Start a new El Torito boot entry for UEFI + '-eltorito-alt-boot' + # Set the second partition as the El Torito UEFI boot image + '-e' '--interval:appended_partition_2:all::' + # Boot image is not emulating floppy or hard disk; required for all known boot loaders + '-no-emul-boot' + ) + # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead. + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the + # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', + # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. + if [[ ! 
" ${_xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then + _xorrisofs_options+=('-isohybrid-gpt-basdat') fi + fi else # The ISO will not contain a GPT partition table, so to be able to reference efiboot.img, place it as a # file inside the ISO 9660 file system - install -d -m 0755 -- "${isofs_dir}/EFI/archiso" - cp -a -- "${work_dir}/efiboot.img" "${isofs_dir}/EFI/archiso/efiboot.img" + install -d -m 0755 -- "${bootable_dir}/EFI/archiso" + cp -a -- "${efibootimg}" "${bootable_dir}/EFI/archiso/efiboot.img" # systemd-boot in an embedded efiboot.img via El Torito - xorrisofs_options+=( + _xorrisofs_options+=( # Start a new El Torito boot entry for UEFI '-eltorito-alt-boot' # Set efiboot.img as the El Torito UEFI boot image '-e' 'EFI/archiso/efiboot.img' # Boot image is not emulating floppy or hard disk; required for all known boot loaders - '-no-emul-boot' - ) + '-no-emul-boot') fi # Specify where to save the El Torito boot catalog file in case it is not already set by bios.syslinux.eltorito # shellcheck disable=SC2076 - [[ " ${bootmodes[*]} " =~ ' bios.' ]] || xorrisofs_options+=('-eltorito-catalog' 'EFI/boot.cat') + [[ " ${bootmodes[*]} " =~ ' bios.' ]] || _xorrisofs_options+=('-eltorito-catalog' 'EFI/boot.cat') + echo "${_xorrisofs_options[@]}" +} + +_add_xorrisofs_options_uefi-x64.systemd-boot.eltorito_iso() { + xorrisofs_options=("$(_add_xorrisofs_options_uefi-x64.systemd-boot.eltorito "${isofs_dir}" "${xorrisofs_options[@]}")") +} + +_add_xorrisofs_options_uefi-x64.systemd-boot.eltorito_dongle() { + dongle_xorrisofs_options=("$(_add_xorrisofs_options_uefi-x64.systemd-boot.eltorito "${dongle_isofs_dir}" "${dongle_xorrisofs_options[@]}")") } # GRUB in an attached EFI system partition. # Same as _add_xorrisofs_options_uefi-x64.systemd-boot.esp. 
_add_xorrisofs_options_uefi-x64.grub.esp() { + local _xorrisofs_options=("$@") # Move the first partition away from the start of the ISO, otherwise the GPT will not be valid and ISO 9660 # partition will not be mountable # shellcheck disable=SC2076 - [[ " ${xorrisofs_options[*]} " =~ ' -partition_offset ' ]] || xorrisofs_options+=('-partition_offset' '16') + [[ " ${_xorrisofs_options[*]} " =~ ' -partition_offset ' ]] || _xorrisofs_options+=('-partition_offset' '16') # Attach efiboot.img as a second partition and set its partition type to "EFI system partition" - xorrisofs_options+=('-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${work_dir}/efiboot.img") + _xorrisofs_options+=('-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${efibootimg}") + if [ "${persistent_size_kib}" != "" ]; then + _xorrisofs_options=("$(_add_xorrisofs_options_persistent_partition "${_xorrisofs_options[@]}")") + fi # Ensure GPT is used as some systems do not support UEFI booting without it # shellcheck disable=SC2076 if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then 
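Review bot: In `_add_xorrisofs_options_uefi-x64.systemd-boot.eltorito` the `else` branch runs `install -d` and `cp -a -- "${efibootimg}" ...` inside a function whose stdout is captured by the `_iso`/`_dongle` wrappers as the xorrisofs option list, so any diagnostic those commands — or a future `_msg_info` — write to stdout silently becomes xorriso arguments. Keep the function pure: move the copy into the wrappers, which already know `isofs_dir`/`dongle_isofs_dir`, or at least redirect it with `>&2`. The `_dongle` wrapper also embeds the very same `${efibootimg}` into the dongle ISO, so the key image carries a full copy of the main image's ESP; if that is intended it deserves a comment. `_add_xorrisofs_options_uefi-x64.grub.esp` continues past the hunk.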
@@ -1281,57 +2035,78 @@ _add_xorrisofs_options_uefi-x64.grub.esp() { # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. - if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then - xorrisofs_options+=('-isohybrid-gpt-basdat') + if [[ ! " ${_xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then + _xorrisofs_options+=('-isohybrid-gpt-basdat') fi fi else # Use valid GPT if BIOS booting support will not be required - xorrisofs_options+=('-appended_part_as_gpt') + _xorrisofs_options+=('-appended_part_as_gpt') fi + echo "${_xorrisofs_options[@]}" +} + +_add_xorrisofs_options_uefi-x64.grub.esp_iso() { + xorrisofs_options=("$(_add_xorrisofs_options_uefi-x64.grub.esp "${xorrisofs_options[@]}")") +} + +_add_xorrisofs_options_uefi-x64.grub.esp_dongle() { + dongle_xorrisofs_options=("$(_add_xorrisofs_options_uefi-x64.grub.esp "${dongle_xorrisofs_options[@]}")") } # GRUB via El Torito # Same as _add_xorrisofs_options_uefi-x64.systemd-boot.eltorito. 
_add_xorrisofs_options_uefi-x64.grub.eltorito() { + local bootable_dir="${1}" + shift + local _xorrisofs_options=("$@") # shellcheck disable=SC2076 if [[ " ${bootmodes[*]} " =~ ' uefi-x64.grub.esp ' || " ${bootmodes[*]} " =~ ' uefi-ia32.grub.esp ' ]]; then # grub in an attached EFI system partition via El Torito - xorrisofs_options+=( - # Start a new El Torito boot entry for UEFI - '-eltorito-alt-boot' - # Set the second partition as the El Torito UEFI boot image - '-e' '--interval:appended_partition_2:all::' - # Boot image is not emulating floppy or hard disk; required for all known boot loaders - '-no-emul-boot' + _xorrisofs_options+=( + # Start a new El Torito boot entry for UEFI + '-eltorito-alt-boot' + # Set the second partition as the El Torito UEFI boot image + '-e' '--interval:appended_partition_2:all::' + # Boot image is not emulating floppy or hard disk; required for all known boot loaders + '-no-emul-boot' ) - # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead. - if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then - # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the - # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', - # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. - if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then - xorrisofs_options+=('-isohybrid-gpt-basdat') - fi + # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead. + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the + # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', + # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. + if [[ ! 
" ${_xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then + _xorrisofs_options+=('-isohybrid-gpt-basdat') fi + fi else # The ISO will not contain a GPT partition table, so to be able to reference efiboot.img, place it as a # file inside the ISO 9660 file system - install -d -m 0755 -- "${isofs_dir}/EFI/archiso" - cp -a -- "${work_dir}/efiboot.img" "${isofs_dir}/EFI/archiso/efiboot.img" + install -d -m 0755 -- "${bootable_dir}/EFI/archiso" + cp -a -- "${efibootimg}" "${bootable_dir}/EFI/archiso/efiboot.img" # grub in an embedded efiboot.img via El Torito - xorrisofs_options+=( - # Start a new El Torito boot entry for UEFI - '-eltorito-alt-boot' - # Set efiboot.img as the El Torito UEFI boot image - '-e' 'EFI/archiso/efiboot.img' - # Boot image is not emulating floppy or hard disk; required for all known boot loaders - '-no-emul-boot' + _xorrisofs_options+=( + # Start a new El Torito boot entry for UEFI + '-eltorito-alt-boot' + # Set efiboot.img as the El Torito UEFI boot image + '-e' 'EFI/archiso/efiboot.img' + # Boot image is not emulating floppy or hard disk; required for all known boot loaders + '-no-emul-boot' ) fi # Specify where to save the El Torito boot catalog file in case it is not already set by bios.syslinux.eltorito # shellcheck disable=SC2076 - [[ " ${bootmodes[*]} " =~ ' bios.' ]] || xorrisofs_options+=('-eltorito-catalog' 'EFI/boot.cat') + [[ " ${bootmodes[*]} " =~ ' bios.' ]] || _xorrisofs_options+=('-eltorito-catalog' 'EFI/boot.cat') + echo "${_xorrisofs_options[@]}" +} + +_add_xorrisofs_options_uefi-x64.grub.eltorito_iso() { + xorrisofs_options=("$(_add_xorrisofs_options_uefi-x64.grub.eltorito "${isofs_dir}" "${xorrisofs_options[@]}")") +} + +_add_xorrisofs_options_uefi-x64.grub.eltorito_dongle() { + dongle_xorrisofs_options=("$(_add_xorrisofs_options_uefi-x64.grub.eltorito "${dongle_isofs_dir}" "${dongle_xorrisofs_options[@]}")") } # Build bootstrap image 
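Review bot: `_add_xorrisofs_options_uefi-x64.grub.eltorito` is, apart from the two bootmode names in its first test and the comment wording, a line-for-line copy of `_add_xorrisofs_options_uefi-x64.systemd-boot.eltorito`, and the same holds for the two `.esp` functions; this patch edits all four just to thread `bootable_dir` and `_xorrisofs_options` through, which is exactly the kind of change that drifts between copies. One `_add_xorrisofs_options_uefi-x64.eltorito "${bootable_dir}" "${esp_bootmode}" "${opts[@]}"` plus an `.esp` counterpart would let the four public names become one-line wrappers. The `.grub.eltorito` body is complete in this hunk; `_add_xorrisofs_options_uefi-x64.grub.esp` at its top begins in the previous one.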
@@ -1350,9 +2125,57 @@ _build_bootstrap_image() { cd -- "${OLDPWD}" } +_build_dongle_image() { + local bootmode dongle_xorriso_cmd_line dongle_xorriso_options=() dongle_xorrisofs_options=() + dongle_isofs_dir="${work_dir}/dongle_iso" + + # Add required xorrisofs options for each boot mode + for bootmode in "${bootmodes[@]}"; do + "_add_xorrisofs_options_${bootmode}_dongle" + done + + [[ -d "${out_dir}" ]] || install -d -- "${out_dir}" + + if [[ "${quiet}" == "y" ]]; then + # The when xorriso is run in mkisofs compatibility mode (xorrisofs), the mkisofs option -quiet is interpreted + # too late (e.g. messages about SOURCE_DATE_EPOCH still get shown). + # Instead use native xorriso option to silence the output. + dongle_xorriso_options+=('-report_about' 'SORRY' "${dongle_xorriso_options[@]}") + fi + + # Update SORCE_DATE_EPOCH for dongle ISO UUID + SOURCE_DATE_EPOCH=$((SOURCE_DATE_EPOCH + 69 * 42)) + + rm -f -- "${out_dir}/${image_name}" + _msg_info "Creating ISO image..." + _msg_info "xorriso options: ${dongle_xorriso_options[*]}" + _msg_info "xorrisofs options: ${dongle_xorrisofs_options[*]}" + # shellcheck disable=SC2116 + dongle_xorriso_cmd_line=( + "${dongle_xorriso_options[@]}" + '-as' 'mkisofs' + '-iso-level' 3 + '-full-iso9660-filenames' + '-joliet' + '-joliet-long' + '-rational-rock' + '-volid' "${iso_label}_KEYS" + '-appid' "\"${iso_application} dongle CD\"" + '-publisher' "\"${iso_publisher}\"" + '-preparer' "\"prepared by ${app_name}\"" + "${dongle_xorrisofs_options[@]}" + '-output' "\"${out_dir}/${image_name}\"" + "${dongle_isofs_dir}/" + ) + eval "xorriso ${dongle_xorriso_cmd_line[*]}" + _msg_info "Done!" + du -h -- "${out_dir}/${image_name}" +} + # Build ISO _build_iso_image() { - local xorriso_options=() xorrisofs_options=() + local xorriso_cmd_line + isofs_dir="${work_dir}/iso" local bootmode [[ -d "${out_dir}" ]] || install -d -- "${out_dir}" 
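Review bot: `_build_dongle_image` assembles the xorriso invocation as a string and runs it through `eval "xorriso ${dongle_xorriso_cmd_line[*]}"`, quoting `iso_application`, `iso_publisher`, `out_dir` and `image_name` by hand (`"\"${iso_publisher}\""`); a profile value containing a double quote, backtick or `$(` is re-parsed as shell, and a `work_dir` or `out_dir` containing a space or glob character breaks or expands. The previous code called `xorriso` directly with properly quoted arrays, and the only reason for `eval` appears to be that the `_add_xorrisofs_options_*_dongle` helpers now return one space-joined string; once they append to a real array (nameref or `mapfile`), the direct call below works again. `SOURCE_DATE_EPOCH=$((SOURCE_DATE_EPOCH + 69 * 42))` also mutates the global for every step that runs after this one, so scope the bump to the xorriso command instead.
```shell
    rm -f -- "${out_dir}/${image_name}"
    _msg_info "Creating ISO image..."
    # Bump SOURCE_DATE_EPOCH only for this command so the dongle gets its own volume UUID
    SOURCE_DATE_EPOCH="$((SOURCE_DATE_EPOCH + 69 * 42))" \
    xorriso "${dongle_xorriso_options[@]}" -as mkisofs \
        -iso-level 3 \
        -full-iso9660-filenames \
        -joliet \
        -joliet-long \
        -rational-rock \
        -volid "${iso_label}_KEYS" \
        -appid "${iso_application} dongle CD" \
        -publisher "${iso_publisher}" \
        -preparer "prepared by ${app_name}" \
        "${dongle_xorrisofs_options[@]}" \
        -output "${out_dir}/${image_name}" \
        "${dongle_isofs_dir}/"
    # … unchanged: _msg_info "Done!" and du -h …
```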
@@ -1361,31 +2184,40 @@ _build_iso_image() { # The when xorriso is run in mkisofs compatibility mode (xorrisofs), the mkisofs option -quiet is interpreted # too late (e.g. messages about SOURCE_DATE_EPOCH still get shown). # Instead use native xorriso option to silence the output. - xorriso_options=('-report_about' 'SORRY' "${xorriso_options[@]}") + xorriso_options+=('-report_about' 'SORRY' "${xorriso_options[@]}") fi # Add required xorrisofs options for each boot mode for bootmode in "${bootmodes[@]}"; do - typeset -f "_add_xorrisofs_options_${bootmode}" &> /dev/null && "_add_xorrisofs_options_${bootmode}" + "_add_xorrisofs_options_${bootmode}_iso" done rm -f -- "${out_dir}/${image_name}" + # shellcheck disable=SC2116 + xorriso_cmd_line=( + "${xorriso_options[@]}" '-as' 'mkisofs' + '-iso-level' 3 + '-full-iso9660-filenames' + '-joliet' + '-joliet-long' + '-rational-rock' + '-volid' "${iso_label}" + '-appid' "\"${iso_application}\"" + '-publisher' "\"${iso_publisher}\"" + '-preparer' "\"prepared by ${app_name}\"" + "${xorrisofs_options[@]}" + '-output' "${out_dir}/${image_name}" + "${isofs_dir}/" + ) _msg_info "Creating ISO image..." - xorriso "${xorriso_options[@]}" -as mkisofs \ - -iso-level 3 \ - -full-iso9660-filenames \ - -joliet \ - -joliet-long \ - -rational-rock \ - -volid "${iso_label}" \ - -appid "${iso_application}" \ - -publisher "${iso_publisher}" \ - -preparer "prepared by ${app_name}" \ - "${xorrisofs_options[@]}" \ - -output "${out_dir}/${image_name}" \ - "${isofs_dir}/" + _msg_info "xorriso args: ${xorriso_cmd_line[*]}" + eval "xorriso ${xorriso_cmd_line[*]}" _msg_info "Done!" du -h -- "${out_dir}/${image_name}" + + if [[ "${airootfs_image_type}" == *"luks"* ]] && [[ ! " ${buildmodes[*]} " =~ ' dongle ' ]]; then + cp "${encryption_key}" "${out_dir}" + fi } # Read profile's values from profiledef.sh 
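Review bot: The new tail of `_build_iso_image` copies the LUKS key file into `${out_dir}` beside the ISO whenever `dongle` is not among the build modes, with a plain `cp` and no mode, so the artifact directory now holds the encrypted image and its key side by side under whatever permissions the key file already had; if shipping the key is the intended fallback it should at least be `install -m 0600 -- "${encryption_key}" "${out_dir}/"` and be stated in the documentation of `encryption_key`. The quiet branch was changed from `xorriso_options=('-report_about' 'SORRY' "${xorriso_options[@]}")` to `+=`, which now appends a second copy of every option already in the array. The `eval "xorriso ${xorriso_cmd_line[*]}"` has the same re-parsing problem as the dongle variant, and here `-output "${out_dir}/${image_name}"` is not even wrapped in escaped quotes, so an `out_dir` with a space splits the argument.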
@@ -1502,6 +2334,7 @@ _set_overrides() { fi [[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key" [[ ! -v override_gpg_sender ]] || gpg_sender="$override_gpg_sender" + [[ ! -v override_gpg_home ]] || gpg_home="$override_gpg_home" if [[ -v override_cert_list ]]; then sign_netboot_artifacts="y" fi @@ -1514,12 +2347,27 @@ _set_overrides() { # Set variables that do not have overrides [[ -n "$airootfs_image_type" ]] || airootfs_image_type="squashfs" + [[ -n "$keys_image_type" ]] || keys_image_type="squashfs+luks" + [[ -n "$persistent_image_type" ]] || persistent_image_type="ext4+luks" [[ -n "$iso_name" ]] || iso_name="${app_name}" + [[ -n "$isofs_dir" ]] || isofs_dir="${work_dir}/iso" + [[ -n "$airootfs_img_dir" ]] || airootfs_img_dir="${isofs_dir}/${install_dir}/${arch}" + [[ -n "$dongle_isofs_dir" ]] || dongle_isofs_dir="${work_dir}/dongle_iso" + [[ -n "$efibootimg" ]] || efibootimg="${work_dir}/efiboot.img" + [[ -n "$persistentimg" ]] || persistentimg="${work_dir}/persistent."$(_get_fs_ext "persistent") } _export_gpg_publickey() { rm -f -- "${work_dir}/pubkey.gpg" - gpg --batch --no-armor --output "${work_dir}/pubkey.gpg" --export "${gpg_key}" + if [ "${gpg_home}" != "" ]; then + GNUPGHOME="${gpg_home}" gpg --homedir "${gpg_home}" \ + --batch --no-armor --output "${work_dir}/pubkey.gpg" \ + --export "${gpg_key}" + else + gpg "${_gpg_options[@]}" \ + --batch --no-armor --output "${work_dir}/pubkey.gpg" \ + --export "${gpg_key}" + fi } _make_version() { @@ -1551,6 +2399,11 @@ _make_version() { [[ ! -e "${_os_release}" ]] || sed -i '/^IMAGE_ID=/d;/^IMAGE_VERSION=/d' "${_os_release}" printf 'IMAGE_ID=%s\nIMAGE_VERSION=%s\n' "${iso_name}" "${iso_version}" >> "${_os_release}" fi + + # Touch /usr/lib/clock-epoch to give another hint on date and time + # for systems with screwed or broken RTC. + touch -m -d"@${SOURCE_DATE_EPOCH}" -- "${pacstrap_dir}/usr/lib/clock-epoch" + _msg_info "Done!" } 
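Review bot: In `_export_gpg_publickey` the `gpg_home` branch drops `"${_gpg_options[@]}"`, which the `else` branch still passes, so whatever that array carries (it is defined outside this view) is silently lost as soon as `-H` or `gpg_home` is used; build a small `_gpg_home_opts=()` array, add `--homedir "${gpg_home}"` to it when `gpg_home` is set, and pass both arrays in a single `gpg` call. Setting `GNUPGHOME=` and `--homedir` to the same directory is redundant — `--homedir` alone suffices. The new defaults `keys_image_type="squashfs+luks"` and `persistent_image_type="ext4+luks"` deserve a line in the profile documentation stating that they require `encryption_key`, since nothing in this hunk gives that variable a default.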
@@ -1560,7 +2413,13 @@ _make_pkglist() { "bootstrap") pacman -Q --sysroot "${pacstrap_dir}" > "${pacstrap_dir}/pkglist.${arch}.txt" ;; - "iso"|"netboot") + "iso") + install -d -m 0755 -- "${isofs_dir}/${install_dir}" + if [[ ! "${airootfs_image_type}" == *"luks"* ]]; then + pacman -Q --sysroot "${pacstrap_dir}" > "${isofs_dir}/${install_dir}/pkglist.${arch}.txt" + fi + ;; + "netboot") install -d -m 0755 -- "${isofs_dir}/${install_dir}" pacman -Q --sysroot "${pacstrap_dir}" > "${isofs_dir}/${install_dir}/pkglist.${arch}.txt" ;; @@ -1568,6 +2427,29 @@ _make_pkglist() { _msg_info "Done!" } +# build the base for an ISO and/or a netboot target +_build_dongle_base() { + local run_once_mode="base" + local _sig_dir + _sig_dir="${dongle_isofs_dir}/${install_dir}/${arch}" + keys_dir="${work_dir}/keys" + + [[ -d "${keys_dir}" ]] || install -d -- "${keys_dir}" + [[ -d "${dongle_isofs_dir}" ]] || install -d -- "${dongle_isofs_dir}" + + if [ "${encryption_key}" != "" ]; then + cp "${encryption_key}" "${keys_dir}/airootfs.key" + fi + + if [[ "${airootfs_image_type}" == *"luks"* ]] && [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then + _run_once _prepare_keys_image + fi + + _run_once _make_boot_on_dongle + _make_bootmodes_dongle +} + + # build the base for an ISO and/or a netboot target _build_iso_base() { local run_once_mode="base" 
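Review bot: `_build_dongle_base` copies the airootfs LUKS key into `${keys_dir}` with a plain `cp`, after creating the directory with a default-mode `install -d`, so on the build host the key sits in a world-listable directory with whatever mode the source file had; use `install -d -m 0700 -- "${keys_dir}"` and `install -m 0600 -- "${encryption_key}" "${keys_dir}/airootfs.key"`. The `local _sig_dir` assigned at the top of the function is never used. The comment above it, `# build the base for an ISO and/or a netboot target`, was copied from `_build_iso_base` and should read `# build the base for the dongle (key carrier) image`.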
@@ -1577,9 +2459,15 @@ _build_iso_base() { # Set up essential directory paths pacstrap_dir="${work_dir}/${arch}/airootfs" isofs_dir="${work_dir}/iso" + keys_dir="${work_dir}/keys" + airootfs_img_dir="${isofs_dir}/${install_dir}/${arch}" + persistent_dir="${work_dir}/persistent" # Create working directory - [[ -d "${work_dir}" ]] || install -d -- "${work_dir}" + [[ -d "${airootfs_img_dir}" ]] || install -d -- "${airootfs_img_dir}" + [[ -d "${keys_dir}" ]] || install -d -- "${keys_dir}" + [[ -d "${persistent_dir}" ]] || install -d -- "${persistent_dir}" + # Write build date to file or if the file exists, read it from there if [[ -e "${work_dir}/build_date" ]]; then SOURCE_DATE_EPOCH="$(<"${work_dir}/build_date")" @@ -1595,10 +2483,11 @@ _build_iso_base() { _run_once _make_version _run_once _make_customize_airootfs _run_once _make_pkglist + _run_once _prepare_persistent_image if [[ "${buildmode}" == 'netboot' ]]; then _run_once _make_boot_on_iso9660 else - _make_bootmodes + _make_bootmodes_iso fi _run_once _cleanup_pacstrap_dir _run_once _prepare_airootfs_image @@ -1641,10 +2530,20 @@ _build_buildmode_netboot() { _build_buildmode_iso() { local image_name="${iso_name}-${iso_version}-${arch}.iso" local run_once_mode="${buildmode}" + efibootimg="${work_dir}/efiboot.img" _build_iso_base _run_once _build_iso_image } +# Build the dongle ISO buildmode +_build_buildmode_dongle() { + local image_name="${iso_name}-dongle-${iso_version}-${arch}.iso" + local run_once_mode="${buildmode}" + efibootimg="${work_dir}/efiboot.img" + _build_dongle_base + _run_once _build_dongle_image +} + # build all buildmodes _build() { local buildmode @@ -1655,7 +2554,7 @@ _build() { done } -while getopts 'c:p:C:L:P:A:D:w:m:o:g:G:vh?' arg; do +while getopts 'c:p:C:L:P:A:D:w:m:o:g:G:H:vh?' arg; do case "${arg}" in p) read -r -a override_pkg_list <<< "${OPTARG}" ;; C) override_pacman_conf="${OPTARG}" ;; 
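Review bot: `_build_iso_base` now creates `${keys_dir}` and `${persistent_dir}` with a default-mode `install -d`, although the key file and the profile's persistent payload are copied into them later; create at least `keys_dir` with `install -d -m 0700 -- "${keys_dir}"` so the key is not exposed to other users of the build host while the work directory exists. The removed `install -d -- "${work_dir}"` is fine to drop since `install -d` creates parents, but a short comment saying so would save the next reader a check.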
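Review bot: `_build_buildmode_dongle` sets `efibootimg="${work_dir}/efiboot.img"`, the same path `_build_buildmode_iso` uses, so whichever of `_make_boot_on_dongle` and the ISO boot setup runs second (neither is visible here) either reuses the other's ESP image or overwrites it; the shipped baseline profile enables both modes, so this is the default path. Give the dongle its own file, e.g. `efibootimg="${work_dir}/efiboot-dongle.img"`, or add a comment stating that the ESP image is deliberately shared between the two outputs. `efibootimg` is also assigned as a global in both functions rather than declared `local` next to `image_name`.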
@@ -1669,6 +2568,7 @@ while getopts 'c:p:C:L:P:A:D:w:m:o:g:G:vh?' arg; do o) override_out_dir="${OPTARG}" ;; g) override_gpg_key="${OPTARG}" ;; G) override_gpg_sender="${OPTARG}" ;; + H) override_gpg_home="${OPTARG}" ;; v) override_quiet="n" ;; h|?) _usage 0 ;; *) diff --git a/configs/baseline/airootfs/etc/mkinitcpio.conf b/configs/baseline/airootfs/etc/mkinitcpio.conf index 34b1a06..4dec74d 100644 --- a/configs/baseline/airootfs/etc/mkinitcpio.conf +++ b/configs/baseline/airootfs/etc/mkinitcpio.conf @@ -49,7 +49,7 @@ FILES=() # ## NOTE: If you have /usr on a separate partition, you MUST include the # usr, fsck and shutdown hooks. -HOOKS=(base udev modconf archiso block filesystems) +HOOKS=(base udev modconf %ARCHISO_HOOKS% block filesystems) # COMPRESSION # Use this to compress the initramfs image. By default, gzip compression diff --git a/configs/baseline/airootfs/etc/systemd/system/system-generators/systemd-gpt-auto-generator b/configs/baseline/airootfs/etc/systemd/system/system-generators/systemd-gpt-auto-generator new file mode 100644 index 0000000..e69de29 diff --git a/configs/baseline/airootfs/run/archiso/keys/.gitkeep b/configs/baseline/airootfs/run/archiso/keys/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/configs/baseline/efiboot/loader/entries/01-archiso-x86_64-linux.conf b/configs/baseline/efiboot/loader/entries/01-archiso-x86_64-linux.conf index 11624b6..814678d 100644 --- a/configs/baseline/efiboot/loader/entries/01-archiso-x86_64-linux.conf +++ b/configs/baseline/efiboot/loader/entries/01-archiso-x86_64-linux.conf @@ -1,4 +1,5 @@ -title Arch Linux (x86_64, UEFI) -linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -options archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% +title Arch Linux (%ARCH%, UEFI) +sort-key 01 +linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux +initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +options %KERNEL_PARAMS% 
diff --git a/configs/baseline/efiboot/loader/entries/02-archiso-x86_64-ram-linux.conf b/configs/baseline/efiboot/loader/entries/02-archiso-x86_64-ram-linux.conf index d66f5a6..f37a001 100644 --- a/configs/baseline/efiboot/loader/entries/02-archiso-x86_64-ram-linux.conf +++ b/configs/baseline/efiboot/loader/entries/02-archiso-x86_64-ram-linux.conf @@ -1,4 +1,5 @@ -title Arch Linux (x86_64, UEFI) Copy to RAM -linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -options archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram +title Arch Linux (%ARCH%, UEFI) Copy to RAM +sort-key 02 +linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux +initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +options %KERNEL_PARAMS% copytoram diff --git a/configs/baseline/grub/grub.cfg b/configs/baseline/grub/grub.cfg index 3df0b98..d634277 100644 --- a/configs/baseline/grub/grub.cfg +++ b/configs/baseline/grub/grub.cfg @@ -1,12 +1,12 @@ +# Load partition table and file system modules insmod part_gpt insmod part_msdos insmod fat insmod iso9660 +# Use graphics-mode output insmod all_video - insmod font - if loadfont "${prefix}/fonts/unicode.pf2" ; then insmod gfxterm set gfxmode="auto" 
@@ -14,20 +14,30 @@ if loadfont "${prefix}/fonts/unicode.pf2" ; then terminal_output gfxterm fi +# Enable serial console +if serial --unit=0 --speed=115200; then + terminal_input --append serial + terminal_output --append serial +fi + +# Set default menu entry default=archlinux timeout=15 timeout_style=menu -menuentry "Arch Linux (x86_64, UEFI)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { + +# Menu entries + +menuentry "Arch Linux (%ARCH%, UEFI)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { set gfxpayload=keep - search --no-floppy --set=root --label %ARCHISO_LABEL% - linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% - initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img + search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% + linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% + initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } -menuentry "Arch Linux (x86_64, UEFI) Copy to RAM" --class arch --class gnu-linux --class gnu --class os --id 'archlinux-copy-to-ram' { +menuentry "Arch Linux (%ARCH%, UEFI) Copy to RAM" --class arch --class gnu-linux --class gnu --class os --id 'archlinux-copy-to-ram' { set gfxpayload=keep - search --no-floppy --set=root --label %ARCHISO_LABEL% - linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram - initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img + search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% + linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% copytoram + initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index 4115581..ff4c1a5 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh 
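Review bot: Nothing in this menu restricts editing: there is no `set superusers` / `password_pbkdf2`, so anyone at the console — and, now that `terminal_input --append serial` is added, anyone on the serial line — can press `e`, strip or alter `%KERNEL_PARAMS%` or append `init=/bin/sh`, and boot; for a commit titled "Physical attacks mitigations" that is the gap a reviewer would expect closed first. Switching `search` from `--label` to `--fs-uuid %BOOTABLE_UUID%` does not help here, since an ISO9660 "UUID" is derived from the volume timestamp and travels with any cloned medium. If an editable menu is intended, say so in a comment; otherwise add `set superusers="root"` and `password_pbkdf2 root <hash>` above the entries and mark only the intended ones `--unrestricted`.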
@@ -7,14 +7,22 @@ iso_publisher="Arch Linux " iso_application="Arch Linux baseline" iso_version="$(date +%Y.%m.%d)" install_dir="arch" -buildmodes=('iso') -bootmodes=('bios.syslinux.mbr' 'bios.syslinux.eltorito' - 'uefi-ia32.grub.esp' 'uefi-x64.grub.esp' - 'uefi-ia32.grub.eltorito' 'uefi-x64.grub.eltorito') +buildmodes=('iso' 'dongle') +bootmodes=('bios.syslinux.mbr' + 'bios.syslinux.eltorito' + 'uefi-ia32.grub.esp' + 'uefi-ia32.grub.eltorito' + 'uefi-x64.systemd-boot.esp' + 'uefi-x64.systemd-boot.eltorito') arch="x86_64" pacman_conf="pacman.conf" airootfs_image_type="erofs" airootfs_image_tool_options=('-zlz4hc,12' -E ztailpacking) +encryption_key="auto" +persistent_size=10000 +keys_image_type="erofs" +keys_image_tool_options=('-zlz4hc,12' -E ztailpacking) file_permissions=( ["/etc/shadow"]="0:0:400" + ["/run/archiso/keys"]="0:0:700" ) diff --git a/configs/baseline/syslinux/syslinux-linux.cfg b/configs/baseline/syslinux/syslinux-linux.cfg index 6bfd0c3..274515a 100644 --- a/configs/baseline/syslinux/syslinux-linux.cfg +++ b/configs/baseline/syslinux/syslinux-linux.cfg @@ -1,11 +1,11 @@ LABEL arch -MENU LABEL Arch Linux (x86_64, BIOS) +MENU LABEL Arch Linux (%ARCH%, BIOS) LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux INITRD /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% +APPEND %KERNEL_PARAMS% LABEL arch-ram -MENU LABEL Arch Linux (x86_64, BIOS) Copy to RAM +MENU LABEL Arch Linux (%ARCH%, BIOS) Copy to RAM LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux INITRD /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram +APPEND %KERNEL_PARAMS% copytoram diff --git a/configs/releng/airootfs/etc/mkinitcpio.conf b/configs/releng/airootfs/etc/mkinitcpio.conf index f57dbdd..1e8601a 100644 --- a/configs/releng/airootfs/etc/mkinitcpio.conf +++ b/configs/releng/airootfs/etc/mkinitcpio.conf 
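Review bot: `persistent_size=10000` does not match the variable the README hunk in this same commit documents (`persistent_size_kib`), and neither the value nor the profiledef name says what unit it is in; rename one side so mkarchiso and the docs agree and make the unit explicit, e.g. `persistent_size_kib=10000` if KiB is meant. `encryption_key="auto"` makes every baseline build mint a key at build time, but the profile does not say where that key is written or that whoever holds it can unlock the resulting airootfs; a one-line comment above it (`# "auto": a fresh key is generated per build and stored in the keys image — keep it private`) would be enough, provided that is where it actually ends up (the mkarchiso side is not in view).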
@@ -49,7 +49,7 @@ FILES=() # ## NOTE: If you have /usr on a separate partition, you MUST include the # usr, fsck and shutdown hooks. -HOOKS=(base udev modconf memdisk archiso archiso_loop_mnt archiso_pxe_common archiso_pxe_nbd archiso_pxe_http archiso_pxe_nfs archiso_kms block filesystems keyboard) +HOOKS=(base udev modconf memdisk keyboard %ARCHISO_HOOKS% archiso_loop_mnt archiso_pxe_common archiso_pxe_nbd archiso_pxe_http archiso_pxe_nfs archiso_kms block filesystems) # COMPRESSION # Use this to compress the initramfs image. By default, gzip compression diff --git a/configs/releng/airootfs/etc/systemd/system/multi-user.target.wants/setup-persistent-storage.service b/configs/releng/airootfs/etc/systemd/system/multi-user.target.wants/setup-persistent-storage.service new file mode 120000 index 0000000..875f862 --- /dev/null +++ b/configs/releng/airootfs/etc/systemd/system/multi-user.target.wants/setup-persistent-storage.service @@ -0,0 +1 @@ +/etc/systemd/system/setup-persistent-storage.service \ No newline at end of file diff --git a/configs/releng/airootfs/etc/systemd/system/setup-persistent-storage.service b/configs/releng/airootfs/etc/systemd/system/setup-persistent-storage.service new file mode 100644 index 0000000..823cb1e --- /dev/null +++ b/configs/releng/airootfs/etc/systemd/system/setup-persistent-storage.service @@ -0,0 +1,9 @@ +[Unit] +Description=Setup an encrypted persistent storage on the USB drive + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/setup-persistent-storage + +[Install] +WantedBy=multi-user.target diff --git a/configs/releng/airootfs/run/archiso/keys/.gitkeep b/configs/releng/airootfs/run/archiso/keys/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/configs/releng/airootfs/usr/local/bin/setup-persistent-storage b/configs/releng/airootfs/usr/local/bin/setup-persistent-storage new file mode 100755 index 0000000..743f959 --- /dev/null +++ b/configs/releng/airootfs/usr/local/bin/setup-persistent-storage 
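Review bot: The unit starts `setup-persistent-storage` as root on every boot that reaches multi-user.target, with no argument and no condition, so the script falls into its prompt branch and calls `read -rs` on a service stdin that systemd defaults to /dev/null; the read returns empty and the LUKS container is then formatted with a key file containing a single newline. Its partition-count early-exit is also broken (`wl -l`), so there is nothing stopping the run from repeating on each boot. Gate the unit on an explicit opt-in and give it a terminal if a prompt is intended — `ConditionKernelCommandLine=archiso_persistent`, `StandardInput=tty`, `TTYPath=/dev/tty1` — or pass a key file on `ExecStart=`, and have the script refuse an empty passphrase.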
@@ -0,0 +1,139 @@
+#!/bin/bash
+
+grub_cfg="/run/archiso/bootmnt/EFI/BOOT/grub.cfg"
+archisouuid="$(grep "archisouuid=" < "${grub_cfg}" | head -1 | awk '{print $5}' | sed 's/archisouuid=//g')"
+archisolabel="$(grep "archisolabel=" < "${grub_cfg}" | head -1 | awk '{print $5}' | sed 's/archisouuid=//g')"
+guid="0FC63DAF-8483-4772-8E79-3D69D8477DE4"
+
+_find_iso() {
+ for disk in /dev/disk/by-diskseq/*; do
+ disk_uuid=$(blkid -o value -s UUID "${disk}")
+ disk_type=$(blkid -o value -s TYPE "${disk}")
+ #shellcheck disable=SC2154
+ if [ "${disk_uuid}" = "${archisouuid}" ] && [ "${disk_type}" = "iso9660" ]; then
+ break
+ fi
+ done
+}
+
+_get_avail_space() {
+ disk_avail="$(parted "${disk}" unit MB print free | grep 'Free Space' | tail -n1 | awk '{print $3}' | sed 's/MB//g')"
+ mem_avail=$(( $(grep MemAvailable <"/proc/meminfo" | awk '{print $2}') / 1000))
+ avail=$(( disk_avail < mem_avail ? disk_avail : mem_avail ))
+}
+
+_mount_keys_device() {
+ keys_device="/dev/disk/by-label/${archisolabel}_KEYS"
+ mkdir /ckey /ckey2
+ chmod 700 /ckey /ckey2
+ mount "${keys_device}" "/ckey"
+ cryptsetup --type luks2 open "/ckey/keys.erofs" "keys.map"
+ mount -t erofs "/dev/mapper/keys.map" "/ckey2"
+}
+
+_unmount_keys_device() {
+ umount "/ckey2"
+ _close_luks_device "/dev/mapper/keys.map"
+ umount "/ckey"
+}
+
+_resolve_encryption_key() {
+ local passwd_path="/tmp/persistent.passwd"
+ if [ "${encryption_key}" = "" ]; then
+ echo -n "Enter a new password for the persistent partition:"
+ read -rs password
+ echo "${password}" > "${passwd_path}"
+ encryption_key="${passwd_path}"
+ elif [ ! -f "${encryption_key}" ]; then
+ if [ "${encryption_key}" = "auto" ]; then
+ encryption_key="${passwd_path}"
+ dd if="/dev/random" bs=32 count=1 of="${encryption_key}"
+ echo "The encryption key has been saved to ${encryption_key}"
+ elif [ "${encryption_key}" = "airootfs" ]; then
+ _mount_keys_device
+ mkdir /tmp/keys
+ chmod 700 /tmp/keys
+ cp /ckey2/airootfs.key /tmp/keys/storage.key
+ encryption_key="/tmp/keys/storage.key"
+ else
+ echo "File ${encryption_key} does not exist."
+ exit 0
+ fi
+ fi
+}
+
+_luks_format(){
+ mapper=$(basename "${image_path}")".map"
+ image_device="/dev/mapper/${mapper}"
+ cryptsetup_opts=('--type' 'luks2')
+ if [ "${encryption_key}" != "" ]; then
+ cryptsetup_opts+=("--key-file=${encryption_key}")
+ fi
+ cryptsetup_opts+=('--integrity' 'cmac-aes' \
+ '--sector-size' '4096' \
+ '--pbkdf-memory' 256)
+ while ! eval "cryptsetup -q -y luksFormat ${cryptsetup_opts[*]} ${image_path}"; do
+ sleep 1
+ done
+ while ! eval "cryptsetup open ${image_path} ${mapper}"; do
+ _close_luks_device "${image_device}"
+ done
+}
+
+_close_luks_device() {
+ local device="${1}"
+ local mapper
+ mapper=$(basename "${device}")
+ blockdev --flushbufs "${device}"
+ cryptsetup luksClose "${mapper}" || true
+ if [ -e "${device}" ]; then
+ dmsetup remove "${device}" || true
+ fi
+ sync
+}
+
+_make_persistent() {
+ encryption_key="${1}"
+ image_path="/tmp/persistent.img"
+ passwd_path="/tmp/persistent.passwd"
+ mount -o remount,rw,size=1E "/run/archiso/cowspace"
+ fallocate -l "${avail}M" "${image_path}"
+ losetup "/dev/loop314" "${image_path}"
+ luks_format
+ mkfs.ext4 -O '^has_journal,^resize_inode' \
+ -E 'lazy_itable_init=0,root_owner=0:0' \
+ -m '0' -F -U 'clear' -- "${image_device}"
+ tune2fs -c 0 -i 0 - "${image_device}" > /dev/null
+ sync
+ _close_luks_device "${image_device}"
+ losetup -d "/dev/loop314"
+ # rm "${encryption_key}"
+}
+
+_add_persistent() {
+ xorriso -indev "${disk}" -outdev "${disk}" -append_partition 3 "${guid}" "${image_path}" -boot_image any replay
+}
+
+_validate_requirements() {
+ partitions=$(partx -g "${disk}" | wl -l)
+ if [ "${partitions}" -gt 2 ]; then
+ exit 0
+ fi
+ _resolve_encryption_key
+}
+
+_refresh_partitions() {
+ partprobe "${disk}"
+}
+
+_start() {
+ local encryption_key="${1}"
+ _find_iso
+ _validate_requirements
+ _get_avail_space
+ _make_persistent "${encryption_key}"
+ _add_persistent
+ _refresh_partitions
+}
+
+_start "${1}"
diff --git a/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf b/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf
index 1c2a7a8..7e0ab93 100644
--- a/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf
+++ b/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf
@@ -1,7 +1,7 @@
-title Arch Linux install medium (x86_64, UEFI)
+title Arch Linux install medium (%ARCH%, UEFI)
 sort-key 01
-linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
+linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux
 initrd /%INSTALL_DIR%/boot/intel-ucode.img
 initrd /%INSTALL_DIR%/boot/amd-ucode.img
-initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-options archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL%
+initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img
+options %KERNEL_PARAMS%
diff --git a/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf b/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf
index 64253d3..f0d4ddc 100644
--- a/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf
+++ b/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf
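Review bot: `_find_iso` never reports a miss: when no entry under /dev/disk/by-diskseq matches `archisouuid`, the loop simply ends with `disk` still set to the last device it examined, and `_add_persistent` then runs `xorriso -outdev "${disk}" -append_partition 3 …` against it, so a failed lookup rewrites the partition table of an arbitrary drive; set `disk` only on a match and exit non-zero otherwise. Key material is written to /tmp under the default umask (`echo "${password}" > "${passwd_path}"`, `dd … of="${encryption_key}"`), and `dd if=/dev/random bs=32 count=1` may return fewer than 32 bytes — set `umask 077` at the top and use `head -c 32`. Three typos break the flow (there is no `set -e` to catch them): `archisolabel` is stripped with `sed 's/archisouuid=//g'`, `_make_persistent` calls `luks_format` but the function is `_luks_format`, and `_validate_requirements` pipes into `wl -l`, so the partition-count guard never fires and the whole thing re-runs on every boot. In `_luks_format` the `eval` with unquoted `${cryptsetup_opts[*]}` re-splits the key-file path, and the `cryptsetup open` retry loop passes no `--key-file`, so without a TTY it spins forever prompting for a passphrase.
```shell
umask 077  # key files below land in /tmp; keep them root-only
# … unchanged: grub_cfg, archisouuid …
archisolabel="$(grep "archisolabel=" < "${grub_cfg}" | head -1 | awk '{print $5}' | sed 's/archisolabel=//g')"
# … unchanged: guid …

_find_iso() {
    local candidate
    for candidate in /dev/disk/by-diskseq/*; do
        if [ "$(blkid -o value -s UUID "${candidate}")" = "${archisouuid}" ] \
            && [ "$(blkid -o value -s TYPE "${candidate}")" = "iso9660" ]; then
            disk="${candidate}"
            return 0
        fi
    done
    echo "No ISO9660 device with UUID '${archisouuid}' found; not touching any disk." >&2
    exit 1
}
# … unchanged: _get_avail_space, _mount_keys_device, _unmount_keys_device …

# _resolve_encryption_key, "auto" branch: replace the dd line
            head -c 32 /dev/random > "${encryption_key}"
# … unchanged: rest of _resolve_encryption_key …

_luks_format() {
    mapper=$(basename "${image_path}")".map"
    image_device="/dev/mapper/${mapper}"
    # encryption_key is always a file path once _resolve_encryption_key has run
    cryptsetup_opts=('--type' 'luks2' "--key-file=${encryption_key}"
                     '--integrity' 'cmac-aes' '--sector-size' '4096' '--pbkdf-memory' 256)
    until cryptsetup -q luksFormat "${cryptsetup_opts[@]}" "${image_path}"; do
        sleep 1
    done
    cryptsetup open --key-file="${encryption_key}" "${image_path}" "${mapper}"
}
# … unchanged: _close_luks_device …

# _make_persistent: call the function by its real name
    _luks_format
# … unchanged: mkfs.ext4 … losetup -d …

_validate_requirements() {
    partitions=$(partx -g "${disk}" | wc -l)
# … unchanged: rest of _validate_requirements …
```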
@@ -1,7 +1,7 @@ -title Arch Linux install medium (x86_64, UEFI) with speech +title Arch Linux install medium (%ARCH%, UEFI) with speech sort-key 02 -linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux +linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux initrd /%INSTALL_DIR%/boot/intel-ucode.img initrd /%INSTALL_DIR%/boot/amd-ucode.img -initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -options archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% accessibility=on +initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +options %KERNEL_PARAMS% accessibility=on diff --git a/configs/releng/efiboot/loader/entries/03-archiso-x86_64-ram-linux.conf b/configs/releng/efiboot/loader/entries/03-archiso-x86_64-ram-linux.conf index 3e26651..63a552d 100644 --- a/configs/releng/efiboot/loader/entries/03-archiso-x86_64-ram-linux.conf +++ b/configs/releng/efiboot/loader/entries/03-archiso-x86_64-ram-linux.conf @@ -1,7 +1,7 @@ -title Arch Linux install medium (x86_64, UEFI, Copy to RAM) +title Arch Linux install medium (%ARCH%, UEFI, Copy to RAM) sort-key 03 -linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux +linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux initrd /%INSTALL_DIR%/boot/intel-ucode.img initrd /%INSTALL_DIR%/boot/amd-ucode.img -initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -options archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram +initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +options %KERNEL_PARAMS% copytoram diff --git a/configs/releng/efiboot/loader/entries/04-archiso-x86_64-ram-speech-linux.conf b/configs/releng/efiboot/loader/entries/04-archiso-x86_64-ram-speech-linux.conf index 0d67999..0f64f5c 100644 --- a/configs/releng/efiboot/loader/entries/04-archiso-x86_64-ram-speech-linux.conf +++ b/configs/releng/efiboot/loader/entries/04-archiso-x86_64-ram-speech-linux.conf 
@@ -1,7 +1,7 @@ -title Arch Linux install medium (x86_64, UEFI, Copy to RAM) with speech +title Arch Linux install medium (%ARCH%, UEFI, Copy to RAM) with speech sort-key 04 -linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux +linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux initrd /%INSTALL_DIR%/boot/intel-ucode.img initrd /%INSTALL_DIR%/boot/amd-ucode.img -initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -options archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram accessibility=on +initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +options %KERNEL_PARAMS% copytoram accessibility=on diff --git a/configs/releng/grub/grub.cfg b/configs/releng/grub/grub.cfg index 9b78603..c5b5afc 100644 --- a/configs/releng/grub/grub.cfg +++ b/configs/releng/grub/grub.cfg @@ -1,12 +1,12 @@ +# Load partition table and file system modules insmod part_gpt insmod part_msdos insmod fat insmod iso9660 +# Use graphics-mode output insmod all_video - insmod font - if loadfont "${prefix}/fonts/unicode.pf2" ; then insmod gfxterm set gfxmode="auto" 
@@ -14,39 +14,47 @@ if loadfont "${prefix}/fonts/unicode.pf2" ; then terminal_output gfxterm fi +# Enable serial console +if serial --unit=0 --speed=115200; then + terminal_input --append serial + terminal_output --append serial +fi + +# Set default menu entry default=archlinux timeout=15 timeout_style=menu # GRUB init tune for accessibility -# play 600 988 1 1319 4 -menuentry "Arch Linux install medium (x86_64, UEFI)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { +# Menu entries + +menuentry "Arch Linux install medium (%ARCH%, UEFI)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { set gfxpayload=keep - search --no-floppy --set=root --label %ARCHISO_LABEL% - linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% - initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img + search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% + linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% + initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } -menuentry "Arch Linux install medium with speakup screen reader (x86_64, UEFI)" --hotkey s --class arch --class gnu-linux --class gnu --class os --id 'archlinux-accessibility' { +menuentry "Arch Linux install medium with speakup screen reader (%ARCH%, UEFI)" --hotkey s --class arch --class gnu-linux --class gnu --class os --id 'archlinux-accessibility' { set gfxpayload=keep - search --no-floppy --set=root --label %ARCHISO_LABEL% - linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% accessibility=on - initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img + search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% + linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux 
%KERNEL_PARAMS% accessibility=on + initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } if [ "${grub_platform}" == "efi" ]; then if [ "${grub_cpu}" == "x86_64" ]; then menuentry "UEFI Shell" { insmod chain - search --no-floppy --set=root --label %ARCHISO_LABEL% + search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% chainloader /shellx64.efi } elif [ "${grub_cpu}" == "i386" ]; then menuentry "UEFI Shell" { insmod chain - search --no-floppy --set=root --label %ARCHISO_LABEL% + search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% chainloader /shellia32.efi } fi diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64 index 8a0c80d..fc0d3e7 100644 --- a/configs/releng/packages.x86_64 +++ b/configs/releng/packages.x86_64 @@ -121,4 +121,5 @@ wpa_supplicant wvdial xfsprogs xl2tpd +xorriso zsh diff --git a/configs/releng/profiledef.sh b/configs/releng/profiledef.sh index 4b4e68c..e5e3487 100644 --- a/configs/releng/profiledef.sh +++ b/configs/releng/profiledef.sh 
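Review bot: The releng menu is still fully editable — no `set superusers`, no `password_pbkdf2`, no `--unrestricted` on the entries — and the hunk adds serial console input on top, so anyone with console or serial access can edit the `linux` line, remove whatever `%KERNEL_PARAMS%` carries, or chainload the UEFI shell entry and boot something else; in a commit titled "Physical attacks mitigations" that should either be locked down or explicitly declared out of scope in a comment above `# Menu entries`. The `--fs-uuid %BOOTABLE_UUID%` search only picks which medium GRUB reads from; it does not authenticate it. The `play` tune comment (`# GRUB init tune for accessibility`) now has no tune under it — drop the comment or restore the `play` line.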
@@ -7,19 +7,27 @@ iso_publisher="Arch Linux " iso_application="Arch Linux Live/Rescue CD" iso_version="$(date +%Y.%m.%d)" install_dir="arch" -buildmodes=('iso') -bootmodes=('bios.syslinux.mbr' 'bios.syslinux.eltorito' - 'uefi-ia32.grub.esp' 'uefi-x64.grub.esp' - 'uefi-ia32.grub.eltorito' 'uefi-x64.grub.eltorito') +buildmodes=('iso' 'dongle') +bootmodes=('bios.syslinux.mbr' + 'bios.syslinux.eltorito' + 'uefi-ia32.grub.esp' + 'uefi-ia32.grub.eltorito' + 'uefi-x64.systemd-boot.esp' + 'uefi-x64.systemd-boot.eltorito') arch="x86_64" pacman_conf="pacman.conf" -airootfs_image_type="squashfs" -airootfs_image_tool_options=('-comp' 'xz' '-Xbcj' 'x86' '-b' '1M' '-Xdict-size' '1M') +airootfs_image_type="erofs" +airootfs_image_tool_options=('-zlz4hc,12' -E ztailpacking) +encryption_key="auto" +keys_image_type="erofs" +keys_image_tool_options=('-zlz4hc,12') file_permissions=( ["/etc/shadow"]="0:0:400" ["/root"]="0:0:750" ["/root/.automated_script.sh"]="0:0:755" + ["/run/archiso/keys"]="0:0:700" ["/usr/local/bin/choose-mirror"]="0:0:755" ["/usr/local/bin/Installation_guide"]="0:0:755" ["/usr/local/bin/livecd-sound"]="0:0:755" + ["/usr/local/bin/setup-persistent-storage"]="0:0:755" ) diff --git a/configs/releng/syslinux/archiso_pxe-linux.cfg b/configs/releng/syslinux/archiso_pxe-linux.cfg index d812402..b5e300f 100644 --- a/configs/releng/syslinux/archiso_pxe-linux.cfg +++ b/configs/releng/syslinux/archiso_pxe-linux.cfg 
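Review bot: `["/run/archiso/keys"]="0:0:700"` is applied to the airootfs image, but at runtime `/run` is the tmpfs the initramfs hands over to the root filesystem, so the directory shipped in the image is most likely shadowed and this permission never takes effect — confirm, and if the keys directory is created by the initramfs hook instead, set the mode there (`install -d -m 0700 /run/archiso/keys`); the baseline profile has the same entry. `encryption_key="auto"` also becomes the default for the official releng profile, so every build now produces a per-build key; a comment stating where that key is stored and that it must be kept with the build would help the next maintainer, since the docs only say it is "generated at build time".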
@@ -3,10 +3,10 @@ TEXT HELP Boot the Arch Linux install medium using NBD. It allows you to install Arch Linux or perform system maintenance. ENDTEXT -MENU LABEL Arch Linux install medium (x86_64, NBD) -LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% archiso_nbd_srv=${pxeserver} checksum verify +MENU LABEL Arch Linux install medium (%ARCH%, NBD) +LINUX ::/%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +APPEND %KERNEL_PARAMS% archiso_nbd_srv=${pxeserver} checksum verify SYSAPPEND 3 LABEL arch64_nfs @@ -14,10 +14,10 @@ TEXT HELP Boot the Arch Linux live medium using NFS. It allows you to install Arch Linux or perform system maintenance. ENDTEXT -MENU LABEL Arch Linux install medium (x86_64, NFS) -LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archiso_nfs_srv=${pxeserver}:/run/archiso/bootmnt checksum verify +MENU LABEL Arch Linux install medium (%ARCH%, NFS) +LINUX ::/%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +APPEND %KERNEL_PARAMS% archiso_nfs_srv=${pxeserver}:/run/archiso/bootmnt checksum verify SYSAPPEND 3 LABEL arch64_http 
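Review bot: The NFS entry previously carried only `archisobasedir=` and deliberately no `archisolabel=`, because a netbooted system has no local medium to search; replacing it with `%KERNEL_PARAMS%` injects whatever that placeholder expands to (on the GRUB side it replaced `archisobasedir=… archisolabel=…`, and the persistent-storage script greps `archisouuid=` from it) into an entry that also sets `archiso_nfs_srv=`. If the expansion includes a medium label/UUID or any key-related parameter, confirm the archiso hooks prefer the `archiso_*_srv` source, and remember a PXE command line is fetched over the network in the clear. A second placeholder without medium-specific parameters for the PXE configs would avoid the question; the HTTP entry that follows has the same issue.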
@@ -25,8 +25,8 @@ TEXT HELP Boot the Arch Linux live medium using HTTP. It allows you to install Arch Linux or perform system maintenance. ENDTEXT -MENU LABEL Arch Linux install medium (x86_64, HTTP) -LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archiso_http_srv=http://${pxeserver}/ checksum verify +MENU LABEL Arch Linux install medium (%ARCH%, HTTP) +LINUX ::/%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +APPEND %KERNEL_PARAMS% archiso_http_srv=http://${pxeserver}/ checksum verify SYSAPPEND 3 diff --git a/configs/releng/syslinux/archiso_sys-linux.cfg b/configs/releng/syslinux/archiso_sys-linux.cfg index 0d85fcc..e47f3fa 100644 --- a/configs/releng/syslinux/archiso_sys-linux.cfg +++ b/configs/releng/syslinux/archiso_sys-linux.cfg @@ -3,10 +3,10 @@ TEXT HELP Boot the Arch Linux install medium on BIOS. It allows you to install Arch Linux or perform system maintenance. ENDTEXT -MENU LABEL Arch Linux install medium (x86_64, BIOS) -LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% +MENU LABEL Arch Linux install medium (%ARCH%, BIOS) +LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +APPEND %KERNEL_PARAMS% # Accessibility boot option LABEL arch64speech 
@@ -14,10 +14,10 @@ TEXT HELP Boot the Arch Linux install medium on BIOS with speakup screen reader. It allows you to install Arch Linux or perform system maintenance with speech feedback. ENDTEXT -MENU LABEL Arch Linux install medium (x86_64, BIOS) with ^speech -LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% accessibility=on +MENU LABEL Arch Linux install medium (%ARCH%, BIOS) with ^speech +LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +APPEND %KERNEL_PARAMS% accessibility=on # Copy to RAM boot option LABEL arch64ram @@ -25,7 +25,7 @@ TEXT HELP Boot the Arch Linux install medium on BIOS with Copy-to-RAM option It allows you to install Arch Linux or perform system maintenance. ENDTEXT -MENU LABEL Arch Linux install medium (x86_64, BIOS, Copy to RAM) -LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram +MENU LABEL Arch Linux install medium (%ARCH%, BIOS, Copy to RAM) +LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +APPEND %KERNEL_PARAMS% copytoram diff --git a/docs/README.profile.rst b/docs/README.profile.rst index efcb861..d4da0d8 100644 --- a/docs/README.profile.rst +++ b/docs/README.profile.rst 
@@ -39,6 +39,7 @@ The image file is constructed from some of the variables in ``profiledef.sh``: ` understood: - ``bootstrap``: Build a compressed file containing a minimal system to bootstrap from + - ``keys``: Build a "keys" ISO that is able to boot encrypted bootable ISO images. - ``iso``: Build a bootable ISO image (implicit default, if no ``buildmodes`` are set) - ``netboot``: Build artifacts required for netboot using iPXE * ``bootmodes``: A list of strings, that state the supported boot modes of the resulting image. Only the following are 
@@ -60,10 +61,21 @@ The image file is constructed from some of the variables in ``profiledef.sh``: ` * ``airootfs_image_type``: The image type to create. The following options are understood (defaults to ``squashfs``): - ``squashfs``: Create a squashfs image directly from the airootfs work directory + - ``squashfs+luks``: Create a LUKS image containing a squashfs generated directly from the airootfs work directory - ``ext4+squashfs``: Create an ext4 partition, copy the airootfs work directory to it and create a squashfs image from it + - ``ext4+squashfs+luks``: Create an ext4 partition, copy the airootfs work directory to it and create a LUKS containing a squashfs image generated from it - ``erofs``: Create an EROFS image for the airootfs work directory + - ``erofs+luks``: Create a LUKS image containing an EROFS image for the airootfs work directory * ``airootfs_image_tool_options``: An array of options to pass to the tool to create the airootfs image. ``mksquashfs`` and ``mkfs.erofs`` are supported. See ``mksquashfs --help`` or ``mkfs.erofs --help`` for all possible options +* ``encryption_key``: If pointing to a file, it will use as encryption key for the airootfs; if "auto" will generate a key + at build time; if empty, will prompt for password. +* ``persistent_size_kib``: Size in KB of the persistent partition. +* ``persistent_image_type``: The type of the persistent portion of the ISO. + - ``ext4``: Create an ext4 partition. + - ``ext4+luks``: Create a LUKS container with an ext4 partition inside. +* ``keys_image_type``: Same as ``airootfs_image_type`` for the "keys" ISO. +* ``keys_image_tool_options``: Same as ``airootfs_image_tool_options`` for the "keys" ISO. * ``file_permissions``: An associative array that lists files and/or directories who need specific ownership or permissions. The array's keys contain the path and the value is a colon separated list of owner UID, owner GID and access mode. E.g. ``file_permissions=(["/etc/shadow"]="0:0:400")``. 
When directories are listed with a trailing backslash (``/``) **all** files and directories contained within the listed directory will have the same owner UID, owner GID, and access mode applied recursively. -- GitLab From 3833f08b22ba7f3951d49a0bf3fd5bf7968cf5b5 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 07:11:13 +0200 Subject: [PATCH 003/105] last fix --- archiso/mkarchiso | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 26a72b5..7ef0197 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -2364,8 +2364,7 @@ _export_gpg_publickey() { --batch --no-armor --output "${work_dir}/pubkey.gpg" \ --export "${gpg_key}" else - gpg "${_gpg_options[@]}" \ - --batch --no-armor --output "${work_dir}/pubkey.gpg" \ + gpg --batch --no-armor --output "${work_dir}/pubkey.gpg" \ --export "${gpg_key}" fi } -- GitLab From 2c19cfc50c4c564c2072e27d5f763a8b86bef9b1 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 21:26:27 +0200 Subject: [PATCH 004/105] maybe these were moved --- archiso/mkarchiso | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 7ef0197..6d065d6 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1260,7 +1260,7 @@ _make_bootmode_uefi-x64.grub.eltorito_dongle() { # Prepare systemd-boot for booting when written to a disk (isohybrid) _make_bootmode_uefi-x64.systemd-boot.esp() { - local _file efiboot_imgsize + local _file efiboot_imgsize _results local _available_ucodes=() _msg_info "Setting up systemd-boot for UEFI booting..." 
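Review bot: The `else` branch of `_export_gpg_publickey` now invokes `gpg` without `"${_gpg_options[@]}"` while the `if` branch keeps it, so in that branch the public key is exported from the caller's default GnuPG home; if `_gpg_options` is where the `--homedir` from the new `-H` option ends up (set outside this hunk), `pubkey.gpg` could come from a different keyring than the key that signs the image. The condition choosing between the branches is above the hunk, so this may be the deliberate "no override" path — if so, a comment such as `# no gpg home override: export from the default keyring` would make it explicit.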
@@ -1273,9 +1273,12 @@ _make_bootmode_uefi-x64.systemd-boot.esp() { efiboot_files+=("${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-bootx64.efi" "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" "${profile}/efiboot/" - "${pacstrap_dir}/boot/vmlinuz-"* - "${pacstrap_dir}/boot/initramfs-"*".img" "${_available_ucodes[@]}") + _images=("initramfs-*.img" "vmlinuz-*") + for _query in "${_images[@]}"; do + _efiboot_files=($(find "${work_dir}" -iname "${_query}" -exec echo {} \;)) + done + efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" \ 2>/dev/null | awk 'END { print $1 }')" # Create a FAT image for the EFI system partition -- GitLab From 120605076f85cc01f7510182f4999b8a4b57b8cf Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 21:27:08 +0200 Subject: [PATCH 005/105] maybe these were moved --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 6d065d6..83ae6f2 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1276,7 +1276,7 @@ _make_bootmode_uefi-x64.systemd-boot.esp() { "${_available_ucodes[@]}") _images=("initramfs-*.img" "vmlinuz-*") for _query in "${_images[@]}"; do - _efiboot_files=($(find "${work_dir}" -iname "${_query}" -exec echo {} \;)) + _efiboot_files+=($(find "${work_dir}" -iname "${_query}" -exec echo {} \;)) done efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" \ -- GitLab From 1bc87ae13a82f8a7737517f89e68451e771f42a1 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 21:33:46 +0200 Subject: [PATCH 006/105] maybe these were moved --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 83ae6f2..5a51af2 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1276,7 +1276,7 @@ _make_bootmode_uefi-x64.systemd-boot.esp() { "${_available_ucodes[@]}") _images=("initramfs-*.img" "vmlinuz-*") for _query in "${_images[@]}"; do - _efiboot_files+=($(find "${work_dir}" -iname "${_query}" -exec echo {} \;)) + mapfile -t _efiboot_files < <(find "${work_dir}" -iname "${_query}" -exec echo {} \;) done efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" \ -- GitLab From 2bc0870efd01f7b1b1d2ce2c3da531d5eac93981 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 21:39:38 +0200 Subject: [PATCH 007/105] maybe these were moved --- archiso/mkarchiso | 2 ++ 1 file changed, 2 insertions(+) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 5a51af2..cdf5d55 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -955,6 +955,8 @@ _make_efibootimg() { imgsize_bytes=$((2*1024*1024)) fi + imgsize_bytes=$((imgsize_bytes*1.1)) + # Convert from bytes to KiB and round up to the next full MiB with an additional MiB for reserved sectors. imgsize_kib="$(awk 'function ceil(x){return int(x)+(x>int(x))} function byte_to_kib(x){return x/1024} -- GitLab From d98d01666d0ae8f6b19b2fe24a22057d7c914d4a Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 21:41:41 +0200 Subject: [PATCH 008/105] maybe these were moved --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index cdf5d55..bdb90fc 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -955,7 +955,7 @@ _make_efibootimg() { imgsize_bytes=$((2*1024*1024)) fi - imgsize_bytes=$((imgsize_bytes*1.1)) + imgsize_bytes=$((imgsize_bytes * 12 / 10)) # Convert from bytes to KiB and round up to the next full MiB with an additional MiB for reserved sectors. imgsize_kib="$(awk 'function ceil(x){return int(x)+(x>int(x))} -- GitLab From 7a14d32892affb3e7eba96802a2a68164409206e Mon Sep 17 00:00:00 2001 
From: Pellegrino Prevete Date: Sat, 3 Sep 2022 21:47:07 +0200 Subject: [PATCH 009/105] maybe these were moved --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index bdb90fc..debe17a 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1278,7 +1278,7 @@ _make_bootmode_uefi-x64.systemd-boot.esp() { "${_available_ucodes[@]}") _images=("initramfs-*.img" "vmlinuz-*") for _query in "${_images[@]}"; do - mapfile -t _efiboot_files < <(find "${work_dir}" -iname "${_query}" -exec echo {} \;) + mapfile -t efiboot_files < <(find "${work_dir}" -iname "${_query}" -exec echo {} \;) done efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" \ -- GitLab From 033f8610850a1174dff75b8d04f807e1a318a0ac Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 21:49:50 +0200 Subject: [PATCH 010/105] maybe these were moved --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index debe17a..01c51b3 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -955,7 +955,7 @@ _make_efibootimg() { imgsize_bytes=$((2*1024*1024)) fi - imgsize_bytes=$((imgsize_bytes * 12 / 10)) + imgsize_bytes=$((imgsize_bytes * 14 / 10)) # Convert from bytes to KiB and round up to the next full MiB with an additional MiB for reserved sectors. imgsize_kib="$(awk 'function ceil(x){return int(x)+(x>int(x))} -- GitLab From ce510cc4b8c9c626f4c9c18acfed03f49222cdb0 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 22:16:49 +0200 Subject: [PATCH 011/105] maybe these were moved --- archiso/mkarchiso | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 01c51b3..66ffefb 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1278,11 +1278,11 @@ _make_bootmode_uefi-x64.systemd-boot.esp() { "${_available_ucodes[@]}") _images=("initramfs-*.img" "vmlinuz-*") for _query in "${_images[@]}"; do - mapfile -t efiboot_files < <(find "${work_dir}" -iname "${_query}" -exec echo {} \;) + mapfile -t efiboot_files < <(find "${work_dir}" -iname "${_query}" -exec echo {} \; -quit) done - - efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" \ - 2>/dev/null | awk 'END { print $1 }')" + + efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" 2>/dev/null | awk 'END { print $1 }')" + efiboot_imgsize=$((efiboot_imgsize * 3)) # Create a FAT image for the EFI system partition _make_efibootimg "$efiboot_imgsize" -- GitLab From a8eab2e930d581d2f5558a613510ad46b34ca8f2 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 22:23:37 +0200 Subject: [PATCH 012/105] maybe these were moved --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 66ffefb..d858ffd 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1282,7 +1282,7 @@ _make_bootmode_uefi-x64.systemd-boot.esp() { done efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" 2>/dev/null | awk 'END { print $1 }')" - efiboot_imgsize=$((efiboot_imgsize * 3)) + efiboot_imgsize=$((efiboot_imgsize * 10)) # Create a FAT image for the EFI system partition _make_efibootimg "$efiboot_imgsize" -- GitLab From 570c058ce4a4e7533076ae8019741bc3b54993b7 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 22:28:15 +0200 Subject: [PATCH 013/105] maybe these were moved --- archiso/mkarchiso | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index d858ffd..b50bb21 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -952,10 +952,10 @@ _make_efibootimg() { if (( imgsize_bytes < 2*1024*1024 )); then _msg_info "Validating '${bootmode}': efiboot.img size is ${imgsize_bytes} bytes is less than 2 MiB! Bumping up to 2 MiB" - imgsize_bytes=$((2*1024*1024)) + imgsize_bytes=$((20*1024*1024)) fi - imgsize_bytes=$((imgsize_bytes * 14 / 10)) + imgsize_bytes=$((imgsize_bytes * 10)) # Convert from bytes to KiB and round up to the next full MiB with an additional MiB for reserved sectors. imgsize_kib="$(awk 'function ceil(x){return int(x)+(x>int(x))} @@ -1282,7 +1282,6 @@ _make_bootmode_uefi-x64.systemd-boot.esp() { done efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" 2>/dev/null | awk 'END { print $1 }')" - efiboot_imgsize=$((efiboot_imgsize * 10)) # Create a FAT image for the EFI system partition _make_efibootimg "$efiboot_imgsize" -- GitLab From 9c0b2200169112731673f924bd0c2ead5aeedb15 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 22:48:37 +0200 Subject: [PATCH 014/105] try to fix efiboot_imgsize issue --- archiso/mkarchiso | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index b50bb21..168589b 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -179,7 +179,7 @@ _cleanup_pacstrap_dir() { # Move kernel, initramfs and microcodes for later usage install -d -m 0755 "${work_dir}/boot" for _query in "${_images[@]}"; do - find "${_boot}" -iname "${_query}" -exec cp "${_cp_opts[@]}" {} "${work_dir}/boot" \; + find "${_boot}" -iname "${_query}" -exec cp "${_cp_opts[@]}" {} "${work_dir}/boot" -quit \; done [[ -d "${_boot}" ]] && find "${_boot}" -maxdepth 1 -type f -delete # Delete pacman database sync cache files (*.tar.gz) 
@@ -786,8 +786,8 @@ _make_boot_on_iso() { install -d -m 0755 -- "${kernel_dir}" for _query in "${images[@]}"; do - find "${work_dir}" -iname "${_query}" -exec cp "${_cp_opts[@]}" {} "${kernel_dir}" \; - find "${kernel_dir}" -iname "${_query}" -exec chmod 0644 {} \; + find "${work_dir}" -iname "${_query}" -exec cp "${_cp_opts[@]}" {} "${kernel_dir}" -quit \; + find "${kernel_dir}" -iname "${_query}" -exec chmod 0644 {} -quit \; done for ucode_image in "${ucodes[@]}"; do @@ -936,7 +936,7 @@ _make_boot_on_fat() { mmd -D o -i "${efibootimg}" \ "::/${install_dir}" "::/${install_dir}/boot" "::/${install_dir}/boot/${arch}" for _query in "${_images[@]}"; do - find "${work_dir}" -iname "${_query}" -exec mcopy -D "o" -i "${efibootimg}" {} "::/${install_dir}/boot/${arch}/" \; + find "${work_dir}" -iname "${_query}" -exec mcopy -D "o" -i "${efibootimg}" {} "::/${install_dir}/boot/${arch}/" -quit \; done for _ucode_image in "${ucodes[@]}"; do find "${work_dir}" -iname "${_ucode_image}" -exec mcopy -D "o" -i "${efibootimg}" {} "::/${install_dir}/boot/" \; @@ -955,7 +955,7 @@ _make_efibootimg() { imgsize_bytes=$((20*1024*1024)) fi - imgsize_bytes=$((imgsize_bytes * 10)) + # imgsize_bytes=$((imgsize_bytes * 10)) # Convert from bytes to KiB and round up to the next full MiB with an additional MiB for reserved sectors. imgsize_kib="$(awk 'function ceil(x){return int(x)+(x>int(x))} -- GitLab From 1c8c86b1cf058634a3a16e52717808d7e4ba5201 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 22:52:51 +0200 Subject: [PATCH 015/105] try to fix efiboot_imgsize issue --- archiso/mkarchiso | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 168589b..b72767e 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -786,8 +786,8 @@ _make_boot_on_iso() { install -d -m 0755 -- "${kernel_dir}" for _query in "${images[@]}"; do - find "${work_dir}" -iname "${_query}" -exec cp "${_cp_opts[@]}" {} "${kernel_dir}" -quit \; - find "${kernel_dir}" -iname "${_query}" -exec chmod 0644 {} -quit \; + find "${work_dir}" -iname "${_query}" -exec cp "${_cp_opts[@]}" {} "${kernel_dir}" \; -quit + find "${kernel_dir}" -iname "${_query}" -exec chmod 0644 {} \; done for ucode_image in "${ucodes[@]}"; do @@ -881,7 +881,7 @@ _make_bootmode_bios.syslinux.mbr() { gzip -cn9 "${pacstrap_dir}/usr/share/hwdata/pci.ids" > \ "${bootable_dir}/syslinux/hdt/pciids.gz" fi - find "${pacstrap_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -cn9 '{}' ';' -quit > \ + find "${pacstrap_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -cn9 '{}' ';' > \ "${bootable_dir}/syslinux/hdt/modalias.gz" fi @@ -936,7 +936,7 @@ _make_boot_on_fat() { mmd -D o -i "${efibootimg}" \ "::/${install_dir}" "::/${install_dir}/boot" "::/${install_dir}/boot/${arch}" for _query in "${_images[@]}"; do - find "${work_dir}" -iname "${_query}" -exec mcopy -D "o" -i "${efibootimg}" {} "::/${install_dir}/boot/${arch}/" -quit \; + find "${work_dir}" -iname "${_query}" -exec mcopy -D "o" -i "${efibootimg}" {} "::/${install_dir}/boot/${arch}/" \; -quit done for _ucode_image in "${ucodes[@]}"; do find "${work_dir}" -iname "${_ucode_image}" -exec mcopy -D "o" -i "${efibootimg}" {} "::/${install_dir}/boot/" \; -- GitLab From b890ab67202d2784a8c1cc9b34bb3357c3679121 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sat, 3 Sep 2022 22:54:25 +0200 Subject: [PATCH 016/105] try to fix efiboot_imgsize issue --- archiso/mkarchiso | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index b72767e..e552167 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
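Review bot: Dropping `-quit` from the `modules.alias` search in `_make_bootmode_bios.syslinux.mbr` is a behaviour change unrelated to the efiboot size problem this patch is chasing: with more than one module tree under `${pacstrap_dir}/usr/lib/modules`, `find` now gzips every `modules.alias` into the same redirected `modalias.gz`, giving a multi-member archive with duplicated entries where the first match used to be taken and the search stopped. Unless the duplication is intended, restore `find "${pacstrap_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -cn9 '{}' ';' -quit > \`. The `-exec cp ... \; -quit` forms in the other two hunks of this patch are the correct placement, since `-quit` is a find predicate and must follow `\;` rather than be handed to cp or mcopy as an argument, which is what the PATCH 014 forms did.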
@@ -955,7 +955,8 @@ _make_efibootimg() { imgsize_bytes=$((20*1024*1024)) fi - # imgsize_bytes=$((imgsize_bytes * 10)) + # Where it spills? + imgsize_bytes=$((imgsize_bytes * 10)) # Convert from bytes to KiB and round up to the next full MiB with an additional MiB for reserved sectors. imgsize_kib="$(awk 'function ceil(x){return int(x)+(x>int(x))} -- GitLab From b99a9f98f8810362dfd55214ecd0ff22b3b8101d Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sun, 4 Sep 2022 17:31:55 +0000 Subject: [PATCH 017/105] fix -quit --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index e552167..0f2efa8 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -179,7 +179,7 @@ _cleanup_pacstrap_dir() { # Move kernel, initramfs and microcodes for later usage install -d -m 0755 "${work_dir}/boot" for _query in "${_images[@]}"; do - find "${_boot}" -iname "${_query}" -exec cp "${_cp_opts[@]}" {} "${work_dir}/boot" -quit \; + find "${_boot}" -iname "${_query}" -exec cp "${_cp_opts[@]}" {} "${work_dir}/boot" \; -quit done [[ -d "${_boot}" ]] && find "${_boot}" -maxdepth 1 -type f -delete # Delete pacman database sync cache files (*.tar.gz) -- GitLab From 073dfe02e0e74ad1742a100e57869e98eaf4cc33 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sun, 4 Sep 2022 20:12:26 +0000 Subject: [PATCH 018/105] fix ISO label for the dongle --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 0f2efa8..fc08682 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -2164,7 +2164,7 @@ _build_dongle_image() { '-joliet' '-joliet-long' '-rational-rock' - '-volid' "${iso_label}_KEYS" + '-volid' "${iso_label}_DONGLE" '-appid' "\"${iso_application} dongle CD\"" '-publisher' "\"${iso_publisher}\"" '-preparer' "\"prepared by ${app_name}\"" -- GitLab From c546386b3ea639eb0cbba581ac4ff074d063868e Mon Sep 17 00:00:00 2001 
From: Pellegrino Prevete Date: Sun, 4 Sep 2022 21:50:07 +0000 Subject: [PATCH 019/105] let's have persistent partition have a separate ephemeral encryption key saved on the rootfs --- archiso/mkarchiso | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index fc08682..56e0553 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -520,7 +520,7 @@ _mkpersistent_ext4() { _mkpersistent_ext4+luks() { _mkpersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" - _run_mkluks "${image_path}" "${persistent_size_kib}" "${encryption_key}" \ + _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" _run_mkext4 "${persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ "${persistent_epoch}" "persistent" "${writable}" @@ -1590,6 +1590,17 @@ _prepare_persistent_image() { persistent_size_kib=$(( persistent_dir_size > persistent_size_kib ? persistent_dir_size : persistent_size_kib )) fi + if [[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]; then + persistent_encryption_key="${work_dir}/${iso_label}_PERSISTENT.key" + dd if=/dev/random bs=512 count=1 of="${persistent_encryption_key}" + install -d -m700 "${pacstrap_dir}/etc/keys" + install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" + else + _msg_info "WARNING: root file system is not encrypted." + _msg_info "Enter persistent partition password:" + persistent_encryption_key="" + fi + if [ "${persistent_size_kib}" != "" ]; then _run_once "_mkpersistent_${persistent_image_type}" fi -- GitLab From 911bc1f13cf3d94436bb8b53e01bca70b1196b3d Mon Sep 17 00:00:00 2001 
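Review bot: The persistent-partition key is written by `dd if=/dev/random bs=512 count=1 of="${persistent_encryption_key}"` under the caller's umask, so on a typical build host the raw key sits world-readable in `${work_dir}` until `install -m400` copies it, and `dd` with `count=1` does not retry a partial read, so a short read from the device would silently yield a shorter key. Create it with restrictive permissions and a full block in one go, e.g. `(umask 077 && dd if=/dev/random bs=512 count=1 iflag=fullblock of="${persistent_encryption_key}")`, and consider removing the `${work_dir}` copy once it is installed if the work directory is not otherwise wiped. In the `else` branch `_msg_info "Enter persistent partition password:"` only prints a line; any actual prompting presumably comes from `_run_mkluks` receiving an empty key, which is not visible here. `_prepare_persistent_image` continues outside the hunk.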
From: Pellegrino Prevete Date: Sun, 4 Sep 2022 23:02:05 +0000 Subject: [PATCH 020/105] let's have persistent partition have a separate ephemeral encryption key saved on the rootfs --- archiso/mkarchiso | 19 ++++++++++--------- configs/baseline/profiledef.sh | 1 + 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 56e0553..ebe1fc5 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1590,15 +1590,16 @@ _prepare_persistent_image() { persistent_size_kib=$(( persistent_dir_size > persistent_size_kib ? persistent_dir_size : persistent_size_kib )) fi - if [[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]; then - persistent_encryption_key="${work_dir}/${iso_label}_PERSISTENT.key" - dd if=/dev/random bs=512 count=1 of="${persistent_encryption_key}" - install -d -m700 "${pacstrap_dir}/etc/keys" - install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" - else - _msg_info "WARNING: root file system is not encrypted." - _msg_info "Enter persistent partition password:" - persistent_encryption_key="" + if [[ "${persistent_image_type}" == *luks ]]; then + if [[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]; then + persistent_encryption_key="${work_dir}/${iso_label}_PERSISTENT.key" + dd if=/dev/random bs=512 count=1 of="${persistent_encryption_key}" + install -d -m700 "${pacstrap_dir}/etc/keys" + install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" + else + _msg_warning "root file system is not encrypted, you will have to insert a password for persistent partition." + persistent_encryption_key="" + fi fi if [ "${persistent_size_kib}" != "" ]; then diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index ff4c1a5..df560aa 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh 
@@ -20,6 +20,7 @@ airootfs_image_type="erofs" airootfs_image_tool_options=('-zlz4hc,12' -E ztailpacking) encryption_key="auto" persistent_size=10000 +persistent_image_type=ext4+luks keys_image_type="erofs" keys_image_tool_options=('-zlz4hc,12' -E ztailpacking) file_permissions=( -- GitLab From 2019694cf64b4055625ff9040ae404b8ed7099fb Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sun, 4 Sep 2022 23:04:00 +0000 Subject: [PATCH 021/105] let's have persistent partition have a separate ephemeral encryption key saved on the rootfs --- configs/baseline/profiledef.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index df560aa..d109599 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh @@ -20,7 +20,7 @@ airootfs_image_type="erofs" airootfs_image_tool_options=('-zlz4hc,12' -E ztailpacking) encryption_key="auto" persistent_size=10000 -persistent_image_type=ext4+luks +persistent_image_type="ext4+luks" keys_image_type="erofs" keys_image_tool_options=('-zlz4hc,12' -E ztailpacking) file_permissions=( -- GitLab From a218b6687a2b295370cb6f7830672503bcb74d7d Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sun, 4 Sep 2022 23:14:52 +0000 Subject: [PATCH 022/105] add 'persistent' home directory --- configs/baseline/persistent/home/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 configs/baseline/persistent/home/.gitkeep diff --git a/configs/baseline/persistent/home/.gitkeep b/configs/baseline/persistent/home/.gitkeep new file mode 100644 index 0000000..e69de29 -- GitLab From bbc3134550270a15b0c8b68e28ac833b9010064b Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sun, 4 Sep 2022 23:23:27 +0000 Subject: [PATCH 023/105] fix prepare_persistent_image --- archiso/mkarchiso | 23 +++++++++++------------ configs/baseline/profiledef.sh | 2 +- 2 files changed, 12 insertions(+), 13 deletions(-) 
diff --git a/archiso/mkarchiso b/archiso/mkarchiso index ebe1fc5..5e9c578 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1590,19 +1590,18 @@ _prepare_persistent_image() { persistent_size_kib=$(( persistent_dir_size > persistent_size_kib ? persistent_dir_size : persistent_size_kib )) fi - if [[ "${persistent_image_type}" == *luks ]]; then - if [[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]; then - persistent_encryption_key="${work_dir}/${iso_label}_PERSISTENT.key" - dd if=/dev/random bs=512 count=1 of="${persistent_encryption_key}" - install -d -m700 "${pacstrap_dir}/etc/keys" - install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" - else - _msg_warning "root file system is not encrypted, you will have to insert a password for persistent partition." - persistent_encryption_key="" - fi - fi - if [ "${persistent_size_kib}" != "" ]; then + if [[ "${persistent_image_type}" == *luks ]]; then + if [[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]; then + persistent_encryption_key="${work_dir}/${iso_label}_PERSISTENT.key" + dd if=/dev/random bs=512 count=1 of="${persistent_encryption_key}" + install -d -m700 "${pacstrap_dir}/etc/keys" + install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" + else + _msg_warning "root file system is not encrypted, you will have to insert a password for persistent partition." + persistent_encryption_key="" + fi + fi _run_once "_mkpersistent_${persistent_image_type}" fi } diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index d109599..9d1a681 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh 
@@ -19,7 +19,7 @@ pacman_conf="pacman.conf" airootfs_image_type="erofs" airootfs_image_tool_options=('-zlz4hc,12' -E ztailpacking) encryption_key="auto" -persistent_size=10000 +persistent_size_kib=10000000 persistent_image_type="ext4+luks" keys_image_type="erofs" keys_image_tool_options=('-zlz4hc,12' -E ztailpacking) -- GitLab From 1bbf22acf602f1e65459dfce5d2813c2f2ee1f2f Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sun, 4 Sep 2022 23:27:14 +0000 Subject: [PATCH 024/105] 500MB persistent storage --- configs/baseline/profiledef.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index 9d1a681..722f04c 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh @@ -19,7 +19,7 @@ pacman_conf="pacman.conf" airootfs_image_type="erofs" airootfs_image_tool_options=('-zlz4hc,12' -E ztailpacking) encryption_key="auto" -persistent_size_kib=10000000 +persistent_size_kib=500000 persistent_image_type="ext4+luks" keys_image_type="erofs" keys_image_tool_options=('-zlz4hc,12' -E ztailpacking) -- GitLab From eaf037f116298b843397dec8179b07b5411d63f8 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sun, 4 Sep 2022 23:33:02 +0000 Subject: [PATCH 025/105] warning for dongle buildmode without root file system encryption --- archiso/mkarchiso | 3 +++ 1 file changed, 3 insertions(+) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 5e9c578..d2dbd02 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1778,6 +1778,9 @@ _validate_common_requirements_buildmode_iso_netboot() { _validate_requirements_buildmode_dongle() { _validate_common_requirements_buildmode_all [[ -n "$encryption_key" ]] && _resolve_encryption_key + if [[ ! "${airootfs_image_type}" == *luks ]]; then + _msg_warning "If you enable the dongle then you probably should encrypt the root file system too." + fi } _validate_requirements_buildmode_iso() { -- GitLab 
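Review bot: The new check in `_validate_requirements_buildmode_dongle` only warns, yet the condition `[[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]` in `_prepare_persistent_image` (PATCH 019–023 above) means a dongle build with an unencrypted airootfs still installs `persistent.key` in clear text under `${pacstrap_dir}/etc/keys`, so the LUKS layer on the persistent partition adds no confidentiality for anyone who holds the medium and can read the rootfs image. Either turn this into a validation error in the style of the surrounding validators, `(( validation_error=validation_error+1 ))` followed by `_msg_error "Validating build mode '${_buildmode}': dongle requires an encrypted root file system, the persistent key would be stored unencrypted" 0`, or have the warning state that the persistent partition key will be stored unencrypted. PATCH 026 (L89) rewords the message but keeps the warning-only behaviour.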
From f1deec1706d37da93cbed9f814e0aab592e87800 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sun, 4 Sep 2022 23:34:33 +0000 Subject: [PATCH 026/105] warning for dongle buildmode without root file system encryption --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index d2dbd02..faecfed 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1779,7 +1779,7 @@ _validate_requirements_buildmode_dongle() { _validate_common_requirements_buildmode_all [[ -n "$encryption_key" ]] && _resolve_encryption_key if [[ ! "${airootfs_image_type}" == *luks ]]; then - _msg_warning "If you enable the dongle then you probably should encrypt the root file system too." + _msg_warning "Dongle buildmode active but root file system encryption disabled." fi } -- GitLab From f974b87d9ebb9b0560391acabdae0b6da10b5955 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 14:12:09 +0200 Subject: [PATCH 027/105] add compatible crypttab to baseline and add sed when needed --- archiso/mkarchiso | 66 +++++++++++++++++++------- configs/baseline/airootfs/etc/crypttab | 4 ++ 2 files changed, 52 insertions(+), 18 deletions(-) create mode 100644 configs/baseline/airootfs/etc/crypttab diff --git a/archiso/mkarchiso b/archiso/mkarchiso index faecfed..ce4d519 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1582,8 +1582,12 @@ _prepare_keys_image() { # Build persistent filesystem image _prepare_persistent_image() { - local persistent_dir_size - + local persistent_dir_size persistent_epoch persistent_uuid + local _crypttab="${profile}/airootfs/etc/crypttab" + persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) + persistent_uuid="$(uuidgen --sha1 \ + --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ + --name "${persistent_epoch}")" if [ -d "${profile}/persistent" ]; then cp -af --no-preserve=ownership,mode -- "${profile}/persistent/." "${persistent_dir}" persistent_dir_size=$(du -s "${persistent_dir}" | cut -f 1) @@ -1592,8 +1596,10 @@ _prepare_persistent_image() { if [ "${persistent_size_kib}" != "" ]; then if [[ "${persistent_image_type}" == *luks ]]; then +${profile}/airootfs/crypttab + sed "s|%PERSISTENT_UUID%|${persistent_uuid}|g" "${_crypttab}" > "${pacstrap_dir}/etc/crypttab" if [[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]; then - persistent_encryption_key="${work_dir}/${iso_label}_PERSISTENT.key" + persistent_encryption_key="${work_dir}/persistent.key" dd if=/dev/random bs=512 count=1 of="${persistent_encryption_key}" install -d -m700 "${pacstrap_dir}/etc/keys" install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" 
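Review bot: `persistent_uuid` is derived here from `persistent_epoch` with a fixed namespace and substituted into crypttab as `/dev/disk/by-uuid/...`, but nothing in the hunk ties that value to the UUID `_run_mkluks` actually stamps on the LUKS header; the first hunk of PATCH 019 shows `_run_mkluks` receiving `${persistent_epoch}` as an argument, so this only works if `_run_mkluks` derives the header UUID from the same namespace and name, and if it does not, the crypttab entry points at a device that never appears and unlocking at boot times out. A comment making the contract explicit, such as `# must equal the UUID _run_mkluks derives from persistent_epoch for the LUKS header`, and a name or comment for the `3 * 1415` offset would make this maintainable. The stray `+${profile}/airootfs/crypttab` line in the second hunk would be executed as a command; PATCH 028 below removes it. `_prepare_persistent_image` continues outside the hunk.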
@@ -1638,28 +1644,40 @@ _sign_netboot_artifacts() { -out "${_file}".ipxe.sig done _msg_info "Done!" - } +} - _validate_requirements_airootfs_image_type_squashfs() { - if ! command -v mksquashfs &> /dev/null; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${airootfs_image_type}': mksquashfs is not available on this host. Install 'squashfs-tools'!" 0 - fi - } +_validate_requirements_airootfs_image_type_squashfs() { + if ! command -v mksquashfs &> /dev/null; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${airootfs_image_type}': mksquashfs is not available on this host. Install 'squashfs-tools'!" 0 + fi +} - _validate_requirements_airootfs_image_type_ext4() { - if ! { command -v mkfs.ext4 &> /dev/null && command -v tune2fs &> /dev/null; }; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${airootfs_image_type}': mkfs.ext4 and/or tune2fs is not available on this host. Install 'e2fsprogs'!" 0 - fi - } +_validate_requirements_airootfs_image_type_ext4() { + if ! { command -v mkfs.ext4 &> /dev/null && command -v tune2fs &> /dev/null; }; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${airootfs_image_type}': mkfs.ext4 and/or tune2fs is not available on this host. Install 'e2fsprogs'!" 0 + fi +} - _validate_requirements_airootfs_image_type_ext4+squashfs() { +_validate_requirements_airootfs_image_type_ext4+squashfs() { _validate_requirements_airootfs_image_type_ext4 _validate_requirements_airootfs_image_type_squashfs } -# +_validate_requirements_persistent_image_type_ext4() { + _validate_requirements_airootfs_image_type_ext4 +} + +_validate_requirements_persistent_image_type_ext4+luks() { + _validate_requirements_airootfs_image_type_luks + _validate_requirements_persistent_image_type_ext4 + if [ ! 
-e "${profile}/airootfs/etc/crypttab" ]; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${persistent_image_type}' for persistent partition: crypttab not found!" 0 + fi +} + _resolve_encryption_key(){ if [ ! -f "${encryption_key}" ]; then if [ "${encryption_key}" = 'auto' ]; then @@ -1808,6 +1826,18 @@ _validate_requirements_buildmode_iso() { (( validation_error=validation_error+1 )) _msg_error "Validating build mode '${_buildmode}': awk is not available on this host. Install 'awk'!" 0 fi + + # Check if the profile supports the specified persistent_image_type + if typeset -f "_mkpersistent_${persistent_image_type}" &> /dev/null; then + if typeset -f "_validate_requirements_persistent_image_type_${persistent_image_type}" &> /dev/null; then + "_validate_requirements_persistent_image_type_${persistent_image_type}" + else + _msg_warning "Function '_validate_requirements_persistent_image_type_${persistent_image_type}' does not exist. Validating the requirements of '${persistent_image_type}' airootfs image type will not be possible." + fi + else + (( validation_error=validation_error+1 )) + _msg_error "Unsupported image type for persistent partition: '${persistent_image_type}'" 0 + fi } _validate_requirements_buildmode_netboot() { diff --git a/configs/baseline/airootfs/etc/crypttab b/configs/baseline/airootfs/etc/crypttab new file mode 100644 index 0000000..5960ee1 --- /dev/null +++ b/configs/baseline/airootfs/etc/crypttab @@ -0,0 +1,4 @@ +# Configuration for encrypted block devices. +# See crypttab(5) for details. + + persistent /dev/disk/by-uuid/%PERSISTENT_UUID% /etc/keys/persistent.key x-systemd.device-timeout=3 -- GitLab From d7c75038ea781ab83b62c2d37fc05fe6bcdaa897 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 14:13:46 +0200 Subject: [PATCH 028/105] add compatible crypttab to baseline and add sed when needed --- archiso/mkarchiso | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
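Review bot: The persistent-image-type check added to `_validate_requirements_buildmode_iso` runs unconditionally, so a profile that does not set `persistent_image_type` (only baseline's profiledef sets it in this series; whether a default exists elsewhere is not visible here) would fail with `Unsupported image type for persistent partition: ''` even though `_prepare_persistent_image` only acts when `persistent_size_kib` is non-empty. Guarding it with `if [[ -n "${persistent_size_kib}" ]]; then` around the new block mirrors the runtime condition. The warning text is also a copy-paste from the airootfs validator: `Validating the requirements of '${persistent_image_type}' airootfs image type` should say `persistent image type`. The function starts outside the hunk.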
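Review bot: The new crypttab entry sets `x-systemd.device-timeout=3` but no `nofail`, so when the medium is booted without the persistent partition present, or with a UUID that does not match, `systemd-cryptsetup@persistent.service` fails rather than being skipped, while the companion `run-archiso-persistent.mount` unit in PATCH 030 already treats the device as optional with `nofail`; `persistent /dev/disk/by-uuid/%PERSISTENT_UUID% /etc/keys/persistent.key nofail,x-systemd.device-timeout=3` keeps the two consistent. Three seconds may also be tight for a removable device to be enumerated at boot; the value is worth confirming on real hardware.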
diff --git a/archiso/mkarchiso b/archiso/mkarchiso index ce4d519..b6b22aa 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1583,7 +1583,7 @@ _prepare_keys_image() { # Build persistent filesystem image _prepare_persistent_image() { local persistent_dir_size persistent_epoch persistent_uuid - local _crypttab="${profile}/airootfs/etc/crypttab" + local crypttab="${profile}/airootfs/etc/crypttab" persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) persistent_uuid="$(uuidgen --sha1 \ --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ @@ -1596,8 +1596,7 @@ _prepare_persistent_image() { if [ "${persistent_size_kib}" != "" ]; then if [[ "${persistent_image_type}" == *luks ]]; then -${profile}/airootfs/crypttab - sed "s|%PERSISTENT_UUID%|${persistent_uuid}|g" "${_crypttab}" > "${pacstrap_dir}/etc/crypttab" + sed "s|%PERSISTENT_UUID%|${persistent_uuid}|g" "${crypttab}" > "${pacstrap_dir}/etc/crypttab" if [[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]; then persistent_encryption_key="${work_dir}/persistent.key" dd if=/dev/random bs=512 count=1 of="${persistent_encryption_key}" -- GitLab From bed36057bf10ec7816a91bc3152da103458f2cdb Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 14:47:28 +0200 Subject: [PATCH 029/105] add compatible crypttab to baseline and add sed when needed --- archiso/mkarchiso | 2 ++ 1 file changed, 2 insertions(+) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index b6b22aa..123f4b5 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1606,6 +1606,8 @@ _prepare_persistent_image() { _msg_warning "root file system is not encrypted, you will have to insert a password for persistent partition." persistent_encryption_key="" fi + else + sed '/%PERSISTENT_UUID%/d' "${crypttab}" > "${pacstrap_dir}/etc/crypttab" fi _run_once "_mkpersistent_${persistent_image_type}" fi -- GitLab From 9156517739bbf735889da190680f1b5e309a4f19 Mon Sep 17 00:00:00 2001 
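Review bot: The rendered crypttab is only produced inside `if [ "${persistent_size_kib}" != "" ]`, so a build with no persistent partition leaves whatever the profile's airootfs copy placed at `${pacstrap_dir}/etc/crypttab` untouched; if that copy is the template from PATCH 027, the image ships a literal `/dev/disk/by-uuid/%PERSISTENT_UUID%` entry and systemd-cryptsetup-generator will generate a unit waiting on a device that cannot exist. Render the template on that path too, e.g. by running `sed '/%PERSISTENT_UUID%/d' "${crypttab}" > "${pacstrap_dir}/etc/crypttab"` before the size check and letting the luks branch overwrite it, so every path produces a placeholder-free file. `_prepare_persistent_image` starts outside the hunk.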
From: Pellegrino Prevete Date: Mon, 5 Sep 2022 15:16:29 +0200 Subject: [PATCH 030/105] add mount units --- .../airootfs/etc/systemd/system/home.automount | 9 +++++++++ .../airootfs/etc/systemd/system/home.mount | 14 ++++++++++++++ .../system/multi-user.target.wants/home.automount | 1 + .../run-archiso-persistent.automount | 1 + .../system/run-archiso-persistent.automount | 9 +++++++++ .../systemd/system/run-archiso-persistent.mount | 12 ++++++++++++ 6 files changed, 46 insertions(+) create mode 100644 configs/baseline/airootfs/etc/systemd/system/home.automount create mode 100644 configs/baseline/airootfs/etc/systemd/system/home.mount create mode 120000 configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/home.automount create mode 120000 configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/run-archiso-persistent.automount create mode 100644 configs/baseline/airootfs/etc/systemd/system/run-archiso-persistent.automount create mode 100644 configs/baseline/airootfs/etc/systemd/system/run-archiso-persistent.mount diff --git a/configs/baseline/airootfs/etc/systemd/system/home.automount b/configs/baseline/airootfs/etc/systemd/system/home.automount new file mode 100644 index 0000000..25a86a8 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/home.automount @@ -0,0 +1,9 @@ +[Unit] +Description=Home partition automount + +[Automount] +Where=/home +TimeoutIdleSec=3min + +[Install] +WantedBy=multi-user.target diff --git a/configs/baseline/airootfs/etc/systemd/system/home.mount b/configs/baseline/airootfs/etc/systemd/system/home.mount new file mode 100644 index 0000000..da0b752 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/home.mount @@ -0,0 +1,14 @@ +[Unit] +Description=Home bind mount +RequiresMountsFor=/run/archiso/persistent + +[Mount] +What=/run/archiso/persistent/home +Where=/home +Type=None +Options=bind,nofail +DirectoryMode=0711 +TimeoutSec=5 + +[Install] +WantedBy=multi-user.target 
diff --git a/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/home.automount b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/home.automount new file mode 120000 index 0000000..85b9bf8 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/home.automount @@ -0,0 +1 @@ +/etc/systemd/system/home.automount \ No newline at end of file diff --git a/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/run-archiso-persistent.automount b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/run-archiso-persistent.automount new file mode 120000 index 0000000..a94d01b --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/run-archiso-persistent.automount @@ -0,0 +1 @@ +/etc/systemd/system/run-archiso-persistent.automount \ No newline at end of file diff --git a/configs/baseline/airootfs/etc/systemd/system/run-archiso-persistent.automount b/configs/baseline/airootfs/etc/systemd/system/run-archiso-persistent.automount new file mode 100644 index 0000000..91206ae --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/run-archiso-persistent.automount @@ -0,0 +1,9 @@ +[Unit] +Description=Persistent partition automount + +[Automount] +Where=/run/archiso/persistent +TimeoutIdleSec=3min + +[Install] +WantedBy=multi-user.target diff --git a/configs/baseline/airootfs/etc/systemd/system/run-archiso-persistent.mount b/configs/baseline/airootfs/etc/systemd/system/run-archiso-persistent.mount new file mode 100644 index 0000000..5e32adf --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/run-archiso-persistent.mount @@ -0,0 +1,12 @@ +[Unit] +Description=Persistent mount + +[Mount] +What=/dev/mapper/persistent +Where=/run/archiso/persistent +Type=ext4 +Options=rw,noatime,nofail +TimeoutSec=5 + +[Install] +WantedBy=multi-user.target -- GitLab From 6a3e4c67062e4ad7922fae8a9b723698dc35a6d0 Mon Sep 17 00:00:00 2001 
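Review bot: `Options=rw,noatime,nofail` mounts the writable persistent partition, which later carries `/home` and the homed state through bind mounts, without `nosuid` or `nodev`; for a user-writable filesystem on removable media `Options=rw,noatime,nosuid,nodev,nofail` is the usual hardening so that setuid binaries or device nodes written to it, by a user or by whoever last held the medium, are not honoured when it is mounted. `What=/dev/mapper/persistent` also assumes the LUKS mapping name from crypttab, so with the plain `ext4` persistent type that PATCH 029 still supports this unit cannot resolve its device; a `ConditionPathExists=/dev/mapper/persistent` or a per-type unit would make that explicit. `nofail` inside a `.mount` unit's `Options=` is, as far as I can tell, passed through to mount(8) rather than interpreted by systemd, so the optional behaviour here actually comes from the automount arrangement and a comment saying so would prevent someone relying on the option.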
From: Pellegrino Prevete Date: Mon, 5 Sep 2022 15:17:29 +0200 Subject: [PATCH 031/105] add .gitkeep --- configs/baseline/airootfs/run/archiso/persistent/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 configs/baseline/airootfs/run/archiso/persistent/.gitkeep diff --git a/configs/baseline/airootfs/run/archiso/persistent/.gitkeep b/configs/baseline/airootfs/run/archiso/persistent/.gitkeep new file mode 100644 index 0000000..e69de29 -- GitLab From e64ea40f5c192dd2fbe23603ed7653bdc77a2ca5 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 15:17:43 +0200 Subject: [PATCH 032/105] add .gitkeep --- configs/baseline/airootfs/home/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 configs/baseline/airootfs/home/.gitkeep diff --git a/configs/baseline/airootfs/home/.gitkeep b/configs/baseline/airootfs/home/.gitkeep new file mode 100644 index 0000000..e69de29 -- GitLab From aae5f4dca679b2806d16f5074ef65e87caeccaf9 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 15:18:37 +0200 Subject: [PATCH 033/105] add permissions for known mounts --- configs/baseline/profiledef.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index 722f04c..e112a14 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh @@ -25,5 +25,7 @@ keys_image_type="erofs" keys_image_tool_options=('-zlz4hc,12' -E ztailpacking) file_permissions=( ["/etc/shadow"]="0:0:400" + ["/home"]="0:0:711" ["/run/archiso/keys"]="0:0:700" + ["/run/archiso/persistent"]="0:0:711" ) -- GitLab From ba9b1591a08f3270b4721d890e3106a58a469a24 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 16:56:19 +0200 Subject: [PATCH 034/105] switch ext4 superblock to 4096 --- archiso/mkarchiso | 1 + 1 file changed, 1 insertion(+) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 123f4b5..98c4dcb 100755 --- a/archiso/mkarchiso 
+++ b/archiso/mkarchiso @@ -240,6 +240,7 @@ _run_mkext4() { '-E' "lazy_itable_init=0,root_owner=0:0,hash_seed=${ext4_hash_seed}" '-m' '0' '-F' + '-b' 4096 '-U' 'clear') [[ "${_label}" != "" ]] && mkfs_ext4_options+=('-L' "${_label}") [[ ! "${quiet}" == "y" ]] || mkfs_ext4_options+=('-q') -- GitLab From 4b6743a475268e4576e002c8f3ab6dac37553214 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 17:19:14 +0200 Subject: [PATCH 035/105] add .gitkeep for systemd/home --- configs/baseline/airootfs/var/lib/systemd/home/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 configs/baseline/airootfs/var/lib/systemd/home/.gitkeep diff --git a/configs/baseline/airootfs/var/lib/systemd/home/.gitkeep b/configs/baseline/airootfs/var/lib/systemd/home/.gitkeep new file mode 100644 index 0000000..e69de29 -- GitLab From b74ef9d7815c06d6e633aeddd4f1cb387861556a Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 17:28:33 +0200 Subject: [PATCH 036/105] add systemd/home units --- .../var-lib-systemd-home.automount | 1 + .../systemd/system/var-lib-systemd-home.automount | 9 +++++++++ .../etc/systemd/system/var-lib-systemd-home.mount | 14 ++++++++++++++ 3 files changed, 24 insertions(+) create mode 120000 configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/var-lib-systemd-home.automount create mode 100644 configs/baseline/airootfs/etc/systemd/system/var-lib-systemd-home.automount create mode 100644 configs/baseline/airootfs/etc/systemd/system/var-lib-systemd-home.mount diff --git a/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/var-lib-systemd-home.automount b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/var-lib-systemd-home.automount new file mode 120000 index 0000000..f84a074 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/var-lib-systemd-home.automount 
@@ -0,0 +1 @@ +/etc/systemd/system/var-lib-systemd-home.automount \ No newline at end of file diff --git a/configs/baseline/airootfs/etc/systemd/system/var-lib-systemd-home.automount b/configs/baseline/airootfs/etc/systemd/system/var-lib-systemd-home.automount new file mode 100644 index 0000000..6469f08 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/var-lib-systemd-home.automount @@ -0,0 +1,9 @@ +[Unit] +Description=systemd-homed credentials automount + +[Automount] +Where=/var/lib/systemd/home +TimeoutIdleSec=3min + +[Install] +WantedBy=multi-user.target diff --git a/configs/baseline/airootfs/etc/systemd/system/var-lib-systemd-home.mount b/configs/baseline/airootfs/etc/systemd/system/var-lib-systemd-home.mount new file mode 100644 index 0000000..2fd891b --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/var-lib-systemd-home.mount @@ -0,0 +1,14 @@ +[Unit] +Description=Systemd home credentials bind mount +RequiresMountsFor=/run/archiso/persistent + +[Mount] +What=/run/archiso/persistent/var/lib/systemd/home +Where=/var/lib/systemd/home +Type=None +Options=bind,nofail +DirectoryMode=0755 +TimeoutSec=5 + +[Install] +WantedBy=multi-user.target -- GitLab From a9e9fc25b75e6a73ba83d034aa497a3be2ed071d Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 17:41:10 +0200 Subject: [PATCH 037/105] enable systemd-homed --- .../systemd/system/multi-user.target.wants/systemd-homed.service | 1 + 1 file changed, 1 insertion(+) create mode 120000 configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/systemd-homed.service diff --git a/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/systemd-homed.service b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/systemd-homed.service new file mode 120000 index 0000000..7ccdeb9 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/systemd-homed.service 
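Review bot: `Options=bind,nofail` in `var-lib-systemd-home.mount` makes `/var/lib/systemd/home` inherit whatever flags the persistent volume was mounted with, and that volume is the writable part of the medium; `Options=bind,nosuid,nodev,noexec` is a cheap hardening (recent util-linux applies the extra flags as a remount of the bind, as far as I know), and it costs nothing here because homed mounts the LUKS home images itself, so `noexec` on the directory holding them does not affect user homes. `nofail` is a mount(8)/fstab-level keyword; whether it does anything inside a unit's `Options=` should be checked, since the unit already avoids a hard dependency through `RequiresMountsFor=` plus the automount. The `[Install]` section on the `.mount` is dead weight: only the `.automount` is linked into `multi-user.target.wants`, and enabling the mount as well would defeat the on-demand behaviour. The same three points apply to the `var-lib-bluetooth.mount` / `.automount` pair added later on this page.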
@@ -0,0 +1 @@ +/usr/lib/systemd/system/systemd-homed.service \ No newline at end of file -- GitLab From a661e783c16901944843279eb0cd5c797e6d7fa2 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 17:50:56 +0200 Subject: [PATCH 038/105] add first-boot-user-setup --- .../multi-user.target.wants/setup-first-user.service | 1 + .../etc/systemd/system/setup-first-user.service | 12 ++++++++++++ 2 files changed, 13 insertions(+) create mode 120000 configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/setup-first-user.service create mode 100644 configs/baseline/airootfs/etc/systemd/system/setup-first-user.service diff --git a/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/setup-first-user.service b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/setup-first-user.service new file mode 120000 index 0000000..8e5ce47 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/setup-first-user.service @@ -0,0 +1 @@ +/etc/systemd/system/setup-first-user.service \ No newline at end of file diff --git a/configs/baseline/airootfs/etc/systemd/system/setup-first-user.service b/configs/baseline/airootfs/etc/systemd/system/setup-first-user.service new file mode 100644 index 0000000..5380701 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/setup-first-user.service @@ -0,0 +1,12 @@ +[Unit] +Description=Set up an user if not found on the system +After=systemd-homed.service + +[Service] +Type=oneshot +ExecStart=/usr/bin/homectl create user +ExecStop= +RemainAfterExit=no + +[Install] +WantedBy=multi-user.target -- GitLab From 64b508e406c9894ddfcf2bade6cb290f53d4dd1f Mon Sep 17 00:00:00 2001 
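Review bot: `After=systemd-homed.service` in `setup-first-user.service` only orders the unit after homed; it does not pull homed in, so on a boot where the homed symlink from the previous commit is absent the service runs with no daemon to talk to — add `Wants=systemd-homed.service` next to the `After=` line. The empty `ExecStop=` is a no-op for a `Type=oneshot` unit and can be dropped, and the description should read `Set up a user if not found on the system`. Running `homectl create` non-interactively also needs a password source (homectl reads `NEWPASSWORD` from the environment, if I remember the man page correctly), which neither this unit nor the `user-setup` script introduced later on this page provides, so the create call is likely to fail under systemd; a comment stating where the credential is expected to come from would help.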
From: Pellegrino Prevete Date: Mon, 5 Sep 2022 18:07:11 +0200 Subject: [PATCH 039/105] setup user-setup executable --- ...r.service => first-boot-user-setup.service} | 2 +- .../first-boot-user-setup.service | 1 + .../setup-first-user.service | 1 - .../baseline/airootfs/usr/local/bin/user-setup | 18 ++++++++++++++++++ 4 files changed, 20 insertions(+), 2 deletions(-) rename configs/baseline/airootfs/etc/systemd/system/{setup-first-user.service => first-boot-user-setup.service} (81%) create mode 120000 configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/first-boot-user-setup.service delete mode 120000 configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/setup-first-user.service create mode 100755 configs/baseline/airootfs/usr/local/bin/user-setup diff --git a/configs/baseline/airootfs/etc/systemd/system/setup-first-user.service b/configs/baseline/airootfs/etc/systemd/system/first-boot-user-setup.service similarity index 81% rename from configs/baseline/airootfs/etc/systemd/system/setup-first-user.service rename to configs/baseline/airootfs/etc/systemd/system/first-boot-user-setup.service index 5380701..3470309 100644 --- a/configs/baseline/airootfs/etc/systemd/system/setup-first-user.service +++ b/configs/baseline/airootfs/etc/systemd/system/first-boot-user-setup.service @@ -4,7 +4,7 @@ After=systemd-homed.service [Service] Type=oneshot -ExecStart=/usr/bin/homectl create user +ExecStart=/usr/local/bin/user-setup user ExecStop= RemainAfterExit=no diff --git a/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/first-boot-user-setup.service b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/first-boot-user-setup.service new file mode 120000 index 0000000..f28ef13 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/first-boot-user-setup.service @@ -0,0 +1 @@ +/etc/systemd/system/first-boot-user-setup.service \ No newline at end of file 
diff --git a/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/setup-first-user.service b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/setup-first-user.service deleted file mode 120000 index 8e5ce47..0000000 --- a/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/setup-first-user.service +++ /dev/null @@ -1 +0,0 @@ -/etc/systemd/system/setup-first-user.service \ No newline at end of file diff --git a/configs/baseline/airootfs/usr/local/bin/user-setup b/configs/baseline/airootfs/usr/local/bin/user-setup new file mode 100755 index 0000000..eebe6e7 --- /dev/null +++ b/configs/baseline/airootfs/usr/local/bin/user-setup @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +_homectl="/usr/bin/homectl" + +_does_exist(){ + local _user="${1}" + echo "$(${_homectl} list | awk '{print $1}' | grep -q "\b${_user}\b")" +} + +_user_setup(){ + local _user=${1} + if ! _does_exist "${_user}"; then + "${_homectl}" create "${_user}" + fi +} + +_user="${1}" +_user_setup "${_user}" -- GitLab From d58dc6b77c700a5e111e4e9136933da24e2bcea2 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 18:10:24 +0200 Subject: [PATCH 040/105] setup user-setup executable --- configs/baseline/airootfs/usr/local/bin/user-setup | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/configs/baseline/airootfs/usr/local/bin/user-setup b/configs/baseline/airootfs/usr/local/bin/user-setup index eebe6e7..ec4c260 100755 --- a/configs/baseline/airootfs/usr/local/bin/user-setup +++ b/configs/baseline/airootfs/usr/local/bin/user-setup 
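Review bot: `_does_exist` in `user-setup` never reports the result of its `grep -q`: the pipeline runs inside `$( )` whose status is discarded, `echo` returns 0, so `! _does_exist` is always false and `homectl create` is never reached. The rewrite in the next hunk (PATCH 040) keeps the defect in a different shape — `"${_does_exist}"` executes an empty string as a command, which fails with 127, so that version always tries to create the user. Let the pipeline's status be the function's status, `_does_exist(){ "${_homectl}" list | awk '{print $1}' | grep -qxF -- "${1}"; }`; `-xF` also compares the name literally instead of as a regular expression, and quoting `"${_homectl}"` matches the `create` call below.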
@@ -2,14 +2,12 @@ _homectl="/usr/bin/homectl" -_does_exist(){ - local _user="${1}" - echo "$(${_homectl} list | awk '{print $1}' | grep -q "\b${_user}\b")" -} - _user_setup(){ local _user=${1} - if ! _does_exist "${_user}"; then + local _does_exist + _does_exist="$(${_homectl} list | awk '{print $1}' | grep -q "\b${_user}\b")" + + if ! "${_does_exist}"; then "${_homectl}" create "${_user}" fi } -- GitLab From 89ab11165fc62de15418a4b296a344c62f1d8786 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 18:34:55 +0200 Subject: [PATCH 041/105] setup user-setup executable --- configs/baseline/profiledef.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index e112a14..650686e 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh @@ -28,4 +28,5 @@ file_permissions=( ["/home"]="0:0:711" ["/run/archiso/keys"]="0:0:700" ["/run/archiso/persistent"]="0:0:711" + ["/usr/local/bin/user-setup"]="0:0:755" ) -- GitLab From 88080c62cda77ebda75e13e71b22ef53f38b2e38 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 20:10:47 +0200 Subject: [PATCH 042/105] add .gitkeep for systemd-homed directory --- configs/baseline/airootfs/var/lib/bluetooth/.gitkeep | 0 configs/baseline/persistent/var/lib/bluetooth/.gitkeep | 0 configs/baseline/persistent/var/lib/systemd/home/.gitkeep | 0 configs/baseline/profiledef.sh | 1 + 4 files changed, 1 insertion(+) create mode 100644 configs/baseline/airootfs/var/lib/bluetooth/.gitkeep create mode 100644 configs/baseline/persistent/var/lib/bluetooth/.gitkeep create mode 100644 configs/baseline/persistent/var/lib/systemd/home/.gitkeep diff --git a/configs/baseline/airootfs/var/lib/bluetooth/.gitkeep b/configs/baseline/airootfs/var/lib/bluetooth/.gitkeep new file mode 100644 index 0000000..e69de29 
diff --git a/configs/baseline/persistent/var/lib/bluetooth/.gitkeep b/configs/baseline/persistent/var/lib/bluetooth/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/configs/baseline/persistent/var/lib/systemd/home/.gitkeep b/configs/baseline/persistent/var/lib/systemd/home/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index 650686e..bf1aebe 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh @@ -29,4 +29,5 @@ file_permissions=( ["/run/archiso/keys"]="0:0:700" ["/run/archiso/persistent"]="0:0:711" ["/usr/local/bin/user-setup"]="0:0:755" + ["/var/lib/bluetooth"]="0:0:755" ) -- GitLab From 111c4cf40bf6624bfa3c4a60984dbaf0abc30b72 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 20:14:12 +0200 Subject: [PATCH 043/105] add bluetooth automount --- .../var-lib-bluetooth.automount | 1 + .../etc/systemd/system/var-lib-bluetooth.automount | 9 +++++++++ .../etc/systemd/system/var-lib-bluetooth.mount | 14 ++++++++++++++ 3 files changed, 24 insertions(+) create mode 120000 configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/var-lib-bluetooth.automount create mode 100644 configs/baseline/airootfs/etc/systemd/system/var-lib-bluetooth.automount create mode 100644 configs/baseline/airootfs/etc/systemd/system/var-lib-bluetooth.mount diff --git a/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/var-lib-bluetooth.automount b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/var-lib-bluetooth.automount new file mode 120000 index 0000000..5a67852 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/var-lib-bluetooth.automount @@ -0,0 +1 @@ +/etc/systemd/system/var-lib-bluetooth.automount \ No newline at end of file 
diff --git a/configs/baseline/airootfs/etc/systemd/system/var-lib-bluetooth.automount b/configs/baseline/airootfs/etc/systemd/system/var-lib-bluetooth.automount new file mode 100644 index 0000000..1ee9556 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/var-lib-bluetooth.automount @@ -0,0 +1,9 @@ +[Unit] +Description=Bluetooth data automount + +[Automount] +Where=/var/lib/bluetooth +TimeoutIdleSec=3min + +[Install] +WantedBy=multi-user.target diff --git a/configs/baseline/airootfs/etc/systemd/system/var-lib-bluetooth.mount b/configs/baseline/airootfs/etc/systemd/system/var-lib-bluetooth.mount new file mode 100644 index 0000000..d659a67 --- /dev/null +++ b/configs/baseline/airootfs/etc/systemd/system/var-lib-bluetooth.mount @@ -0,0 +1,14 @@ +[Unit] +Description=Bluetooth data directory bind mount +RequiresMountsFor=/run/archiso/persistent + +[Mount] +What=/run/archiso/persistent/var/lib/bluetooth +Where=/var/lib/bluetooth +Type=None +Options=bind,nofail +DirectoryMode=0755 +TimeoutSec=5 + +[Install] +WantedBy=multi-user.target -- GitLab From ea7b5c3502d6bfe0d72db3785d52cd79f538f1d8 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 5 Sep 2022 20:47:04 +0200 Subject: [PATCH 044/105] prepare grub for luks support --- archiso/mkarchiso | 13 +++++++++---- configs/baseline/grub/grub.cfg | 2 ++ configs/releng/airootfs/etc/mkinitcpio.conf | 2 +- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 98c4dcb..e3d4f21 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -657,7 +657,7 @@ _make_custom_airootfs() { install -d -m 0755 -o 0 -g 0 -- "${pacstrap_dir}" if [[ -d "${profile}/airootfs" ]]; then - _build_archiso_hooks + _build_archiso_mkinitcpio_conf _msg_info "Copying custom airootfs files..." cp -af --no-preserve=ownership,mode -- "${profile}/airootfs/." "${pacstrap_dir}" # Set ownership and mode for files and directories 
@@ -802,15 +802,20 @@ _make_boot_on_iso() { _msg_info "Done!" } -_build_archiso_hooks() { - local _hooks=() _mkinitcpio_conf="${profile}/airootfs/etc/mkinitcpio.conf" +_build_archiso_mkinitcpio_conf() { + local _hooks=() _mkinitcpio_conf="${profile}/airootfs/etc/mkinitcpio.conf" _modules=() if [[ "${airootfs_image_type}" == *luks ]] || [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then _hooks+=("encrypt") fi _hooks+=("archiso") + if [[ "${airootfs_image_type}" == *"ext4"* ]]; then + _modules+=("ext4") + fi + cp "${_mkinitcpio_conf}" "${work_dir}/mkinitcpio.conf" - sed "s|%ARCHISO_HOOKS%|${_hooks[*]}|g" "${work_dir}/mkinitcpio.conf" > "${_mkinitcpio_conf}" + sed "s|%ARCHISO_HOOKS%|${_hooks[*]}|g; + s|%ARCHISO_MODULES%|${_modules[*]}|g" "${work_dir}/mkinitcpio.conf" > "${_mkinitcpio_conf}" } _get_dongle_uuid() { diff --git a/configs/baseline/grub/grub.cfg b/configs/baseline/grub/grub.cfg index d634277..44775a5 100644 --- a/configs/baseline/grub/grub.cfg +++ b/configs/baseline/grub/grub.cfg @@ -1,4 +1,6 @@ # Load partition table and file system modules +insmod cryptodisk +insmod luks2 insmod part_gpt insmod part_msdos insmod fat diff --git a/configs/releng/airootfs/etc/mkinitcpio.conf b/configs/releng/airootfs/etc/mkinitcpio.conf index 1e8601a..e337e5b 100644 --- a/configs/releng/airootfs/etc/mkinitcpio.conf +++ b/configs/releng/airootfs/etc/mkinitcpio.conf @@ -4,7 +4,7 @@ # run. Advanced users may wish to specify all system modules # in this array. For instance: # MODULES=(piix ide_disk reiserfs) -MODULES=() +MODULES=(%ARCHISO_MODULES%) # BINARIES # This setting includes any additional binaries a given user may -- GitLab From 0dd3f4919c62e871b578dbfe5af8259f551a3c0d Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 15:44:56 +0200 Subject: [PATCH 045/105] prepare grub for luks support --- archiso/mkarchiso | 220 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 164 insertions(+), 56 deletions(-) 
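Review bot: `_build_archiso_mkinitcpio_conf` now rewrites `%ARCHISO_MODULES%` for every profile, but this commit adds the placeholder only to `configs/releng/airootfs/etc/mkinitcpio.conf` (the diffstat lists no baseline file); if the baseline profile's `MODULES=` line has no placeholder, `ext4` is silently never added there even though `_make_custom_airootfs` calls the same function. The function also writes the substituted result back into the profile tree (`> "${_mkinitcpio_conf}"`), which the old code already did: unless something restores the file later, a second build on the same checkout finds both placeholders gone, so the rendered file belongs under `${work_dir}` with the copy direction reversed, or the function needs a comment stating that the profile is modified in place. A header comment such as `# Render the profile's mkinitcpio.conf: %ARCHISO_HOOKS% and %ARCHISO_MODULES% are filled in from airootfs_image_type and buildmodes` would document the contract either way.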
diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index e3d4f21..3d604c4 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -859,6 +859,82 @@ _get_crypto_params() { echo "${_cparams[@]}" } +# Prepare syslinux for booting from MBR (isohybrid) +_make_bootmode_bios.grub.mbr() { + bootable_dir="${1}" + bootable="${2}" + _msg_info "Setting up GRUB for BIOS booting from a disk..." + install -d -m 0755 -- "${bootable_dir}/grub" + _run_once _make_common_bootmode_grub_cfg + + grub-mkstandalone -O i386-pc \ + --modules="$(_get_grubmodules "bios")" \ + --locales="en@quot" \ + --themes="" \ + --fonts="" \ + --install-modules="$(_get_grubmodules "bios")" \ + --disable-shim-lock \ + --compress=xz \ + -o "${work_dir}/BOOTIA32.MBR" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg" + + install -D -m 0644 "${work_dir}/BOOTIA32.MBR" "${bootable_dir}/grub" + + if [[ "${bootable}" == "iso" ]]; then + _run_once _make_boot_on_iso9660 + elif [[ "${bootable}" == "dongle" ]]; then + _run_once _make_boot_on_dongle + fi + + _msg_info "Done! GRUB set up for BIOS booting from a disk successfully." +} + +_make_bootmode_bios.grub.mbr_iso() { + _make_bootmode_bios.grub.mbr "${isofs_dir}" "iso" +} + +_make_bootmode_bios.grub.mbr_dongle() { + _make_bootmode_bios.grub.mbr "${dongle_isofs_dir}" "dongle" +} + +# Prepare GRUB for El-Torito booting +_make_bootmode_bios.grub.eltorito() { + local bootable_dir="${1}" + _msg_info "Setting up GRUB for BIOS booting from an optical disc..." 
+ install -d -m 0755 -- "${bootable_dir}/grub" + install -m 0644 -- "${pacstrap_dir}/usr/lib/grub/i386-pc/boot_hybrid.img" "${bootable_dir}/grub/" + _run_once _make_common_bootmode_grub_cfg + + grub-mkstandalone -O i386-pc-eltorito \ + --modules="$(_get_grubmodules "bios")" \ + --locales="en@quot" \ + --themes="" \ + --fonts="" \ + --install-modules="$(_get_grubmodules "bios")" \ + --disable-shim-lock \ + --compress=xz \ + -o "${work_dir}/BOOTIA32.ELTORITO" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg" + + install -m 0644 -- "${work_dir}/BOOTIA32.ELTORITO" "${bootable_dir}/grub" + + if [[ "${bootable}" == "iso" ]]; then + _run_once _make_boot_on_iso9660 + elif [[ "${bootable}" == "dongle" ]]; then + _run_once _make_boot_on_dongle + fi +} + +_make_bootmode_bios.grub.eltorito_iso() { + _make_bootmode_bios.grub.eltorito "${isofs_dir}" + # ISOLINUX and SYSLINUX installation is shared + _run_once _make_bootmode_bios.grub.mbr_iso +} + +_make_bootmode_bios.grub.eltorito_dongle() { + _make_bootmode_bios.grub.eltorito "${dongle_isofs_dir}" + # ISOLINUX and SYSLINUX installation is shared + _run_once _make_bootmode_bios.grub.mbr_dongle +} + # Prepare syslinux for booting from MBR (isohybrid) _make_bootmode_bios.syslinux.mbr() { bootable_dir="${1}" 
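Review bot: `_make_bootmode_bios.grub.eltorito` tests `${bootable}` in its `if`/`elif` but only takes `bootable_dir` as `$1`, so the value comes from whatever `_make_bootmode_bios.grub.mbr` last left in the global (it assigns `bootable_dir` and `bootable` without `local`); in `_make_bootmode_bios.grub.eltorito_iso` the El Torito function runs before `_make_bootmode_bios.grub.mbr_iso`, so unless the MBR mode already ran, `bootable` is unset on that call and neither `_make_boot_on_iso9660` nor `_make_boot_on_dongle` is triggered from it. Pass it explicitly as the MBR variant does: `local bootable_dir="${1}" bootable="${2}"` in the El Torito function, `"iso"` / `"dongle"` as the second argument in the two wrappers, and `local` on the two assignments in `_make_bootmode_bios.grub.mbr`. The header comments are copy-paste leftovers — `# Prepare syslinux for booting from MBR (isohybrid)` sits above a GRUB function and `# ISOLINUX and SYSLINUX installation is shared` in the wrappers — `# Prepare GRUB for booting from MBR (isohybrid)` and `# MBR and El Torito GRUB setup share the same files` describe the new code. `--disable-shim-lock` is, as far as I know, only meaningful for EFI targets; harmless on `i386-pc` but misleading to keep.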
@@ -1070,28 +1146,29 @@ _make_common_bootmode_grub_copy_to_isofs() { install -m 0644 -- "${files_to_copy[@]}" "${isofs_dir}/EFI/BOOT/" } +# Module list from https://bugs.archlinux.org/task/71382#comment202911 _get_grubmodules(){ - echo all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font \ - gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap \ - minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file \ - search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 \ - usbserial_usbdebug video xfs zstd + local _mode="${1}" + _modules=(at_keyboard boot cat chain configfile cryptodisk echo ext2 fat + iso9660 keylayouts linux loadenv luks minicmd normal part_apple + part_gpt part_msdos read regexp search search_fs_file + search_fs_uuid usb) + if [ "${_mode}" == "efi" ]; then + _modules+=(all_video btrfs efifwsetup f2fs font gfxmenu gfxterm gzio halt + hfsplus jpeg loopback lsefi lsefimmap reboot png search_label + serial sleep tpm usbserial_common usbserial_ftdi usbserial_pl2303 + usbserial_usbdebug video xfs zstd) + fi + echo "${_modules[*]}" } _make_bootmode_uefi-ia32.grub.esp() { local bootable="${1}" - local grubmodules=() # Prepare configuration files _run_once _make_common_bootmode_grub_cfg # Create EFI binary - # Module list from https://bugs.archlinux.org/task/71382#comment202911 - grubmodules=(all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font \ - gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap \ - minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file \ - search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 \ - usbserial_usbdebug video xfs zstd) grub-mkstandalone -O i386-efi \ --modules="$(_get_grubmodules)" \ --locales="en@quot" 
\ @@ -1176,20 +1253,12 @@ _make_bootmode_uefi-ia32.grub.eltorito_dongle() { } _make_bootmode_uefi-x64.grub.esp() { - local grubmodules=() - # Prepare configuration files _run_once _make_common_bootmode_grub_cfg # Create EFI binary - # Module list from https://bugs.archlinux.org/task/71382#comment202911 - grubmodules=(all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font \ - gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap \ - minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file \ - search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 \ - usbserial_usbdebug video xfs zstd) grub-mkstandalone -O x86_64-efi \ - --modules="${grubmodules[*]}" \ + --modules="$(_get_grubmodules)" \ --locales="en@quot" \ --themes="" \ --sbat=/usr/share/grub/sbat.csv \ 
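Review bot: Both EFI builders call `_get_grubmodules` without an argument (`--modules="$(_get_grubmodules)"` in `_make_bootmode_uefi-ia32.grub.esp` here and again in the `_make_bootmode_uefi-x64.grub.esp` hunk that follows), so `_mode` is empty, the `[ "${_mode}" == "efi" ]` branch is skipped and the EFI images get the BIOS subset — losing `tpm` (GRUB then measures nothing into the PCRs), `efifwsetup`, `lsefi`, the video/gfx modules and more; `efinet`, present in the removed list, is now in neither branch. Pass `"efi"` at both call sites or default `_mode` to `efi`, and re-add `efinet` if network boot is still wanted. `_modules` is assigned without `local`, so the array leaks into the caller, and `[ ... ]` differs from the `[[ ... ]]` used elsewhere in the file. The list adds `luks` but not `luks2`, while the baseline `grub.cfg` changed earlier on this page does `insmod luks2`; since `grub-mkstandalone` embeds only the listed modules, that `insmod` fails at boot unless `luks2` is added here.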
@@ -1368,6 +1437,26 @@ _make_bootmode_uefi-x64.systemd-boot.eltorito_dongle() { _make_bootmode_uefi-x64.systemd-boot.eltorito "${dongle_isofs_dir}" "dongle" } +_validate_common_requirements_bootmode_grub(){ + # Check if GRUB is available + if ! command -v grub-mkstandalone &> /dev/null; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${bootmode}': grub-mkstandalone is not available on this host. Install 'grub'!" 0 + fi +} + +_validate_common_requirements_bootmode_uefi(){ + # Check if mkfs.fat is available + if ! command -v mkfs.fat &> /dev/null; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${bootmode}': mkfs.fat is not available on this host. Install 'dosfstools'!" 0 + fi + # Check if mmd and mcopy are available + if ! { command -v mmd &> /dev/null && command -v mcopy &> /dev/null; }; then + _msg_error "Validating '${bootmode}': mmd and/or mcopy are not available on this host. Install 'mtools'!" 0 + fi +} + _validate_requirements_bootmode_bios.syslinux.mbr() { # bios.syslinux.mbr requires bios.syslinux.eltorito # shellcheck disable=SC2076 @@ -1402,7 +1491,7 @@ _validate_requirements_bootmode_bios.syslinux.mbr() { # Check for optional packages # shellcheck disable=SC2076 if [[ ! " ${pkg_list[*]} " =~ ' memtest86+ ' ]]; then - _msg_info "Validating '${bootmode}': 'memtest86+' is not in the package list. Memmory testing will not be available from syslinux." + _msg_info "Validating '${bootmode}': 'memtest86+' is not in the package list. Memory testing will not be available from syslinux." fi } 
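Review bot: The mtools check in `_validate_common_requirements_bootmode_uefi` logs the error but does not bump `validation_error`, so a host without `mmd`/`mcopy` passes validation and fails later in the build; the `uefi-x64.systemd-boot.esp` validator this replaces (see the removed lines in the next hunk) did increment it, so the consolidation silently relaxes that path. Add `(( validation_error=validation_error+1 ))` before the `_msg_error` call, as the `mkfs.fat` branch above it does. The two new functions are also written `name(){` while most functions on this page use `name() {`, a purely stylistic difference worth aligning.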
@@ -1417,17 +1506,7 @@ _validate_requirements_bootmode_uefi-x64.systemd-boot.esp() { _msg_error "Validating '${bootmode}': cannot be used with bootmode uefi-x64.grub.esp!" 0 fi - # Check if mkfs.fat is available - if ! command -v mkfs.fat &> /dev/null; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${bootmode}': mkfs.fat is not available on this host. Install 'dosfstools'!" 0 - fi - - # Check if mmd and mcopy are available - if ! { command -v mmd &> /dev/null && command -v mcopy &> /dev/null; }; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${bootmode}': mmd and/or mcopy are not available on this host. Install 'mtools'!" 0 - fi + _validate_common_requirements_bootmode_uefi # Check if systemd-boot configuration files exist if [[ ! -d "${profile}/efiboot/loader/entries" ]]; then @@ -1467,13 +1546,8 @@ _validate_requirements_bootmode_uefi-x64.systemd-boot.eltorito() { } _validate_requirements_bootmode_uefi-ia32.grub.esp() { - # Check if GRUB is available - if ! command -v grub-mkstandalone &> /dev/null; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${bootmode}': grub-install is not available on this host. Install 'grub'!" 0 - fi - # shellcheck disable=SC2076 + _validate_common_requirements_bootmode_grub if [[ " ${bootmodes[*]} " =~ ' uefi-x64.systemd-boot.esp ' ]]; then _validate_requirements_bootmode_uefi-x64.systemd-boot.esp elif [[ " ${bootmodes[*]} " =~ ' uefi-x64.grub.esp ' ]]; then 
@@ -1489,28 +1563,13 @@ _validate_requirements_bootmode_uefi-ia32.grub.eltorito() { } _validate_requirements_bootmode_uefi-x64.grub.esp() { + _validate_common_requirements_bootmode_uefi + _validate_common_requirements_bootmode_grub # shellcheck disable=SC2076 if [[ " ${bootmodes[*]} " =~ ' uefi-x64.systemd-boot.esp ' ]]; then _msg_error "Validating '${bootmode}': cannot be used with bootmode uefi-x64.systemd-boot.esp!" 0 fi - # Check if GRUB is available - if ! command -v grub-mkstandalone &> /dev/null; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${bootmode}': grub-install is not available on this host. Install 'grub'!" 0 - fi - - # Check if mkfs.fat is available - if ! command -v mkfs.fat &> /dev/null; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${bootmode}': mkfs.fat is not available on this host. Install 'dosfstools'!" 0 - fi - - # Check if mmd and mcopy are available - if ! { command -v mmd &> /dev/null && command -v mcopy &> /dev/null; }; then - _msg_error "Validating '${bootmode}': mmd and/or mcopy are not available on this host. Install 'mtools'!" 0 - fi - # Check if GRUB configuration files exist if [[ ! -d "${profile}/grub" ]]; then (( validation_error=validation_error+1 )) 
@@ -1886,6 +1945,55 @@ _add_xorrisofs_options_persistent_partition() { echo "${_xorrisofs_options[@]}" } +# GRUB (isohybrid) +_add_xorrisofs_options_bios.grub.mbr() { + local bootable_dir="${1}" + shift + local _xorrisofs_options=("$@") + _xorrisofs_options+=( + # SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot syslinux/isolinux.bin" + '-grub2-mbr' "${bootable_dir}/grub/boot_hybrid.img" + # When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR + # bootstrap code area) and mark it as bootable + # May allow booting on some systems + # https://wiki.archlinux.org/title/Partitioning#Tricking_old_BIOS_into_booting_from_GPT + '--mbr-force-bootable' + # Move the first partition away from the start of the ISO to match the expectations of partition editors + # May allow booting on some systems + # https://dev.lovelyhq.com/libburnia/libisoburn/src/branch/master/doc/partition_offset.wiki + '-partition_offset' '16' + ) + echo "${_xorrisofs_options[@]}" +} + +_add_xorrisofs_options_bios.grub.mbr_iso() { + xorrisofs_options=("$(_add_xorrisofs_options_bios.grub.mbr "${isofs_dir}" "${xorrisofs_options[@]}")") +} + +_add_xorrisofs_options_bios.grub.mbr_dongle() { + dongle_xorrisofs_options=("$(_add_xorrisofs_options_bios.grub.mbr "${dongle_isofs_dir}" "${dongle_xorrisofs_options[@]}")") +} + +# GRUB El Torito +_add_xorrisofs_options_bios.grub.eltorito() { + local _xorrisofs_options=("$@") + _xorrisofs_options+=(# El Torito boot image for x86 BIOS + '-eltorito-boot' 'grub/BOOTIA32.ELTORITO' + # El Torito boot catalog file + # '-eltorito-catalog' 'syslinux/boot.cat' + # Required options to boot with GRUB + '-no-emul-boot' '-boot-load-size' '4' '-boot-info-table') + echo "${_xorrisofs_options[@]}" +} + +_add_xorrisofs_options_bios.grub.eltorito_iso() { + xorrisofs_options=("$(_add_xorrisofs_options_bios.grub.eltorito "${xorrisofs_options[@]}")") +} + +_add_xorrisofs_options_bios.grub.eltorito_dongle() { + 
dongle_xorrisofs_options=("$(_add_xorrisofs_options_bios.grub.eltorito "${dongle_xorrisofs_options[@]}")") +} + # SYSLINUX MBR (isohybrid) _add_xorrisofs_options_bios.syslinux.mbr() { local bootable_dir="${1}" -- GitLab From fe8da3043de8a4d5c6ab574d8cd9b2f93d702e49 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 15:45:24 +0200 Subject: [PATCH 046/105] replace syslinux with grub --- configs/baseline/profiledef.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index bf1aebe..3096e54 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh @@ -8,8 +8,8 @@ iso_application="Arch Linux baseline" iso_version="$(date +%Y.%m.%d)" install_dir="arch" buildmodes=('iso' 'dongle') -bootmodes=('bios.syslinux.mbr' - 'bios.syslinux.eltorito' +bootmodes=('bios.grub.mbr' + 'bios.grub.eltorito' 'uefi-ia32.grub.esp' 'uefi-ia32.grub.eltorito' 'uefi-x64.systemd-boot.esp' -- GitLab From 5dce995c565b01de82ee0a6139b933d6e59ea5e5 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 15:47:19 +0200 Subject: [PATCH 047/105] fix shellcheck --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 3d604c4..47df494 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1546,8 +1546,8 @@ _validate_requirements_bootmode_uefi-x64.systemd-boot.eltorito() { } _validate_requirements_bootmode_uefi-ia32.grub.esp() { - # shellcheck disable=SC2076 _validate_common_requirements_bootmode_grub + # shellcheck disable=SC2076 if [[ " ${bootmodes[*]} " =~ ' uefi-x64.systemd-boot.esp ' ]]; then _validate_requirements_bootmode_uefi-x64.systemd-boot.esp elif [[ " ${bootmodes[*]} " =~ ' uefi-x64.grub.esp ' ]]; then -- GitLab From c1befa4d73224040e61a5060e8c102b237b2f98b Mon Sep 17 00:00:00 2001 
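Review bot: The comment above the `-grub2-mbr` entry in `_add_xorrisofs_options_bios.grub.mbr` still describes SYSLINUX (`SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot syslinux/isolinux.bin"`), but the file is GRUB's `boot_hybrid.img` and the El Torito image it pairs with is `grub/BOOTIA32.ELTORITO`; `# GRUB MBR bootstrap code (boot_hybrid.img); requires "-eltorito-boot grub/BOOTIA32.ELTORITO"` would be accurate. The commented-out `'-eltorito-catalog' 'syslinux/boot.cat'` line likewise points at the old tree — drop it or give it a `grub/` path. `grub-mkrescue` also passes `--grub2-boot-info` alongside `-boot-info-table` for its i386-pc El Torito image, if I remember correctly; whether `BOOTIA32.ELTORITO` boots without it should be verified on real BIOS firmware rather than assumed.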
From: Pellegrino Prevete Date: Tue, 6 Sep 2022 16:27:45 +0200 Subject: [PATCH 048/105] add validate_requirements for bios.grub --- archiso/mkarchiso | 63 ++++++++++++++++++++++---------- configs/baseline/packages.x86_64 | 2 +- 2 files changed, 44 insertions(+), 21 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 47df494..194c034 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1443,6 +1443,26 @@ _validate_common_requirements_bootmode_grub(){ (( validation_error=validation_error+1 )) _msg_error "Validating '${bootmode}': grub-mkstandalone is not available on this host. Install 'grub'!" 0 fi + + # Check if GRUB configuration files exist + if [[ ! -d "${profile}/grub" ]]; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${bootmode}': The '${profile}/grub' directory is missing!" 0 + else + if [[ ! -e "${profile}/grub/grub.cfg" ]]; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${bootmode}': File '${profile}/grub/grub.cfg' not found!" 0 + fi + local conffile + for conffile in "${profile}/grub/"*'.cfg'; do + if [[ -e "${conffile}" ]]; then + break + else + (( validation_error=validation_error+1 )) + _msg_error "Validating '${bootmode}': No configuration file found in '${profile}/grub/'!" 0 + fi + done + fi } _validate_common_requirements_bootmode_uefi(){ 
@@ -1457,6 +1477,29 @@ _validate_common_requirements_bootmode_uefi(){ fi } +_validate_requirements_bootmode_bios.grub.mbr() { + # bios.syslinux.mbr requires bios.grub.eltorito + # actually I'm not sure this is true + # shellcheck disable=SC2076 + _validate_common_requirements_bootmode_grub + if [[ ! " ${bootmodes[*]} " =~ ' bios.grub.eltorito ' ]]; then + (( validation_error=validation_error+1 )) + _msg_error "Using 'bios.grub.mbr' boot mode without 'bios.grub.eltorito' is not supported." 0 + fi + + # Check if the grub package is in the package list + # shellcheck disable=SC2076 + if [[ ! " ${pkg_list[*]} " =~ ' grub ' ]]; then + (( validation_error=validation_error+1 )) + _msg_error "Validating '${bootmode}': The 'grub' package is missing from the package list!" 0 + fi +} + +_validate_requirements_bootmode_bios.grub.eltorito() { + # bios.grub.eltorito has the exact same requirements as bios.grub.mbr + _validate_requirements_bootmode_bios.grub.mbr +} + _validate_requirements_bootmode_bios.syslinux.mbr() { # bios.syslinux.mbr requires bios.syslinux.eltorito # shellcheck disable=SC2076 
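Review bot: The header comment of `_validate_requirements_bootmode_bios.grub.mbr` is a copy-paste (`bios.syslinux.mbr requires bios.grub.eltorito`) followed by `actually I'm not sure this is true`; on this page the dependency is real — `_make_bootmode_bios.grub.eltorito` is what installs `boot_hybrid.img`, which the MBR xorrisofs options hand to `--grub2-mbr` — so replace both lines with `# bios.grub.mbr requires bios.grub.eltorito: the El Torito step installs boot_hybrid.img, which --grub2-mbr needs`. The `grub` package check is what actually guarantees that file exists in `${pacstrap_dir}`, so a short comment saying so (`# boot_hybrid.img is taken from the target's grub package`) next to the `pkg_list` test would tie the two checks together.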
@@ -1570,26 +1613,6 @@ _validate_requirements_bootmode_uefi-x64.grub.esp() { _msg_error "Validating '${bootmode}': cannot be used with bootmode uefi-x64.systemd-boot.esp!" 0 fi - # Check if GRUB configuration files exist - if [[ ! -d "${profile}/grub" ]]; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${bootmode}': The '${profile}/grub' directory is missing!" 0 - else - if [[ ! -e "${profile}/grub/grub.cfg" ]]; then - (( validation_error=validation_error+1 )) - _msg_error "Validating '${bootmode}': File '${profile}/grub/grub.cfg' not found!" 0 - fi - local conffile - for conffile in "${profile}/grub/"*'.cfg'; do - if [[ -e "${conffile}" ]]; then - break - else - (( validation_error=validation_error+1 )) - _msg_error "Validating '${bootmode}': No configuration file found in '${profile}/grub/'!" 0 - fi - done - fi - # Check for optional packages # shellcheck disable=SC2076 if [[ ! " ${pkg_list[*]} " =~ ' edk2-shell ' ]]; then diff --git a/configs/baseline/packages.x86_64 b/configs/baseline/packages.x86_64 index cbb93b0..7a187ca 100644 --- a/configs/baseline/packages.x86_64 +++ b/configs/baseline/packages.x86_64 @@ -1,5 +1,6 @@ base cloud-init +grub hyperv linux mkinitcpio @@ -8,5 +9,4 @@ open-vm-tools openssh pv qemu-guest-agent -syslinux virtualbox-guest-utils-nox -- GitLab From 888abf6d3ded08910c35e15401bb1b3f72c76174 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 16:28:18 +0200 Subject: [PATCH 049/105] add validate_requirements for bios.grub --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 194c034..ee90a7a 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1480,8 +1480,8 @@ _validate_common_requirements_bootmode_uefi(){ _validate_requirements_bootmode_bios.grub.mbr() { # bios.syslinux.mbr requires bios.grub.eltorito # actually I'm not sure this is true - # shellcheck disable=SC2076 _validate_common_requirements_bootmode_grub + # shellcheck disable=SC2076 if [[ ! " ${bootmodes[*]} " =~ ' bios.grub.eltorito ' ]]; then (( validation_error=validation_error+1 )) _msg_error "Using 'bios.grub.mbr' boot mode without 'bios.grub.eltorito' is not supported." 0 -- GitLab From a0832bfa4c8e4c7e449b378adcf4201d4c1680ec Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 18:34:40 +0200 Subject: [PATCH 050/105] fix xorrisofs option typo --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index ee90a7a..ed00860 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1975,7 +1975,7 @@ _add_xorrisofs_options_bios.grub.mbr() { local _xorrisofs_options=("$@") _xorrisofs_options+=( # SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot syslinux/isolinux.bin" - '-grub2-mbr' "${bootable_dir}/grub/boot_hybrid.img" + '--grub2-mbr' "${bootable_dir}/grub/boot_hybrid.img" # When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR # bootstrap code area) and mark it as bootable # May allow booting on some systems -- GitLab From fbbc8eb0a3d593a9813d44ba2e3f171b29b52b75 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 18:44:26 +0200 Subject: [PATCH 051/105] add grub.cfg for mbr config --- archiso/mkarchiso | 1 + 1 file changed, 1 insertion(+) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index ed00860..d8c1280 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
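Review bot: The comment above the corrected `'--grub2-mbr'` option in `_add_xorrisofs_options_bios.grub.mbr` still reads `# SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot syslinux/isolinux.bin"`, describing the syslinux path this function replaces. Suggest `# GRUB MBR bootstrap code (boot_hybrid.img); it chains into the El Torito core image, hence the bios.grub.eltorito requirement`. The function continues past the hunk.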
@@ -1144,6 +1144,7 @@ _make_common_bootmode_grub_copy_to_isofs() { files_to_copy+=("${profile}/grub/"!(*.cfg)) fi install -m 0644 -- "${files_to_copy[@]}" "${isofs_dir}/EFI/BOOT/" + install -m 0644 -- "${files_to_copy[@]}" "${isofs_dir}/grub" } # Module list from https://bugs.archlinux.org/task/71382#comment202911 -- GitLab From 5b1a54382b645f00e49d3732ad42e0d0fd6ebdbf Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 19:15:27 +0200 Subject: [PATCH 052/105] add grub.cfg for mbr config --- archiso/mkarchiso | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index d8c1280..273df31 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -864,7 +864,7 @@ _make_bootmode_bios.grub.mbr() { bootable_dir="${1}" bootable="${2}" _msg_info "Setting up GRUB for BIOS booting from a disk..." - install -d -m 0755 -- "${bootable_dir}/grub" + install -d -m 0755 -- "${bootable_dir}/EFI/BOOT" _run_once _make_common_bootmode_grub_cfg grub-mkstandalone -O i386-pc \ @@ -877,7 +877,7 @@ _make_bootmode_bios.grub.mbr() { --compress=xz \ -o "${work_dir}/BOOTIA32.MBR" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg" - install -D -m 0644 "${work_dir}/BOOTIA32.MBR" "${bootable_dir}/grub" + install -D -m 0644 "${work_dir}/BOOTIA32.MBR" "${bootable_dir}/EFI/BOOT" if [[ "${bootable}" == "iso" ]]; then _run_once _make_boot_on_iso9660 @@ -900,8 +900,8 @@ _make_bootmode_bios.grub.mbr_dongle() { _make_bootmode_bios.grub.eltorito() { local bootable_dir="${1}" _msg_info "Setting up GRUB for BIOS booting from an optical disc..." - install -d -m 0755 -- "${bootable_dir}/grub" - install -m 0644 -- "${pacstrap_dir}/usr/lib/grub/i386-pc/boot_hybrid.img" "${bootable_dir}/grub/" + install -d -m 0755 -- "${bootable_dir}/EFI/BOOT" + install -m 0644 -- "${pacstrap_dir}/usr/lib/grub/i386-pc/boot_hybrid.img" "${bootable_dir}/EFI/BOOT/" _run_once _make_common_bootmode_grub_cfg grub-mkstandalone -O i386-pc-eltorito \ 
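Review bot: The added `install -m 0644 -- "${files_to_copy[@]}" "${isofs_dir}/grub"` has no matching `install -d` for `${isofs_dir}/grub`; with several sources `install` requires the destination to be an existing directory, and with a single source it would create a regular file named `grub` instead. Add `install -d -m 0755 -- "${isofs_dir}/grub"` before it, or reuse whichever directory the BIOS boot modes already create. `_make_common_bootmode_grub_copy_to_isofs` starts above the hunk.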
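Review bot: `_make_bootmode_bios.grub.mbr` and `_make_bootmode_bios.grub.eltorito` now create and populate `${bootable_dir}/EFI/BOOT` with BIOS-only artifacts (`BOOTIA32.MBR`, `BOOTIA32.ELTORITO`, `boot_hybrid.img`), a path whose name readers and firmware associate with the UEFI fallback loaders, and whose `BOOTIA32.*` names sit one extension away from the real `BOOTIA32.EFI`. This looks like a workaround for the missing directory creation in the previous commit rather than a fix for it; a dedicated `install -d -m 0755 -- "${bootable_dir}/grub"` keeps the ESP tree limited to UEFI binaries and makes the xorrisofs paths self-describing. If the co-location is deliberate, a comment at the `install -d` line stating why would save the next reader the same question.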
@@ -914,7 +914,7 @@ _make_bootmode_bios.grub.eltorito() { --compress=xz \ -o "${work_dir}/BOOTIA32.ELTORITO" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg" - install -m 0644 -- "${work_dir}/BOOTIA32.ELTORITO" "${bootable_dir}/grub" + install -m 0644 -- "${work_dir}/BOOTIA32.ELTORITO" "${bootable_dir}/EFI/BOOT" if [[ "${bootable}" == "iso" ]]; then _run_once _make_boot_on_iso9660 @@ -1144,7 +1144,6 @@ _make_common_bootmode_grub_copy_to_isofs() { files_to_copy+=("${profile}/grub/"!(*.cfg)) fi install -m 0644 -- "${files_to_copy[@]}" "${isofs_dir}/EFI/BOOT/" - install -m 0644 -- "${files_to_copy[@]}" "${isofs_dir}/grub" } # Module list from https://bugs.archlinux.org/task/71382#comment202911 @@ -1976,7 +1975,7 @@ _add_xorrisofs_options_bios.grub.mbr() { local _xorrisofs_options=("$@") _xorrisofs_options+=( # SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot syslinux/isolinux.bin" - '--grub2-mbr' "${bootable_dir}/grub/boot_hybrid.img" + '--grub2-mbr' "${bootable_dir}/EFI/BOOT/boot_hybrid.img" # When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR # bootstrap code area) and mark it as bootable # May allow booting on some systems @@ -2002,9 +2001,9 @@ _add_xorrisofs_options_bios.grub.mbr_dongle() { _add_xorrisofs_options_bios.grub.eltorito() { local _xorrisofs_options=("$@") _xorrisofs_options+=(# El Torito boot image for x86 BIOS - '-eltorito-boot' 'grub/BOOTIA32.ELTORITO' + '-eltorito-boot' 'EFI/BOOT/BOOTIA32.ELTORITO' # El Torito boot catalog file - # '-eltorito-catalog' 'syslinux/boot.cat' + '-eltorito-catalog' 'boot.catalog' # Required options to boot with GRUB '-no-emul-boot' '-boot-load-size' '4' '-boot-info-table') echo "${_xorrisofs_options[@]}" -- GitLab From 000fa23a1d750828e232f6569497846463307c08 Mon Sep 17 00:00:00 2001 
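Review bot: In `_make_bootmode_bios.grub.eltorito` the test `if [[ "${bootable}" == "iso" ]]` reads a variable the function never receives — its only parameter is `local bootable_dir="${1}"` (visible in the previous hunk), whereas `_make_bootmode_bios.grub.mbr` takes `bootable="${2}"`. The value therefore comes from whatever global an earlier caller left behind, which makes the El Torito step depend on call order. Either pass it explicitly (`local bootable="${2}"` next to `bootable_dir`) or document that the global is intentionally shared. The function body extends past this hunk.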
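Review bot: `_add_xorrisofs_options_bios.grub.eltorito` passes `-boot-info-table` but not `--grub2-boot-info`; as far as I recall GRUB's `i386-pc-eltorito` core image reads its own location from the field that `--grub2-boot-info` patches (the option `grub-mkrescue` adds), so without it the image may fail to load the rest of itself on some firmware. If that is confirmed, extend the last option line to `'-no-emul-boot' '-boot-load-size' '4' '-boot-info-table' '--grub2-boot-info')` and replace the generic `# Required options to boot with GRUB` with a comment naming what each option is for. The function is fully visible in the hunk.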
From: Pellegrino Prevete Date: Tue, 6 Sep 2022 19:41:32 +0200 Subject: [PATCH 053/105] embed grub cfg file directly when mbr/eltorito --- archiso/mkarchiso | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 273df31..e9f66a2 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -875,7 +875,7 @@ _make_bootmode_bios.grub.mbr() { --install-modules="$(_get_grubmodules "bios")" \ --disable-shim-lock \ --compress=xz \ - -o "${work_dir}/BOOTIA32.MBR" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg" + -o "${work_dir}/BOOTIA32.MBR" "boot/grub/grub.cfg=${profile}/grub/grub.cfg" install -D -m 0644 "${work_dir}/BOOTIA32.MBR" "${bootable_dir}/EFI/BOOT" @@ -912,7 +912,7 @@ _make_bootmode_bios.grub.eltorito() { --install-modules="$(_get_grubmodules "bios")" \ --disable-shim-lock \ --compress=xz \ - -o "${work_dir}/BOOTIA32.ELTORITO" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg" + -o "${work_dir}/BOOTIA32.ELTORITO" "boot/grub/grub.cfg=${profile}/grub/grub.cfg" install -m 0644 -- "${work_dir}/BOOTIA32.ELTORITO" "${bootable_dir}/EFI/BOOT" @@ -1153,7 +1153,7 @@ _get_grubmodules(){ iso9660 keylayouts linux loadenv luks minicmd normal part_apple part_gpt part_msdos read regexp search search_fs_file search_fs_uuid usb) - if [ "${_mode}" == "efi" ]; then + if [ "${_mode}" != "bios" ]; then _modules+=(all_video btrfs efifwsetup f2fs font gfxmenu gfxterm gzio halt hfsplus jpeg loopback lsefi lsefimmap reboot png search_label serial sleep tpm usbserial_common usbserial_ftdi usbserial_pl2303 -- GitLab From b0893886d16b5ad70490ad2690c978a991e39abc Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 19:57:39 +0200 Subject: [PATCH 054/105] embed grub cfg file directly when mbr/eltorito --- archiso/mkarchiso | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index e9f66a2..930ec71 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
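Review bot: Embedding `boot/grub/grub.cfg=${profile}/grub/grub.cfg` puts the unexpanded profile template into the BIOS core image: the profile configs in this series still carry `%ARCH%`, `%BOOTABLE_UUID%`, `%INSTALL_DIR%` and `%KERNEL_PARAMS%` placeholders (see the grub.cfg hunks further down), which `_build_bootloader_config` substitutes with sed. The resulting BIOS menu would search for a literal `%BOOTABLE_UUID%` and never find the root device. Embed the rendered file produced by `_run_once _make_common_bootmode_grub_cfg`, called just above these lines, instead — presumably something like `"boot/grub/grub.cfg=${work_dir}/grub/grub.cfg"` if that is where it is written. The same applies to the `_make_bootmode_bios.grub.eltorito` hunk below it.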
@@ -875,7 +875,7 @@ _make_bootmode_bios.grub.mbr() { --install-modules="$(_get_grubmodules "bios")" \ --disable-shim-lock \ --compress=xz \ - -o "${work_dir}/BOOTIA32.MBR" "boot/grub/grub.cfg=${profile}/grub/grub.cfg" + -o "${work_dir}/BOOTIA32.MBR" "boot/grub/grub.cfg=${work_dir}/grub/grub.cfg" install -D -m 0644 "${work_dir}/BOOTIA32.MBR" "${bootable_dir}/EFI/BOOT" @@ -912,7 +912,7 @@ _make_bootmode_bios.grub.eltorito() { --install-modules="$(_get_grubmodules "bios")" \ --disable-shim-lock \ --compress=xz \ - -o "${work_dir}/BOOTIA32.ELTORITO" "boot/grub/grub.cfg=${profile}/grub/grub.cfg" + -o "${work_dir}/BOOTIA32.ELTORITO" "boot/grub/grub.cfg=${work_dir}/grub/grub.cfg" install -m 0644 -- "${work_dir}/BOOTIA32.ELTORITO" "${bootable_dir}/EFI/BOOT" -- GitLab From f4155d7783a8986122a092b65c5ba4dd8d428514 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 20:09:37 +0200 Subject: [PATCH 055/105] fix grub modules --- archiso/mkarchiso | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 930ec71..04e3a38 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
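Review bot: After this change the `grub-mkstandalone` invocations in `_make_bootmode_bios.grub.mbr` and `_make_bootmode_bios.grub.eltorito` differ only in `-O` (`i386-pc` vs `i386-pc-eltorito`) and the output name, and both hard-code `${work_dir}/grub/grub.cfg` as the rendered config path. A small helper along the lines of `_make_bios_grub_image "i386-pc" "${work_dir}/BOOTIA32.MBR"` holding the shared options would stop the two from drifting (they already diverged once in this series), and a single named variable for the rendered config path would make the dependency on `_make_common_bootmode_grub_cfg` explicit. Both enclosing functions start before and end after their hunks.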
@@ -1149,13 +1149,13 @@ _make_common_bootmode_grub_copy_to_isofs() { # Module list from https://bugs.archlinux.org/task/71382#comment202911 _get_grubmodules(){ local _mode="${1}" - _modules=(at_keyboard boot cat chain configfile cryptodisk echo ext2 fat + _modules=(at_keyboard biosdisk boot chain configfile cryptodisk ext2 fat iso9660 keylayouts linux loadenv luks minicmd normal part_apple - part_gpt part_msdos read regexp search search_fs_file + part_gpt part_msdos read search search_fs_uuid usb) if [ "${_mode}" != "bios" ]; then - _modules+=(all_video btrfs efifwsetup f2fs font gfxmenu gfxterm gzio halt - hfsplus jpeg loopback lsefi lsefimmap reboot png search_label + _modules+=(all_video btrfs cat echo efifwsetup f2fs font gfxmenu gfxterm gzio halt + hfsplus jpeg loopback lsefi lsefimmap reboot png regexp search_fs_file search_label serial sleep tpm usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd) fi -- GitLab From 3aea364130360b643b61f2f0312af3430218d758 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 20:12:19 +0200 Subject: [PATCH 056/105] fix grub modules --- archiso/mkarchiso | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 04e3a38..d782c74 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1170,7 +1170,7 @@ _make_bootmode_uefi-ia32.grub.esp() { # Create EFI binary grub-mkstandalone -O i386-efi \ - --modules="$(_get_grubmodules)" \ + --modules="$(_get_grubmodules "efi")" \ --locales="en@quot" \ --themes="" \ --sbat=/usr/share/grub/sbat.csv \ @@ -1258,7 +1258,7 @@ _make_bootmode_uefi-x64.grub.esp() { # Create EFI binary grub-mkstandalone -O x86_64-efi \ - --modules="$(_get_grubmodules)" \ + --modules="$(_get_grubmodules "efi")" \ --locales="en@quot" \ --themes="" \ --sbat=/usr/share/grub/sbat.csv \ -- GitLab From 2d48ffebe9ed51233a321f8030a83fb9871506e4 Mon Sep 17 00:00:00 2001 
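Review bot: The reshuffled lists in `_get_grubmodules` make `echo`, `halt` and `reboot` EFI-only and never include `play`, yet the same rendered grub.cfg is embedded into the BIOS images, and the releng config in this page uses `play 600 988 1 1319 4`. As far as I can tell `--install-modules` limits the image to the listed modules, so on a BIOS boot `play` would fail with `unknown command`, and any `echo`/`halt`/`reboot` entries in the shared config would fail the same way. Either add `echo halt play reboot` to the common list or keep those commands out of the BIOS config, and add a comment above the list stating which config commands each module serves so the next edit does not repeat this.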
From: Pellegrino Prevete Date: Tue, 6 Sep 2022 20:16:00 +0200 Subject: [PATCH 057/105] fix grub modules --- archiso/mkarchiso | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index d782c74..f5b2527 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1149,7 +1149,7 @@ _make_common_bootmode_grub_copy_to_isofs() { # Module list from https://bugs.archlinux.org/task/71382#comment202911 _get_grubmodules(){ local _mode="${1}" - _modules=(at_keyboard biosdisk boot chain configfile cryptodisk ext2 fat + _modules=(at_keyboard boot chain configfile cryptodisk ext2 fat iso9660 keylayouts linux loadenv luks minicmd normal part_apple part_gpt part_msdos read search search_fs_uuid usb) @@ -1158,6 +1158,8 @@ _get_grubmodules(){ hfsplus jpeg loopback lsefi lsefimmap reboot png regexp search_fs_file search_label serial sleep tpm usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd) + elif [ "${_mode}" == "bios" ] ; then + _modules+=(biosdisk) fi echo "${_modules[*]}" } -- GitLab From 41ab984f2d176f5227c7da628dba3eb85e555848 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 20:30:50 +0200 Subject: [PATCH 058/105] fix user-setup --- configs/baseline/airootfs/usr/local/bin/user-setup | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/configs/baseline/airootfs/usr/local/bin/user-setup b/configs/baseline/airootfs/usr/local/bin/user-setup index ec4c260..ee8d806 100755 --- a/configs/baseline/airootfs/usr/local/bin/user-setup +++ b/configs/baseline/airootfs/usr/local/bin/user-setup 
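Review bot: `_get_grubmodules` still treats every `_mode` other than `bios` as EFI (`if [ "${_mode}" != "bios" ]`), so an empty or misspelled argument silently yields an EFI module set, including `tpm` and `efifwsetup`, for an image that may be built with `-O i386-pc`. Now that the bios branch is an explicit `elif`, a `case "${_mode}" in efi) … ;; bios) _modules+=(biosdisk) ;; *) _msg_error "Unknown GRUB module mode '${_mode}'" 1 ;; esac` would fail loudly instead. The function header is in the first hunk and the closing `echo "${_modules[*]}"` in the second.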
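Review bot: `_does_exist="$(/usr/bin/homectl list | awk '{print $1}' | grep -q "\b${_user}\b")"` captures the stdout of `grep -q`, which is always empty, so `if ! "${_does_exist}"` tries to execute an empty command name, fails, and the `!` makes the branch run every time — `homectl create` is attempted even for existing users. Test the pipeline's exit status directly and match the name exactly rather than as a regex built from `${_user}`: `if ! /usr/bin/homectl list | awk '{print $1}' | grep -qxF -- "${_user}"; then`. The `_does_exist` local can then be dropped. The hunk covers the whole of `_user_setup`.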
@@ -1,14 +1,13 @@ #!/usr/bin/env bash -_homectl="/usr/bin/homectl" _user_setup(){ local _user=${1} local _does_exist - _does_exist="$(${_homectl} list | awk '{print $1}' | grep -q "\b${_user}\b")" + _does_exist="$(/usr/bin/homectl list | awk '{print $1}' | grep -q "\b${_user}\b")" if ! "${_does_exist}"; then - "${_homectl}" create "${_user}" + /usr/bin/homectl create "${_user}" fi } -- GitLab From ab76e36bd105063197d5d4efd8461c7a1a5004e8 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 20:41:41 +0200 Subject: [PATCH 059/105] fix grub eltorito --- archiso/mkarchiso | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index f5b2527..e7bcd90 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -2121,7 +2121,7 @@ _add_xorrisofs_options_uefi-x64.systemd-boot.esp() { fi # Ensure GPT is used as some systems do not support UEFI booting without it # shellcheck disable=SC2076 - if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]] || [[ " ${bootmodes[*]} " =~ ' bios.grub.mbr ' ]]; then # A valid GPT prevents BIOS booting on some systems, instead use an invalid GPT (without a protective MBR). # The attached partition will have the EFI system partition type code in MBR, but in the invalid GPT it will # have a Microsoft basic partition type code. 
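Review bot: The predicate `[[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]] || [[ " ${bootmodes[*]} " =~ ' bios.grub.mbr ' ]]` introduced here in `_add_xorrisofs_options_uefi-x64.systemd-boot.esp` is repeated verbatim in three more functions in this commit, each with its own `# shellcheck disable=SC2076`. A single helper keeps the list of MBR boot modes in one place, so the next loader does not need four edits, and lets the invalid-GPT rationale be written once. The enclosing functions start before and end after their hunks.
```shell
# Return 0 when a BIOS MBR boot mode is selected. Those need the invalid-GPT
# layout chosen at the call sites so that BIOS firmware still boots the medium.
_bios_mbr_bootmode_selected() {
    local _bootmode
    for _bootmode in "${bootmodes[@]}"; do
        case "${_bootmode}" in
            bios.syslinux.mbr|bios.grub.mbr) return 0 ;;
        esac
    done
    return 1
}

# … at each of the four call sites, replacing the duplicated test …
if _bios_mbr_bootmode_selected; then
```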
@@ -2165,7 +2165,7 @@ _add_xorrisofs_options_uefi-x64.systemd-boot.eltorito() { '-no-emul-boot' ) # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead. - if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]] || [[ " ${bootmodes[*]} " =~ ' bios.grub.mbr ' ]]; then # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. @@ -2216,7 +2216,7 @@ _add_xorrisofs_options_uefi-x64.grub.esp() { fi # Ensure GPT is used as some systems do not support UEFI booting without it # shellcheck disable=SC2076 - if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]] || [[ " ${bootmodes[*]} " =~ ' bios.grub.mbr ' ]]; then # A valid GPT prevents BIOS booting on some systems, instead use an invalid GPT (without a protective MBR). # The attached partition will have the EFI system partition type code in MBR, but in the invalid GPT it will # have a Microsoft basic partition type code. @@ -2261,7 +2261,7 @@ _add_xorrisofs_options_uefi-x64.grub.eltorito() { '-no-emul-boot' ) # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead. - if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]] || [[ " ${bootmodes[*]} " =~ ' bios.grub.mbr ' ]]; then # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. -- GitLab 
From 13bca01801f2edcc65bb91901e8ecd609b074692 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 21:13:49 +0200 Subject: [PATCH 060/105] fix grub eltorito --- archiso/mkarchiso | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index e7bcd90..30eda47 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1977,7 +1977,7 @@ _add_xorrisofs_options_bios.grub.mbr() { local _xorrisofs_options=("$@") _xorrisofs_options+=( # SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot syslinux/isolinux.bin" - '--grub2-mbr' "${bootable_dir}/EFI/BOOT/boot_hybrid.img" + '--grub2-mbr' "${bootable_dir}/EFI/BOOT/BOOTIA32.MBR" # When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR # bootstrap code area) and mark it as bootable # May allow booting on some systems @@ -2005,7 +2005,7 @@ _add_xorrisofs_options_bios.grub.eltorito() { _xorrisofs_options+=(# El Torito boot image for x86 BIOS '-eltorito-boot' 'EFI/BOOT/BOOTIA32.ELTORITO' # El Torito boot catalog file - '-eltorito-catalog' 'boot.catalog' + '-eltorito-catalog' 'EFI/BOOT/boot.catalog' # Required options to boot with GRUB '-no-emul-boot' '-boot-load-size' '4' '-boot-info-table') echo "${_xorrisofs_options[@]}" -- GitLab From 9f5fb36e33d0753c1dc55f3cde27fe1cad911f62 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 6 Sep 2022 21:42:11 +0200 Subject: [PATCH 061/105] fix grub eltorito --- archiso/mkarchiso | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 30eda47..f1e8dea 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
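Review bot: `'--grub2-mbr' "${bootable_dir}/EFI/BOOT/BOOTIA32.MBR"` hands xorrisofs the full standalone core image where it expects the small MBR bootstrap; as far as I know `--grub2-mbr` installs the given file into the system area and patches the core-image pointer into it, so pointing it at the `grub-mkstandalone` output instead of `boot_hybrid.img` is unlikely to yield a bootable MBR and may exceed the system-area size. It also leaves `boot_hybrid.img` installed by `_make_bootmode_bios.grub.eltorito` but unused. Keep `boot_hybrid.img` here (or drop its `install` if it is really unneeded), and update the comment above the option, which still says `SYSLINUX MBR bootstrap code`.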
@@ -1977,7 +1977,7 @@ _add_xorrisofs_options_bios.grub.mbr() { local _xorrisofs_options=("$@") _xorrisofs_options+=( # SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot syslinux/isolinux.bin" - '--grub2-mbr' "${bootable_dir}/EFI/BOOT/BOOTIA32.MBR" + '--grub2-mbr' "${bootable_dir}/EFI/BOOT/boot_hybrid.img" # When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR # bootstrap code area) and mark it as bootable # May allow booting on some systems @@ -2007,7 +2007,7 @@ _add_xorrisofs_options_bios.grub.eltorito() { # El Torito boot catalog file '-eltorito-catalog' 'EFI/BOOT/boot.catalog' # Required options to boot with GRUB - '-no-emul-boot' '-boot-load-size' '4' '-boot-info-table') + '-no-emul-boot' '-boot-load-size' '4' '-boot-info-table' '--grub2-boot-info') echo "${_xorrisofs_options[@]}" } -- GitLab From dfa280b7b8565a66ebedab6e62ccb4408c25bccc Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Wed, 7 Sep 2022 09:53:50 +0200 Subject: [PATCH 062/105] remove syslinux from profiles --- configs/releng/packages.x86_64 | 1 - configs/releng/profiledef.sh | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64 index fc0d3e7..fdb2c15 100644 --- a/configs/releng/packages.x86_64 +++ b/configs/releng/packages.x86_64 @@ -101,7 +101,6 @@ smartmontools sof-firmware squashfs-tools sudo -syslinux systemd-resolvconf tcpdump terminus-font diff --git a/configs/releng/profiledef.sh b/configs/releng/profiledef.sh index e5e3487..077385a 100644 --- a/configs/releng/profiledef.sh +++ b/configs/releng/profiledef.sh 
@@ -8,12 +8,12 @@ iso_application="Arch Linux Live/Rescue CD" iso_version="$(date +%Y.%m.%d)" install_dir="arch" buildmodes=('iso' 'dongle') -bootmodes=('bios.syslinux.mbr' - 'bios.syslinux.eltorito' +bootmodes=('bios.grub.mbr' + 'bios.grub.eltorito' 'uefi-ia32.grub.esp' 'uefi-ia32.grub.eltorito' - 'uefi-x64.systemd-boot.esp' - 'uefi-x64.systemd-boot.eltorito') + 'uefi-x64.grub.esp' + 'uefi-x64.grub.eltorito') arch="x86_64" pacman_conf="pacman.conf" airootfs_image_type="erofs" -- GitLab From de863fbd2fb40160fe5de9b476c6e283fa20b2e6 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Wed, 7 Sep 2022 11:57:54 +0200 Subject: [PATCH 063/105] remove UEFI reference since now GRUB is also installed on BIOS --- archiso/mkarchiso | 1 + configs/baseline/grub/grub.cfg | 4 ++-- configs/releng/grub/grub.cfg | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index f1e8dea..dbaf49d 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1091,6 +1091,7 @@ _get_bootable_uuid() { # Fill a bootloader configuration template and copy the result in a file _build_bootloader_config() { local _template="${1}" + local _boot_type="${2}" sed "s|%BOOTABLE_UUID%|$(_get_bootable_uuid)|g; s|%ARCH%|${arch}|g; s|%INSTALL_DIR%|${install_dir}|g; diff --git a/configs/baseline/grub/grub.cfg b/configs/baseline/grub/grub.cfg index 44775a5..c0e4943 100644 --- a/configs/baseline/grub/grub.cfg +++ b/configs/baseline/grub/grub.cfg 
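Review bot: The commit is titled "remove syslinux from profiles", but this hunk also swaps the releng x86_64 UEFI loader from `uefi-x64.systemd-boot.esp`/`.eltorito` to `uefi-x64.grub.esp`/`.eltorito`, which changes which binary ends up in `EFI/BOOT` and may change the Secure Boot/SBAT behaviour of the shipped medium. That is a user-visible boot-chain change and deserves its own line in the commit message, e.g. `releng: boot x86_64 UEFI with GRUB instead of systemd-boot so one loader handles BIOS, UEFI and LUKS`. The rest of the profile definition is outside the hunk.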
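Review bot: `local _boot_type="${2}"` is declared in `_build_bootloader_config` but never read in the function, so the new second argument is silently ignored by any caller that passes it. Either wire it into the `sed` expression or leave it out until it is needed; if it is a placeholder, say so with `# TODO: select the template by boot type (${2}) once BIOS and UEFI configs diverge`. The function continues past the hunk.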
@@ -30,14 +30,14 @@ timeout_style=menu # Menu entries -menuentry "Arch Linux (%ARCH%, UEFI)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { +menuentry "Arch Linux (%ARCH%)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { set gfxpayload=keep search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } -menuentry "Arch Linux (%ARCH%, UEFI) Copy to RAM" --class arch --class gnu-linux --class gnu --class os --id 'archlinux-copy-to-ram' { +menuentry "Arch Linux (%ARCH%) Copy to RAM" --class arch --class gnu-linux --class gnu --class os --id 'archlinux-copy-to-ram' { set gfxpayload=keep search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% copytoram diff --git a/configs/releng/grub/grub.cfg b/configs/releng/grub/grub.cfg index c5b5afc..050b39d 100644 --- a/configs/releng/grub/grub.cfg +++ b/configs/releng/grub/grub.cfg 
@@ -30,14 +30,14 @@ play 600 988 1 1319 4 # Menu entries -menuentry "Arch Linux install medium (%ARCH%, UEFI)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { +menuentry "Arch Linux install medium (%ARCH%)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { set gfxpayload=keep search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } -menuentry "Arch Linux install medium with speakup screen reader (%ARCH%, UEFI)" --hotkey s --class arch --class gnu-linux --class gnu --class os --id 'archlinux-accessibility' { +menuentry "Arch Linux install medium with speakup screen reader (%ARCH%)" --hotkey s --class arch --class gnu-linux --class gnu --class os --id 'archlinux-accessibility' { set gfxpayload=keep search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% accessibility=on -- GitLab From 0c2ee1ee8f78a7db4f178cb2725f1546714450f6 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Wed, 7 Sep 2022 16:39:37 +0200 Subject: [PATCH 064/105] switch to grub for UEFI --- archiso/mkarchiso | 5 +++++ configs/baseline/profiledef.sh | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index dbaf49d..01ffeec 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -828,6 +828,11 @@ _get_archiso_uuid() { echo "$(_epoch_to_uuid "${SOURCE_DATE_EPOCH}")" } +_get_persistent_uuid() { + #shellcheck disable=SC2005 + echo "$(_epoch_to_uuid $((SOURCE_DATE_EPOCH + 3 * 1415)))" +} + # Produce kernel parameters. _get_kernel_params() { local _kparams=() diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh index 3096e54..5a76aab 100644 --- a/configs/baseline/profiledef.sh +++ b/configs/baseline/profiledef.sh 
@@ -12,8 +12,8 @@ bootmodes=('bios.grub.mbr' 'bios.grub.eltorito' 'uefi-ia32.grub.esp' 'uefi-ia32.grub.eltorito' - 'uefi-x64.systemd-boot.esp' - 'uefi-x64.systemd-boot.eltorito') + 'uefi-x64.grub.esp' + 'uefi-x64.grub.eltorito') arch="x86_64" pacman_conf="pacman.conf" airootfs_image_type="erofs" -- GitLab From d55b64ec5074cb5e37405bbc96512dfcb74e0e0d Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Wed, 7 Sep 2022 16:50:09 +0200 Subject: [PATCH 065/105] set grub for uefi --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 01ffeec..ae92382 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1096,7 +1096,7 @@ _get_bootable_uuid() { # Fill a bootloader configuration template and copy the result in a file _build_bootloader_config() { local _template="${1}" - local _boot_type="${2}" + # local _boot_type="${2}" sed "s|%BOOTABLE_UUID%|$(_get_bootable_uuid)|g; s|%ARCH%|${arch}|g; s|%INSTALL_DIR%|${install_dir}|g; -- GitLab From 732f6f09b54b093b88ef8dec5db1488157da6ee8 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Wed, 7 Sep 2022 17:29:20 +0200 Subject: [PATCH 066/105] switch to a luks pbkdf GRUB supports --- archiso/mkarchiso | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index ae92382..30d2267 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -298,7 +298,9 @@ _run_mkluks() { '--integrity' 'hmac-sha512' \ '--sector-size' '4096' \ '--key-size' '512' \ - '--pbkdf-memory' 256) + '--pbkdf' 'pbkdf2') + # switch to argon2i as soon as GRUB merges support + #_format_opts+=('--pbkdf-memory' 256) if [ "${_writable}" != "true" ]; then _msg_info "Integrity journal disabled" -- GitLab From 3c54408e6c0c546ef024172ffbf13e8a7688d33b Mon Sep 17 00:00:00 2001 
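Review bot: Switching the persistent LUKS2 volume to `'--pbkdf' 'pbkdf2'` for GRUB compatibility replaces cryptsetup's memory-hard default with a KDF that is far cheaper to brute-force offline, which matters for the passphrase slot users are told to type when the rootfs is not encrypted (see the warning added later in this series). If PBKDF2 is unavoidable, pin its cost explicitly instead of inheriting a benchmark run on the build host — e.g. add `'--pbkdf-force-iterations' '1000000'` or an `--iter-time` chosen for the target hardware — and keep the `switch to argon2i as soon as GRUB merges support` note beside it so the downgrade stays visible. A `_msg_warning` at format time would also let builders see which KDF their image got. `_run_mkluks` starts before and ends after this hunk.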
From: Pellegrino Prevete Date: Wed, 7 Sep 2022 19:02:59 +0200 Subject: [PATCH 067/105] add grub option to mkluks --- archiso/mkarchiso | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 30d2267..de6337a 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -280,6 +280,7 @@ _run_mkluks() { local _epoch="${4}" local _label="${5}" local _writable="${6}" + local _grub="${7}" local _activation_opts=() _format_opts=() _key_msg="" _mapper local _cryptsetup_opts=('--type' 'luks2') _mapper=$(basename "${_image_path}")".map" @@ -295,12 +296,17 @@ _run_mkluks() { _activation_opts+=("${_cryptsetup_opts[@]}") _format_opts+=("${_cryptsetup_opts[@]}" \ - '--integrity' 'hmac-sha512' \ '--sector-size' '4096' \ - '--key-size' '512' \ - '--pbkdf' 'pbkdf2') - # switch to argon2i as soon as GRUB merges support - #_format_opts+=('--pbkdf-memory' 256) + '--key-size' '512') + + # Remove as soon as gcrypt adds support for argon2i + # and GRUB for the dm-integrity layer + if [ "${_grub}" == "true" ]; then + _format_opts+=('--pbkdf' 'pbkdf2') + else + _format_opts+=('--pbkdf-memory' 256 + '--integrity' 'hmac-sha512') + fi if [ "${_writable}" != "true" ]; then _msg_info "Integrity journal disabled" @@ -506,6 +512,7 @@ _mkpersistent_common() { rm -f -- "${image_path}" persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) writable="true" + grub="true" } # Create an ext4 image to be used as the persistent ISO partition. 
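Review bot: In `_run_mkluks` the new `if [ "${_grub}" == "true" ]` branch drops `'--integrity' 'hmac-sha512'` along with the Argon2 memory setting, so a GRUB-openable persistent volume loses the authenticated-encryption layer that would detect offline tampering — the property most relevant to the physical-attack threat model this series targets — without any notice to the builder. Emit a warning in that branch, e.g. `_msg_warning "GRUB-compatible LUKS2 format: PBKDF2 instead of Argon2 and no dm-integrity layer; offline modification of the persistent volume will not be detected."`, and keep the `# Remove as soon as …` note next to it. Since no iteration count is given, consider making the PBKDF2 cost explicit with `--pbkdf-force-iterations` as well. The function starts before and ends after the hunk.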
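Review bot: `grub="true"` is set unconditionally in `_mkpersistent_common`, so every persistent LUKS volume gets the weaker GRUB-compatible format even when no `*.grub.*` boot mode will need to open it from the bootloader. Derive it from the selected boot modes instead, e.g. `grub="false"; [[ " ${bootmodes[*]} " == *'.grub.'* ]] && grub="true"`, with a comment that the flag exists only to stay within what GRUB's luks2 module can unlock. The flag is also a bare global consumed by `_mkpersistent_ext4+luks`; it works, but a `local`/documented name would make the contract clearer. The function is fully visible in the hunk.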
@@ -524,7 +531,7 @@ _mkpersistent_ext4+luks() { _mkpersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ - "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" + "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" "${grub}" _run_mkext4 "${persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ "${persistent_epoch}" "persistent" "${writable}" dd if="${persistent_dir}.img" of="${image_device}" -- GitLab From b7c83beb56988de1ca0d2970876db52640ff4b33 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Fri, 9 Sep 2022 16:31:08 +0000 Subject: [PATCH 068/105] sync --- archiso/mkarchiso | 59 +++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 50 insertions(+), 9 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index de6337a..15b8118 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -842,6 +842,11 @@ _get_persistent_uuid() { echo "$(_epoch_to_uuid $((SOURCE_DATE_EPOCH + 3 * 1415)))" } +_get_dongle_persistent_uuid() { + #shellcheck disable=SC2005 + echo "$(_epoch_to_uuid $((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415)))" +} + # Produce kernel parameters. _get_kernel_params() { local _kparams=() @@ -1093,6 +1098,26 @@ _epoch_to_uuid() { echo "${_uuid}" } +_get_device_select_cmdline() { + local _uuid + # _uuid="$(_get_archiso_uuid)" + # if [[ "${airootfs_image_type}" == *luks ]]; then # || [[ "${buildmode}" = 'dongle' ]]; then + # + # fi + # if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then + # _uuid=$(_get_dongle_uuid) + # fi + # + # echo "${_uuid}" + _uuid="$(_get_bootable_uuid)" + if [[ "${persistent_image_type}" == *luks ]]; then + _get_persistent_uuid + echo "cryptomount -u " + else + echo "search --no-floppy --set=root --fs-uuid $(_get_bootable_uuid)" + fi +} + _get_bootable_uuid() { local _uuid _uuid="$(_get_archiso_uuid)" 
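Review bot: `_epoch_to_uuid $((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415))` in `_get_dongle_persistent_uuid` repeats the `3 * 1415` offset from `_get_persistent_uuid` as an unnamed constant, so the two can drift apart silently. Name the offsets once at file scope, e.g. `readonly persistent_uuid_offset=$((3 * 1415)) dongle_uuid_offset=$((42 * 69))`, and use them in both functions, with a comment that the offsets only keep the derived UUIDs distinct and reproducible — they are not meant to be unpredictable.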
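Review bot: `_get_device_select_cmdline` runs `_get_persistent_uuid` as a bare statement, so its UUID is printed on a line of its own, and the next `echo "cryptomount -u "` prints a command with no UUID; `_uuid` is assigned and never used. The two-line output is then spliced by `_build_bootloader_config` into a `sed 's|…|…|g'` replacement, where the embedded newline breaks the expression. The intended line is presumably `echo "cryptomount -u $(_get_persistent_uuid)"`, and after unlocking GRUB still needs a `search --set=root` for the `linux`/`initrd` paths to resolve, which the luks branch never emits. The commented-out block above should be removed rather than shipped.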
@@ -1107,6 +1132,7 @@ _build_bootloader_config() { local _template="${1}" # local _boot_type="${2}" sed "s|%BOOTABLE_UUID%|$(_get_bootable_uuid)|g; + s|%DEVICE_SELECT_CMDLINE%|$(_get_device_select_cmdline)|g; s|%ARCH%|${arch}|g; s|%INSTALL_DIR%|${install_dir}|g; s|%KERNEL_PARAMS%|$(_get_kernel_params)|g" \ @@ -1700,7 +1726,7 @@ _prepare_persistent_image() { fi if [ "${persistent_size_kib}" != "" ]; then - if [[ "${persistent_image_type}" == *luks ]]; then + if [[ "${persistent_image_type}" == *"luks" ]]; then sed "s|%PERSISTENT_UUID%|${persistent_uuid}|g" "${crypttab}" > "${pacstrap_dir}/etc/crypttab" if [[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]; then persistent_encryption_key="${work_dir}/persistent.key" @@ -1708,7 +1734,7 @@ _prepare_persistent_image() { install -d -m700 "${pacstrap_dir}/etc/keys" install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" else - _msg_warning "root file system is not encrypted, you will have to insert a password for persistent partition." + _msg_warning "Rootfs encryption disabled, you will have to insert a password for the boot partition." persistent_encryption_key="" fi else @@ -1773,6 +1799,7 @@ _validate_requirements_airootfs_image_type_ext4+squashfs() { _validate_requirements_persistent_image_type_ext4() { _validate_requirements_airootfs_image_type_ext4 + _msg_ } _validate_requirements_persistent_image_type_ext4+luks() { @@ -1828,6 +1855,7 @@ _validate_requirements_airootfs_image_type_erofs+luks() { } _validate_common_requirements_buildmode_all() { + local _msg=() if ! command -v pacman &> /dev/null; then (( validation_error=validation_error+1 )) _msg_error "Validating build mode '${_buildmode}': pacman is not available on this host. Install 'pacman'!" 0 
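Review bot: `s|%DEVICE_SELECT_CMDLINE%|$(_get_device_select_cmdline)|g` splices free-form GRUB syntax into a sed `s` expression, so any `|`, `&`, backslash or newline in the generated text changes the sed program instead of the output — and the luks branch of `_get_device_select_cmdline` currently produces two lines. The other substitutions are UUIDs and short identifiers, so this one is the first that needs escaping. Escape the replacement or render the template with a bash loop over key/value pairs using `${content//%KEY%/value}`, and add a comment that replacement values must not contain the delimiter. `_build_bootloader_config` continues past the hunk.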
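Review bot: `install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys"` bakes the key that unlocks the persistent LUKS volume into the airootfs, and the surrounding condition enables this for `[[ "${buildmode}" = 'dongle' ]]` even when `airootfs_image_type` is not a `*luks` type. Unless the dongle build encrypts the root filesystem by some path not visible here, that leaves the persistent volume's key in plaintext on the same medium it protects, with `/etc/crypttab` pointing straight at it. Gate the keyfile path on the rootfs actually being encrypted and spell out the assumption at the condition: `# a keyfile is only safe inside an encrypted airootfs`. The enclosing `if` chain starts before and ends after this hunk.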
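Review bot: The new warning `Rootfs encryption disabled, you will have to insert a password for the boot partition.` names the wrong volume: this branch runs when no keyfile is installed for the persistent LUKS image, so the user will be prompted for the persistent partition, not the boot partition. Suggest `Rootfs encryption disabled: no keyfile will be stored, you will be asked for the persistent partition passphrase at boot.`. The enclosing function starts before and ends after the hunk.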
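Review bot: The line `_msg_` added to `_validate_requirements_persistent_image_type_ext4` is a bare, incomplete command; bash will report `_msg_: command not found` on every validation of an `ext4` persistent image and, under `set -e`, abort the build. Either finish the intended call — presumably a `_msg_warning` that an unencrypted persistent partition is being built — or delete the line. The function is fully visible in the hunk.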
@@ -1840,8 +1868,11 @@ _validate_common_requirements_buildmode_all() { (( validation_error=validation_error+1 )) _msg_error "Validating build mode '${_buildmode}': gzip is not available on this host. Install 'gzip'!" 0 fi - if [[ ! " ${buildmodes[*]} " =~ ' dongle ' ]]; then - _msg_warning "Validating build mode '${_buildmode}': 'dongle' build mode not selected, the resulting image will be vulnerable to 'evil maids'." + if [[ ! " ${buildmodes[*]} " =~ ' dongle ' ]] && [[ "${persistent_image_type}" != *"luks" ]]; then + _msg=("Validating build mode '${_buildmode}':" + "'dongle' build mode not selected; persistent partition encryption disabled." + "Be sure to use the resulting image on a write-once device to not be vulnerable to 'evil maids'.") + _msg_warning "${_msg[*]}" fi } @@ -1872,6 +1903,7 @@ _validate_requirements_buildmode_bootstrap() { _validate_common_requirements_buildmode_iso_netboot() { local bootmode local pkg_list_from_file=() + local _msg=() # Check if the package list file exists and read packages from it if [[ -e "${packages}" ]]; then @@ -1891,7 +1923,9 @@ _validate_common_requirements_buildmode_iso_netboot() { if typeset -f "_validate_requirements_airootfs_image_type_${airootfs_image_type}" &> /dev/null; then "_validate_requirements_airootfs_image_type_${airootfs_image_type}" else - _msg_warning "Function '_validate_requirements_airootfs_image_type_${airootfs_image_type}' does not exist. Validating the requirements of '${airootfs_image_type}' airootfs image type will not be possible." + _msg=("Function '_validate_requirements_airootfs_image_type_${airootfs_image_type}' does not exist." + "Validating the requirements of '${airootfs_image_type}' airootfs image type will not be possible.") + _msg_warning "${_msg[*]}" fi else (( validation_error=validation_error+1 )) 
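Review bot: The reworded warning in `_validate_common_requirements_buildmode_all` now fires only when `dongle` is unselected and the persistent image is not `*luks`, implying that an encrypted persistent partition removes the 'evil maid' exposure. It does not: the bootloader, kernel and initramfs are still read unencrypted from the medium (the grub.cfg entries in this page load `/%INSTALL_DIR%/boot/…/vmlinuz-linux` by filesystem UUID), so a modified boot chain can capture the passphrase regardless of persistent-partition encryption. Keep the warning unconditional, or reword it to what LUKS actually provides: `persistent data is encrypted, but the boot chain on this medium is not verified; use a write-once or attested device to resist 'evil maid' tampering.` The function starts before and ends after the hunk.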
@@ -1908,6 +1942,7 @@ _validate_requirements_buildmode_dongle() { } _validate_requirements_buildmode_iso() { + local _msg=() _validate_common_requirements_buildmode_iso_netboot _validate_common_requirements_buildmode_all # Check if the specified bootmodes are supported @@ -1920,7 +1955,9 @@ _validate_requirements_buildmode_iso() { if typeset -f "_validate_requirements_bootmode_${bootmode}" &> /dev/null; then "_validate_requirements_bootmode_${bootmode}" else - _msg_warning "Function '_validate_requirements_bootmode_${bootmode}' does not exist. Validating the requirements of '${bootmode}' boot mode will not be possible." + _msg=("Function '_validate_requirements_bootmode_${bootmode}' does not exist." + "Validating the requirements of '${bootmode}' boot mode will not be possible.") + _msg_warning "${_msg[*]}" fi else (( validation_error=validation_error+1 )) @@ -1938,7 +1975,9 @@ _validate_requirements_buildmode_iso() { if typeset -f "_validate_requirements_persistent_image_type_${persistent_image_type}" &> /dev/null; then "_validate_requirements_persistent_image_type_${persistent_image_type}" else - _msg_warning "Function '_validate_requirements_persistent_image_type_${persistent_image_type}' does not exist. Validating the requirements of '${persistent_image_type}' airootfs image type will not be possible." + _msg=("Function '_validate_requirements_persistent_image_type_${persistent_image_type}' does not exist." + "Validating the requirements of '${persistent_image_type}' airootfs image type will not be possible.") + _msg_warning "${_msg[*]}" fi else (( validation_error=validation_error+1 )) @@ -2459,7 +2498,7 @@ _read_profile() { # Validate set options _validate_options() { - local validation_error=0 _buildmode + local validation_error=0 _buildmode _msg=() _msg_info "Validating options..." 
@@ -2475,7 +2514,9 @@ _validate_options() { if typeset -f "_validate_requirements_buildmode_${_buildmode}" &> /dev/null; then "_validate_requirements_buildmode_${_buildmode}" else - _msg_warning "Function '_validate_requirements_buildmode_${_buildmode}' does not exist. Validating the requirements of '${_buildmode}' build mode will not be possible." + msg=("Function '_validate_requirements_buildmode_${_buildmode}' does not exist." + "Validating the requirements of '${_buildmode}' build mode will not be possible.") + _msg_warning "${_msg[*]}" fi else (( validation_error=validation_error+1 )) -- GitLab From 3ba6deda0c51547b4d481901b04f648db0cc42da Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Sun, 11 Sep 2022 16:16:30 +0000 Subject: [PATCH 069/105] sync --- archiso/mkarchiso | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 15b8118..753e88e 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -62,6 +62,7 @@ encryption_key="" persistent_size_kib="" persistent_image_type="" persistentimg="" +donglepersistentimg="" # adapted from GRUB_EARLY_INITRD_LINUX_STOCK in https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in readonly ucodes=('intel-uc.img' 'intel-ucode.img' 'amd-uc.img' 'amd-ucode.img' 'early_ucode.cpio' 'microcode.cpio') 
@@ -541,6 +542,41 @@ _mkpersistent_ext4+luks() { rm -- "${persistent_dir}.img" } +# Steps shared by _mkdonglepersistent+fs_type functions +_mkdonglepersistent_common() { + image_path="${donglepersistentimg}" + rm -f -- "${image_path}" + persistent_epoch=$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415)) + writable="true" + grub="true" +} + +# Create an ext4 image to be used as the persistent ISO partition. +_mkdonglepersistent_ext4() { + _mkpersistent_common + persistent_guid="0FC63DAF-8483-4772-8E79-3D69D8477DE4" + _run_mkext4 "${persistent_dir}" "${persistent_size_kib}" \ + "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" + mv "${persistent_dir}.img" "${image_path}" + sync + _msg_info "Done!" +} + +# Create an ext4 fs inside a LUKS container to be used as the persistent ISO partition. +_mkdonglepersistent_ext4+luks() { + _mkpersistent_common + persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" + _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ + "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" "${grub}" + _run_mkext4 "${persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ + "${persistent_epoch}" "persistent" "${writable}" + dd if="${persistent_dir}.img" of="${image_device}" + sync + _close_luks_device "${image_device}" + _msg_info "Done!" + rm -- "${persistent_dir}.img" +} + # Create checksum for a given file. _mkchecksum() { local _file @@ -1111,8 +1147,11 @@ _get_device_select_cmdline() { # echo "${_uuid}" _uuid="$(_get_bootable_uuid)" if [[ "${persistent_image_type}" == *luks ]]; then - _get_persistent_uuid - echo "cryptomount -u " + persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) + persistent_uuid="$(uuidgen --sha1 \ + --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ + --name "${persistent_epoch}" | sed "s|-||g")" + echo "cryptomount -u ${persistent_uuid}" else echo "search --no-floppy --set=root --fs-uuid $(_get_bootable_uuid)" fi 
@@ -2600,6 +2639,7 @@ _set_overrides() { [[ -n "$dongle_isofs_dir" ]] || dongle_isofs_dir="${work_dir}/dongle_iso" [[ -n "$efibootimg" ]] || efibootimg="${work_dir}/efiboot.img" [[ -n "$persistentimg" ]] || persistentimg="${work_dir}/persistent."$(_get_fs_ext "persistent") + [[ -n "$donglepersistentimg" ]] || donglepersistentimg="${work_dir}/donglepersistent."$(_get_fs_ext "persistent") } _export_gpg_publickey() { -- GitLab From 82f110936eb3648740cab7f0907ba6dac8adf495 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 10:53:19 +0000 Subject: [PATCH 070/105] let's test --- archiso/mkarchiso | 107 ++++++++++++++++++++++++++-------------------- 1 file changed, 60 insertions(+), 47 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 753e88e..f370ab2 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -61,6 +61,7 @@ efiboot_files=() encryption_key="" persistent_size_kib="" persistent_image_type="" +persistentdongle_isofs_dir="" persistentimg="" donglepersistentimg="" # adapted from GRUB_EARLY_INITRD_LINUX_STOCK in https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in @@ -510,10 +511,15 @@ _mkkeys_erofs+luks() { # Steps shared by _mkpersistent+fs_type functions _mkpersistent_common() { image_path="${persistentimg}" + image_label="${iso_label}_PERSISTENT" rm -f -- "${image_path}" persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) writable="true" - grub="true" + if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then + grub="false" + else + grub="true" + fi } # Create an ext4 image to be used as the persistent ISO partition. @@ -521,7 +527,7 @@ _mkpersistent_ext4() { _mkpersistent_common persistent_guid="0FC63DAF-8483-4772-8E79-3D69D8477DE4" _run_mkext4 "${persistent_dir}" "${persistent_size_kib}" \ - "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" + "${persistent_epoch}" "${image_label}" "${writable}" mv "${persistent_dir}.img" "${image_path}" sync _msg_info "Done!" 
@@ -532,7 +538,7 @@ _mkpersistent_ext4+luks() { _mkpersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ - "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" "${grub}" + "${persistent_epoch}" "${image_label}" "${writable}" "${grub}" _run_mkext4 "${persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ "${persistent_epoch}" "persistent" "${writable}" dd if="${persistent_dir}.img" of="${image_device}" @@ -545,18 +551,19 @@ _mkpersistent_ext4+luks() { # Steps shared by _mkdonglepersistent+fs_type functions _mkdonglepersistent_common() { image_path="${donglepersistentimg}" + image_label="${iso_label}_DONGLE_PERSISTENT" rm -f -- "${image_path}" - persistent_epoch=$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415)) + dongle_persistent_epoch=$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415)) writable="true" grub="true" } # Create an ext4 image to be used as the persistent ISO partition. _mkdonglepersistent_ext4() { - _mkpersistent_common + _mkdonglepersistent_common persistent_guid="0FC63DAF-8483-4772-8E79-3D69D8477DE4" - _run_mkext4 "${persistent_dir}" "${persistent_size_kib}" \ - "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" + _run_mkext4 "${dongle_persistent_dir}" "${persistent_size_kib}" \ + "${dongle_persistent_epoch}" "${image_label}" "${writable}" mv "${persistent_dir}.img" "${image_path}" sync _msg_info "Done!" 
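Review bot: In the `_mkdonglepersistent_ext4` hunk the function now formats `${dongle_persistent_dir}` but still runs `mv "${persistent_dir}.img" "${image_path}"`, so the image it just built is not the one moved into place. The LUKS variant's `dd if="${dongle_persistent_dir}.img"` suggests `_run_mkext4` writes `<dir>.img`, and since `_mkpersistent_ext4` has already moved `${persistent_dir}.img` away by the time the dongle variant runs, this `mv` would fail and leave `${dongle_persistent_dir}.img` behind. Change it to `mv "${dongle_persistent_dir}.img" "${image_path}"` to match the `_run_mkext4` call two lines above.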
@@ -567,10 +574,10 @@ _mkdonglepersistent_ext4+luks() { _mkpersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ - "${persistent_epoch}" "${iso_label}_PERSISTENT" "${writable}" "${grub}" - _run_mkext4 "${persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ - "${persistent_epoch}" "persistent" "${writable}" - dd if="${persistent_dir}.img" of="${image_device}" + "${dongle_persistent_epoch}" "${image_label}" "${writable}" "${grub}" + _run_mkext4 "${dongle_persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ + "${dongle_persistent_epoch}" "persistent" "${writable}" + dd if="${dongle_persistent_dir}.img" of="${image_device}" sync _close_luks_device "${image_device}" _msg_info "Done!" @@ -814,8 +821,12 @@ _make_boot_on_iso9660() { # Copy kernel and initramfs to dongle ISO 9660 _make_boot_on_dongle() { - dongle_isofs_dir="${work_dir}/dongle_iso" - _make_boot_on_iso "${dongle_isofs_dir}" + if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then + dongle_boot_dir="${work_dir}/dongle_persistent" + else + dongle_boot_dir="${work_dir}/dongle_iso" + fi + _make_boot_on_iso "${dongle_boot_dir}" } # Copy kernel and initramfs to ISO 9660 @@ -873,14 +884,16 @@ _get_archiso_uuid() { echo "$(_epoch_to_uuid "${SOURCE_DATE_EPOCH}")" } -_get_persistent_uuid() { - #shellcheck disable=SC2005 - echo "$(_epoch_to_uuid $((SOURCE_DATE_EPOCH + 3 * 1415)))" -} - -_get_dongle_persistent_uuid() { - #shellcheck disable=SC2005 - echo "$(_epoch_to_uuid $((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415)))" +_get_cryptomount_uuid() { + if [[ "${bootmodes[*]}" =~ ' dongle ' ]]; then + _epoch="$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415))" + else + _epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) + fi + _uuid="$(uuidgen --sha1 \ + --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ + --name "${_epoch}" | sed "s|-||g")" + echo "cryptomount -u ${_uuid}" } # Produce kernel parameters. 
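Review bot: `_get_cryptomount_uuid` assigns `_epoch` and `_uuid` without declaring them, so both leak into the global scope; add `local _epoch _uuid` as the first statement. The namespace `93a870ff-8565-4cf3-a67b-f47299271a96` and the `SOURCE_DATE_EPOCH + 3 * 1415` derivation are also repeated verbatim in `_prepare_persistent_image` (the crypttab side), and the bootloader's `cryptomount -u` and the crypttab entry only agree as long as both copies stay identical. Consider a single `readonly` constant for the namespace and one helper that both call, with a comment such as `# Must match the UUID written to %PERSISTENT_UUID% in crypttab`.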
@@ -1135,23 +1148,8 @@ _epoch_to_uuid() { } _get_device_select_cmdline() { - local _uuid - # _uuid="$(_get_archiso_uuid)" - # if [[ "${airootfs_image_type}" == *luks ]]; then # || [[ "${buildmode}" = 'dongle' ]]; then - # - # fi - # if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then - # _uuid=$(_get_dongle_uuid) - # fi - # - # echo "${_uuid}" - _uuid="$(_get_bootable_uuid)" if [[ "${persistent_image_type}" == *luks ]]; then - persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) - persistent_uuid="$(uuidgen --sha1 \ - --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ - --name "${persistent_epoch}" | sed "s|-||g")" - echo "cryptomount -u ${persistent_uuid}" + echo "$(_get_cryptomount_uuid)" else echo "search --no-floppy --set=root --fs-uuid $(_get_bootable_uuid)" fi @@ -1169,9 +1167,7 @@ _get_bootable_uuid() { # Fill a bootloader configuration template and copy the result in a file _build_bootloader_config() { local _template="${1}" - # local _boot_type="${2}" - sed "s|%BOOTABLE_UUID%|$(_get_bootable_uuid)|g; - s|%DEVICE_SELECT_CMDLINE%|$(_get_device_select_cmdline)|g; + sed "s|%DEVICE_SELECT_CMDLINE%|$(_get_device_select_cmdline)|g; s|%ARCH%|${arch}|g; s|%INSTALL_DIR%|${install_dir}|g; s|%KERNEL_PARAMS%|$(_get_kernel_params)|g" \ @@ -1732,6 +1728,7 @@ _prepare_airootfs_image() { _mksignature "$(_get_airootfs_img)" if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then dongle_isofs_dir="${work_dir}/dongle_iso" + dongle_persistent_dir="${work_dir}/dongle_persistent" _sig_dir="${dongle_isofs_dir}/${install_dir}/${arch}" install -d -m711 "${_sig_dir}" cp "$(_get_airootfs_img).sig" "${_sig_dir}" 
@@ -1769,7 +1766,7 @@ _prepare_persistent_image() { sed "s|%PERSISTENT_UUID%|${persistent_uuid}|g" "${crypttab}" > "${pacstrap_dir}/etc/crypttab" if [[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]; then persistent_encryption_key="${work_dir}/persistent.key" - dd if=/dev/random bs=512 count=1 of="${persistent_encryption_key}" + _gen_key "${persistent_encryption_key}" install -d -m700 "${pacstrap_dir}/etc/keys" install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" else @@ -1780,6 +1777,9 @@ _prepare_persistent_image() { sed '/%PERSISTENT_UUID%/d' "${crypttab}" > "${pacstrap_dir}/etc/crypttab" fi _run_once "_mkpersistent_${persistent_image_type}" + if [[ "${buildmodes}" =~ ' dongle ' ]]; then + _run_once "_mkdonglepersistent_${persistent_image_type}" + fi fi } @@ -1850,12 +1850,17 @@ _validate_requirements_persistent_image_type_ext4+luks() { fi } +_gen_key() { + local _out="${1}" + dd if=/dev/random bs=512 count=1 of="${_out}" > /dev/null 2>&1 +} + _resolve_encryption_key(){ if [ ! -f "${encryption_key}" ]; then if [ "${encryption_key}" = 'auto' ]; then encryption_key="${work_dir}/${iso_label}.key" [ ! -d "${work_dir}" ] && install -d "${work_dir}" - dd if=/dev/random bs=512 count=1 of="${encryption_key}" + _gen_key "${encryption_key}" elif [ "${encryption_key}" != 'auto' ]; then _msg_error "File '${encryption_key}' does not exist." 0 fi @@ -1885,7 +1890,7 @@ _validate_requirements_airootfs_image_type_luks() { (( validation_error=validation_error+1 )) _msg_error "Validating '${airootfs_image_type}': cryptsetup is not available on this host. Install 'cryptsetup'!" 0 fi - [[ -n "$encryption_key" ]] && _resolve_encryption_key + [[ -n "$encryption_key" ]] && _resolve_encryption_key } _validate_requirements_airootfs_image_type_erofs+luks() { 
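Review bot: `_gen_key` lets `dd` create the key file with the process umask, so `${work_dir}/persistent.key` and `${work_dir}/${iso_label}.key` are typically world-readable in the work directory; the later `install -D -m400` only tightens the copy, not the original. `count=1` without `iflag=fullblock` may also write fewer than 512 bytes on a short read, and `> /dev/null 2>&1` hides any such failure from the caller. Suggested body: `install -m600 /dev/null "${_out}"` followed by `dd if=/dev/random bs=512 count=1 iflag=fullblock status=none of="${_out}"`, so the file is created with a restrictive mode, the key is always the full size, and errors still reach stderr.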
@@ -2053,13 +2058,18 @@ _validate_requirements_buildmode_netboot() { } _add_xorrisofs_options_persistent_partition() { - local _xorrisofs_options=("$@") + local _img _xorrisofs_options=("$@") if [[ "${persistent_image_type}" == *"luks" ]]; then persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" else persistent_guid="0FC63DAF-8483-4772-8E79-3D69D8477DE4" fi - _xorrisofs_options+=('-append_partition' '3' "${persistent_guid}" "${persistentimg}") + if [[ " ${buildmode} " == "dongle" ]]; then + _img="${donglepersistentimg}" + else + _img="${persistentimg}" + fi + _xorrisofs_options+=('-append_partition' '3' "${persistent_guid}" "${_img}") echo "${_xorrisofs_options[@]}" } @@ -2209,7 +2219,7 @@ _add_xorrisofs_options_uefi-x64.systemd-boot.esp() { [[ " ${_xorrisofs_options[*]} " =~ ' -partition_offset ' ]] || _xorrisofs_options+=('-partition_offset' '16') # Attach efiboot.img as a second partition and set its partition type to "EFI system partition" _xorrisofs_options+=('-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${efibootimg}") - if [ "${persistent_size_kib}" != "" ]; then + if [ "${persistent_size_kib}" != "" ] || [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then _xorrisofs_options=("$(_add_xorrisofs_options_persistent_partition "${_xorrisofs_options[@]}")") fi # Ensure GPT is used as some systems do not support UEFI booting without it 
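Review bot: The widened condition in `_add_xorrisofs_options_uefi-x64.systemd-boot.esp` (and the identical one for `uefi-x64.grub.esp` on the next line) appends the persistent partition whenever `dongle` is in `buildmodes`, even when `persistent_size_kib` is empty. `_prepare_persistent_image` only builds `_mkpersistent_*`/`_mkdonglepersistent_*` inside `if [ "${persistent_size_kib}" != "" ]`, so in that configuration xorrisofs would, as far as this diff shows, be handed a `${donglepersistentimg}` that was never created. Either keep the `persistent_size_kib` guard as the outer condition or have the dongle validation reject an empty `persistent_size_kib`, e.g. `[[ -n "${persistent_size_kib}" ]] || _msg_error "Validating build mode '${_buildmode}': 'dongle' requires persistent_size_kib." 0`.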
@@ -2304,7 +2314,7 @@ _add_xorrisofs_options_uefi-x64.grub.esp() { [[ " ${_xorrisofs_options[*]} " =~ ' -partition_offset ' ]] || _xorrisofs_options+=('-partition_offset' '16') # Attach efiboot.img as a second partition and set its partition type to "EFI system partition" _xorrisofs_options+=('-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${efibootimg}") - if [ "${persistent_size_kib}" != "" ]; then + if [ "${persistent_size_kib}" != "" ] || [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then _xorrisofs_options=("$(_add_xorrisofs_options_persistent_partition "${_xorrisofs_options[@]}")") fi # Ensure GPT is used as some systems do not support UEFI booting without it @@ -2720,6 +2730,7 @@ _build_dongle_base() { [[ -d "${keys_dir}" ]] || install -d -- "${keys_dir}" [[ -d "${dongle_isofs_dir}" ]] || install -d -- "${dongle_isofs_dir}" + [[ -d "${dongle_persistent_dir}" ]] || install -d -- "${dongle_persistent_dir}" if [ "${encryption_key}" != "" ]; then cp "${encryption_key}" "${keys_dir}/airootfs.key" @@ -2746,11 +2757,13 @@ _build_iso_base() { keys_dir="${work_dir}/keys" airootfs_img_dir="${isofs_dir}/${install_dir}/${arch}" persistent_dir="${work_dir}/persistent" + dongle_persistent_dir="${work_dir}/dongle_persistent" # Create working directory [[ -d "${airootfs_img_dir}" ]] || install -d -- "${airootfs_img_dir}" [[ -d "${keys_dir}" ]] || install -d -- "${keys_dir}" [[ -d "${persistent_dir}" ]] || install -d -- "${persistent_dir}" + [[ -d "${dongle_persistent_dir}" ]] || install -d -- "${dongle_persistent_dir}" # Write build date to file or if the file exists, read it from there if [[ -e "${work_dir}/build_date" ]]; then -- GitLab From bdf1afd2b66123e4e85a185ac0664ad51dce9509 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 10:56:08 +0000 Subject: [PATCH 071/105] shellcheck fixes --- archiso/mkarchiso | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/archiso/mkarchiso b/archiso/mkarchiso index f370ab2..d5fb3ff 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -61,7 +61,6 @@ efiboot_files=() encryption_key="" persistent_size_kib="" persistent_image_type="" -persistentdongle_isofs_dir="" persistentimg="" donglepersistentimg="" # adapted from GRUB_EARLY_INITRD_LINUX_STOCK in https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in @@ -1148,6 +1147,7 @@ _epoch_to_uuid() { } _get_device_select_cmdline() { + #shellcheck disable=SC2005 if [[ "${persistent_image_type}" == *luks ]]; then echo "$(_get_cryptomount_uuid)" else @@ -1777,7 +1777,7 @@ _prepare_persistent_image() { sed '/%PERSISTENT_UUID%/d' "${crypttab}" > "${pacstrap_dir}/etc/crypttab" fi _run_once "_mkpersistent_${persistent_image_type}" - if [[ "${buildmodes}" =~ ' dongle ' ]]; then + if [[ "${buildmodes[*]}" =~ ' dongle ' ]]; then _run_once "_mkdonglepersistent_${persistent_image_type}" fi fi @@ -2064,7 +2064,7 @@ _add_xorrisofs_options_persistent_partition() { else persistent_guid="0FC63DAF-8483-4772-8E79-3D69D8477DE4" fi - if [[ " ${buildmode} " == "dongle" ]]; then + if [[ "${buildmode}" == "dongle" ]]; then _img="${donglepersistentimg}" else _img="${persistentimg}" @@ -2563,7 +2563,7 @@ _validate_options() { if typeset -f "_validate_requirements_buildmode_${_buildmode}" &> /dev/null; then "_validate_requirements_buildmode_${_buildmode}" else - msg=("Function '_validate_requirements_buildmode_${_buildmode}' does not exist." + _msg=("Function '_validate_requirements_buildmode_${_buildmode}' does not exist." "Validating the requirements of '${_buildmode}' build mode will not be possible.") _msg_warning "${_msg[*]}" fi -- GitLab From fa920462504701475e3caf993836016c6c873ba1 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 10:57:51 +0000 Subject: [PATCH 072/105] upgrade baseline grub.cfg --- configs/baseline/grub/grub.cfg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
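Review bot: The corrected test in `_add_xorrisofs_options_persistent_partition` reads the scalar `"${buildmode}" == "dongle"`, while every other dongle decision in this series (`_mkpersistent_common`, `_prepare_persistent_image`, the two `_add_xorrisofs_options_uefi-x64.*` callers) tests the array `" ${buildmodes[*]} " =~ ' dongle '`. If `buildmode` is not the currently running mode at the time the xorrisofs options are assembled, this function will pick `${persistentimg}` for a dongle build while its callers already decided the partition is needed because of `buildmodes`. Use the same array test here, `if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then`, or add a comment stating why the scalar is the right variable at this point.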
diff --git a/configs/baseline/grub/grub.cfg b/configs/baseline/grub/grub.cfg index c0e4943..4ad3fc4 100644 --- a/configs/baseline/grub/grub.cfg +++ b/configs/baseline/grub/grub.cfg @@ -32,14 +32,14 @@ timeout_style=menu menuentry "Arch Linux (%ARCH%)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { set gfxpayload=keep - search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% + %DEVICE_SELECT_CMDLINE% linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } menuentry "Arch Linux (%ARCH%) Copy to RAM" --class arch --class gnu-linux --class gnu --class os --id 'archlinux-copy-to-ram' { set gfxpayload=keep - search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% + %DEVICE_SELECT_CMDLINE% linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% copytoram initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } -- GitLab From e20c8135f25f7452b2a3d5b2f4404f535015f404 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 11:05:04 +0000 Subject: [PATCH 073/105] add extra warning --- archiso/mkarchiso | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index d5fb3ff..20798ed 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1579,6 +1579,7 @@ _validate_requirements_bootmode_bios.grub.eltorito() { } _validate_requirements_bootmode_bios.syslinux.mbr() { + local _msg # bios.syslinux.mbr requires bios.syslinux.eltorito # shellcheck disable=SC2076 if [[ ! " ${bootmodes[*]} " =~ ' bios.syslinux.eltorito ' ]]; then 
@@ -1612,7 +1613,9 @@ _validate_requirements_bootmode_bios.syslinux.mbr() { # Check for optional packages # shellcheck disable=SC2076 if [[ ! " ${pkg_list[*]} " =~ ' memtest86+ ' ]]; then - _msg_info "Validating '${bootmode}': 'memtest86+' is not in the package list. Memory testing will not be available from syslinux." + _msg=("Validating '${bootmode}': 'memtest86+' is not in the package list." + "Memory testing will not be available from syslinux.") + _msg_info "${_msg}" fi } @@ -1837,8 +1840,13 @@ _validate_requirements_airootfs_image_type_ext4+squashfs() { } _validate_requirements_persistent_image_type_ext4() { + local _msg _validate_requirements_airootfs_image_type_ext4 - _msg_ + if [[ ! "${bootmodes[*]}" =~ ' dongle ' ]]; then + _msg=("Persistent image not encrypted." + "Be sure not to put sensitive data on it and write the resulting image on a write-once device.") + _msg_warning "${_msg}" + fi } _validate_requirements_persistent_image_type_ext4+luks() { -- GitLab From a6c0dbf70595712f5dd9bbec12d8e3447a4219b5 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 11:06:10 +0000 Subject: [PATCH 074/105] fix typos --- archiso/mkarchiso | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 20798ed..580548d 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1615,7 +1615,7 @@ _validate_requirements_bootmode_bios.syslinux.mbr() { if [[ ! " ${pkg_list[*]} " =~ ' memtest86+ ' ]]; then _msg=("Validating '${bootmode}': 'memtest86+' is not in the package list." "Memory testing will not be available from syslinux.") - _msg_info "${_msg}" + _msg_info "${_msg[*]}" fi } 
@@ -1845,7 +1845,7 @@ _validate_requirements_persistent_image_type_ext4() { if [[ ! "${bootmodes[*]}" =~ ' dongle ' ]]; then _msg=("Persistent image not encrypted." "Be sure not to put sensitive data on it and write the resulting image on a write-once device.") - _msg_warning "${_msg}" + _msg_warning "${_msg[*]}" fi } -- GitLab From a0194b2989aa716970836ca8f37e94bd356c1fd1 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 11:07:24 +0000 Subject: [PATCH 075/105] fix typos --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 580548d..cf9f0f1 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1842,7 +1842,7 @@ _validate_requirements_airootfs_image_type_ext4+squashfs() { _validate_requirements_persistent_image_type_ext4() { local _msg _validate_requirements_airootfs_image_type_ext4 - if [[ ! "${bootmodes[*]}" =~ ' dongle ' ]]; then + if [[ ! "${buildmodes[*]}" =~ ' dongle ' ]]; then _msg=("Persistent image not encrypted." "Be sure not to put sensitive data on it and write the resulting image on a write-once device.") _msg_warning "${_msg[*]}" -- GitLab From 35970f8890009ea1281332a114ffb709ccea0907 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 11:11:23 +0000 Subject: [PATCH 076/105] fix typos --- archiso/mkarchiso | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index cf9f0f1..85d2f10 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -884,7 +884,7 @@ _get_archiso_uuid() { } _get_cryptomount_uuid() { - if [[ "${bootmodes[*]}" =~ ' dongle ' ]]; then + if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then _epoch="$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415))" else _epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) 
@@ -1780,7 +1780,7 @@ _prepare_persistent_image() { sed '/%PERSISTENT_UUID%/d' "${crypttab}" > "${pacstrap_dir}/etc/crypttab" fi _run_once "_mkpersistent_${persistent_image_type}" - if [[ "${buildmodes[*]}" =~ ' dongle ' ]]; then + if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then _run_once "_mkdonglepersistent_${persistent_image_type}" fi fi @@ -1842,7 +1842,7 @@ _validate_requirements_airootfs_image_type_ext4+squashfs() { _validate_requirements_persistent_image_type_ext4() { local _msg _validate_requirements_airootfs_image_type_ext4 - if [[ ! "${buildmodes[*]}" =~ ' dongle ' ]]; then + if [[ ! " ${buildmodes[*]} " =~ ' dongle ' ]]; then _msg=("Persistent image not encrypted." "Be sure not to put sensitive data on it and write the resulting image on a write-once device.") _msg_warning "${_msg[*]}" -- GitLab From 512f00810e71f378d3aef78f5e01011f26fe9dab Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 13:21:35 +0000 Subject: [PATCH 077/105] fix function call --- archiso/mkarchiso | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 85d2f10..04b8c16 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -570,7 +570,7 @@ _mkdonglepersistent_ext4() { # Create an ext4 fs inside a LUKS container to be used as the persistent ISO partition. _mkdonglepersistent_ext4+luks() { - _mkpersistent_common + _mkdonglepersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ "${dongle_persistent_epoch}" "${image_label}" "${writable}" "${grub}" 
@@ -1752,7 +1752,7 @@ _prepare_keys_image() { # Build persistent filesystem image _prepare_persistent_image() { - local persistent_dir_size persistent_epoch persistent_uuid + local _msg persistent_dir_size persistent_epoch persistent_uuid local crypttab="${profile}/airootfs/etc/crypttab" persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) persistent_uuid="$(uuidgen --sha1 \ @@ -1767,13 +1767,20 @@ _prepare_persistent_image() { if [ "${persistent_size_kib}" != "" ]; then if [[ "${persistent_image_type}" == *"luks" ]]; then sed "s|%PERSISTENT_UUID%|${persistent_uuid}|g" "${crypttab}" > "${pacstrap_dir}/etc/crypttab" - if [[ "${airootfs_image_type}" == *luks ]] || [[ "${buildmode}" = 'dongle' ]]; then + if [[ "${airootfs_image_type}" == *"luks" ]] || [[ "${buildmode}" = 'dongle' ]]; then persistent_encryption_key="${work_dir}/persistent.key" _gen_key "${persistent_encryption_key}" install -d -m700 "${pacstrap_dir}/etc/keys" install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" + elif [[ "${airootfs_image_type}" != *"luks" ]] && [[ "${buildmode}" = 'dongle' ]]; then + persistent_encryption_key="${work_dir}/persistent.key" + _gen_key "${persistent_encryption_key}" + install -d -m700 "${dongle_persistent_dir}/etc/keys" + install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" else - _msg_warning "Rootfs encryption disabled, you will have to insert a password for the boot partition." + _msg=("Rootfs encryption and dongle buildmode disabled." + "You will be prompted to insert a password for the boot partition.") + _msg_warning "${_msg[*]}" persistent_encryption_key="" fi else -- GitLab From a218e76e8f0e4437611042487d409a27337396e9 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 13:42:31 +0000 Subject: [PATCH 078/105] fix rm --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 04b8c16..c528ead 100755 --- a/archiso/mkarchiso 
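Review bot: The new `elif [[ "${airootfs_image_type}" != *"luks" ]] && [[ "${buildmode}" = 'dongle' ]]` branch is unreachable, because the `if` directly above already accepts any `buildmode = 'dongle'` regardless of `airootfs_image_type`. The branch is also internally inconsistent: it creates `${dongle_persistent_dir}/etc/keys` but then installs the key into `${pacstrap_dir}/etc/keys`, so one of the two paths is wrong whichever location was intended. Note that with the current ordering a dongle build with an unencrypted airootfs stores the persistent LUKS key inside the plaintext airootfs image; if the intent was to keep that key only on the dongle, the `elif` test needs to come first and its `install -D` target should be the dongle directory. `_prepare_persistent_image` continues past the end of this hunk.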
+++ b/archiso/mkarchiso @@ -580,7 +580,7 @@ _mkdonglepersistent_ext4+luks() { sync _close_luks_device "${image_device}" _msg_info "Done!" - rm -- "${persistent_dir}.img" + rm -- "${dongle_persistent_dir}.img" } # Create checksum for a given file. -- GitLab From ab78b573ed9922664c5d43177091637884032dcd Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 14:43:41 +0000 Subject: [PATCH 079/105] kernel not correctly inserted into persistent partition when enabled now fixed --- archiso/mkarchiso | 1 + 1 file changed, 1 insertion(+) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index c528ead..9d8a3bb 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1786,6 +1786,7 @@ _prepare_persistent_image() { else sed '/%PERSISTENT_UUID%/d' "${crypttab}" > "${pacstrap_dir}/etc/crypttab" fi + _run_once _make_boot_on_dongle _run_once "_mkpersistent_${persistent_image_type}" if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then _run_once "_mkdonglepersistent_${persistent_image_type}" -- GitLab From f4f18ada0b23010028dea91b1f235767ce0800f0 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 15:05:26 +0000 Subject: [PATCH 080/105] fix linux and initrd lines --- archiso/mkarchiso | 20 +++++++++++++------- configs/baseline/grub/grub.cfg | 8 ++++---- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 9d8a3bb..6a24240 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -514,11 +514,11 @@ _mkpersistent_common() { rm -f -- "${image_path}" persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) writable="true" - if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then - grub="false" - else - grub="true" - fi + # if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then + # grub="false" + # else + # grub="true" + # fi } # Create an ext4 image to be used as the persistent ISO partition. 
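Review bot: `_run_once _make_boot_on_dongle` is added unconditionally, whereas the `_mkdonglepersistent_*` call two lines below is gated on `' dongle '` in `buildmodes`. In a plain ISO build `_make_boot_on_dongle` (see the earlier hunk) falls through to copying the kernel and initramfs into `${work_dir}/dongle_iso`, which looks like wasted work at best and is presumably not intended. Move the call inside the existing `if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then` block so the dongle boot files are only produced for dongle builds.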
@@ -554,7 +554,7 @@ _mkdonglepersistent_common() { rm -f -- "${image_path}" dongle_persistent_epoch=$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415)) writable="true" - grub="true" + # grub="true" } # Create an ext4 image to be used as the persistent ISO partition. @@ -1167,9 +1167,15 @@ _get_bootable_uuid() { # Fill a bootloader configuration template and copy the result in a file _build_bootloader_config() { local _template="${1}" + local _boot_disk + if [[ "${persistent_image_type}" == *luks ]]; then + _boot_disk="(crypto0)" + else + _boot_disk="" + fi sed "s|%DEVICE_SELECT_CMDLINE%|$(_get_device_select_cmdline)|g; s|%ARCH%|${arch}|g; - s|%INSTALL_DIR%|${install_dir}|g; + s|%INSTALL_DIR%|${_boot_disk}/${install_dir}|g; s|%KERNEL_PARAMS%|$(_get_kernel_params)|g" \ "${_template}" } diff --git a/configs/baseline/grub/grub.cfg b/configs/baseline/grub/grub.cfg index 4ad3fc4..b85c776 100644 --- a/configs/baseline/grub/grub.cfg +++ b/configs/baseline/grub/grub.cfg @@ -33,13 +33,13 @@ timeout_style=menu menuentry "Arch Linux (%ARCH%)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { set gfxpayload=keep %DEVICE_SELECT_CMDLINE% - linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% - initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img + linux %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% + initrd %INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } menuentry "Arch Linux (%ARCH%) Copy to RAM" --class arch --class gnu-linux --class gnu --class os --id 'archlinux-copy-to-ram' { set gfxpayload=keep %DEVICE_SELECT_CMDLINE% - linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% copytoram - initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img + linux %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% copytoram + initrd %INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } -- GitLab From 4fcefda4fa5e74e601940a0ae2a0f05acf1d0f96 Mon Sep 17 00:00:00 2001 
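Review bot: `_build_bootloader_config` now prefixes `%INSTALL_DIR%` with `(crypto0)` based on its own `persistent_image_type == *luks` test, duplicating the decision `_get_device_select_cmdline` already makes when it emits `cryptomount -u`; the two will silently diverge if either condition changes. `(crypto0)` also hard-codes the first cryptomount device, and because the prefix is folded into `%INSTALL_DIR%`, any template still written as `/%INSTALL_DIR%/...` (only the baseline grub.cfg is adjusted in this commit) would now expand to `/(crypto0)/...`. Consider exposing the device as its own placeholder (e.g. `%BOOT_DISK%`) computed by the same helper that produces the device-select line, and document the assumption, `# (crypto0): first and only device opened by the preceding cryptomount`.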
From: Pellegrino Prevete Date: Mon, 12 Sep 2022 15:07:15 +0000 Subject: [PATCH 081/105] remove supposed less strict encryption options for grub --- archiso/mkarchiso | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 6a24240..c351dfa 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -537,7 +537,7 @@ _mkpersistent_ext4+luks() { _mkpersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ - "${persistent_epoch}" "${image_label}" "${writable}" "${grub}" + "${persistent_epoch}" "${image_label}" "${writable}" _run_mkext4 "${persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ "${persistent_epoch}" "persistent" "${writable}" dd if="${persistent_dir}.img" of="${image_device}" @@ -573,7 +573,7 @@ _mkdonglepersistent_ext4+luks() { _mkdonglepersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ - "${dongle_persistent_epoch}" "${image_label}" "${writable}" "${grub}" + "${dongle_persistent_epoch}" "${image_label}" "${writable}" _run_mkext4 "${dongle_persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ "${dongle_persistent_epoch}" "persistent" "${writable}" dd if="${dongle_persistent_dir}.img" of="${image_device}" -- GitLab From ee7b0e50e9c03b89ba7bbf93ec0806138ee6588d Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 15:11:58 +0000 Subject: [PATCH 082/105] dongle boot partition requires a password, ISO not --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index c351dfa..f27f780 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -572,7 +572,7 @@ _mkdonglepersistent_ext4() { _mkdonglepersistent_ext4+luks() { _mkdonglepersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" - _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ + _run_mkluks "${image_path}" "${persistent_size_kib}" "" \ "${dongle_persistent_epoch}" "${image_label}" "${writable}" _run_mkext4 "${dongle_persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ "${dongle_persistent_epoch}" "persistent" "${writable}" -- GitLab From 013a31ec6fda249feaf7e48a755f9af07bd0f3b7 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 15:19:25 +0000 Subject: [PATCH 083/105] fix function call --- archiso/mkarchiso | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index f27f780..ea68e7d 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -372,6 +372,8 @@ _mkairootfs_common() { image_path="${airootfs_img_dir}/airootfs."$(_get_fs_ext "airootfs") rm -f -- "${image_path}" _mkfs_options=("${airootfs_image_tool_options[@]}") + writable=false + grub=false } # Create an ext4 image containing the root file system and pack it inside a squashfs image. @@ -391,7 +393,7 @@ _mkairootfs_ext4+squashfs+luks() { _mkairootfs_common _mkluks_common _run_mkluks "${image_path}" "${airootfs_size}" "${encryption_key}" \ - "${SOURCE_DATE_EPOCH}" "${iso_label}" + "${SOURCE_DATE_EPOCH}" "${iso_label}" "${writable}" "${grub}" _run_mkext4 "${pacstrap_dir}" "$(_get_internal_size "${airootfs_size}")" \ "${SOURCE_DATE_EPOCH}" "airootfs" _run_mksquashfs "${pacstrap_dir}.img" "${image_device}" 
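Review bot: Passing `""` as the key to `_run_mkluks` in `_mkdonglepersistent_ext4+luks` presumably turns the dongle persistent container into a passphrase-only volume (the commit title says so; `_run_mkluks` is outside this hunk), yet `_prepare_persistent_image` still runs `_gen_key "${persistent_encryption_key}"` for the dongle build mode and installs that keyfile under `etc/keys`, with crypttab filled from `persistent_uuid`. The installed keyfile then unlocks nothing and the crypttab entry will fail at boot, so either skip the key generation/installation when the dongle volume is passphrase-only, or keep enrolling the keyfile alongside the passphrase. A one-line comment at the call site would prevent the next reader from "fixing" the empty argument: `# "": dongle boot volume is unlocked interactively, no keyfile is enrolled`. Separately, `_mkairootfs_common` sets `writable=false`/`grub=false` unquoted while the persistent helpers use `"true"`; pick one spelling.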
@@ -413,7 +415,7 @@ _mkairootfs_squashfs+luks() { _mkairootfs_common _mkluks_common _run_mkluks "${image_path}" "${airootfs_size}" "${encryption_key}" \ - "${SOURCE_DATE_EPOCH}" "${iso_label}" + "${SOURCE_DATE_EPOCH}" "${iso_label}" "${writable}" "${grub}" _run_mksquashfs "${pacstrap_dir}" "${image_device}" sync _close_luks_device "${image_device}" @@ -432,7 +434,7 @@ _mkairootfs_erofs+luks() { _mkairootfs_common _mkluks_common _run_mkluks "${image_path}" "${airootfs_size}" "${encryption_key}" \ - "${SOURCE_DATE_EPOCH}" "${iso_label}" + "${SOURCE_DATE_EPOCH}" "${iso_label}" "${writable}" "${grub}" _run_mkerofs "${image_device}" "${pacstrap_dir}" "${SOURCE_DATE_EPOCH}" sync _close_luks_device "${image_device}" @@ -444,6 +446,8 @@ _mkkeys_common() { rm -f -- "${image_path}" _mkfs_options=("${keys_image_tool_options[@]}") keys_epoch=$((SOURCE_DATE_EPOCH + 42 * 69)) + writable=false + grub=false } # Create an ext4 image containing the keys file system and pack it inside a squashfs image. @@ -462,7 +466,7 @@ _mkkeys_ext4+squashfs() { _mkkeys_ext4+squashfs+luks() { _mkkeys_common _run_mkluks "${image_path}" "${keys_size}" "" \ - "${keys_epoch}" "${iso_label}_KEYS" + "${keys_epoch}" "${iso_label}_KEYS" "${writable}" "${grub}" _run_mkext4 "${keys_dir}" "$(_get_internal_size "${keys_size}")" \ "${keys_epoch}" "keys" _run_mksquashfs "${keys_dir}.img" "${image_device}" @@ -477,7 +481,7 @@ _mkkeys_ext4+squashfs+luks() { _mkkeys_squashfs+luks() { _mkkeys_common _run_mkluks "${image_path}" "${airootfs_size}" "" \ - "${keys_epoch}" "${iso_label}_KEYS" + "${keys_epoch}" "${iso_label}_KEYS" "${writable}" "${grub}" _run_mksquashfs "${keys_dir}" "${image_device}" sync _close_luks_device "${image_device}" 
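Review bot: `_mkkeys_squashfs+luks` sizes its LUKS container with `"${airootfs_size}"` (context line `_run_mkluks "${image_path}" "${airootfs_size}" "" \`), while the sibling `_mkkeys_ext4+squashfs+luks` and `_mkkeys_erofs+luks` use `"${keys_size}"`; the keys image therefore gets a container as large as the root filesystem. This is pre-existing, but since the commit touches the very next line it is the moment to change it to `_run_mkluks "${image_path}" "${keys_size}" "" \`. The hunk for `_mkairootfs_erofs+luks` shares the same `"${writable}" "${grub}"` append and needs no further change.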
@@ -501,7 +505,7 @@ _mkkeys_erofs() { _mkkeys_erofs+luks() { _mkkeys_common _run_mkluks "${image_path}" "${keys_size}" \ - "${keys_epoch}" "${iso_label}_KEYS" + "${keys_epoch}" "${iso_label}_KEYS" "${writable}" "${grub}" _run_mkerofs "${image_device}" "${keys_dir}" "${keys_epoch}" sync _close_luks_device "${image_device}" @@ -514,11 +518,7 @@ _mkpersistent_common() { rm -f -- "${image_path}" persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) writable="true" - # if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then - # grub="false" - # else - # grub="true" - # fi + grub="false" } # Create an ext4 image to be used as the persistent ISO partition. @@ -537,7 +537,7 @@ _mkpersistent_ext4+luks() { _mkpersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ - "${persistent_epoch}" "${image_label}" "${writable}" + "${persistent_epoch}" "${image_label}" "${writable}" "${grub}" _run_mkext4 "${persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ "${persistent_epoch}" "persistent" "${writable}" dd if="${persistent_dir}.img" of="${image_device}" @@ -554,7 +554,7 @@ _mkdonglepersistent_common() { rm -f -- "${image_path}" dongle_persistent_epoch=$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415)) writable="true" - # grub="true" + grub="false" } # Create an ext4 image to be used as the persistent ISO partition. @@ -573,7 +573,7 @@ _mkdonglepersistent_ext4+luks() { _mkdonglepersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" _run_mkluks "${image_path}" "${persistent_size_kib}" "" \ - "${dongle_persistent_epoch}" "${image_label}" "${writable}" + "${dongle_persistent_epoch}" "${image_label}" "${writable}" "${grub}" _run_mkext4 "${dongle_persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ "${dongle_persistent_epoch}" "persistent" "${writable}" dd if="${dongle_persistent_dir}.img" of="${image_device}" -- GitLab 
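Review bot: In `_mkkeys_erofs+luks` the `_run_mkluks` call still passes no key argument, so after this hunk appends `"${writable}" "${grub}"` every positional shifts: `keys_epoch` lands in the key slot, `${iso_label}_KEYS` in the epoch slot, `writable` in the label slot and `grub` in the writable slot, leaving the grub slot empty. The siblings `_mkkeys_ext4+squashfs+luks` and `_mkkeys_squashfs+luks` pass `""` explicitly; this call should read `_run_mkluks "${image_path}" "${keys_size}" "" \`. `_run_mkluks` itself is outside the hunk, so I cannot tell whether it checks its argument count; an explicit check there would have caught this.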
From b0c09f39a940284ab0284a62199ee32766a9feab Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 15:43:25 +0000 Subject: [PATCH 084/105] ok, grub is not capable of handling integrity --- archiso/mkarchiso | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index ea68e7d..57e2994 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -518,7 +518,11 @@ _mkpersistent_common() { rm -f -- "${image_path}" persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) writable="true" - grub="false" + if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then + grub="false" + else + grub="true" + fi } # Create an ext4 image to be used as the persistent ISO partition. @@ -554,7 +558,7 @@ _mkdonglepersistent_common() { rm -f -- "${image_path}" dongle_persistent_epoch=$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415)) writable="true" - grub="false" + grub="true" } # Create an ext4 image to be used as the persistent ISO partition. -- GitLab From 30cacc27eda09be88a7edfe4243bfdb32d920e1c Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 16:32:16 +0000 Subject: [PATCH 085/105] luks partition not opened in bioses, trying adding loopback module --- archiso/mkarchiso | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 57e2994..89cc4cf 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
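Review bot: The `grub` flag assigned in `_mkpersistent_common` and `_mkdonglepersistent_common` is handed to `_run_mkluks` but nothing near the assignment says what it changes; going by the commit title it appears to drop the LUKS2 features GRUB cannot open (integrity) for whichever persistent volume GRUB has to read the kernel from, which is a security trade-off worth recording rather than leaving implicit in a boolean. Suggested comment above the `if`: `# grub="true": format without the LUKS2 options GRUB cannot open (integrity, see _run_mkluks); set for the volume GRUB boots from — the dongle's own persistent volume in dongle mode, the ISO's otherwise`, hedged until `_run_mkluks` (outside this hunk) confirms the effect. The dongle-mode branch and the `grub="true"` in `_mkdonglepersistent_common` encode one rule in two places; a single helper returning the flag for a given volume would keep them from drifting.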
@@ -1235,13 +1235,12 @@ _make_common_bootmode_grub_copy_to_isofs() { # Module list from https://bugs.archlinux.org/task/71382#comment202911 _get_grubmodules(){ local _mode="${1}" - _modules=(at_keyboard boot chain configfile cryptodisk ext2 fat - iso9660 keylayouts linux loadenv luks minicmd normal part_apple - part_gpt part_msdos read search - search_fs_uuid usb) + _modules=(boot chain configfile cryptodisk ext2 fat + iso9660 keylayouts linux loopback loadenv luks minicmd normal part_apple + part_gpt part_msdos search search_fs_uuid usb) if [ "${_mode}" != "bios" ]; then - _modules+=(all_video btrfs cat echo efifwsetup f2fs font gfxmenu gfxterm gzio halt - hfsplus jpeg loopback lsefi lsefimmap reboot png regexp search_fs_file search_label + _modules+=(at_keyboard all_video btrfs cat echo efifwsetup f2fs font gfxmenu gfxterm gzio halt + hfsplus jpeg lsefi lsefimmap read reboot png regexp search_fs_file search_label serial sleep tpm usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd) elif [ "${_mode}" == "bios" ] ; then -- GitLab From c9fcf2c3812bed6685fff86cfde8ab1650e27f3d Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 16:38:03 +0000 Subject: [PATCH 086/105] add gcry_rijndael --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 89cc4cf..6dfa658 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1235,7 +1235,7 @@ _make_common_bootmode_grub_copy_to_isofs() { # Module list from https://bugs.archlinux.org/task/71382#comment202911 _get_grubmodules(){ local _mode="${1}" - _modules=(boot chain configfile cryptodisk ext2 fat + _modules=(boot chain configfile cryptodisk ext2 fat gcry_rijndael iso9660 keylayouts linux loopback loadenv luks minicmd normal part_apple part_gpt part_msdos search search_fs_uuid usb) if [ "${_mode}" != "bios" ]; then -- GitLab From 2fa62876f60a275a6933e4bcd09209c56a7e717d Mon Sep 17 00:00:00 2001 
From: Pellegrino Prevete Date: Mon, 12 Sep 2022 16:49:28 +0000 Subject: [PATCH 087/105] added by mistake luks instead of luks2 --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 6dfa658..a56211a 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -1236,7 +1236,7 @@ _make_common_bootmode_grub_copy_to_isofs() { _get_grubmodules(){ local _mode="${1}" _modules=(boot chain configfile cryptodisk ext2 fat gcry_rijndael - iso9660 keylayouts linux loopback loadenv luks minicmd normal part_apple + iso9660 keylayouts linux loopback loadenv luks2 minicmd normal part_apple part_gpt part_msdos search search_fs_uuid usb) if [ "${_mode}" != "bios" ]; then _modules+=(at_keyboard all_video btrfs cat echo efifwsetup f2fs font gfxmenu gfxterm gzio halt -- GitLab From b09be07e929b6a374f42ff637d34d39304c5afe8 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 17:30:08 +0000 Subject: [PATCH 088/105] now passphrase not read; maybe it needs read module? --- archiso/mkarchiso | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index a56211a..311061e 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1237,10 +1237,10 @@ _get_grubmodules(){ local _mode="${1}" _modules=(boot chain configfile cryptodisk ext2 fat gcry_rijndael iso9660 keylayouts linux loopback loadenv luks2 minicmd normal part_apple - part_gpt part_msdos search search_fs_uuid usb) + part_gpt part_msdos read search search_fs_uuid usb) if [ "${_mode}" != "bios" ]; then _modules+=(at_keyboard all_video btrfs cat echo efifwsetup f2fs font gfxmenu gfxterm gzio halt - hfsplus jpeg lsefi lsefimmap read reboot png regexp search_fs_file search_label + hfsplus jpeg lsefi lsefimmap reboot png regexp search_fs_file search_label serial sleep tpm usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd) elif [ "${_mode}" == "bios" ] ; then -- GitLab From 574ec4241da577bce27f650cf587ee3b21b8a5b3 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 18:14:14 +0000 Subject: [PATCH 089/105] add more modules --- archiso/mkarchiso | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 311061e..317f4aa 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1235,14 +1235,14 @@ _make_common_bootmode_grub_copy_to_isofs() { # Module list from https://bugs.archlinux.org/task/71382#comment202911 _get_grubmodules(){ local _mode="${1}" - _modules=(boot chain configfile cryptodisk ext2 fat gcry_rijndael - iso9660 keylayouts linux loopback loadenv luks2 minicmd normal part_apple - part_gpt part_msdos read search search_fs_uuid usb) + _modules=(at_keyboard boot bufio cat echo chain configfile cryptodisk disk diskfilter ext2 fat gcry_crc gcry_rijndael + gzio iso9660 keylayouts linux loopback loadenv luks2 lzopio minicmd normal part_apple + part_gpt part_msdos png read search search_fs_uuid trig usb zstd) if [ "${_mode}" != "bios" ]; then - _modules+=(at_keyboard all_video btrfs cat echo efifwsetup f2fs font gfxmenu gfxterm gzio halt - hfsplus jpeg lsefi lsefimmap reboot png regexp search_fs_file search_label + _modules+=(all_video btrfs efifwsetup f2fs font gfxmenu gfxterm halt + hfsplus jpeg lsefi lsefimmap reboot regexp search_fs_file search_label serial sleep tpm usbserial_common usbserial_ftdi usbserial_pl2303 - usbserial_usbdebug video xfs zstd) + usbserial_usbdebug video xfs) elif [ "${_mode}" == "bios" ] ; then _modules+=(biosdisk) fi -- GitLab From c2e1452fdfa521e31fab25c459ae1f574951d508 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Mon, 12 Sep 2022 18:20:53 +0000 Subject: [PATCH 090/105] add more modules --- archiso/mkarchiso | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 317f4aa..76bd16e 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1237,12 +1237,12 @@ _get_grubmodules(){ local _mode="${1}" _modules=(at_keyboard boot bufio cat echo chain configfile cryptodisk disk diskfilter ext2 fat gcry_crc gcry_rijndael gzio iso9660 keylayouts linux loopback loadenv luks2 lzopio minicmd normal part_apple - part_gpt part_msdos png read search search_fs_uuid trig usb zstd) + part_gpt part_msdos read search search_fs_uuid trig usb) if [ "${_mode}" != "bios" ]; then _modules+=(all_video btrfs efifwsetup f2fs font gfxmenu gfxterm halt - hfsplus jpeg lsefi lsefimmap reboot regexp search_fs_file search_label + hfsplus jpeg lsefi lsefimmap png reboot regexp search_fs_file search_label serial sleep tpm usbserial_common usbserial_ftdi usbserial_pl2303 - usbserial_usbdebug video xfs) + usbserial_usbdebug video xfs zstd) elif [ "${_mode}" == "bios" ] ; then _modules+=(biosdisk) fi -- GitLab From a79ad1235ba7791070b5de4b3d3ea2014bacabb1 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 13 Sep 2022 00:05:25 +0000 Subject: [PATCH 091/105] update module list --- archiso/mkarchiso | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 76bd16e..7b5b251 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1235,13 +1235,13 @@ _make_common_bootmode_grub_copy_to_isofs() { # Module list from https://bugs.archlinux.org/task/71382#comment202911 _get_grubmodules(){ local _mode="${1}" - _modules=(at_keyboard boot bufio cat echo chain configfile cryptodisk disk diskfilter ext2 fat gcry_crc gcry_rijndael - gzio iso9660 keylayouts linux loopback loadenv luks2 lzopio minicmd normal part_apple - part_gpt part_msdos read search search_fs_uuid trig usb) + _modules=(boot bufio cat echo chain configfile cryptodisk ext2 fat gcry_rijndael + gzio iso9660 keylayouts linux loadenv loopback ls luks2 minicmd normal ntfs part_apple + part_gpt part_msdos password_pbkdf2 search search_fs_uuid usb) if [ "${_mode}" != "bios" ]; then - _modules+=(all_video btrfs efifwsetup f2fs font gfxmenu gfxterm halt - hfsplus jpeg lsefi lsefimmap png reboot regexp search_fs_file search_label - serial sleep tpm usbserial_common usbserial_ftdi usbserial_pl2303 + _modules+=(at_keyboard all_video btrfs disk diskfilter efifwsetup f2fs font gcry_crc gfxmenu gfxterm halt + hfsplus jpeg lsefi lsefimmap lzopio png reboot read regexp search_fs_file search_label + serial sleep tpm trig usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd) elif [ "${_mode}" == "bios" ] ; then _modules+=(biosdisk) -- GitLab From f5cddd8a9bb80616e4e0311ff58cdb418d9dda76 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 13 Sep 2022 00:51:31 +0000 Subject: [PATCH 092/105] update module list --- archiso/mkarchiso | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 7b5b251..aee26a9 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1235,12 +1235,13 @@ _make_common_bootmode_grub_copy_to_isofs() { # Module list from https://bugs.archlinux.org/task/71382#comment202911 _get_grubmodules(){ local _mode="${1}" - _modules=(boot bufio cat echo chain configfile cryptodisk ext2 fat gcry_rijndael - gzio iso9660 keylayouts linux loadenv loopback ls luks2 minicmd normal ntfs part_apple + _modules=(at_keyboard afsplitter boot bufio echo chain configfile cryptodisk disk ext2 + gcry_crc gcry_rijndael gcry_sha512 + iso9660 keylayouts linux loadenv loopback ls luks2 minicmd normal ntfs part_apple part_gpt part_msdos password_pbkdf2 search search_fs_uuid usb) if [ "${_mode}" != "bios" ]; then - _modules+=(at_keyboard all_video btrfs disk diskfilter efifwsetup f2fs font gcry_crc gfxmenu gfxterm halt - hfsplus jpeg lsefi lsefimmap lzopio png reboot read regexp search_fs_file search_label + _modules+=(all_video btrfs cat diskfilter efifwsetup f2fs fat font gcry_crc gfxmenu gfxterm gzio + halt hfsplus jpeg lsefi lsefimmap lzopio png reboot read regexp search_fs_file search_label serial sleep tpm trig usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd) elif [ "${_mode}" == "bios" ] ; then -- GitLab From 21a9be2c8826d8120190689e7db31b4108c38a1f Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 13 Sep 2022 01:29:55 +0000 Subject: [PATCH 093/105] it was sha256 missing it seems; checked with 'set debug=all' --- archiso/mkarchiso | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index aee26a9..c3d2663 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1236,12 +1236,12 @@ _make_common_bootmode_grub_copy_to_isofs() { _get_grubmodules(){ local _mode="${1}" _modules=(at_keyboard afsplitter boot bufio echo chain configfile cryptodisk disk ext2 - gcry_crc gcry_rijndael gcry_sha512 - iso9660 keylayouts linux loadenv loopback ls luks2 minicmd normal ntfs part_apple + gcry_crc gcry_rijndael gcry_sha256 gcry_sha512 + iso9660 keylayouts linux loadenv loopback luks2 minicmd normal ntfs part_apple part_gpt part_msdos password_pbkdf2 search search_fs_uuid usb) if [ "${_mode}" != "bios" ]; then _modules+=(all_video btrfs cat diskfilter efifwsetup f2fs fat font gcry_crc gfxmenu gfxterm gzio - halt hfsplus jpeg lsefi lsefimmap lzopio png reboot read regexp search_fs_file search_label + halt hfsplus jpeg ls lsefi lsefimmap lzopio png reboot read regexp search_fs_file search_label serial sleep tpm trig usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd) elif [ "${_mode}" == "bios" ] ; then -- GitLab From 4977dcfd12791b9ded858127b7dc8e3442dce267 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 13 Sep 2022 04:31:41 +0000 Subject: [PATCH 094/105] reduce the amount of passwords --- archiso/mkarchiso | 32 ++++++++++++++++---------------- configs/releng/grub/grub.cfg | 14 ++++++++------ configs/releng/profiledef.sh | 9 +++++++-- 3 files changed, 31 insertions(+), 24 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index c3d2663..e7d17c9 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -893,10 +893,9 @@ _get_cryptomount_uuid() { else _epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) fi - _uuid="$(uuidgen --sha1 \ - --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ - --name "${_epoch}" | sed "s|-||g")" - echo "cryptomount -u ${_uuid}" + echo "$(uuidgen --sha1 \ + --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ + --name "${_epoch}" | sed "s|-||g")" } # Produce kernel parameters. 
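Review bot: `_get_cryptomount_uuid` derives the UUID GRUB will look up from `SOURCE_DATE_EPOCH + 3 * 1415`, the same arithmetic `_mkpersistent_common` uses for `persistent_epoch` (and the dongle variant adds `42 * 69`), but the three copies are unrelated in the code, so a change to either breaks booting silently. Add a comment at the `_epoch` assignments: `# must stay equal to persistent_epoch / dongle_persistent_epoch in _mk*persistent_common: the LUKS UUID GRUB unlocks is derived from it`, or better, read those variables instead of recomputing. A function named `_epoch_to_uuid` appears in a later hunk header; if it implements the same `uuidgen --sha1` derivation, this function should call it. The `if` branch selecting the dongle epoch is outside this hunk.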
@@ -1153,7 +1152,7 @@ _epoch_to_uuid() { _get_device_select_cmdline() { #shellcheck disable=SC2005 if [[ "${persistent_image_type}" == *luks ]]; then - echo "$(_get_cryptomount_uuid)" + echo "cryptomount -u $(_get_cryptomount_uuid)" else echo "search --no-floppy --set=root --fs-uuid $(_get_bootable_uuid)" fi @@ -1180,8 +1179,8 @@ _build_bootloader_config() { sed "s|%DEVICE_SELECT_CMDLINE%|$(_get_device_select_cmdline)|g; s|%ARCH%|${arch}|g; s|%INSTALL_DIR%|${_boot_disk}/${install_dir}|g; - s|%KERNEL_PARAMS%|$(_get_kernel_params)|g" \ - "${_template}" + s|%KERNEL_PARAMS%|$(_get_kernel_params)|g; + s|%BOOTABLE_UUID%|$(_get_bootable_uuid)|g" "${_template}" } # Prepare GRUB configuration files 
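Review bot: In the luks branch `_get_device_select_cmdline` now emits only `cryptomount -u …` and never sets `root`, so every template that expands `%DEVICE_SELECT_CMDLINE%` silently depends on the `(crypto0)` prefix `_build_bootloader_config` prepends to `%INSTALL_DIR%`; a comment above the branch should state that coupling: `# luks: only unlocks the volume; files are addressed through the (crypto0) prefix added to %INSTALL_DIR%`. The `#shellcheck disable=SC2005` directive is now stale — neither branch is a bare `echo "$(…)"` any more — and should go. In the second hunk the `sed` replacement text is built from command output; `_get_kernel_params` and `_get_bootable_uuid` are outside the hunk, so whether their output can contain `|` or `&` (which sed would interpret) cannot be confirmed here, but the `%BOOTABLE_UUID%` clause is harmless only as long as those helpers stay free of sed metacharacters.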
@@ -1235,13 +1234,14 @@ _make_common_bootmode_grub_copy_to_isofs() { # Module list from https://bugs.archlinux.org/task/71382#comment202911 _get_grubmodules(){ local _mode="${1}" - _modules=(at_keyboard afsplitter boot bufio echo chain configfile cryptodisk disk ext2 - gcry_crc gcry_rijndael gcry_sha256 gcry_sha512 - iso9660 keylayouts linux loadenv loopback luks2 minicmd normal ntfs part_apple - part_gpt part_msdos password_pbkdf2 search search_fs_uuid usb) + _modules=(afsplitter boot bufio chain configfile cryptodisk disk ext2 gcry_rijndael + gcry_sha256 gcry_sha512 halt iso9660 linux loadenv loopback luks2 minicmd + normal ntfs part_apple part_gpt part_msdos password_pbkdf2 reboot search + search_fs_uuid usb) if [ "${_mode}" != "bios" ]; then - _modules+=(all_video btrfs cat diskfilter efifwsetup f2fs fat font gcry_crc gfxmenu gfxterm gzio - halt hfsplus jpeg ls lsefi lsefimmap lzopio png reboot read regexp search_fs_file search_label + _modules+=(at_keyboard all_video btrfs cat echo diskfilter echo efifwsetup f2fs + fat font gcry_crc gfxmenu gfxterm gzio hfsplus jpeg keylayouts ls + lsefi lsefimmap lzopio png read regexp search_fs_file search_label serial sleep tpm trig usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd) elif [ "${_mode}" == "bios" ] ; then 
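Review bot: `echo` appears twice in the non-BIOS module list (`… cat echo diskfilter echo efifwsetup …`); grub-mkimage presumably tolerates the duplicate, but it shows the two lists are merged by hand. The header comment `# Module list from https://bugs.archlinux.org/task/71382#comment202911` no longer describes what is built: this series added the LUKS2 unlock chain, so extend it, e.g. `# …, plus what is needed to open the LUKS2 persistent volume: cryptodisk luks2 afsplitter gcry_rijndael gcry_sha256 gcry_sha512 password_pbkdf2`. `at_keyboard`, `keylayouts` and `read` now live only in the EFI list, so a BIOS image takes its passphrase through the firmware keyboard path; if that is deliberate, say so next to the `if`.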
@@ -1777,16 +1777,16 @@ _prepare_persistent_image() { if [ "${persistent_size_kib}" != "" ]; then if [[ "${persistent_image_type}" == *"luks" ]]; then sed "s|%PERSISTENT_UUID%|${persistent_uuid}|g" "${crypttab}" > "${pacstrap_dir}/etc/crypttab" - if [[ "${airootfs_image_type}" == *"luks" ]] || [[ "${buildmode}" = 'dongle' ]]; then + if [[ "${airootfs_image_type}" == *"luks" ]] || [[ " ${buildmodes[*]} " = ' dongle ' ]]; then persistent_encryption_key="${work_dir}/persistent.key" _gen_key "${persistent_encryption_key}" install -d -m700 "${pacstrap_dir}/etc/keys" install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" - elif [[ "${airootfs_image_type}" != *"luks" ]] && [[ "${buildmode}" = 'dongle' ]]; then + elif [[ "${airootfs_image_type}" != *"luks" ]] && [[ " ${buildmodes[*]} " = ' dongle ' ]]; then persistent_encryption_key="${work_dir}/persistent.key" _gen_key "${persistent_encryption_key}" install -d -m700 "${dongle_persistent_dir}/etc/keys" - install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" + install -D -m400 "${persistent_encryption_key}" "${dongle_persistent_dir}/etc/keys" else _msg=("Rootfs encryption and dongle buildmode disabled." "You will be prompted to insert a password for the boot partition.") diff --git a/configs/releng/grub/grub.cfg b/configs/releng/grub/grub.cfg index 050b39d..2cccf80 100644 --- a/configs/releng/grub/grub.cfg +++ b/configs/releng/grub/grub.cfg @@ -1,4 +1,6 @@ # Load partition table and file system modules +insmod cryptodisk +insmod luks2 insmod part_gpt insmod part_msdos insmod fat 
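Review bot: The `elif` branch in `_prepare_persistent_image` is unreachable: the first condition is `airootfs luks || dongle`, so whenever `dongle` is in `buildmodes` the first branch runs and the key is installed into `${pacstrap_dir}/etc/keys`; the `elif` (`airootfs not luks && dongle`) can never be true, and its `${dongle_persistent_dir}/etc/keys` target — which this hunk just corrected — is never used. If the dongle-only case is meant to put the key on the dongle, the first test should be `if [[ "${airootfs_image_type}" == *"luks" ]]; then` and the dongle case handled in the `elif`. The same ordering is kept by patch 096, which only swaps `=` for `=~`. The function continues outside this hunk, and the generated `${work_dir}/persistent.key` is not visibly removed after installation — confirm it is cleaned up with the work directory.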
@@ -32,16 +34,16 @@ play 600 988 1 1319 4 menuentry "Arch Linux install medium (%ARCH%)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' { set gfxpayload=keep - search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% - linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% - initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img + %DEVICE_SELECT_CMDLINE% + linux %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% + initrd %INSTALL_DIR%/boot/intel-ucode.img %INSTALL_DIR%/boot/amd-ucode.img %INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } menuentry "Arch Linux install medium with speakup screen reader (%ARCH%)" --hotkey s --class arch --class gnu-linux --class gnu --class os --id 'archlinux-accessibility' { set gfxpayload=keep - search --no-floppy --set=root --fs-uuid %BOOTABLE_UUID% - linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% accessibility=on - initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img + %DEVICE_SELECT_CMDLINE% + linux %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux %KERNEL_PARAMS% accessibility=on + initrd %INSTALL_DIR%/boot/intel-ucode.img %INSTALL_DIR%/boot/amd-ucode.img %INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img } if [ "${grub_platform}" == "efi" ]; then diff --git a/configs/releng/profiledef.sh b/configs/releng/profiledef.sh index 077385a..52d1ded 100644 --- a/configs/releng/profiledef.sh +++ b/configs/releng/profiledef.sh 
@@ -19,15 +19,20 @@ pacman_conf="pacman.conf" airootfs_image_type="erofs" airootfs_image_tool_options=('-zlz4hc,12' -E ztailpacking) encryption_key="auto" +persistent_size_kib=500000 +persistent_image_type="ext4+luks" keys_image_type="erofs" -keys_image_tool_options=('-zlz4hc,12') +keys_image_tool_options=('-zlz4hc,12' -E ztailpacking) file_permissions=( ["/etc/shadow"]="0:0:400" - ["/root"]="0:0:750" + ["/home"]="0:0:711" + ["/root"]="0:0:700" ["/root/.automated_script.sh"]="0:0:755" ["/run/archiso/keys"]="0:0:700" ["/usr/local/bin/choose-mirror"]="0:0:755" ["/usr/local/bin/Installation_guide"]="0:0:755" ["/usr/local/bin/livecd-sound"]="0:0:755" ["/usr/local/bin/setup-persistent-storage"]="0:0:755" + ["/usr/local/bin/user-setup"]="0:0:755" + ["/var/lib/bluetooth"]="0:0:755" ) -- GitLab From 92d2a4f4ae306f581790578cd2b2c7419a973780 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 13 Sep 2022 04:33:00 +0000 Subject: [PATCH 095/105] reduce the amount of passwords --- archiso/mkarchiso | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index e7d17c9..0aa8c6a 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -893,9 +893,9 @@ _get_cryptomount_uuid() { else _epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) fi - echo "$(uuidgen --sha1 \ - --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ - --name "${_epoch}" | sed "s|-||g")" + uuidgen --sha1 \ + --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \ + --name "${_epoch}" | sed "s|-||g" } # Produce kernel parameters. -- GitLab From 57704804e97c5a786d13a518f260f268da69b816 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 13 Sep 2022 04:46:39 +0000 Subject: [PATCH 096/105] fix typo --- archiso/mkarchiso | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 0aa8c6a..018ccaf 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
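Review bot: `["/var/lib/bluetooth"]="0:0:755"` makes the directory in which bluetoothd stores adapter and device pairing data (including link keys) world-traversable and listable; bluetoothd itself creates that tree root-only (0700 directories, 0600 files), so unless a non-root component must enumerate it the entry should be `["/var/lib/bluetooth"]="0:0:700"`, and if 0755 is needed the reason belongs in a comment beside the entry. `/home` at 0711 (traversable, not listable) and tightening `/root` to 0700 look intentional. `persistent_size_kib=500000` and `persistent_image_type="ext4+luks"` are now unconditional for the profile; a short comment noting the unit (KiB) and that the value sizes the LUKS container, not the inner filesystem, would help profile authors.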
@@ -1777,12 +1777,12 @@ _prepare_persistent_image() { if [ "${persistent_size_kib}" != "" ]; then if [[ "${persistent_image_type}" == *"luks" ]]; then sed "s|%PERSISTENT_UUID%|${persistent_uuid}|g" "${crypttab}" > "${pacstrap_dir}/etc/crypttab" - if [[ "${airootfs_image_type}" == *"luks" ]] || [[ " ${buildmodes[*]} " = ' dongle ' ]]; then + if [[ "${airootfs_image_type}" == *"luks" ]] || [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then persistent_encryption_key="${work_dir}/persistent.key" _gen_key "${persistent_encryption_key}" install -d -m700 "${pacstrap_dir}/etc/keys" install -D -m400 "${persistent_encryption_key}" "${pacstrap_dir}/etc/keys" - elif [[ "${airootfs_image_type}" != *"luks" ]] && [[ " ${buildmodes[*]} " = ' dongle ' ]]; then + elif [[ "${airootfs_image_type}" != *"luks" ]] && [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then persistent_encryption_key="${work_dir}/persistent.key" _gen_key "${persistent_encryption_key}" install -d -m700 "${dongle_persistent_dir}/etc/keys" -- GitLab From 3addb9624a87b36da03aab5fd88c86b3ccda0f00 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Tue, 13 Sep 2022 05:21:42 +0000 Subject: [PATCH 097/105] update bootloaders --- archiso/mkarchiso | 11 ++++++----- .../loader/entries/01-archiso-x86_64-linux.conf | 4 ++-- .../loader/entries/02-archiso-x86_64-ram-linux.conf | 4 ++-- configs/baseline/syslinux/syslinux-linux.cfg | 8 ++++---- .../loader/entries/01-archiso-x86_64-linux.conf | 8 ++++---- .../entries/02-archiso-x86_64-speech-linux.conf | 8 ++++---- .../loader/entries/03-archiso-x86_64-ram-linux.conf | 8 ++++---- .../entries/04-archiso-x86_64-ram-speech-linux.conf | 8 ++++---- configs/releng/syslinux/archiso_pxe-linux.cfg | 12 ++++++------ configs/releng/syslinux/archiso_sys-linux.cfg | 12 ++++++------ 10 files changed, 42 insertions(+), 41 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 018ccaf..6bb71ed 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -1012,7 +1012,7 @@ _make_bootmode_bios.syslinux.mbr() { _msg_info "Setting up SYSLINUX for BIOS booting from a disk..." install -d -m 0755 -- "${bootable_dir}/syslinux" for _cfg in "${profile}/syslinux/"*.cfg; do - _build_bootloader_config "${_cfg}" > "${bootable_dir}/syslinux/${_cfg##*/}" + _build_bootloader_config "${_cfg}" "syslinux" > "${bootable_dir}/syslinux/${_cfg##*/}" done if [[ -e "${profile}/syslinux/splash.png" ]]; then install -m 0644 -- "${profile}/syslinux/splash.png" "${bootable_dir}/syslinux/" @@ -1170,8 +1170,9 @@ _get_bootable_uuid() { # Fill a bootloader configuration template and copy the result in a file _build_bootloader_config() { local _template="${1}" + local _bootloader="${2}" local _boot_disk - if [[ "${persistent_image_type}" == *luks ]]; then + if [[ "${persistent_image_type}" == *luks ]] && [[ "${_bootloader}" = "grub" ]]; then _boot_disk="(crypto0)" else _boot_disk="" @@ -1191,7 +1192,7 @@ _make_common_bootmode_grub_cfg(){ # Fill GRUB configuration files for _cfg in "${profile}/grub/"*'.cfg'; do - _build_bootloader_config "${_cfg}" > "${work_dir}/grub/${_cfg##*/}" + _build_bootloader_config "${_cfg}" "grub" > "${work_dir}/grub/${_cfg##*/}" done # Add all GRUB files to the list of files used to calculate the required FAT image size. efiboot_files+=("${work_dir}/grub/" @@ -1457,7 +1458,7 @@ _make_bootmode_uefi-x64.systemd-boot.esp() { mmd -D o -i "${efibootimg}" ::/loader ::/loader/entries mcopy -D o -i "${efibootimg}" "${profile}/efiboot/loader/loader.conf" ::/loader/ for _conf in "${profile}/efiboot/loader/entries/"*".conf"; do - _build_bootloader_config "${_conf}" | mcopy -D o -i "${efibootimg}" - "::/loader/entries/${_conf##*/}" + _build_bootloader_config "${_conf}" "systemd-boot" | mcopy -D o -i "${efibootimg}" - "::/loader/entries/${_conf##*/}" done # shellx64.efi is picked up automatically when on / 
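Review bot: `_build_bootloader_config` gains a second positional parameter `_bootloader`, but the only recognised value is `"grub"`; any other string, a typo, or a missing argument silently takes the non-GRUB path, and the header comment `# Fill a bootloader configuration template and copy the result in a file` still describes a one-argument helper. Extend the comment to `# $1: template path; $2: bootloader (grub|syslinux|systemd-boot). Only GRUB can read files inside the LUKS volume, so %INSTALL_DIR% gets the (crypto0) prefix for grub alone`, and reject unknown values with a `case` on `${_bootloader}` that prints an error and exits, so a new call site cannot pass the wrong name unnoticed. The three callers in this commit pass `"syslinux"`, `"grub"` and `"systemd-boot"`; the function body continues outside the hunk.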
@@ -1503,7 +1504,7 @@ _make_bootmode_uefi-x64.systemd-boot.eltorito() { install -d -m 0755 -- "${bootable_dir}/loader/entries" install -m 0644 -- "${profile}/efiboot/loader/loader.conf" "${bootable_dir}/loader/" for _conf in "${profile}/efiboot/loader/entries/"*".conf"; do - _build_bootloader_config "${_conf}" > "${bootable_dir}/loader/entries/${_conf##*/}" + _build_bootloader_config "${_conf}" "systemd-boot" > "${bootable_dir}/loader/entries/${_conf##*/}" done # edk2-shell based UEFI shell diff --git a/configs/baseline/efiboot/loader/entries/01-archiso-x86_64-linux.conf b/configs/baseline/efiboot/loader/entries/01-archiso-x86_64-linux.conf index 814678d..950d004 100644 --- a/configs/baseline/efiboot/loader/entries/01-archiso-x86_64-linux.conf +++ b/configs/baseline/efiboot/loader/entries/01-archiso-x86_64-linux.conf @@ -1,5 +1,5 @@ title Arch Linux (%ARCH%, UEFI) sort-key 01 -linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +linux %INSTALL_DIR%/boot/x86_64/vmlinuz-linux +initrd %INSTALL_DIR%/boot/x86_64/initramfs-linux.img options %KERNEL_PARAMS% diff --git a/configs/baseline/efiboot/loader/entries/02-archiso-x86_64-ram-linux.conf b/configs/baseline/efiboot/loader/entries/02-archiso-x86_64-ram-linux.conf index f37a001..a5521ba 100644 --- a/configs/baseline/efiboot/loader/entries/02-archiso-x86_64-ram-linux.conf +++ b/configs/baseline/efiboot/loader/entries/02-archiso-x86_64-ram-linux.conf @@ -1,5 +1,5 @@ title Arch Linux (%ARCH%, UEFI) Copy to RAM sort-key 02 -linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +linux %INSTALL_DIR%/boot/x86_64/vmlinuz-linux +initrd %INSTALL_DIR%/boot/x86_64/initramfs-linux.img options %KERNEL_PARAMS% copytoram diff --git a/configs/baseline/syslinux/syslinux-linux.cfg b/configs/baseline/syslinux/syslinux-linux.cfg index 274515a..490e4af 100644 --- a/configs/baseline/syslinux/syslinux-linux.cfg 
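Review bot: Every loader entry in this commit drops the leading `/` before `%INSTALL_DIR%` (the two baseline entries here, and the syslinux and releng entries on the following lines), so the resulting paths are only absolute if the value substituted for `%INSTALL_DIR%` now begins with `/` or with `(crypto0)/`; the substitution itself is outside the visible hunks, so I cannot confirm that here. Because the `_build_bootloader_config` hunk sets `_boot_disk=""` for syslinux and systemd-boot, the template filler must still emit the `/` for those loaders or `linux %INSTALL_DIR%/boot/...` becomes a relative path. A comment at the top of the syslinux templates, which already use `#` comments, such as `# %INSTALL_DIR% expands to an absolute path (device prefix included on GRUB)`, would record that contract for the next edit.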
+++ b/configs/baseline/syslinux/syslinux-linux.cfg @@ -1,11 +1,11 @@ LABEL arch MENU LABEL Arch Linux (%ARCH%, BIOS) -LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +LINUX %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD %INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img APPEND %KERNEL_PARAMS% LABEL arch-ram MENU LABEL Arch Linux (%ARCH%, BIOS) Copy to RAM -LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +LINUX %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD %INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img APPEND %KERNEL_PARAMS% copytoram diff --git a/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf b/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf index 7e0ab93..2fcee5f 100644 --- a/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf +++ b/configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf @@ -1,7 +1,7 @@ title Arch Linux install medium (%ARCH%, UEFI) sort-key 01 -linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -initrd /%INSTALL_DIR%/boot/intel-ucode.img -initrd /%INSTALL_DIR%/boot/amd-ucode.img -initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +linux %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +initrd %INSTALL_DIR%/boot/intel-ucode.img +initrd %INSTALL_DIR%/boot/amd-ucode.img +initrd %INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img options %KERNEL_PARAMS% diff --git a/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf b/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf index f0d4ddc..d80802e 100644 --- a/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf +++ b/configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf 
@@ -1,7 +1,7 @@ title Arch Linux install medium (%ARCH%, UEFI) with speech sort-key 02 -linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -initrd /%INSTALL_DIR%/boot/intel-ucode.img -initrd /%INSTALL_DIR%/boot/amd-ucode.img -initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +linux %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +initrd %INSTALL_DIR%/boot/intel-ucode.img +initrd %INSTALL_DIR%/boot/amd-ucode.img +initrd %INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img options %KERNEL_PARAMS% accessibility=on diff --git a/configs/releng/efiboot/loader/entries/03-archiso-x86_64-ram-linux.conf b/configs/releng/efiboot/loader/entries/03-archiso-x86_64-ram-linux.conf index 63a552d..6cc794f 100644 --- a/configs/releng/efiboot/loader/entries/03-archiso-x86_64-ram-linux.conf +++ b/configs/releng/efiboot/loader/entries/03-archiso-x86_64-ram-linux.conf @@ -1,7 +1,7 @@ title Arch Linux install medium (%ARCH%, UEFI, Copy to RAM) sort-key 03 -linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -initrd /%INSTALL_DIR%/boot/intel-ucode.img -initrd /%INSTALL_DIR%/boot/amd-ucode.img -initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +linux %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +initrd %INSTALL_DIR%/boot/intel-ucode.img +initrd %INSTALL_DIR%/boot/amd-ucode.img +initrd %INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img options %KERNEL_PARAMS% copytoram diff --git a/configs/releng/efiboot/loader/entries/04-archiso-x86_64-ram-speech-linux.conf b/configs/releng/efiboot/loader/entries/04-archiso-x86_64-ram-speech-linux.conf index 0f64f5c..64f5c69 100644 --- a/configs/releng/efiboot/loader/entries/04-archiso-x86_64-ram-speech-linux.conf +++ b/configs/releng/efiboot/loader/entries/04-archiso-x86_64-ram-speech-linux.conf 
@@ -1,7 +1,7 @@ title Arch Linux install medium (%ARCH%, UEFI, Copy to RAM) with speech sort-key 04 -linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -initrd /%INSTALL_DIR%/boot/intel-ucode.img -initrd /%INSTALL_DIR%/boot/amd-ucode.img -initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +linux %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +initrd %INSTALL_DIR%/boot/intel-ucode.img +initrd %INSTALL_DIR%/boot/amd-ucode.img +initrd %INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img options %KERNEL_PARAMS% copytoram accessibility=on diff --git a/configs/releng/syslinux/archiso_pxe-linux.cfg b/configs/releng/syslinux/archiso_pxe-linux.cfg index b5e300f..c355c14 100644 --- a/configs/releng/syslinux/archiso_pxe-linux.cfg +++ b/configs/releng/syslinux/archiso_pxe-linux.cfg @@ -4,8 +4,8 @@ Boot the Arch Linux install medium using NBD. It allows you to install Arch Linux or perform system maintenance. ENDTEXT MENU LABEL Arch Linux install medium (%ARCH%, NBD) -LINUX ::/%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +LINUX ::%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD ::%INSTALL_DIR%/boot/intel-ucode.img,::%INSTALL_DIR%/boot/amd-ucode.img,::%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img APPEND %KERNEL_PARAMS% archiso_nbd_srv=${pxeserver} checksum verify SYSAPPEND 3 
@@ -15,8 +15,8 @@ Boot the Arch Linux live medium using NFS. It allows you to install Arch Linux or perform system maintenance. ENDTEXT MENU LABEL Arch Linux install medium (%ARCH%, NFS) -LINUX ::/%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +LINUX ::%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD ::%INSTALL_DIR%/boot/intel-ucode.img,::%INSTALL_DIR%/boot/amd-ucode.img,::%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img APPEND %KERNEL_PARAMS% archiso_nfs_srv=${pxeserver}:/run/archiso/bootmnt checksum verify SYSAPPEND 3 @@ -26,7 +26,7 @@ Boot the Arch Linux live medium using HTTP. It allows you to install Arch Linux or perform system maintenance. ENDTEXT MENU LABEL Arch Linux install medium (%ARCH%, HTTP) -LINUX ::/%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +LINUX ::%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD ::%INSTALL_DIR%/boot/intel-ucode.img,::%INSTALL_DIR%/boot/amd-ucode.img,::%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img APPEND %KERNEL_PARAMS% archiso_http_srv=http://${pxeserver}/ checksum verify SYSAPPEND 3 diff --git a/configs/releng/syslinux/archiso_sys-linux.cfg b/configs/releng/syslinux/archiso_sys-linux.cfg index e47f3fa..18c434a 100644 --- a/configs/releng/syslinux/archiso_sys-linux.cfg +++ b/configs/releng/syslinux/archiso_sys-linux.cfg 
@@ -4,8 +4,8 @@ Boot the Arch Linux install medium on BIOS. It allows you to install Arch Linux or perform system maintenance. ENDTEXT MENU LABEL Arch Linux install medium (%ARCH%, BIOS) -LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +LINUX %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD %INSTALL_DIR%/boot/intel-ucode.img,%INSTALL_DIR%/boot/amd-ucode.img,%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img APPEND %KERNEL_PARAMS% # Accessibility boot option @@ -15,8 +15,8 @@ Boot the Arch Linux install medium on BIOS with speakup screen reader. It allows you to install Arch Linux or perform system maintenance with speech feedback. ENDTEXT MENU LABEL Arch Linux install medium (%ARCH%, BIOS) with ^speech -LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +LINUX %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD %INSTALL_DIR%/boot/intel-ucode.img,%INSTALL_DIR%/boot/amd-ucode.img,%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img APPEND %KERNEL_PARAMS% accessibility=on # Copy to RAM boot option @@ -26,6 +26,6 @@ Boot the Arch Linux install medium on BIOS with Copy-to-RAM option It allows you to install Arch Linux or perform system maintenance. ENDTEXT MENU LABEL Arch Linux install medium (%ARCH%, BIOS, Copy to RAM) -LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img +LINUX %INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux +INITRD %INSTALL_DIR%/boot/intel-ucode.img,%INSTALL_DIR%/boot/amd-ucode.img,%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img APPEND %KERNEL_PARAMS% copytoram -- GitLab From c95594b22b6023600551337a720a499d4f1af648 Mon Sep 17 00:00:00 2001 
From: Pellegrino Prevete Date: Wed, 14 Sep 2022 00:25:18 +0000 Subject: [PATCH 098/105] switch to new type --- archiso/mkarchiso | 80 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 58 insertions(+), 22 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 6bb71ed..11eb302 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -356,24 +356,64 @@ _close_luks_device() { # Ask the user for a passphrase if not specified _mkluks_common() { - local _out="${work_dir}/${iso_label}.key" - if [ "${encryption_key}" = "" ]; then - echo -n "Airootfs password:" + local _name="${1}" + local _key="${2}" + local _label="${3}" + local _out="${work_dir}/${_label}.key" + if [ "${_key}" = "" ]; then + echo -n "Insert ${_name} (${_label}) password:" read -rs password echo "${password}" > "${_out}" - encryption_key="${_out}" + _encryption_key="${_out}" fi } # Steps shared by _mkairootfs_fs_type functions _mkairootfs_common() { + _mkfs_options=("${airootfs_image_tool_options[@]}") + _name="airootfs" + _dir="${pacstrap_dir}" + _image_path="${airootfs_img_dir}/airootfs."$(_get_fs_ext "airootfs") + _size="${airootfs_size}" + _epoch="" + _label="${iso_label}" + _writable=false + _grub=false + rm -f -- "${_image_path}" [[ -e "${pacstrap_dir}" ]] || _msg_error "The path '${pacstrap_dir}' does not exist" 1 install -d -m 0755 -- "${airootfs_img_dir}" - image_path="${airootfs_img_dir}/airootfs."$(_get_fs_ext "airootfs") - rm -f -- "${image_path}" - _mkfs_options=("${airootfs_image_tool_options[@]}") - writable=false - grub=false +} + +_mkimg(){ + name="${1}" + image_type="${2}" + _run_once "_mk${name}_common" + _mkimg "${_name}" +} + +# Create an ext4 fs inside a LUKS container to be used as the persistent ISO partition. 
+_mkimg_ext4+luks() { + local _name="${1}" + local _dir="${2}" + local _image_path="${3}" + local _size_kib="${4}" + local _encryption_key="${5}" + local _epoch="${6}" + local _label="${7}" + local _writable="${8}" + local _grub="${9}" + run_once "_mk${_name}_common" + # persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" + _mkluks_common "${_name}" "${_encryption_key}" "${_label}" + _run_mkluks "${_image_path}" "${_size_kib}" "${_encryption_key}" \ + "${_epoch}" "${_label}" "${_writable}" "${_grub}" + _run_mkext4 "${_dir}" "$(_get_internal_size "${_size_kib}")" \ + "${_epoch}" "${name}" "${_writable}" + dd if="${_dir}.img" of="${image_device}" + sync + _close_luks_device "${image_device}" + _msg_info "Done!" + rm -- "${_dir}.img" } # Create an ext4 image containing the root file system and pack it inside a squashfs image. @@ -390,17 +430,8 @@ _mkairootfs_ext4+squashfs() { # Create an ext4 image containing the root file system and pack it inside a squashfs image. # Pack the squash image inside the LUKS image and save it on the ISO 9660 file system. _mkairootfs_ext4+squashfs+luks() { - _mkairootfs_common - _mkluks_common - _run_mkluks "${image_path}" "${airootfs_size}" "${encryption_key}" \ - "${SOURCE_DATE_EPOCH}" "${iso_label}" "${writable}" "${grub}" - _run_mkext4 "${pacstrap_dir}" "$(_get_internal_size "${airootfs_size}")" \ - "${SOURCE_DATE_EPOCH}" "airootfs" - _run_mksquashfs "${pacstrap_dir}.img" "${image_device}" - sync - _close_luks_device "${image_device}" - _msg_info "Done!" - rm -- "${pacstrap_dir}.img" + _mkimg "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" "${_encryption_key}" \ + "${_epoch}" "${_writable}" "${_grub}" } # Create a squashfs image containing the root file system and saves it on the ISO 9660 file system. 
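Review bot: `_mkluks_common` writes the interactively read passphrase to `${work_dir}/${_label}.key` with a bare `echo ... >`, so the file is created under the build user's default umask and the passphrase also remains in the global `password` variable for the rest of the run; writing it as `( umask 077; echo "${password}" > "${_out}" )` followed by `unset password` keeps the key file private without changing its contents. In the same hunk `_mkimg` calls itself unconditionally, `_mkimg_ext4+luks` calls `run_once` rather than `_run_once` and passes `${name}` instead of `${_name}` to `_run_mkext4`, and `_mkairootfs_ext4+squashfs+luks` hands `_mkimg` eight arguments where the nine-parameter layout expects `_label` before `_writable`, so the positional values shift by one. The later commits in this series remove `_mkimg` and fix the `run_once`/`${name}` typos, but the umask point and the missing `_label` argument carry over.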
@@ -442,12 +473,13 @@ _mkairootfs_erofs+luks() { # Steps shared by _mkkeys+fs_type functions _mkkeys_common() { - image_path="${dongle_isofs_dir}/keys."$(_get_fs_ext "keys") - rm -f -- "${image_path}" _mkfs_options=("${keys_image_tool_options[@]}") + _name="keys" + _image_path="${dongle_isofs_dir}/keys."$(_get_fs_ext "keys") keys_epoch=$((SOURCE_DATE_EPOCH + 42 * 69)) writable=false grub=false + rm -f -- "${_image_path}" } # Create an ext4 image containing the keys file system and pack it inside a squashfs image. @@ -464,6 +496,10 @@ _mkkeys_ext4+squashfs() { # Create an ext4 image containing the keys file system and pack it inside a squashfs image. # Pack the squash image inside the LUKS image and save it on the ISO 9660 file system. _mkkeys_ext4+squashfs+luks() { + _mkkeys_common + _mkimg_ext4+squashfs+luks "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" \ + "${_encryption_key}" "${_epoch}" "${_writable}" "${_grub}" + _mkkeys_common _run_mkluks "${image_path}" "${keys_size}" "" \ "${keys_epoch}" "${iso_label}_KEYS" "${writable}" "${grub}" -- GitLab From 8dd9326316934e740185d324fa242ca28a482725 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Wed, 14 Sep 2022 02:08:51 +0000 Subject: [PATCH 099/105] introduce mkimg functions --- archiso/mkarchiso | 308 +++++++++++++++++++++++++++------------------- 1 file changed, 181 insertions(+), 127 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 11eb302..bb64e00 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
@@ -374,24 +374,33 @@ _mkairootfs_common() { _name="airootfs" _dir="${pacstrap_dir}" _image_path="${airootfs_img_dir}/airootfs."$(_get_fs_ext "airootfs") - _size="${airootfs_size}" - _epoch="" + _size_kib="${airootfs_size}" + _epoch="$((SOURCE_DATE_EPOCH))" _label="${iso_label}" _writable=false _grub=false rm -f -- "${_image_path}" - [[ -e "${pacstrap_dir}" ]] || _msg_error "The path '${pacstrap_dir}' does not exist" 1 + [[ -e "${_dir}" ]] || _msg_error "The path '${_dir}' does not exist" 1 install -d -m 0755 -- "${airootfs_img_dir}" } -_mkimg(){ - name="${1}" - image_type="${2}" - _run_once "_mk${name}_common" - _mkimg "${_name}" +# Create an ext4 fs inside a LUKS container image file. +_mkimg_ext4() { + local _dir="${2}" + local _image_path="${3}" + local _size_kib="${4}" + local _epoch="${6}" + local _label="${7}" + local _writable="${8}" + _run_mkext4 "${_dir}" "$(_get_internal_size "${_size_kib}")" \ + "${_epoch}" "${_label}" "${_writable}" + mv "${_dir}.img" "${_image_path}" + sync + _msg_info "Done!" } -# Create an ext4 fs inside a LUKS container to be used as the persistent ISO partition. + +# Create an ext4 fs inside a LUKS container image file. _mkimg_ext4+luks() { local _name="${1}" local _dir="${2}" @@ -402,13 +411,11 @@ _mkimg_ext4+luks() { local _label="${7}" local _writable="${8}" local _grub="${9}" - run_once "_mk${_name}_common" - # persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" _mkluks_common "${_name}" "${_encryption_key}" "${_label}" _run_mkluks "${_image_path}" "${_size_kib}" "${_encryption_key}" \ "${_epoch}" "${_label}" "${_writable}" "${_grub}" _run_mkext4 "${_dir}" "$(_get_internal_size "${_size_kib}")" \ - "${_epoch}" "${name}" "${_writable}" + "${_epoch}" "${_name}" "${_writable}" dd if="${_dir}.img" of="${image_device}" sync _close_luks_device "${image_device}" 
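Review bot: `_mkimg_ext4` binds its parameters from `${2}` to `${8}` and never reads `${1}` or `${5}`, apparently a leftover from the nine-parameter `_mkimg_ext4+luks` below it, but every caller introduced in the next hunk (`_mkairootfs_ext4`, `_mkkeys_ext4`, `_mkpersistent_ext4`, `_mkdonglepersistent_ext4`) passes six arguments starting with the directory. As written `_dir` receives the image path, `_size_kib` the epoch, and `_label` and `_writable` are empty, so `_run_mkext4` runs with the wrong size and no label. Numbering the locals from `${1}` matches the callers; the comment above the function should change too, since it says "inside a LUKS container" while the function creates a plain ext4 image.
```shell
# Create a plain ext4 image file from a directory (no LUKS container).
_mkimg_ext4() {
    local _dir="${1}"
    local _image_path="${2}"
    local _size_kib="${3}"
    local _epoch="${4}"
    local _label="${5}"
    local _writable="${6}"
    # … unchanged: _run_mkext4, mv, sync, _msg_info …
}
```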
@@ -416,211 +423,255 @@ _mkimg_ext4+luks() { rm -- "${_dir}.img" } +# Create an ext4 image and pack it inside a squashfs image. +# Pack the squash image inside a LUKS image. +_mkimg_ext4+squashfs+luks() { + local _name="${1}" + local _dir="${2}" + local _image_path="${3}" + local _size_kib="${4}" + local _encryption_key="${5}" + local _epoch="${6}" + local _label="${7}" + local _writable="${8}" + local _grub="${9}" + _mkluks_common "${_name}" "${_encryption_key}" "${_label}" + _run_mkluks "${_image_path}" "${_size_kib}" "${_encryption_key}" \ + "${_epoch}" "${_label}" "${_writable}" "${_grub}" + _run_mkext4 "${_dir}" "$(_get_internal_size "${_size_kib}")" \ + "${_epoch}" "${_name}" "${_writable}" + _run_mksquashfs "${_dir}.img" "${image_device}" + sync + _close_luks_device "${image_device}" + _msg_info "Done!" + rm -- "${_dir}.img" +} + +# Create a squashfs image and saves it on a LUKS image. +_mkimg_squashfs+luks() { + local _name="${1}" + local _dir="${2}" + local _image_path="${3}" + local _size_kib="${4}" + local _encryption_key="${5}" + local _epoch="${6}" + local _label="${7}" + local _writable="${8}" + local _grub="${9}" + _mkluks_common "${_name}" "${_encryption_key}" "${_label}" + _run_mkluks "${_image_path}" "${_size_kib}" "${_encryption_key}" \ + "${_epoch}" "${_label}" "${_writable}" "${_grub}" + _run_mksquashfs "${_dir}" "${image_device}" + sync + _close_luks_device "${image_device}" +} + +_mkimg_ext4+squashfs() { + local _name="${1}" + local _dir="${2}" + local _image_path="${3}" + local _size_kib="${4}" + local _epoch="${5}" + local _label="${6}" + local _writable="false" + _run_mkext4 "${_dir}" "$(_get_internal_size "${_size_kib}")" \ + "${_epoch}" "${_name}" "${_writable}" + _run_mksquashfs "${_dir}.img" "${_image_path}" + _msg_info "Done!" + rm -- "${_dir}.img" +} + +# Makes a squash fs image. 
+_mkimg_squashfs() { + local _name="${1}" + local _dir="${2}" + local _image_path="${3}" + _run_mksquashfs "${_dir}" "${_image_path}" +} + +# Create an EROFS image containing the root file system and saves it on the ISO 9660 file system. +_mkimg_erofs() { + local _image_path="${1}" + local _dir="${2}" + local _epoch="${3}" + _run_mkerofs "${_image_path}" "${_dir}" "${_epoch}" + _msg_info "Done!" +} + +# Create an EROFS image containing the root file system and saves it on the LUKS image. +# Save the LUKS image on the ISO 9660 file system. +_mkimg_erofs+luks() { + local _name="${1}" + local _dir="${2}" + local _image_path="${3}" + local _size_kib="${4}" + local _encryption_key="${5}" + local _epoch="${6}" + local _label="${7}" + local _grub="${8}" + local _writable="false" + _mkluks_common "${_name}" "${_encryption_key}" "${_label}" + _run_mkluks "${_image_path}" "${_size_kib}" "${_encryption_key}" \ + "${_epoch}" "${_label}" "${_writable}" "${_grub}" + _run_mkerofs "${image_device}" "${_dir}" "${_epoch}" + sync + _close_luks_device "${image_device}" +} + +# Create an ext4 image containing the root file system. +# Save the image on the ISO 9660 file system. +_mkairootfs_ext4() { + _mkimg_ext4 "${_dir}" "${_image_path}" "${_size_kib}" "${_epoch}" "${_label}" "${_writable}" +} + # Create an ext4 image containing the root file system and pack it inside a squashfs image. # Save the squashfs image on the ISO 9660 file system. _mkairootfs_ext4+squashfs() { - _mkairootfs_common - _run_mkext4 "${pacstrap_dir}" "$(_get_internal_size "${airootfs_size}")" \ - "${SOURCE_DATE_EPOCH}" "airootfs" - _run_mksquashfs "${pacstrap_dir}.img" "${image_path}" - _msg_info "Done!" - rm -- "${pacstrap_dir}.img" + _mkimg_ext4+squashfs "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" \ + "${_epoch}" "${_label}" "${_writable}" } # Create an ext4 image containing the root file system and pack it inside a squashfs image. 
# Pack the squash image inside the LUKS image and save it on the ISO 9660 file system. _mkairootfs_ext4+squashfs+luks() { - _mkimg "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" "${_encryption_key}" \ - "${_epoch}" "${_writable}" "${_grub}" + _mkimg_ext4+squashfs+luks "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" \ + "${_encryption_key}" "${_epoch}" "${_writable}" "${_grub}" } # Create a squashfs image containing the root file system and saves it on the ISO 9660 file system. _mkairootfs_squashfs() { - _mkairootfs_common - _run_mksquashfs "${pacstrap_dir}" "${image_path}" + _mkimg_squashfs "${_name}" "${_dir}" "${_image_path}" } # Create a squashfs image containing the root file system and saves it on the LUKS image. # Saves the LUKS image on the ISO 9660 file system. _mkairootfs_squashfs+luks() { - _mkairootfs_common - _mkluks_common - _run_mkluks "${image_path}" "${airootfs_size}" "${encryption_key}" \ - "${SOURCE_DATE_EPOCH}" "${iso_label}" "${writable}" "${grub}" - _run_mksquashfs "${pacstrap_dir}" "${image_device}" - sync - _close_luks_device "${image_device}" + _mkimg_squashfs+luks "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" \ + "${encryption_key}" "${_epoch}" "${_label}" "${_writable}" "${_grub}" } # Create an EROFS image containing the root file system and saves it on the ISO 9660 file system. _mkairootfs_erofs() { - _mkairootfs_common - _run_mkerofs "${image_path}" "${pacstrap_dir}" "${SOURCE_DATE_EPOCH}" - _msg_info "Done!" + _mkimg_erofs "${_image_path}" "${_dir}" "${_epoch}" } # Create an EROFS image containing the root file system and saves it on the LUKS image. # Save the LUKS image on the ISO 9660 file system. 
_mkairootfs_erofs+luks() { - _mkairootfs_common - _mkluks_common - _run_mkluks "${image_path}" "${airootfs_size}" "${encryption_key}" \ - "${SOURCE_DATE_EPOCH}" "${iso_label}" "${writable}" "${grub}" - _run_mkerofs "${image_device}" "${pacstrap_dir}" "${SOURCE_DATE_EPOCH}" - sync - _close_luks_device "${image_device}" + _mkimg_erofs+luks "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" \ + "${_encryption_key}" "${_epoch}" "${_label}" "${_grub}" } # Steps shared by _mkkeys+fs_type functions _mkkeys_common() { _mkfs_options=("${keys_image_tool_options[@]}") _name="keys" + _dir="${keys_dir}" _image_path="${dongle_isofs_dir}/keys."$(_get_fs_ext "keys") - keys_epoch=$((SOURCE_DATE_EPOCH + 42 * 69)) - writable=false - grub=false + _encryption_key="" + _size_kib="${keys_size}" + _epoch=$((SOURCE_DATE_EPOCH + 42 * 69)) + _label="${iso_label}_KEYS" + _writable="false" + _grub="false" rm -f -- "${_image_path}" } +# Create an ext4 image containing the keys file system for the dongle. +# Save the image on the dongle ISO 9660 file system. +_mkkeys_ext4() { + _mkimg_ext4 "${_dir}" "${_image_path}" "${_size_kib}" "${_epoch}" "${_label}" "${_writable}" +} + # Create an ext4 image containing the keys file system and pack it inside a squashfs image. -# Save the squashfs image on the ISO 9660 file system. +# Save the squashfs image on the dongle ISO 9660 file system. _mkkeys_ext4+squashfs() { - _mkkeys_common - _run_mkext4 "${keys_dir}" "$(_get_internal_size "${keys_size}")" \ - "${keys_epoch}" "keys" - _run_mksquashfs "${keys_dir}.img" "${image_path}" - _msg_info "Done!" - rm -- "${keys_dir}.img" + _mkimg_ext4+squashfs "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" \ + "${_epoch}" "${_label}" "${_writable}" } # Create an ext4 image containing the keys file system and pack it inside a squashfs image. # Pack the squash image inside the LUKS image and save it on the ISO 9660 file system. 
_mkkeys_ext4+squashfs+luks() { - _mkkeys_common _mkimg_ext4+squashfs+luks "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" \ "${_encryption_key}" "${_epoch}" "${_writable}" "${_grub}" - - _mkkeys_common - _run_mkluks "${image_path}" "${keys_size}" "" \ - "${keys_epoch}" "${iso_label}_KEYS" "${writable}" "${grub}" - _run_mkext4 "${keys_dir}" "$(_get_internal_size "${keys_size}")" \ - "${keys_epoch}" "keys" - _run_mksquashfs "${keys_dir}.img" "${image_device}" - sync - _close_luks_device "${image_device}" - _msg_info "Done!" - rm -- "${keys_dir}.img" -} - -# Create a squashfs image containing the keys file system and saves it on the LUKS image. -# Saves the LUKS image on the ISO 9660 file system. -_mkkeys_squashfs+luks() { - _mkkeys_common - _run_mkluks "${image_path}" "${airootfs_size}" "" \ - "${keys_epoch}" "${iso_label}_KEYS" "${writable}" "${grub}" - _run_mksquashfs "${keys_dir}" "${image_device}" - sync - _close_luks_device "${image_device}" } # Create a squashfs image containing the root file system and saves it on the ISO 9660 file system. _mkkeys_squashfs() { - _mkkeys_common - _run_mksquashfs "${keys_dir}" "${image_path}" + _mkimg_squashfs "${_name}" "${_dir}" "${_image_path}" } # Create an EROFS image containing the keys file system and saves it on the ISO 9660 file system. _mkkeys_erofs() { - _mkkeys_common - _run_mkerofs "${image_path}" "${keys_dir}" "${keys_epoch}" - _msg_info "Done!" + _mkimg_erofs "${_image_path}" "${_dir}" "${_epoch}" } # Create an EROFS image containing the keys file system and saves it on the LUKS image. # Save the LUKS image on the ISO 9660 file system. 
_mkkeys_erofs+luks() { - _mkkeys_common - _run_mkluks "${image_path}" "${keys_size}" \ - "${keys_epoch}" "${iso_label}_KEYS" "${writable}" "${grub}" - _run_mkerofs "${image_device}" "${keys_dir}" "${keys_epoch}" - sync - _close_luks_device "${image_device}" + _mkimg_erofs+luks "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" \ + "${_encryption_key}" "${_epoch}" "${_label}" "${_grub}" } # Steps shared by _mkpersistent+fs_type functions _mkpersistent_common() { - image_path="${persistentimg}" - image_label="${iso_label}_PERSISTENT" - rm -f -- "${image_path}" - persistent_epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) - writable="true" + _name="persistent" + _dir="${persistent_dir}" + _image_path="${persistentimg}" + _encryption_key="${persistent_encryption_key}" + _size_kib="${persistent_size_kib}" + _epoch=$((SOURCE_DATE_EPOCH + 3 * 1415)) + _label="${iso_label}_PERSISTENT" + _writable="true" if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then - grub="false" + _grub="false" else - grub="true" + _grub="true" fi + persistent_epoch="${_epoch}" + rm -f -- "${image_path}" } # Create an ext4 image to be used as the persistent ISO partition. _mkpersistent_ext4() { - _mkpersistent_common persistent_guid="0FC63DAF-8483-4772-8E79-3D69D8477DE4" - _run_mkext4 "${persistent_dir}" "${persistent_size_kib}" \ - "${persistent_epoch}" "${image_label}" "${writable}" - mv "${persistent_dir}.img" "${image_path}" - sync - _msg_info "Done!" + _mkimg_ext4 "${_dir}" "${_image_path}" "${_size_kib}" "${_epoch}" "${_label}" "${_writable}" } # Create an ext4 fs inside a LUKS container to be used as the persistent ISO partition. 
_mkpersistent_ext4+luks() { - _mkpersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" - _run_mkluks "${image_path}" "${persistent_size_kib}" "${persistent_encryption_key}" \ - "${persistent_epoch}" "${image_label}" "${writable}" "${grub}" - _run_mkext4 "${persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ - "${persistent_epoch}" "persistent" "${writable}" - dd if="${persistent_dir}.img" of="${image_device}" - sync - _close_luks_device "${image_device}" - _msg_info "Done!" - rm -- "${persistent_dir}.img" + _mkimg_ext4+luks "${_name}" "${_dir}" "${_image_path}" "${_encryption_key}" "${_epoch}" \ + "${_writable}" "${_grub}" } # Steps shared by _mkdonglepersistent+fs_type functions _mkdonglepersistent_common() { - image_path="${donglepersistentimg}" - image_label="${iso_label}_DONGLE_PERSISTENT" + _name="donglepersistent" + _dir="${dongle_persistent_dir}" + _image_path="${donglepersistentimg}" + _encryption_key="" + _size_kib="${persistent_size_kib}" + _epoch=$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415)) + _label="${iso_label}_DONGLE_PERSISTENT" + _writable="true" + _grub="true" rm -f -- "${image_path}" - dongle_persistent_epoch=$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415)) - writable="true" - grub="true" + dongle_persistent_epoch="${_epoch}" } # Create an ext4 image to be used as the persistent ISO partition. _mkdonglepersistent_ext4() { - _mkdonglepersistent_common persistent_guid="0FC63DAF-8483-4772-8E79-3D69D8477DE4" - _run_mkext4 "${dongle_persistent_dir}" "${persistent_size_kib}" \ - "${dongle_persistent_epoch}" "${image_label}" "${writable}" - mv "${persistent_dir}.img" "${image_path}" - sync - _msg_info "Done!" + _mkimg_ext4 "${_dir}" "${_image_path}" "${_size_kib}" "${_epoch}" "${_label}" "${_writable}" } # Create an ext4 fs inside a LUKS container to be used as the persistent ISO partition. 
_mkdonglepersistent_ext4+luks() { - _mkdonglepersistent_common persistent_guid="CA7D7CCB-63ED-4C53-861C-1742536059CC" - _run_mkluks "${image_path}" "${persistent_size_kib}" "" \ - "${dongle_persistent_epoch}" "${image_label}" "${writable}" "${grub}" - _run_mkext4 "${dongle_persistent_dir}" "$(_get_internal_size "${persistent_size_kib}")" \ - "${dongle_persistent_epoch}" "persistent" "${writable}" - dd if="${dongle_persistent_dir}.img" of="${image_device}" - sync - _close_luks_device "${image_device}" - _msg_info "Done!" - rm -- "${dongle_persistent_dir}.img" + _mkimg_ext4+luks "${_name}" "${_dir}" "${_image_path}" "${_encryption_key}" "${_epoch}" \ + "${_writable}" "${_grub}" } # Create checksum for a given file. @@ -1772,6 +1823,7 @@ _prepare_airootfs_image() { pacstrap_size=$(du -s "${pacstrap_dir}" | cut -f 1) airootfs_size=$((pacstrap_size+200000)) + _run_once "_mkairootfs_common" _run_once "_mkairootfs_${airootfs_image_type}" _mkchecksum "$(_get_airootfs_img)" if [[ -n "${gpg_key}" ]]; then @@ -1789,6 +1841,7 @@ _prepare_airootfs_image() { # Build keys filesystem image _prepare_keys_image() { keys_size=25000 + _run_once "_mkkeys_common" _run_once "_mkkeys_${keys_image_type}" _mkchecksum "${dongle_isofs_dir}/keys.$(_get_fs_ext "keys")" @@ -1834,6 +1887,7 @@ _prepare_persistent_image() { sed '/%PERSISTENT_UUID%/d' "${crypttab}" > "${pacstrap_dir}/etc/crypttab" fi _run_once _make_boot_on_dongle + _run_once "_mkpersistent_common" _run_once "_mkpersistent_${persistent_image_type}" if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then _run_once "_mkdonglepersistent_${persistent_image_type}" -- GitLab From 932ac7c84f1d8611de39ee11721d9837f16f733d Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Wed, 14 Sep 2022 02:27:09 +0000 Subject: [PATCH 100/105] review --- archiso/mkarchiso | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index bb64e00..e9381d7 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso 
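Review bot: Several of the new wrapper calls in this hunk do not match the helper signatures: `_mkpersistent_ext4+luks` and `_mkdonglepersistent_ext4+luks` pass seven arguments to the nine-parameter `_mkimg_ext4+luks`, omitting `_size_kib` and `_label`, and `_mkairootfs_ext4+squashfs+luks` and `_mkkeys_ext4+squashfs+luks` pass eight to `_mkimg_ext4+squashfs+luks`, omitting `_label`, so inside the helpers `_size_kib` or `_label` hold the wrong values and `_epoch`/`_writable`/`_grub` shift by one or two slots. `_mkairootfs_common` (previous hunk) never sets `_encryption_key`, so the airootfs LUKS variants now hand an empty or stale key to `_mkluks_common` and prompt for a passphrase even when one was supplied, while `_mkairootfs_squashfs+luks` alone still reads the old global `${encryption_key}`. `_mkpersistent_common` and `_mkdonglepersistent_common` keep `rm -f -- "${image_path}"` although the path now lives in `_image_path`, and `_mkkeys_squashfs+luks` is deleted without a replacement, so `_run_once "_mkkeys_${keys_image_type}"` would fail for that type. The two persistent calls should read `_mkimg_ext4+luks "${_name}" "${_dir}" "${_image_path}" "${_size_kib}" "${_encryption_key}" "${_epoch}" "${_label}" "${_writable}" "${_grub}"`, the squashfs+luks calls need `"${_label}"` before `"${_writable}"`, and `_mkairootfs_common` should add `_encryption_key="${encryption_key}"`.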
@@ -788,7 +788,7 @@ _make_pacman_conf() { # see `man 8 pacman` for further info pacman-conf --config "${pacman_conf}" | \ sed "/CacheDir/d;/DBPath/d;/HookDir/d;/LogFile/d;/RootDir/d;/\[options\]/a CacheDir = ${_cache_dirs} - /\[options\]/a HookDir = ${pacstrap_dir}/etc/pacman.d/hooks/" > "${work_dir}/${buildmode}.pacman.conf" + /\[options\]/a HookDir = ${pacstrap_dir}/etc/pacman.d/hooks/" > "${work_dir}/${buildmode}.pacman.conf" } # Prepare working directory and copy custom root file system files. -- GitLab From 91d2bb822ec7b4829597dac8f558f727b3ef55bf Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Wed, 14 Sep 2022 02:30:38 +0000 Subject: [PATCH 101/105] move down --- archiso/mkarchiso | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index e9381d7..4b5c159 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -368,22 +368,6 @@ _mkluks_common() { fi } -# Steps shared by _mkairootfs_fs_type functions -_mkairootfs_common() { - _mkfs_options=("${airootfs_image_tool_options[@]}") - _name="airootfs" - _dir="${pacstrap_dir}" - _image_path="${airootfs_img_dir}/airootfs."$(_get_fs_ext "airootfs") - _size_kib="${airootfs_size}" - _epoch="$((SOURCE_DATE_EPOCH))" - _label="${iso_label}" - _writable=false - _grub=false - rm -f -- "${_image_path}" - [[ -e "${_dir}" ]] || _msg_error "The path '${_dir}' does not exist" 1 - install -d -m 0755 -- "${airootfs_img_dir}" -} - # Create an ext4 fs inside a LUKS container image file. _mkimg_ext4() { local _dir="${2}" 
@@ -518,6 +502,22 @@ _mkimg_erofs+luks() {
_close_luks_device "${image_device}"
}
+# Steps shared by _mkairootfs_fs_type functions
+_mkairootfs_common() {
+ _mkfs_options=("${airootfs_image_tool_options[@]}")
+ _name="airootfs"
+ _dir="${pacstrap_dir}"
+ _image_path="${airootfs_img_dir}/airootfs."$(_get_fs_ext "airootfs")
+ _size_kib="${airootfs_size}"
+ _epoch="$((SOURCE_DATE_EPOCH))"
+ _label="${iso_label}"
+ _writable=false
+ _grub=false
+ rm -f -- "${_image_path}"
+ [[ -e "${_dir}" ]] || _msg_error "The path '${_dir}' does not exist" 1
+ install -d -m 0755 -- "${airootfs_img_dir}"
+}
+
# Create an ext4 image containing the root file system.
# Save the image on the ISO 9660 file system.
_mkairootfs_ext4() {
@@ -948,6 +948,7 @@ _make_boot_on_iso() {
_msg_info "Done!"
}
+# Add archiso modules to profile's mkinitcpio.conf
_build_archiso_mkinitcpio_conf() {
local _hooks=() _mkinitcpio_conf="${profile}/airootfs/etc/mkinitcpio.conf" _modules=()
if [[ "${airootfs_image_type}" == *luks ]] || [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then
@@ -964,16 +965,19 @@ _build_archiso_mkinitcpio_conf() {
s|%ARCHISO_MODULES%|${_modules[*]}|g" "${work_dir}/mkinitcpio.conf" > "${_mkinitcpio_conf}"
}
+# Get UUID for the dongle GRUB plain mount
_get_dongle_uuid() {
#shellcheck disable=SC2005
echo "$(_epoch_to_uuid $((SOURCE_DATE_EPOCH + 42 * 69)))"
}
+# Get UUID for the GRUB plain mount
_get_archiso_uuid() {
#shellcheck disable=SC2005
echo "$(_epoch_to_uuid "${SOURCE_DATE_EPOCH}")"
}
+# Get UUID for the GRUB cryptomount
_get_cryptomount_uuid() {
if [[ " ${buildmodes[*]} " =~ ' dongle ' ]]; then
_epoch="$((SOURCE_DATE_EPOCH + 42 * 69 + 3 * 1415))"
--
GitLab
From cf26df40f7d0a2704a3fe3f9a19ce7757e9110a7 Mon Sep 17 00:00:00 2001
From: Pellegrino Prevete
Date: Wed, 14 Sep 2022 02:34:36 +0000
Subject: [PATCH 102/105] fix more things
---
archiso/mkarchiso | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
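Review bot: `_mkairootfs_common` deliberately leaves `_name`, `_dir`, `_image_path`, `_size_kib`, `_epoch`, `_label`, `_writable` and `_grub` global (no `local`), since the `_mkairootfs_*` functions read them after it returns, but nothing in the comment says so and a future `local` would silently break every caller; a header comment along the lines of `# Sets the globals _name, _dir, _image_path, _size_kib, _epoch, _label, _writable and _grub read by the _mkairootfs_* functions; must run immediately before them.` would pin the contract. While here, the command substitution in `_image_path="${airootfs_img_dir}/airootfs."$(_get_fs_ext "airootfs")` sits outside the double quotes and is subject to word splitting; the usual form is `_image_path="${airootfs_img_dir}/airootfs.$(_get_fs_ext "airootfs")"`. The existence check on `${_dir}` also runs after `rm -f -- "${_image_path}"`, so a mistyped `pacstrap_dir` still removes a previously built image before the build aborts; moving the `[[ -e "${_dir}" ]]` line above the `rm -f` costs nothing.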
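Review bot: The new comments on `_get_dongle_uuid`, `_get_archiso_uuid` and `_get_cryptomount_uuid` say what each UUID is for but not why `42 * 69` and `3 * 1415` are added to `SOURCE_DATE_EPOCH`; presumably the offsets only keep the three UUIDs distinct from one another while leaving them reproducible from the same epoch, and a one-line comment at the first use, e.g. `# arbitrary offset: keeps this UUID distinct from _get_archiso_uuid while staying derived from SOURCE_DATE_EPOCH`, would spare the next reader a hunt for hidden meaning. It is also worth stating that, being derived from the public build epoch, these values are device identifiers only and carry no secrecy, so nothing else in the build should treat them as such. `_get_cryptomount_uuid` continues past the end of the hunk.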
diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index 4b5c159..6bc8652 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -383,8 +383,7 @@ _mkimg_ext4() {
_msg_info "Done!"
}
-
-# Create an ext4 fs inside a LUKS container image file.
+# Creates an ext4 fs inside a LUKS container image file.
_mkimg_ext4+luks() {
local _name="${1}"
local _dir="${2}"
@@ -407,8 +406,8 @@ _mkimg_ext4+luks() {
rm -- "${_dir}.img"
}
-# Create an ext4 image and pack it inside a squashfs image.
-# Pack the squash image inside a LUKS image.
+# Creates an ext4 image and packs it inside a squashfs image.
+# Packs the squash image inside a LUKS image.
_mkimg_ext4+squashfs+luks() {
local _name="${1}"
local _dir="${2}"
@@ -431,7 +430,7 @@ _mkimg_ext4+squashfs+luks() {
rm -- "${_dir}.img"
}
-# Create a squashfs image and saves it on a LUKS image.
+# Creates a squashfs image and saves it on a LUKS image.
_mkimg_squashfs+luks() {
local _name="${1}"
local _dir="${2}"
@@ -450,6 +449,7 @@ _mkimg_squashfs+luks() {
_close_luks_device "${image_device}"
}
+# Creates an ext4 file system inside a squashfs image.
_mkimg_ext4+squashfs() {
local _name="${1}"
local _dir="${2}"
@@ -465,7 +465,7 @@ _mkimg_ext4+squashfs() {
rm -- "${_dir}.img"
}
-# Makes a squash fs image.
+# Creates a squash fs image.
_mkimg_squashfs() {
local _name="${1}"
local _dir="${2}"
--
GitLab
From 7815f6e99afdbb860f0dd88c6db510e65a8a0722 Mon Sep 17 00:00:00 2001
From: Pellegrino Prevete
Date: Wed, 14 Sep 2022 02:45:12 +0000
Subject: [PATCH 103/105] update CHANGELOG
---
CHANGELOG.rst | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5a02caa..dba5076 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -7,15 +7,16 @@ Changelog Added ----- -- Add support for LUKS2 image disks: - - ``+luks`` airootfs image types; - - ``keys`` buildmode; - - ``encryption_key`` parameter. +- Add support for LUKS2 image disks; + - new ``+luks`` image types. +- Add support for ``dongle`` buildmode. +- Add support for a third persistent partition on both ``iso`` and ``dongle``. - Upgraded storage handling function functions: - - Set overwrite flag in ``mtools`` commands. + - Set overwrite flag in ``mtools`` commands; - Refactor ``run_`` functions. -- Add support for persistent partition on ISO: - - ''persistent_size'' parameter; +- Add support for GRUB as MBR bootloader. +- Add support for GRUB booting system from both ``iso`` and ``dongle`` persistent partition. +- Add known vulnerabilities warnings. Changed ------- -- GitLab From b124686c3cbb5e697857c5d3a0d12a13d5929380 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Wed, 14 Sep 2022 03:03:38 +0000 Subject: [PATCH 104/105] update CHANGELOG --- CHANGELOG.rst | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index dba5076..d150012 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -9,17 +9,27 @@ Added ----- - Add support for LUKS2 image disks; - new ``+luks`` image types. + - insert known needed extra modules for the new configurations. - Add support for ``dongle`` buildmode. - Add support for a third persistent partition on both ``iso`` and ``dongle``. -- Upgraded storage handling function functions: - - Set overwrite flag in ``mtools`` commands; - - Refactor ``run_`` functions. - Add support for GRUB as MBR bootloader. - Add support for GRUB booting system from both ``iso`` and ``dongle`` persistent partition. -- Add known vulnerabilities warnings. +- Added known vulnerabilities warnings. +- Added functions to determine file system type. +Profiles: + - Add systemd automounts for persistent partition. Changed ------- +- Upgraded storage handling function functions: + - Set overwrite flag in ``mtools`` commands. + - Refactor ``run_`` functions. +- Abstract signature and checksum functions. +- Grouped all bootloader seds in a single function. +- Profiles: + - Completely switch to GRUB. + - Reduced bootloader configuration files complexity. + - Reduced mkinitcpio.conf complexity. Removed ------- -- GitLab From 9c51f2cb2f9b7490dd2d11ea1a65b61f9c245583 Mon Sep 17 00:00:00 2001 From: Pellegrino Prevete Date: Wed, 14 Sep 2022 03:15:49 +0000 Subject: [PATCH 105/105] update CHANGELOG --- CHANGELOG.rst | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index d150012..db1559a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -9,13 +9,15 @@ Added ----- - Add support for LUKS2 image disks; - new ``+luks`` image types. - - insert known needed extra modules for the new configurations. +- Insert known needed extra modules in ``mkinitcpio.conf`` if image configuration requires it. - Add support for ``dongle`` buildmode. -- Add support for a third persistent partition on both ``iso`` and ``dongle``. +- Add support for a new ISO partition intended to be "persistent" + on both ``iso`` (``persistent``) and ``dongle`` (``donglepersistent``). +- New ``mk_`` functions. - Add support for GRUB as MBR bootloader. -- Add support for GRUB booting system from both ``iso`` and ``dongle`` persistent partition. +- Add support for GRUB booting system from persistent partitions. - Added known vulnerabilities warnings. -- Added functions to determine file system type. +- Added functions to determine chosen file system image type. Profiles: - Add systemd automounts for persistent partition. @@ -24,6 +26,8 @@ Changed - Upgraded storage handling function functions: - Set overwrite flag in ``mtools`` commands. - Refactor ``run_`` functions. +- Upgraded image building functions: + - Abstract ``mkairootfs_`` as ``mk_``. - Abstract signature and checksum functions. - Grouped all bootloader seds in a single function. - Profiles: -- GitLab