-rw-r--r-- | CHANGELOG.rst | 21 | ||||
-rw-r--r-- | configs/baseline/profiledef.sh | 2 | ||||
-rw-r--r-- | configs/releng/airootfs/root/.zlogin | 2 | ||||
-rw-r--r-- | configs/releng/grub/grub.cfg | 5 | ||||
-rw-r--r-- | configs/releng/packages.both | 1 | ||||
-rw-r--r-- | configs/releng/syslinux/parabolaiso_pxe32-linux-libre.cfg | 6 | ||||
-rw-r--r-- | configs/releng/syslinux/parabolaiso_pxe64-linux-libre.cfg | 6 | ||||
-rw-r--r-- | docs/README.profile.rst | 2 | ||||
-rwxr-xr-x | parabolaiso/mkparabolaiso | 72 |
9 files changed, 83 insertions, 34 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 52fe96f..a0065a8 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -14,6 +14,27 @@ Changed
 Removed
 -------
+[69] - 2022-12-24
+=================
+
+Added
+-----
+
+- Add Memtest86+ to x86_64 UEFI GRUB boot menu.
+
+Changed
+-------
+
+- Check if the GPG public key file was successfully placed in the work directory before trying to use it.
+- Open the file descriptors for code signing certificates and GPG public key as read only. Nothing from the within the
+ ``pacstrap`` invoked chroot should ever be allowed to write outside of it.
+- Error out early if any of the code signing certificate files passed with option ``-c`` do not exist.
+- Use LZMA compressed EROFS image for the baseline profile. Now that xz 5.4 is out and erofs-utils is built with LZMA
+ support, using a higher compression is possible.
+- Add ``/etc/machine-id`` with special value ``uninitialized``. The final id is generated at boot time, and systemd's
+ first-boot mechanim (see ``First Boot Semantics`` in ``machine-id(5)``) applies. No functional change unless that
+ ``ConditionFirstBoot=yes`` is true and passive unit ``first-boot-complete.target`` activates for ordering.
+
 [68] - 2022-10-30
 =================
diff --git a/configs/baseline/profiledef.sh b/configs/baseline/profiledef.sh
index 7e714ef..27b0b6a 100644
--- a/configs/baseline/profiledef.sh
+++ b/configs/baseline/profiledef.sh
@@ -14,7 +14,7 @@ bootmodes=('bios.syslinux.mbr' 'bios.syslinux.eltorito'
 arch="x86_64"
 pacman_conf="pacman.conf"
 airootfs_image_type="erofs"
-airootfs_image_tool_options=('-zlz4hc,12' -E ztailpacking)
+airootfs_image_tool_options=('-zlzma,9' -E ztailpacking)
 file_permissions=(
 ["/etc/shadow"]="0:0:400"
 )
diff --git a/configs/releng/airootfs/root/.zlogin b/configs/releng/airootfs/root/.zlogin
index 0fb119d..bf6bc8f 100644
--- a/configs/releng/airootfs/root/.zlogin
+++ b/configs/releng/airootfs/root/.zlogin
@@ -1,5 +1,5 @@
 # fix for screen readers
-if grep -Fq 'accessibility=' /proc/cmdline &> /dev/null; then
+if grep -Fqa 'accessibility=' /proc/cmdline &> /dev/null; then
 setopt SINGLE_LINE_ZLE
 fi
diff --git a/configs/releng/grub/grub.cfg b/configs/releng/grub/grub.cfg
index c8c885e..44942f1 100644
--- a/configs/releng/grub/grub.cfg
+++ b/configs/releng/grub/grub.cfg
@@ -46,6 +46,11 @@ menuentry "Parabola GNU/Linux-libre install medium with speakup screen reader (x
 if [ "${grub_platform}" == "efi" ]; then
 if [ "${grub_cpu}" == "x86_64" ]; then
+ menuentry "Run Memtest86+ (RAM test)" --class memtest86 --class gnu --class tool {
+ set gfxpayload=800x600,1024x768
+ search --fs-uuid --no-floppy --set=root --label %PARABOLAISO_LABEL%
+ linux /%INSTALL_DIR%/boot/memtest.efi
+ }
 menuentry "UEFI Shell" {
 insmod chain
 search --no-floppy --set=root --label %PARABOLAISO_LABEL%
diff --git a/configs/releng/packages.both b/configs/releng/packages.both
index aabb1e6..0dd1b3c 100644
--- a/configs/releng/packages.both
+++ b/configs/releng/packages.both
@@ -53,6 +53,7 @@ man-pages
 mc
 mdadm
 memtest86+
+memtest86+-efi
 mkinitcpio
 mkinitcpio-parabolaiso
 mkinitcpio-nfs-utils
diff --git a/configs/releng/syslinux/parabolaiso_pxe32-linux-libre.cfg b/configs/releng/syslinux/parabolaiso_pxe32-linux-libre.cfg
index 5e44dc9..69b8212 100644
--- a/configs/releng/syslinux/parabolaiso_pxe32-linux-libre.cfg
+++ b/configs/releng/syslinux/parabolaiso_pxe32-linux-libre.cfg
@@ -6,7 +6,7 @@ ENDTEXT
 MENU LABEL Boot Parabola GNU/Linux-libre (i686) (NBD)
 LINUX ::/%INSTALL_DIR%/boot/i686/vmlinuz-linux-libre
 INITRD ::/%INSTALL_DIR%/boot/i686/initramfs-linux-libre.img
-APPEND parabolaisobasedir=%INSTALL_DIR% parabolaisolabel=%PARABOLAISO_LABEL% parabolaiso_nbd_srv=${pxeserver} checksum verify
+APPEND parabolaisobasedir=%INSTALL_DIR% parabolaisolabel=%PARABOLAISO_LABEL% parabolaiso_nbd_srv=${pxeserver} cms_verify=y
 SYSAPPEND 3
 LABEL parabola32_nfs
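Review bot: The new `linux /%INSTALL_DIR%/boot/memtest.efi` line does not match where the mkparabolaiso hunk for `_make_bootmode_uefi-x64.grub.esp` later in this commit puts the binary, `${isofs_dir}/boot/memtest86+/memtest.efi` (and that hunk's own comment says `${install_dir}/boot/`), so unless `isofs_dir` already resolves into the install directory the menu entry will not find the file; settle on one path and use it in both places, e.g. `linux /boot/memtest86+/memtest.efi`. The added `search` line also combines `--fs-uuid` with `--label`, which select different search modes, while the sibling "UEFI Shell" entry uses `search --no-floppy --set=root --label %PARABOLAISO_LABEL%`; the new entry should presumably match it. The enclosing `if` blocks start and end outside the hunk.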
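Review bot: The APPEND lines switch the boot-time media verification from `checksum verify` to `cms_verify=y`, which changes what is verified before the root image is used, yet the [69] CHANGELOG entry in this commit does not mention it; the same edit appears in the second pxe32 hunk and in both pxe64 hunks. Unless it was already recorded under an earlier release, add a Changed bullet such as `- Switch the PXE boot entries from ``checksum verify`` to ``cms_verify=y``.` so the behaviour change is discoverable, and confirm that the initramfs hook shipped by this profile still honours the new parameter for NBD, NFS and HTTP boot.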
@@ -17,7 +17,7 @@ ENDTEXT
 MENU LABEL Boot Parabola GNU/Linux-libre (i686) (NFS)
 LINUX ::/%INSTALL_DIR%/boot/i686/vmlinuz-linux-libre
 INITRD ::/%INSTALL_DIR%/boot/i686/initramfs-linux-libre.img
-APPEND parabolaisobasedir=%INSTALL_DIR% parabolaiso_nfs_srv=${pxeserver}:/run/parabolaiso/bootmnt checksum verify
+APPEND parabolaisobasedir=%INSTALL_DIR% parabolaiso_nfs_srv=${pxeserver}:/run/parabolaiso/bootmnt cms_verify=y
 SYSAPPEND 3
 LABEL parabola32_http
@@ -28,5 +28,5 @@ ENDTEXT
 MENU LABEL Boot Parabola GNU/Linux-libre (i686) (HTTP)
 LINUX ::/%INSTALL_DIR%/boot/i686/vmlinuz-linux-libre
 INITRD ::/%INSTALL_DIR%/boot/i686/initramfs-linux-libre.img
-APPEND parabolaisobasedir=%INSTALL_DIR% parabolaiso_http_srv=http://${pxeserver}/ checksum verify
+APPEND parabolaisobasedir=%INSTALL_DIR% parabolaiso_http_srv=http://${pxeserver}/ cms_verify=y
 SYSAPPEND 3
diff --git a/configs/releng/syslinux/parabolaiso_pxe64-linux-libre.cfg b/configs/releng/syslinux/parabolaiso_pxe64-linux-libre.cfg
index 9868ea9..28a131b 100644
--- a/configs/releng/syslinux/parabolaiso_pxe64-linux-libre.cfg
+++ b/configs/releng/syslinux/parabolaiso_pxe64-linux-libre.cfg
@@ -6,7 +6,7 @@ ENDTEXT
 MENU LABEL Boot Parabola GNU/Linux-libre (x86_64) (NBD)
 LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux-libre
 INITRD ::/%INSTALL_DIR%/boot/x86_64/initramfs-linux-libre.img
-APPEND parabolaisobasedir=%INSTALL_DIR% parabolaisolabel=%PARABOLAISO_LABEL% parabolaiso_nbd_srv=${pxeserver} checksum verify
+APPEND parabolaisobasedir=%INSTALL_DIR% parabolaisolabel=%PARABOLAISO_LABEL% parabolaiso_nbd_srv=${pxeserver} cms_verify=y
 SYSAPPEND 3
 LABEL parabola64_nfs
@@ -17,7 +17,7 @@ ENDTEXT
 MENU LABEL Boot Parabola GNU/Linux-libre (x86_64) (NFS)
 LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux-libre
 INITRD ::/%INSTALL_DIR%/boot/x86_64/initramfs-linux-libre.img
-APPEND parabolaisobasedir=%INSTALL_DIR% parabolaiso_nfs_srv=${pxeserver}:/run/parabolaiso/bootmnt checksum verify
+APPEND parabolaisobasedir=%INSTALL_DIR% parabolaiso_nfs_srv=${pxeserver}:/run/parabolaiso/bootmnt cms_verify=y
 SYSAPPEND 3
 LABEL parabola64_http
@@ -28,5 +28,5 @@ ENDTEXT
 MENU LABEL Boot Parabola GNU/Linux-libre (x86_64) (HTTP)
 LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux-libre
 INITRD ::/%INSTALL_DIR%/boot/x86_64/initramfs-linux-libre.img
-APPEND parabolaisobasedir=%INSTALL_DIR% parabolaiso_http_srv=http://${pxeserver}/ checksum verify
+APPEND parabolaisobasedir=%INSTALL_DIR% parabolaiso_http_srv=http://${pxeserver}/ cms_verify=y
 SYSAPPEND 3
diff --git a/docs/README.profile.rst b/docs/README.profile.rst
index 2da996d..258981d 100644
--- a/docs/README.profile.rst
+++ b/docs/README.profile.rst
@@ -139,7 +139,7 @@ The following *custom template identifiers* are understood and will be replaced
 respective variables in ``profiledef.sh``:
 * ``%PARABOLAISO_LABEL%``: Set this using the ``iso_label`` variable in ``profiledef.sh``.
-* ``%INSTALL_DIR%``: Set this using the ``iso_label`` variable in ``profiledef.sh``.
+* ``%INSTALL_DIR%``: Set this using the ``install_dir`` variable in ``profiledef.sh``.
 * ``%ARCH%``: Set this using the ``arch`` variable in ``profiledef.sh``.
diff --git a/parabolaiso/mkparabolaiso b/parabolaiso/mkparabolaiso
index 26fa82d..ac2d6ec 100755
--- a/parabolaiso/mkparabolaiso
+++ b/parabolaiso/mkparabolaiso
@@ -166,9 +166,10 @@ _cleanup_pacstrap_dir() {
 [[ -d "${pacstrap_dir}/var/tmp" ]] && find "${pacstrap_dir}/var/tmp" -mindepth 1 -delete
 # Delete package pacman related files.
 find "${work_dir}" \( -name '*.pacnew' -o -name '*.pacsave' -o -name '*.pacorig' \) -delete
- # Create an empty /etc/machine-id
+ # Create /etc/machine-id with special value 'uninitialized': the final id is
+ # generated on first boot, systemd's first-boot mechanism applies (see machine-id(5))
 rm -f -- "${pacstrap_dir}/etc/machine-id"
- printf '' > "${pacstrap_dir}/etc/machine-id"
+ printf 'uninitialized\n' > "${pacstrap_dir}/etc/machine-id"
 _msg_info "Done!"
 }
@@ -364,6 +365,20 @@ _make_packages() {
 local buildmode_pkg_list_arch
 eval "buildmode_pkg_list_arch=(\${buildmode_pkg_list_${arch}[@]})"
+ if [[ -v gpg_publickey ]]; then
+ exec {PARABOLAISO_GNUPG_FD}<"$gpg_publickey"
+ export PARABOLAISO_GNUPG_FD
+ fi
+ if [[ -v cert_list[0] ]]; then
+ exec {PARABOLAISO_TLS_FD}<"${cert_list[0]}"
+ export PARABOLAISO_TLS_FD
+ fi
+ if [[ -v cert_list[2] ]]; then
+ exec {PARABOLAISO_TLSCA_FD}<"${cert_list[2]}"
+ export PARABOLAISO_TLSCA_FD
+ fi
+
+ # Install the qemu-arm-static binary
 if [[ "${arch}" == "armv7h" ]] && ! setarch armv7l /bin/true 2>/dev/null; then
 # Make sure that qemu-static is set up with binfmt_misc
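Review bot: The `[[ -v gpg_publickey ]]` gate before `exec {PARABOLAISO_GNUPG_FD}<"$gpg_publickey"` only tests that the variable is set, but `_export_gpg_publickey` (last hunk of this file) assigns `gpg_publickey` before `gpg --export` and its `-s` check run, so after a failed export the variable is still set and the `exec` is attempted on a missing or empty file; a failing `exec` redirection aborts a non-interactive bash without the script's own error message. Unless the caller of `_export_gpg_publickey` already stops on its non-zero return (not visible here), make the variable reflect success in that function: `gpg --batch --no-armor --output "$gpg_publickey" --export "${gpg_key}" || { unset gpg_publickey; return 1; }` followed by `[[ -s "$gpg_publickey" ]] || { unset gpg_publickey; return 1; }`. That also catches gpg exiting non-zero, which the new code never checks. Both `_make_packages` and `_cleanup_pacstrap_dir` start outside their hunks.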
@@ -378,20 +393,6 @@ _make_packages() {
 install -m 0755 -- /usr/bin/qemu-arm-static "${pacstrap_dir}/usr/bin"
 fi
- if [[ -n "${gpg_key}" ]]; then
- exec {PARABOLAISO_GNUPG_FD}<>"${work_dir}/pubkey.gpg"
- export PARABOLAISO_GNUPG_FD
- fi
- if [[ -v cert_list[0] ]]; then
- exec {PARABOLAISO_TLS_FD}<>"${cert_list[0]}"
- export PARABOLAISO_TLS_FD
- fi
- if [[ -v cert_list[2] ]]; then
- exec {PARABOLAISO_TLSCA_FD}<>"${cert_list[2]}"
- export PARABOLAISO_TLSCA_FD
- fi
-
-
 # Unset TMPDIR to work around https://bugs.archlinux.org/task/70580
 if [[ "${quiet}" = "y" ]]; then
 env -u TMPDIR pacstrap -C "${work_dir}/${buildmode}.pacman.conf.${arch}" -c -G -M -- "${pacstrap_dir}" "${buildmode_pkg_list[@]}" "${buildmode_pkg_list_arch[@]}" &> /dev/null
@@ -399,6 +400,11 @@ _make_packages() {
 env -u TMPDIR pacstrap -C "${work_dir}/${buildmode}.pacman.conf.${arch}" -c -G -M -- "${pacstrap_dir}" "${buildmode_pkg_list[@]}" "${buildmode_pkg_list_arch[@]}"
 fi
+ # Delete the qemu-arm-static binary
+ if [[ "${arch}" == "armv7h" ]] && ! setarch armv7l /bin/true 2>/dev/null; then
+ rm -f -- "${pacstrap_dir}/usr/bin/qemu-arm-static"
+ fi
+
 if [[ -v cert_list[0] ]]; then
 exec {PARABOLAISO_TLS_FD}<&-
 unset PARABOLAISO_TLS_FD
@@ -407,16 +413,11 @@ _make_packages() {
 exec {PARABOLAISO_TLSCA_FD}<&-
 unset PARABOLAISO_TLSCA_FD
 fi
- if [[ -n "${gpg_key}" ]]; then
+ if [[ -v gpg_publickey ]]; then
 exec {PARABOLAISO_GNUPG_FD}<&-
 unset PARABOLAISO_GNUPG_FD
 fi
- # Delete the qemu-arm-static binary
- if [[ "${arch}" == "armv7h" ]] && ! setarch armv7l /bin/true 2>/dev/null; then
- rm -f -- "${pacstrap_dir}/usr/bin/qemu-arm-static"
- fi
-
 _msg_info "Done! Packages installed successfully."
 }
@@ -737,6 +738,13 @@ _make_bootmode_uefi-x64.grub.esp() {
 mcopy -i "${efibootimg}" "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ::/shellx64.efi
 fi
+ # Add other aditional/extra files to ${install_dir}/boot/
+ if [[ -e "${pacstrap_dir}/boot/memtest86+/memtest.efi" ]]; then
+ install -d -m 0755 -- "${isofs_dir}/boot/memtest86+/"
+ install -m 0644 -- "${pacstrap_dir}/boot/memtest86+/memtest.efi" "${isofs_dir}/boot/memtest86+/memtest.efi"
+ install -m 0644 -- "${pacstrap_dir}/usr/share/licenses/common/GPL2/license.txt" "${isofs_dir}/boot/memtest86+/"
+ fi
+
 _msg_info "Done! GRUB set up for UEFI booting successfully."
 }
@@ -1016,6 +1024,10 @@ _validate_requirements_bootmode_uefi-x64.grub.esp() {
 if [[ ! " ${pkg_list[*]} " =~ ' edk2-shell ' ]]; then
 _msg_info "'edk2-shell' is not in the package list. The ISO will not contain a bootable UEFI shell."
 fi
+ # shellcheck disable=SC2076
+ if [[ ! " ${pkg_list[*]} " =~ ' memtest86+-efi ' ]]; then
+ _msg_info "Validating '${bootmode}': 'memtest86+-efi' is not in the package list. Memory testing will not be available from GRUB."
+ fi
 }
 _validate_requirements_bootmode_uefi-x64.grub.eltorito() {
@@ -1596,7 +1608,7 @@ _read_profile() {
 # Validate set options
 _validate_options() {
- local validation_error=0 _buildmode
+ local validation_error=0 _buildmode certfile
 _msg_info "Validating options..."
 # Check if pacman configuration file exists
@@ -1605,6 +1617,14 @@ _validate_options() {
 _msg_error "File '${pacman_conf}' does not exist." 0
 fi
+ # Check if the code signing certificate files exist
+ for certfile in "${cert_list[@]}"; do
+ if [[ ! -e "$certfile" ]]; then
+ (( validation_error=validation_error+1 ))
+ _msg_error "Code signing certificate '${certfile}' does not exist." 0
+ fi
+ done
+
 # Check if the specified buildmodes are supported
 for _buildmode in "${buildmodes[@]}"; do
 if typeset -f "_build_buildmode_${_buildmode}" &> /dev/null; then
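Review bot: The new certificate loop in `_validate_options` tests `[[ ! -e "$certfile" ]]`, but the same files are later opened read-only with `exec {PARABOLAISO_TLS_FD}<` / `exec {PARABOLAISO_TLSCA_FD}<` in `_make_packages`, so a certificate that exists but is unreadable passes validation and only fails once pacstrap is about to run; `[[ ! -r "$certfile" ]]` with the message `Code signing certificate '${certfile}' does not exist or is not readable.` is the check that matches the later use. In the `_make_bootmode_uefi-x64.grub.esp` hunk the GPL2 `license.txt` install runs unconditionally once `memtest.efi` is present, so if that licence file is missing the `install` fails after the binary was already copied; guard it with its own `[[ -e … ]]` or document that the package providing it is required. The comment there also reads `aditional` for `additional` and names `${install_dir}/boot/` while the code writes to `${isofs_dir}/boot/memtest86+/`. All four functions touched on this line start outside their hunks.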
@@ -1687,8 +1707,10 @@ _set_overrides() {
 }
 _export_gpg_publickey() {
- rm -f -- "${work_dir}/pubkey.gpg"
- gpg --batch --no-armor --output "${work_dir}/pubkey.gpg" --export "${gpg_key}"
+ gpg_publickey="${work_dir}/pubkey.gpg"
+ rm -f -- "$gpg_publickey"
+ gpg --batch --no-armor --output "$gpg_publickey" --export "${gpg_key}"
+ [[ -s "$gpg_publickey" ]] || return
 }
 _make_version() { |