Added new <environment> section to the existing <bootloadersettings>
section which allows to specify environment variables for setting
up an environment blob for the selected loader. With this commit
we add support for grub by using grub2-editenv. Other loaders
do not yet have an implementation or does not support environment
blobs. Settings will be ignored for unsupported loaders.
This Fixes#2922
Co-authored-by: Rhys Oxenham <rhys.oxenham@suse.com>
The early boot script and also the ISO template should only
set this option if the conditions to set it are met. Conditions
for this option are if btrfs is in use and a default subvolume
and/or a snapper based snapshot is requested by the image
description. This Fixes#2919
To run pvattest perform an attestation request binary as
well as the corresponding attestation key and the secure
execution header is required. This data should be created
as part of the image build. In this commit we are adding
support for creating the attestation data when building
a secure execution enabled image
A recent commit changed the way these are looked up and
accidentally broke image building on riscv64, with
KiwiBootLoaderGrubSecureBootError: Signed grub2 efi loader not found
now being raised for kiwi recipes that worked just fine
before that moment.
Fixes: 197572378c
Thanks: David Abdurachmanov <davidlt@rivosinc.com>
Thanks: Marcus Schäfer <marcus.schaefer@gmail.com>
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Add missing search path for shim binary on arm based SUSE
systems. Also update the tumbleweed/test-image-live-disk
integration test for arm to build with secure boot enabled
to actually test a secure boot enabled ISO build.
This Fixes#2842
Allow to lookup and included EFI binaries/modules for
multiple architectures. For testing the integration
test in rawhide/test-image-live-disk has been adapted
accordingly to install 32bit and 64bit EFI binaries.
This Fixes#2822
Add driver configuration support for dracut initrd
Add support for specifying kernel drivers to be included or omitted
in the dracut initrd configuration. This extends the existing dracut
configuration capabilities like in the following example
<initrd action="add">
<dracut driver="erofs"/>
</initrd>
In a btrfs based design, allow to put /boot as subvolume.
This required a small fix in the mount order in a way that
boot/efi gets mounted after the subvolume mounts are done.
The respective integration test has been updated to test
this functionality. This Fixes#2824
In addition to systemd_boot also add support for UKI creation
when grub is used. This includes the creation of a UKI image
via dracut in the same way as it's done for systemd_boot.
In addition an earlyboot grub script chainloads the UKI and
bypasses any written grub configuration. In Theory this should
also allow to use the shim loader for chainloading an UKI.
However I haven't done testing in this direction and I also
expect security issues with this approach because loading
any non signed data by shim is not expected to work. A new
profile named grub_uki_verity_erofs has been added to the
integration test that experiments with UKIs
Extend scope and content of the <initrd> section to be allowed
as part of the <type> section. This allows to specify custom
call options and modules for the dracut tool. In particular
this commit implementes support for passing the uefi option
to dracut to enable building an UKI EFI binary as follows:
<initrd action="setup">
<dracut uefi="true"/>
</initrd>
This Fixes#2809 and Fixes#2408
When building an image with overlayroot set to true and
activated verity data, the root= parameter must be
set to root=overlay:MAPPER=verityroot instead of the standard
overlay:PARTUUID mapping.
Copying the modules creates a situation where future updates
applied to a running system can cause GRUB to crash due to mixed
modules and GRUB EFI binaries.
It is not needed anyway since GRUB EFI binaries for Secure Boot have
all modules compiled into the binaries.
Fixes: https://github.com/OSInside/kiwi/issues/2790
If called on full read-only systems, log the information
that the files can't be modified but do not fail. On
such systems the expectation is that no fix code must
be applied and as such the fix function can be considered
an optional step.
When building an image with overlayroot set to true and
activated luks encryption, the root= parameter must be
set to root=overlay:MAPPER=luks instead of the standard
overlay:PARTUUID mapping. This Fixes#2776
Prior to this change, KIWI blindly synced the ESP directory into the
embedded ESP image. Depending on the distribution and packages included
for the created image, this can have undesirable side-effects.
For image builds that need some more fine-grained control over the
creation of the embedded ESP image (particularly for ISO images),
this change introduces the ability to inject an exclusion list
similar to what is used to filter out files for the root filesystem.
Fixes: https://github.com/OSInside/kiwi/issues/2008
Fixes: https://github.com/OSInside/kiwi/issues/2777
On ppc the CHRP loader name can vary between distributions.
This commit adds a search method to lookup different ELF
loader names. In addition an integration test image for
Fedora was added. This Fixes#2741
The list of modules used to create a grub platform image for
ppc was the same list as used for the x86 bios platform.
This commit fixes this and also cleans up the inconsistency
and misleading names used for creating platform specific
output. This Fixes#2738
Rename btrfs_root_is_snapshot to btrfs_root_is_snapper_snapshot.
This happens in preparation for the changes suggested in #2697
where we want to get rid of snapper specific btrfs code which
will be available in snapper natively soon. To make sure a btrfs
layout specific to snapper(and SUSE), the implicitly used attribute
named btrfs_root_is_snapshot now becomes explicit and its new
name will indicate that snapper sits behind it. Along with the
rename a XSLT stylesheet to automatically convert the old name
into the new name for schema v8.3 will be performed.
IBM SEL(Secure Execution for Linux) is supported for s390
KVM guests. SEL images used to start a confidential computing
protected guest contain an encrypted boot image which encapsulates
the kernel the initrd and the bootparams. The encrypted Image is
provided by the KVM/hypervisor to the Embedded zFirmware of the
system (the ultravisor device). The decryption keys are hardware
based and each system has an individual keypool unique to that
system. The root filesystem is LUKS encrypted with a random key
produced by kiwi at build time and kept inside of the initrd which
exists only inside of the encrypted boot image and the encrypted
rootfs to allow kernel updates. The commit to support secure
execution also comes with an integration test that provides
profiled image builds to target SUSE's LinuxONE as well
as IBM Cloud systems.
zipl gets confused with an active sysfs mount inside
the root tree at call time of zipl. This commit
umounts the /sys bind mount in the image tree prior
calling zipl
When using the plain zipl bootloader kiwi created a /etc/zipl.conf
file. However, this file was only useful during image build as it
points to a loop target device and geometry but does not represent
a proper config file to be used in the running system. In addition
the different distributors provides their own version and layout
of the zipl.conf to be used inside of the system and with their
respective tools. Thus this commit changes the way how kiwi operates
in a way that the zipl.conf used in the initial image only exists
during the image build process. An eventual present /etc/zipl.conf
will not be touched by kiwi. This Fixes#2597
Usually custom files are managed by placing them as overlay
files or archives. However, overlay files must be structured
inside of a root/ subdirectory and archive files are binary
data. It is therefore not straight forward to just reference
one or more files as source files to the image description
to be placed into the image. This commit adds a new <file>
element which allows to do this. This Fixes#1953
When kiwi calls the bootloader config and installation modules
several files gets created as unlabeled_t because the labeling
happened earlier. This commit ensures that setfiles gets called
after BootLoaderConfig and/or BootLoaderInstall has done its
job. This Fixes#2568
The strings command is used to lookup the in-efi binary encoded
vendor path. However, if the strings or bash command is not availabe
on the build host, the command silently failed and moved into the
standard (non vendored) EFI boot path. This can lead to a broken
boot for those distros and image targets which requires a vendor
directory and should lead to an error message instead of a
successful image build. This Fixes#2565
Since commit 8aa517eb7 it is necessary to call
_mount_device_and_volumes() prior making any modifications
to boot files. In addition handle potential errors
from the grub.cfg modification better.
The change to introduce the bls parameter broke backward compatibility
with all existing kiwi descriptions for distributions that default to BLS.
This fixes that by allowing the unset state to be equivalent to enabling it.
Fixes: 8a8190098c
Check if there is already an entry file name produced by the
distribution logic/policy. If we can find an already present
entry name, prefer this name over the kiwi naming policy
If no console setting is done in the image description for grub
the default output console is set to: gfxterm and the default
input console is set to: console. This Fixes bsc#1219074
In case no bootloader implementation by kiwi should be
used, users can specify the bootloader="custom" attribute.
Instead of skipping the bootloader stage in the builders
it is better to consistently create an instance of bootloader
but raise if a method of the bootloader interface is called
for which the custom bootloader has no implementation. This
commit adds the consistency bits.
Change the Disk class to be a context manager.
All code using Disk was updated to the following
with statement:
with Disk(...) as disk:
disk.some_member()
This is related to Issue #2412
