lanzatool: add support for generations and correct naming of kernels a… (#12)

* lanzatool: add support for generations and correct naming of kerels and initrds

* test: use convert_to_esp(extract_bspec_attr(⋅)) for unsigned tests

* lanzatool: ryan is a B class engineer

Co-authored-by: nikstur@outlook.com

flake.nix

@@ -139,7 +139,6 @@
 
             machine.start()
             bootspec = json.loads(machine.succeed("cat /run/current-system/bootspec/boot.v1.json"))
-            print(machine.succeed("ls /boot/EFI/nixos"))
             src_path = ${path.src}
             dst_path = ${path.dst}
             machine.succeed(f"cp -rf {src_path} {dst_path}")
@@ -187,14 +186,14 @@
           name = "unsigned-initrd-do-not-boot-under-secureboot";
           path = {
             src = "extract_bspec_attr('initrd')";
-            dst = "\"/boot/EFI/nixos/initrd\"";
+            dst = "convert_to_esp(extract_bspec_attr('initrd'))";
           };
         };
         is-kernel-secured = mkUnsignedTest {
           name = "unsigned-kernel-do-not-boot-under-secureboot";
           path = {
             src = "extract_bspec_attr('kernel')";
-            dst = "\"/boot/EFI/nixos/kernel\"";
+            dst = "convert_to_esp(extract_bspec_attr('kernel'))";
           };
         };
 

nix/lanzaboote.nix

@@ -45,7 +45,7 @@ in
             cp -r ${cfg.pkiBundle}/* /tmp/pki
             ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
           ''}
-        ${cfg.package}/bin/lanzatool install --pki-bundle ${cfg.pkiBundle} --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile} "$@"
+        ${cfg.package}/bin/lanzatool install --pki-bundle ${cfg.pkiBundle} --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile} "$@" /nix/var/nix/profiles/system-*-link
       ''}/bin/bootinstall";
       # ${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--auto-enroll"} --pki-bundle ${cfg.pkiBundle}
     };

rust/lanzatool/src/cli.rs

@@ -32,6 +32,8 @@ pub enum Commands {
         auto_enroll: bool,
 
         bootspec: PathBuf,
+
+        generations: Vec<PathBuf>,
     },
 }
 
@@ -50,12 +52,14 @@ impl Commands {
                 pki_bundle,
                 auto_enroll,
                 bootspec,
+                generations,
             } => install(
                 &public_key,
                 &private_key,
-                pki_bundle,
+                &pki_bundle,
                 auto_enroll,
                 &bootspec,
+                generations,
             ),
         }
     }
@@ -64,9 +68,10 @@ impl Commands {
 fn install(
     public_key: &Path,
     private_key: &Path,
-    pki_bundle: Option<PathBuf>,
+    pki_bundle: &Option<PathBuf>,
     auto_enroll: bool,
     bootspec: &Path,
+    generations: Vec<PathBuf>,
 ) -> Result<()> {
     let lanzaboote_stub =
         std::env::var("LANZABOOTE_STUB").context("Failed to read LANZABOOTE_STUB env variable")?;
@@ -79,6 +84,7 @@ fn install(
         pki_bundle,
         auto_enroll,
         bootspec,
+        generations,
         Path::new(&lanzaboote_stub),
         Path::new(&initrd_stub),
     )

rust/lanzatool/src/esp.rs

@@ -1,5 +1,8 @@
+use anyhow::{Context, Result};
 use std::path::{Path, PathBuf};
 
+use crate::bootspec::Bootspec;
+
 pub struct EspPaths {
     pub esp: PathBuf,
     pub nixos: PathBuf,
@@ -14,24 +17,48 @@ pub struct EspPaths {
 }
 
 impl EspPaths {
-    pub fn new(esp: &str) -> Self {
+    pub fn new(esp: &str, generation: u64, bootspec: &Bootspec) -> Result<Self> {
         let esp = Path::new(esp);
         let esp_nixos = esp.join("EFI/nixos");
         let esp_linux = esp.join("EFI/Linux");
         let esp_systemd = esp.join("EFI/systemd");
         let esp_efi_fallback_dir = esp.join("EFI/BOOT");
 
-        Self {
+        Ok(Self {
             esp: esp.to_owned(),
             nixos: esp_nixos.clone(),
-            kernel: esp_nixos.join("kernel"),
+            kernel: esp_nixos.join(nixos_path(&bootspec.kernel, "bzImage")?),
-            initrd: esp_nixos.join("initrd"),
+            initrd: esp_nixos.join(nixos_path(&bootspec.initrd, "initrd")?),
             linux: esp_linux.clone(),
-            lanzaboote_image: esp_linux.join("lanzaboote-image.efi"),
+            lanzaboote_image: esp_linux.join(generation_path(generation)),
             efi_fallback_dir: esp_efi_fallback_dir.clone(),
             efi_fallback: esp_efi_fallback_dir.join("BOOTX64.EFI"),
             systemd: esp_systemd.clone(),
             systemd_boot: esp_systemd.join("systemd-bootx64.efi"),
+        })
     }
 }
+
+fn nixos_path(path: impl AsRef<Path>, name: &str) -> Result<PathBuf> {
+    let resolved = path.as_ref().read_link().unwrap_or(path.as_ref().into());
+
+    let parent = resolved.parent().ok_or(anyhow::anyhow!(format!(
+        "Path: {} does not have a parent",
+        resolved.display()
+    )))?;
+
+    let without_store = parent.strip_prefix("/nix/store").with_context(|| {
+        format!(
+            "Failed to strip /nix/store from path {}",
+            path.as_ref().display()
+        )
+    })?;
+
+    let nixos_filename = format!("{}-{}.efi", without_store.display(), name);
+
+    Ok(PathBuf::from(nixos_filename))
+}
+
+fn generation_path(generation: u64) -> PathBuf {
+    PathBuf::from(format!("nixos-generation-{}.efi", generation))
 }

rust/lanzatool/src/install.rs

@@ -17,7 +17,61 @@ use std::process::Command;
 pub fn install(
     public_key: &Path,
     private_key: &Path,
-    _pki_bundle: Option<PathBuf>,
+    pki_bundle: &Option<PathBuf>,
+    auto_enroll: bool,
+    bootspec: &Path,
+    generations: Vec<PathBuf>,
+    lanzaboote_stub: &Path,
+    initrd_stub: &Path,
+) -> Result<()> {
+    for generation in generations {
+        let generation_version = extract_generation_version(&generation).with_context(|| {
+            format!(
+                "Failed to extract generation version from generation: {}",
+                generation.display()
+            )
+        })?;
+
+        println!("Installing generation {generation_version}");
+
+        install_generation(
+            generation_version,
+            public_key,
+            private_key,
+            pki_bundle,
+            auto_enroll,
+            bootspec,
+            lanzaboote_stub,
+            initrd_stub,
+        )?;
+    }
+
+    Ok(())
+}
+
+fn extract_generation_version(path: impl AsRef<Path>) -> Result<u64> {
+    let file_name = path.as_ref().file_name().ok_or(anyhow::anyhow!(
+        "Failed to extract file name from generation"
+    ))?;
+    let file_name_str = file_name
+        .to_str()
+        .with_context(|| "Failed to convert file name of generation to string")?;
+
+    let generation_version = file_name_str
+        .split("-")
+        .nth(1)
+        .ok_or(anyhow::anyhow!("Failed to extract version from generation"))?;
+
+    Ok(generation_version
+        .parse()
+        .with_context(|| format!("Failed to parse generation version: {}", generation_version))?)
+}
+
+fn install_generation(
+    generation: u64,
+    public_key: &Path,
+    private_key: &Path,
+    _pki_bundle: &Option<PathBuf>,
     _auto_enroll: bool,
     bootspec: &Path,
     lanzaboote_stub: &Path,
@@ -29,7 +83,7 @@ pub fn install(
         serde_json::from_slice(&fs::read(bootspec).context("Failed to read bootspec file")?)
             .context("Failed to parse bootspec json")?;
 
-    let esp_paths = EspPaths::new(&bootspec_doc.extension.esp);
+    let esp_paths = EspPaths::new(&bootspec_doc.extension.esp, generation, &bootspec_doc)?;
 
     println!("Assembling lanzaboote image...");