From 14afe7ce9b71560e2edd26ac78bba32145c0b593 Mon Sep 17 00:00:00 2001 From: Julian Stecklina Date: Sat, 10 Feb 2024 20:52:22 +0100 Subject: [PATCH 1/2] tests: check whether our UKIs are recognized
---
 nix/tests/lanzaboote.nix | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/nix/tests/lanzaboote.nix b/nix/tests/lanzaboote.nix
index 2989606..3af78f5 100644
--- a/nix/tests/lanzaboote.nix
+++ b/nix/tests/lanzaboote.nix
@@ -202,6 +202,10 @@ in
 testScript = ''
 machine.start()
 assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
+
+ # We want systemd to recognize our PE binaries as true UKIs. systemd has
+ # become more picky in the past, so make sure.
+ assert "Kernel Type: uki" in machine.succeed("bootctl kernel-inspect /boot/EFI/Linux/nixos-generation-1-*.efi")
 '';
 };

From 5de0b3e54a05aaf0faa3ab42fea5ac09008109aa Mon Sep 17 00:00:00 2001 From: Julian Stecklina Date: Sat, 10 Feb 2024 20:53:15 +0100 Subject: [PATCH 2/2] stub: rename sections for UKI compatibility systemd 255 is stricter in what it considers UKIs. It demands .linux and .initrd sections. Rename our sections that contain the respective filenames to match these names.
---
 rust/tool/shared/src/pe.rs | 6 +++--- rust/tool/systemd/src/install.rs | 4 ++-- rust/uefi/stub/src/thin.rs | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rust/tool/shared/src/pe.rs b/rust/tool/shared/src/pe.rs
index 3333c61..ff0c37f 100644
--- a/rust/tool/shared/src/pe.rs
+++ b/rust/tool/shared/src/pe.rs
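Review bot: The comment added in the nix/tests/lanzaboote.nix hunk only says systemd "has become more picky in the past", which leaves a later reader guessing what the `Kernel Type: uki` assertion guards against. The second commit in this series states the actual requirement, so the comment could carry it: `# systemd 255 only treats a PE binary as a UKI if it has .linux and .initrd sections.` It would also help to say that this line checks bootctl's classification only and says nothing about whether the stub enforces the embedded kernel and initrd hashes.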
@@ -47,10 +47,10 @@ pub fn lanzaboote_image(
 let sections = vec![
 s(".osrel", os_release, os_release_offs),
 s(".cmdline", kernel_cmdline_file, kernel_cmdline_offs),
- s(".initrdp", initrd_path_file, initrd_path_offs),
- s(".kernelp", kernel_path_file, kernel_path_offs),
+ s(".initrd", initrd_path_file, initrd_path_offs),
+ s(".linux", kernel_path_file, kernel_path_offs),
 s(".initrdh", initrd_hash_file, initrd_hash_offs),
- s(".kernelh", kernel_hash_file, kernel_hash_offs),
+ s(".linuxh", kernel_hash_file, kernel_hash_offs),
 ];

 let image_path = tempdir.path().join(tmpname());
diff --git a/rust/tool/systemd/src/install.rs b/rust/tool/systemd/src/install.rs
index a40dca4..ef9e5cc 100644
--- a/rust/tool/systemd/src/install.rs
+++ b/rust/tool/systemd/src/install.rs
@@ -271,11 +271,11 @@ impl Installer {
 let stub = fs::read(&stub_target)?;
 let kernel_path = resolve_efi_path(
 &self.esp_paths.esp,
- pe::read_section_data(&stub, ".kernelp").context("Missing kernel path.")?,
+ pe::read_section_data(&stub, ".linux").context("Missing kernel path.")?,
 )?;
 let initrd_path = resolve_efi_path(
 &self.esp_paths.esp,
- pe::read_section_data(&stub, ".initrdp").context("Missing initrd path.")?,
+ pe::read_section_data(&stub, ".initrd").context("Missing initrd path.")?,
 )?;

 if !kernel_path.exists() && !initrd_path.exists() {
diff --git a/rust/uefi/stub/src/thin.rs b/rust/uefi/stub/src/thin.rs
index bf91c5e..f83e65a 100644
--- a/rust/uefi/stub/src/thin.rs
+++ b/rust/uefi/stub/src/thin.rs
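Review bot: After the rename in the rust/tool/shared/src/pe.rs hunk, `.linux` and `.initrd` are filled from `kernel_path_file` and `initrd_path_file`, so they carry file paths rather than the kernel and initrd images those section names conventionally hold, and nothing in the code records that. Tooling that inspects or measures these sections by name will presumably see a short path string instead of the payload, which matters to anyone reasoning about what a signature or measurement of the image actually covers. A comment above the `vec!` would make the contract explicit, e.g. `// .linux/.initrd hold file paths here, not images; the matching hashes are in .linuxh/.initrdh.` The same comment belongs on `EmbeddedConfiguration::new` in rust/uefi/stub/src/thin.rs. `lanzaboote_image` starts and ends outside the hunk.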
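Review bot: In the rust/tool/systemd/src/install.rs hunk, a stub that was written to the ESP before this rename has `.kernelp`/`.initrdp` and no `.linux`/`.initrd`, so if `stub_target` can point at such a file both lookups now fail with "Missing kernel path." or "Missing initrd path.". Should this code run for previously installed generations, an upgrade would error out or require every old stub to be rewritten and re-signed. A fallback keeps old images readable, e.g. `pe::read_section_data(&stub, ".linux").or_else(|| pe::read_section_data(&stub, ".kernelp"))` (assuming the helper returns an `Option`), and likewise for `.initrd`/`.initrdp`. The enclosing method of `impl Installer` begins and ends outside the hunk, so whether old stubs reach it cannot be confirmed from here.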
@@ -46,10 +46,10 @@ fn extract_hash(pe_data: &[u8], section: &str) -> Result {
 impl EmbeddedConfiguration {
 fn new(file_data: &[u8]) -> Result {
 Ok(Self {
- kernel_filename: extract_string(file_data, ".kernelp")?,
- kernel_hash: extract_hash(file_data, ".kernelh")?,
+ kernel_filename: extract_string(file_data, ".linux")?,
+ kernel_hash: extract_hash(file_data, ".linuxh")?,

- initrd_filename: extract_string(file_data, ".initrdp")?,
+ initrd_filename: extract_string(file_data, ".initrd")?,
 initrd_hash: extract_hash(file_data, ".initrdh")?,

 cmdline: extract_string(file_data, ".cmdline")?,
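Review bot: The section names in `EmbeddedConfiguration::new` are bare string literals that also appear in pe.rs and install.rs, and this commit had to change all three files in lockstep. A name that drifts between the image builder and the stub would only surface as a failed lookup at install or boot time. Named constants beside `EmbeddedConfiguration`, for example `const SECTION_KERNEL_PATH: &str = ".linux";` and `const SECTION_KERNEL_HASH: &str = ".linuxh";`, would make the on-disk contract visible in one place; whether they can be shared with the tool crate depends on the crate layout, which the diff does not show. `new` continues past the end of the hunk.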