min
/
lanzaboote
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #302 from nix-community/uki-issues 

UKI Compatibility for systemd 255
This commit is contained in:
nikstur 2024-02-12 22:40:17 +00:00 committed by GitHub
parent 71fb51225c 5de0b3e54a
commit 96181a4667
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nix/tests/lanzaboote.nix
View File

@ -202,6 +202,10 @@ in
testScript = '' testScript = ''
machine.start() machine.start()
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
# We want systemd to recognize our PE binaries as true UKIs. systemd has
# become more picky in the past, so make sure.
assert "Kernel Type: uki" in machine.succeed("bootctl kernel-inspect /boot/EFI/Linux/nixos-generation-1-*.efi")
''; '';
}; };

6
rust/tool/shared/src/pe.rs
View File

@ -47,10 +47,10 @@ pub fn lanzaboote_image(
let sections = vec![ let sections = vec![
s(".osrel", os_release, os_release_offs), s(".osrel", os_release, os_release_offs),
s(".cmdline", kernel_cmdline_file, kernel_cmdline_offs), s(".cmdline", kernel_cmdline_file, kernel_cmdline_offs),
s(".initrdp", initrd_path_file, initrd_path_offs), s(".initrd", initrd_path_file, initrd_path_offs),
s(".kernelp", kernel_path_file, kernel_path_offs), s(".linux", kernel_path_file, kernel_path_offs),
s(".initrdh", initrd_hash_file, initrd_hash_offs), s(".initrdh", initrd_hash_file, initrd_hash_offs),
s(".kernelh", kernel_hash_file, kernel_hash_offs), s(".linuxh", kernel_hash_file, kernel_hash_offs),
]; ];
let image_path = tempdir.path().join(tmpname()); let image_path = tempdir.path().join(tmpname());

4
rust/tool/systemd/src/install.rs
View File

@ -271,11 +271,11 @@ impl Installer {
let stub = fs::read(&stub_target)?; let stub = fs::read(&stub_target)?;
let kernel_path = resolve_efi_path( let kernel_path = resolve_efi_path(
&self.esp_paths.esp, &self.esp_paths.esp,
pe::read_section_data(&stub, ".kernelp").context("Missing kernel path.")?, pe::read_section_data(&stub, ".linux").context("Missing kernel path.")?,
)?; )?;
let initrd_path = resolve_efi_path( let initrd_path = resolve_efi_path(
&self.esp_paths.esp, &self.esp_paths.esp,
pe::read_section_data(&stub, ".initrdp").context("Missing initrd path.")?, pe::read_section_data(&stub, ".initrd").context("Missing initrd path.")?,
)?; )?;
if !kernel_path.exists() && !initrd_path.exists() { if !kernel_path.exists() && !initrd_path.exists() {

6
rust/uefi/stub/src/thin.rs
View File

@ -46,10 +46,10 @@ fn extract_hash(pe_data: &[u8], section: &str) -> Result<Hash> {
impl EmbeddedConfiguration { impl EmbeddedConfiguration {
fn new(file_data: &[u8]) -> Result<Self> { fn new(file_data: &[u8]) -> Result<Self> {
Ok(Self { Ok(Self {
kernel_filename: extract_string(file_data, ".kernelp")?, kernel_filename: extract_string(file_data, ".linux")?,
kernel_hash: extract_hash(file_data, ".kernelh")?, kernel_hash: extract_hash(file_data, ".linuxh")?,
initrd_filename: extract_string(file_data, ".initrdp")?, initrd_filename: extract_string(file_data, ".initrd")?,
initrd_hash: extract_hash(file_data, ".initrdh")?, initrd_hash: extract_hash(file_data, ".initrdh")?,
cmdline: extract_string(file_data, ".cmdline")?, cmdline: extract_string(file_data, ".cmdline")?,