Commit Graph

551 Commits

Author SHA1 Message Date
Alois Wohlschlager ca070a9eec
tool: make stubs input-addressed
The stubs on the ESP are now input-addressed, where the inputs are the
system toplevel and the public key used for signature. This way, it is
guaranteed that any stub at a given path will boot the desired system,
even in the presence of one of the two edge-cases where it was not
previously guaranteed:
* The latest generation was deleted at one point, and its generation
  number was reused by a different system configuration. This is
  detected because the toplevel will change.
* The secure boot signing key was rotated, so old stubs would not boot
  at all any more. This is detected because the public key will change.

Avoiding these two cases will allow to skip reinstallation of stubs that
are already in place at the correct path.
2023-10-03 22:08:10 +02:00
Alois Wohlschlager 240914d763
tool: make kernels and initrds content-addressed
Kernels and initrds on the ESP are now content-addressed. By definition,
it is impossible for two different kernels or initrds to ever end up at
the same place, even in the presence of changing initrd secrets or other
unreproducibility.

The basic advantage of this is that installing the kernel or initrd for
a generation can never break another generation. In turn, this enables
the following two improvements:
* All generations can be installed independently. In particular, the
  installation can be performed in one pass, one generation at a time.
  As a result, the code is significantly simplified, and memory usage
  (due to the temporary files) does not grow with the number of
  generations any more.
* Generations that already have their files in place on the ESP do not
  need to be reinstalled. This will be taken advantage of in a
  subsequent commit.
2023-10-03 22:08:03 +02:00
nikstur bccf7738d5
Merge pull request #233 from alois31/troubleshooting-docs
docs: Add troubleshooting documentation
2023-10-03 22:06:18 +02:00
Alois Wohlschlager 7b4d1250b7
docs: Add troubleshooting documentation
Running out of space on the ESP is an error that commonly happens.
Document how to proceed in this case.

Furthermore, in case the ESP gets corrupted, the system needs to be
recovered. Document how to do this.
2023-10-03 21:08:12 +02:00
Ryan Lahfa 8154cef11c
Merge pull request #230 from nix-community/ukify 2023-09-29 23:00:32 +02:00
Ryan Lahfa 9d1f7603ab
Merge pull request #231 from SuperSandro2000/fix-eval-no-aliases 2023-09-29 22:36:22 +02:00
Sandro Jäckel d5e6d91b4f
Fix eval in flakes when aliases are disabled 2023-09-29 22:31:47 +02:00
Raito Bezarius a55db483fb nix/modules/uki: fix ukify build
Previously, we were not on recent enough nixpkgs to see the new `withBootloader` flag
which is required to build ukify.

Fixes the test.
2023-09-29 20:07:42 +02:00
Ryan Lahfa 644dc8a269
Merge pull request #31 from nix-community/aarch64 2023-09-29 02:41:12 +02:00
Raito Bezarius 7951cbc668 flake: bump to get systemd v254
With systemd v254, we get valid AA64 EFI binaries from systemd!
2023-09-29 02:40:26 +02:00
Raito Bezarius 976faf9bf5 flake: use proper uefi target in general
Remove the x86_64 hardcoding.
2023-09-14 16:55:18 +02:00
nikstur 0b5ce324d7 tool: clean up a few minor details 2023-09-14 16:35:53 +02:00
nikstur 3bf55f92b8 test: clean up a few minor details 2023-09-14 16:35:53 +02:00
Raito Bezarius f81c30d7d9 module: use kernel package hostPlatform if nixpkgs.hostPlatform is not available
Sometimes, it is not…
2023-09-14 16:35:53 +02:00
Raito Bezarius 1330292008 tool/systemd: make clippy happy I guess 2023-09-14 16:35:53 +02:00
Raito Bezarius 0107754d62 tool(architecture): make it generic
Architecture is now a generic structure that can be specialized
via an "external" trait for generating the paths you care about
depending on your target bootloader.
2023-09-14 16:35:53 +02:00
Raito Bezarius 609c11f26d tool(systemd-boot): install it once instead of checking for each generation
systemd-boot is now installed once for many generations rather than multiple times.

This means it is not really possible to manage different system in the same "machine", which is a very
obscure usecase, theoretically possible, but not yet encountered.
2023-09-14 16:35:53 +02:00
Raito Bezarius e5c1d74e3f tool: introduce --target-system to choose target architecture
We will hard fail in case of encountering different architectures in bootspec.
This should still be compatible with cross-compiling systems in the future.
2023-09-14 16:35:53 +02:00
Raito Bezarius acc4c2e0a1 tool(tests): use library to use the "target architecture" properly in tests 2023-09-14 16:35:53 +02:00
Raito Bezarius 7a6c9945b8 tool: introduce a library 2023-09-14 16:35:53 +02:00
Raito Bezarius 9af0e56527 tool(esp): add systemd stub filenames mapping for systems 2023-09-14 16:35:53 +02:00
Raito Bezarius 7acb1b218a tool: implement general architecture support - for aarch64, x86 for now 2023-09-14 16:35:53 +02:00
Raito Bezarius 4521ae21fc platform: clean up flake.nix for aarch64 support 2023-09-14 16:35:53 +02:00
Raito Bezarius 18771d30f4 lanzaboote: add aarch64-unknown-efi target 2023-09-14 16:35:53 +02:00
Ryan Lahfa 7f92dd1e7b
Merge pull request #224 from nix-community/stub-remove-tpm1
stub: remove TPM 1 support
2023-09-14 13:26:25 +00:00
nikstur 3dab5531b1 stub: remove TPM 1 support
TPM 1 will not be supported by newer systemd versions and is not widely
available anyways.
2023-09-14 15:04:53 +02:00
Ryan Lahfa 1255f8fc49
Merge pull request #223 from nix-community/flake-remove-substituters
flake: remove nixConfig
2023-09-14 11:10:07 +00:00
nikstur 8c6ef1f190 flake: remove nixConfig
nixConfig is not a nice abstraction because it imperatively changes your
system. However this also does not work correctly without extra changes
to your system (i.e. your NixOS configuration). Thus it is removed.
2023-09-14 12:55:12 +02:00
nikstur 45b529ca58
Merge pull request #206 from nix-community/generic-lzbt
lzbt: abstraction for multiple backends
2023-09-14 10:45:27 +00:00
nikstur ff442cd032 tool: introduce some more whitespace 2023-09-14 12:38:40 +02:00
nikstur 143a000f36 tool: separates use statements correctly with whitespace 2023-09-14 12:36:02 +02:00
nikstur baf2f5f6bb tool: use workspace values in Cargo.toml 2023-09-14 12:35:42 +02:00
nikstur efd8c50214 tool: remove superfluous lock file 2023-09-14 12:29:54 +02:00
Raito Bezarius 726524d2d7 readme: update about lzbt
Explains what is the backend.
2023-09-14 11:57:48 +02:00
Raito Bezarius f9cb4257c7 flake: fix lanzaboote-tool → lzbt-systemd
As we moved to abstraction for backends, we have to update our flake code
2023-09-14 11:55:09 +02:00
Raito Bezarius eba963b6f1 tool/shared: make clippy happy
- implements a trivial Default for Roots
- implements a FromStr for OsRelease
2023-09-14 11:55:09 +02:00
Raito Bezarius fd188a0e32 tool/shared: make constraints less concrete and drop lockfile
In a library, a lockfile is not really needed per se
and we should avoid creating duplicate dependencies
as much as possible.
2023-09-14 11:55:09 +02:00
Raito Bezarius 923567d08a systemd-tool: make integration test pass 2023-09-14 11:55:09 +02:00
Raito Bezarius 8029449cba tool: split systemd into a new crate and make tool into a lib-only crate
This is necessary to make integration testing specific to the backend.
2023-09-14 11:55:09 +02:00
Raito Bezarius efe7b40f5c lzbt: abstraction for multiple backends
This generates `lzbt-systemd` binary instead of `lzbt`
which is using a special systemd-specific entrypoint.

This is part of the effort to enable multiple backends.
2023-09-14 11:55:09 +02:00
nikstur 7ef2b13780
Merge pull request #222 from nix-community/fix-flake-description
flake: use an appropriate description
2023-09-14 09:24:04 +00:00
nikstur 0c7606cd18 flake: use an appropriate description 2023-09-14 11:22:22 +02:00
nikstur 07c78bd84f
Merge pull request #214 from tuxiqae/patch-1
docs: Add hyperlinks to lzbt, stub file locations instead of static paths
2023-09-14 11:10:10 +02:00
Sagi Sarussi e766f36441 Fix lzbt, stub path links 2023-09-14 11:08:45 +02:00
Ryan Lahfa 3dc8778c32
Merge pull request #215 from nix-community/linux-bootloader-crate
stub: split up into a linux-bootloader crate
2023-09-13 16:43:16 +00:00
nikstur 83f4376929 uefi: move uefi code to separate workspace 2023-09-13 17:46:05 +02:00
Raito Bezarius 64f1760944 flake: add cargo-machete to machete the unused crates in our Cargo.toml
Useful for the previous split up.
2023-09-13 17:43:35 +02:00
Raito Bezarius 51d9c1dff8 stub: split up into a linux-bootloader crate
We introduce `linux-bootloader` a crate made to build Rust-based Linux-oriented bootloaders.

It follows systemd/UAPI group and semantics as much as possible, e.g. BLS/loader capabilities/stub capabilities.
2023-09-13 17:43:35 +02:00
Ryan Lahfa 9a9b09628b
Merge pull request #219 from tilpner/syncfs
tool: only sync ESP filesystem
2023-09-13 14:58:58 +00:00
Ryan Lahfa 6d6cdf59b9
Merge pull request #218 from nix-community/get-crane-back 2023-08-25 16:14:52 +02:00