
Draft: Add experimental sysupdate image with secure boot

Valentin David requested to merge valentindavid/secure-boot-sysupdate into master

This is the previous approach, not using sysext for the devel tree. Please see !2220 (merged) instead.

Depends on:

Building and running a VM

To test, you need qemu-system-x86_64, swtpm and bst2:

./utils/run-secure-vm.sh

Updating with sysupdate

If you want to reset the VM with a fresh image, use --reset. If you want to clear the TPM and the secure boot keys, use --reset-secure-state.

In order to test an update:

./utils/run-sysupdate-repo.sh

This will rebuild a new version and serve it over HTTP. In the VM, type:

sudo /usr/lib/systemd/systemd-sysupdate update

Then reboot.

You can call run-sysupdate-repo.sh with --same-version if you do not want to bump the version and rebuild.

On bare-metal

Set up your machine with secure boot enabled, but in "setup mode". When the systemd-boot menu appears, the keys are sometimes not enrolled automatically. If the menu shows an option to enroll keys, choose that option before booting.

If you want to use sysupdate, edit the files in files/sysupdate/*.conf so that the update address points to the machine you will serve the updates from.

Switching to development tree

  • Run run-sysupdate-repo.sh with --devel (and optionally also --user).
  • In a console, type sudo /usr/lib/systemd/systemd-sysupdate --component=devel (with no action given, sysupdate lists the available versions).
  • It will find a candidate, for example su-devel-l.2.
  • Run sudo /usr/lib/systemd/systemd-sysupdate --component=devel update su-devel-l.2
  • Reboot and select the right boot entry.

After a successful boot, you can set it as the default boot entry with sudo bootctl set-default gnomeos_su-devel-l.2.efi. Note that this does not work before a successful boot, because of the naming scheme used for counting boot tries: until the boot has been marked good, the entry file still carries its tries-left counter suffix and therefore has a different name.

Note: for now we use a component to provide the sysupdate definitions. This might not be the right approach; we could change it to use --definitions=<path> instead.

Non-secure boot

It is possible to run run-sysupdate-repo.sh with --notpm to test without a TPM2 device.

To disable secure boot, select Reboot Into Firmware Interface in the systemd-boot menu. Then select Device Manager, then Secure Boot Configuration, and deselect Attempt Secure Boot. Exit and continue.

Expected behavior:

  • Secure boot + TPM2: Encryption
  • Secure boot + no TPM2: Failure
  • No secure boot + TPM2: No encryption (TPM2 ignored; we could enable encryption in this case)
  • No secure boot + no TPM2: No encryption
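As an added example (not part of this merge request), a POSIX shell script that reads the firmware state this matrix depends on and reports which row applies. It assumes the standard efivarfs mount at /sys/firmware/efi/efivars (the EFI global variable GUID is the well-known one) and the kernel's sysfs TPM interface; the state mapping itself is taken from the matrix above.

```shell
#!/bin/sh
# Classify secure boot / TPM2 state and print the behaviour expected by the matrix.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Value byte of a boolean UEFI variable. An efivarfs file is 4 bytes of
# attributes followed by the data, so skip 4 bytes and read exactly 1.
efivar_bool() {
    f="$EFIVARS/$1-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo unknown; return; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# 1 if the kernel exposes a TPM 2.0, else 0.
tpm2_present() {
    if [ -r /sys/class/tpm/tpm0/tpm_version_major ] &&
       [ "$(cat /sys/class/tpm/tpm0/tpm_version_major)" = 2 ]; then
        echo 1
    elif [ -c /dev/tpmrm0 ]; then
        echo 1
    else
        echo 0
    fi
}

# The matrix from the MR: $1 = secure boot (1/0), $2 = TPM2 (1/0).
expected_behaviour() {
    case "$1$2" in
        11) echo "encryption" ;;
        10) echo "failure" ;;
        01) echo "no encryption (TPM2 ignored)" ;;
        00) echo "no encryption" ;;
        *)  echo "unknown" ;;
    esac
}

report_boot_state() {
    sb=$(efivar_bool SecureBoot)
    setup=$(efivar_bool SetupMode)
    tpm=$(tpm2_present)
    # No efivarfs means no UEFI secure boot at all; treat it as disabled.
    [ "$sb" = unknown ] && sb=0
    echo "SecureBoot=$sb SetupMode=$setup TPM2=$tpm"
    # systemd-boot only offers to enroll keys while the firmware is in setup mode.
    [ "$setup" = 1 ] && echo "setup mode: expect an 'enroll keys' entry in systemd-boot"
    echo "expected: $(expected_behaviour "$sb" "$tpm")"
}

report_boot_state
```

Run it inside the VM (or on the bare-metal machine) before testing an update to confirm which row of the matrix you are actually exercising.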

Discoverable Disk Image

The output of systemd-dissect on the image is:

      Name: disk.img
      Size: 10.5G

OS Release: NAME=GNOME OS
            VERSION=Nightly
            VERSION_ID=Nightly
            ID=org.gnome.gnomeos
            PRETTY_NAME=GNOME OS (Nightly)
            BUG_REPORT_URL=https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/new
            HOME_URL=https://www.gnome.org/
            VARIANT=User (sysupdate)
            VARIANT_ID=su-user
            IMAGE_VERSION=l.1
            IMAGE_ID=user
            DEFAULT_HOSTNAME=gnomeos

    Use As: ✓ bootable system for UEFI
            ✓ bootable system for container
            ✗ portable service
            ✗ extension for system
            ✗ extension for initrd
            ✗ extension for portable service

RW DESIGNATOR PARTITION UUID                       PARTITION LABEL           FSTYPE         ARCHITECTURE VERITY GROWFS NODE          PARTNO
ro usr        cdf7145a-57ab-8da5-6bc1-f754cc485881 gnomeos_usr_su-user-l.1   squashfs       x86-64       no         no /dev/loop11p2 2
rw esp        e7edaab9-5aee-57c8-95bd-dbcaf44d138d efi                       vfat           -            -          no /dev/loop11p1 1
ro usr-verity 43f8e6c4-320f-b2d9-b472-f288dba8133e gnomeos_usr_v_su-user-l.1 DM_verity_hash x86-64       -          no /dev/loop11p3 3