Add experimental sysupdate image with secure boot (development tree as sysext)
This is !2195 (closed), but with the development tree shipped as a sysext.
Depends on:
- !2190 (merged)
- https://github.com/systemd/systemd/pull/27925 (merged)
- https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/13400 (merged)
- https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/13419 (merged)
- https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/13418 (merged)
- https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/13541 (merged)
## Building and running a VM

To test you need `qemu-system-x86_64`, `swtpm` and `bst2`:

```
./utils/run-secure-vm.sh
```

If you want to reset the VM with a fresh image, use `--reset`. If you want to clear the TPM and the secure boot keys, use `--reset-secure-state`.
## Updating with sysupdate

In order to test updating:

```
./utils/run-sysupdate-repo.sh
```

This will rebuild a new version and serve it over HTTP. In the VM, type:

```
sudo /usr/lib/systemd/systemd-sysupdate update
```

Then reboot.

You can call `run-sysupdate-repo.sh` with `--same-version` if you do not want to bump the version and rebuild.
## Setting a recovery key

On first boot, `/run/recovery-password` will contain the key to both the home and root disks. You can use it to enroll a recovery key. After a reboot, this file is lost.

You can enroll a recovery key with:

```
sudo systemd-cryptenroll --unlock-key-file=/run/recovery-password --recovery-key /dev/disk/by-partlabel/root
```

Run the command also for `/dev/disk/by-partlabel/home`. Instead of a recovery key, you can also enroll a password by passing `--password` instead of `--recovery-key`.

After enrolling the key, you may remove the old recovery password with `--wipe-slot=0`.
## On bare-metal

Configure your machine for secure boot, but leave it in "setup mode". When the systemd-boot menu appears, the keys are sometimes not enrolled automatically. If the menu shows an option to enroll keys, choose that option before continuing.

If you need an installer, see the section "Installer image".

If you want to use sysupdate, edit the files in `files/sysupdate/*.conf` to change the address so that it points to the machine you will serve the updates from.
## Switching to development tree

- Run `run-sysupdate-repo.sh` with `--devel`.
- Run:
  ```
  sudo /usr/lib/systemd/systemd-sysupdate update
  sudo /usr/lib/systemd/systemd-sysupdate update --component=devel
  # sudo /usr/lib/systemd/systemd-sysupdate reboot
  ```
- Reboot

To update further, you first need to disable the devel tree with `sudo systemd-sysext unmerge`. Then update both trees. If you want to access the development tree again before rebooting, you can run `sudo systemd-sysext merge`.
## Non-secure boot

It is possible to run `run-sysupdate-repo.sh` with `--notpm` to test without a TPM2 device.

In order to disable secure boot, in the systemd-boot menu select `Reboot Into Firmware Interface`. Then select `Device Manager`, `Secure Boot Configuration`, and deselect `Attempt Secure Boot`. Exit and continue.

Expected behavior:

- Secure boot + TPM2: Encryption
- Secure boot + no TPM2: Failure
- No secure boot + TPM2: No encryption (TPM2 ignored; we could enable encryption)
- No secure boot + no TPM2: No encryption
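The matrix above can be verified on a booted system by reading the firmware state and comparing it with what the root partition actually shows. The script below is an added example, not part of this merge request or of gnome-build-meta; it assumes `cryptsetup` is available for the LUKS header check, and uses the standard efivarfs `SecureBoot` variable and `/dev/tpmrm0` device node as its defaults.

```shell
#!/bin/sh
# Added example, not part of the merge request: check that a booted system's
# root-disk encryption matches the "Expected behavior" matrix above. Each
# function takes an optional path so it can run on constructed input; the
# defaults are the real efivarfs variable and TPM2 device node.

SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
TPM_DEV=/dev/tpmrm0
ROOT_DEV=/dev/disk/by-partlabel/root

# efivarfs files carry 4 attribute bytes, then the variable data; SecureBoot's
# data is a single byte, 1 = enforcing. A missing variable means no UEFI boot.
secure_boot_enabled() {
    f=${1:-$SB_VAR}
    [ -r "$f" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" = 1 ]
}

# The kernel creates the /dev/tpmrm0 resource manager only for a TPM 2.0.
tpm2_present() {
    [ -e "${1:-$TPM_DEV}" ]
}

# expected_state SB TPM (each 0 or 1): the matrix from the description.
expected_state() {
    case "$1$2" in
        11) echo encrypted ;;
        10) echo failure ;;   # secure boot without TPM2: boot must not succeed
        *)  echo plain ;;     # without secure boot the TPM2 is ignored
    esac
}

# "encrypted" if the root partition carries a LUKS header, else "plain".
actual_state() {
    if cryptsetup isLuks "${1:-$ROOT_DEV}" 2>/dev/null; then echo encrypted
    else echo plain; fi
}

# Derive the expectation from the firmware state and compare with the disk;
# exit status is 0 only when they agree.
check_encryption_policy() {
    sb=0; tpm=0
    secure_boot_enabled "$1" && sb=1
    tpm2_present "$2" && tpm=1
    want=$(expected_state "$sb" "$tpm")
    got=$(actual_state "$3")
    echo "secure_boot=$sb tpm2=$tpm expected=$want actual=$got"
    [ "$want" = "$got" ]
}
```

Inside the VM, source the file and run `check_encryption_policy` with no arguments to use the live defaults; a non-zero exit status means the booted configuration does not match the matrix.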
## Discoverable Disk Image

`systemd-dissect` output gives:

```
Name: disk.img
Size: 4.5G
Sec. Size: 512
Image UUID: 0c27c77c-98c9-5961-bccb-a2e5f3301c01
OS Release: NAME=GNOME OS
            VERSION=Nightly
            VERSION_ID=Nightly
            ID=org.gnome.gnomeos
            PRETTY_NAME=GNOME OS (Nightly)
            BUG_REPORT_URL=https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/new
            HOME_URL=https://www.gnome.org/
            VARIANT=User (sysupdate)
            VARIANT_ID=su-user
            IMAGE_VERSION=l.1
            IMAGE_ID=user
            DEFAULT_HOSTNAME=gnomeos
Use As: ✓ bootable system for UEFI
        ✓ bootable system for container
        ✗ portable service
        ✗ initrd
        ✗ extension for system
        ✗ extension for initrd
        ✗ extension for portable service

RW DESIGNATOR PARTITION UUID                       PARTITION LABEL   FSTYPE         ARCHITECTURE VERITY GROWFS NODE         PARTNO
ro usr        5ef7cdcb-b687-45f8-4deb-1c1d7d3415e9 gnomeos_usr_l.1   squashfs       x86-64       no     no     /dev/loop3p3 3
rw esp        e7edaab9-5aee-57c8-95bd-dbcaf44d138d efi               vfat           -            -      no     /dev/loop3p1 1
ro usr-verity c7534150-6263-62c0-d4b4-5bc44ee3a038 gnomeos_usr_v_l.1 DM_verity_hash x86-64       -      no     /dev/loop3p2 2
```
## Disk image

You can build and check out the disk image and `dd` it onto a disk with:

```
bst -o signed_modules true build vm-secure/image.bst
bst -o signed_modules true artifact checkout --hardlinks vm-secure/image.bst --directory image/
```
## Installer image

You can build and check out the ISO image installer with:

```
bst -o signed_modules true -o secure_image_installer true build iso/image.bst
bst -o signed_modules true -o secure_image_installer true artifact checkout iso/image.bst --directory iso
```