
Add experimental sysupdate image with secure boot (development tree as sysext)

This is !2195 (closed) but with the development tree as a sysext.

Depends on:

Building and running a VM

To test you need qemu-system-x86_64, swtpm, bst2:

./utils/run-secure-vm.sh

If you want to reset the VM with a fresh image, use --reset. To also clear the TPM state and the enrolled secure boot keys, use --reset-secure-state.

Updating with sysupdate

In order to test and update:

./utils/run-sysupdate-repo.sh

This rebuilds a new version and serves it over HTTP. sysupdate checks every file it downloads against the SHA256SUMS manifest in the repository (and the manifest's signature, unless the transfer definitions set Verify=no), so the plain HTTP transport does not weaken integrity; it only exposes what the VM downloads to the network. In the VM, run:

sudo /usr/lib/systemd/systemd-sysupdate update

Then reboot.

You can call run-sysupdate-repo.sh with --same-version if you do not want to bump the version and rebuild.

Setting a recovery key

On first boot, /run/recovery-password contains the passphrase that unlocks both the root and home volumes. Use it to enroll a recovery key before rebooting: /run is a tmpfs, so the file does not survive a reboot.

You can enroll a recovery key with:

sudo systemd-cryptenroll --unlock-key-file=/run/recovery-password --recovery-key /dev/disk/by-partlabel/root

Run the same command for /dev/disk/by-partlabel/home. Instead of a recovery key you can enroll a passphrase by passing --password instead of --recovery-key.

After enrolling the new key on both volumes, you can remove the initial passphrase with --wipe-slot=0. Check first that the new slot is listed (running systemd-cryptenroll with only the device as argument lists the enrolled slots) and that the key you saved actually opens the volume: once slot 0 is gone, /run/recovery-password no longer unlocks anything.
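The enrollment and slot-0 cleanup above, as an added example script that is not part of this MR: it enrolls a recovery key on each volume using /run/recovery-password, verifies that the captured key really opens the volume, and only then wipes slot 0, and only if slot 0 is the initial password slot. The device paths and password file are the ones named in the description; the recovery-key format (64 modhex characters in eight dash-separated groups) and the "SLOT TYPE" listing that systemd-cryptenroll prints when given only a device are assumptions about current systemd.

```shell
# Added example, not the MR's own code. Run as root with --run on the freshly
# booted VM; it prints each recovery key to stdout so you can store it offline.
set -eu

MODHEX='[cbdefghijklnrtuv]'

# True if $1 looks like a systemd recovery key: 8 groups of 8 modhex characters.
# Used to sanity-check what we captured from systemd-cryptenroll's stdout
# before we rely on it.
is_recovery_key() {
    printf '%s' "$1" | grep -Eq "^(${MODHEX}{8}-){7}${MODHEX}{8}\$"
}

# Read a "SLOT TYPE" listing on stdin and print the type of slot $1
# (empty output if the slot is not listed).
slot_type_from_listing() {
    awk -v want="$1" 'NR > 1 && $1 == want { print $2 }'
}

enroll_recovery() {
    dev=$1
    if [ ! -s /run/recovery-password ]; then
        echo "no /run/recovery-password: it only exists until the first reboot" >&2
        return 1
    fi

    # The key itself is written to stdout; the explanation and QR code go to stderr.
    key=$(systemd-cryptenroll --unlock-key-file=/run/recovery-password \
                              --recovery-key "$dev")
    is_recovery_key "$key" || { echo "unexpected output while enrolling on $dev" >&2; return 1; }

    # Prove the new slot unlocks the volume before touching the old one.
    # cryptsetup reads the passphrase from stdin with --key-file=- (no trailing newline).
    printf '%s' "$key" | cryptsetup open --test-passphrase --key-file=- "$dev"

    # Wipe slot 0 only if it really is the initial password slot.
    t=$(systemd-cryptenroll "$dev" | slot_type_from_listing 0)
    if [ "$t" = password ]; then
        systemd-cryptenroll --wipe-slot=0 "$dev"
    else
        echo "slot 0 on $dev is '$t', not 'password'; leaving it alone" >&2
    fi

    printf '%s\n' "$key"
}

main() {
    for p in root home; do
        echo "== /dev/disk/by-partlabel/$p" >&2
        enroll_recovery "/dev/disk/by-partlabel/$p"
    done
}

case "${1-}" in --run) main ;; esac
```

The --test-passphrase step is the part worth keeping even if you do this by hand: it is the only thing standing between a typo in the saved key and an unbootable volume once slot 0 is wiped.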

On bare-metal

Set up the machine with secure boot enabled but in "setup mode" (no Platform Key enrolled). systemd-boot only enrolls keys from the ESP on its own when its secure-boot-enroll setting allows it (if-safe auto-enrolls only inside a VM; force always does), so on bare metal the keys are often not enrolled automatically. If the systemd-boot menu shows an entry to enroll the secure boot keys, choose it before booting the image. Enrolling replaces the firmware's PK, KEK and db with the image's keys, so afterwards only images signed with those keys will boot.

If you need an installer, see the section "Installer image".

If you want to use sysupdate, edit the files in files/sysupdate/*.conf so that the Source Path points at the machine you will serve the updates from.
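What such a transfer definition looks like and how to repoint it, as an added example that is not the MR's own files/sysupdate contents: the two .conf bodies below are constructed samples in systemd-sysupdate's format, using the partition-label scheme visible in the systemd-dissect output further down (gnomeos_usr_<version>, gnomeos_usr_v_<version>). The server address 192.0.2.10:8080 and the file names are assumptions.

```shell
# Added example, not the MR's own code or configuration.
set -eu

# Write constructed sample transfer definitions for the usr partition and its
# verity partition into directory $1. sysupdate downloads SHA256SUMS from
# Path=, checks every file against it and, with Verify=yes (the default),
# checks the manifest's SHA256SUMS.gpg signature as well.
write_sample_confs() {
    cat > "$1/50-usr.conf" <<'EOF'
[Transfer]
ProtectVersion=%A

[Source]
Type=url-file
Path=http://192.0.2.10:8080/
MatchPattern=gnomeos_usr_@v.raw.xz

[Target]
Type=partition
Path=auto
MatchPattern=gnomeos_usr_@v
MatchPartitionType=usr
PartitionFlags=0
ReadOnly=1
EOF
    cat > "$1/60-usr-verity.conf" <<'EOF'
[Transfer]
ProtectVersion=%A

[Source]
Type=url-file
Path=http://192.0.2.10:8080/
MatchPattern=gnomeos_usr_v_@v.verity.xz

[Target]
Type=partition
Path=auto
MatchPattern=gnomeos_usr_v_@v
MatchPartitionType=usr-verity
PartitionFlags=0
ReadOnly=1
EOF
}

# Replace the scheme+host[:port] of every "Path=http..." line in $1/*.conf with
# $2 (e.g. https://updates.example.org:8443); the path part is kept. A literal
# '&' or '#' in $2 would need escaping for sed.
set_update_server() {
    dir=$1 new=$2
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        sed -E "s#^(Path=)https?://[^/]+#\1${new}#" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Show which servers the definitions currently point at, for review.
show_update_servers() {
    grep -H '^Path=http' "$1"/*.conf
}
```

All transfers in a sysupdate directory are applied as one version, so the usr and usr-verity definitions must use the same @v placeholder and be served from the same repository; repointing only one of them leaves sysupdate unable to find a complete version.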

Switching to development tree

  • Run run-sysupdate-repo.sh with --devel.
  • Run:
sudo /usr/lib/systemd/systemd-sysupdate update
sudo /usr/lib/systemd/systemd-sysupdate update --component=devel
# sudo /usr/lib/systemd/systemd-sysupdate reboot
  • Reboot

To update further, you first need to disable the devel tree, since it is merged over /usr as an extension: run sudo systemd-sysext unmerge, then update both components. If you want the development tree back before rebooting, run sudo systemd-sysext merge.

Non-secure boot

It is possible to run run-sysupdate-repo.sh with --notpm to test without a TPM2 device.

To disable secure boot, select Reboot Into Firmware Interface in the systemd-boot menu, then Device Manager, then Secure Boot Configuration, and deselect Attempt Secure Boot. Exit and continue booting.

Expected behavior:

  • Secure boot + TPM2: Encryption
  • Secure boot + no TPM2: Failure
  • No secure boot + TPM2: No encryption (the TPM2 is ignored; encryption could be enabled in this case)
  • No secure boot + no TPM2: No encryption
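A way to check which row of the list above a machine actually landed in, as an added example that is not part of the MR: it reads the firmware's SecureBoot variable, looks for a TPM2, maps the pair to the expected outcome from the list, and asks cryptsetup whether the root and home partitions carry a LUKS header. The efivar name and layout (four attribute bytes, then one value byte) and the /dev/tpmrm0 and /sys/class/tpm paths are standard Linux interfaces; the partition labels are the ones used in the description.

```shell
# Added example, not the MR's own code. Run with --run on the booted system.
set -eu

# Map (secure boot enabled?, TPM2 present?) to the outcome the MR expects.
expected_outcome() {
    case "$1/$2" in
        yes/yes) echo encrypted ;;
        yes/no)  echo failure ;;
        no/yes)  echo unencrypted ;;   # TPM2 is ignored without secure boot
        no/no)   echo unencrypted ;;
        *) echo "expected yes|no yes|no, got '$1' '$2'" >&2; return 1 ;;
    esac
}

# Secure Boot state as the firmware reports it: byte 5 of the SecureBoot efivar.
secure_boot_enabled() {
    v=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    if [ ! -r "$v" ]; then
        echo no            # no efivarfs: legacy boot or not running under UEFI
        return
    fi
    if [ "$(od -An -tu1 -j4 -N1 "$v" | tr -d ' ')" = 1 ]; then echo yes; else echo no; fi
}

# A TPM2 is usable if the kernel exposes the resource manager device or
# reports TPM version 2 for tpm0.
tpm2_present() {
    if [ -e /dev/tpmrm0 ] || [ "$(cat /sys/class/tpm/tpm0/tpm_version_major 2>/dev/null)" = 2 ]; then
        echo yes
    else
        echo no
    fi
}

# "yes" if the block device carries a LUKS header (cryptsetup isLuks exits 0).
is_luks() {
    if cryptsetup isLuks "$1" 2>/dev/null; then echo yes; else echo no; fi
}

main() {
    sb=$(secure_boot_enabled)
    tpm=$(tpm2_present)
    echo "secure boot: $sb, tpm2: $tpm -> expected: $(expected_outcome "$sb" "$tpm")"
    for p in root home; do
        echo "/dev/disk/by-partlabel/$p is LUKS: $(is_luks "/dev/disk/by-partlabel/$p")"
    done
}

case "${1-}" in --run) main ;; esac
```

If the expected outcome is "encrypted" but is_luks reports "no" for either partition, the image was provisioned in a different state than the one it is now booting in, which is exactly the situation the "Secure boot + no TPM2: Failure" row describes from the other side.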

Discoverable Disk Image

systemd-dissect output gives:

      Name: disk.img
      Size: 4.5G
 Sec. Size: 512

Image UUID: 0c27c77c-98c9-5961-bccb-a2e5f3301c01
OS Release: NAME=GNOME OS
            VERSION=Nightly
            VERSION_ID=Nightly
            ID=org.gnome.gnomeos
            PRETTY_NAME=GNOME OS (Nightly)
            BUG_REPORT_URL=https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/new
            HOME_URL=https://www.gnome.org/
            VARIANT=User (sysupdate)
            VARIANT_ID=su-user
            IMAGE_VERSION=l.1
            IMAGE_ID=user
            DEFAULT_HOSTNAME=gnomeos

    Use As: ✓ bootable system for UEFI
            ✓ bootable system for container
            ✗ portable service
            ✗ initrd
            ✗ extension for system
            ✗ extension for initrd
            ✗ extension for portable service

RW DESIGNATOR PARTITION UUID                       PARTITION LABEL   FSTYPE         ARCHITECTURE VERITY GROWFS NODE         PARTNO
ro usr        5ef7cdcb-b687-45f8-4deb-1c1d7d3415e9 gnomeos_usr_l.1   squashfs       x86-64       no     no     /dev/loop3p3 3
rw esp        e7edaab9-5aee-57c8-95bd-dbcaf44d138d efi               vfat           -            -      no     /dev/loop3p1 1
ro usr-verity c7534150-6263-62c0-d4b4-5bc44ee3a038 gnomeos_usr_v_l.1 DM_verity_hash x86-64       -      no     /dev/loop3p2 2

Disk image

You can build and check out the disk image, and then dd it onto a disk, with:

bst -o signed_modules true build vm-secure/image.bst
bst -o signed_modules true artifact checkout --hardlinks vm-secure/image.bst --directory image/

Installer image

You can build and check out the ISO installer image with:

bst -o signed_modules true -o secure_image_installer true build iso/image.bst
bst -o signed_modules true -o secure_image_installer true artifact checkout iso/image.bst --directory iso
Edited by Jordan Petridis
