From f5b372ec4717f232c4d97277cfbcd77b26f415fa Mon Sep 17 00:00:00 2001 From: Itxaka Date: Mon, 27 Nov 2023 20:11:55 +0100 Subject: [PATCH] [uki] Rework script to use only docker+earthly Signed-off-by: Itxaka --- build_uki.sh | 95 ++++++++++++++++++---------------------------------- 1 file changed, 32 insertions(+), 63 deletions(-) diff --git a/build_uki.sh b/build_uki.sh index dbbe298c00..55d306a1f5 100755 --- a/build_uki.sh +++ b/build_uki.sh @@ -8,9 +8,7 @@ set -e # - Builds the ISO # This needs to work: # - earthly for our artifacts to be properly generated -# - docker to sign the artifacts (Cant use earthly as it needs access to a tpm device and earhtly still doesnt allow mounts) -# - xorriso to build the iso -# - mtools to copy files to the iso +# - docker to sign the artifacts (Cant use earthly as it needs access to a tpm device and earhtly still doesnt allow mounts) and build the iso # Last 2 should be easy to move into a docker container if needed and run everything in a docker container to avoid host pollution # systemd-ukify does the following: # - Measure the kernel, initrd, osrelease, cmdline, uname @@ -45,8 +43,7 @@ printf "BASE_IMAGE -> Base image. Defaults to opensuse/leap:15.5\n" printf "IMMUCORE_DEV -> Use immucore dev version. Defaults to true\n" printf "IMMUCORE_DEV_BRANCH -> Branch to use from immucore repo. Defaults to master\n" printf "BUILD_ARTIFACTS -> Use earthly to generate the uki artifacts. Useful if you got the artifacts already generated under build/.Defaults to false \n" -printf "SIGN_EFI -> Sign the artifacts. Useful if you already have signed them. Defaults to false\n" -printf "BUILD_ISO -> Build the iso. Defaults to false\n" +printf "CREATE_ISO -> Sign the artifacts and build the iso. Defaults to false\n" printf "Most of these values can be obtained by checking the .github/flavors.yml file\n" printf "\n" 
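Review bot: The comment line `# Last 2 should be easy to move into a docker container if needed and run everything in a docker container to avoid host pollution` is left stale by this hunk: the two items it referred to (the xorriso and mtools bullets) are removed just above it, and the rewritten docker bullet already states that the iso is built inside the container. Drop the sentence or reword it to match the new requirement list, e.g. `# Signing and iso creation already run inside the fedora container; only earthly and docker are needed on the host`. While the docker bullet is being rewritten, its pre-existing typos (`Cant`, `earhtly`, `doesnt`) could be fixed in the same line.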
@@ -61,8 +58,7 @@ BASE_IMAGE=${BASE_IMAGE:-opensuse/leap:15.5} IMMUCORE_DEV=${IMMUCORE_DEV:-true} IMMUCORE_DEV_BRANCH=${IMMUCORE_DEV_BRANCH:-master} BUILD_ARTIFACTS=${BUILD_ARTIFACTS:-false} -SIGN_EFI=${SIGN_EFI:-false} -BUILD_ISO=${BUILD_ISO:-false} +CREATE_ISO=${CREATE_ISO:-false} echo "###############################################" @@ -76,7 +72,7 @@ echo "BASE_IMAGE: $BASE_IMAGE" echo "IMMUCORE_DEV: $IMMUCORE_DEV" echo "IMMUCORE_DEV_BRANCH: $IMMUCORE_DEV_BRANCH" echo "BUILD_ARTIFACTS: $BUILD_ARTIFACTS" -echo "SIGN_EFI: $SIGN_EFI" +echo "CREATE_ISO: $CREATE_ISO" echo "###############################################" printf "\n" @@ -89,8 +85,8 @@ else echo "Not building artifacts" fi -if [ "$SIGN_EFI" = true ]; then - echo "Signing EFI" +if [ "$CREATE_ISO" = true ]; then + echo "Signing EFI and creating ISO" test -f build/Kernel test -f build/Initrd test -f build/Cmdline @@ -99,8 +95,8 @@ if [ "$SIGN_EFI" = true ]; then test -f tests/keys/DB.key test -f tests/keys/DB.crt test -f tests/keys/private.pem - docker run --privileged -w /workspace -v /dev:/dev -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket -v $(pwd):/workspace fedora:39 /bin/bash -c "\ - dnf install -y binutils systemd-boot mtools efitools sbsigntools shim openssl systemd-ukify && \ + docker run --privileged -w /workspace -v /dev:/dev -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket -v $(pwd):/workspace fedora:39 /bin/bash -exc "\ + dnf install -y binutils xorriso systemd-boot mtools efitools dosfstools sbsigntools shim openssl systemd-ukify && \ /usr/lib/systemd/ukify build/Kernel build/Initrd \ --cmdline @build/Cmdline \ --os-release @build/Osrelease \ 
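Review bot: The rewritten `docker run` line still passes the bind mount as `-v $(pwd):/workspace` unquoted, so a checkout path containing whitespace is split into several docker arguments and the mount silently becomes wrong; `-v "$(pwd)":/workspace` is the one-token fix. The header comment says the container is needed because signing requires a TPM device, yet the container gets `--privileged` plus the whole of `/dev`; if the TPM is the only device needed, `--device /dev/tpm0 --device /dev/tpmrm0` would scope the host exposure to that (confirm what `ukify --measure` with `--pcr-private-key` actually opens before narrowing). The added `-x` only traces file paths such as `tests/keys/private.pem`, not key material, so the trace in build logs is acceptable as is. The `if [ "$CREATE_ISO" = true ]` that encloses this command opens in the previous hunk and its body continues into the next line.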
@@ -111,58 +107,31 @@ if [ "$SIGN_EFI" = true ]; then --pcr-private-key tests/keys/private.pem \ --measure \ --output build/uki.signed.efi && \ - sbsign --key tests/keys/DB.key --cert tests/keys/DB.crt --output build/systemd-bootx64.signed.efi /usr/lib/systemd/boot/efi/systemd-bootx64.efi" + sbsign --key tests/keys/DB.key --cert tests/keys/DB.crt --output build/systemd-bootx64.signed.efi /usr/lib/systemd/boot/efi/systemd-bootx64.efi && \ + mkdir -p /tmp/efi/ && \ + printf 'title Kairos %s %s\nefi /EFI/kairos/kairos.efi' ${FLAVOR} ${VERSION} > build/kairos.conf && \ + printf 'default kairos.conf' > build/loader.conf && \ + dd if=/dev/zero of=/tmp/efi/efiboot.img bs=1G count=1 && \ + mkfs.msdos -F 32 /tmp/efi/efiboot.img && \ + mmd -i /tmp/efi/efiboot.img ::EFI && \ + mmd -i /tmp/efi/efiboot.img ::EFI/BOOT && \ + mmd -i /tmp/efi/efiboot.img ::EFI/kairos && \ + mmd -i /tmp/efi/efiboot.img ::EFI/tools && \ + mmd -i /tmp/efi/efiboot.img ::loader && \ + mmd -i /tmp/efi/efiboot.img ::loader/entries && \ + mmd -i /tmp/efi/efiboot.img ::loader/keys && \ + mmd -i /tmp/efi/efiboot.img ::loader/keys/kairos && \ + mcopy -i /tmp/efi/efiboot.img tests/keys/PK.der ::loader/keys/kairos/PK.der && \ + mcopy -i /tmp/efi/efiboot.img tests/keys/KEK.der ::loader/keys/kairos/KEK.der && \ + mcopy -i /tmp/efi/efiboot.img tests/keys/DB.der ::loader/keys/kairos/DB.der && \ + mcopy -i /tmp/efi/efiboot.img build/kairos.conf ::loader/entries/kairos.conf && \ + mcopy -i /tmp/efi/efiboot.img build/loader.conf ::loader/loader.conf && \ + mcopy -i /tmp/efi/efiboot.img build/uki.signed.efi ::EFI/kairos/kairos.EFI && \ + mcopy -i /tmp/efi/efiboot.img build/systemd-bootx64.signed.efi ::EFI/BOOT/BOOTX64.EFI && \ + xorriso -as mkisofs -V 'UKI_ISO_INSTALL' -e efiboot.img -no-emul-boot -o build/uki.iso /tmp/efi + " else - echo "Not signing EFI" -fi - - -if [ "$BUILD_ISO" = true ]; then - D=$(mktemp -d) - OLDDIR=$(pwd) - # Check files exist before doing anything - echo "Building ISO" - test -f 
build/uki.signed.efi - test -f build/systemd-bootx64.signed.efi - test -f tests/keys/DB.der - test -f tests/keys/KEK.der - test -f tests/keys/PK.der - # copy needed files to temp dir - cp tests/keys/* "$D"/ - cp build/uki.signed.efi "$D"/ - cp build/systemd-bootx64.signed.efi "$D"/ - pushd "$D" || exit - printf "title Kairos ${FLAVOR} ${VERSION}\nefi /EFI/kairos/kairos.efi" > kairos.conf - printf "default kairos.conf" > loader.conf - mkdir -p efi - dd if=/dev/zero of=efi/efiboot.img bs=1G count=1 - mkfs.msdos -F 32 efi/efiboot.img - mmd -i efi/efiboot.img ::EFI - mmd -i efi/efiboot.img ::EFI/BOOT - mmd -i efi/efiboot.img ::EFI/kairos - mmd -i efi/efiboot.img ::EFI/tools - mmd -i efi/efiboot.img ::loader - mmd -i efi/efiboot.img ::loader/entries - mmd -i efi/efiboot.img ::loader/keys - mmd -i efi/efiboot.img ::loader/keys/kairos - # Copy keys - mcopy -i efi/efiboot.img PK.der ::loader/keys/kairos/PK.der - mcopy -i efi/efiboot.img KEK.der ::loader/keys/kairos/KEK.der - mcopy -i efi/efiboot.img DB.der ::loader/keys/kairos/DB.der - # Copy kairos efi. This dir would make system-boot autosearch and add to entries automatically /EFI/Linux/ - # but here we do it by using systemd-boot as fallback so it sets the proper efivars - mcopy -i efi/efiboot.img kairos.conf ::loader/entries/kairos.conf - mcopy -i efi/efiboot.img uki.signed.efi ::EFI/kairos/kairos.EFI - # systemd-boot as bootloader - mcopy -i efi/efiboot.img loader.conf ::loader/loader.conf - # TODO: TARGETARCH should change the output name to BOOTAA64.EFI in arm64! - mcopy -i efi/efiboot.img systemd-bootx64.signed.efi ::EFI/BOOT/BOOTX64.EFI - xorriso -as mkisofs -V 'UKI_ISO_INSTALL' -e efiboot.img -no-emul-boot -o uki.iso efi/ - cp uki.iso "$OLDDIR"/build - popd || exit - rm -Rf "${D}" -else - echo "Not building ISO" + echo "Not signing EFI or building ISO" fi
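Review bot: The `.der` keys that the new `mcopy` lines read (`tests/keys/PK.der`, `KEK.der`, `DB.der`) are no longer checked before the container starts; the visible `test -f` pre-checks in this branch cover Kernel/Initrd/Cmdline and DB.key/DB.crt/private.pem, and the `.der` checks lived only in the removed `BUILD_ISO` branch, so a missing `.der` now fails mid-chain after the `dnf install` (unless the two context lines not shown between hunks already cover them). Adding `test -f tests/keys/PK.der`, `test -f tests/keys/KEK.der` and `test -f tests/keys/DB.der` next to the existing checks restores the fast failure. In `printf 'title Kairos %s %s\nefi /EFI/kairos/kairos.efi' ${FLAVOR} ${VERSION}` the two values are expanded by the host shell but reach the inner bash unquoted, so an empty or space-containing value shifts the `%s` fields silently; `\"${FLAVOR}\" \"${VERSION}\"` keeps one argument per field. The removed branch's `# TODO: TARGETARCH should change the output name to BOOTAA64.EFI in arm64!` and its note on why systemd-boot is used as the fallback loader still apply to the `::EFI/BOOT/BOOTX64.EFI` copy and are worth carrying over as comments above the chain. The enclosing `if [ "$CREATE_ISO" = true ]` opens in an earlier hunk, outside this one.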