Skip to content

Commit

Permalink
fix: generation of SecureBoot iso
Browse files Browse the repository at this point in the history
The Secureboot ISO previously generated has just an EFI parition.

Now generate iso with both the EFI partition and also having ISO
filesystem having the content so *File System transposition* also works.

Fixes: #9565

Signed-off-by: Noel Georgi <git@frezbo.dev>
  • Loading branch information
frezbo committed Oct 28, 2024
1 parent c755b6d commit 9db7a36
Showing 1 changed file with 41 additions and 45 deletions.
86 changes: 41 additions & 45 deletions pkg/imager/iso/uefi.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,14 @@ package iso

import (
"bytes"
"context"
_ "embed"
"fmt"
"os"
"path/filepath"
"text/template"
"time"

"github.com/siderolabs/go-cmd/pkg/cmd"
"github.com/siderolabs/go-copy/copy"

"github.com/siderolabs/talos/pkg/imager/utils"
"github.com/siderolabs/talos/pkg/machinery/constants"
Expand Down Expand Up @@ -67,6 +66,8 @@ func CreateUEFI(printf func(string, ...any), options UEFIOptions) error {

efiBootImg := filepath.Join(options.ScratchDir, "efiboot.img")

isoRoot := filepath.Join(options.ScratchDir, "isoroot")

// initial size
isoSize := int64(10 * mib)

Expand Down Expand Up @@ -109,112 +110,107 @@ func CreateUEFI(printf func(string, ...any), options UEFIOptions) error {
return err
}

if _, err := cmd.Run("mmd", "-i", efiBootImg, "::EFI"); err != nil {
return err
}

if _, err := cmd.Run("mmd", "-i", efiBootImg, "::EFI/BOOT"); err != nil {
return err
}

if _, err := cmd.Run("mmd", "-i", efiBootImg, "::EFI/Linux"); err != nil {
return err
}

if _, err := cmd.Run("mmd", "-i", efiBootImg, "::EFI/keys"); err != nil {
if err := os.MkdirAll(filepath.Join(isoRoot, "EFI/Linux"), 0o755); err != nil {
return err
}

if _, err := cmd.Run("mmd", "-i", efiBootImg, "::loader"); err != nil {
if err := os.MkdirAll(filepath.Join(isoRoot, "EFI/BOOT"), 0o755); err != nil {
return err
}

if _, err := cmd.Run("mmd", "-i", efiBootImg, "::loader/keys"); err != nil {
if err := os.MkdirAll(filepath.Join(isoRoot, "EFI/keys"), 0o755); err != nil {
return err
}

if _, err := cmd.Run("mmd", "-i", efiBootImg, "::loader/keys/auto"); err != nil {
if err := os.MkdirAll(filepath.Join(isoRoot, "loader/keys/auto"), 0o755); err != nil {
return err
}

efiBootPath := "::EFI/BOOT/BOOTX64.EFI"
efiBootPath := "EFI/BOOT/BOOTX64.EFI"

if options.Arch == "arm64" {
efiBootPath = "::EFI/BOOT/BOOTAA64.EFI"
efiBootPath = "EFI/BOOT/BOOTAA64.EFI"
}

if _, err := cmd.Run("mcopy", "-i", efiBootImg, options.SDBootPath, efiBootPath); err != nil {
if err := copy.File(options.SDBootPath, filepath.Join(isoRoot, efiBootPath)); err != nil {
return err
}

if _, err := cmd.Run("mcopy", "-i", efiBootImg, options.UKIPath, fmt.Sprintf("::EFI/Linux/Talos-%s.efi", options.Version)); err != nil {
if err := copy.File(options.UKIPath, filepath.Join(isoRoot, fmt.Sprintf("EFI/Linux/Talos-%s.efi", options.Version))); err != nil {
return err
}

if _, err := cmd.RunContext(
cmd.WithStdin(context.Background(), &loaderConfigOut),
"mcopy", "-i", efiBootImg, "-", "::loader/loader.conf",
); err != nil {
if err := os.WriteFile(filepath.Join(isoRoot, "loader/loader.conf"), loaderConfigOut.Bytes(), 0o644); err != nil {
return err
}

if _, err := cmd.Run("mcopy", "-i", efiBootImg, options.UKISigningCertDerPath, "::EFI/keys/uki-signing-cert.der"); err != nil {
if err := copy.File(options.UKISigningCertDerPath, filepath.Join(isoRoot, "EFI/keys/uki-signing-cert.der")); err != nil {
return err
}

if options.PlatformKeyPath != "" {
if _, err := cmd.Run("mcopy", "-i", efiBootImg, options.PlatformKeyPath, filepath.Join("::loader/keys/auto", constants.PlatformKeyAsset)); err != nil {
if err := copy.File(options.PlatformKeyPath, filepath.Join(isoRoot, "loader/keys/auto", constants.PlatformKeyAsset)); err != nil {
return err
}
}

if options.KeyExchangeKeyPath != "" {
if _, err := cmd.Run("mcopy", "-i", efiBootImg, options.KeyExchangeKeyPath, filepath.Join("::loader/keys/auto", constants.KeyExchangeKeyAsset)); err != nil {
if err := copy.File(options.KeyExchangeKeyPath, filepath.Join(isoRoot, "loader/keys/auto", constants.KeyExchangeKeyAsset)); err != nil {
return err
}
}

if options.SignatureKeyPath != "" {
if _, err := cmd.Run("mcopy", "-i", efiBootImg, options.SignatureKeyPath, filepath.Join("::loader/keys/auto", constants.SignatureKeyAsset)); err != nil {
if err := copy.File(options.SignatureKeyPath, filepath.Join(isoRoot, "loader/keys/auto", constants.SignatureKeyAsset)); err != nil {
return err
}
}

if _, err := cmd.Run(
"mcopy",
"-s", // recursive
"-p", // preserve attributes
"-Q", // quit on error
"-m", // preserve modification time
"-i",
efiBootImg,
filepath.Join(isoRoot, "EFI"),
filepath.Join(isoRoot, "loader"),
"::",
); err != nil {
return err
}

// fixup directory timestamps recursively
if err := utils.TouchFiles(printf, options.ScratchDir); err != nil {
return err
}

printf("creating ISO image")

// ref: https://askubuntu.com/questions/1110651/how-to-produce-an-iso-image-that-boots-only-on-uefi/1111760#1111760
args := []string{
"-as", "mkisofs",
"-e", "efiboot.img",
"-e", "--interval:appended_partition_2:all::", // use appended partition 2 for EFI
"-append_partition", "2", "0xef", efiBootImg,
"-partition_cyl_align", // pad partition to cylinder boundary
"all",
"-partition_offset", "16", // support booting from USB
"-iso_mbr_part_type", "0x83", // just to have more clear info when doing a fdisk -l
"-no-emul-boot",
"-o", options.OutPath,
options.ScratchDir,
"--",
}

if epoch, ok, err := utils.SourceDateEpoch(); err != nil {
return err
} else if ok {
args = append(args,
"-volume_date", "all_file_dates", fmt.Sprintf("=%d", epoch),
"-volume_date", "uuid", time.Unix(epoch, 0).Format("2006010215040500"),
)
isoRoot,
}

if quirks.New(options.Version).SupportsISOLabel() {
label := Label(options.Version, true)

args = append(args,
"-volid", VolumeID(label),
"-volset-id", label,
"-volset", label,
)
}

if _, err := cmd.Run("xorriso", args...); err != nil {
if _, err := cmd.Run("xorrisofs", args...); err != nil {
return err
}

Expand Down

0 comments on commit 9db7a36

Please sign in to comment.