Add support for filtering out files from the ESP image for GRUB

Prior to this change, KIWI blindly synced the ESP directory into the
embedded ESP image. Depending on the distribution and packages included
for the created image, this can have undesirable side-effects.

For image builds that need some more fine-grained control over the
creation of the embedded ESP image (particularly for ISO images),
this change introduces the ability to inject an exclusion list
similar to what is used to filter out files for the root filesystem.

Fixes: #2008
Fixes: #2777

Author: Conan-Kudo

build-tests/x86/fedora/test-image-live-disk/appliance.kiwi

@@ -61,6 +61,8 @@
         <source path="obsrepositories:/"/>
     </repository>
     <packages type="image">
+        <!-- Filter out unwanted EFI files from the embedded ESP -->
+        <file name="iso-esp-excludes.yaml" target="image/exclude_files_efifatimage.yaml"/>
         <package name="grub2"/>
         <package name="grubby"/>
         <package name="kernel"/>

build-tests/x86/fedora/test-image-live-disk/iso-esp-excludes.yaml

@@ -0,0 +1,3 @@
+exclude:
+- BOOT/fb*.efi
+- fedora

kiwi/bootloader/config/grub2.py

@@ -35,6 +35,7 @@
 from kiwi.system.identifier import SystemIdentifier
 from kiwi.utils.sync import DataSync
 from kiwi.utils.sysconfig import SysConfig
+from kiwi.utils.temporary import Temporary
 
 from kiwi.exceptions import (
     KiwiTemplateError,
@@ -1032,6 +1033,12 @@ def _create_embedded_fat_efi_image(self, path):
             self.xml_state.build_type
                 .get_efifatimagesize() or defaults.EFI_FAT_IMAGE_SIZE
         )
+        efi_folder = Temporary(prefix='efi_folder').new_dir()
+        efi_data = DataSync(self.boot_dir + '/EFI/', efi_folder.name)
+        efi_data.sync_data(
+            options=Defaults.get_sync_options(),
+            exclude=Defaults.get_exclude_list_from_custom_exclude_files_for_efifatimage(self.root_dir)
+        )
         Command.run(
             ['qemu-img', 'create', path, f'{fat_image_mbsize}M']
         )
@@ -1041,7 +1048,7 @@ def _create_embedded_fat_efi_image(self, path):
         Command.run(
             [
                 'mcopy', '-Do', '-s', '-i', path,
-                self.boot_dir + '/EFI', '::'
+                efi_folder.name, '::EFI'
             ]
         )
 

kiwi/defaults.py

@@ -443,19 +443,30 @@ def get_runtime_checker_metadata() -> Dict:
             return yaml.safe_load(meta)
 
     @staticmethod
-    def get_exclude_list_from_custom_exclude_files(root_dir: str) -> List:
+    def _parse_exclude_file(root_dir: str, exclude_filename: str) -> List:
         """
-        Provides the list of folders that are excluded by the
-        optional metadata file image/exclude_files.yaml
+        Retrieves an exclusion list from the provided metadata file
 
-        :return: list of file and directory names
+        The file should contain a YAML dictionary with a top-level key
+        named 'exclude' and the list of exclusions as its value.
+
+        The list of exclusions may include:
+            * file paths
+            * folder paths
+            * glob patterns
+
+        Paths and patterns should be relative to the filesystem or
+        directory that they're being excluded from.
+
+        :return: list of paths and glob patterns
 
         :param string root_dir: image root directory
+        :param string exclude_filename: file exclusion YAML metadata file
 
         :rtype: list
         """
         exclude_file = os.sep.join(
-            [root_dir, 'image', 'exclude_files.yaml']
+            [root_dir, 'image', exclude_filename]
         )
         exclude_list = []
         if os.path.isfile(exclude_file):
@@ -473,6 +484,36 @@ def get_exclude_list_from_custom_exclude_files(root_dir: str) -> List:
                     )
         return exclude_list
 
+    @staticmethod
+    def get_exclude_list_from_custom_exclude_files(root_dir: str) -> List:
+        """
+        Gets the list of excluded items for the root filesystem from
+        the optional metadata file image/exclude_files.yaml
+
+        :return: list of paths and glob patterns
+
+        :param string root_dir: image root directory
+
+        :rtype: list
+        """
+        return Defaults._parse_exclude_file(root_dir, 'exclude_files.yaml')
+
+    @staticmethod
+    def get_exclude_list_from_custom_exclude_files_for_efifatimage(root_dir: str) -> List:
+        """
+        Gets the list of excluded items for the ESP's EFI folder from
+        the optional metadata file image/exclude_files_efifatimage.yaml
+
+        Excluded items must be relative to the ESP's /EFI directory.
+
+        :return: list of paths and glob patterns
+
+        :param string root_dir: EFI root directory
+
+        :rtype: list
+        """
+        return Defaults._parse_exclude_file(root_dir, 'exclude_files_efifatimage.yaml')
+
     @staticmethod
     def get_exclude_list_for_non_physical_devices():
         """

test/data/root-dir/image/exclude_files_efifatimage.yaml

@@ -0,0 +1,3 @@
+exclude:
+- BOOT/fbia32.efi
+- BOOT/fbx64.efi

test/unit/bootloader/config/grub2_test.py

@@ -326,8 +326,13 @@ def test_write(
                 'some-data'
             )
 
+    @patch('kiwi.bootloader.config.grub2.DataSync.sync_data')
+    @patch('kiwi.bootloader.config.grub2.Temporary.new_dir')
     @patch('kiwi.bootloader.config.grub2.Command.run')
-    def test_create_embedded_fat_efi_image(self, mock_command):
+    def test_create_embedded_fat_efi_image(self, mock_command, mock_tmpdir, mock_syncdata):
+        tmpdir = Mock()
+        tmpdir.name = 'tmpdir'
+        mock_tmpdir.return_value = tmpdir
         self.bootloader._create_embedded_fat_efi_image('tmp-esp-image')
         assert mock_command.call_args_list == [
             call(
@@ -343,7 +348,7 @@ def test_create_embedded_fat_efi_image(self, mock_command):
             call(
                 [
                     'mcopy', '-Do', '-s', '-i', 'tmp-esp-image',
-                    'root_dir/EFI', '::'
+                    'tmpdir', '::EFI'
                 ]
             )
         ]

test/unit/defaults_test.py

@@ -107,6 +107,23 @@ def test_get_vendor_grubenv(self, mock_path_exists):
         assert Defaults.get_vendor_grubenv('boot/efi') == \
             'boot/efi/EFI/fedora/grubenv'
 
+    def test_parse_exclude_file_is_valid(self):
+        assert Defaults._parse_exclude_file(
+            '../data/root-dir', 'exclude_files.yaml'
+        ) == [
+            'usr/bin/qemu-binfmt',
+            'usr/bin/qemu-x86_64-binfmt',
+            'usr/bin/qemu-x86_64'
+        ]
+
+    @patch('yaml.safe_load')
+    def test_parse_exclude_file_is_invalid(self, mock_yaml_safe_load):
+        mock_yaml_safe_load.return_value = {'invalid': 'artificial'}
+        with self._caplog.at_level(logging.WARNING):
+            assert Defaults._parse_exclude_file(
+                '../data/root-dir', 'exclude_files.yaml'
+            ) == []
+
     def test_get_exclude_list_from_custom_exclude_files(self):
         assert Defaults.get_exclude_list_from_custom_exclude_files(
             '../data/root-dir'
@@ -126,6 +143,24 @@ def test_get_exclude_list_from_custom_exclude_files_is_invalid(
                 '../data/root-dir'
             ) == []
 
+    def test_get_exclude_list_from_custom_exclude_files_for_efifatimage(self):
+        assert Defaults.get_exclude_list_from_custom_exclude_files_for_efifatimage(
+            '../data/root-dir'
+        ) == [
+            'BOOT/fbia32.efi',
+            'BOOT/fbx64.efi',
+        ]
+
+    @patch('yaml.safe_load')
+    def test_get_exclude_list_from_custom_exclude_files_for_efifatimage_is_invalid(
+        self, mock_yaml_safe_load
+    ):
+        mock_yaml_safe_load.return_value = {'invalid': 'artificial'}
+        with self._caplog.at_level(logging.WARNING):
+            assert Defaults.get_exclude_list_from_custom_exclude_files_for_efifatimage(
+                '../data/root-dir'
+            ) == []
+
     def test_get_exclude_list_for_root_data_sync(self):
         assert Defaults.get_exclude_list_for_root_data_sync() == [
             'image', '.kconfig',