Merge pull request #2800 from OSInside/support_erofs_overlaydisk

Support erofs overlaydisk

Author: Conan-Kudo

build-tests/x86/tumbleweed/test-image-overlayroot/appliance.kiwi

@@ -1,11 +1,16 @@
 <?xml version="1.0" encoding="utf-8"?>
-
+<!-- OBS-Profiles: @BUILD_FLAVOR@ -->
 <image schemaversion="7.5" name="kiwi-test-image-overlayroot">
     <description type="system">
         <author>Marcus Schäfer</author>
-        <contact>ms@suse.com</contact>
+        <contact>marcus.schaefer@suse.com</contact>
         <specification>Overlayroot Disk test build</specification>
     </description>
+    <profiles>
+        <profile name="sdboot_erofs" description="systemd boot overlay disk using erofs"/>
+        <profile name="sdboot_verity_erofs" description="systemd boot verity baked overlay disk using erofs"/>
+        <profile name="grub_verity_erofs" description="grub verity baked overlay disk using erofs"/>
+    </profiles>
     <preferences>
         <version>1.42.1</version>
         <packagemanager>zypper</packagemanager>
@@ -14,9 +19,66 @@
         <timezone>Europe/Berlin</timezone>
         <rpm-excludedocs>true</rpm-excludedocs>
         <rpm-check-signatures>false</rpm-check-signatures>
-        <bootsplash-theme>breeze</bootsplash-theme>
-        <bootloader-theme>openSUSE</bootloader-theme>
-        <type image="oem" filesystem="ext3" kernelcmdline="console=ttyS0" firmware="efi" format="vmdk" overlayroot="true">
+    </preferences>
+    <preferences profiles="sdboot_erofs">
+        <type
+            image="oem"
+            filesystem="xfs"
+            kernelcmdline="console=ttyS0"
+            firmware="uefi"
+            format="vmdk"
+            overlayroot="true"
+            overlayroot_readonly_filesystem="erofs"
+            overlayroot_readonly_partsize="915"
+            erofscompression="zstd,level=9"
+            eficsm="false"
+            bootpartition="false"
+            efipartsize="200"
+        >
+            <oemconfig>
+                <oem-resize>false</oem-resize>
+            </oemconfig>
+            <bootloader name="systemd_boot" timeout="10"/>
+            <size unit="G">4</size>
+        </type>
+    </preferences>
+    <preferences profiles="sdboot_verity_erofs">
+        <type
+            image="oem"
+            filesystem="xfs"
+            kernelcmdline="console=ttyS0 rd.systemd.verity=1"
+            firmware="uefi"
+            format="vmdk"
+            overlayroot="true"
+            overlayroot_readonly_filesystem="erofs"
+            overlayroot_readonly_partsize="915"
+            erofscompression="zstd,level=9"
+            eficsm="false"
+            verity_blocks="all"
+            bootpartition="false"
+            efipartsize="200"
+        >
+            <oemconfig>
+                <oem-resize>false</oem-resize>
+            </oemconfig>
+            <bootloader name="systemd_boot" timeout="10"/>
+            <size unit="G">4</size>
+        </type>
+    </preferences>
+    <preferences profiles="grub_verity_erofs">
+        <type
+            image="oem"
+            filesystem="btrfs"
+            kernelcmdline="console=ttyS0 rd.systemd.verity=1"
+            firmware="efi"
+            format="vmdk"
+            overlayroot="true"
+            overlayroot_readonly_filesystem="erofs"
+            overlayroot_readonly_partsize="915"
+            erofscompression="zstd,level=9"
+            eficsm="false"
+            verity_blocks="all"
+        >
             <oemconfig>
                 <oem-resize>false</oem-resize>
             </oemconfig>
@@ -30,19 +92,23 @@
     <repository type="rpm-md">
         <source path="obsrepositories:/"/>
     </repository>
+    <packages type="image" profiles="sdboot_verity_erofs,grub_verity_erofs">
+        <package name="cryptsetup"/>
+        <package name="dracut-kiwi-verity"/>
+    </packages>
     <packages type="image">
         <package name="patterns-base-minimal_base"/>
+        <package name="systemd-boot"/>
+        <package name="grub2"/>
+        <package name="grub2-x86_64-efi" arch="x86_64"/>
+        <package name="shim"/>
         <package name="procps"/>
         <package name="bind-utils"/>
         <package name="systemd"/>
         <package name="plymouth-theme-breeze"/>
         <package name="plymouth-plugin-script"/>
-        <package name="grub2-branding-openSUSE"/>
         <package name="iputils"/>
         <package name="vim"/>
-        <package name="grub2"/>
-        <package name="grub2-x86_64-efi" arch="x86_64"/>
-        <package name="grub2-i386-pc"/>
         <package name="lvm2"/>
         <package name="plymouth"/>
         <package name="fontconfig"/>

build-tests/x86/tumbleweed/test-image-overlayroot/config.sh

@@ -1,66 +1,52 @@
 #!/bin/bash
-#================
-# FILE          : config.sh
-#----------------
-# PROJECT       : OpenSuSE KIWI Image System
-# COPYRIGHT     : (c) 2006 SUSE LINUX Products GmbH. All rights reserved
-#               :
-# AUTHOR        : Marcus Schaefer <[email protected]>
-#               :
-# BELONGS TO    : Operating System images
-#               :
-# DESCRIPTION   : configuration script for SUSE based
-#               : operating systems
-#               :
-#               :
-# STATUS        : BETA
-#----------------
-#======================================
-# Functions...
-#--------------------------------------
-test -f /.kconfig && . /.kconfig
-test -f /.profile && . /.profile
+set -ex
+
+declare kiwi_iname=${kiwi_iname}
+declare kiwi_profiles=${kiwi_profiles}
 
 #======================================
 # Greeting...
 #--------------------------------------
 echo "Configure image: [$kiwi_iname]..."
 
-#======================================
-# Setup baseproduct link
-#--------------------------------------
-suseSetupProduct
-
 #======================================
 # Activate services
 #--------------------------------------
-suseInsertService sshd
+systemctl enable sshd
 
 #======================================
-# Setup default target, multi-user
+# kernel links
 #--------------------------------------
-baseSetRunlevel 3
-
-# For image tests with an extra boot partition the
-# kernel must not be a symlink to another area of
-# the filesystem. Latest changes on SUSE changed the
-# layout of the kernel which breaks every image with
-# an extra boot partition
-#
-# All of the following is more than a hack and I
-# don't like it all
-#
-# Complains and discussions about this please with
-# the SUSE kernel team as we in kiwi can just live
-# with the consequences of this change
-#
-pushd /
+for profile in ${kiwi_profiles//,/ }; do
+    if [ "${profile}" = "grub_verity_erofs" ]; then
+        # For image tests with an extra boot partition the
+        # kernel must not be a symlink to another area of
+        # the filesystem. Latest changes on SUSE changed the
+        # layout of the kernel which breaks every image with
+        # an extra boot partition
+        #
+        # All of the following is more than a hack and I
+        # don't like it all
+        #
+        # Complains and discussions about this please with
+        # the SUSE kernel team as we in kiwi can just live
+        # with the consequences of this change
+        #
+        pushd /
 
-for file in /boot/* /boot/.*; do
-    if [ -L ${file} ];then
-        link_target=$(readlink ${file})
-        if [[ ${link_target} =~ usr/lib/modules ]];then
-            mv ${link_target} ${file}
-        fi
+        for file in /boot/* /boot/.*; do
+            if [ -L ${file} ];then
+                link_target=$(readlink ${file})
+                if [[ ${link_target} =~ usr/lib/modules ]];then
+                    mv ${link_target} ${file}
+                fi
+            fi
+        done
     fi
 done
+
+#======================================
+# Include erofs module
+#--------------------------------------
+# remove from blacklist
+rm -f /usr/lib/modprobe.d/60-blacklist_fs-erofs.conf

doc/source/image_description/elements.rst

@@ -825,6 +825,11 @@ overlayroot="true|false":
   the squashfs root filesystem. In fact this mode is the same
   as not installing the `kiwi-overlay` dracut module.
 
+overlayroot_readonly_filesystem="squashfs|erofs":
+  For the `oem` type only, specifies the filesystem type to use
+  as read-only filesystem in an `overlayroot` setup. By default
+  `squashfs` is used
+
 overlayroot_write_partition="true|false":
   For the `oem` type only, allows to specify if the extra read-write
   partition in an `overlayroot` setup should be created or not.

dracut/modules.d/80kiwi-verity/Makefile

@@ -11,7 +11,8 @@ all: build
 
 .PHONY: install
 install: build
-	install -Dm0755 kiwi-verity-setup.sh module-setup.sh \
+	install -Dm0755 \
+		kiwi-verity-setup.sh kiwi-veritytab-setup.sh module-setup.sh \
 		-t ${buildroot}usr/lib/dracut/modules.d/80kiwi-verity
 	install -Dm0755 $(BINARY) ${buildroot}usr/bin/$(BINARY)
 

dracut/modules.d/80kiwi-verity/kiwi-veritytab-setup.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+# This file is part of kiwi.
+#
+# kiwi is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# kiwi is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with kiwi.  If not, see <http://www.gnu.org/licenses/>
+#
+# shellcheck disable=SC1091
+type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
+
+if [ ! -e "/etc/veritytab" ];then
+    return
+fi
+
+read -r name data_device hash_device root_hash options < /etc/veritytab
+
+if [ "$(echo "${data_device}" | cut -f1 -d=)" = "UUID" ];then
+    data_device=/dev/disk/by-uuid/$(echo "${data_device}" | cut -f2 -d=)
+fi
+if [ "$(echo "${hash_device}" | cut -f1 -d=)" = "UUID" ];then
+    hash_device=/dev/disk/by-uuid/$(echo "${hash_device}" | cut -f2 -d=)
+fi
+
+veritysetup="veritysetup open "
+veritysetup="${veritysetup} ${data_device} ${name} ${hash_device} ${root_hash}"
+
+for option in $(echo "${options}" | tr , " ");do
+    veritysetup="${veritysetup} --${option}"
+done
+
+eval "${veritysetup}"

dracut/modules.d/80kiwi-verity/module-setup.sh

@@ -30,6 +30,11 @@ depends() {
 }
 
 install() {
-    inst_multiple /usr/bin/kiwi-parse-verity /usr/sbin/veritysetup
+    inst_multiple \
+        /usr/bin/kiwi-parse-verity \
+        /usr/sbin/veritysetup \
+        cut \
+        tr
     inst_hook initqueue/settled 70 "$moddir/kiwi-verity-setup.sh"
+    inst_hook initqueue/settled 71 "$moddir/kiwi-veritytab-setup.sh"
 }

kiwi.yml

@@ -101,9 +101,6 @@
 #      # verify that the URL for imageinclude repos is accessable
 #      - check_image_include_repos_publicly_resolvable
 
-#      # verify secure boot setup disabled for overlay configured disk images
-#      - check_efi_mode_for_disk_overlay_correctly_setup
-
 #      # verify for legacy kiwi boot images that they exist on the host
 #      - check_boot_description_exists
 

kiwi/bootloader/config/base.py

@@ -60,6 +60,7 @@ def __init__(self, xml_state, root_dir, boot_dir=None, custom_args={}):
         self.proc_mount = None
         self.sys_mount = None
         self.tmp_mount = None
+        self.etc_kernel_mount = None
 
         self.root_filesystem_is_overlay = xml_state.build_type.get_overlayroot()
         self.post_init(custom_args)
@@ -555,16 +556,24 @@ def _mount_system(
 
         if self.root_filesystem_is_overlay:
             # In case of an overlay root system all parts of the rootfs
-            # are read-only by squashfs except for the extra boot partition.
-            # However tools like grub's mkconfig creates temporary files
-            # at call time and therefore /tmp needs to be writable during
-            # the call time of the tools
+            # are read-only. However tools like grub's mkconfig creates
+            # temporary files at call time and therefore /tmp needs to
+            # be writable during the call time of the tools
             self.tmp_mount = MountManager(
                 device='/tmp',
                 mountpoint=self.root_mount.mountpoint + '/tmp'
             )
             self.tmp_mount.bind_mount()
 
+            # There are also tools that writes to /etc/kernel, e.g
+            # systemd-boot. If it exists we map it to the ESP
+            etc_kernel = f'{self.root_mount.mountpoint}/etc/kernel'
+            if os.path.exists(etc_kernel):
+                self.etc_kernel_mount = MountManager(
+                    device=efi_device, mountpoint=etc_kernel
+                )
+                self.etc_kernel_mount.mount()
+
         self.device_mount = MountManager(
             device='/dev',
             mountpoint=self.root_mount.mountpoint + '/dev'
@@ -600,6 +609,8 @@ def _umount_system(self):
                 self.efi_mount.umount()
             if self.tmp_mount:
                 self.tmp_mount.umount()
+            if self.etc_kernel_mount:
+                self.etc_kernel_mount.umount()
             if self.boot_mount:
                 self.boot_mount.umount()
             if self.root_mount:
@@ -626,13 +637,17 @@ def _get_root_cmdline_parameter(self, boot_device):
                 return root_search.group(1)
         if boot_device:
             if self.xml_state.build_type.get_overlayroot():
-                # In case of an overlay setup the root partition is a squashfs
-                # In this case the root location can only be specified by the
-                # partition uuid because squashfs itself doesn't have one.
+                # In case of an overlay setup the root partition is read-only
+                # In this case the root location will be specified by the
+                # partition uuid because not all read-only filesystems have one.
                 # Exception to this is if the overlay is also encrypted
+                # Exception to this is if the overlay is on verity
+                verity = self.xml_state.build_type.get_verity_blocks()
                 luks = self.xml_state.get_luks_credentials()
                 if luks is not None:
                     return 'root=overlay:MAPPER=luks'
+                elif verity:
+                    return 'root=overlay:MAPPER=verityroot'
                 else:
                     root_location = self._get_location(
                         boot_device, 'by-partuuid'