Add UKI feature

Unified kernel image (UKI) is a single executable which can be booted
directly from UEFI firmware, or automatically sourced by boot-loaders
with little or no configuration.

Signed-off-by: Alexey Gladkov <[email protected]>

Author: legionus

features/uki/README.md

@@ -0,0 +1,31 @@
+# Feature: uki
+
+Unified kernel image (UKI) is a single executable which can be booted directly
+from UEFI firmware, or automatically sourced by boot-loaders with little or no
+configuration.
+
+See https://uapi-group.org/specifications/specs/unified_kernel_image/
+
+## Parameters
+
+- **UKI_FEATURES** -- Variable contains a list of features that will be
+  added to the UEFI image.
+- **UKI_SPLASH_IMAGE** -- Variable contains a filename which will be used as a
+  splash image when creating an UEFI (Optional). Requires bitmap (.bmp) image
+  format.
+- **UKI_CMDLINE** -- Variable contains a list of kernel cmdline parameters.
+  If the variable is not specified, the parameters from `/etc/cmdline.d/*.conf`
+  will be taken. If the directory `/etc/cmdline.d` does not exist, the
+  parameters from `/proc/cmdline` will be taken.
+- **UKI_KERNEL** -- The variable specifies the kernel image filename. If not
+  specified, the image will be guessed.
+- **UKI_SBAT** -- CSV lines encoded the SBAT metadata for the image (Optional).
+- **UKI_UEFI_STUB** -- A simple UEFI kernel boot stub. By default,
+  systemd-stub(7) is used. But an independent [stubby](https://github.com/puzzleos/stubby)
+  can also be used.
+
+## ToDo
+
+- Multi-Profile UKIs
+- PE Addons
+- UKI TPM PCR Measurements

features/uki/bin/find-kernel

@@ -0,0 +1,93 @@
+#!/bin/bash -eu
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+. shell-error
+
+BOOTDIR="${BOOTDIR:-/boot}"
+arch="${ARCH:-$(uname -m)}"
+kversion="${KERNEL:-$(uname -r)}"
+
+show_usage()
+{
+	cat <<-EOF
+	Usage: $PROG [options]
+
+	The utility shows the kernel image.
+
+	Options:
+	  --arch=ARCH                 Use ARCH as target architecture instead of `uname -m`;
+	  -k, --set-version=VERSION   Use VERSION instead of `uname -r`;
+	  -h, --help                  Show this text and exit.
+
+	Report bugs to authors.
+
+	EOF
+	exit
+}
+
+TEMP=`getopt -n "$PROG" -o "k:,h" -l "arch:,set-version:,help" -- "$@"` ||
+	show_usage
+eval set -- "$TEMP"
+
+while :; do
+	case "$1" in
+		--arch) shift
+			arch="$1"
+			;;
+		-k|--set-version) shift
+			kversion="$1"
+			;;
+		-h|--help)
+			show_usage
+			;;
+		--) shift; break
+			;;
+		*) fatal "unrecognized option: $1"
+			;;
+	esac
+	shift
+done
+
+efi_type=
+
+if [ -n "$arch" ]; then
+        case "$arch" in
+            x86_64)  efi_type=x64  ;;
+            i?86)    efi_type=ia32 ;;
+            aarch64) efi_type=aa64 ;;
+            *)
+                fatal "Architecture '$arch' not supported to create a UEFI executable"
+                ;;
+        esac
+fi
+
+for ent in "$BOOTDIR"/loader/entries/*.conf; do
+	[ -s "$ent" ] ||
+		continue
+
+	version='' architecture='' linux=''
+
+	while read -r k v; do
+		case "$k" in
+			architecture) architecture="$v" ;;
+			version)      version="$v"      ;;
+			linux)        linux="$v"        ;;
+		esac
+	done < "$ent"
+
+	[ -z "$architecture" ] || [ "$architecture" = "$efi_type" ] ||
+		continue
+
+	[ "$version" = "$kverion" ] ||
+		continue
+
+	[ -n "$linux" ] ||
+		continue
+
+	! readlink -ev -- "$linux" 2>/dev/null ||
+		exit 0
+done
+
+readlink -ev -- "$BOOTDIR/vmlinuz-$kversion" 2>/dev/null ||
+readlink -ev -- "/lib/modules/$kversion/vmlinuz" 2>/dev/null ||
+	fatal "kernel not found"

features/uki/bin/pack-uki

@@ -0,0 +1,181 @@
+#!/bin/bash -eu
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+. sh-functions
+. shell-error
+
+BOOTDIR="${BOOTDIR:-/boot}"
+PROCFS_PATH="${PROCFS_PATH:-/proc}"
+arch="${ARCH:-$(uname -m)}"
+
+uefi_stub="${UKI_UEFI_STUB-}"
+kernel="${UKI_KERNEL-}"
+initrd="$workdir/initrd.img"
+outfile="${UKI_EFI_INTERNAL_IMAGE:-$workdir/linux.efi}"
+
+
+get_offset_value()
+{
+	local idx name size vma lma file_off algn
+
+	printf -v "$1" '0'
+
+	while read -r idx name size vma lma file_off algn; do
+		[ -z "$idx" ] || [ -z "${idx##*[!0-9]*}" ] ||
+			printf -v "$1" '%s' "$(( 16#${size} + 16#${vma} ))"
+	done < <(objdump -h "$2" 2>/dev/null)
+}
+
+filter_objdump()
+{
+	local k a b c d e;
+
+	eval "$1=('' '' '' '' '')"
+
+	while read -r k a b c d e; do
+		[ "$k" != "$3" ] ||
+			eval "$1=(\"\$a\" \"\$b\" \"\$c\" \"\$d\" \"\$e\")"
+	done < <(objdump -p "$2" 2>/dev/null)
+}
+
+pe_get_int_value()
+{
+	local values
+	filter_objdump values "$2" "$3"
+
+	[ -n "${values[0]}" ] &&
+		printf -v "$1" '%s' "$(( 16#${values[0]} ))" ||
+		return 1
+}
+
+pe_file_format()
+{
+	local magic=0
+	pe_get_int_value magic "$1" "Magic"
+
+	case "$magic" in
+		267|523) # 010b (PE32) | 020b (PE32+)
+			return 0
+			;;
+	esac
+	return 1
+}
+
+section_align=0
+offset=0
+update_section_offset()
+{
+	[ "$#" -eq 0 ] ||
+		offset=$(( $offset + $(stat -Lc%s "$1") ))
+	offset=$(( $offset + $section_align - $offset % $section_align ))
+}
+
+args=()
+add_section()
+{
+	local offs
+	printf -v offs '0x%x' "$offset"
+	args+=( --add-section "$1=$2" --change-section-vma "$1=$offs" )
+	update_section_offset "$2"
+}
+
+[ -n "$kernel" ] ||
+	kernel="$("$FEATURESDIR"/uki/bin/find-kernel)"
+
+[ -f "$kernel" ] ||
+	fatal "Can't find a kernel image to create a UEFI executable"
+
+verbose "Kernel image: $kernel"
+
+if [ -z "$uefi_stub" ]; then
+	case "$arch" in
+		x86_64)  efi_type=x64  ;;
+		i?86)    efi_type=ia32 ;;
+		aarch64) efi_type=aa64 ;;
+		*)
+			fatal "Architecture '$arch' not supported to create a UEFI executable"
+			;;
+	esac
+
+	uefi_stub="/usr/lib/systemd/boot/efi/linux${efi_type}.efi.stub"
+fi
+
+pe_file_format "$uefi_stub" ||
+	fatal "wrong file format: $uefi_stub"
+
+verbose "UEFI stub file: $uefi_stub"
+
+get_offset_value offset "$uefi_stub"
+
+[ $offset -gt 0 ] ||
+	fatal "failed to get the size of $uefi_stub to create UEFI image file"
+
+pe_get_int_value section_align "$uefi_stub" SectionAlignment ||
+	fatal "failed to get the SectionAlignment of the stub PE header to create the UEFI image file"
+
+image_base=0
+pe_get_int_value image_base "$uefi_stub" ImageBase ||
+	fatal "failed to get the ImageBase of the stub PE header to create the UEFI image file"
+
+printf -v image_base '0x%x' "$image_base"
+
+args=( --image-base="$image_base" )
+
+update_section_offset
+
+for f in /usr/lib/os-release /etc/os-release; do
+	if [ -s "$f" ]; then
+		add_section ".osrel" "$f"
+		break
+	fi
+done
+
+# shellcheck disable=SC2206
+cmdline=( ${UKI_CMDLINE-} )
+
+if [ "${#cmdline[@]}" -gt 0 ]; then
+	:;
+elif [ -d /etc/cmdline.d ]; then
+	for conf in /etc/cmdline.d/*.conf; do
+		[ -e "$conf" ] ||
+			continue
+		while read -r l; do
+			# shellcheck disable=SC2206
+			cmdline+=( $l )
+		done < "$conf"
+	done
+elif [ -e "$PROCFS_PATH/cmdline" ]; then
+	while read -r l; do
+		# shellcheck disable=SC2206
+		cmdline+=( $l )
+	done < "$PROCFS_PATH/cmdline"
+fi
+
+verbose "UEFI kernel cmdline: ${cmdline[*]}"
+
+uefi_cmdline="$workdir/cmdline.txt"
+printf >"$uefi_cmdline" '%s\0' "${cmdline[*]}"
+
+add_section ".cmdline" "$uefi_cmdline"
+
+if [ -n "${UKI_SPLASH_IMAGE-}" ] && [ -s "$UKI_SPLASH_IMAGE" ]; then
+	add_section ".splash" "$UKI_SPLASH_IMAGE"
+	verbose "UEFI splash image: $UKI_SPLASH_IMAGE"
+fi
+
+uefi_sbat="$workdir/uki.sbat"
+printf >"$uefi_sbat" '%s\n' \
+	"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md" \
+	${UKI_SBAT:+"$UKI_SBAT"}
+
+add_section ".sbat"   "$uefi_sbat"
+add_section ".linux"  "$kernel"
+add_section ".initrd" "$initrd"
+
+uefi_stub_file="$workdir/stub.efi"
+
+cp $verbose -f -- "$uefi_stub" "$uefi_stub_file"
+objcopy --remove-section ".sbat" "$uefi_stub_file" >/dev/null 2>&1
+objcopy $verbose "${args[@]}" "$uefi_stub_file" "$outfile"
+
+rm -f -- "$uefi_cmdline" "$uefi_sbat" "$uefi_stub_file" "$initrd"

features/uki/config.mk

@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+UKI_FEATURES = \
+	modules-blockdev \
+	modules-crypto-user-api \
+	modules-filesystem \
+	modules-multiple-devices \
+	modules-network \
+	modules-nfs
+
+UKI_PROGS = objdump objcopy
+
+UKI_UEFI_STUB ?=
+UKI_SBAT ?=
+UKI_KERNEL ?=
+UKI_CMDLINE ?=
+UKI_SPLASH_IMAGE ?=
+
+UKI_EFIDIR    ?= $(firstword $(wildcard /efi/EFI $(BOOTDIR)/efi/EFI $(BOOTDIR)))
+UKI_IMAGEFILE ?= $(UKI_EFIDIR)/linux-$(KERNEL)$(IMAGE_SUFFIX).efi
+
+FEATURES += $(if $(UKI),$(UKI_FEATURES))

features/uki/rules.mk

@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+PHONY += pack-uki install
+
+PUT_FEATURE_PROGS += $(UKI_PROGS)
+
+UKI_EFI_INTERNAL_IMAGE := $(WORKDIR)/linux.efi
+
+pack-uki: pack $(call if-active-feature,ucode compress bootconfig)
+	@$(VMSG) "Packing UKI image ..."
+	@$(FEATURESDIR)/uki/bin/pack-uki
+
+install: pack-uki
+	@$(VMSG) "Installing UKI image ..."
+	@if [ -f "$(TEMPDIR)/images" ] && grep -Fxqs "$(UKI_IMAGEFILE)" "$(TEMPDIR)/images"; then \
+	    echo ""; \
+	    echo "An attempt to create two images with the same name. There is possibility"; \
+	    echo "that you forgot to define IMAGE_SUFFIX or UKI_IMAGEFILE in one of the config files."; \
+	    echo ""; \
+	    echo "ERROR: Unable to overwrite the image $(UKI_IMAGEFILE)"; \
+	    echo ""; \
+	    exit 1; \
+	fi >&2
+	@$(TOOLSDIR)/show-install-info "$(UKI_EFI_INTERNAL_IMAGE)"
+	@chmod 600 -- "$(UKI_EFI_INTERNAL_IMAGE)"
+	@mv -f $(verbose) -- "$(UKI_EFI_INTERNAL_IMAGE)" "$(UKI_IMAGEFILE)"
+	@echo "$(UKI_IMAGEFILE)" >> "$(TEMPDIR)/images"
+
+IMAGEFILE = $(UKI_IMAGEFILE)
+genimage:

mk/functions.mk.in

@@ -74,7 +74,7 @@ endef
 
 define get-all-features
 $(strip $(if $(filter get-all-features,$(0)),\
-	$(sort $(filter-out ,$(call expand-features,FEATURE-REQUIRES,$(FEATURES))))))
+	$(sort $(filter-out ,$(call expand-features,FEATURE-REQUIRES,$(FEATURES) $(if $(UKI),uki))))))
 endef
 
 define get-all-disable-features

mk/genimage.mk.in

@@ -5,7 +5,12 @@
 # The previous call to 'guess' has already done this.
 IGNORE_DEPMOD := 1
 
+# Replace 'install' target by UKI feature because regular initramfs must be
+# converted to create a UEFI image.
+INSTALL_TARGET_SUFFIX := $(if $(UKI),-uki-disabled)
+
 PHONY += create pack install genimage
+PHONY += install$(INSTALL_TARGET_SUFFIX)
 
 create: depmod-host
 	@$(VMSG) "Creating initrd image ..."
@@ -18,7 +23,7 @@ pack: create
 	@$(VMSG) "Packing image to archive ..."
 	@$(TOOLSDIR)/pack-image
 
-install: pack
+install$(INSTALL_TARGET_SUFFIX): pack
 	@$(VMSG) "Installing image ..."
 	@if [ -f "$(TEMPDIR)/images" ] && grep -Fxqs "$(IMAGEFILE)" "$(TEMPDIR)/images"; then \
 	    echo ""; \