Add UKI mode

Signed-off-by: Alexey Gladkov <[email protected]>

Author: legionus

features/uki/README.md

@@ -0,0 +1,5 @@
+# Feature: uki
+
+Unified kernel image (UKI) is a single executable which can be booted directly
+from UEFI firmware, or automatically sourced by boot-loaders with little or no
+configuration.

features/uki/bin/find-kernel

@@ -0,0 +1,93 @@
+#!/bin/bash -eu
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+. shell-error
+
+BOOTDIR="${BOOTDIR:-/boot}"
+arch="${ARCH:-$(uname -m)}"
+kversion="${KERNEL:-$(uname -r)}"
+
+show_usage()
+{
+	cat <<-EOF
+	Usage: $PROG [options]
+
+	The utility shows the kernel image.
+
+	Options:
+	  --arch=ARCH                 Use ARCH as target architecture instead of `uname -m`;
+	  -k, --set-version=VERSION   Use VERSION instead of `uname -r`;
+	  -h, --help                  Show this text and exit.
+
+	Report bugs to authors.
+
+	EOF
+	exit
+}
+
+TEMP=`getopt -n "$PROG" -o "k:,h" -l "arch:,set-version:,help" -- "$@"` ||
+	show_usage
+eval set -- "$TEMP"
+
+while :; do
+	case "$1" in
+		--arch) shift
+			arch="$1"
+			;;
+		-k|--set-version) shift
+			kversion="$1"
+			;;
+		-h|--help)
+			show_usage
+			;;
+		--) shift; break
+			;;
+		*) fatal "unrecognized option: $1"
+			;;
+	esac
+	shift
+done
+
+efi_type=
+
+if [ -n "$arch" ]; then
+        case "$arch" in
+            x86_64)  efi_type=x64  ;;
+            i?86)    efi_type=ia32 ;;
+            aarch64) efi_type=aa64 ;;
+            *)
+                fatal "Architecture '$arch' not supported to create a UEFI executable"
+                ;;
+        esac
+fi
+
+for ent in "$BOOTDIR"/loader/entries/*.conf; do
+	[ -s "$ent" ] ||
+		continue
+
+	version='' architecture='' linux=''
+
+	while read -r k v; do
+		case "$k" in
+			architecture) architecture="$v" ;;
+			version)      version="$v"      ;;
+			linux)        linux="$v"        ;;
+		esac
+	done < "$ent"
+
+	[ -z "$architecture" ] || [ "$architecture" = "$efi_type" ] ||
+		continue
+
+	[ "$version" = "$kverion" ] ||
+		continue
+
+	[ -n "$linux" ] ||
+		continue
+
+	! readlink -ev -- "$linux" 2>/dev/null ||
+		exit 0
+done
+
+readlink -ev -- "$BOOTDIR/vmlinuz-$kversion" 2>/dev/null ||
+readlink -ev -- "/lib/modules/$kversion/vmlinuz" 2>/dev/null ||
+	fatal "kernel not found"

features/uki/bin/pack-uefi

@@ -0,0 +1,173 @@
+#!/bin/bash -eu
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+. sh-functions
+. shell-error
+
+BOOTDIR="${BOOTDIR:-/boot}"
+PROCFS_PATH="${PROCFS_PATH:-/proc}"
+arch="${ARCH:-$(uname -m)}"
+
+uefi_stub="${UKI_UEFI_STUB-}"
+kernel="${UKI_KERNEL-}"
+initrd="$workdir/initrd.img"
+outfile="${UKI_EFI_INTERNAL_IMAGE:-$workdir/linux.efi}"
+
+
+get_offset_value()
+{
+	local idx name size vma lma file_off algn
+
+	printf -v "$1" '0'
+
+	while read -r idx name size vma lma file_off algn; do
+		[ -z "$idx" ] || [ -z "${idx##*[!0-9]*}" ] ||
+			printf -v "$1" '%s' "$(( 16#${size} + 16#${vma} ))"
+	done < <(objdump -h "$2" 2>/dev/null)
+}
+
+filter_objdump()
+{
+	local k a b c d e;
+
+	eval "$1=('' '' '' '' '')"
+
+	while read -r k a b c d e; do
+		[ "$k" != "$3" ] ||
+			eval "$1=(\"\$a\" \"\$b\" \"\$c\" \"\$d\" \"\$e\")"
+	done < <(objdump -p "$2" 2>/dev/null)
+}
+
+pe_get_int_value()
+{
+	local values
+	filter_objdump values "$2" "$3"
+
+	[ -n "${values[0]}" ] &&
+		printf -v "$1" '%s' "$(( 16#${values[0]} ))" ||
+		return 1
+}
+
+pe_file_format()
+{
+	local magic=0
+	pe_get_int_value magic "$1" "Magic"
+
+	case "$magic" in
+		267|523) # 010b (PE32) | 020b (PE32+)
+			return 0
+			;;
+	esac
+	return 1
+}
+
+section_align=0
+offset=0
+update_section_offset()
+{
+	[ "$#" -eq 0 ] ||
+		offset=$(( $offset + $(stat -Lc%s "$1") ))
+	offset=$(( $offset + $section_align - $offset % $section_align ))
+}
+
+args=()
+add_section()
+{
+	local offs
+	printf -v offs '0x%x' "$offset"
+	args+=( --add-section "$1=$2" --change-section-vma "$1=$offs" )
+	update_section_offset "$2"
+}
+
+[ -n "$kernel" ] ||
+	kernel="$("$FEATURESDIR"/uki/bin/find-kernel)"
+
+[ -f "$kernel" ] ||
+	fatal "Can't find a kernel image to create a UEFI executable"
+
+if [ -z "$uefi_stub" ]; then
+	case "$arch" in
+		x86_64)  efi_type=x64  ;;
+		i?86)    efi_type=ia32 ;;
+		aarch64) efi_type=aa64 ;;
+		*)
+			fatal "Architecture '$arch' not supported to create a UEFI executable"
+			;;
+	esac
+
+	uefi_stub="/usr/lib/systemd/boot/efi/linux${efi_type}.efi.stub"
+fi
+
+pe_file_format "$uefi_stub" ||
+	fatal "wrong file format: $uefi_stub"
+
+get_offset_value offset "$uefi_stub"
+
+[ $offset -gt 0 ] ||
+	fatal "failed to get the size of $uefi_stub to create UEFI image file"
+
+pe_get_int_value section_align "$uefi_stub" SectionAlignment ||
+	fatal "failed to get the SectionAlignment of the stub PE header to create the UEFI image file"
+
+image_base=0
+pe_get_int_value image_base "$uefi_stub" ImageBase ||
+	fatal "failed to get the ImageBase of the stub PE header to create the UEFI image file"
+
+printf -v image_base '0x%x' "$image_base"
+
+args=( --image-base="$image_base" )
+
+update_section_offset
+
+for f in /usr/lib/os-release /etc/os-release; do
+	if [ -s "$f" ]; then
+		add_section ".osrel" "$f"
+		break
+	fi
+done
+
+# shellcheck disable=SC2206
+cmdline=( ${UKI_CMDLINE-} )
+
+if [ "${#cmdline[@]}" -gt 0 ]; then
+	:;
+elif [ -d /etc/cmdline.d ]; then
+	for conf in /etc/cmdline.d/*.conf; do
+		[ -e "$conf" ] ||
+			continue
+		while read -r l; do
+			# shellcheck disable=SC2206
+			cmdline+=( $l )
+		done < "$conf"
+	done
+elif [ -e "$PROCFS_PATH/cmdline" ]; then
+	while read -r l; do
+		# shellcheck disable=SC2206
+		cmdline+=( $l )
+	done < "$PROCFS_PATH/cmdline"
+fi
+
+uefi_cmdline="$workdir/cmdline.txt"
+printf >"$uefi_cmdline" '%s\0' "${cmdline[*]}"
+
+add_section ".cmdline" "$uefi_cmdline"
+
+[ -z "${UKI_SPLASH_IMAGE-}" ] || [ ! -s "$UKI_SPLASH_IMAGE" ] ||
+	add_section ".splash" "$UKI_SPLASH_IMAGE"
+
+uefi_sbat="$workdir/uki.sbat"
+printf >"$uefi_sbat" '%s\n' \
+	"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md" \
+	${UKI_SBAT:+"$UKI_SBAT"}
+
+add_section ".sbat"   "$uefi_sbat"
+add_section ".linux"  "$kernel"
+add_section ".initrd" "$initrd"
+
+uefi_stub_file="$workdir/stub.efi"
+
+cp $verbose -f -- "$uefi_stub" "$uefi_stub_file"
+objcopy --remove-section ".sbat" "$uefi_stub_file" >/dev/null 2>&1
+objcopy $verbose "${args[@]}" "$uefi_stub_file" "$outfile"
+
+rm -f -- "$uefi_cmdline" "$uefi_sbat" "$uefi_stub_file" "$initrd"

features/uki/config.mk

@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+$(call feature-requires,\
+	$(call if-active-feature,btrfs mdadm lvm luks devmapper) \
+	add-modules add-udev-rules \
+	modules-blockdev \
+	modules-crypto-user-api \
+	modules-filesystem \
+	modules-multiple-devices \
+	modules-network \
+	modules-nfs)
+
+$(call feature-disables,compress)
+
+UKI_PROGS = objdump objcopy
+
+UKI_UEFI_STUB =
+UKI_SBAT =
+UKI_KERNEL =
+UKI_CMDLINE =
+UKI_SPLASH_IMAGE =
+
+UKI_EFIDIR    ?= $(firstword $(wildcard /efi/EFI $(BOOTDIR)/efi/EFI $(BOOTDIR)))
+UKI_IMAGEFILE ?= $(UKI_EFIDIR)/linux-$(KERNEL).efi

features/uki/rules.mk

@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+PUT_FEATURE_PROGS += $(UKI_PROGS)
+
+UKI_EFI_INTERNAL_IMAGE := $(WORKDIR)/linux.efi
+
+pack-uefi: pack $(call if-active-feature,ucode bootconfig)
+	@$(VMSG) "Packing UEFI image ..."
+	@$(FEATURESDIR)/uki/bin/pack-uefi
+
+install: pack-uefi
+	@$(MSG) 'Used features: $(USED_FEATURES)'
+	@$(MSG_N) 'Packed modules: '
+	@find $(ROOTDIR)/lib/modules/$(KERNEL) -type f \( -name '*.ko'  -o -name '*.ko.*' \) -printf '%f\n' 2>/dev/null | \
+	    sed -e 's/\.ko\(\.[^\.]\+\)\?$$//' | sort -u | tr '\n' ' '
+	@printf '\n'
+	@if [ -f "$(TEMPDIR)/images" ] && grep -Fxqs "$(UKI_IMAGEFILE)" "$(TEMPDIR)/images"; then \
+	    echo ""; \
+	    echo "An attempt to create two images with the same name. There is possibility" >&2; \
+	    echo "that you forgot to define IMAGE_SUFFIX or IMAGEFILE in one of the config files." >&2; \
+	    echo "" >&2; \
+	    echo "ERROR: Unable to overwrite the image $(UKI_IMAGEFILE)" >&2; \
+	    echo "" >&2; \
+	    exit 1; \
+	else \
+	    $(VMSG) "Installing UKI image ..."; \
+	    $(MSG) "Unpacked size: `du -sh "$(WORKDIR)/img" |cut -f1 ||:`"; \
+	    $(MSG) "Image size: `du -sh "$(UKI_EFI_INTERNAL_IMAGE)" |cut -f1 ||:`"; \
+	    chmod 600 -- "$(UKI_EFI_INTERNAL_IMAGE)"; \
+	    mv -f $(verbose) -- "$(UKI_EFI_INTERNAL_IMAGE)" "$(UKI_IMAGEFILE)"; \
+	    echo "$(UKI_IMAGEFILE)" >> "$(TEMPDIR)/images"; \
+	fi
+
+genimage: install
+	@$(MSG) "Image is saved as $(UKI_IMAGEFILE)"
+	@echo

mk/config.mk.in

@@ -125,7 +125,7 @@ PUT_PROGS ?=
 #
 # See https://github.com/systemd/systemd/blob/main/docs/ELF_DLOPEN_METADATA.md
 #
-IGNORE_PUT_DLOPEN_FEATURE  ?=
+IGNORE_PUT_DLOPEN_FEATURE  ?= /libsystemd-shared-.*\.so:archive
 IGNORE_PUT_DLOPEN_PRIORITY ?=
 
 # Load user configuration

mk/functions.mk.in

@@ -69,7 +69,7 @@ endef
 
 define get-all-features
 $(strip $(if $(filter get-all-features,$(0)),\
-	$(sort $(filter-out ,$(call expand-features,FEATURE-REQUIRES,$(FEATURES))))))
+	$(sort $(filter-out ,$(call expand-features,FEATURE-REQUIRES,$(FEATURES) $(if $(UKI),uki))))))
 endef
 
 define get-all-disable-features