Provide a package with systemd-ukify+systemd-measure (#689)

2025-08-02 00:00:52 +00:00 · 2024-02-16 22:17:59 +01:00 · 2024-02-16 22:17:59 +01:00 · fadc193e63
commit fadc193e63
parent 7856d37947
2 changed files with 27 additions and 5 deletions
--- a/packages/system/systemd/build.yaml
+++ b/packages/system/systemd/build.yaml
@ -3,25 +3,39 @@ image: {{ .Values.image }}
 package_dir: /package

 prelude:
-  - dnf update -y && dnf install -y gcc meson git ninja-build gperf libpcap libcap libcap-devel cmake libmount-devel python3-jinja2 rsync diffutils python3-pyelftools
+  - dnf update -y && dnf install -y gcc meson git ninja-build gperf libpcap libcap libcap-devel cmake libmount-devel python3-jinja2 rsync diffutils python3-pyelftools openssl-devel tpm2-*
  - mkdir -p src/
  - PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && cd src/ && git clone --branch v${PACKAGE_VERSION} https://github.com/systemd/systemd.git

 steps:
  # Minimal systemd build, remove almost everything, we only interested in the efi boot files
-  - cd src/systemd && meson setup build -Dmode=release -Dbootloader=true -Defi=true -Dnss-resolve=disabled -Dlogind=false -Dcoredump=false -Dhomed=disabled -Dfirstboot=false -Dhostnamed=false -Dhibernate=false -Dinitrd=false -Dimportd=false -Dkernel-install=false -Dlocaled=false -Dmachined=false -Dnetworkd=false -Dnss-myhostname=false -Dnss-mymachines=false -Dnss-systemd=false -Doomd=false -Dportabled=false -Dhwdb=false -Dpstore=false -Dquotacheck=false -Drandomseed=false -Drepart=false -Dresolve=false -Drfkill=false -Dsysext=false -Danalyze=false -Dsysupdate=false -Dsysusers=false -Dstoragetm=false -Dtimedated=false -Dtimesyncd=false -Dtmpfiles=false -Duserdb=false -Dvconsole=false -Dxdg-autostart=false -Didn=false -Dpolkit=false -Dnscd=false -Dkmod=false -Ddbus=false -Dglib=false -Dbacklight=false -Dldconfig=false -Dgshadow=false -Dwheel-group=false -Dadm-group=false -Dxkbcommon=false -Dzstd=false -Dlz4=false -Dutmp=false -Dlink-udev-shared=false -Dlink-systemctl-shared=false -Dlink-networkd-shared=false -Dlink-timesyncd-shared=false -Dlink-journalctl-shared=false -Dlink-boot-shared=false -Dlink-portabled-shared=false -Dblkid=false -Denvironment-d=false -Dqrencode=false -Dpwquality=false -Dlibcurl=false -Dfdisk=false -Dlibidn2=false -Dlibiptc=false -Dopenssl=false -Ddns-over-tls=false -Didn=false -Dgnutls=false -Dp11kit=false -Dlibidn=false -Dlibidn2=false -Dgcrypt=false -Dxz=false -Dzlib=false -Dbzip2=false
+  # To get systemd-measure to build we need to set blkid, openssl and bootloader to true
+  # Set also the shared lib name with an appended kairos so we can use it everywhere without overwriting the system one
+  - PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && cd src/systemd && meson setup build -Dmode=release -Dbootloader=true -Defi=true -Dblkid=true -Dopenssl=true -Dshared-lib-tag=${PACKAGE_VERSION}-kairos -Dnss-resolve=disabled -Dlogind=false -Dcoredump=false -Dhomed=disabled -Dfirstboot=false -Dhostnamed=false -Dhibernate=false -Dinitrd=false -Dimportd=false -Dkernel-install=false -Dlocaled=false -Dmachined=false -Dnetworkd=false -Dnss-myhostname=false -Dnss-mymachines=false -Dnss-systemd=false -Doomd=false -Dportabled=false -Dhwdb=false -Dpstore=false -Dquotacheck=false -Drandomseed=false -Drepart=false -Dresolve=false -Drfkill=false -Dsysext=false -Danalyze=false -Dsysupdate=false -Dsysusers=false -Dstoragetm=false -Dtimedated=false -Dtimesyncd=false -Dtmpfiles=false -Duserdb=false -Dvconsole=false -Dxdg-autostart=false -Didn=false -Dpolkit=false -Dnscd=false -Dkmod=false -Ddbus=false -Dglib=false -Dbacklight=false -Dldconfig=false -Dgshadow=false -Dwheel-group=false -Dadm-group=false -Dxkbcommon=false -Dzstd=false -Dlz4=false -Dutmp=false -Dlink-udev-shared=false -Dlink-systemctl-shared=false -Dlink-networkd-shared=false -Dlink-timesyncd-shared=false -Dlink-journalctl-shared=false -Dlink-boot-shared=false -Dlink-portabled-shared=false -Denvironment-d=false -Dqrencode=false -Dpwquality=false -Dlibcurl=false -Dfdisk=false -Dlibidn2=false -Dlibiptc=false -Ddns-over-tls=false -Didn=false -Dgnutls=false -Dp11kit=false -Dlibidn=false -Dlibidn2=false -Dgcrypt=false -Dxz=false -Dzlib=false -Dbzip2=false
  - cd src/systemd && ninja -C build
+{{if eq .Values.name "systemd-boot"}}
  # Artifacts located at src/systemd/build/src/boot/efi/
  # change the x64 to aa64 for arm64
  - mkdir -p /package/usr/kairos/
-{{ if .Values.arch }}
-  {{ if eq .Values.arch "arm64" }}
+  {{ if .Values.arch }}
+    {{ if eq .Values.arch "arm64" }}
  - cp src/systemd/build/src/boot/efi/systemd-bootaa64.efi /package/usr/kairos/
  - cp src/systemd/build/src/boot/efi/linuxaa64.efi.stub /package/usr/kairos/
  - cp src/systemd/build/src/boot/efi/addonaa64.efi.stub /package/usr/kairos/
-  {{else}}
+    {{else}}
  - cp src/systemd/build/src/boot/efi/systemd-bootx64.efi /package/usr/kairos/
  - cp src/systemd/build/src/boot/efi/linuxx64.efi.stub /package/usr/kairos/
  - cp src/systemd/build/src/boot/efi/addonx64.efi.stub /package/usr/kairos/
+    {{end}}
  {{end}}
+{{else if eq .Values.name "systemd-ukify"}}
+  - mkdir -p /package/usr/lib/systemd/
+  - mkdir -p /package/usr/bin/
+  # ukify calls systemd-measure to measure and sign
+  - cp src/systemd/build/systemd-measure /package/usr/lib/systemd/
+  - PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && cp src/systemd/build/src/shared/libsystemd-shared-${PACKAGE_VERSION}-kairos.so /package/usr/lib/systemd/
+  # ukify is copied in two places according to upstream, I guess to maintain backwards compatibility
+  - cp src/systemd/build/ukify /package/usr/bin/
+  - cp src/systemd/build/ukify /package/usr/lib/systemd/
 {{end}}
+  - ls -ltra /package
--- a/packages/system/systemd/collection.yaml
+++ b/packages/system/systemd/collection.yaml
@ -7,3 +7,11 @@ packages:
      github.repo: "systemd"
      autobump.revdeps: "true"
      github.owner: "systemd"
+  - name: "systemd-ukify"
+    category: "system"
+    version: "255+1"
+    image: "fedora:39"
+    labels:
+      github.repo: "systemd"
+      autobump.revdeps: "true"
+      github.owner: "systemd"