Age | Commit message (Collapse) | Author |
|
treated as text
This protects against the case where /proc/cmdline contains garbage triggering grep to think it is a binary.
See e.g. https://bugs.archlinux.org/task/76468 for an example.
|
|
|
|
archiso_kms hook with kms
The archiso_kms hook was moved from mkinitcpio-archiso to the mkinitcpio project.
See https://github.com/archlinux/mkinitcpio/commit/7bfe4861eacb3bf6cb70d9a17a0262542733a8ed and https://gitlab.archlinux.org/mkinitcpio/mkinitcpio-archiso/-/commit/dec17db5324285118e2faee296cc990ff1281bd8
|
|
The default is now copytoram=auto which enables copying to RAM when the rootfs image size is less than 4 GiB and free RAM exceeds the rootfs image size + 2 GiB.
See https://gitlab.archlinux.org/mkinitcpio/mkinitcpio-archiso/-/issues/13 and https://gitlab.archlinux.org/mkinitcpio/mkinitcpio-archiso/-/merge_requests/26.
Implements #177.
|
|
Make sure existing sig files are deleted before creating new ones and make sure to not sign any sig files.
This allows retrying failed mkarchiso runs without ending up with files such as vmlinuz.ipxe.sig.ipxe.sig.
Fixes #198
|
|
qemu-guest-agent.service will be started by the /usr/lib/udev/rules.d/99-qemu-guest-agent.rules udev rule.
Fixes #199
|
|
CHANGELOG.rst:
Add changelog for version 67.
|
|
README.rst:
Change referenced PGP key ID from `C7E7849466FE2358343588377258734B41C31549` to
`991F6E3F0765CF6295888586139B09DA5BF0D338`, as the latter is now in used. The keys are cross-signed and both available
via Arch Linux's WKD.
|
|
``-c`` is given.
(gitlab ci)
Added a CA structure to the codesigning certificates.
This to test the functionality of optional CA being in the signing message.
(mkarchiso)
Removed the ``sign_netboot_artifacts`` variable and instead
we'll now rely on ``if [[ -v cert_list ]]; then``.
Added ``ARCHISO_TLS_FD`` and ``ARCHISO_TLSCA_FD`` environment variables
to override the certificates used. This is so that third party CA's can
be used during building in a meaningful way without distrupting the
CA trust that is shipped by default.
_cms_sign_artifact() was added which signs the rootfs using OpenSSL CMS.
The files will be saved as "${artifact}.cms.sig". That would be for instance
"${isofs_dir}/${install_dir}/${arch}/airootfs.sfs.cms.sig".
|
|
CHANGELOG.rst:
Add changelog entry for ordering pacman-init after time-sync.target
|
|
configs/releng/airootfs/etc/systemd/system/pacman-init.service:
Order pacman-init.service after time-sync.target, so that time on the host is synchronized before initializing pacman.
|
|
configs/releng/airootfs/etc/systemd/system/{dbus-org.freedesktop.timesync1},sysinit.target.wants/systemd-timesyncd}.service:
Enable systemd-timesyncd which aliases to dbus-org.freedesktop.timesync1 to ensure time gets synced on the host.
configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-time-wait-sync.service:
Enable systemd-time-wait-sync to ensure time is finished syncing when time-sync.target is finished.
|
|
By Tobias Powalowski
* origin/merge-requests/286:
remove ipw2100-fw and ipw2200-fw, cleanup of [core]
https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/thread/UKXPJEJZPU5PFKAPSATNL2DSWFGNEUCK/
See merge request https://gitlab.archlinux.org/archlinux/archiso/-/merge_requests/286
|
|
|
|
archlinux-keyring-wkd-sync.service needs an initialized pacman keyring to work.
Add BindsTo=etc-pacman.d-gnupg.mount to stop pacman-init.service if the mount unit suddenly enters inactive state.
|
|
|
|
By Christian Hesse
* origin/merge-requests/281:
mkarchiso: touch clock-epoch for extra hint on date and time
See merge request https://gitlab.archlinux.org/archlinux/archiso/-/merge_requests/281
While it feels dirty to place files in /usr/lib/, since it is the package manager's teritory, the path is unfortunately hardcoded.
https://github.com/systemd/systemd/commit/5170afbc55d492f270c8948579324910c8c0b838
|
|
This helps on systems with screwed or broken RTC.
|
|
By Kristian Klausen
* origin/merge-requests/277:
Use VM runners[1] for building
See merge request https://gitlab.archlinux.org/archlinux/archiso/-/merge_requests/277
|
|
Building inside a TCG accelerated qemu VM is slow and painful, but it is
the only option when running in a non-privileged container.
arch-boxes has been built inside a KVM accelerated VMs ("VM runner") for
over 11 months[2] and recently the MR[1] was merged into the
infrastructure repo. With it now being a official part of arch's
infrastructure we should switch to it and get much faster builds.
Doing some quick testing, the whole pipeline is now roughly ~29-84
minutes faster (taking between 7-9 minutes, instead of 36-93 minutes).
[1] https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/385
[2] https://gitlab.archlinux.org/archlinux/arch-boxes/-/commit/3bda5b26a675f241a1e0ba596dc94858839d96fc
Fix #161
|
|
--disable-shim-lock is required to support Secure Boot with custom signatures without using shim.
Otherwise GRUB will trow an error when trying to boot a kernel:
error: shim_lock protocol not found.
error: you need to load the kernel first.
The modules GRUB will use need to be preloaded otherwise the EFI binaries cannot be signed and used for Secure Boot.
See https://bugs.archlinux.org/task/71382.
GRUB will trow en error:
error: verification requested but nobody cares
These changes are done to support Secure Boot using custom keys (not shim) by simply extracting the boot loader
(BOOTx64.EFI and BOOTIA32.EFI), kernel, UEFI shell, signing them and then repacking the ISO.
For example.
Extract the files:
$ osirrox -indev archlinux-YYYY.MM.DD-x86_64.iso \
-extract_boot_images ./ \
-extract /EFI/BOOT/BOOTx64.EFI BOOTx64.EFI \
-extract /EFI/BOOT/BOOTIA32.EFI BOOTIA32.EFI \
-extract /shellx64.efi shellx64.efi \
-extract /shellia32.efi shellia32.efi \
-extract /arch/boot/x86_64/vmlinuz-linux vmlinuz-linux
Make the files writable:
$ chmod +w BOOTx64.EFI BOOTIA32.EFI shellx64.efi shellia32.efi vmlinuz-linux
Sign the files:
$ sbsign --key db.key --cert db.crt --output BOOTx64.EFI BOOTx64.EFI
$ sbsign --key db.key --cert db.crt --output BOOTIA32.EFI BOOTIA32.EFI
$ sbsign --key db.key --cert db.crt --output shellx64.efi shellx64.efi
$ sbsign --key db.key --cert db.crt --output shellia32.efi shellia32.efi
$ sbsign --key db.key --cert db.crt --output vmlinuz-linux vmlinuz-linux
Copy the boot loader and UEFI shell to the EFI system partition image:
$ mcopy -D oO -i eltorito_img2_uefi.img BOOTx64.EFI BOOTIA32.EFI ::/EFI/BOOT/
$ mcopy -D oO -i eltorito_img2_uefi.img shellx64.efi shellia32.efi ::/
Repack the ISO using the modified El Torito UEFI boot image and add the signed boot loader files, UEFI shell and
kernel to ISO9660:
$ xorriso -indev archlinux-YYYY.MM.DD-x86_64.iso \
-outdev archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso \
-boot_image any replay \
-append_partition 2 0xef eltorito_img2_uefi.img \
-map BOOTx64.EFI /EFI/BOOT/BOOTx64.EFI \
-map BOOTIA32.EFI /EFI/BOOT/BOOTIA32.EFI \
-map shellx64.efi /shellx64.efi \
-map shellia32.efi /shellia32.efi \
-map vmlinuz-linux /arch/boot/x86_64/vmlinuz-linux
Boot the resulting archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso.
|
|
Do not limit file copying to only grub.cfg and instead copy all GRUB configuration files and assets to both the ISO9660 and FAT image.
This will allow for including custom images, fonts, etc.
To easily match all non-configuration files (i.e. files without the .cfg extension), bash's extended glob feature will be enabled.
Actions common to multiple _make_bootmode_uefi-*.grub are split off into dedicated functions:
* _make_common_bootmode_grub_copy_to_efibootimg,
* _make_common_bootmode_grub_copy_to_isofs,
* _make_common_bootmode_grub_cfg.
Use the same du command in all efiboot_imgsize variable assignments.
Fixes #185.
|
|
LC_ALL=C.UTF-8, unlike LC_ALL=C, does not override LANGUAGE.
See https://sourceware.org/bugzilla/show_bug.cgi?id=16621 and https://savannah.gnu.org/bugs/?62815
|
|
* origin/merge-requests/273:
Add efibootimg variable in place of full path
See merge request https://gitlab.archlinux.org/archlinux/archiso/-/merge_requests/273
|
|
Update authors
Update CHANGELOG
|
|
|
|
Try to initialize a serial device and use it for input and output.
Add more comments to grub.cfg to explain what is done.
Related to #75
|
|
Fixes #183
|
|
* Set the default boot entry and its timeout.
* Add classes to menu entries to allow theming them.
Fixes #179
|
|
By Alexander Epaneshnikov
* origin/merge-requests/266:
change grub init tune
Closes #180
See merge request https://gitlab.archlinux.org/archlinux/archiso/-/merge_requests/266
|
|
yes it was descriptive but too large. this fixes #180
|
|
Even though archiso created ISOs do not support Secure Boot, having SBAT would allow users to more easily repack the files in the ISO to add a signed shim.
Fixes #174
|
|
* Fix typos and wording,
* Remove impossible TODO.
|
|
airootfs_image_tool_options for mkfs.erofs
As the man page says, it saves more space, although the feature is experimental.
|
|
By plainlinen
* origin/merge-requests/261:
Add implicit package dependencies to PACKAGE_LIST in .gitlab-ci.yml
Closes #176
See merge request https://gitlab.archlinux.org/archlinux/archiso/-/merge_requests/261
|
|
After more than ten years, archiso is once again using GRUB. GRUB! Only this time, it's for UEFI not BIOS boot.
By plainlinen
* origin/merge-requests/256:
Update documentation for uefi x64 grub boot modes
Use grub for uefi x64 boot modes in profiledef.sh
Add *_uefi-x64.grub.* functions to mkarchiso
Add useful grub menu entries to grub.cfg
Closes #63 and #159
See merge request https://gitlab.archlinux.org/archlinux/archiso/-/merge_requests/256.
|
|
CI was working before because these dependencies were already in
the official ISO but include them explicitly to be safe.
|
|
|
|
|
|
|
|
|
|
The glibc 2.35-6 package ships with the C.UTF-8 locale included, so mkarchiso does not need to use a non-UTF-8 locale anymore.
Implements #175.
|
|
The glibc 2.35-6 package ships with the C.UTF-8 locale included.
This means there is now a UTF-8 locale available by default and en_US.UTF-8, which requires editing /etc/locale.gen and running locale-gen, is not needed anymore.
Implements #175.
|
|
* .cer, .crt, .key and .pem are typical file name extensions for TLS certificates and keys. They are used when codesigning with openssl and should never be commited in the repo.
* .img is a generic image file. Such files could be used when repacking an ISO to attach cloud-init CIDATA.
|
|
|
|
|
|
By Alexander Epaneshnikov
* origin/merge-requests/254:
fix boot menu entry sorting
add accessible copytoram entry
enable beeps in boot menu
See merge request !254
|
|
I guess new systemd changed this
|
|
|
|
|