Add verity-sig etc

valtzu · Apr 25, 2024 · 6e98dea · 6e98dea
1 parent 1bf1a33
commit 6e98dea
Show file tree

Hide file tree

Showing 10 changed files with 44 additions and 5 deletions.
diff --git a/curl.txt b/curl.txt
@@ -22,5 +22,11 @@ expand-output="{{fw_dir}}/overlays/disable-bt.dtbo"
 url="https://github.com/pftf/RPi4/releases/download/v1.37/RPi4_UEFI_Firmware_v1.37.zip"
 expand-output="{{dl_dir}}/rpi_uefi.zip"
 
-url="https://raw.githubusercontent.com/raspberrypi/rpi-eeprom/e120a595d49707640c48d5351985315f704dd3f8/rpi-eeprom-digest"
+url="https://raw.githubusercontent.com/raspberrypi/rpi-eeprom/v2024.04.20-2712/rpi-eeprom-digest"
 expand-output="{{dl_dir}}/rpi-eeprom-digest"
+
+url="https://raw.githubusercontent.com/raspberrypi/rpi-eeprom/v2024.04.20-2712/rpi-eeprom-config"
+expand-output="{{dl_dir}}/rpi-eeprom-config"
+
+url="https://raw.githubusercontent.com/raspberrypi/rpi-eeprom/v2024.04.20-2712/firmware-2711/default/pieeprom-2024-04-15.bin"
+expand-output="{{dl_dir}}/pieeprom-2024-04-15.bin"
diff --git a/docs/plan.md b/docs/plan.md
diff --git a/docs/plan.plantuml b/docs/plan.plantuml
@@ -8,7 +8,11 @@ rectangle usr_verity {
 }
 
 rectangle esp {
+    file config.txt as esp/config.txt {
+    }
     artifact boot.img {
+        file "bcm2711-rpi-4-b.dtb"
+        file "overlays/"
         file fixup4.dat
         file start4.elf
         file config.txt
@@ -29,6 +33,10 @@ rectangle esp {
         artifact cmdline
         artifact vmlinux
     }
+
+    artifact "EFI/BOOT/BOOTAA64.efi" as systemd {
+        artifact "systemd-boot"
+    }
 }
 
 sign_key_private.pem -.> sign_key_public.pem

diff --git a/mkosi.extra/usr/lib/repart.d/00-esp.conf b/mkosi.extra/usr/lib/repart.d/00-esp.conf
@@ -3,3 +3,4 @@ Label=boot
 Type=esp
 SizeMinBytes=512M
 SizeMaxBytes=512M
+CopyBlocks=auto
diff --git a/mkosi.extra/usr/lib/repart.d/10-usr-a.conf b/mkosi.extra/usr/lib/repart.d/10-usr-a.conf
@@ -3,4 +3,3 @@ Label=_empty
 Type=usr
 SizeMinBytes=2G
 SizeMaxBytes=2G
-ReadOnly=on
diff --git a/mkosi.extra/usr/lib/repart.d/12-usr-a-verity-sig.conf b/mkosi.extra/usr/lib/repart.d/12-usr-a-verity-sig.conf
@@ -0,0 +1,5 @@
+[Partition]
+Label=_empty
+Type=usr-verity-sig
+SizeMinBytes=16K
+SizeMaxBytes=16K
diff --git a/mkosi.extra/usr/lib/repart.d/22-usr-b-verity-sig.conf b/mkosi.extra/usr/lib/repart.d/22-usr-b-verity-sig.conf
@@ -0,0 +1 @@
+12-usr-a-verity-sig.conf
diff --git a/mkosi.extra/usr/lib/sysupdate.d/30-usr-verity-sig.conf b/mkosi.extra/usr/lib/sysupdate.d/30-usr-verity-sig.conf
@@ -0,0 +1,16 @@
+[Transfer]
+ProtectVersion=%A
+Verify=no
+
+[Source]
+Type=url-file
+Path=https://github.com/valtzu/rpi-mkosi/releases/latest/download
+MatchPattern=%M_@v_@u.usr-verity-sig.raw.xz
+
+[Target]
+Type=partition
+Path=auto
+MatchPattern=%M_@v_verity_sig
+MatchPartitionType=usr-verity-sig
+PartitionFlags=0
+ReadOnly=1
diff --git a/mkosi.repart/10-usr-a.conf b/mkosi.repart/10-usr-a.conf
@@ -2,7 +2,6 @@
 Type=usr
 SizeMinBytes=2G
 SizeMaxBytes=2G
-ReadOnly=on
 Label=%M_%A
 Format=ext4
 CopyFiles=/usr:/

diff --git a/mkosi.repart/12-usr-a-verity-sig.conf b/mkosi.repart/12-usr-a-verity-sig.conf
@@ -0,0 +1,6 @@
+[Partition]
+Label=%M_%A_verity_sig
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr
+SplitName=%U.usr-verity-sig