diff --git a/curl.txt b/curl.txt index 8d50a31..3b742a1 100644 --- a/curl.txt +++ b/curl.txt @@ -22,5 +22,11 @@ expand-output="{{fw_dir}}/overlays/disable-bt.dtbo" url="https://github.com/pftf/RPi4/releases/download/v1.37/RPi4_UEFI_Firmware_v1.37.zip" expand-output="{{dl_dir}}/rpi_uefi.zip" -url="https://raw.githubusercontent.com/raspberrypi/rpi-eeprom/e120a595d49707640c48d5351985315f704dd3f8/rpi-eeprom-digest" +url="https://raw.githubusercontent.com/raspberrypi/rpi-eeprom/v2024.04.20-2712/rpi-eeprom-digest" expand-output="{{dl_dir}}/rpi-eeprom-digest" + +url="https://raw.githubusercontent.com/raspberrypi/rpi-eeprom/v2024.04.20-2712/rpi-eeprom-config" +expand-output="{{dl_dir}}/rpi-eeprom-config" + +url="https://raw.githubusercontent.com/raspberrypi/rpi-eeprom/v2024.04.20-2712/firmware-2711/default/pieeprom-2024-04-15.bin" +expand-output="{{dl_dir}}/pieeprom-2024-04-15.bin" diff --git a/docs/plan.md b/docs/plan.md deleted file mode 100644 index 482a7c8..0000000 --- a/docs/plan.md +++ /dev/null @@ -1,2 +0,0 @@ -- Include pieeprom.upd to add public key to eeprom? -- Delete 00-esp.conf, 10-usr-a.conf & 11-usr-a-verity.conf from the image – sysupdate relies on GPT? diff --git a/docs/plan.plantuml b/docs/plan.plantuml index ecf1cc4..39c52ca 100644 --- a/docs/plan.plantuml +++ b/docs/plan.plantuml @@ -8,7 +8,11 @@ rectangle usr_verity { } rectangle esp { + file config.txt as esp/config.txt { + } artifact boot.img { + file "bcm2711-rpi-4-b.dtb" + file "overlays/" file fixup4.dat file start4.elf file config.txt @@ -29,6 +33,10 @@ rectangle esp { artifact cmdline artifact vmlinux } + + artifact "EFI/BOOT/BOOTAA64.efi" as systemd { + artifact "systemd-boot" + } } sign_key_private.pem -.> sign_key_public.pem diff --git a/mkosi.extra/usr/lib/repart.d/00-esp.conf b/mkosi.extra/usr/lib/repart.d/00-esp.conf index c1349b3..229815d 100644 --- a/mkosi.extra/usr/lib/repart.d/00-esp.conf +++ b/mkosi.extra/usr/lib/repart.d/00-esp.conf 
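Review bot: In curl.txt the three rpi-eeprom URLs are now pinned to the tag `v2024.04.20-2712`, where the removed line pinned the full commit `e120a595d49707640c48d5351985315f704dd3f8`; a tag can be moved upstream, a commit hash cannot. `rpi-eeprom-digest` and `rpi-eeprom-config` are scripts and `pieeprom-2024-04-15.bin` is bootloader firmware, presumably run or embedded during the image build, so I would keep each URL on the commit the tag resolves to, e.g. `url="https://raw.githubusercontent.com/raspberrypi/rpi-eeprom/<commit-sha>/rpi-eeprom-config"`, with the tag name in a `#` comment above it. No checksum check on the downloaded files is visible in this hunk; if none exists elsewhere in the build, comparing each file against a recorded SHA-256 before use would close the same gap.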
@@ -3,3 +3,4 @@ Label=boot Type=esp SizeMinBytes=512M SizeMaxBytes=512M +CopyBlocks=auto diff --git a/mkosi.extra/usr/lib/repart.d/10-usr-a.conf b/mkosi.extra/usr/lib/repart.d/10-usr-a.conf index 4ae4d2f..2391f9b 100644 --- a/mkosi.extra/usr/lib/repart.d/10-usr-a.conf +++ b/mkosi.extra/usr/lib/repart.d/10-usr-a.conf @@ -3,4 +3,3 @@ Label=_empty Type=usr SizeMinBytes=2G SizeMaxBytes=2G -ReadOnly=on diff --git a/mkosi.extra/usr/lib/repart.d/12-usr-a-verity-sig.conf b/mkosi.extra/usr/lib/repart.d/12-usr-a-verity-sig.conf new file mode 100644 index 0000000..8a2dbda --- /dev/null +++ b/mkosi.extra/usr/lib/repart.d/12-usr-a-verity-sig.conf @@ -0,0 +1,5 @@ +[Partition] +Label=_empty +Type=usr-verity-sig +SizeMinBytes=16K +SizeMaxBytes=16K diff --git a/mkosi.extra/usr/lib/repart.d/22-usr-b-verity-sig.conf b/mkosi.extra/usr/lib/repart.d/22-usr-b-verity-sig.conf new file mode 120000 index 0000000..1bed06b --- /dev/null +++ b/mkosi.extra/usr/lib/repart.d/22-usr-b-verity-sig.conf @@ -0,0 +1 @@ +12-usr-a-verity-sig.conf \ No newline at end of file diff --git a/mkosi.extra/usr/lib/sysupdate.d/30-usr-verity-sig.conf b/mkosi.extra/usr/lib/sysupdate.d/30-usr-verity-sig.conf new file mode 100644 index 0000000..0a28dce --- /dev/null +++ b/mkosi.extra/usr/lib/sysupdate.d/30-usr-verity-sig.conf @@ -0,0 +1,16 @@ +[Transfer] +ProtectVersion=%A +Verify=no + +[Source] +Type=url-file +Path=https://github.com/valtzu/rpi-mkosi/releases/latest/download +MatchPattern=%M_@v_@u.usr-verity-sig.raw.xz + +[Target] +Type=partition +Path=auto +MatchPattern=%M_@v_verity_sig +MatchPartitionType=usr-verity-sig +PartitionFlags=0 +ReadOnly=1 diff --git a/mkosi.repart/10-usr-a.conf b/mkosi.repart/10-usr-a.conf index e7cb8ae..8bb0ef4 100644 --- a/mkosi.repart/10-usr-a.conf +++ b/mkosi.repart/10-usr-a.conf @@ -2,7 +2,6 @@ Type=usr SizeMinBytes=2G SizeMaxBytes=2G -ReadOnly=on Label=%M_%A Format=ext4 CopyFiles=/usr:/ 
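Review bot: `Verify=no` in mkosi.extra/usr/lib/sysupdate.d/30-usr-verity-sig.conf turns off systemd-sysupdate's signature check on the downloaded manifest, so the only authenticity guarantee for what is written into the `usr-verity-sig` partition is TLS to the `releases/latest/download` URL. That partition is meant to carry the signed root hash, so anyone able to alter the release assets can at least replace it and leave the updated slot unbootable; whether more is possible depends on how strictly the signature is enforced at boot, which this diff does not show. I would set `Verify=yes` and ship the release signing key in the image's systemd import keyring, or, if unsigned transfers are deliberate, say so next to the setting: `# Verify=no: manifest is not GPG-signed; authenticity rests on the verity signature checked at boot`. The other transfer files in sysupdate.d are outside this diff and would want the same decision.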
diff --git a/mkosi.repart/12-usr-a-verity-sig.conf b/mkosi.repart/12-usr-a-verity-sig.conf new file mode 100644 index 0000000..5b8c36f --- /dev/null +++ b/mkosi.repart/12-usr-a-verity-sig.conf @@ -0,0 +1,6 @@ +[Partition] +Label=%M_%A_verity_sig +Type=usr-verity-sig +Verity=signature +VerityMatchKey=usr +SplitName=%U.usr-verity-sig
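Review bot: mkosi.repart/12-usr-a-verity-sig.conf adds a `Verity=signature` partition without saying which key signs it or what is expected to trust that signature at boot. A signature partition only protects `/usr` if the matching certificate is trusted by the booted system and an unsigned or mismatching root hash is refused; nothing in this diff shows that side. A header comment would help the next maintainer, for example `# Signed with the verity key given to mkosi at build time; the boot chain must trust the matching certificate`, adjusted to how the project actually provisions the key.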