Add kernel-uki-signed and systemd-boot-signed (#9521)

- Add kernel-uki-signed.spec
- Add systemd-boot-signed.spec
- kernel-uki: Install UKI EFI binary under /boot and create a symlink to it under /lib/modules/$(uname -r)/

Signed-off-by: Thien Trung Vuong <tvuong@microsoft.com>

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -2235,6 +2235,7 @@
                 "keras",
                 "kernel-signed",
                 "kernel-uki",
+                "kernel-uki-signed",
                 "kpatch",
                 "kube-vip-cloud-provider",
                 "kubernetes",
@@ -2403,6 +2404,7 @@
                 "sriov-network-device-plugin",
                 "SymCrypt",
                 "SymCrypt-OpenSSL",
+                "systemd-boot-signed",
                 "tensorflow",
                 "tinyxml2",
                 "toml11",

SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec

@@ -0,0 +1,70 @@
+%global debug_package %{nil}
+%ifarch x86_64
+%global buildarch x86_64
+%endif
+%define kernelver %{version}-%{release}
+Summary:        Signed Unified Kernel Image for %{buildarch} systems
+Name:           kernel-uki-signed-%{buildarch}
+Version:        6.6.35.1
+Release:        2%{?dist}
+License:        GPLv2
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+Group:          System Environment/Kernel
+URL:            https://github.com/microsoft/CBL-Mariner-Linux-Kernel
+# This package's "version" and "release" must reflect the unsigned version that
+# was signed.
+# An important consequence is that when making a change to this package, the
+# unsigned version/release must be increased to keep the two versions consistent.
+# Ideally though, this spec will not change much or at all, so the version will
+# just track the unsigned package's version/release.
+#
+# To populate these sources:
+#   1. Build the unsigned packages as normal
+#   2. Sign the desired binary
+#   3. Place the unsigned package and signed binary in this spec's folder
+#   4. Build this spec
+Source0:        kernel-uki-%{kernelver}.%{buildarch}.rpm
+Source1:        vmlinuz-uki-%{kernelver}.efi
+ExclusiveArch:  x86_64
+
+%description
+This package contains the Unified Kernel Image (UKI) EFI binary signed for secure boot.
+The package is specifically created for installing on %{buildarch} systems.
+
+%package -n     kernel-uki
+Summary:        Unified Kernel Image
+Group:          System Environment/Kernel
+
+%description -n kernel-uki
+The kernel-uki package contains the Linux kernel packaged as a Unified
+Kernel Image (UKI).
+
+%prep
+
+%build
+mkdir rpm_contents
+pushd rpm_contents
+
+# This spec's whole purpose is to inject the signed kernel-uki binary
+rpm2cpio %{SOURCE0} | cpio -idmv
+cp %{SOURCE1} ./boot/vmlinuz-uki-%{kernelver}.efi
+
+popd
+
+%install
+pushd rpm_contents
+
+# Don't use * wildcard. It does not copy over hidden files in the root folder...
+cp -rp ./. %{buildroot}/
+
+popd
+
+%files -n kernel-uki
+/boot/vmlinuz-uki-%{kernelver}.efi
+/lib/modules/%{kernelver}/vmlinuz-uki.efi
+
+%changelog
+* Tue Jun 25 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.35.1-2
+- Original version for Azure Linux.
+- License verified.

SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec

@@ -0,0 +1,91 @@
+%global debug_package %{nil}
+%ifarch x86_64
+%global buildarch x86_64
+%endif
+
+# Support for quick builds with rpmbuild --build-in-place.
+# See README.build-in-place
+%bcond inplace 0
+Summary:        Signed systemd-boot for %{buildarch} systems
+Name:           systemd-boot-%{buildarch}
+%if %{without inplace}
+Version:        255
+%else
+# determine the build information from local checkout
+Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
+%endif
+Release:        15%{?dist}
+License:        LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+URL:            https://systemd.io
+# This package's "version" and "release" must reflect the unsigned version that
+# was signed.
+# An important consequence is that when making a change to this package, the
+# unsigned version/release must be increased to keep the two versions consistent.
+# Ideally though, this spec will not change much or at all, so the version will
+# just track the unsigned package's version/release.
+#
+# To populate these sources:
+#   1. Build the unsigned packages as normal
+#   2. Sign the desired binary
+#   3. Place the unsigned package and signed binary in this spec's folder
+#   4. Build this spec
+Source0:        systemd-boot-%{version}-%{release}.%{buildarch}.rpm
+Source1:        systemd-bootx64.efi
+ExclusiveArch:  x86_64
+
+%description
+This package contains the systemd-boot EFI binary signed for secure boot. The package is
+specifically created for installing on %{buildarch} systems
+
+%package -n     systemd-boot
+Summary:        UEFI boot manager (signed version)
+
+Provides: systemd-boot-%{efi_arch} = %version-%release
+Provides: systemd-boot = %version-%release
+Provides: systemd-boot%{_isa} = %{version}-%{release}
+# A provides with just the version, no release or dist, used to build systemd-boot
+Provides: version(systemd-boot) = %version
+Provides: version(systemd-boot)%{_isa} = %version
+
+# self-obsoletes to install both packages after split of systemd-boot
+Obsoletes: systemd-udev < 252.2^
+
+%description -n systemd-boot
+systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
+graphical menu to select the entry to boot and an editor for the kernel command
+line. systemd-boot supports systems with UEFI firmware only.
+
+This package contains the signed version that works with Secure Boot.
+
+%prep
+
+%build
+mkdir rpm_contents
+pushd rpm_contents
+
+# This spec's whole purpose is to inject the signed systemd-boot binary
+rpm2cpio %{SOURCE0} | cpio -idmv
+cp %{SOURCE1} ./usr/lib/systemd/boot/efi/systemd-bootx64.efi
+
+popd
+
+%install
+pushd rpm_contents
+
+# Don't use * wildcard. It does not copy over hidden files in the root folder...
+cp -rp ./. %{buildroot}/
+
+popd
+
+%files -n systemd-boot
+/usr/lib/systemd/boot/efi/*
+/usr/share/man/man5/loader.conf.5.gz
+/usr/share/man/man7/sd-boot.7.gz
+/usr/share/man/man7/systemd-boot.7.gz
+
+%changelog
+* Tue Jun 25 2024 Thien Trung Vuong <tvuong@microsoft.com> - 255-15
+- Original version for Azure Linux.
+- License verified.

SPECS/kernel/kernel-uki.spec

@@ -30,7 +30,7 @@ BuildRequires:  kernel = %{version}-%{release}
 BuildRequires:  systemd-ukify
 BuildRequires:  dracut
 BuildRequires:  binutils
-BuildRequires:  systemd-boot-unsigned
+BuildRequires:  systemd-boot
 BuildRequires:  systemd-udev
 BuildRequires:  system-release
 BuildRequires:  tpm2-tools
@@ -59,9 +59,13 @@ ukify build \
       --output vmlinuz-uki.efi
 
 %install
-install -D -t %{buildroot}/lib/modules/%{kernelver} vmlinuz-uki.efi
+install -vdm 700 %{buildroot}/boot
+install -vdm 700 %{buildroot}/lib/modules/%{kernelver}
+install -vm 600 vmlinuz-uki.efi %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi
+ln -s /boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/lib/modules/%{kernelver}/vmlinuz-uki.efi
 
 %files
+/boot/vmlinuz-uki-%{kernelver}.efi
 /lib/modules/%{kernelver}/vmlinuz-uki.efi
 
 %changelog

SPECS/systemd/systemd.spec

@@ -50,7 +50,7 @@ Version:        255
 # determine the build information from local checkout
 Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
 %endif
-Release:        14%{?dist}
+Release:        15%{?dist}
 
 # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore
 %global stable 1
@@ -468,20 +468,20 @@ This package provides ukify, a script that combines a kernel image, an initrd,
 with a command line, and possibly PCR measurements and other metadata, into a
 Unified Kernel Image (UKI).
 
-%package boot-unsigned
+%package boot
 Summary: UEFI boot manager (unsigned version)
 
-Provides: systemd-boot-unsigned-%{efi_arch} = %version-%release
+Provides: systemd-boot-%{efi_arch} = %version-%release
 Provides: systemd-boot = %version-%release
 Provides: systemd-boot%{_isa} = %version-%release
 # A provides with just the version, no release or dist, used to build systemd-boot
-Provides: version(systemd-boot-unsigned) = %version
-Provides: version(systemd-boot-unsigned)%{_isa} = %version
+Provides: version(systemd-boot) = %version
+Provides: version(systemd-boot)%{_isa} = %version
 
 # self-obsoletes to install both packages after split of systemd-boot
 Obsoletes:      systemd-udev < 252.2^
 
-%description boot-unsigned
+%description boot
 systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
 graphical menu to select the entry to boot and an editor for the kernel command
 line. systemd-boot supports systems with UEFI firmware only.
@@ -1166,7 +1166,7 @@ fi
 
 %if 0%{?want_bootloader}
 %files ukify -f .file-list-ukify
-%files boot-unsigned -f .file-list-boot
+%files boot -f .file-list-boot
 %endif
 
 %files container -f .file-list-container
@@ -1202,6 +1202,9 @@ rm -f %{name}.lang
 # %autochangelog. So we need to continue manually maintaining the
 # changelog here.
 %changelog
+* Tue Jun 25 2024 Thien Trung Vuong <tvuong@microsoft.com> - 255-15
+- Rename systemd-boot-unsigned to systemd-boot
+
 * Thu Jun 13 2024 Chris Co <chrco@microsoft.com> - 255-14
 - Disable LLMNR by default to prevent LLMNR poisoning MitM attacks
 

toolkit/scripts/check_entangled_specs.py

@@ -14,10 +14,15 @@ import sys
 version_release_matching_groups = [
     frozenset([
         "SPECS-SIGNED/kernel-signed/kernel-signed.spec",
+        "SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec",
         "SPECS/kernel/kernel.spec",
         "SPECS/kernel/kernel-uki.spec",
         "SPECS/kernel-headers/kernel-headers.spec"
     ]),
+    frozenset([
+        "SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec",
+        "SPECS/systemd/systemd.spec"
+    ]),
     frozenset([
         "SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec",
         "SPECS/grub2/grub2.spec"