faerbit/archiso
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,279 Commits 1 Branch 79 Tags 2.4 MiB
7bc4c54245
Go to file
nl6720 7bc4c54245
mkarchiso: preload more GRUB modules and disable shim_lock verifier 
--disable-shim-lock is required to support Secure Boot with custom signatures without using shim.
Otherwise GRUB will trow an error when trying to boot a kernel:

    error: shim_lock protocol not found.
    error: you need to load the kernel first.

The modules GRUB will use need to be preloaded otherwise the EFI binaries cannot be signed and used for Secure Boot.
See https://bugs.archlinux.org/task/71382.
GRUB will trow en error:

    error: verification requested but nobody cares

These changes are done to support Secure Boot using custom keys (not shim) by simply extracting the boot loader
(BOOTx64.EFI and BOOTIA32.EFI), kernel, UEFI shell, signing them and then repacking the ISO.

For example.
Extract the files:

    $ osirrox -indev archlinux-YYYY.MM.DD-x86_64.iso \
        -extract_boot_images ./ \
        -extract /EFI/BOOT/BOOTx64.EFI BOOTx64.EFI \
        -extract /EFI/BOOT/BOOTIA32.EFI BOOTIA32.EFI \
        -extract /shellx64.efi shellx64.efi \
        -extract /shellia32.efi shellia32.efi \
        -extract /arch/boot/x86_64/vmlinuz-linux vmlinuz-linux

Make the files writable:

    $ chmod +w BOOTx64.EFI BOOTIA32.EFI shellx64.efi shellia32.efi vmlinuz-linux

Sign the files:

    $ sbsign --key db.key --cert db.crt --output BOOTx64.EFI BOOTx64.EFI
    $ sbsign --key db.key --cert db.crt --output BOOTIA32.EFI BOOTIA32.EFI
    $ sbsign --key db.key --cert db.crt --output shellx64.efi shellx64.efi
    $ sbsign --key db.key --cert db.crt --output shellia32.efi shellia32.efi
    $ sbsign --key db.key --cert db.crt --output vmlinuz-linux vmlinuz-linux

Copy the boot loader and UEFI shell to the EFI system partition image:

    $ mcopy -D oO -i eltorito_img2_uefi.img BOOTx64.EFI BOOTIA32.EFI ::/EFI/BOOT/
    $ mcopy -D oO -i eltorito_img2_uefi.img shellx64.efi shellia32.efi ::/

Repack the ISO using the modified El Torito UEFI boot image and add the signed boot loader files, UEFI shell and
kernel to ISO9660:

    $ xorriso -indev archlinux-YYYY.MM.DD-x86_64.iso \
        -outdev archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso \
        -boot_image any replay \
        -append_partition 2 0xef eltorito_img2_uefi.img \
        -map BOOTx64.EFI /EFI/BOOT/BOOTx64.EFI \
        -map BOOTIA32.EFI /EFI/BOOT/BOOTIA32.EFI \
        -map shellx64.efi /shellx64.efi \
        -map shellia32.efi /shellia32.efi \
        -map vmlinuz-linux /arch/boot/x86_64/vmlinuz-linux

Boot the resulting archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso.
2022-08-19 10:22:40 +03:00
.gitlab/ci .gitlab/ci/build_archiso.sh: use mkarchiso's -G option 2021-08-25 00:26:07 +03:00
archiso mkarchiso: preload more GRUB modules and disable shim_lock verifier 2022-08-19 10:22:40 +03:00
configs configs/*/grub/grub.cfg: enable serial input and output 2022-06-26 13:16:29 +03:00
docs Update documentation for uefi x64 grub boot modes 2022-06-10 22:37:32 -07:00
scripts Use QEMU 6.x options 2021-05-06 01:41:19 +02:00
.editorconfig Add license and basic documentation 2020-07-29 14:27:48 +02:00
.gitattributes Add .gitignore and .gitattributes 2012-08-03 22:03:03 +02:00
.gitignore .gitignore: ignore *.cer, *.crt, *.key, *.pem and *.img 2022-05-31 10:18:07 +03:00
.gitlab-ci.yml Add implicit package dependencies to PACKAGE_LIST in .gitlab-ci.yml 2022-06-17 21:03:39 -07:00
.mailmap Add .mailmap file 2021-08-31 11:56:48 +03:00
AUTHORS.rst Add efibootimg variable in place of full path 2022-07-16 12:02:53 +00:00
CHANGELOG.rst mkarchiso: preload more GRUB modules and disable shim_lock verifier 2022-08-19 10:22:40 +03:00
CONTRIBUTING.rst Add contributing guideline about merge requests 2022-01-30 21:26:43 +01:00
LICENSE Add license and basic documentation 2020-07-29 14:27:48 +02:00
Makefile Makefile: Remove mkinitcpio-archiso specific targets 2021-07-31 17:27:17 +02:00
README.rst Add support for GRUB ia32 UEFI in mkarchiso, update READMEs. 2022-05-25 14:49:02 +00:00

README.rst 

=======
archiso
=======

The archiso project features scripts and configuration templates to build installation media (*.iso* images and
*.tar.gz* bootstrap images) as well as netboot artifacts for BIOS and UEFI based systems on the x86_64 architecture.
Currently creating the images is only supported on Arch Linux but may work on other operating systems as well.

Requirements
============

The following packages need to be installed to be able to create an image with the included scripts:

* arch-install-scripts
* awk
* dosfstools
* e2fsprogs
* erofs-utils (optional)
* findutils
* grub
* gzip
* libarchive
* libisoburn
* mtools
* openssl
* pacman
* sed
* squashfs-tools

For running the images in a virtualized test environment the following packages are required:

* edk2-ovmf
* qemu

For linting the shell scripts the following package is required:

* shellcheck

Profiles
========

Archiso comes with two profiles: **baseline** and **releng**. While both can serve as starting points for creating
custom live media, **releng** is used to create the monthly installation medium.
They can be found below `configs/baseline/ <configs/baseline/>`_  and `configs/releng/ <configs/releng/>`_
(respectively). Both profiles are defined by files to be placed into overlays (e.g. airootfs ‎→‎ the image's ``/``).

Read `README.profile.rst <docs/README.profile.rst>`_ to learn more about how to create profiles.

Create images
=============

Usually the archiso tools are installed as a package. However, it is also possible to clone this repository and create
images without installing archiso system-wide.

As filesystems are created and various mount actions have to be done when creating an image, **root** is required to run
the scripts.

When archiso is installed system-wide and the modification of a profile is desired, it is necessary to copy it to a
writeable location, as ``/usr/share/archiso`` is tracked by the package manager and only writeable by root (changes will
be lost on update).

The examples below will assume an unmodified profile in a system location (unless noted otherwise).

It is advised to consult the help output of **mkarchiso**:

.. code:: sh

   mkarchiso -h

Create images with packaged archiso
-----------------------------------

.. code:: sh

   mkarchiso -w path/to/work_dir -o path/to/out_dir path/to/profile

Create images with local clone
------------------------------

Clone this repository and run:

.. code:: sh

   ./archiso/mkarchiso -w path/to/work_dir -o path/to/out_dir path/to/profile

Testing
=======

The convenience script **run_archiso** is provided to boot into the medium using qemu.
It is advised to consult its help output:

.. code:: sh

   run_archiso -h

Run the following to boot the iso using BIOS:

.. code:: sh

   run_archiso -i path/to/an/arch.iso

Run the following to boot the iso using UEFI:

.. code:: sh

   run_archiso -u -i path/to/an/arch.iso

The script can of course also be executed from this repository:


.. code:: sh

   ./scripts/run_archiso.sh -i path/to/an/arch.iso

Installation
============

To install archiso system-wide use the included ``Makefile``:

.. code:: sh

   make install

Optional features

The iso image contains a GRUB environment block holding the iso name and version. This allows to
boot the iso image from GRUB with a version specific cow directory to mitigate overlay clashes.

.. code:: sh

   loopback loop archlinux.iso
   load_env -f (loop)/arch/grubenv
   linux (loop)/arch/boot/x86_64/vmlinuz-linux ... \
       cow_directory=${NAME}/${VERSION} ...
   initrd (loop)/arch/boot/x86_64/initramfs-linux-lts.img

Contribute
==========

Development of archiso takes place on Arch Linux' Gitlab: https://gitlab.archlinux.org/archlinux/archiso.

Please read our distribution-wide `Code of Conduct <https://wiki.archlinux.org/title/Code_of_conduct>`_ before
contributing, to understand what actions will and will not be tolerated.

Read our `contributing guide <CONTRIBUTING.rst>`_ to learn more about how to provide fixes or improvements for the code
base.

Discussion around archiso takes place on the `arch-releng mailing list
<https://lists.archlinux.org/listinfo/arch-releng>`_ and in `#archlinux-releng
<ircs://irc.libera.chat/archlinux-releng>`_ on `Libera Chat <https://libera.chat/>`_.

All past and present authors of archiso are listed in `AUTHORS <AUTHORS.rst>`_.

Releases
========

`Releases of archiso <https://gitlab.archlinux.org/archlinux/archiso/-/tags>`_ are created by their current maintainers

- `David Runge <https://gitlab.archlinux.org/dvzrv>`_ (``C7E7849466FE2358343588377258734B41C31549``)
- `nl6720 <https://gitlab.archlinux.org/nl6720>`_ (``BB8E6F1B81CF0BB301D74D1CBF425A01E68B38EF``)

Tags are signed using respective PGP keys.

To verify a tag, first import the relevant PGP key(s):

.. code:: sh

  gpg --auto-key-locate wkd --search-keys dvzrv@archlinux.org

or

.. code:: sh

  gpg --auto-key-locate keyserver --recv-keys BB8E6F1B81CF0BB301D74D1CBF425A01E68B38EF

Afterwards a tag can be verified from a clone of this repository:

.. code:: sh

  git verify-tag <tag>

License
=======

Archiso is licensed under the terms of the **GPL-3.0-or-later** (see `LICENSE <LICENSE>`_).