Better additional file copy

2025-04-18 15:41:32 -04:00 · 2025-04-18 15:41:32 -04:00 · 26f1805fa4
commit 26f1805fa4
parent adc7a14884
8 changed files with 108 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -24,7 +24,7 @@ There are a few overridable variables that control configuration elements of Hal
 - `SECBOOT`: Default is `true`. This will control whether or not Secure Boot keys are generated and enrolled. Disable if your system does not support Secure Boot.
 - `REQSIG`: Default is `true`. This will control whether or not update images and overlays require signatures. Disable ONLY for testing or development purposes.

-Disabling `SECBOOT` or `REQSIG` sets a flag in the system partition indicating that the installation has a fundamentally insecure configuration, as important system files could be tampered with easily.
+Disabling `SECBOOT`, `TPM`, or `REQSIG` sets a flag in the system partition indicating that the installation has a fundamentally insecure configuration, as important system files could be tampered with easily.

 ## Signing Keys

--- a/build/build-image.sh
+++ b/build/build-image.sh
@ -12,7 +12,7 @@ echo "========== VERSION ==========="
 echo "Version: $VERSION"
 echo "Distfiles path: $DISTPATH"
 echo -n "Distribution URL: "
-if [ -n "$DISTURL" ]; then echo "Not set, OTA disabled"
+if [ -n "$DISTURL" ]; then echo "Not set, OTA disabled"; DISTURL="none"
 else echo "$DISTURL"; fi
 echo "========== SECURITY =========="
 echo -en "Secure Boot: \t\t"
@ -20,10 +20,10 @@ if [ "$SECBOOT" == "true" ]; then echo "Enabled"
 else echo "Disabled"; SECURESYS="false"; fi
 echo -en "TPM Security: \t"
 if [ "$TPM" == "true" ]; then echo "Enabled"
-else echo "Disabled"; fi
+else echo "Disabled"; SECURESYS="false"; fi
 echo -en "Signature required: \t"
 if [ "$REQSIG" == "true" ]; then echo "Enabled"
-else echo "Disabled"; unset SECURESYS="false"; fi
+else echo "Disabled"; SECURESYS="false"; fi
 echo -en "Overall security: \t"
 if [  "$SECURESYS" == "true"  ]; then echo "Intact"
 else echo "Degraded"; fi
@ -31,6 +31,7 @@ echo "=============================="

 set -x

+export $DISTPATH
 mkdir -p "$DISTPATH"

 # Gentoo setup
@ -38,13 +39,23 @@ mkdir -p /var/db/repos/gentoo
 rm -f /var/db/repos/gentoo/metadata/timestamp.x
 emerge-webrsync --quiet
 eselect profile set default/linux/amd64/23.0/musl/hardened/selinux
+# STOP TELLING ME ABOUT THE NEWS
+eselect news read new > /dev/null

-# SquashFS tools needed for image generation
-emerge --quiet squashfs-tools
+# squashfs-tools needed for image mksquashfs for image generation
+# gentoolkit needed for euse for setting use flags
+emerge --quiet squashfs-tools gentoolkit

 # Copy in package list
 mkdir -p /etc/portage/sets
-cp /build/packages.txt /etc/portage/sets/halogenos
+cp /build/emerge/packages.txt /etc/portage/sets/halogenos
+cp -r /build/emerge/package.use /etc/portage/
+
+# We have to ensure use.disable contains at least one flag
+# Otherwise euse -D will disable all global use flags
+if [[ "$(cat /build/emerge/use.disable)" = *[![:space:]]* ]]; then
+    euse -D "$(cat /build/emerge/use.disable)"
+fi

 # Set install location
 export ROOT="$DISTPATH"
@ -65,6 +76,11 @@ mkdir -p "$DISTPATH"/usr/share/halogenos
 mkdir "$DISTPATH"/usr/share/halogenos/keys
 mkdir "$DISTPATH"/usr/share/halogenos/bin

+cp -r /build/include/* "$DISTPATH"/
+
+# Install gvisor OCI runtime
+/build/external/gvisor.sh
+
 # Require inclusion of public key if $REQSIG is true
 if [ "$REQSIG" == "true" ]; then
    cp /run/secrets/signing_key_public "$DISTPATH"/usr/share/halogenos/keys/release_key_pub.asc
@ -79,20 +95,18 @@ fi

 # Metadata & build-time configs
 mkdir "$DISTPATH"/usr/share/halogenos/meta
-echo "$VERSION" > "$DISTPATH"/usr/share/halogenos/meta/version
-if [ -n "$DISTURL" ]; then echo "$DISTURL" > "$DISTPATH"/usr/share/halogenos/meta/ota
-else echo "DISABLED" > "$DISTPATH"/usr/share/halogenos/meta/ota; fi
-if [ "$SECBOOT" == "true" ]; then echo "ENABLED" > "$DISTPATH"/usr/share/halogenos/meta/secboot
-else echo "DISABLED" > "$DISTPATH"/usr/share/halogenos/meta/secboot; fi
-if [ "$TPM" == "true" ]; then echo "ENABLED" > "$DISTPATH"/usr/share/halogenos/meta/tpm
-else echo "DISABLED" > "$DISTPATH"/usr/share/halogenos/meta/tpm; fi
-if [ "$SECURESYS" == "true" ]; then echo "TRUE" > "$DISTPATH"/usr/share/halogenos/meta/securesys
-else echo "FALSE" > "$DISTPATH"/usr/share/halogenos/meta/securesys; fi
+echo "VERSION=$VERSION
+OTA=$DISTURL
+TPM=$TPM
+REQSIG=$REQSIG
+SECBOOT=$SECBOOT
+SECURESYS=$SECURESYS" > "$DISTPATH"/usr/share/halogenos/release.meta

 # Make any additional config changes

 # Create images dir and img files
 mkdir -p /build/images
+cp "$DISTPATH"/usr/share/halogenos/release.meta /build/images/
 dd if=/dev/zero of=/build/images/usr.img bs=1 count=0 seek=2G
 mkfs.ext4 /build/images/usr.img
 dd if=/dev/zero of=/build/images/verity.img bs=1 count=0 seek=2000M 
@ -107,3 +121,5 @@ cp /build/artifacts/usr.squashfs /mnt/usr
 umount /mnt/usr

 # Build verity
+
+tar -czf /build/images/usr.img /build/images/verity.img /build/images/
--- a/build/emerge/packages.txt
+++ b/build/emerge/packages.txt
@ -0,0 +1,13 @@
+app-containers/distrobox
+app-containers/podman
+app-crypt/gnupg
+app-shells/bash
+app-misc/hyfetch
+kde-plasma/flatpak-kcm
+kde-plasma/plasma-desktop
+kde-plasma/plasma-vault
+sys-apps/bubblewrap
+sys-apps/flatpak
+sys-apps/fwupd
+sys-libs/musl
+virtual/tmpfiles
--- a/build/emerge/use.disable
+++ b/build/emerge/use.disable
@ -0,0 +1 @@
+
--- a/build/external/gvisor.sh
+++ b/build/external/gvisor.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+ARCH=$(uname -m)
+URL=https://storage.googleapis.com/gvisor/releases/release/latest/"${ARCH}"
+wget "${URL}"/runsc "${URL}"/runsc.sha512 "${URL}"/containerd-shim-runsc-v1 "${URL}"/containerd-shim-runsc-v1.sha512
+
+sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
+rm -f ./*.sha512
+
+chmod a+rx runsc containerd-shim-runsc-v1
+mv runsc containerd-shim-runsc-v1 "$DISTPATH"/usr/local/bin
--- a/build/include/usr/etc/containers.conf
+++ b/build/include/usr/etc/containers.conf
@ -0,0 +1,29 @@
+[containers]
+
+cgroupns = "private"
+cgroups = "enabled"
+
+default_capabilities = []
+
+default_sysctls = [
+  "net.ipv4.ping_group_range=0 0",
+]
+
+label = true
+label_users = true
+
+ipcns = "private"
+netns = "private"
+pidns = "private"
+userns = "auto"
+utsns = "private"
+
+privileged = false
+
+[engine]
+runtime = "runsc"
+
+[engine.runtimes]
+runsc = [
+  "/usr/local/bin/runsc",
+]
--- a/build/include/usr/sbin/sysupd.sh
+++ b/build/include/usr/sbin/sysupd.sh
@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+# These are expected to happen
+ERR_GEN = 1 # General error
+ERR_NET = 2 # Network link error
+ERR_DNS = 3 # DNS error or resolution failure
+ERR_SSL = 4 # HTTPS failure
+ERR_SIG = 5 # Update file fails signature
+
+# These should probably never happen
+ERR_PRM = 6 # Insufficient permission
+ERR_BLK = 7 # Block device or partition error
+ERR_MNT = 8 # Mounting failure
+
+err_exit() {
+    >&2 echo $2
+}
--- a/build/packages.txt
+++ b/build/packages.txt
@ -1,3 +0,0 @@
-app-shells/bash
-app-misc/hyfetch
-sys-libs/musl