From 75c1210aff4a08955226a8563e17b81ac7e36c87 Mon Sep 17 00:00:00 2001 From: Steven Kreitzer Date: Fri, 5 Apr 2024 07:19:41 -0500 Subject: [PATCH] feat(talos): allow building custom versions --- .github/workflows/talos-boot-assets.yaml | 184 ++++++++---------- .../pkgs/0001-feat-add-apple-t2-patches.patch | 62 ++++++ patches/talos/0001-fix-large-apple-efi.patch | 40 ++++ 3 files changed, 182 insertions(+), 104 deletions(-) create mode 100644 patches/pkgs/0001-feat-add-apple-t2-patches.patch create mode 100644 patches/talos/0001-fix-large-apple-efi.patch diff --git a/.github/workflows/talos-boot-assets.yaml b/.github/workflows/talos-boot-assets.yaml index 17f0cee..d4da7af 100644 --- a/.github/workflows/talos-boot-assets.yaml +++ b/.github/workflows/talos-boot-assets.yaml @@ -2,9 +2,14 @@ name: Talos Boot Assets Generation on: + workflow_dispatch: + inputs: + version: + description: Talos version + default: latest + required: false schedule: - cron: "0 * * * *" - workflow_dispatch: concurrency: group: ${{ github.actor }}-build 
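Review bot: The new `version` input ends up used as a git ref (`refs/tags/…`), a GitHub API path segment and a container image tag, but its `description` does not say what form is accepted; `description: Talos release tag (e.g. v1.7.0), or "latest" to resolve the newest release` would tell a dispatcher what to type and document that other values are unsupported. Note that `default: latest` only applies to manual dispatches — the `inputs` context is empty on the `schedule` trigger — so the "latest" fallback has to be handled where the input is read, not here.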
@@ -21,25 +26,29 @@ jobs: runs-on: ubuntu-latest steps: - - name: Fetch latest Talos release version + - name: Fetch Talos release version id: talos-release run: | - talos_release_tag=$(curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".tag_name") + if [ "${{ inputs.version }}" != "latest" ]; then + talos_release_tag="${{ inputs.version }}" + else + talos_release_tag=$(curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".tag_name") + fi echo "talos_release_tag=$talos_release_tag" >> $GITHUB_OUTPUT + - name: Fetch Talos release body + id: talos-release-body + run: | + echo 'talos_release_body<> $GITHUB_OUTPUT + curl -sL https://api.github.com/repos/siderolabs/talos/releases/tags/${{ steps.talos-release.outputs.talos_release_tag }} | jq -r ".body" >> $GITHUB_OUTPUT + echo EOF >> $GITHUB_OUTPUT + - name: Fetch latest Boot Asset release version id: boot-asset-release run: | - boot_assets_release_tag=$(curl -sL https://api.github.com/repos/buroa/talos-boot-assets/releases/latest | jq -r ".tag_name") + boot_assets_release_tag=$(curl -sL https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r ".tag_name") echo "boot_assets_release_tag=$boot_assets_release_tag" >> $GITHUB_OUTPUT - - name: Fetch latest Talos release body - id: talos-release-body - run: | - echo 'talos_release_body<> $GITHUB_OUTPUT - curl -sL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".body" >> $GITHUB_OUTPUT - echo EOF >> $GITHUB_OUTPUT - - name: Compare release versions if: steps.talos-release.outputs.talos_release_tag != steps.boot-asset-release.outputs.boot_assets_release_tag id: compare-releases 
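Review bot: The new branch in "Fetch Talos release version" breaks the scheduled path: on a `schedule` trigger the `inputs` context is empty, so `${{ inputs.version }}` expands to `""`, `[ "" != "latest" ]` is true, and `talos_release_tag` is set to an empty string that the compare step then treats as a new release and the build jobs pass to `refs/tags/` and `TAG=`. The same expression is also spliced straight into the shell script (and again into the curl URL of the release-body step), which is the GitHub Actions injection pattern — even if only users with write access can dispatch, the value should come in through `env:` and be validated as a `vX.Y.Z` tag before it is used as a ref, URL and image tag. An explicit check also catches the `null` that `jq -r .tag_name` emits when the unauthenticated API call is rate-limited. Suggested rewrite of the step:

```yaml
      - name: Fetch Talos release version
        id: talos-release
        env:
          VERSION: ${{ inputs.version }}
        run: |
          if [ -n "$VERSION" ] && [ "$VERSION" != "latest" ]; then
            talos_release_tag="$VERSION"
          else
            talos_release_tag=$(curl -fsSL https://api.github.com/repos/siderolabs/talos/releases/latest | jq -r ".tag_name")
          fi
          # Reject anything that is not a plain release tag before it reaches git, curl or make.
          [[ "$talos_release_tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$ ]] || { echo "unexpected tag: '$talos_release_tag'" >&2; exit 1; }
          echo "talos_release_tag=$talos_release_tag" >> "$GITHUB_OUTPUT"
```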
@@ -56,94 +65,45 @@ jobs: talosReleaseTag: ${{ steps.talos-release.outputs.talos_release_tag }} talosReleaseBody: ${{ steps.talos-release-body.outputs.talos_release_body }} - sync-talos-fork: - needs: [ check-releases ] - name: Sync talos fork with upstream - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - repository: ${{ github.repository }} - ref: talos - token: ${{ secrets.GITHUB_TOKEN }} - fetch-depth: 0 - - - name: Setup git - run: | - git config --global user.name "${{ github.actor }}" - git config --global user.email "${{ github.actor }}@users.noreply.github.com" - - - name: Sync upstream changes - run: | - git remote add talos https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/siderolabs/talos - git pull talos refs/tags/${{ needs.check-releases.outputs.talosReleaseTag }} --rebase - git push --set-upstream origin talos --force - - sync-pkgs-fork: - needs: [ check-releases ] - name: Sync pkgs fork with upstream - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - repository: ${{ github.repository }} - ref: pkgs - token: ${{ secrets.GITHUB_TOKEN }} - fetch-depth: 0 - - - name: Get pkgs release tag - id: pkgs-release - run: | - release=release-$(grep -Eo '[0-9]\.[0-9]+' <<< '${{ needs.check-releases.outputs.talosReleaseTag }}') - echo "release=$release" >> $GITHUB_OUTPUT - - - name: Setup git - run: | - git config --global user.name "${{ github.actor }}" - git config --global user.email "${{ github.actor }}@users.noreply.github.com" - - - name: Sync upstream changes - run: | - git remote add pkgs https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/siderolabs/pkgs - git pull pkgs ${{ steps.pkgs-release.outputs.release }} --rebase - git push --set-upstream origin pkgs --force - build-kernel: - needs: [ check-releases, sync-pkgs-fork ] + needs: [ check-releases ] if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 
'workflow_dispatch' name: Build kernel image runs-on: ubuntu-latest - outputs: - sha: ${{ steps.hash.outputs.sha_short }} - steps: + - name: Get pkgs release tag + id: pkgs-release + run: | + release=release-$(grep -Eo '[0-9]\.[0-9]+' <<< '${{ needs.check-releases.outputs.talosReleaseTag }}') + echo "release=$release" >> $GITHUB_OUTPUT + - name: Checkout + uses: actions/checkout@v4 + with: + repository: siderolabs/pkgs + ref: ${{ steps.pkgs-release.outputs.release }} + token: ${{ secrets.GITHUB_TOKEN }} + fetch-depth: 0 + + - name: Checkout patches uses: actions/checkout@v4 with: repository: ${{ github.repository }} - ref: pkgs + ref: ${{ github.sha }} + token: ${{ secrets.GITHUB_TOKEN }} + path: patches + sparse-checkout: patches/pkgs + sparse-checkout-cone-mode: false - - name: Get short commit hash - id: hash + - name: Apply patches run: | - sha_short=$(git rev-parse --short HEAD) - echo "sha_short=$sha_short" >> $GITHUB_OUTPUT - - - name: Check if kernel image is already built - id: check - run: | - token=$(echo "${{ secrets.GITHUB_TOKEN }}" | base64) - tags=$(curl -H "Authorization: Bearer $token" https://ghcr.io/v2/${{ github.actor }}/kernel/tags/list) - built=$(echo "$tags" | jq -r '.tags | contains(["${{ steps.hash.outputs.sha_short }}"])') - echo "built=$built" >> $GITHUB_OUTPUT + while IFS= read -r file; do + echo "==> Adding $file" + git apply -v $file + done < <(find "./patches/patches/pkgs" -type f -name "*.patch" | sort) - name: Maximize build space - if: steps.check.outputs.built == 'false' uses: jlumbroso/free-disk-space@main with: large-packages: true @@ -151,15 +111,12 @@ jobs: swap-storage: true - name: Set up QEMU - if: steps.check.outputs.built == 'false' uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - if: steps.check.outputs.built == 'false' uses: docker/setup-buildx-action@v3 - name: Login to GitHub Container Registry - if: steps.check.outputs.built == 'false' uses: docker/login-action@v3.1.0 with: registry: ghcr.io 
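Review bot: The kernel image is now built from `siderolabs/pkgs` at `ref: release-X.Y`, which is a moving branch, yet it is pushed as `kernel:<talos release tag>` and (with the "already built" check removed) re-pushed on every run, so two runs for the same Talos version can produce different kernels under the same tag; the previous version at least tagged the image with the synced tree's short SHA, and this hunk drops that `outputs: sha`. At minimum record the resolved commit after checkout, e.g. `echo "pkgs_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"`, and surface it as a job output or image label; better still, pin to the exact pkgs tag the Talos release itself builds against, if the Talos tree records it (its Makefile appears to, but verify). In the "Apply patches" step `git apply -v $file` should be `git apply -v "$file"` so a path with whitespace is not split. The build-kernel job continues into the next hunk.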
@@ -167,25 +124,44 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build kernel image - if: steps.check.outputs.built == 'false' - env: - PLATFORM: linux/amd64 - USERNAME: ${{ github.actor }} - PUSH: "true" - run: make kernel + run: | + make kernel \ + PLATFORM=linux/amd64 \ + USERNAME="${{ github.actor }}" \ + TAG="${{ needs.check-releases.outputs.talosReleaseTag }}" \ + PUSH="true" build-installer: - needs: [ check-releases, sync-talos-fork, build-kernel ] + needs: [ check-releases, build-kernel ] if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch' name: Build installer image runs-on: ubuntu-latest steps: - name: Checkout + uses: actions/checkout@v4 + with: + repository: siderolabs/talos + ref: refs/tags/${{ needs.check-releases.outputs.talosReleaseTag }} + token: ${{ secrets.GITHUB_TOKEN }} + fetch-depth: 0 + + - name: Checkout patches uses: actions/checkout@v4 with: repository: ${{ github.repository }} - ref: talos + ref: ${{ github.sha }} + token: ${{ secrets.GITHUB_TOKEN }} + path: patches + sparse-checkout: patches/talos + sparse-checkout-cone-mode: false + + - name: Apply patches + run: | + while IFS= read -r file; do + echo "==> Adding $file" + git apply -v $file + done < <(find "./patches/patches/talos" -type f -name "*.patch" | sort) - name: Set up QEMU uses: docker/setup-qemu-action@v3 
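Review bot: The checkout of the public `siderolabs/talos` tree passes `token: ${{ secrets.GITHUB_TOKEN }}` and leaves `persist-credentials` at its default, so the token is written into `.git/config` of a tree that is then patched and handed to `make installer` (a Docker build with that directory as context); nothing in this job pushes to upstream, so drop the `token:` line and add `persist-credentials: false` to that step, and do the same for the `siderolabs/pkgs` checkout in build-kernel. Checking out `refs/tags/<tag>` also pins to a mutable ref: capture `git rev-parse HEAD` after the checkout so the installer's provenance can be reconstructed, and if upstream signs its release tags, `git verify-tag "$TAG"` here would turn that into an actual check (worth confirming whether they do). As in build-kernel, `git apply -v $file` should quote `"$file"`. The build-installer job continues into the next hunk.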
@@ -201,13 +177,13 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build installer image - env: - PLATFORM: linux/amd64 - USERNAME: ${{ github.actor }} - TAG: ${{ needs.check-releases.outputs.talosReleaseTag }} - PKG_KERNEL: ghcr.io/${{ github.actor }}/kernel:${{ needs.build-kernel.outputs.sha }} - PUSH: "true" - run: make installer + run: | + make installer \ + PLATFORM="linux/amd64" \ + USERNAME="${{ github.actor }}" \ + TAG="${{ needs.check-releases.outputs.talosReleaseTag }}" \ + PKG_KERNEL="ghcr.io/${{ github.actor }}/kernel:${{ needs.check-releases.outputs.talosReleaseTag }}" \ + PUSH="true" build-boot-assets: needs: [ check-releases, build-installer ] @@ -219,7 +195,7 @@ jobs: contents: write container: - image: ghcr.io/buroa/installer:${{ needs.check-releases.outputs.talosReleaseTag }} + image: ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }} options: --privileged volumes: - /dev:/dev diff --git a/patches/pkgs/0001-feat-add-apple-t2-patches.patch b/patches/pkgs/0001-feat-add-apple-t2-patches.patch new file mode 100644 index 0000000..8109cf1 --- /dev/null +++ b/patches/pkgs/0001-feat-add-apple-t2-patches.patch 
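Review bot: The installer consumes its kernel by mutable tag, `PKG_KERNEL="ghcr.io/…/kernel:<talosReleaseTag>"`, and the preceding build-kernel job overwrites that tag on every run now that the "already built" gate is gone, so the image that ends up in the installer is whatever was last pushed rather than the one this run built. Resolve the tag to a digest immediately before `make installer` and pass `kernel@sha256:…` instead; `FROM image@sha256:…` is standard Dockerfile syntax, so the Talos Dockerfile's `FROM ${PKG_KERNEL}` should accept it (verify against the version being built). Suggested addition to the build-installer job:

```yaml
      - name: Resolve kernel image digest
        id: kernel
        env:
          IMAGE: ghcr.io/${{ github.actor }}/kernel:${{ needs.check-releases.outputs.talosReleaseTag }}
        run: |
          digest=$(docker buildx imagetools inspect "$IMAGE" --format '{{.Manifest.Digest}}')
          [ -n "$digest" ] || { echo "could not resolve digest for $IMAGE" >&2; exit 1; }
          echo "ref=ghcr.io/${{ github.actor }}/kernel@${digest}" >> "$GITHUB_OUTPUT"

      - name: Build installer image
        run: |
          make installer \
            PLATFORM="linux/amd64" \
            USERNAME="${{ github.actor }}" \
            TAG="${{ needs.check-releases.outputs.talosReleaseTag }}" \
            PKG_KERNEL="${{ steps.kernel.outputs.ref }}" \
            PUSH="true"
```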
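Review bot: Replacing the hard-coded `buroa` with `${{ github.actor }}` in `image: ghcr.io/${{ github.actor }}/installer:…` ties the image namespace to whoever triggered the run rather than to the repository, so a collaborator dispatching the workflow would look for (and, in the earlier jobs, try to push) images under their own GHCR namespace, which the repository-scoped `GITHUB_TOKEN` cannot write to; the `USERNAME=` arguments in build-kernel and build-installer have the same problem. The commit already switched the release lookup to `${{ github.repository }}`, so the consistent fix is `image: ghcr.io/${{ github.repository_owner }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }}` and `USERNAME="${{ github.repository_owner }}"` in the two build steps. The build-boot-assets job continues outside this hunk.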
@@ -0,0 +1,62 @@ +From a1c892e579f5191fd09fb377794b8675fb2b79f1 Mon Sep 17 00:00:00 2001 +From: Steven Kreitzer +Date: Fri, 15 Dec 2023 05:36:52 -0600 +Subject: [PATCH] feat: add apple t2 patches + +Signed-off-by: Steven Kreitzer +--- + kernel/build/pkg.yaml | 7 +++++++ + kernel/prepare/pkg.yaml | 12 ++++++++++++ + 2 files changed, 19 insertions(+) + +diff --git a/kernel/build/pkg.yaml b/kernel/build/pkg.yaml +index 35f0e380f..1a3ccc31c 100644 +--- a/kernel/build/pkg.yaml ++++ b/kernel/build/pkg.yaml +@@ -12,6 +12,13 @@ steps: + cd /src + cp -v /pkg/config-${CARCH} .config + cp -v /pkg/certs/* certs/ ++ - | ++ cd /src ++ scripts/config --enable CONFIG_APPLE_BCE ++ scripts/config --enable CONFIG_HID_APPLE_IBRIDGE ++ scripts/config --enable CONFIG_SENSORS_APPLESMC ++ scripts/config --enable CONFIG_USB4 ++ scripts/config --enable CONFIG_USB4_NET + build: + {{ if .BUILD_ARG_KERNEL_TARGET }} + - | +diff --git a/kernel/prepare/pkg.yaml b/kernel/prepare/pkg.yaml +index 35dba08d1..b369f4976 100644 +--- a/kernel/prepare/pkg.yaml ++++ b/kernel/prepare/pkg.yaml +@@ -9,6 +9,10 @@ steps: + destination: linux.tar.xz + sha256: "{{ .linux_sha256 }}" + sha512: "{{ .linux_sha512 }}" ++ - url: https://github.com/t2linux/linux-t2-patches/archive/15ed66844da78b46dde88fd361154c95b37d0286.tar.gz ++ destination: patches.tar.gz ++ sha256: 8d80db3d846eed1e9b30fb29b3004ba440f4cd3509700045cc3e9216382eacbc ++ sha512: d7317bda6c056d7c11b642a98e65e6ee8ae635995ff3f58e258f6bfa140a767cf07bc91c2db2a3f6e528fe793f492543ef2d6799dfda95d30852eceac467477b + env: + ARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}x86_64{{ else }}unsupported{{ end }} + prepare: +@@ -40,6 +44,14 @@ steps: + done + + make mrproper ++ - | ++ mkdir -p /pkg/patches ++ tar xf patches.tar.gz --strip-components=1 -C /pkg/patches ++ - | ++ while IFS= read -r file; do ++ echo "==> Adding $file" ++ patch -p1 < "$file" ++ done < <(find "/pkg/patches/" -type f -name "*.patch" | sort) + - | + cd /toolchain && git clone 
https://github.com/a13xp0p0v/kernel-hardening-checker.git + install: +-- +2.44.0 + diff --git a/patches/talos/0001-fix-large-apple-efi.patch b/patches/talos/0001-fix-large-apple-efi.patch new file mode 100644 index 0000000..4fbeb40 --- /dev/null +++ b/patches/talos/0001-fix-large-apple-efi.patch @@ -0,0 +1,40 @@ +From 60659a28f750cdd0bb71ac73e14fd878c91e0b8a Mon Sep 17 00:00:00 2001 +From: Steven Kreitzer +Date: Fri, 15 Dec 2023 05:42:06 -0600 +Subject: [PATCH] fix: large apple efi + +Signed-off-by: Steven Kreitzer +--- + internal/pkg/partition/constants.go | 2 +- + pkg/imager/profile/default.go | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/internal/pkg/partition/constants.go b/internal/pkg/partition/constants.go +index 534537181..d18877cd1 100644 +--- a/internal/pkg/partition/constants.go ++++ b/internal/pkg/partition/constants.go +@@ -30,7 +30,7 @@ const ( + const ( + MiB = 1024 * 1024 + +- EFISize = 100 * MiB ++ EFISize = 500 * MiB + BIOSGrubSize = 1 * MiB + BootSize = 1000 * MiB + // EFIUKISize is the size of the EFI partition when UKI is enabled. +diff --git a/pkg/imager/profile/default.go b/pkg/imager/profile/default.go +index 45ab35873..54261f81d 100644 +--- a/pkg/imager/profile/default.go ++++ b/pkg/imager/profile/default.go +@@ -14,7 +14,7 @@ const ( + mib = 1024 * 1024 + + // MinRAWDiskSize is the minimum size disk we can create. Used for metal images. +- MinRAWDiskSize = 1246 * mib ++ MinRAWDiskSize = 1646 * mib + + // DefaultRAWDiskSize is the value we use for any non-metal images by default. + DefaultRAWDiskSize = 8192 * mib +-- +2.44.0 +
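Review bot: The new patch loop in `kernel/prepare/pkg.yaml` runs `patch -p1 < "$file"` for every file in the pinned tarball but does nothing with its exit status, so unless bldr runs these step scripts with `set -e` (not visible here), a rejected hunk is printed and the build continues, producing a kernel that silently lacks some T2 patches; `patch -p1 --forward < "$file" || exit 1` makes it fail closed either way. Pinning the tarball to a commit hash with both sha256 and sha512 is the right thing and should stay. The five `scripts/config --enable` lines in `kernel/build/pkg.yaml` carry no explanation of why each option is needed for T2 hardware; a short comment per option (for example `# CONFIG_USB4/USB4_NET: Thunderbolt controller and networking on T2 Macs — confirm required`) would let a later maintainer drop options safely, particularly since `CONFIG_USB4_NET` adds a network interface to a hardened kernel.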
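Review bot: `EFISize` is raised from 100 to 500 MiB with no comment saying why, and the commit subject ("large apple efi") is the only rationale; add one on that line, e.g. `// 500 MiB: the Apple firmware path needs a larger ESP than the default — see patches/talos/0001-fix-large-apple-efi.patch`, stating the concrete requirement if it is known. The `EFIUKISize` constant visible in the context immediately below is left unchanged, so UKI/secure-boot images will still get the old ESP size; if the larger partition is a firmware requirement rather than a GRUB-only one, that constant likely needs the same bump (please confirm). The `MinRAWDiskSize` change of +400 MiB matches the `EFISize` growth, which is consistent, but a comment tying the two together (`// = previous minimum + the 400 MiB EFISize increase`) would keep them from drifting apart on the next edit.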