From: Luca Boccassi Date: Mon, 10 Feb 2025 22:17:03 +0000 (+0000) Subject: Add SplitArtifacts=roothash X-Git-Tag: v26~396^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=543bb45be4f8e82d33a1b46a05ba496308c62224;p=thirdparty%2Fmkosi.git Add SplitArtifacts=roothash --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 9d8698c1c..7290f3a0c 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -3357,6 +3357,11 @@ def make_image( if p.split_path: maybe_compress(context, context.config.compress_output, p.split_path) + if ArtifactOutput.roothash in context.config.split_artifacts and ( + roothash := finalize_roothash(partitions) + ): + (context.staging / context.config.output_split_roothash).write_text(roothash.partition("=")[2]) + return partitions diff --git a/mkosi/config.py b/mkosi/config.py index c18f95c8c..dfedd96f3 100644 --- a/mkosi/config.py +++ b/mkosi/config.py @@ -572,6 +572,7 @@ class ArtifactOutput(StrEnum): partitions = enum.auto() tar = enum.auto() pcrs = enum.auto() + roothash = enum.auto() @staticmethod def compat_no() -> list["ArtifactOutput"]: @@ -2049,6 +2050,10 @@ class Config: def output_split_pcrs(self) -> str: return f"{self.output}.pcrs" + @property + def output_split_roothash(self) -> str: + return f"{self.output}.roothash" + @property def output_nspawn_settings(self) -> str: return f"{self.output}.nspawn" @@ -2088,6 +2093,7 @@ class Config: self.output_split_kernel, self.output_split_initrd, self.output_split_pcrs, + self.output_split_roothash, self.output_nspawn_settings, self.output_checksum, self.output_signature, diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md index 5a44f6b62..c3ec09793 100644 --- a/mkosi/resources/man/mkosi.1.md +++ b/mkosi/resources/man/mkosi.1.md 
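Review bot: `roothash.partition("=")[2]` in the block added to make_image returns an empty string when the value contains no `=`, so an unexpected return format from finalize_roothash (defined outside this hunk) would produce an empty `.roothash` file without any error. The man page in this commit describes the file as input for offline signing, so I would split explicitly with `_, sep, digest = roothash.partition("=")` and fail the build, or at least skip the `write_text` call, unless `sep and digest` holds. A short comment such as `# finalize_roothash() returns "<key>=<hex digest>"; only the digest is written out` would record why the key is dropped, assuming that is the format. The body of make_image starts outside the hunk, so earlier validation of the value cannot be ruled out from here.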
@@ -603,8 +603,8 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, `SplitArtifacts=`, `--split-artifacts` : The artifact types to split out of the final image. A comma-delimited - list consisting of `uki`, `kernel`, `initrd`, `prcs`, `partitions` and - `tar`. When building a bootable image `kernel` and `initrd` + list consisting of `uki`, `kernel`, `initrd`, `prcs`, `partitions`, + `roothash` and `tar`. When building a bootable image `kernel` and `initrd` correspond to their artifact found in the image (or in the UKI), while `uki` copies out the entire UKI. If `pcrs` is specified, a JSON file containing the pre-calculated TPM2 digests is written out, according @@ -623,6 +623,9 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, When `tar` is specified, the rootfs is additionally archived as a tar archive (compressed according to `CompressOutput=`). + When `roothash` is specified and a dm-verity disk image is built, the dm-verity + roothash is written out as a separate file, which is useful for offline signing. + By default `uki`, `kernel` and `initrd` are split out. `RepartDirectories=`, `--repart-directory=`