From 4ff2d549adfc6df4b1213cb2b044dbd4542a2692 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Sat, 21 Jun 2025 17:54:48 +0100 Subject: [PATCH] mkosi-obs: support splitting out and compressing partitions Need to recompress the verity-sig partition after creating it, and deleting the non-compressed split out partitions that are already present as compressed but that sd-repart re-creates when doing the signature attach operation. --- mkosi/resources/mkosi-obs/mkosi.build | 17 +++++++++++++++++ mkosi/resources/mkosi-obs/mkosi.postoutput | 10 ++++++++++ 2 files changed, 27 insertions(+) diff --git a/mkosi/resources/mkosi-obs/mkosi.build b/mkosi/resources/mkosi-obs/mkosi.build index a9d293139..c73366fed 100755 --- a/mkosi/resources/mkosi-obs/mkosi.build +++ b/mkosi/resources/mkosi-obs/mkosi.build @@ -209,12 +209,25 @@ while read -r SIG; do cp "/usr/src/packages/SOURCES/$(basename "${SIG%roothash.sig}osrelease")" mkosi.repart/usr/lib/os-release ARGS+=(--root="$PWD"/mkosi.repart) fi + + if jq -r '.SplitArtifacts[]' "$MKOSI_CONFIG" | grep -q partitions; then + # Need to recreate the split artifact and compress it if needed + ARGS+=(--split=yes) + split=1 + fi systemd-repart "${ARGS[@]}" rm -rf mkosi.repart if ((recompress)); then zstd --force "$OUTPUTDIR/$(basename "${SIG%roothash.sig}")"raw* rm -f "$OUTPUTDIR/$(basename "${SIG%roothash.sig}raw")" "$OUTPUTDIR/$(basename "${SIG%roothash.sig}raw.img")" + if ((split)); then + zstd --force "$OUTPUTDIR/$(basename "${SIG%roothash.sig}")"*-verity-sig.*.raw + # sd-repart will split out all partitions again + rm -f "$OUTPUTDIR/$(basename "${SIG%roothash.sig}")"usr-*.raw \ + "$OUTPUTDIR/$(basename "${SIG%roothash.sig}")"root-*.raw \ + "$OUTPUTDIR/$(basename "${SIG%roothash.sig}")"esp.raw + fi fi # Do not publish the roothash here, as importctl and friends will mistake it as the roothash of the .raw image 
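Review bot: `((split))` in the recompress branch reads a flag that the added code only ever sets to 1, and nothing in this hunk initialises it; under `set -u`, bash treats an unset name in an arithmetic test as an error rather than 0. If it is not initialised next to `recompress` outside the hunk, add `split=0` before the `jq` check. The check itself is a substring match on jq's raw output, so `jq -e '.SplitArtifacts // [] | any(. == "partitions")' "$MKOSI_CONFIG" >/dev/null` would test for the exact entry and tolerate a missing key. It could also be evaluated once before the `while read -r SIG` loop, which starts outside this hunk. The same `jq | grep` test is repeated in mkosi.postoutput.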
@@ -240,6 +253,10 @@ mapfile -t AUTHVARS < <(find hashes/authvars -type f -name "*.auth") if (( ${#AUTHVARS[@]} > 0 )); then for ddi in "$OUTPUTDIR"/*.raw*; do test -f "$ddi" || continue + # Skip over split artifacts, if any + [[ "$ddi" =~ \.usr- ]] && continue + [[ "$ddi" =~ \.root- ]] && continue + [[ "$ddi" =~ -verity ]] && continue if [[ $ddi == *.zst ]]; then unzstd "${ddi}" diff --git a/mkosi/resources/mkosi-obs/mkosi.postoutput b/mkosi/resources/mkosi-obs/mkosi.postoutput index 1693a8a55..5e8cb7ade 100755 --- a/mkosi/resources/mkosi-obs/mkosi.postoutput +++ b/mkosi/resources/mkosi-obs/mkosi.postoutput @@ -72,6 +72,11 @@ done # Handle bootloaders separately from UKIs for ddi in "${DDIS[@]}"; do test -f "$ddi" || continue + # Skip over split artifacts, if any + [[ "$ddi" =~ \.usr- ]] && continue + [[ "$ddi" =~ \.root- ]] && continue + [[ "$ddi" =~ -verity ]] && continue + if [[ $ddi == *.zst ]]; then unzstd "${ddi}" fi @@ -141,12 +146,17 @@ echo "Staging the following files for signing:" cpio -t <"$OUTPUTDIR/hashes.cpio.rsasign" # The second stage will not do a full rebuild, but only attach signatures to the existing UKI +# Remember whether we need to split out the verity signature partition, as it's generated later +if jq -r '.SplitArtifacts[]' "$MKOSI_CONFIG" | grep -q partitions; then + split="SplitArtifacts=partitions" +fi cat >"$OUTPUTDIR/mkosi.conf" <
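Review bot: The three skip tests match anywhere in `$ddi`, which includes `$OUTPUTDIR`, so an output directory or image name that happens to contain `-verity`, `.usr-` or `.root-` would silently drop a real DDI from this authvars loop. Match on the file name instead, e.g. `[[ "${ddi##*/}" =~ \.(usr|root)-|-verity ]] && continue`. The list also has no case for the `esp.raw` split artifact, which the earlier hunk deletes only in the recompress branch, so an uncompressed split ESP image still looks reachable through `"$OUTPUTDIR"/*.raw*`; confirm, and add a pattern for it if so. The same three lines are added to the DDI loop in mkosi.postoutput (`@@ -72,6 +72,11 @@`), which prepares files for signing, and need the same change. Both loops continue outside their hunks.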