examples: reduce duplication, various cleanups

Create an examples/common/ directory for some of the many copy-pasted
parts between our existing examples.

Rework the fix-verity hack: it's now a proper container image which
contains its product (`fix-verity.efi`) in the image at `/`.  This can
be pulled from `quay.io` now, or (the default) built locally.  This
allows it to share the same caching tricks we use in the other builds,
but also means we should just need to build it a whole lot less often.

Add a `README.md` to `examples/` to explain what each example does.

Signed-off-by: Allison Karlitskaya <[email protected]>

examples/.gitignore

@@ -0,0 +1,5 @@
+/*/cfsctl
+/*/extra/usr/lib/dracut/modules.d/37composefs/composefs-pivot-sysroot
+/*/image.qcow2
+/*/tmp/
+/common/fix-verity/fix-verity.efi

examples/README.md

@@ -0,0 +1,9 @@
+# composefs examples
+
+This directory contains a few different approaches to using `cfsctl` to produce
+a verified operating system image.
+
+ - `uki`: an OS built around a [Unified Kernel
+   Image](https://github.com/uapi-group/specifications/blob/main/specs/unified_kernel_image.md).  If this image is signed then the signature effectively covers every single file in the filesystem.  This works with a special form of multi-stage `Containerfile` which builds a base image, measures it using `cfsctl` and then uses that measurement to inject the composefs image fs-verity hash into the second stage of the build which actually builds the UKI (and embeds the hash into the `.cmdline`).  We avoid a circular hash dependency by removing the UKI from the final image via a white-out (but `cfsctl` still knows how to find it).
+ - `bls`: an OS built around a separate kernel and initramfs installed with a [Type #1 Boot Loader Specification Entries](https://uapi-group.org/specifications/specs/boot_loader_specification/#type-1-boot-loader-specification-entries).  In this case we simply hack the bootloader entry to refer to the correct composefs hash at install type.
+ - `unified`: similar to the `uki` example, but avoiding the intermediate `cfsctl` step by running `cfsctl` inside a build stage from the `Containerfile` itself.  This involves bind-mounting the earlier build stage of the base image so that we can measure it from inside the stage that builds the UKI.

examples/bls/build

@@ -42,18 +42,4 @@ else
 fi
 sed -i 's@ /boot/@ /@' "${BLE}"
 
-> tmp/image.raw
-SYSTEMD_REPART_MKFS_OPTIONS_EXT4='-O verity' \
-    fakeroot \
-        systemd-repart \
-            --empty=require \
-            --size=auto \
-            --dry-run=no \
-            --no-pager \
-            --offline=yes \
-            --root=tmp \
-            --definitions=repart.d \
-            tmp/image.raw
-
-qemu-img convert -f raw tmp/image.raw -O qcow2 image.qcow2
-./fix-verity image.qcow2  # https://github.com/tytso/e2fsprogs/issues/201
+../common/make-image image.qcow2

examples/bls/run

@@ -0,0 +1 @@
+../common/run

examples/common/README.md

@@ -0,0 +1,33 @@
+# Common files used in examples
+
+This isn't a composefs example, but it's used by the other examples.
+
+## `fix-fsverity/`
+
+This is a workaround for missing fs-verity support in e2fsprogs and
+systemd-repart.
+
+That's being worked on here:
+ - https://github.com/systemd/systemd/issues/35352
+ - https://github.com/tytso/e2fsprogs/pull/203
+
+But we'll probably need this workaround until those changes are widely
+available.
+
+## `run`
+
+The script to run the VM.
+
+## `make-image`
+
+Creates the qcow2 filesystem image from the contents of the `tmp/` directory.
+
+This also invokes the `fix-fsverity` hack required to build a working image.
+
+## `run-repart`
+
+The part of `make-image` that needs to run under `fakeroot`.
+
+## `repart.d`
+
+The partition definitions for `systemd-repart`.

examples/common/fix-verity/Containerfile

@@ -0,0 +1,14 @@
+FROM fedora:41
+COPY dracut-hook.sh /
+RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
+    dnf --setopt keepcache=1 install -y \
+        kernel binutils systemd-boot-unsigned btrfs-progs fsverity-utils
+    dracut \
+        --uefi \
+        --no-hostonly \
+        --install 'sync fsverity' \
+        --include /dracut-hook.sh /lib/dracut/hooks/pre-pivot/fix-verity.sh \
+        --kver "$(rpm -q kernel-core --qf '%{VERSION}-%{RELEASE}.%{ARCH}')" \
+        --kernel-cmdline="root=PARTLABEL=root-x86-64 console=ttyS0" \
+        /fix-verity.efi
+EOF

examples/common/fix-verity/dracut-hook.sh

@@ -0,0 +1,13 @@
+# dracut hook for fixing fs-verity on composefs sysroot
+mount -o remount,rw /sysroot
+(
+  cd /sysroot/composefs/objects
+  echo >&2 'Enabling fsverity on composefs objects'
+  for i in */*; do
+      fsverity enable $i;
+  done
+  echo >&2 'done!'
+)
+umount /sysroot
+sync
+poweroff -ff

examples/common/fix-verity/fix-verity

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -eux
+
+mydir="${0%/*}"
+fix_verity_efi="${mydir}/fix-verity.efi"
+
+# hihi fakeroot
+unset LD_PRELOAD
+
+if [ ! -f ${fix_verity_efi} ]; then
+    if ! podman image exists quay.io/lis/fix-verity; then
+        podman image build -t quay.io/lis/fix-verity "${mydir}"
+    fi
+
+    podman run --rm -i quay.io/lis/fix-verity \
+        cat /fix-verity.efi > "${fix_verity_efi}".tmp
+    mv "${fix_verity_efi}.tmp" "${fix_verity_efi}"
+fi
+
+qemu-system-x86_64 \
+    -nographic \
+    -m 4096 \
+    -enable-kvm \
+    -bios /usr/share/edk2/ovmf/OVMF_CODE.fd \
+    -drive file="$1",format=raw,if=virtio,media=disk \
+    -kernel "${fix_verity_efi}"

examples/common/make-image

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -eux
+
+fakeroot "${0%/*}/run-repart" tmp/image.raw
+"${0%/*}/fix-verity/fix-verity" tmp/image.raw
+qemu-img convert -f raw tmp/image.raw -O qcow2 image.qcow2
+rm tmp/image.raw

examples/common/run

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -eux
+
+cd "${0%/*}"
+
+qemu-system-x86_64 \
+    -m 4096 \
+    -enable-kvm \
+    -bios /usr/share/edk2/ovmf/OVMF_CODE.fd \
+    -drive file=image.qcow2,if=virtio,cache=unsafe \
+    -nic user,model=virtio-net-pci

examples/uki/make-image → examples/common/run-repart

@@ -6,6 +6,8 @@ chown -R 0:0 tmp/sysroot
 chcon -R system_u:object_r:usr_t:s0 tmp/sysroot/composefs
 chcon system_u:object_r:var_t:s0 tmp/sysroot/var
 
+definitions="${0%/*}/repart.d"
+
 > tmp/image.raw
 SYSTEMD_REPART_MKFS_OPTIONS_EXT4='-O verity' \
     systemd-repart \
@@ -15,5 +17,5 @@ SYSTEMD_REPART_MKFS_OPTIONS_EXT4='-O verity' \
         --no-pager \
         --offline=yes \
         --root=tmp \
-        --definitions=repart.d \
+        --definitions="${definitions}" \
         tmp/image.raw

examples/uki/build

@@ -50,6 +50,4 @@ cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi tmp/efi/EFI/systemd
 cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi tmp/efi/EFI/BOOT/BOOTX64.EFI
 ${CFSCTL} oci prepare-boot "${FINAL_ID}" tmp/efi
 
-fakeroot ./make-image
-qemu-img convert -f raw tmp/image.raw -O qcow2 image.qcow2
-./fix-verity image.qcow2  # https://github.com/tytso/e2fsprogs/issues/201
+../common/make-image image.qcow2

examples/uki/run

@@ -0,0 +1 @@
+../common/run

examples/unified/build

@@ -30,6 +30,4 @@ cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi tmp/efi/EFI/systemd
 cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi tmp/efi/EFI/BOOT/BOOTX64.EFI
 ${CFSCTL} oci prepare-boot "${IMAGE_ID}" tmp/efi
 
-fakeroot ./make-image
-qemu-img convert -f raw tmp/image.raw -O qcow2 image.qcow2
-./fix-verity image.qcow2  # https://github.com/tytso/e2fsprogs/issues/201
+../common/make-image image.qcow2