From 1dae66b69609a58bd7786b5a0cb04fbb876f5672 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Sat, 2 Apr 2022 10:07:13 +0800
Subject: [PATCH] LAT: upgrade to 20220403 to add hook to customize iso
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In https://github.com/Wind-River/meta-lat/, it contains commits:
 e01f82d wic: add boot param BOOTIF=$net_default_mac to grub.cfg
 e8c43f8 genimage: correct typo for ISO image generation
 cd132bd genimage/debian_constant.py.in: correct typo
 2bfd727 lat installer: set to boot from disk as first order
 f2fe2cb lat debian: provide a hook as example to customize ISO image
 cfd4840 lat: add hook to customize iso
 facc678 wic: add hook to customize iso
 f08f82d genimage: do not copy ostree repo to PXE tarball
 efd6d2c lat intaller: try to find local kickstart configuration
 from instboot partition
 42a5482 grub-efi bbappend: add built-in commands

Edit base-bullseye.yaml to provide an example to customize
ISO image which add the following files to ISO image:
- kickstart: including self generated iso-ks.cfg and pxe-ks.cfg,
  copy kickstart.cfg from rootfs
- pxeboot: for both of EFI and Legacy BIOS, and support EFI secure
  boot if possible

iso/
├── kickstart
│   ├── iso-ks.cfg
│   ├── kickstart.cfg
│   └── pxe-ks.cfg
└── pxeboot
    ├── bzImage
    ├── bzImage.sig
    ├── EFI
    │   └── BOOT
    │       ├── bootx64.efi
    │       ├── bootx64-nosig.efi
    │       ├── grub.cfg
    │       ├── grub.cfg.sig
    │       ├── grubx64.efi
    │       ├── LockDown.efi
    │       ├── LockDown.efi.sig
    │       └── mmx64.efi
    ├── grubx64.efi
    ├── initrd
    ├── initrd.sig
    ├── ldlinux.c32
    ├── libcom32.c32
    ├── libutil.c32
    ├── pxelinux.0
    ├── pxelinux.cfg
    │   └── default
    └── vesamenu.c32

Story: 2008846
Task: 44920

PASS: Build ISO image with EFI secure boot feature enabled
PASS: Build ISO image with EFI secure boot feature disabled

Depends-On: https://review.opendev.org/c/starlingx/integ/+/836224

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Change-Id: Idf251857ca9bf486eeb36831ce8e9f99fdc2d5d3
---
 .../config/debian/common/base-bullseye.yaml   | 113 ++++++++++++++++++
 stx/dockerfiles/stx-lat-tool.Dockerfile       |   2 +-
 2 files changed, 114 insertions(+), 1 deletion(-)

diff --git a/debian-mirror-tools/config/debian/common/base-bullseye.yaml b/debian-mirror-tools/config/debian/common/base-bullseye.yaml
index 35cb0bca..5c634ee3 100644
--- a/debian-mirror-tools/config/debian/common/base-bullseye.yaml
+++ b/debian-mirror-tools/config/debian/common/base-bullseye.yaml
@@ -115,6 +115,119 @@ ostree:
   OSTREE_FDISK_VSZ: 20480
   OSTREE_FDISK_FSZ: 32
   OSTREE_CONSOLE: console=ttyS0,115200 console=tty1
+iso-post-script: |
+  cd ${ISO_DIR}
+
+  # 1. Kickstart
+  mkdir -p kickstart
+  # 1.1 Kickstart example for PXE
+  cat << ENDOF > kickstart/pxe-ks.cfg
+  lat-disk --install-device=/dev/disk/by-path/pci-0000:af:00.0-scsi-0:2:0:0
+  ENDOF
+
+  # 1.2 Kickstart example for ISO
+  cat << ENDOF > kickstart/iso-ks.cfg
+  lat-disk --install-device=/dev/sda
+  ENDOF
+
+  # 1.3 Kickstart from image rootfs (provided by package platform-kickstarts)
+  if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-22.02/kickstart.cfg ]; then
+    cp $IMAGE_ROOTFS/var/www/pages/feed/rel-22.02/kickstart.cfg kickstart/
+  fi
+
+  # 2. PXE
+  mkdir -p pxeboot/pxelinux.cfg
+
+  # 2.1 Kernel and initramfs
+  install -m 644 bzImage*  pxeboot
+  install -m 644 initrd* pxeboot
+
+  # 2.2 Bootloader
+  # 2.2.1 Legacy BIOS PXE
+  cp $OECORE_TARGET_SYSROOT/usr/share/syslinux/pxelinux.0 pxeboot/
+  cp isolinux/isolinux.cfg pxeboot/pxelinux.cfg/default
+  for f in libcom32.c32 ldlinux.c32 libutil.c32 vesamenu.c32; do
+    cp isolinux/$f pxeboot/
+  done
+
+  # 2.2.2 EFI PXE
+  cp -a EFI pxeboot
+  if [ -e $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi ]; then
+    cp $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi pxeboot/EFI/BOOT/
+  fi
+
+  # 2.3 Edit grub.cfg and pxelinux.cfg/default
+  # 2.3.1 Drop to install from local ostree repo
+  sed -i "s#instl=/ostree_repo#@BOOTPARAMS@#g" \
+    pxeboot/EFI/BOOT/grub.cfg \
+    pxeboot/pxelinux.cfg/default
+
+  # 2.3.2 Install from remote ostree repo
+  sed -i "s#insturl=file://NOT_SET#insturl=http://pxecontroller:8080/feed/debian/ostree_repo#g" \
+    pxeboot/EFI/BOOT/grub.cfg \
+    pxeboot/pxelinux.cfg/default
+
+  # 2.3.3 Configure kickstart url
+  BOOT_PARAMS="ks=http://pxecontroller:8080/feed/debian/kickstart/pxe-ks.cfg"
+
+  # 2.3.4 Verbose installation
+  BOOT_PARAMS="${BOOT_PARAMS} instsh=2"
+
+  # 2.3.5 Update boot params
+  sed -i "s#@BOOTPARAMS@#${BOOT_PARAMS}#g" \
+    pxeboot/EFI/BOOT/grub.cfg \
+    pxeboot/pxelinux.cfg/default
+
+  # 2.3.6 Add `Boot from hard drive' entry to grub.cfg
+  cat <<ENDOF>> pxeboot/EFI/BOOT/grub.cfg
+
+  menuentry 'UEFI Boot from hard drive' {
+      search --set=root --label otaefi
+      configfile /efi/boot/grub.cfg
+  }
+  ENDOF
+
+  # 2.4 Tweak PXE if EFI secure boot enabled
+  if [ "$EFI_SECURE_BOOT" = enable ]; then
+    # On some host, PXE make bootx64.efi search grubx64.efi
+    # from tftp/ dir other than tftp/EFI/BOOT/
+    install -m 0644 EFI/BOOT/grubx64.efi pxeboot/
+
+    # Resign grub.cfg
+    rm pxeboot/EFI/BOOT/grub.cfg.sig
+    echo 'SecureCore' | gpg  --pinentry-mode loopback \
+                             --batch \
+                             --homedir /tmp/.lat_gnupg_root \
+                             -u SecureBootCore \
+                             --detach-sign \
+                             --passphrase-fd 0 \
+                             pxeboot/EFI/BOOT/grub.cfg
+  fi
+
+  # 3. ISO
+  # 3.1 Edit grub.cfg and isolinux.cfg
+  # 3.1.1 Configure local kickstart url
+  BOOT_PARAMS="ks=file:///kickstart/iso-ks.cfg"
+
+  # 3.1.2 Verbose installation
+  BOOT_PARAMS="${BOOT_PARAMS} instsh=2"
+
+  # 3.1.3 Update boot params
+  sed -i "s#instl=/ostree_repo#& ${BOOT_PARAMS}#g" \
+    EFI/BOOT/grub.cfg \
+    isolinux/isolinux.cfg
+
+  # 3.2 Resign grub.cfg if EFI secure boot enabled
+  if [ "$EFI_SECURE_BOOT" = enable ]; then
+    rm EFI/BOOT/grub.cfg.sig
+    echo 'SecureCore' | gpg  --pinentry-mode loopback \
+                             --batch \
+                             --homedir /tmp/.lat_gnupg_root \
+                             -u SecureBootCore \
+                             --detach-sign \
+                             --passphrase-fd 0 \
+                             EFI/BOOT/grub.cfg
+  fi
 system:
 - contains:
   - /localdisk/deploy/lat-initramfs.yaml
diff --git a/stx/dockerfiles/stx-lat-tool.Dockerfile b/stx/dockerfiles/stx-lat-tool.Dockerfile
index 5a08e569..f495d366 100644
--- a/stx/dockerfiles/stx-lat-tool.Dockerfile
+++ b/stx/dockerfiles/stx-lat-tool.Dockerfile
@@ -16,7 +16,7 @@ FROM debian:bullseye
 
 MAINTAINER Chen Qi <Qi.Chen@windriver.com>
 
-ARG LAT_BINARY_RESOURCE_PATH=http://mirror.starlingx.cengn.ca/mirror/lat-sdk/lat-sdk-20220325
+ARG LAT_BINARY_RESOURCE_PATH=http://mirror.starlingx.cengn.ca/mirror/lat-sdk/lat-sdk-20220403
 
 # Install necessary packages
 RUN apt-get -y update && apt-get --no-install-recommends -y install \