feat: add systemd-boot support

Signed-off-by: Robert Sturla <[email protected]>

Author: p5

Cargo.toml

@@ -15,6 +15,10 @@ include = ["src", "LICENSE", "Makefile", "systemd"]
 platforms = ["*-unknown-linux-gnu"]
 tier = "2"
 
+[features]
+default = []
+systemd-boot = []
+
 [[bin]]
 name = "bootupd"
 path = "src/main.rs"

README.md

@@ -34,6 +34,10 @@ that's for tools like `grubby` and `ostree`.
 bootupd supports updating GRUB and shim for UEFI firmware on x86_64, aarch64,
 and riscv64, and GRUB for BIOS firmware on x86_64 and ppc64le.
 
+bootupd only supports installing the systemd-boot shim currently, though may be
+updated to also handle updates in future.  systemd-boot support just proxies
+to the relevant `bootctl` commands.
+
 The project is used in Bootable Containers and ostree/rpm-ostree based systems:
   - [`bootc install`](https://github.com/containers/bootc/#using-bootc-install)
   - [Fedora CoreOS](https://docs.fedoraproject.org/en-US/fedora-coreos/bootloader-updates/)
@@ -78,7 +82,7 @@ care of GRUB and shim.  See discussion in [this issue](https://github.com/coreos
 ### systemd bootctl
 
 [systemd bootctl](https://man7.org/linux/man-pages/man1/bootctl.1.html) can update itself;
-this project would probably just proxy that if we detect systemd-boot is in use.
+this project just proxies that if we detect systemd-boot is present.
 
 ## Other goals
 
@@ -151,4 +155,3 @@ bootupd now uses `systemd-run` instead to guarantee the following:
 - If we want a non-CLI API (whether that's DBus or Cap'n Proto or varlink or
   something else), we will create an independent daemon with a stable API for
   this specific need.
-

src/bios.rs

@@ -112,6 +112,7 @@ impl Component for Bios {
         dest_root: &str,
         device: &str,
         _update_firmware: bool,
+        _bootloader: &crate::bootupd::Bootloader,
     ) -> Result<InstalledContent> {
         let Some(meta) = get_component_update(src_root, self)? else {
             anyhow::bail!("No update metadata for component {} found", self.name());

src/bootupd.rs

@@ -25,6 +25,13 @@ use std::fs::{self, File};
 use std::io::{BufRead, BufReader, BufWriter, Write};
 use std::path::{Path, PathBuf};
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub(crate) enum Bootloader {
+    Grub2,
+    #[cfg(feature = "systemd-boot")]
+    SystemdBoot,
+}
+
 pub(crate) enum ConfigMode {
     None,
     Static,
@@ -81,6 +88,25 @@ pub(crate) fn install(
         anyhow::bail!("No components specified");
     }
 
+    // If Grub2 binaries are present, use Grub2
+    // Else if systemd-boot EFI binaries are present, use SystemdBoot
+    // Else fall back to Grub2
+    let bootloader = if has_grub(&source_root) {
+        Bootloader::Grub2
+    } else if has_systemd_boot(&source_root) {
+        #[cfg(feature = "systemd-boot")]
+        {
+            Bootloader::SystemdBoot
+        }
+        #[cfg(not(feature = "systemd-boot"))]
+        {
+            anyhow::bail!("systemd-boot support is not enabled in this build");
+        }
+    } else {
+        log::warn!("No bootloader binaries found, defaulting to Grub2");
+        Bootloader::Grub2
+    };
+
     let mut state = SavedState::default();
     let mut installed_efi_vendor = None;
     for &component in target_components.iter() {
@@ -93,20 +119,51 @@ pub(crate) fn install(
             continue;
         }
 
+        #[cfg(feature = "systemd-boot")]
+        if bootloader == Bootloader::SystemdBoot && component.name() == "BIOS" {
+            log::warn!("Skip installing BIOS component when using systemd-boot");
+            continue;
+        }
+
+        let update_firmware = match bootloader {
+            Bootloader::Grub2 => update_firmware,
+            #[cfg(feature = "systemd-boot")]
+            Bootloader::SystemdBoot => false,
+        };
+
         let meta = component
-            .install(&source_root, dest_root, device, update_firmware)
+            .install(
+                &source_root,
+                dest_root,
+                device,
+                update_firmware,
+                &bootloader,
+            )
             .with_context(|| format!("installing component {}", component.name()))?;
         log::info!("Installed {} {}", component.name(), meta.meta.version);
         state.installed.insert(component.name().into(), meta);
-        // Yes this is a hack...the Component thing just turns out to be too generic.
-        if let Some(vendor) = component.get_efi_vendor(&source_root)? {
-            assert!(installed_efi_vendor.is_none());
-            installed_efi_vendor = Some(vendor);
+
+        match bootloader {
+            Bootloader::Grub2 => {
+                // Yes this is a hack...the Component thing just turns out to be too generic.
+                if let Some(vendor) = component.get_efi_vendor(&source_root)? {
+                    assert!(installed_efi_vendor.is_none());
+                    installed_efi_vendor = Some(vendor);
+                }
+            }
+            #[cfg(feature = "systemd-boot")]
+            _ => {}
         }
     }
     let sysroot = &openat::Dir::open(dest_root)?;
 
-    match configs.enabled_with_uuid() {
+    // If systemd-boot is enabled, do not run grubconfigs::install
+    let configs_with_uuid = match bootloader {
+        Bootloader::Grub2 => configs.enabled_with_uuid(),
+        #[cfg(feature = "systemd-boot")]
+        _ => None,
+    };
+    match configs_with_uuid {
         Some(uuid) => {
             let meta = get_static_config_meta()?;
             state.static_configs = Some(meta);
@@ -715,6 +772,16 @@ fn strip_grub_config_file(
     Ok(())
 }
 
+/// Determine whether the necessary bootloader files are present for GRUB.
+fn has_grub(source_root: &openat::Dir) -> bool {
+    source_root.open_file(bios::GRUB_BIN).is_ok()
+}
+
+/// Determine whether the necessary bootloader files are present for systemd-boot.
+fn has_systemd_boot(source_root: &openat::Dir) -> bool {
+    source_root.open_file(efi::SYSTEMD_BOOT_EFI).is_ok()
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

src/component.rs

@@ -55,6 +55,7 @@ pub(crate) trait Component {
         dest_root: &str,
         device: &str,
         update_firmware: bool,
+        bootloader: &crate::bootupd::Bootloader,
     ) -> Result<InstalledContent>;
 
     /// Implementation of `bootupd generate-update-metadata` for a given component.

src/efi.rs

@@ -22,7 +22,7 @@ use rustix::fd::BorrowedFd;
 use walkdir::WalkDir;
 use widestring::U16CString;
 
-use crate::bootupd::RootContext;
+use crate::bootupd::{Bootloader, RootContext};
 use crate::freezethaw::fsfreeze_thaw_cycle;
 use crate::model::*;
 use crate::ostreeutil;
@@ -50,6 +50,10 @@ pub(crate) const SHIM: &str = "shimriscv64.efi";
 /// Systemd boot loader info EFI variable names
 const LOADER_INFO_VAR_STR: &str = "LoaderInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f";
 const STUB_INFO_VAR_STR: &str = "StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f";
+#[cfg(target_arch = "aarch64")]
+pub(crate) const SYSTEMD_BOOT_EFI: &str = "usr/lib/systemd/boot/efi/systemd-bootaarch64.efi";
+#[cfg(target_arch = "x86_64")]
+pub(crate) const SYSTEMD_BOOT_EFI: &str = "usr/lib/systemd/boot/efi/systemd-bootx64.efi";
 
 /// Return `true` if the system is booted via EFI
 pub(crate) fn is_efi_booted() -> Result<bool> {
@@ -342,14 +346,8 @@ impl Component for Efi {
         dest_root: &str,
         device: &str,
         update_firmware: bool,
+        bootloader: &Bootloader,
     ) -> Result<InstalledContent> {
-        let Some(meta) = get_component_update(src_root, self)? else {
-            anyhow::bail!("No update metadata for component {} found", self.name());
-        };
-        log::debug!("Found metadata {}", meta.version);
-        let srcdir_name = component_updatedirname(self);
-        let ft = crate::filetree::FileTree::new_from_dir(&src_root.sub_dir(&srcdir_name)?)?;
-
         // Let's attempt to use an already mounted ESP at the target
         // dest_root if one is already mounted there in a known ESP location.
         let destpath = if let Some(destdir) = self.get_mounted_esp(Path::new(dest_root))? {
@@ -365,6 +363,31 @@ impl Component for Efi {
             self.mount_esp_device(Path::new(dest_root), Path::new(&esp_device))?
         };
 
+        match bootloader {
+            #[cfg(feature = "systemd-boot")]
+            Bootloader::SystemdBoot => {
+                log::info!("Installing systemd-boot via bootctl");
+                let esp_dir = openat::Dir::open(&destpath)?;
+                crate::systemdbootconfigs::install(&esp_dir)?;
+                return Ok(InstalledContent {
+                    meta: ContentMetadata {
+                        timestamp: Utc::now(),
+                        version: "systemd-boot".to_string(),
+                    },
+                    filetree: None,
+                    adopted_from: None,
+                });
+            }
+            _ => {}
+        }
+
+        let Some(meta) = get_component_update(src_root, self)? else {
+            anyhow::bail!("No update metadata for component {} found", self.name());
+        };
+        log::debug!("Found metadata {}", meta.version);
+        let srcdir_name = component_updatedirname(self);
+        let ft = crate::filetree::FileTree::new_from_dir(&src_root.sub_dir(&srcdir_name)?)?;
+
         let destd = &openat::Dir::open(&destpath)
             .with_context(|| format!("opening dest dir {}", destpath.display()))?;
         validate_esp_fstype(destd)?;

src/main.rs

@@ -48,6 +48,9 @@ mod packagesystem;
 mod sha512string;
 mod util;
 
+#[cfg(feature = "systemd-boot")]
+mod systemdbootconfigs;
+
 use clap::crate_name;
 
 /// Binary entrypoint, for both daemon and client logic.

src/systemdbootconfigs.rs

@@ -0,0 +1,43 @@
+use std::path::Path;
+
+use anyhow::{Context, Result};
+use fn_error_context::context;
+
+/// Install files required for systemd-boot
+/// This mostly proxies the bootctl install command
+#[context("Installing systemd-boot")]
+pub(crate) fn install(esp_path: &openat::Dir) -> Result<()> {
+    let esp_path = esp_path.recover_path().context("ESP path is not valid")?;
+    let status = std::process::Command::new("bootctl")
+        .args([
+            "install",
+            "--esp-path",
+            esp_path.to_str().context("ESP path is not valid UTF-8")?,
+        ])
+        .status()
+        .context("Failed to execute bootctl")?;
+
+    if !status.success() {
+        anyhow::bail!(
+            "bootctl install failed with status code {}",
+            status.code().unwrap_or(-1)
+        );
+    }
+
+    // If loader.conf is present in the bootupd configuration, replace the original config with it
+    let src_loader_conf = "/usr/lib/bootupd/systemd-boot/loader.conf";
+    let dst_loader_conf = Path::new(&esp_path).join("loader/loader.conf");
+    if Path::new(src_loader_conf).exists() {
+        std::fs::copy(src_loader_conf, &dst_loader_conf)
+            .context("Failed to copy loader.conf to ESP")?;
+        log::info!(
+            "Copied {} to {}",
+            src_loader_conf,
+            dst_loader_conf.display()
+        );
+    } else {
+        log::warn!("{} does not exist, skipping copy", src_loader_conf);
+    }
+
+    Ok(())
+}