16 files changed, 97 insertions, 45 deletions

diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
index 79622c83f7..524ffa0de5 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
@@ -49,9 +49,6 @@ Packages=
         rpm
         rpm-build
         rpmautospec
-        selinux-policy
-        selinux-policy-targeted
-        setools-console
         squashfs-tools
         util-linux
         vim-common
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
new file mode 100644
index 0000000000..3dc1143fc8
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=!particle
+
+[Content]
+# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
+# building a /usr-only image.
+Packages=
+        selinux-policy
+        selinux-policy-targeted
+        setools-console
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
index 053f11be55..54f8f1c1bd 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -3,6 +3,9 @@
 [Match]
 Distribution=centos
 
+[Output]
+RepartDirectories=mkosi.repart
+
 [Content]
 Packages=
         rpmautospec-rpm-macros
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
deleted file mode 100644
index 99b846d3a8..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# CentOS does not support btrfs so we use xfs instead.
-[Partition]
-Format=xfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf
deleted file mode 100644
index d69ff91cc3..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-groups.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-g root 0
-g bin 1
-g daemon 2
-g sys 3
-g adm 4
-g tty 5
-g disk 6
-g lp 7
-g mem 8
-g kmem 9
-g wheel 10
-g cdrom 11
-g mail 12
-g man 15
-g dialout 18
-g floppy 19
-g games 20
-g tape 33
-g video 39
-g ftp 50
-g lock 54
-g audio 63
-g users 100
-g nobody 65534
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf
deleted file mode 100644
index bea0ab3447..0000000000
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/sysusers.d/20-setup-users.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-u root 0:0 "Super User" /root /bin/bash
-u bin 1:1 "bin" /bin -
-u daemon 2:2 "daemon" /sbin -
-u adm 3:4 "adm" /var/adm -
-u lp 4:7 "lp" /var/spool/lpd -
-u sync 5:0 "sync" /sbin /bin/sync
-u shutdown 6:0 "shutdown" /sbin /sbin/shutdown
-u halt 7:0 "halt" /sbin /sbin/halt
-u mail 8:12 "mail" /var/spool/mail -
-u operator 11:0 "operator" /root -
-u games 12:100 "games" /usr/games -
-u ftp 14:50 "FTP User" /var/ftp -
-u nobody 65534:65534 "Kernel Overflow User" - -
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf
new file mode 100644
index 0000000000..a50de68110
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-root.conf.d/xfs.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+# btrfs isn't supported on CentOS. Ideally we'd use xfs instead but we lose xattrs when doing rootless
+# population of xfs which is required for testing SELinux so let's do ext4 instead.
+Format=ext4
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
new file mode 100644
index 0000000000..8c1920b0ce
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.conf
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Profile=particle
+
+[Output]
+RepartDirectories=
+RepartDirectories=mkosi.repart
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
+
+[Host]
+@RuntimeSize=8G
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
new file mode 100644
index 0000000000..3755278462
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/15-swap.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=swap
+SizeMinBytes=100M
+SizeMaxBytes=100M
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
new file mode 100644
index 0000000000..2f92af248f
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/repart.d/20-root.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+SizeMinBytes=1G
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
new file mode 100644
index 0000000000..dac79ba4ed
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+C+! /etc - - - - /usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
new file mode 100755
index 0000000000..f5523983d2
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
@@ -0,0 +1,15 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
+
+# sbsign is not available on CentOS Stream
+if command -v sbsign &>/dev/null; then
+    # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+    addons_dir=/efi/loader/addons
+    mkdir -p "$addons_dir"
+    ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+    ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
new file mode 100644
index 0000000000..391543d1e7
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/00-esp.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=1G
+SizeMaxBytes=1G
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
new file mode 100644
index 0000000000..343761d097
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/10-usr.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
new file mode 100644
index 0000000000..b4d45dd7ef
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/11-usr-verity.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
new file mode 100644
index 0000000000..1841d0a6db
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.repart/12-usr-verity-sig.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr