[RFC PATCH 0/3] Add support of Discoverable Disk Image


Quirin Gylstorff

5:52 AM (10 hours ago)
to isar-...@googlegroups.com
From: Quirin Gylstorff <quirin.g...@siemens.com>

This patchset allows building Discoverable Disk Images (DDIs), like
systemd-sysext
systemd-portable
systemd-confext

In the current implementation the images are not stripped, so
especially sysext images contain a full copy of /usr and /opt.

This patchset uses systemd-repart instead of wic as it is
easier to describe interdependent partition layouts as required
by DDIs.


Quirin Gylstorff (3):
Add Discoverable Disk Image definitions to ISAR
Add imagetype Discoverable Disk Image(DDI)
classes/image: Add DDI imagetype

meta/classes/image.bbclass | 3 +-
meta/classes/imagetypes_ddi.bbclass | 47 +++++++++++++++++++
.../definitions/confext.repart.d/10-root.conf | 16 +++++++
.../confext.repart.d/20-root-verity.conf | 14 ++++++
.../confext.repart.d/30-root-verity-sig.conf | 13 +++++
.../portable.repart.d/10-root.conf | 16 +++++++
.../portable.repart.d/20-root-verity.conf | 14 ++++++
.../portable.repart.d/30-root-verity-sig.conf | 13 +++++
.../definitions/sysext.repart.d/10-root.conf | 17 +++++++
.../sysext.repart.d/20-root-verity.conf | 14 ++++++
.../sysext.repart.d/30-root-verity-sig.conf | 13 +++++
.../isar-ddi-definitions_0.1.bb | 17 +++++++
12 files changed, 196 insertions(+), 1 deletion(-)
create mode 100644 meta/classes/imagetypes_ddi.bbclass
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/10-root.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/20-root-verity.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/30-root-verity-sig.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/10-root.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/20-root-verity.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/30-root-verity-sig.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/10-root.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/20-root-verity.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/30-root-verity-sig.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/isar-ddi-definitions_0.1.bb

--
2.51.0

Quirin Gylstorff

5:52 AM (10 hours ago)
to isar-...@googlegroups.com
From: Quirin Gylstorff <quirin.g...@siemens.com>

This allows generating Discoverable Disk Images[1] like systemd-sysext
and systemd-confext with the help of systemd-repart.

Systemd-repart was chosen as it is easier to set up multiple partitions
which depend on each other. For example, a SYSEXT image contains
three partitions.

[1]: https://uapi-group.org/specifications/specs/discoverable_disk_image/

Signed-off-by: Quirin Gylstorff <quirin.g...@siemens.com>
---
meta/classes/imagetypes_ddi.bbclass | 47 +++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 meta/classes/imagetypes_ddi.bbclass

diff --git a/meta/classes/imagetypes_ddi.bbclass b/meta/classes/imagetypes_ddi.bbclass
new file mode 100644
index 00000000..7020508a
--- /dev/null
+++ b/meta/classes/imagetypes_ddi.bbclass
@@ -0,0 +1,47 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+# Class to generate discoverable disk images (DDI)
+
+DEPENDS += "isar-ddi-definitions"
+IMAGER_BUILD_DEPS:ddi += " isar-ddi-definitions"
+IMAGER_INSTALL:ddi += " isar-ddi-definitions"
+
+DDI_SIGNING_KEY_PATH ?= ""
+DDI_SIGNING_CERTIFICATE_PATH ?= ""
+DDI_TYPE ?= "sysext"
+DDI_DEFINITION_PATH ?= "/usr/share/isar-ddi-definitions/${DDI_TYPE}.repart.d"
+DDI_OUTPUT_IMAGE ?= "${IMAGE_FULLNAME}.ddi"
+ddi_not_supported() {
+ bberror "IMAGE TYPE DDI is not supported in distribution Release '${BASE_DISTRO_CODENAME}'"
+}
+
+create_ddi_image() {
+ local_extra_arguments=""
+ if [ -n "${DDI_SIGNING_KEY_PATH}" ]; then
+ local_extra_arguments="${local_extra_arguments} --private-key=${DDI_SIGNING_KEY_PATH}"
+ fi
+ if [ -n "${DDI_SIGNING_CERTIFICATE_PATH}" ]; then
+ local_extra_arguments="${local_extra_arguments} --certificate=${DDI_SIGNING_CERTIFICATE_PATH}"
+ fi
+
+ rm -rf ${DEPLOY_DIR_IMAGE}/${DDI_OUTPUT_IMAGE}
+
+ ${SUDO_CHROOT} << EOF
+ if [ -z ${DDI_SIGNING_KEY_PATH} ]; then
+ rm -f ${DDI_DEFINITION_PATH}/30-root-verity-sig.conf
+ fi
+ /usr/bin/systemd-repart \
+ --definitions='${DDI_DEFINITION_PATH}' \
+ --copy-source=${PP_ROOTFS} \
+ --empty=create --size=auto --dry-run=no \
+ --no-pager $local_extra_arguments \
+ ${PP_DEPLOY}/${DDI_OUTPUT_IMAGE}
+EOF
+}
+
+IMAGE_CMD:ddi:buster = "ddi_not_supported"
+IMAGE_CMD:ddi:bullseye = "ddi_not_supported"
+IMAGE_CMD:ddi:bookworm = "ddi_not_supported"
+IMAGE_CMD:ddi = "create_ddi_image"
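
Review bot: In create_ddi_image, the `rm -f ${DDI_DEFINITION_PATH}/30-root-verity-sig.conf` inside the ${SUDO_CHROOT} heredoc deletes a file from the installed definitions directory rather than from a per-build copy. If that chroot is reused, a later build with a key no longer finds the signature partition definition, and the unsigned fallback itself happens without any message. Consider copying the definitions to a temporary directory and filtering there, emitting a bbwarn when no key is configured, and failing early when only one of DDI_SIGNING_KEY_PATH and DDI_SIGNING_CERTIFICATE_PATH is set. The test `[ -z ${DDI_SIGNING_KEY_PATH} ]` should also quote the expansion, and `--copy-source` and the output path should be quoted the way `--definitions` is.
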
--
2.51.0

Quirin Gylstorff

5:52 AM (10 hours ago)
to isar-...@googlegroups.com
From: Quirin Gylstorff <quirin.g...@siemens.com>

This allows using ddi as an image type

Signed-off-by: Quirin Gylstorff <quirin.g...@siemens.com>
---
meta/classes/image.bbclass | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index f4b9989c..5d551c20 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -146,7 +146,8 @@ IMAGE_BASETYPES = "${@get_image_basetypes(d)}"

# image types
IMAGE_CLASSES ??= ""
-IMGCLASSES = "imagetypes imagetypes_wic imagetypes_vm imagetypes_container squashfs"
+IMGCLASSES = "imagetypes imagetypes_wic imagetypes_vm imagetypes_container squashfs \
+ imagetypes_ddi"
IMGCLASSES += "${IMAGE_CLASSES}"
inherit ${IMGCLASSES}

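Review bot: Adding imagetypes_ddi to IMGCLASSES makes every image inherit the class, and the class in this series carries an unconditional `DEPENDS += "isar-ddi-definitions"`, so images that never select the ddi type still depend on that recipe. Would it be enough to drop the plain DEPENDS line and keep only the `:ddi` scoped IMAGER_BUILD_DEPS and IMAGER_INSTALL entries, so that only DDI builds pull it in?
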
--
2.51.0

Quirin Gylstorff

5:52 AM (10 hours ago)
to isar-...@googlegroups.com
From: Quirin Gylstorff <quirin.g...@siemens.com>

This is in preparation to support Discoverable Disk Image as an
image type.

Signed-off-by: Quirin Gylstorff <quirin.g...@siemens.com>
---
.../definitions/confext.repart.d/10-root.conf | 16 ++++++++++++++++
.../confext.repart.d/20-root-verity.conf | 14 ++++++++++++++
.../confext.repart.d/30-root-verity-sig.conf | 13 +++++++++++++
.../definitions/portable.repart.d/10-root.conf | 16 ++++++++++++++++
.../portable.repart.d/20-root-verity.conf | 14 ++++++++++++++
.../portable.repart.d/30-root-verity-sig.conf | 13 +++++++++++++
.../definitions/sysext.repart.d/10-root.conf | 17 +++++++++++++++++
.../sysext.repart.d/20-root-verity.conf | 14 ++++++++++++++
.../sysext.repart.d/30-root-verity-sig.conf | 13 +++++++++++++
.../isar-ddi-definitions_0.1.bb | 17 +++++++++++++++++
10 files changed, 147 insertions(+)
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/10-root.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/20-root-verity.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/30-root-verity-sig.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/10-root.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/20-root-verity.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/30-root-verity-sig.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/10-root.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/20-root-verity.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/30-root-verity-sig.conf
create mode 100644 meta/recipes-support/isar-ddi-definitions/isar-ddi-definitions_0.1.bb

diff --git a/meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/10-root.conf b/meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/10-root.conf
new file mode 100644
index 00000000..f728ab66
--- /dev/null
+++ b/meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/10-root.conf
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Partition]
+Type=root
+Format=erofs
+CopyFiles=/etc/
+Verity=data
+VerityMatchKey=root
+Minimize=best
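
Review bot: `CopyFiles=/etc/` puts the complete /etc of the image rootfs into the confext, so everything the rootfs keeps there ships in the extension and is overlaid onto the host's /etc when the confext is merged. The definition should narrow the copy, for example with ExcludeFiles= entries or a file list generated from a recipe variable, so that a confext carries only the configuration it is meant to deliver.
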
diff --git a/meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/20-root-verity.conf b/meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/20-root-verity.conf
new file mode 100644
index 00000000..8179351b
--- /dev/null
+++ b/meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/20-root-verity.conf
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Partition]
+Type=root-verity
+Verity=hash
+VerityMatchKey=root
+Minimize=best
diff --git a/meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/30-root-verity-sig.conf b/meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/30-root-verity-sig.conf
new file mode 100644
index 00000000..df160154
--- /dev/null
+++ b/meta/recipes-support/isar-ddi-definitions/files/definitions/confext.repart.d/30-root-verity-sig.conf
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Partition]
+Type=root-verity-sig
+Verity=signature
+VerityMatchKey=root
diff --git a/meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/10-root.conf b/meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/10-root.conf
new file mode 100644
index 00000000..6f500d04
--- /dev/null
+++ b/meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/10-root.conf
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Partition]
+Type=root
+Format=erofs
+CopyFiles=/
+Verity=data
+VerityMatchKey=root
+Minimize=best
diff --git a/meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/20-root-verity.conf b/meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/20-root-verity.conf
new file mode 100644
index 00000000..8179351b
--- /dev/null
+++ b/meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/20-root-verity.conf
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Partition]
+Type=root-verity
+Verity=hash
+VerityMatchKey=root
+Minimize=best
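
Review bot: This 20-root-verity.conf has the same blob id (8179351b) as the confext and sysext copies, and the three 30-root-verity-sig.conf files likewise share df160154, so only 10-root.conf differs per DDI type. Keeping one shared pair of verity definitions and combining it with the per-type 10-root.conf at install time would avoid having three copies to keep in sync.
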
diff --git a/meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/30-root-verity-sig.conf b/meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/30-root-verity-sig.conf
new file mode 100644
index 00000000..df160154
--- /dev/null
+++ b/meta/recipes-support/isar-ddi-definitions/files/definitions/portable.repart.d/30-root-verity-sig.conf
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Partition]
+Type=root-verity-sig
+Verity=signature
+VerityMatchKey=root
diff --git a/meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/10-root.conf b/meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/10-root.conf
new file mode 100644
index 00000000..b8ef985b
--- /dev/null
+++ b/meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/10-root.conf
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Partition]
+Type=root
+Format=erofs
+CopyFiles=/usr/
+CopyFiles=/opt/
+Verity=data
+VerityMatchKey=root
+Minimize=best
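
Review bot: Nothing in this series creates /usr/lib/extension-release.d/extension-release.NAME, which systemd-sysext requires before it merges an image, so a sysext built from these `CopyFiles=/usr/` and `CopyFiles=/opt/` lines only works if the image recipe happens to install that file. Please document the requirement (the confext analogue lives under /etc/extension-release.d/) or check for the file in create_ddi_image and stop with a clear bberror.
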
diff --git a/meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/20-root-verity.conf b/meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/20-root-verity.conf
new file mode 100644
index 00000000..8179351b
--- /dev/null
+++ b/meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/20-root-verity.conf
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Partition]
+Type=root-verity
+Verity=hash
+VerityMatchKey=root
+Minimize=best
diff --git a/meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/30-root-verity-sig.conf b/meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/30-root-verity-sig.conf
new file mode 100644
index 00000000..df160154
--- /dev/null
+++ b/meta/recipes-support/isar-ddi-definitions/files/definitions/sysext.repart.d/30-root-verity-sig.conf
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Partition]
+Type=root-verity-sig
+Verity=signature
+VerityMatchKey=root
diff --git a/meta/recipes-support/isar-ddi-definitions/isar-ddi-definitions_0.1.bb b/meta/recipes-support/isar-ddi-definitions/isar-ddi-definitions_0.1.bb
new file mode 100644
index 00000000..25c437f0
--- /dev/null
+++ b/meta/recipes-support/isar-ddi-definitions/isar-ddi-definitions_0.1.bb
@@ -0,0 +1,17 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+DESCRIPTION = "Definitions to generate Discoverable Disk Image"
+DPKG_ARCH = "all"
+
+DEBIAN_DEPENDS = "systemd, systemd-repart, cryptsetup, openssl, erofs-utils"
+SRC_URI = "file://definitions"
+
+do_install[cleandirs] = "${D}/usr/share/${BPN}"
+do_install() {
+ cp -a ${WORKDIR}/definitions/* ${D}/usr/share/${BPN}/
+}
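
Review bot: The recipe header declares MIT, but every file it installs from `file://definitions` carries an LGPL-2.1-or-later header stating it is part of systemd. The package metadata should state that license for the shipped definition files so the resulting Debian package does not misreport it.
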
--
2.51.0

Jan Kiszka

6:59 AM (9 hours ago)
to Quirin Gylstorff, isar-...@googlegroups.com
On 10.11.25 11:50, 'Quirin Gylstorff' via isar-users wrote:
> From: Quirin Gylstorff <quirin.g...@siemens.com>
>
> This patchset allows to build Discoverable Disk Image(DDI)s, like
> systemd-sysext
> systemd-portable
> systemd-confext
>

...and that will allow... ? Would be good to draft the use case here as
well.

Jan
Siemens AG, Foundational Technologies
Linux Expert Center