josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

live-image: fix firmware so i915 actually loads at boot
CI / Lint + build + test (push) Successful in 1m35s
Details
Release / release (push) Failing after 22s
Details

Browse Source 
Previous attempt (c962d6d) added firmware-linux-nonfree to mkosi.conf,
but the CI bundle was still 63 MB and Tiger Lake wedged on tgl_guc.
Two reasons: (1) firmware-linux-nonfree on bookworm is a thin
metapackage that doesn't include firmware-misc-nonfree, which is where
i915 GuC/HuC blobs actually live; (2) Ubuntu's apt-packaged mkosi is
old enough that Repositories=non-free-firmware shorthand likely isn't
wired through to the debootstrap invocation, so firmware packages
silently miss the bootstrap step entirely.

Changes:
- Enumerate firmware packages explicitly in mkosi.conf (firmware-
  misc-nonfree, firmware-iwlwifi, firmware-realtek, firmware-amd-
  graphics, firmware-intel-sound, intel/amd64-microcode).
- Ship mkosi.sources.d/debian.sources with explicit deb822 so the
  non-free-firmware component is unambiguously available.
- Install mkosi 24.3 via pip in CI instead of apt's older build.
- Pin MODULES=most and COMPRESS=zstd via a tracked initramfs-tools
  config under mkosi.extra/.
- Narrow .gitignore so only the generated agent binary is ignored,
  not the whole mkosi.extra/ tree.
- New check-initrd Makefile target asserts both size (>=150 MB) and
  actual presence of i915/tgl_guc_*.bin inside the built initrd, so
  a silent firmware-drop regression fails the build loudly.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Josh Wright
2026-04-18 13:38:40 -04:00
parent c962d6d8ab
commit 28918bad15
7 changed files with 73 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/e2e.yml
+5 -2
View File
@@ -36,11 +36,14 @@ jobs:
run: | run: |
sudo apt-get update sudo apt-get update
sudo apt-get install -y --no-install-recommends \ sudo apt-get install -y --no-install-recommends \
mkosi debootstrap squashfs-tools \ debootstrap squashfs-tools \
systemd-ukify systemd-boot kmod \ systemd-ukify systemd-boot kmod \
debian-archive-keyring \ debian-archive-keyring python3-pip zstd \
qemu-system-x86 qemu-utils \ qemu-system-x86 qemu-utils \
dnsmasq iperf3 ipxe-qemu dnsmasq iperf3 ipxe-qemu
# See release.yml for rationale — Ubuntu's apt mkosi is too old
# to handle bookworm's non-free-firmware component correctly.
sudo pip install --break-system-packages mkosi==24.3
- name: Install templ - name: Install templ
run: go install github.com/a-h/templ/cmd/templ@v0.3.1001 run: go install github.com/a-h/templ/cmd/templ@v0.3.1001
.gitea/workflows/release.yml
+7 -2
View File
@@ -33,9 +33,14 @@ jobs:
run: | run: |
sudo apt-get update sudo apt-get update
sudo apt-get install -y --no-install-recommends \ sudo apt-get install -y --no-install-recommends \
mkosi debootstrap squashfs-tools dosfstools \ debootstrap squashfs-tools dosfstools \
systemd-ukify systemd-boot kmod \ systemd-ukify systemd-boot kmod \
debian-archive-keyring debian-archive-keyring python3-pip zstd
# Ubuntu's apt-packaged mkosi is too old to wire
# non-free-firmware shorthand through to debootstrap.
# Install a pinned recent version directly; mkosi is
# pure-Python so --break-system-packages is harmless here.
sudo pip install --break-system-packages mkosi==24.3
- name: Install templ - name: Install templ
run: go install github.com/a-h/templ/cmd/templ@v0.3.1001 run: go install github.com/a-h/templ/cmd/templ@v0.3.1001
.gitignore
+3 -1
View File
@@ -12,7 +12,9 @@
vetting.yaml vetting.yaml
!deploy/vetting.example.yaml !deploy/vetting.example.yaml
live-image/out/ live-image/out/
live-image/mkosi.extra/ # Only the generated agent binary is ignored — source-controlled
# files under mkosi.extra/ (e.g. initramfs-tools config) must ship.
live-image/mkosi.extra/usr/local/sbin/vetting-agent
live-image/mkosi.cache/ live-image/mkosi.cache/
live-image/mkosi.output/ live-image/mkosi.output/
live-image/build/ live-image/build/
live-image/Makefile
+32 -2
View File
@@ -12,9 +12,38 @@ REPO_ROOT := $(abspath ..)
AGENT_BIN := $(REPO_ROOT)/bin/vetting-agent.linux-amd64 AGENT_BIN := $(REPO_ROOT)/bin/vetting-agent.linux-amd64
MKOSI_EXTRA_AGENT := mkosi.extra/usr/local/sbin/vetting-agent MKOSI_EXTRA_AGENT := mkosi.extra/usr/local/sbin/vetting-agent
.PHONY: all check-linux agent clean .PHONY: all check-linux check-initrd agent clean
all: check-linux $(MKOSI_EXTRA_AGENT) all: check-linux $(MKOSI_EXTRA_AGENT)
mkosi --force build mkosi --force build
$(MAKE) check-initrd
# Fail the build if the initrd doesn't actually contain the firmware
# blobs we need. Catches two failure modes:
# 1. Packages didn't install (apt/bootstrap component misconfigured) —
# the size check trips.
# 2. Packages installed but update-initramfs didn't pack them
# (MODULES=dep regression, initramfs-tools default drift) — the
# blob presence check trips.
# Requires unmkinitramfs (from initramfs-tools on the build host).
check-initrd:
@size=$$(stat -c%s build/initrd.img); \
min=$$((150 * 1024 * 1024)); \
if [ "$$size" -lt "$$min" ]; then \
echo "ERROR: initrd.img is $$size bytes (< $$min) — firmware almost certainly missing."; \
echo " Check mkosi build log for missing packages or apt failures."; \
exit 1; \
fi
@tmp=$$(mktemp -d); \
trap 'rm -rf "$$tmp"' EXIT; \
unmkinitramfs build/initrd.img "$$tmp" >/dev/null 2>&1 || { \
echo "ERROR: unmkinitramfs failed — initrd.img may be corrupt."; exit 1; }; \
if ! find "$$tmp" -path '*lib/firmware/i915/tgl_guc*' -print -quit | grep -q .; then \
echo "ERROR: i915/tgl_guc firmware missing from initrd."; \
echo " Package installed but update-initramfs didn't pack /lib/firmware."; \
echo " Check MODULES= in /etc/initramfs-tools/initramfs.conf."; \
exit 1; \
fi
@echo "initrd.img OK ($$(du -h build/initrd.img | cut -f1), i915 firmware present)"
agent: $(AGENT_BIN) agent: $(AGENT_BIN)
@@ -35,4 +64,5 @@ endif
@command -v mkosi >/dev/null 2>&1 || { echo "ERROR: mkosi not installed. Try: apt install mkosi"; exit 1; } @command -v mkosi >/dev/null 2>&1 || { echo "ERROR: mkosi not installed. Try: apt install mkosi"; exit 1; }
clean: clean:
rm -rf build mkosi.output mkosi.cache mkosi.extra rm -rf build mkosi.output mkosi.cache
rm -f $(MKOSI_EXTRA_AGENT)
live-image/mkosi.conf
+17
View File
@@ -12,6 +12,11 @@ Release=bookworm
# amdgpu, nvidia-*, realtek NIC firmware, etc. — anything we'd want # amdgpu, nvidia-*, realtek NIC firmware, etc. — anything we'd want
# when PXE-booting a random repaired host. Without it i915 wedges # when PXE-booting a random repaired host. Without it i915 wedges
# on Tiger Lake+ and drags the serial console with it. # on Tiger Lake+ and drags the serial console with it.
#
# Belt-and-suspenders: mkosi.sources.d/debian.sources ships an
# explicit deb822 sources drop-in so the bootstrap step sees the
# component regardless of how this shorthand is interpreted by the
# mkosi version doing the build.
Repositories=main non-free-firmware Repositories=main non-free-firmware
[Output] [Output]
@@ -39,6 +44,18 @@ Packages=
dmidecode dmidecode
pciutils pciutils
usbutils usbutils
initramfs-tools
# Firmware. firmware-linux-nonfree on bookworm is a thin metapackage
# that does NOT pull i915 GuC/HuC — those live in firmware-misc-nonfree.
# Enumerate explicitly so the blob for whatever hardware we boot on
# actually lands in /lib/firmware and then in the initrd.
firmware-misc-nonfree
firmware-iwlwifi
firmware-realtek
firmware-amd-graphics
firmware-intel-sound
intel-microcode
amd64-microcode
firmware-linux-nonfree firmware-linux-nonfree
# Phase 4 will add: smartmontools stress-ng fio iperf3 lshw lm-sensors # Phase 4 will add: smartmontools stress-ng fio iperf3 lshw lm-sensors
live-image/mkosi.extra/etc/initramfs-tools/initramfs.conf
+4
View File
@@ -0,0 +1,4 @@
MODULES=most
BUSYBOX=auto
KEYMAP=n
COMPRESS=zstd
live-image/mkosi.sources.d/debian.sources
+5
View File
@@ -0,0 +1,5 @@
Types: deb
URIs: http://deb.debian.org/debian
Suites: bookworm
Components: main non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg