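# live-image/Makefile — builds the Debian live image that PXE-booted
# hosts land in. Requires a Linux host (or WSL) with mkosi installed.
# On native Windows this Makefile short-circuits with a clear message.

# $(OS) is Windows_NT on native Windows, where `uname` may not exist; only
# shell out to uname on other hosts.
ifeq ($(OS),Windows_NT)
UNAME_S := Windows
else
UNAME_S := $(shell uname -s)
endif

REPO_ROOT := $(abspath ..)
AGENT_BIN := $(REPO_ROOT)/bin/vetting-agent.linux-amd64
MKOSI_EXTRA_AGENT := mkosi.extra/usr/local/sbin/vetting-agent

# Remove a target whose recipe failed part-way, so a truncated agent binary
# is never mistaken for an up-to-date one and staged into the image.
.DELETE_ON_ERROR:

.PHONY: all check-linux check-initrd agent clean

# Build the image, then verify the resulting initrd. check-initrd runs as a
# sub-make so that it always executes after mkosi has finished.
all: check-linux $(MKOSI_EXTRA_AGENT)
	mkosi --force build
	$(MAKE) check-initrd

# Fail the build if the initrd doesn't actually contain the firmware
# blobs we need. Catches two failure modes:
#   1. Packages didn't install (apt/bootstrap component misconfigured) —
#      the size check trips.
#   2. Packages installed but update-initramfs didn't pack them
#      (MODULES=dep regression, initramfs-tools default drift) — the
#      blob presence check trips.
# Requires unmkinitramfs (from initramfs-tools on the build host).
check-initrd:
	@# build/initrd.img is a symlink into build/boot/; use wc -c (which
	@# follows symlinks) to get the real byte count. `stat -c%s` without
	@# -L returns the symlink's path length instead of the target size.
	@# The -r test and the "|| exit 1" make this gate fail closed: with an
	@# empty size the numeric test would error out and the "if" body would
	@# be skipped instead of failing the build.
	@[ -r build/initrd.img ] || { \
		echo "ERROR: build/initrd.img is missing or unreadable — did 'mkosi build' produce it?"; \
		exit 1; }; \
	size=$$(wc -c < build/initrd.img) || exit 1; \
	min=$$((150 * 1024 * 1024)); \
	if [ "$$size" -lt "$$min" ]; then \
		echo "ERROR: initrd.img is $$size bytes (< $$min) — firmware almost certainly missing."; \
		echo " Check mkosi build log for missing packages or apt failures."; \
		exit 1; \
	fi
	@# Report a missing tool as such; otherwise the silenced unmkinitramfs
	@# call below would blame a corrupt image.
	@command -v unmkinitramfs >/dev/null 2>&1 || { echo "ERROR: unmkinitramfs not installed. Try: apt install initramfs-tools"; exit 1; }
	@# Unpack into a private temp dir that the EXIT trap removes on every
	@# exit path, then look for the i915 GuC firmware blob.
	@tmp=$$(mktemp -d) || { echo "ERROR: mktemp -d failed — cannot unpack initrd.img."; exit 1; }; \
	trap 'rm -rf "$$tmp"' EXIT; \
	unmkinitramfs build/initrd.img "$$tmp" >/dev/null 2>&1 || { \
		echo "ERROR: unmkinitramfs failed — initrd.img may be corrupt."; exit 1; }; \
	if ! find "$$tmp" -path '*lib/firmware/i915/tgl_guc*' -print -quit | grep -q .; then \
		echo "ERROR: i915/tgl_guc firmware missing from initrd."; \
		echo " Package installed but update-initramfs didn't pack /lib/firmware."; \
		echo " Check MODULES= in /etc/initramfs-tools/initramfs.conf."; \
		exit 1; \
	fi
	@echo "initrd.img OK ($$(du -hL build/initrd.img | cut -f1), i915 firmware present)"

agent: $(AGENT_BIN)

# Cross-compile the agent for linux/amd64 from the repository root.
# NOTE(review): this rule has no prerequisites, so make treats an existing
# $(AGENT_BIN) as up to date and never rebuilds it when the Go sources
# change. A stale agent can therefore be staged into the image; delete the
# binary (or run `make -B agent`) to force a rebuild before a release build.
$(AGENT_BIN):
	cd "$(REPO_ROOT)" && GOOS=linux GOARCH=amd64 go build -o "$@" ./cmd/vetting-agent

# Stage the prebuilt agent into mkosi.extra/ so mkosi copies it into the
# image root without the postinst needing to reach outside the source tree.
# NOTE(review): nothing here verifies the binary's provenance; whatever file
# sits at $(AGENT_BIN) is installed mode 0755 under usr/local/sbin in the image.
$(MKOSI_EXTRA_AGENT): $(AGENT_BIN)
	install -D -m 0755 $< $@

# Refuse to run anywhere but Linux, and require mkosi on PATH. The
# conditional is resolved when the Makefile is parsed, so the three error
# lines are part of the recipe only on non-Linux hosts.
check-linux:
ifneq ($(UNAME_S),Linux)
	@echo "ERROR: live-image must be built on Linux (you're on $(UNAME_S))."
	@echo "Run 'wsl make -C live-image all' from Windows instead."
	@exit 1
endif
	@command -v mkosi >/dev/null 2>&1 || { echo "ERROR: mkosi not installed. Try: apt install mkosi"; exit 1; }

# Remove mkosi outputs and the staged agent copy. The binary at $(AGENT_BIN)
# is left in place.
clean:
	rm -rf build mkosi.output mkosi.cache
	rm -f $(MKOSI_EXTRA_AGENT)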