josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
28918bad153dce1c809114729b177bf9629a2a44
Vetting/live-image/Makefile
T
josh 28918bad15
CI / Lint + build + test (push) Successful in 1m35s
Details
Release / release (push) Failing after 22s
Details
live-image: fix firmware so i915 actually loads at boot 
Previous attempt (c962d6d) added firmware-linux-nonfree to mkosi.conf,
but the CI bundle was still 63 MB and Tiger Lake wedged on tgl_guc.
Two reasons: (1) firmware-linux-nonfree on bookworm is a thin
metapackage that doesn't include firmware-misc-nonfree, which is where
i915 GuC/HuC blobs actually live; (2) Ubuntu's apt-packaged mkosi is
old enough that Repositories=non-free-firmware shorthand likely isn't
wired through to the debootstrap invocation, so firmware packages
silently miss the bootstrap step entirely.

Changes:
- Enumerate firmware packages explicitly in mkosi.conf (firmware-
  misc-nonfree, firmware-iwlwifi, firmware-realtek, firmware-amd-
  graphics, firmware-intel-sound, intel/amd64-microcode).
- Ship mkosi.sources.d/debian.sources with explicit deb822 so the
  non-free-firmware component is unambiguously available.
- Install mkosi 24.3 via pip in CI instead of apt's older build.
- Pin MODULES=most and COMPRESS=zstd via a tracked initramfs-tools
  config under mkosi.extra/.
- Narrow .gitignore so only the generated agent binary is ignored,
  not the whole mkosi.extra/ tree.
- New check-initrd Makefile target asserts both size (>=150 MB) and
  actual presence of i915/tgl_guc_*.bin inside the built initrd, so
  a silent firmware-drop regression fails the build loudly.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 13:38:40 -04:00

69 lines
2.6 KiB
Makefile
Raw Blame History

# live-image/Makefile — builds the Debian live image that PXE-booted
# hosts land in. Requires a Linux host (or WSL) with mkosi installed.
# On native Windows this Makefile short-circuits with a clear message.
ifeq ($(OS),Windows_NT)
UNAME_S := Windows
else
UNAME_S := $(shell uname -s)
endif
REPO_ROOT := $(abspath ..)
AGENT_BIN := $(REPO_ROOT)/bin/vetting-agent.linux-amd64
MKOSI_EXTRA_AGENT := mkosi.extra/usr/local/sbin/vetting-agent
.PHONY: all check-linux check-initrd agent clean
all: check-linux $(MKOSI_EXTRA_AGENT)
mkosi --force build
$(MAKE) check-initrd
# Fail the build if the initrd doesn't actually contain the firmware
# blobs we need. Catches two failure modes:
# 1. Packages didn't install (apt/bootstrap component misconfigured) —
# the size check trips.
# 2. Packages installed but update-initramfs didn't pack them
# (MODULES=dep regression, initramfs-tools default drift) — the
# blob presence check trips.
# Requires unmkinitramfs (from initramfs-tools on the build host).
check-initrd:
@size=$$(stat -c%s build/initrd.img); \
min=$$((150 * 1024 * 1024)); \
if [ "$$size" -lt "$$min" ]; then \
echo "ERROR: initrd.img is $$size bytes (< $$min) — firmware almost certainly missing."; \
echo " Check mkosi build log for missing packages or apt failures."; \
exit 1; \
fi
@tmp=$$(mktemp -d); \
trap 'rm -rf "$$tmp"' EXIT; \
unmkinitramfs build/initrd.img "$$tmp" >/dev/null 2>&1 || { \
echo "ERROR: unmkinitramfs failed — initrd.img may be corrupt."; exit 1; }; \
if ! find "$$tmp" -path '*lib/firmware/i915/tgl_guc*' -print -quit | grep -q .; then \
echo "ERROR: i915/tgl_guc firmware missing from initrd."; \
echo " Package installed but update-initramfs didn't pack /lib/firmware."; \
echo " Check MODULES= in /etc/initramfs-tools/initramfs.conf."; \
exit 1; \
fi
@echo "initrd.img OK ($$(du -h build/initrd.img | cut -f1), i915 firmware present)"
agent: $(AGENT_BIN)
$(AGENT_BIN):
cd $(REPO_ROOT) && GOOS=linux GOARCH=amd64 go build -o $(AGENT_BIN) ./cmd/vetting-agent
# Stage the prebuilt agent into mkosi.extra/ so mkosi copies it into the
# image root without the postinst needing to reach outside the source tree.
$(MKOSI_EXTRA_AGENT): $(AGENT_BIN)
install -D -m 0755 $< $@
check-linux:
ifneq ($(UNAME_S),Linux)
@echo "ERROR: live-image must be built on Linux (you're on $(UNAME_S))."
@echo "Run 'wsl make -C live-image all' from Windows instead."
@exit 1
endif
@command -v mkosi >/dev/null 2>&1 || { echo "ERROR: mkosi not installed. Try: apt install mkosi"; exit 1; }
clean:
rm -rf build mkosi.output mkosi.cache
rm -f $(MKOSI_EXTRA_AGENT)
Reference in New Issue View Git Blame Copy Permalink