mirror of
https://github.com/gentoo-mirror/guru.git
synced 2026-07-19 12:03:02 -04:00
sys-boot/lamboot: new package
Memory-safe UEFI bootloader (Rust), prebuilt Secure Boot-signed -bin. Build-tested on gentoo-stage3 (pkgcheck rc=0, emerge OK). Signed-off-by: Greg Lamberson <greg@lamco.io>
This commit is contained in:
1
sys-boot/lamboot/Manifest
Normal file
1
sys-boot/lamboot/Manifest
Normal file
@@ -0,0 +1 @@
|
||||
DIST lamboot-0.16.5-x86_64.tar.gz 3190092 BLAKE2B 59be1503f8c8636b7b81222ef3f5302518e5fc93a5e1b4a2a95a8d2a660b45f77d3d8771ca362c19b4649c399a4ac2751c6ebed639f7b29f5e1c2c6348746424 SHA512 33ee1e989c418546da29550b95c3d0c982165cc782d6ceea6192f1a0c8396f3c535b415243a81978271e5e08a02cfdd93ac6cdc502f1cb3da3cb93daba911705
|
||||
149
sys-boot/lamboot/lamboot-0.16.5.ebuild
Normal file
149
sys-boot/lamboot/lamboot-0.16.5.ebuild
Normal file
@@ -0,0 +1,149 @@
|
||||
# Copyright 2026 Lamco Development LLC
|
||||
# Distributed under the terms of the MIT or Apache-2.0 license
|
||||
|
||||
EAPI=8
|
||||
|
||||
PYTHON_COMPAT=( python3_{11..14} )
|
||||
inherit python-single-r1 shell-completion
|
||||
|
||||
DESCRIPTION="Memory-safe UEFI bootloader for Linux, written in Rust"
|
||||
HOMEPAGE="https://lamco.ai/products/lamboot/ https://github.com/lamco-admin/lamboot"
|
||||
|
||||
# Prebuilt binary ebuild: this repackages the published Secure Boot-signed
|
||||
# -bin release artifact (the same tarball AUR lamboot-bin and apt.lamco.ai
|
||||
# consume). It does not build from source, so no nightly Rust toolchain and
|
||||
# no signing keys are needed at merge time. A build-from-source ebuild is a
|
||||
# separate track, gated on whether LamBoot builds on stable rustc for the
|
||||
# *-unknown-uefi targets without -Z build-std (see ../../../PACKAGING.md).
|
||||
SRC_URI="https://github.com/lamco-admin/lamboot/releases/download/v${PV}/lamboot-${PV}-x86_64.tar.gz"
|
||||
S="${WORKDIR}/lamboot-${PV}"
|
||||
|
||||
LICENSE="MIT Apache-2.0"
|
||||
SLOT="0"
|
||||
KEYWORDS="~amd64"
|
||||
|
||||
# The shipped .efi is a Secure Boot-signed PE binary. Stripping it (or running
|
||||
# any ELF post-processing over it) rewrites the file and invalidates the
|
||||
# signature, so the firmware rejects it under Secure Boot. Forbid strip.
|
||||
RESTRICT="strip"
|
||||
|
||||
# efibootmgr: lamboot-install registers the UEFI boot entry through it.
|
||||
# python: lamboot-inspect and lamboot-monitor.py are Python 3 programs; the
|
||||
# python-single-r1 eclass declares the dependency and pins the script shebangs.
|
||||
REQUIRED_USE="${PYTHON_REQUIRED_USE}"
|
||||
RDEPEND="
|
||||
sys-boot/efibootmgr
|
||||
${PYTHON_DEPS}
|
||||
"
|
||||
|
||||
# The signed PE binaries are not ELF; tell the QA scanners not to treat them
|
||||
# as broken ELF objects or to expect them to be stripped.
|
||||
QA_PREBUILT="usr/share/lamboot/EFI/LamBoot/*.efi
|
||||
usr/share/lamboot/EFI/LamBoot/modules/*.efi
|
||||
usr/share/lamboot/EFI/LamBoot/drivers/*/*.efi"
|
||||
|
||||
src_install() {
|
||||
# Stage the whole distribution under /usr/share/lamboot. This is
|
||||
# lamboot-install's SRC_DIR: it searches /usr/share/lamboot,
|
||||
# /usr/local/share/lamboot, then /opt/lamboot, and copies the .efi to the
|
||||
# operator's ESP from there. We copy the tree wholesale (preserving the
|
||||
# tarball's +x bits on scripts) rather than using doins, which would force
|
||||
# 0644 and break lamboot-install's exec of its sibling helpers.
|
||||
#
|
||||
# Exclude build/packaging metadata, the man page, completions, docs, the
|
||||
# top-level README/CHANGELOG/SECURITY/LICENSE files, the manifest, and
|
||||
# Python bytecode: those are installed to their own paths below (or not at
|
||||
# all), and lamboot-install does not read them from SRC_DIR.
|
||||
local share="${ED}/usr/share/lamboot"
|
||||
dodir /usr/share/lamboot
|
||||
cp -a "${S}"/. "${share}"/ || die "failed to stage distribution"
|
||||
rm -rf \
|
||||
"${share}"/packaging \
|
||||
"${share}"/man \
|
||||
"${share}"/completions \
|
||||
"${share}"/docs \
|
||||
"${share}"/README.md \
|
||||
"${share}"/CHANGELOG.md \
|
||||
"${share}"/SECURITY.md \
|
||||
"${share}"/LICENSE-MIT \
|
||||
"${share}"/LICENSE-APACHE \
|
||||
"${share}"/MANIFEST.sha256 \
|
||||
|| die "failed to prune staged tree"
|
||||
# Drop any Python bytecode the artifact carried; it is regenerated at
|
||||
# runtime and would otherwise pull host paths into the package.
|
||||
find "${share}" -type d -name __pycache__ -exec rm -rf {} + || die
|
||||
find "${share}" -type f -name '*.pyc' -delete || die
|
||||
|
||||
# Normalise staged permissions: directories 0755, files 0644, but keep the
|
||||
# executable bit on the scripts/binaries that carried it (lamboot-install,
|
||||
# lamboot-inspect, sign-lamboot.sh and its sign-lock/sign-unlock helpers,
|
||||
# the .efi loaders, etc.). No group/other write. Mirror the deb's
|
||||
# `chmod -R u=rwX,go=rX`, which preserves +x where it was already set.
|
||||
chmod -R u=rwX,go=rX "${share}" || die "failed to normalise staged perms"
|
||||
|
||||
# Pin the Python diagnostic scripts' shebangs to the selected interpreter
|
||||
# (python-single-r1). lamboot-host-sampler and the rest are bash, left as-is.
|
||||
python_fix_shebang \
|
||||
"${share}"/lamboot-inspect \
|
||||
"${share}"/lamboot-monitor.py
|
||||
|
||||
# esp-deploy.sh at the canonical literal path. lamboot-install checks
|
||||
# /usr/lib/lamboot/esp-deploy.sh first, then the script-relative
|
||||
# ../lib/esp-deploy.sh. Use the literal /usr/lib (NOT $(get_libdir)):
|
||||
# on amd64 that resolves to /usr/lib64, where lamboot-install does not
|
||||
# look. It is a sourced shell library, so 0644 is correct.
|
||||
insinto /usr/lib/lamboot
|
||||
doins lib/esp-deploy.sh
|
||||
|
||||
# Operator CLIs on PATH as relative symlinks into the staged tree, so each
|
||||
# script's realpath-based sibling lookups resolve: lamboot-inspect imports
|
||||
# the adjacent lamboot_inspect package, and sign-lamboot.sh execs the
|
||||
# adjacent sign-unlock/sign-lock. The staged systemd units hardcode
|
||||
# /usr/bin/lamboot-install, so these must land in /usr/bin, not /usr/sbin.
|
||||
dodir /usr/bin
|
||||
dosym ../share/lamboot/lamboot-install /usr/bin/lamboot-install
|
||||
dosym ../share/lamboot/lamboot-inspect /usr/bin/lamboot-inspect
|
||||
dosym ../share/lamboot/sign-lamboot.sh /usr/bin/lamboot-sign
|
||||
|
||||
# Man page, shell completions (newbashcomp + dozshcomp from shell-completion).
|
||||
doman man/man1/lamboot-inspect.1
|
||||
newbashcomp completions/lamboot-inspect.bash lamboot-inspect
|
||||
dozshcomp completions/_lamboot-inspect
|
||||
|
||||
# Documentation and dual license.
|
||||
dodoc README.md CHANGELOG.md SECURITY.md
|
||||
# The -bin tarball is thinned (PACKAGING.md §0): the full docs/ tree lives in
|
||||
# the public repo + website, not the artifact, so it is absent here. Install
|
||||
# it only if present, otherwise dodoc dies against the thinned tarball.
|
||||
if [[ -d docs ]]; then
|
||||
dodoc -r docs/.
|
||||
fi
|
||||
# Gentoo installs license texts under /usr/share/licenses/<pkg>.
|
||||
insinto /usr/share/licenses/${PN}
|
||||
doins LICENSE-MIT LICENSE-APACHE
|
||||
|
||||
# Note what we deliberately do NOT install: the systemd units, the
|
||||
# kernel-install plugin, the kernel-event hooks, and lamboot-kernel-hook.
|
||||
# lamboot-install deploys all of those at runtime from /usr/share/lamboot.
|
||||
# The package never writes the ESP or /etc. (The AUR package's one
|
||||
# exception, the alpm kernel hook, is an Arch-only convention and has no
|
||||
# Gentoo equivalent here.)
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
elog "LamBoot is staged under /usr/share/lamboot but is NOT yet installed to"
|
||||
elog "the EFI System Partition. To deploy the bootloader and register a UEFI"
|
||||
elog "boot entry, run:"
|
||||
elog ""
|
||||
elog " sudo lamboot-install --signed"
|
||||
elog ""
|
||||
elog "Secure Boot today means MOK or sbctl enrollment; this package never"
|
||||
elog "enrolls a key for you. To trust the shipped signed bootloader under"
|
||||
elog "shim, enroll the LamBoot signing certificate:"
|
||||
elog ""
|
||||
elog " sudo mokutil --import /usr/share/lamboot/lamboot-signing.der"
|
||||
elog " (set a one-time password, reboot, complete enrollment in MokManager)"
|
||||
elog ""
|
||||
elog "Or, with sbctl, sign/enroll through your own Secure Boot key hierarchy."
|
||||
elog "Full guide: /usr/share/doc/${PF}/"
|
||||
}
|
||||
31
sys-boot/lamboot/metadata.xml
Normal file
31
sys-boot/lamboot/metadata.xml
Normal file
@@ -0,0 +1,31 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<maintainer type="person" proxied="yes">
|
||||
<email>office@lamco.io</email>
|
||||
<name>Lamco Development LLC</name>
|
||||
</maintainer>
|
||||
<maintainer type="project" proxied="proxy">
|
||||
<email>proxy-maint@gentoo.org</email>
|
||||
<name>Proxy Maintainers</name>
|
||||
</maintainer>
|
||||
<longdescription lang="en">
|
||||
LamBoot is a UEFI bootloader for Linux written in Rust. It provides a
|
||||
native PE loader, a native ext4 read backend, Boot Loader Specification
|
||||
multi-filesystem discovery, TPM measurements, and a structured
|
||||
trust-evidence log.
|
||||
|
||||
This ebuild installs the prebuilt, Secure Boot-signed bootloader, its
|
||||
filesystem drivers and diagnostic modules, the public signing
|
||||
certificate, and the host-side tooling (lamboot-install,
|
||||
lamboot-inspect, lamboot-sign) under /usr/share/lamboot. It does not
|
||||
modify the EFI System Partition: run lamboot-install to deploy LamBoot
|
||||
to the ESP and register a UEFI boot entry. Under Secure Boot, enroll
|
||||
the shipped signing certificate with mokutil or sbctl first.
|
||||
</longdescription>
|
||||
<upstream>
|
||||
<remote-id type="github">lamco-admin/lamboot</remote-id>
|
||||
<bugs-to>https://github.com/lamco-admin/lamboot/issues</bugs-to>
|
||||
<doc>https://lamco.ai/products/lamboot/</doc>
|
||||
</upstream>
|
||||
</pkgmetadata>
|
||||
Reference in New Issue
Block a user