composefs-backend/uki: Handle UKI addons

Johan-Liebert1 · cgwalters · commit 147fcf314983 · 2025-09-15T14:57:31.000-04:00
If we find UKI addons in the boot entries list, write them to ESP along
with the UKI

Signed-off-by: Pragyan Poudyal &lt;pragyanpoudyal41999@gmail.com&gt;
diff --git a/crates/lib/src/bootc_composefs/boot.rs b/crates/lib/src/bootc_composefs/boot.rs
@@ -11,7 +11,8 @@ use camino::{Utf8Path, Utf8PathBuf};
 use cap_std_ext::{cap_std, dirext::CapStdExtDirExt};
 use clap::ValueEnum;
 use composefs::fs::read_file;
-use composefs::tree::FileSystem;
+use composefs::tree::{FileSystem, RegularFile};
+use composefs_boot::bootloader::{PEType, EFI_ADDON_DIR_EXT, EFI_ADDON_FILE_EXT, EFI_EXT};
 use composefs_boot::BootOps;
 use fn_error_context::context;
 use ostree_ext::composefs::{
@@ -283,7 +284,7 @@ pub(crate) fn setup_composefs_bls_boot(
     // TODO: Make this generic
     repo: ComposefsRepository<Sha256HashValue>,
     id: &Sha256HashValue,
-    entry: ComposefsBootEntry<Sha256HashValue>,
+    entry: &ComposefsBootEntry<Sha256HashValue>,
 ) -> Result<String> {
     let id_hex = id.to_hex();
 
@@ -527,13 +528,107 @@ pub(crate) fn setup_composefs_bls_boot(
     Ok(boot_digest)
 }
 
+/// Writes a PortableExecutable to ESP along with any PE specific or Global addons
+fn write_pe_to_esp(
+    repo: &ComposefsRepository<Sha256HashValue>,
+    file: &RegularFile<Sha256HashValue>,
+    file_path: &PathBuf,
+    pe_type: PEType,
+    uki_id: &String,
+    is_insecure_from_opts: bool,
+    mounted_efi: &PathBuf,
+) -> Result<Option<String>> {
+    let efi_bin = read_file(file, &repo).context("Reading .efi binary")?;
+
+    let mut boot_label = None;
+
+    // UKI Extension might not even have a cmdline
+    // TODO: UKI Addon might also have a composefs= cmdline?
+    if matches!(pe_type, PEType::Uki) {
+        let cmdline = uki::get_cmdline(&efi_bin).context("Getting UKI cmdline")?;
+
+        let (composefs_cmdline, insecure) = get_cmdline_composefs::<Sha256HashValue>(cmdline)?;
+
+        // If the UKI cmdline does not match what the user has passed as cmdline option
+        // NOTE: This will only be checked for new installs and now upgrades/switches
+        match is_insecure_from_opts {
+            true if !insecure => {
+                tracing::warn!("--insecure passed as option but UKI cmdline does not support it");
+            }
+
+            false if insecure => {
+                tracing::warn!("UKI cmdline has composefs set as insecure");
+            }
+
+            _ => { /* no-op */ }
+        }
+
+        if composefs_cmdline.to_hex() != *uki_id {
+            anyhow::bail!(
+                "The UKI has the wrong composefs= parameter (is '{composefs_cmdline:?}', should be {uki_id:?})"
+            );
+        }
+
+        boot_label = Some(uki::get_boot_label(&efi_bin).context("Getting UKI boot label")?);
+    }
+
+    // Write the UKI to ESP
+    let efi_linux_path = mounted_efi.join(EFI_LINUX);
+    create_dir_all(&efi_linux_path).context("Creating EFI/Linux")?;
+
+    let final_pe_path = match file_path.parent() {
+        Some(parent) => {
+            let renamed_path = match parent.as_str()?.ends_with(EFI_ADDON_DIR_EXT) {
+                true => {
+                    let dir_name = format!("{}{}", uki_id, EFI_ADDON_DIR_EXT);
+
+                    parent
+                        .parent()
+                        .map(|p| p.join(&dir_name))
+                        .unwrap_or(dir_name.into())
+                }
+
+                false => parent.to_path_buf(),
+            };
+
+            let full_path = efi_linux_path.join(renamed_path);
+            create_dir_all(&full_path)?;
+
+            full_path
+        }
+
+        None => efi_linux_path,
+    };
+
+    let pe_dir = cap_std::fs::Dir::open_ambient_dir(&final_pe_path, cap_std::ambient_authority())
+        .with_context(|| format!("Opening {final_pe_path:?}"))?;
+
+    let pe_name = match pe_type {
+        PEType::Uki => format!("{}{}", uki_id, EFI_EXT),
+        PEType::UkiAddon => format!("{}{}", uki_id, EFI_ADDON_FILE_EXT),
+    };
+
+    pe_dir
+        .atomic_write(pe_name, efi_bin)
+        .context("Writing UKI")?;
+
+    rustix::fs::fsync(
+        pe_dir
+            .reopen_as_ownedfd()
+            .context("Reopening as owned fd")?,
+    )
+    .context("fsync")?;
+
+    Ok(boot_label)
+}
+
 #[context("Setting up UKI boot")]
 pub(crate) fn setup_composefs_uki_boot(
     setup_type: BootSetupType,
     // TODO: Make this generic
     repo: ComposefsRepository<Sha256HashValue>,
     id: &Sha256HashValue,
-    entry: ComposefsBootEntry<Sha256HashValue>,
+    entries: Vec<ComposefsBootEntry<Sha256HashValue>>,
 ) -> Result<()> {
     let (root_path, esp_device, is_insecure_from_opts) = match setup_type {
         BootSetupType::Setup((root_setup, state, ..)) => {
@@ -553,15 +648,19 @@ pub(crate) fn setup_composefs_uki_boot(
             (
                 root_setup.physical_root_path.clone(),
                 esp_part.node.clone(),
-                state.composefs_options.as_ref().map(|x| x.insecure),
+                state
+                    .composefs_options
+                    .as_ref()
+                    .map(|x| x.insecure)
+                    .unwrap_or(false),
             )
         }
 
         BootSetupType::Upgrade(..) => {
             let sysroot = Utf8PathBuf::from("/sysroot");
             let sysroot_parent = get_sysroot_parent_dev()?;
 
-            (sysroot, get_esp_partition(&sysroot_parent)?.0, None)
+            (sysroot, get_esp_partition(&sysroot_parent)?.0, false)
         }
     };
 
@@ -573,65 +672,32 @@ pub(crate) fn setup_composefs_uki_boot(
         .args([&PathBuf::from(&esp_device), &mounted_efi.clone()])
         .run()?;
 
-    let boot_label = match entry {
-        ComposefsBootEntry::Type1(..) => unimplemented!(),
-        ComposefsBootEntry::UsrLibModulesVmLinuz(..) => unimplemented!(),
-
-        ComposefsBootEntry::Type2(type2_entry) => {
-            let uki = read_file(&type2_entry.file, &repo).context("Reading UKI")?;
-            let cmdline = uki::get_cmdline(&uki).context("Getting UKI cmdline")?;
-            let (composefs_cmdline, insecure) = get_cmdline_composefs::<Sha256HashValue>(cmdline)?;
-
-            // If the UKI cmdline does not match what the user has passed as cmdline option
-            // NOTE: This will only be checked for new installs and now upgrades/switches
-            if let Some(is_insecure_from_opts) = is_insecure_from_opts {
-                match is_insecure_from_opts {
-                    true => {
-                        if !insecure {
-                            tracing::warn!(
-                                "--insecure passed as option but UKI cmdline does not support it"
-                            )
-                        }
-                    }
+    let mut boot_label = String::new();
 
-                    false => {
-                        if insecure {
-                            tracing::warn!("UKI cmdline has composefs set as insecure")
-                        }
-                    }
-                }
+    for entry in entries {
+        match entry {
+            ComposefsBootEntry::Type1(..) => tracing::debug!("Skipping Type1 Entry"),
+            ComposefsBootEntry::UsrLibModulesVmLinuz(..) => {
+                tracing::debug!("Skipping vmlinuz in /usr/lib/modules")
             }
 
-            let boot_label = uki::get_boot_label(&uki).context("Getting UKI boot label")?;
+            ComposefsBootEntry::Type2(entry) => {
+                let ret = write_pe_to_esp(
+                    &repo,
+                    &entry.file,
+                    &entry.file_path,
+                    entry.pe_type,
+                    &id.to_hex(),
+                    is_insecure_from_opts,
+                    &mounted_efi,
+                )?;
 
-            if composefs_cmdline != *id {
-                anyhow::bail!(
-                    "The UKI has the wrong composefs= parameter (is '{composefs_cmdline:?}', should be {id:?})"
-                );
+                if let Some(label) = ret {
+                    boot_label = label;
+                }
             }
-
-            // Write the UKI to ESP
-            let efi_linux_path = mounted_efi.join(EFI_LINUX);
-            create_dir_all(&efi_linux_path).context("Creating EFI/Linux")?;
-
-            let efi_linux =
-                cap_std::fs::Dir::open_ambient_dir(&efi_linux_path, cap_std::ambient_authority())
-                    .with_context(|| format!("Opening {efi_linux_path:?}"))?;
-
-            efi_linux
-                .atomic_write(format!("{}.efi", id.to_hex()), uki)
-                .context("Writing UKI")?;
-
-            rustix::fs::fsync(
-                efi_linux
-                    .reopen_as_ownedfd()
-                    .context("Reopening as owned fd")?,
-            )
-            .context("fsync")?;
-
-            boot_label
-        }
-    };
+        };
+    }
 
     Command::new("umount")
         .arg(&mounted_efi)
@@ -750,11 +816,11 @@ pub(crate) fn setup_composefs_boot(
     let entries = fs.transform_for_boot(&repo)?;
     let id = fs.commit_image(&repo, None)?;
 
-    let Some(entry) = entries.into_iter().next() else {
+    let Some(entry) = entries.iter().next() else {
         anyhow::bail!("No boot entries!");
     };
 
-    let boot_type = BootType::from(&entry);
+    let boot_type = BootType::from(entry);
     let mut boot_digest: Option<String> = None;
 
     match boot_type {
@@ -772,7 +838,7 @@ pub(crate) fn setup_composefs_boot(
             BootSetupType::Setup((&root_setup, &state, &fs)),
             repo,
             &id,
-            entry,
+            entries,
         )?,
     };
 
diff --git a/crates/lib/src/bootc_composefs/switch.rs b/crates/lib/src/bootc_composefs/switch.rs
@@ -39,11 +39,11 @@ pub(crate) async fn switch_composefs(opts: SwitchOpts) -> Result<()> {
     let (repo, entries, id, fs) =
         pull_composefs_repo(&target_imgref.transport, &target_imgref.image).await?;
 
-    let Some(entry) = entries.into_iter().next() else {
+    let Some(entry) = entries.iter().next() else {
         anyhow::bail!("No boot entries!");
     };
 
-    let boot_type = BootType::from(&entry);
+    let boot_type = BootType::from(entry);
     let mut boot_digest = None;
 
     match boot_type {
@@ -56,7 +56,7 @@ pub(crate) async fn switch_composefs(opts: SwitchOpts) -> Result<()> {
             )?)
         }
         BootType::Uki => {
-            setup_composefs_uki_boot(BootSetupType::Upgrade((&fs, &host)), repo, &id, entry)?
+            setup_composefs_uki_boot(BootSetupType::Upgrade((&fs, &host)), repo, &id, entries)?
         }
     };
 
diff --git a/crates/lib/src/bootc_composefs/update.rs b/crates/lib/src/bootc_composefs/update.rs
@@ -29,11 +29,11 @@ pub(crate) async fn upgrade_composefs(_opts: UpgradeOpts) -> Result<()> {
 
     let (repo, entries, id, fs) = pull_composefs_repo(&imgref.transport, &imgref.image).await?;
 
-    let Some(entry) = entries.into_iter().next() else {
+    let Some(entry) = entries.iter().next() else {
         anyhow::bail!("No boot entries!");
     };
 
-    let boot_type = BootType::from(&entry);
+    let boot_type = BootType::from(entry);
     let mut boot_digest = None;
 
     match boot_type {
@@ -47,7 +47,7 @@ pub(crate) async fn upgrade_composefs(_opts: UpgradeOpts) -> Result<()> {
         }
 
         BootType::Uki => {
-            setup_composefs_uki_boot(BootSetupType::Upgrade((&fs, &host)), repo, &id, entry)?
+            setup_composefs_uki_boot(BootSetupType::Upgrade((&fs, &host)), repo, &id, entries)?
         }
     };
 
