platforms/cloud: add Cloud-Base-UEFI-UKI profile

This is a variation of Cloud-Base-Generic which boots using UKIs.

This also adds uki-editbootconfig.sh script which makes the
image bootable via "UEFI firmware -> shim.efi -> UKI.efi".

Some background information:
https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_2

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

components/boot.xml

@@ -2,6 +2,9 @@
 	<profiles>
 		<profile name="BootCore" description="Boot core packages"/>
 	</profiles>
+	<profiles>
+		<profile name="BootCoreUKI" description="Boot core packages for UKI"/>
+	</profiles>
 	<packages type="image" patternType="plusRecommended" profiles="BootCore">
 		<package name="grub2-efi-aa64" arch="aarch64"/>
 		<package name="grub2-efi-aa64-modules" arch="aarch64"/>
@@ -16,6 +19,15 @@
 		<package name="systemd-oomd-defaults"/>
 		<package name="systemd-resolved"/>
 	</packages>
+	<packages type="image" patternType="plusRecommended" profiles="BootCoreUKI">
+		<package name="shim-signed-aa64" arch="aarch64"/>
+		<package name="shim-signed-x64" arch="x86_64"/>
+		<package name="systemd-oomd-defaults"/>
+		<package name="systemd-resolved"/>
+		<package name="kernel-uki-virt"/>
+		<package name="python3-virt-firmware"/>
+		<package name="uki-direct"/>
+	</packages>
 	<packages type="iso" patternType="plusRecommended" profiles="BootCore">
 		<package name="grub2-efi-aa64-cdboot" arch="aarch64"/>
 		<package name="grub2-efi-x64-cdboot" arch="x86_64"/>

platforms/cloud.xml

@@ -3,6 +3,9 @@
 		<profile name="CloudCore" description="Cloud spin core packages">
 			<requires profile="BootCore"/>
 		</profile>
+		<profile name="CloudCoreUKI" description="Cloud spin core packages for UKI">
+			<requires profile="BootCoreUKI"/>
+		</profile>
 		<profile name="Cloud-Base-Azure" description="Azure Base Guest Image">
 			<requires profile="CloudCore"/>
 		</profile>
@@ -15,6 +18,9 @@
 		<profile name="Cloud-Base-Generic" description="Generic Base Guest Image">
 			<requires profile="CloudCore"/>
 		</profile>
+		<profile name="Cloud-Base-UEFI-UKI" description="UEFI Base Guest Image using UKIs">
+			<requires profile="CloudCoreUKI"/>
+		</profile>
 		<profile name="Cloud-Base-OpenStack" description="OpenStack Base Guest Image">
 			<requires profile="Cloud-Base-Generic"/>
 		</profile>
@@ -78,6 +84,28 @@
 			</oemconfig>
 		</type>
 	</preferences>
+	<preferences profiles="Cloud-Base-UEFI-UKI">
+		<type image="oem" format="qcow2"
+		      firmware="uefi" efipartsize="1000"
+		      bootpartition="false"
+		      filesystem="btrfs" btrfs_root_is_subvolume="true" btrfs_set_default_volume="true"
+		      devicepersistency="by-uuid"
+		      rootfs_label="fedora"
+		      initrd_system="none"
+		      editbootconfig="uki-editbootconfig.sh"
+		      >
+			<bootloader name="custom"/>
+			<size unit="G">5</size>
+			<systemdisk>
+				<volume name="@root=root"/>
+				<volume name="home" parent="/"/>
+				<volume name="var" parent="/"/>
+			</systemdisk>
+			<oemconfig>
+				<oem-resize>false</oem-resize>
+			</oemconfig>
+		</type>
+	</preferences>
 	<packages type="image" patternType="plusRecommended" profiles="CloudCore">
 		<namedCollection name="cloud-server-environment"/>
 		<ignore name="dracut-config-rescue"/>
@@ -90,6 +118,18 @@
 		<package name="python3-dnf-plugin-tracer"/>
 		<package name="glibc-langpack-en"/>
 	</packages>
+	<packages type="image" patternType="plusRecommended" profiles="CloudCoreUKI">
+		<namedCollection name="cloud-server-environment"/>
+		<ignore name="dracut-config-rescue"/>
+		<ignore name="firewalld"/>
+		<ignore name="kernel"/>
+		<ignore name="[a-oq-z]*-firmware"/>
+		<ignore name="geolite2-city"/>
+		<ignore name="geolite2-country"/>
+		<ignore name="plymouth"/>
+		<package name="python3-dnf-plugin-tracer"/>
+		<package name="glibc-langpack-en"/>
+	</packages>
 	<packages type="image" patternType="plusRecommended" profiles="Cloud-Base-Azure">
 		<package name="WALinuxAgent"/>
 	</packages>
@@ -101,6 +141,9 @@
 	<packages type="image" patternType="plusRecommended" profiles="Cloud-Base-Generic">
 		<package name="qemu-guest-agent"/>
 	</packages>
+	<packages type="image" patternType="plusRecommended" profiles="Cloud-Base-UEFI-UKI">
+		<package name="qemu-guest-agent"/>
+	</packages>
 	<packages type="uninstall" profiles="Cloud-Base-GCE">
 		<package name="cloud-init"/>
 	</packages>

uki-editbootconfig.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+echo "###" "$0" "$@"
+
+# set arch-specific variables
+case "$(uname -m)" in
+    aarch64) arch="aa64"; ARCH="AA64"; uuid="b921b045-1df0-41c3-af44-4c6f280d3fae";;
+    x86_64)  arch="x64";  ARCH="X64";  uuid="4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709";;
+esac
+
+# figure where shim.efi and BOOT.CSV are located
+shim="$(ls boot/efi/EFI/*/shim${arch}.efi)"
+csv="${shim%/*}/BOOT${ARCH}.CSV"
+
+# copy UKI images (typically one) to ${ESP}/EFI/Linux and
+# generate BOOT.CSV with one entry per UKI.
+echo "# csv: $csv"
+echo -ne '\xff\xfe' > "$csv"
+for uki in lib/modules/*/vmlinuz*.efi; do
+    echo "# uki: $uki"
+    ver=${uki#lib/modules/}
+    ver=${ver%/*}
+    mkdir -p boot/efi/EFI/Linux
+    cp --reflink=auto $uki boot/efi/EFI/Linux/${ver}.efi
+    echo "shim${arch}.efi,$ver,\\EFI\\Linux\\${ver}.efi ,Comment" \
+        | iconv -f utf-8 -t ucs-2le >> "$csv"
+done
+
+# kiwi doesn't setup discoverable partitions, so fixup after the fact
+# here.  The UKI depends on that to find the root filesystem.
+#  * The image is loop-mounted.
+#    - partition #1 is biosboot (can this be disabled?).
+#    - partition #2 is the EFI ESP.
+#    - partition #3 is the root filesystem (this needs fixup).
+echo "# hack: rootfs: $uuid"
+sfdisk --part-type /dev/loop0 3 "$uuid"
+
+# bz2240989: shim has a hard dependency on grub.  grub has a hard
+# dependency on dracut.  Ideally we would simply not install
+# grub+dracut, but given we can't until the shim bug is fixed disable
+# their kernel-install plugins instead.
+echo "# hack: kernel-install - disable plugins"
+touch etc/kernel/install.d/20-grub.install
+touch etc/kernel/install.d/50-dracut.install
+
+# package install ran kernel-install scripts, cleanup the leftovers.
+echo "# hack: kernel-install - cleanup leftovers"
+rm -v boot/initramfs*
+rm -v boot/EFI/Linux/*