core-initrd: build snap-bootstrap and include in deb package

Include snap-bootstrap sources and other needed snapd bits into the
ubuntu-core-initramfs source package, and build it when building the
deb file. Therefore, do not pull anymore snapd bits in the system from
ubuntu-core-initramfs script. Add also a README.md to the folder and a
script to automate building the source packages, avoiding duplicated
sources where possible.

core-initrd/24.04/debian/control

@@ -15,11 +15,11 @@ Package: ubuntu-core-initramfs
 Architecture: amd64 arm64 armhf riscv64
 Depends: ${python3:Depends}, ${misc:Depends}, dracut-core (>= 051-1),
          python3:any,
+         golang-go (>=2:1.18~) [!powerpc] | golang-1.18 [!powerpc] | golang-1.21,
          dracut-core,
          busybox-initramfs,
          zstd,
          sbsigntool,
-         snapd (>= 2.50+20.04),
          linux-firmware,
          kcapi-tools (>= 1.4.0-1ubuntu3),
          dbus,

core-initrd/24.04/debian/install

@@ -4,3 +4,6 @@ snakeoil/* usr/lib/ubuntu-core-initramfs/snakeoil/
 debian/tmp/* usr/lib/ubuntu-core-initramfs/main
 modules usr/lib/ubuntu-core-initramfs/
 fips usr/lib/ubuntu-core-initramfs/
+snap-bootstrap usr/lib/ubuntu-core-initramfs/main/usr/lib/snapd/
+snapd/info usr/lib/ubuntu-core-initramfs/main/usr/lib/snapd/
+snapd/snapd.recovery-chooser-trigger.service usr/lib/ubuntu-core-initramfs/main/usr/lib/systemd/system/

core-initrd/24.04/debian/rules

@@ -1,19 +1,59 @@
 #!/usr/bin/make -f
-export DH_VERBOSE=1
 
 include /usr/share/dpkg/default.mk
 
+export DH_VERBOSE=1
+export DH_OPTIONS
+
+BUILDFLAGS:=
+# disable DWARF generation in go linker
+BUILDFLAGS+=-ldflags=-w
+# Disable -buildmode=pie mode on all our 32bit platforms
+# (i386 and armhf). For i386 because of LP: #1711052 and for
+# armhf because of LP: #1822738
+ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH_BITS),64)
+BUILDFLAGS+=-buildmode=pie
+endif
+
+# check if we need to include the testkeys in the binary
+ifneq (,$(filter testkeys,$(DEB_BUILD_OPTIONS)))
+# if enabled also enable bootloader assets testing and fault injection
+_SNAP_TAGS:=nomanagers,withtestkeys,faultinject
+else
+_SNAP_TAGS:=nomanagers
+endif
+
+ifeq (${FIPSBUILD},1)
+_SNAP_TAGS:=$(_SNAP_TAGS),goexperiment.opensslcrypto,snapdfips
+endif
+
+SNAP_TAGS=-tags "$(_SNAP_TAGS)"
+
+######## targets start here
+
 %:
 	dh $@
 
+override_dh_auto_build:
+# very ugly test for FIPS variant of a toolchain
+# see https://warthogs.atlassian.net/browse/FR-8860
+ifeq (${FIPSBUILD},1)
+	if ! test -f /usr/lib/go-1.21/src/crypto/internal/backend/openssl_linux.go; then \
+		echo "Go 1.21 FIPS toolchain not found"; \
+		exit 1; \
+	fi
+endif
+# dh-golang sets GO111MODULE=off if present, fix that
+	GO111MODULE=on go build -mod=vendor $(BUILDFLAGS) $(SNAP_TAGS) ./cmd/snap-bootstrap
+
 override_dh_auto_install:
 	rm -rf debian/tmp
 	mkdir debian/tmp
 	cp -ar factory/* debian/tmp
 
-	# splash functionality
+# splash functionality
 	mkdir -p debian/tmp/usr/share/plymouth/themes/
-	cp -a vendor/plymouth-theme-ubuntu-core/ubuntu-core \
+	cp -a plymouth-theme-ubuntu-core/ubuntu-core \
 		debian/tmp/usr/share/plymouth/themes/
 	mkdir -p debian/tmp/usr/share/fonts/
 	cp /usr/share/fonts/truetype/ubuntu/Ubuntu-R.ttf \
@@ -23,24 +63,29 @@ override_dh_auto_install:
 
 override_dh_install:
 	dh_install
-
 ifeq ($(DEB_HOST_ARCH),amd64)
 	mkdir -p debian/ubuntu-core-initramfs/usr/lib/ubuntu-core-initramfs/early/
 	debian/generate-x86-microcode debian/ubuntu-core-initramfs/usr/lib/ubuntu-core-initramfs/early/microcode.cpio
 endif
 
 override_dh_clean:
-	# Include ubuntu-core plymouth theme in sources
-	[ -d vendor/plymouth-theme-ubuntu-core ] || ( mkdir -p vendor; cd vendor; \
-		git clone https://github.com/snapcore/plymouth-theme-ubuntu-core )
 	dh_clean
+	rm -f snap-bootstrap
+
+# to avoid dh-golang breaking the build
+override_dh_auto_test:
+
+# disable dh_dwz (breaks build for go 1.22)
+override_dh_dwz:
 
 override_dh_python3:
 	dh_python3 --no-ext-rename
 
 override_dh_fixperms:
 	dh_fixperms -Xusr/lib/ubuntu-core-initramfs/main
+
 override_dh_makeshlibs:
 	dh_makeshlibs -Xusr/lib/ubuntu-core-initramfs/main
+
 override_dh_shlibdeps:
 	dh_shlibdeps -Xusr/lib/ubuntu-core-initramfs/main

core-initrd/README.md

@@ -0,0 +1,39 @@
+# Initramfs for Ubuntu Core and hybrid systems
+
+This folder contains files that are used to build the initramfs for
+Ubuntu Core 24 / hybrid 24.04 and later versions, and that were
+originally in https://github.com/canonical/core-initrd. This contains
+subfolders, each of them for a currently supported Ubuntu release.
+
+Each subfolder contains the sources for a debian package. The `latest`
+subdir contains the sources for the most recent Ubuntu release. To
+build source packages that can later be built by Launchpad, checkout
+the matching snapd release and run from this folder:
+
+```
+./build-source-pkgs.sh
+```
+
+This will pull the sources to build `snap-bootstrap` from the snapd
+tree and copy duplicated files from the `latest` folder to older
+releases. At this point `dch -i` should be run for each release to
+update version and changelog, and this should be commited to the snapd
+release and master branches. To build the source packages, run
+
+```
+gbp buildpackage -S -sa -d --git-ignore-branch
+```
+
+in each release subfolder. Then it is recommended to compare the
+sources with the previous versions in the snappy-de PPA:
+
+```
+dget https://launchpad.net/~snappy-dev/+archive/ubuntu/image/+sourcefiles/ubuntu-core-initramfs/<old_version>/ubuntu-core-initramfs_<old_version>.dsc
+debdiff ubuntu-core-initramfs_<old_version>.dsc ubuntu-core-initramfs_<new_version>.dsc > diff.txt
+```
+
+And to finally upload with:
+
+```
+dput ppa:snappy-dev/image ubuntu-core-initramfs_<new_version>_source.changes
+```

core-initrd/build-source-pkgs.sh

@@ -1,16 +1,72 @@
 #!/bin/bash -exu
 
+# This scripts cleans-up the core-initrd subfolder and pulls all necessary bits
+# from snapd to create the ubuntu-core-initramfs source package for each
+# supported Ubuntu release. It is meant to be called inside the core-initrd
+# folder.
+
 git clean -ffdx
 
+# The current commit must be in the repo to be able to get the dependencies
+# of snap-bootstrap.
+commit=$(git rev-parse HEAD)
+
+# build info file
+pushd ..
+./mkversion.sh
+popd
+
+contains_element() {
+    local e match="$1"
+    shift
+    for e; do [[ "$e" == "$match" ]] && return 0; done
+    return 1
+}
+
+# Folder for snapd bits, that will be copied to all releases
+mkdir snapd-initramfs
+pushd snapd-initramfs
+## snap-bootstrap
+mkdir cmd
+# go commands do not follow symlinks, copy instead
+cp -a ../../cmd/snap-bootstrap/ cmd/
+cat << EOF > go.mod
+module github.com/snapcore/snap-bootstrap
+
+go 1.18
+
+require	github.com/snapcore/snapd $commit
+EOF
+# solve dependencies
+go mod tidy
+# build vendor folder
+go mod vendor
+
+## info and recovery trigger service
+mkdir snapd
+cp ../../data/info snapd/
+sed 's#@libexecdir@#/usr/lib#' ../../data/systemd/snapd.recovery-chooser-trigger.service.in > \
+    snapd/snapd.recovery-chooser-trigger.service
+popd
+
+# Go through the different supported Ubuntu releases, creating source
+# packages for them.
+no_link=(debian go.mod go.sum cmd snapd vendor)
 for dir in */debian; do
     rel=${dir%/debian}
 
     if [ "$rel" != latest ]; then
-        for f in latest/*; do
-            ln -s "$f" "$rel"/"${f#latest/}"
+        for p in latest/*; do
+            file=${p#latest/}
+            if contains_element "$file" "${no_link[@]}"; then
+                continue
+            fi
+            cp -a "$p" "$rel/"
         done
     fi
+
     pushd "$rel"
+    cp -a ../snapd-initramfs/* .
     dpkg-buildpackage -S -sa -d
     popd
 done

core-initrd/latest/bin/ubuntu-core-initramfs

@@ -735,12 +735,6 @@ def create_initrd(parser, args):
         install_systemd_files(main, rootfs, ubuntu_release)
         # Other miscelanea stuff
         install_misc(main, rootfs, deb_arch)
-        # Copy snapd bits
-        snapd_lib = path_join_make_rel_paths(rootfs, "/usr/lib/snapd")
-        snapd_files = [os.path.join(snapd_lib, "snap-bootstrap"),
-                       os.path.join(snapd_lib, "info"),
-                       "/lib/systemd/system/snapd.recovery-chooser-trigger.service"]
-        install_files(snapd_files, main, rootfs)
         # Copy features
         for feature in args.features:
             # Add feature files

core-initrd/latest/debian/control

@@ -15,11 +15,11 @@ Package: ubuntu-core-initramfs
 Architecture: amd64 arm64 armhf riscv64
 Depends: ${python3:Depends}, ${misc:Depends}, dracut-core (>= 051-1),
          python3:any,
+         golang-go (>=2:1.18~) [!powerpc] | golang-1.18 [!powerpc] | golang-1.21,
          dracut-core,
          busybox-initramfs,
          zstd,
          sbsigntool,
-         snapd (>= 2.50+20.04),
          linux-firmware,
          kcapi-tools (>= 1.4.0-1ubuntu3),
          dbus,

core-initrd/latest/debian/install

@@ -4,3 +4,6 @@ snakeoil/* usr/lib/ubuntu-core-initramfs/snakeoil/
 debian/tmp/* usr/lib/ubuntu-core-initramfs/main
 modules usr/lib/ubuntu-core-initramfs/
 fips usr/lib/ubuntu-core-initramfs/
+snap-bootstrap usr/lib/ubuntu-core-initramfs/main/usr/lib/snapd/
+snapd/info usr/lib/ubuntu-core-initramfs/main/usr/lib/snapd/
+snapd/snapd.recovery-chooser-trigger.service usr/lib/ubuntu-core-initramfs/main/usr/lib/systemd/system/

core-initrd/latest/debian/rules

@@ -1,11 +1,51 @@
 #!/usr/bin/make -f
-export DH_VERBOSE=1
 
 include /usr/share/dpkg/default.mk
 
+export DH_VERBOSE=1
+export DH_OPTIONS
+
+BUILDFLAGS:=
+# disable DWARF generation in go linker
+BUILDFLAGS+=-ldflags=-w
+# Disable -buildmode=pie mode on all our 32bit platforms
+# (i386 and armhf). For i386 because of LP: #1711052 and for
+# armhf because of LP: #1822738
+ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH_BITS),64)
+BUILDFLAGS+=-buildmode=pie
+endif
+
+# check if we need to include the testkeys in the binary
+ifneq (,$(filter testkeys,$(DEB_BUILD_OPTIONS)))
+# if enabled also enable bootloader assets testing and fault injection
+_SNAP_TAGS:=nomanagers,withtestkeys,faultinject
+else
+_SNAP_TAGS:=nomanagers
+endif
+
+ifeq (${FIPSBUILD},1)
+_SNAP_TAGS:=$(_SNAP_TAGS),goexperiment.opensslcrypto,snapdfips
+endif
+
+SNAP_TAGS=-tags "$(_SNAP_TAGS)"
+
+######## targets start here
+
 %:
 	dh $@
 
+override_dh_auto_build:
+# very ugly test for FIPS variant of a toolchain
+# see https://warthogs.atlassian.net/browse/FR-8860
+ifeq (${FIPSBUILD},1)
+	if ! test -f /usr/lib/go-1.21/src/crypto/internal/backend/openssl_linux.go; then \
+		echo "Go 1.21 FIPS toolchain not found"; \
+		exit 1; \
+	fi
+endif
+# dh-golang sets GO111MODULE=off if present, fix that
+	GO111MODULE=on go build -mod=vendor $(BUILDFLAGS) $(SNAP_TAGS) ./cmd/snap-bootstrap
+
 override_dh_auto_install:
 	rm -rf debian/tmp
 	mkdir debian/tmp
@@ -23,14 +63,20 @@ override_dh_auto_install:
 
 override_dh_install:
 	dh_install
-
 ifeq ($(DEB_HOST_ARCH),amd64)
 	mkdir -p debian/ubuntu-core-initramfs/usr/lib/ubuntu-core-initramfs/early/
 	debian/generate-x86-microcode debian/ubuntu-core-initramfs/usr/lib/ubuntu-core-initramfs/early/microcode.cpio
 endif
 
 override_dh_clean:
 	dh_clean
+	rm -f snap-bootstrap
+
+# to avoid dh-golang breaking the build
+override_dh_auto_test:
+
+# disable dh_dwz (breaks build for go 1.22)
+override_dh_dwz:
 
 override_dh_python3:
 	dh_python3 --no-ext-rename