src/create_disk.sh

#!/bin/bash
set -euo pipefail

# This script is run in supermin to create a Fedora CoreOS style
# disk image, very much in the spirit of the original
# Container Linux (orig CoreOS) disk layout, although adapted
# for OSTree, and using XFS for /, among other things.
# Some more background in https://github.com/coreos/fedora-coreos-tracker/issues/18
# The layout is intentionally not very configurable at this time,
# although see also https://github.com/coreos/coreos-assembler/pull/298
# For people building "derived"/custom FCOS-like systems, feel free to file
# an issue and we can discuss configuration needs.

# This fixed UUID is detected in ignition-dracut and changed
# on firstboot:
# https://github.com/coreos/ignition-dracut/blob/6136be3d9d38d7926a61cd4d1b4ba5f9baf0892f/dracut/30ignition/coreos-gpt-setup.sh#L7
uninitialized_gpt_uuid="00000000-0000-4000-a000-000000000001"
# These UUIDs should be changed by code in fedora-coreos-config on firstboot, see
# https://github.com/coreos/fedora-coreos-tracker/issues/465
bootfs_uuid="96d15588-3596-4b3c-adca-a2ff7279ea63"
rootfs_uuid="910678ff-f77e-4a7d-8d53-86f2ac47a823"
deploy_root=

usage() {
    cat <<EOC
${0} creates a supermin virtual machine to create a
Fedora CoreOS style disk image from an OSTree.

Options:
    --config: JSON-formatted image.yaml
    --help: show this help
    --platform: Ignition platform ID
    --platforms-json: platforms.yaml in JSON format
    --no-x86-bios-bootloader: don't install BIOS bootloader on x86_64
    --with-secure-execution:  enable IBM SecureExecution

You probably don't want to run this script by hand. This script is
run as part of 'coreos-assembler build'.
EOC
}

config=
disk=
platform=metal
platforms_json=
secure_execution=0
ignition_pubkey=
x86_bios_bootloader=1

while [ $# -gt 0 ];
do
    flag="${1}"; shift;
    case "${flag}" in
        --config)                   config="${1}"; shift;;
        --help)                     usage; exit;;
        --no-x86-bios-bootloader)   x86_bios_bootloader=0;;
        --platform)                 platform="${1}"; shift;;
        --platforms-json)           platforms_json="${1}"; shift;;
        --with-secure-execution)    secure_execution=1;;
        --write-ignition-pubkey-to) ignition_pubkey="${1}"; shift;;
         *) echo "${flag} is not understood."; usage; exit 10;;
     esac;
done

udevtrig() {
    udevadm trigger
    udevadm settle
}

export PATH=$PATH:/sbin:/usr/sbin
arch="$(uname -m)"

if [ -z "$platforms_json" ]; then
    echo "Missing --platforms-json" >&2
    exit 1
fi
# just copy it over to /tmp and work from there to minimize virtiofs I/O
cp "${platforms_json}" /tmp/platforms.json
platforms_json=/tmp/platforms.json
platform_grub_cmds=$(jq -r ".${arch}.${platform}.grub_commands // [] | join(\"\\\\n\")" < "${platforms_json}")
platform_kargs=$(jq -r ".${arch}.${platform}.kernel_arguments // [] | join(\" \")" < "${platforms_json}")

disk=$(realpath /dev/disk/by-id/virtio-target)

config="${config:?--config must be defined}"

# https://github.com/coreos/coreos-assembler/pull/2480
dump_err_info () {
    lsblk -f || true
}
trap dump_err_info ERR

# Parse the passed config JSON and extract a mandatory value
getconfig() {
    k=$1
    jq -re .\""$k"\" < "${config}"
}
# Return a configuration value, or default if not set
getconfig_def() {
    k=$1
    shift
    default=$1
    shift
    jq -re .\""$k"\"//\""${default}"\" < "${config}"
}

rootfs_type=$(getconfig rootfs)
case "${rootfs_type}" in
    xfs|ext4verity|btrfs) ;;
    *) echo "Invalid rootfs type: ${rootfs_type}" 1>&2; exit 1;;
esac
rootfs_args=$(getconfig_def "rootfs-args" "")

bootfs=$(getconfig "bootfs")
composefs=$(getconfig_def "composefs" "")
grub_script=$(getconfig "grub-script")
ostree_container=$(getconfig "ostree-container")
ostree_container_spec="ostree-unverified-image:oci-archive:${ostree_container}"
commit=$(getconfig "ostree-commit")
ref=$(getconfig "ostree-ref")
# We support not setting a remote name (used by RHCOS)
remote_name=$(getconfig_def "ostree-remote" "")
deploy_via_container=$(getconfig "deploy-via-container" "")
container_imgref=$(getconfig "container-imgref" "")
os_name=$(getconfig "osname")
buildid=$(getconfig "buildid")
imgid=$(getconfig "imgid")
extra_kargs=$(getconfig "extra-kargs-string" "")

# populate remaining kargs
extra_kargs+=" ignition.platform.id=${platform}"
if [ -n "${platform_kargs}" ]; then
    extra_kargs+=" ${platform_kargs}"
fi

set -x

# Partition and create fs's. The 0...4...a...1 uuid is a sentinal used by coreos-gpt-setup
# in ignition-dracut. It signals that the disk needs to have it's uuid randomized and the
# backup header moved to the end of the disk.
# Pin /se, /boot and / to the partition number 1, 3 and 4 respectively. Also insert reserved
# partitions on aarch64/ppc64le to keep the 1,2,3,4 partition numbers aligned across
# x86_64/aarch64/ppc64le. We decided not to try to achieve partition parity on s390x
# because a bare metal install onto an s390x DASD translates the GPT to DASD partitions
# and we only get three of those. https://github.com/coreos/fedora-coreos-tracker/issues/855
BOOTPN=3
ROOTPN=4
if [[ ${secure_execution} -eq 1 ]]; then
    SDPART=1
    BOOTVERITYHASHPN=5
    ROOTVERITYHASHPN=6
    extra_kargs="${extra_kargs} swiotlb=262144"
fi
# shellcheck disable=SC2031
case "$arch" in
    x86_64)
        EFIPN=2
        sgdisk -Z "$disk" \
        -U "${uninitialized_gpt_uuid}" \
        -n 1:0:+1M -c 1:BIOS-BOOT -t 1:21686148-6449-6E6F-744E-656564454649 \
        -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
        -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
        -n ${ROOTPN}:0:0 -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
        ;;
    aarch64)
        RESERVEDPN=1
        EFIPN=2
        sgdisk -Z "$disk" \
        -U "${uninitialized_gpt_uuid}" \
        -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \
        -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
        -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
        -n ${ROOTPN}:0:0 -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
        ;;
    s390x)
        sgdisk_args=()
        rootp_end=0
        if [[ ${secure_execution} -eq 1 ]]; then
            # shellcheck disable=SC2206
            sgdisk_args+=(-n ${SDPART}:0:+200M -c ${SDPART}:se -t ${SDPART}:0FC63DAF-8483-4772-8E79-3D69D8477DE4)
            # we need to leave space for the verity hash partitions (and add 1MB otherwise sgdisk can't fit them for some reason)
            rootp_end=-$((128+256+1))M
        fi

        # shellcheck disable=SC2206
        sgdisk_args+=(-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
                      -n ${ROOTPN}:0:${rootp_end} -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4)
        if [[ ${secure_execution} -eq 1 ]]; then
            # note these length values are hardcoded in both rootp_end above and in `cmd-buildextend-metal`
            # shellcheck disable=SC2206
            sgdisk_args+=(-n ${BOOTVERITYHASHPN}:0:+128M -c ${BOOTVERITYHASHPN}:boothash \
                          -n ${ROOTVERITYHASHPN}:0:+256M -c ${ROOTVERITYHASHPN}:roothash)
        fi
        # NB: in the bare metal case when targeting ECKD DASD disks, this
        # partition table is not what actually gets written to disk in the end:
        # coreos-installer has code which transforms it into a DASD-compatible
        # partition table and copies each partition individually bitwise.
        sgdisk -Z "$disk" -U "${uninitialized_gpt_uuid}" "${sgdisk_args[@]}"
        ;;
    ppc64le)
        PREPPN=1
        RESERVEDPN=2
        # ppc64le doesn't use special uuid for root partition
        sgdisk -Z "$disk" \
        -U "${uninitialized_gpt_uuid}" \
        -n ${PREPPN}:0:+4M -c ${PREPPN}:PowerPC-PReP-boot -t ${PREPPN}:9E1A2D38-C612-4316-AA26-8B49521E5A8B \
        -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \
        -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
        -n ${ROOTPN}:0:0 -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
        ;;
esac

sgdisk -p "$disk"
udevtrig

boot_dev="${disk}${BOOTPN}"
root_dev="${disk}${ROOTPN}"

bootargs=
# Detect if the target system supports orphan_file.
# https://github.com/coreos/coreos-assembler/pull/3653#issuecomment-1813181723
# Ideally, we'd do feature detection here but there's no clean way to do that.
# So just use version comparisons. (But ideally ideally, we use the mkfs.*
# binaries from the target system, not cosa.)
e2fsprogs_version=$(jq -r '.["rpmostree.rpmdb.pkglist"][] | select(.[0] == "e2fsprogs") | .[2]' \
                        "builds/${buildid}/${arch}/commitmeta.json")
if [ "${e2fsprogs_version}" != "1.47.0" ] && \
        [ "$(echo -e "${e2fsprogs_version}\n1.47.0" | sort -V | tail -n1)" = "1.47.0" ]; then
    # target system has e2fsprogs older than 1.47.0; it won't support
    # orphan_file so make sure we opt out of it
    bootargs+=" -O ^orphan_file"
fi

case "${bootfs}" in
    ext4verity)
        # Need blocks to match host page size; TODO
        # really mkfs.ext4 should know this.
        bootargs+=" -b $(getconf PAGE_SIZE) -O verity"
        ;;
    ext4) ;;
    *) echo "Unhandled bootfs: ${bootfs}" 1>&2; exit 1 ;;
esac

if [[ ${secure_execution} -eq 1 ]]; then
    # Unencrypted partition for sd-boot
    # shellcheck disable=SC2086
    mkfs.ext4 ${bootargs} "${disk}${SDPART}" -L se -U random
fi

# shellcheck disable=SC2086
mkfs.ext4 ${bootargs} "${boot_dev}" -L boot -U "${bootfs_uuid}"
udevtrig

if [ ${EFIPN:+x} ]; then
       mkfs.fat "${disk}${EFIPN}" -n EFI-SYSTEM
       # BIOS boot partition has no FS; it's for BIOS GRUB
       # partition $PREPPN has no FS; it's for PowerPC PReP Boot
fi
case "${rootfs_type}" in
    ext4verity)
        # As of today, xfs doesn't support verity, so we have a choice of fs-verity or reflinks.
        # Now, fs-verity doesn't in practice gain us a huge amount of security because
        # there are other "persistence vectors".  See
        # https://blog.verbum.org/2017/06/12/on-dm-verity-and-operating-systems/
        # https://github.com/coreos/rpm-ostree/issues/702
        # And reflinks are *very* useful for the container stack with overlayfs (and in general).
        # So basically, we're choosing performance over half-implemented security.
        # Eventually, we'd like both - once XFS gains verity (probably not too hard),
        # we could unconditionally enable it there.
        # shellcheck disable=SC2086
        mkfs.ext4 -b "$(getconf PAGE_SIZE)" -O verity -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
        ;;
    btrfs)
        # shellcheck disable=SC2086
        mkfs.btrfs -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
        ;;
    xfs|"")
        # shellcheck disable=SC2086
        mkfs.xfs "${root_dev}" -L root -m reflink=1 -m uuid="${rootfs_uuid}" ${rootfs_args}
        ;;
    *)
        echo "Unknown rootfs_type: $rootfs_type" 1>&2
        exit 1
        ;;
esac
udevtrig

# since we normally run in supermin container and we need
# support parallel runs, use /tmp
rootfs=/tmp/rootfs

# mount the partitions
rm -rf ${rootfs}
mkdir -p ${rootfs}
mount -o discard "${root_dev}" ${rootfs}
chcon "$(matchpathcon -n /)" ${rootfs}
mkdir ${rootfs}/boot
chcon "$(matchpathcon -n /boot)" $rootfs/boot
mount "${boot_dev}" $rootfs/boot
chcon "$(matchpathcon -n /boot)" $rootfs/boot
# FAT doesn't support SELinux labeling, it uses "genfscon", so we
# don't need to give it a label manually.
if [ ${EFIPN:+x} ]; then
    mkdir ${rootfs}/boot/efi
    mount "${disk}${EFIPN}" $rootfs/boot/efi
fi
if [[ ${secure_execution} -eq 1 ]]; then
    mkdir ${rootfs}/se
    chcon "$(matchpathcon -n /boot)" $rootfs/se
fi

# Now that we have the basic disk layout, initialize the basic
# OSTree layout, load in the ostree commit and deploy it.
ostree admin init-fs --modern $rootfs
# May be overridden below (e.g. s390x)
ostree config --repo $rootfs/ostree/repo set sysroot.bootloader none
# Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA
# https://github.com/ostreedev/ostree/issues/1265
ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
if test -n "${composefs}"; then
    ostree config --repo $rootfs/ostree/repo set ex-integrity.composefs true
fi
# Initialize the "stateroot"
ostree admin os-init "$os_name" --sysroot $rootfs

# Propagate flags into target repository
if [ "${rootfs_type}" = "ext4verity" ] && [ -z "${composefs}" ]; then
    ostree config --repo=$rootfs/ostree/repo set ex-fsverity.required 'true'
fi

# Compute kargs
allkargs="$extra_kargs"
# shellcheck disable=SC2031
if [ "$arch" != s390x ]; then
    # Note that $ignition_firstboot is interpreted by grub at boot time,
    # *not* the shell here.  Hence the backslash escape.
    allkargs+=" \$ignition_firstboot"
fi

if test -n "${deploy_via_container}"; then
    kargsargs=""
    for karg in $allkargs
    do
        kargsargs+="--karg=$karg "
    done
    # shellcheck disable=SC2086
    ostree container image deploy --imgref "${ostree_container_spec}" \
        ${container_imgref:+--target-imgref $container_imgref} \
        --write-commitid-to /tmp/commit.txt \
        --stateroot "$os_name" --sysroot $rootfs $kargsargs
    deploy_commit=$(cat /tmp/commit.txt)
    rm /tmp/commit.txt
else
    # Pull the container image...
    time ostree container image pull $rootfs/ostree/repo "${ostree_container_spec}"
    # But we default to not leaving a ref for the image around, so the
    # layers will get GC'd on the first update if the
    # user doesn't switch to a container image.
    ostree --repo=$rootfs/ostree/repo refs --delete ostree/container/image
    ostree --repo=$rootfs/ostree/repo prune --refs-only --depth=0
    # Deploy it, using an optional remote prefix
    if test -n "${remote_name}"; then
        deploy_ref="${remote_name}:${ref}"
        ostree refs --repo $rootfs/ostree/repo --create "${deploy_ref}" "${commit}"
    else
        deploy_ref=$commit
    fi
    kargsargs=""
    for karg in $allkargs
    do
        kargsargs+="--karg-append=$karg "
    done
    # shellcheck disable=SC2086
    ostree admin deploy "${deploy_ref}" --sysroot $rootfs --os "$os_name" $kargsargs
    deploy_commit=$commit
fi
# Sanity check
deploy_root="$rootfs/ostree/deploy/${os_name}/deploy/${deploy_commit}.0"
test -d "${deploy_root}" || (echo "failed to find $deploy_root"; exit 1)

# This will allow us to track the version that an install
# originally used; if we later need to understand something
# like "exactly what mkfs.xfs version was used" we can do
# that via looking at the upstream build and finding the
# build logs for it, getting the coreos-assembler version,
# and getting the `rpm -qa` from that.
#
# build:         The coreos-assembler build ID; today we support
#                having the same ostree commit in different image builds.
# ref:           The ostree ref used; useful for cross-checking.
# ostree-commit: Similar to `ref`; one can derive this from looking
#                at the coreos-assembler builds, but it's very
#                convenient to have here as a strong cross-reference.
# imgid:         The full image name, the same as will end up in the
#                `images` dict in `meta.json`.
cat > $rootfs/.coreos-aleph-version.json << EOF
{
	"build": "${buildid}",
	"ref": "${ref}",
	"ostree-commit": "${commit}",
	"imgid": "${imgid}"
}
EOF

install_uefi() {
    # https://github.com/coreos/fedora-coreos-tracker/issues/510
    # See also https://github.com/ostreedev/ostree/pull/1873#issuecomment-524439883
    chroot_run bootupctl backend install --src-root="/" "/sysroot"
    # We have a "static" grub config file that basically configures grub to look
    # in the RAID called "md-boot", if it exists, or the partition labeled "boot".
    local target_efi="$rootfs/boot/efi"
    local grubefi
    grubefi=$(find "${target_efi}/EFI/" -maxdepth 1 -type d | grep -v BOOT)
    local vendor_id="${grubefi##*/}"
    local vendordir="${target_efi}/EFI/${vendor_id}"
    mkdir -p "${vendordir}"
    cat > "${vendordir}/grub.cfg" << 'EOF'
if [ -e (md/md-boot) ]; then
  # The search command might pick a RAID component rather than the RAID,
  # since the /boot RAID currently uses superblock 1.0.  See the comment in
  # the main grub.cfg.
  set prefix=md/md-boot
else
  if [ -f ${config_directory}/bootuuid.cfg ]; then
    source ${config_directory}/bootuuid.cfg
  fi
  if [ -n "${BOOT_UUID}" ]; then
    search --fs-uuid "${BOOT_UUID}" --set prefix --no-floppy
  else
    search --label boot --set prefix --no-floppy
  fi
fi
set prefix=($prefix)/grub2
configfile $prefix/grub.cfg
boot
EOF
    install_grub_cfg
}

# copy the grub config and any other files we might need
install_grub_cfg() {
    # 0700 to match the RPM permissions which I think are mainly in case someone has
    # manually set a grub password
    mkdir -p $rootfs/boot/grub2
    chmod 0700 $rootfs/boot/grub2
    printf "%s\n" "$grub_script" | \
        sed -E 's@(^# CONSOLE-SETTINGS-START$)@\1'"${platform_grub_cmds:+\\n${platform_grub_cmds}}"'@' \
        > $rootfs/boot/grub2/grub.cfg
    # Copy platforms table if it's non-empty for this arch
    # shellcheck disable=SC2031
    if jq -e ".$arch" < "$platforms_json" > /dev/null; then
        mkdir -p "$rootfs/boot/coreos"
        jq ".$arch" < "$platforms_json" > "$rootfs/boot/coreos/platforms.json"
    fi
}

# For some commands, we need to make sure to use the binary and userspace of the
# target system. XXX: Switch to bwrap.
chroot_run() {
    for mnt in dev proc sys run var tmp; do
        mount --rbind "/$mnt" "${deploy_root}/$mnt"
    done
    mount --rbind "${rootfs}" "${deploy_root}/sysroot"
    chroot "${deploy_root}" "$@"
    umount --recursive "${deploy_root}/sysroot"
    for mnt in dev proc sys run var tmp; do
        umount --recursive "${deploy_root}/$mnt"
    done
}

generate_gpgkeys() {
    local pkey
    pkey="${1}"
    local tmp_home
    tmp_home=$(mktemp -d /tmp/gpg-XXXXXX)
    gpg --homedir "${tmp_home}" --batch --passphrase '' --yes --quick-gen-key "Secure Execution (secex) $buildid" rsa4096 encr none
    gpg --homedir "${tmp_home}" --armor --export secex > "${ignition_pubkey}"
    gpg --homedir "${tmp_home}" --armor --export-secret-key secex > "${pkey}"
    rm -rf "${tmp_home}"
}

# Other arch-specific bootloader changes
# shellcheck disable=SC2031
case "$arch" in
x86_64)
    # UEFI
    install_uefi
    if [ "${x86_bios_bootloader}" = 1 ]; then
        # And BIOS grub in addition.  See also
        # https://github.com/coreos/fedora-coreos-tracker/issues/32
        # Install BIOS/PReP bootloader using the target system's grub2-install,
        # see https://github.com/coreos/coreos-assembler/issues/3156
        chroot_run /sbin/grub2-install \
            --target i386-pc \
            --boot-directory $rootfs/boot \
            --modules mdraid1x \
            "$disk"
    fi
    ;;
aarch64)
    # Our aarch64 is UEFI only.
    install_uefi
    ;;
ppc64le)
    # to populate PReP Boot, i.e. support pseries
    chroot_run /sbin/grub2-install --target=powerpc-ieee1275 --boot-directory $rootfs/boot --no-nvram "${disk}${PREPPN}"
    install_grub_cfg
    ;;
s390x)
    ostree config --repo $rootfs/ostree/repo set sysroot.bootloader zipl
    rdcore_zipl_args=("--boot-mount=$rootfs/boot" "--append-karg=ignition.firstboot")
    # in the secex case, we run zipl at the end; in the non-secex case, we need
    # to run it now because zipl wants rw access to the bootfs
    if [[ ${secure_execution} -ne 1 ]]; then
        # in case builder itself runs with SecureExecution
        rdcore_zipl_args+=("--secex-mode=disable")
        chroot_run /usr/lib/dracut/modules.d/50rdcore/rdcore zipl "${rdcore_zipl_args[@]}"
    fi
    ;;
esac

# enable support for GRUB password
# shellcheck disable=SC2031
if [ "$arch" != s390x ]; then
    ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""'
fi

# For local secex build we create an empty file and later mount-bind real private key to it,
# so rdcore could append it to initrd. Best approach is to teach rdcore how to append file
# with different source and dest- paths.
if [[ ${secure_execution} -eq 1 ]] && [[ ! -e /dev/disk/by-id/virtio-genprotimg ]]; then
    touch "${deploy_root}/usr/lib/coreos/ignition.asc"
fi
touch $rootfs/boot/ignition.firstboot

fstrim -a -v
# Ensure the filesystem journals are flushed
for fs in $rootfs/boot $rootfs; do
    mount -o remount,ro "$fs"
    fsfreeze -f "$fs"
    fsfreeze -u "$fs"
done

umount -R $rootfs

create_dmverity() {
    local partlabel=$1; shift
    local mountpoint=$1; shift
    local datapart="/dev/disk/by-partlabel/${partlabel}"
    local hashpart="/dev/disk/by-partlabel/${partlabel}hash"
    # We have to use 512 here to match the filesystem sector size. It's less
    # efficient, but meh, it's for first boot only. Alternatively we could
    # change the filesystem sector size higher up.
    veritysetup format "${datapart}" "${hashpart}" \
        --root-hash-file "/tmp/${partlabel}-roothash" \
        --data-block-size 512
    veritysetup open "${datapart}" "${partlabel}" "${hashpart}" \
        --root-hash-file "/tmp/${partlabel}-roothash"
    mount -o ro "/dev/mapper/${partlabel}" "${mountpoint}"
}

# Save genprotimg input for later and don't run zipl here
rdcore_replacement() {
    local se_kargs_append se_initrd se_kernel se_parmfile
    local blsfile kernel initrd
    local se_script_dir se_tmp_disk se_tmp_mount se_tmp_boot

    se_kargs_append=("ignition.firstboot")
    while [ $# -gt 0 ]; do
        se_kargs_append+=("$1")
        shift
    done

    se_script_dir="/usr/lib/coreos-assembler/secex-genprotimgvm-scripts"
    se_tmp_disk=$(realpath /dev/disk/by-id/virtio-genprotimg)
    se_tmp_mount=$(mktemp -d /tmp/genprotimg-XXXXXX)
    se_tmp_boot="${se_tmp_mount}/genprotimg"
    mount "${se_tmp_disk}" "${se_tmp_mount}"
    mkdir "${se_tmp_boot}"

    se_initrd="${se_tmp_boot}/initrd.img"
    se_kernel="${se_tmp_boot}/vmlinuz"
    se_parmfile="${se_tmp_boot}/parmfile"

    # Ignition GPG private key
    mkdir -p "${se_tmp_boot}/usr/lib/coreos"
    generate_gpgkeys "${se_tmp_boot}/usr/lib/coreos/ignition.asc"

    blsfile=$(find "${rootfs}"/boot/loader/entries/*.conf)
    echo "$(grep options "${blsfile}" | cut -d' ' -f2-)" "${se_kargs_append[@]}" > "${se_parmfile}"
    kernel="${rootfs}/boot/$(grep linux "${blsfile}" | cut -d' ' -f2)"
    initrd="${rootfs}/boot/$(grep initrd "${blsfile}" | cut -d' ' -f2)"
    cp "${kernel}" "${se_kernel}"
    cp "${initrd}" "${se_initrd}"

    # genprotimg and zipl will be done outside this script
    # copy scripts for that step to the tmp disk
    cp "${se_script_dir}/genprotimg-script.sh" "${se_script_dir}/post-script.sh" "${se_tmp_mount}/"

    umount "${se_tmp_mount}"
    rmdir "${se_tmp_mount}"
}

if [[ ${secure_execution} -eq 1 ]]; then
    # set up dm-verity for the rootfs and bootfs
    create_dmverity root $rootfs
    create_dmverity boot $rootfs/boot
    # We need to run the genprotimg step in a separate step for rhcos release images
    if [ ! -e /dev/disk/by-id/virtio-genprotimg ]; then
        echo "Building local Secure Execution Image, running zipl and genprotimg"
        generate_gpgkeys "/tmp/ignition.asc"
        mount --rbind "/tmp/ignition.asc" "${deploy_root}/usr/lib/coreos/ignition.asc"
        # run zipl with root hashes as kargs
        rdcore_zipl_args+=("--secex-mode=enforce" "--hostkey=/dev/disk/by-id/virtio-hostkey")
        rdcore_zipl_args+=("--append-karg=rootfs.roothash=$(cat /tmp/root-roothash)")
        rdcore_zipl_args+=("--append-karg=bootfs.roothash=$(cat /tmp/boot-roothash)")
        rdcore_zipl_args+=("--append-file=/usr/lib/coreos/ignition.asc")
        chroot_run /usr/lib/dracut/modules.d/50rdcore/rdcore zipl "${rdcore_zipl_args[@]}"
    else
        echo "Building release Secure Execution Image, zipl and genprotimg will be run later"
        rdcore_replacement "rootfs.roothash=$(cat /tmp/root-roothash)" "bootfs.roothash=$(cat /tmp/boot-roothash)"
    fi

    # unmount and close everything
    umount -R $rootfs
    veritysetup close boot
    veritysetup close root
fi

rmdir $rootfs