sprout: version 0.0.22

.github/workflows/ci-actions.yml

@@ -1,10 +1,12 @@
 name: zizmor
 
 on:
-  push:
-    branches: ["main"]
   pull_request:
-    branches: ["**"]
+    branches:
+    - main
+  push:
+    branches:
+    - main
 
 permissions:
   contents: read # Needed to checkout the repository.

.github/workflows/codeql.yml

@@ -1,10 +1,12 @@
 name: codeql
 
 on:
-  push:
-    branches: [ "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches:
+    - main
+  push:
+    branches:
+    - main
   schedule:
   - cron: '33 16 * * 0'
 

.github/workflows/publish.yml

@@ -1,19 +1,12 @@
 name: publish
 
 on:
-  push:
-    branches:
-    - main
-
   pull_request:
     branches:
     - main
-    paths:
+  push:
-    - bin/**
+    branches:
-    - src/**
+    - main
-    - Cargo.*
-    - rust-toolchain.toml
-    - .github/workflows/publish.yaml
 
 permissions:
   contents: read # Needed to checkout the repository.

Cargo.lock

@@ -66,7 +66,7 @@ dependencies = [
 
 [[package]]
 name = "edera-sprout"
-version = "0.0.21"
+version = "0.0.22"
 dependencies = [
  "anyhow",
  "bitflags",
@@ -83,7 +83,7 @@ dependencies = [
 
 [[package]]
 name = "edera-sprout-config"
-version = "0.0.21"
+version = "0.0.22"
 dependencies = [
  "serde",
 ]

Cargo.toml

@@ -7,7 +7,7 @@ resolver = "3"
 
 [workspace.package]
 license = "Apache-2.0"
-version = "0.0.21"
+version = "0.0.22"
 homepage = "https://sprout.edera.dev"
 repository = "https://github.com/edera-dev/sprout"
 edition = "2024"

Dockerfile

@@ -2,7 +2,7 @@
 ARG RUST_PROFILE=release
 ARG RUST_TARGET_SUBDIR=release
 
-FROM --platform=$BUILDPLATFORM rustlang/rust:nightly-alpine@sha256:34532121803db17008af0cdc4e2e1210466cb257cc9d3840dac42d706640fee5 AS build
+FROM --platform=$BUILDPLATFORM rust:1.91.0-alpine@sha256:a3e3d30122c08c0ed85dcd8867d956f066be23c32ed67a0453bc04ce478ad69b AS build
 RUN apk --no-cache add musl-dev busybox-static
 ARG RUST_PROFILE
 RUN adduser -S -s /bin/sh build

README.md

@@ -49,6 +49,7 @@ We recommend running Sprout without Secure Boot for development, and with Secure
 |------------------|---------------------|-------------------------------------------------------|
 | Ubuntu           | ✅                   | [Setup Guide](./docs/setup/signed/ubuntu.md)          |
 | Debian           | ✅                   | [Setup Guide](./docs/setup/signed/debian.md)          |
+| openSUSE         | ✅                   | [Setup Guide](./docs/setup/signed/opensuse.md)        |
 | Fedora           | ❌                   | [Setup Guide](./docs/setup/unsigned/fedora.md)        |
 | Alpine Edge      | ❌                   | [Setup Guide](./docs/setup/unsigned/alpine-edge.md)   |
 | Generic Linux    | ❌                   | [Setup Guide](./docs/setup/unsigned/generic-linux.md) |

crates/sprout/Cargo.toml

@@ -20,7 +20,7 @@ log.workspace = true
 
 [dependencies.uefi]
 workspace = true
-features = ["alloc", "global_allocator", "logger", "panic_handler"]
+features = ["alloc", "global_allocator", "panic_handler"]
 
 [dependencies.uefi-raw]
 workspace = true

crates/sprout/src/logger.rs

@@ -0,0 +1,94 @@
+//! Based on: https://github.com/rust-osdev/uefi-rs/blob/main/uefi/src/helpers/logger.rs
+
+use alloc::format;
+use core::fmt::Write;
+use core::ptr;
+use core::sync::atomic::{AtomicPtr, Ordering};
+use log::{Log, Record};
+use uefi::proto::console::text::Output;
+
+/// The global logger object.
+static LOGGER: Logger = Logger::new();
+
+/// Logging mechanism for Sprout.
+/// Must be initialized to be used, as we use atomic pointers to store the output to write to.
+pub struct Logger {
+    writer: AtomicPtr<Output>,
+}
+
+impl Default for Logger {
+    /// Creates a default logger, which is uninitialized with an output.
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl Logger {
+    /// Create a new logger with an output not specified.
+    /// This will cause the logger to not print anything until it is configured.
+    pub const fn new() -> Self {
+        Self {
+            writer: AtomicPtr::new(ptr::null_mut()),
+        }
+    }
+
+    /// Retrieves the pointer to the output.
+    /// SAFETY: This pointer might be null, it should be checked before use.
+    #[must_use]
+    fn output(&self) -> *mut Output {
+        self.writer.load(Ordering::Acquire)
+    }
+
+    /// Sets the output to write to.
+    ///
+    /// # Safety
+    /// This function is unsafe because the output is technically leaked and unmanaged.
+    pub unsafe fn set_output(&self, output: *mut Output) {
+        self.writer.store(output, Ordering::Release);
+    }
+}
+
+impl Log for Logger {
+    /// Enable the logger always.
+    fn enabled(&self, _metadata: &log::Metadata<'_>) -> bool {
+        true
+    }
+
+    /// Log the specified `record` to the output if one is set.
+    fn log(&self, record: &Record) {
+        // Acquire the output. If one is not set, we do nothing.
+        let Some(output) = (unsafe { self.output().as_mut() }) else {
+            return;
+        };
+
+        // Format the log message.
+        let message = format!("{}", record.args());
+
+        // Iterate over every line, formatting the message and writing it to the output.
+        for line in message.lines() {
+            // The format writes the log level in front of every line of text.
+            let _ = writeln!(output, "[{:>5}] {}", record.level(), line);
+        }
+    }
+
+    /// This log is not buffered, so flushing isn't required.
+    fn flush(&self) {}
+}
+
+/// Initialize the logging environment, calling panic if something goes wrong.
+pub fn init() {
+    // Retrieve the stdout handle and set it as the output for the global logger.
+    uefi::system::with_stdout(|stdout| unsafe {
+        // SAFETY: We are using the stdout handle to create a pointer to the output.
+        // The handle is global and is guaranteed to be valid for the lifetime of the program.
+        LOGGER.set_output(stdout);
+    });
+
+    // Set the logger to the global logger.
+    if let Err(error) = log::set_logger(&LOGGER) {
+        panic!("unable to set logger: {}", error);
+    }
+
+    // Set the max level to the level specified by the log features.
+    log::set_max_level(log::STATIC_MAX_LEVEL);
+}

crates/sprout/src/main.rs

@@ -51,18 +51,24 @@ pub mod extractors;
 /// generators: Runtime code that can generate entries with specific values.
 pub mod generators;
 
-/// platform: Integration or support code for specific hardware platforms.
+/// integrations: Code that interacts with other systems.
-pub mod platform;
+pub mod integrations;
+
+/// logger: Code for the logging mechanism of Sprout.
+pub mod logger;
 
 /// menu: Display a boot menu to select an entry to boot.
 pub mod menu;
 
-/// integrations: Code that interacts with other systems.
+/// options: Parse the options of the Sprout executable.
-pub mod integrations;
+pub mod options;
 
 /// phases: Hooks into specific parts of the boot process.
 pub mod phases;
 
+/// platform: Integration or support code for specific hardware platforms.
+pub mod platform;
+
 /// sbat: Secure Boot Attestation section.
 pub mod sbat;
 
@@ -72,9 +78,6 @@ pub mod secure;
 /// setup: Code that initializes the UEFI environment for Sprout.
 pub mod setup;
 
-/// options: Parse the options of the Sprout executable.
-pub mod options;
-
 /// utils: Utility functions that are used by other parts of Sprout.
 pub mod utils;
 
@@ -385,6 +388,9 @@ fn run() -> Result<()> {
 fn efi_main() -> Status {
     // Initialize the basic UEFI environment.
     // If initialization fails, we will return ABORTED.
+    // NOTE: This function will also initialize the logger.
+    // The logger will panic if it is unable to initialize.
+    // It is guaranteed that if this returns, the logger is initialized.
     if let Err(error) = setup::init() {
         error!("unable to initialize environment: {}", error);
         return Status::ABORTED;
@@ -394,7 +400,7 @@ fn efi_main() -> Status {
     let result = run();
     if let Err(ref error) = result {
         // Print an error trace.
-        error!("sprout encountered an error");
+        error!("sprout encountered an error:");
         for (index, stack) in error.chain().enumerate() {
             error!("[{}]: {}", index, stack);
         }

crates/sprout/src/menu.rs

@@ -66,6 +66,7 @@ fn read(input: &mut Input, timeout: &Duration) -> Result<MenuOperation> {
 
     // Close the timer event that we acquired.
     // We don't need to close the key event because it is owned globally.
+    // This should always be called in practice as events are not modified by wait_for_event.
     if let Some(timer_event) = events.into_iter().next() {
         // Store the result of the close event so we can determine if we can safely assert it.
         let close_event_result =

crates/sprout/src/platform/timer.rs

@@ -17,7 +17,7 @@ pub enum TickFrequency {
     /// The platform provides the tick frequency.
     Hardware(u64),
     /// The tick frequency is measured internally.
-    Measured(u64, Duration),
+    Measured(u64),
 }
 
 impl TickFrequency {
@@ -25,7 +25,7 @@ impl TickFrequency {
     fn ticks(&self) -> u64 {
         match self {
             TickFrequency::Hardware(frequency) => *frequency,
-            TickFrequency::Measured(frequency, _) => *frequency,
+            TickFrequency::Measured(frequency) => *frequency,
         }
     }
 

crates/sprout/src/platform/timer/aarch64.rs

@@ -10,16 +10,6 @@ pub fn ticks() -> u64 {
     counter
 }
 
-/// We can use the actual ticks value as our start value.
-pub fn start() -> u64 {
-    ticks()
-}
-
-/// We can use the actual ticks value as our stop value.
-pub fn stop() -> u64 {
-    ticks()
-}
-
 /// Our frequency is provided by cntfrq_el0 on the platform.
 pub fn frequency() -> TickFrequency {
     let frequency: u64;

crates/sprout/src/platform/timer/x86_64.rs

@@ -1,5 +1,4 @@
 use crate::platform::timer::TickFrequency;
-use core::arch::asm;
 use core::time::Duration;
 
 /// We will measure the frequency of the timer based on 1000 microseconds.
@@ -8,52 +7,16 @@ const MEASURE_FREQUENCY_DURATION: Duration = Duration::from_micros(1000);
 
 /// Read the number of ticks from the platform timer.
 pub fn ticks() -> u64 {
-    let mut eax: u32;
+    // SAFETY: Reads the platform timer, which is safe in any context.
-    let mut edx: u32;
+    unsafe { core::arch::x86_64::_rdtsc() }
-
-    unsafe {
-        asm!("rdtsc", out("eax") eax, out("edx") edx);
-    }
-
-    (edx as u64) << 32 | eax as u64
-}
-
-/// Read the starting number of ticks from the platform timer.
-pub fn start() -> u64 {
-    let rax: u64;
-    unsafe {
-        asm!(
-            "mfence",
-            "lfence",
-            "rdtsc",
-            "shl rdx, 32",
-            "or rax, rdx",
-            out("rax") rax
-        );
-    }
-    rax
-}
-
-/// Read the ending number of ticks from the platform timer.
-pub fn stop() -> u64 {
-    let rax: u64;
-    unsafe {
-        asm!(
-        "rdtsc",
-        "lfence",
-        "shl rdx, 32",
-        "or rax, rdx",
-        out("rax") rax
-        );
-    }
-    rax
 }
 
 /// Measure the frequency of the platform timer.
+/// NOTE: Intentionally, we do not synchronize rdtsc during measurement to match systemd behavior.
 fn measure_frequency() -> u64 {
-    let start = start();
+    let start = ticks();
     uefi::boot::stall(MEASURE_FREQUENCY_DURATION);
-    let stop = stop();
+    let stop = ticks();
     let elapsed = stop.wrapping_sub(start) as f64;
     (elapsed / MEASURE_FREQUENCY_DURATION.as_secs_f64()) as u64
 }
@@ -62,5 +25,5 @@ fn measure_frequency() -> u64 {
 /// On x86_64, this is slightly expensive, so it should be done once.
 pub fn frequency() -> TickFrequency {
     let frequency = measure_frequency();
-    TickFrequency::Measured(frequency, MEASURE_FREQUENCY_DURATION)
+    TickFrequency::Measured(frequency)
 }

crates/sprout/src/platform/tpm.rs

@@ -85,7 +85,9 @@ impl PlatformTpm {
         };
 
         // Check if the TPM supports `GetActivePcrBanks`, and if it doesn't return zero.
-        if handle.version().major < 1 || handle.version().major == 1 && handle.version().minor < 1 {
+        if (handle.version().major < 1)
+            || (handle.version().major == 1 && (handle.version().minor < 1))
+        {
             return Ok(0);
         }
 

crates/sprout/src/setup.rs

@@ -1,8 +1,14 @@
+use crate::logger;
 use anyhow::{Context, Result};
 
 /// Initializes the UEFI environment.
 pub fn init() -> Result<()> {
-    // Initialize the uefi internals.
+    // Initialize the logger for Sprout.
-    uefi::helpers::init().context("unable to initialize uefi")?;
+    // NOTE: This cannot use a result type as errors need to be printed
+    // using the logger, which is not initialized until this returns.
+    logger::init();
+
+    // Initialize further UEFI internals.
+    uefi::helpers::init().context("unable to initialize uefi environment")?;
     Ok(())
 }

crates/sprout/src/utils/variables.rs

@@ -145,6 +145,8 @@ impl VariableController {
         self.set(key, &value.to_le_bytes(), class)
     }
 
+    /// Remove the variable specified by `key`.
+    /// This can fail if the variable is not set.
     pub fn remove(&self, key: &str) -> Result<()> {
         let name = Self::name(key)?;
 

crates/sprout/src/utils/vercmp.rs

@@ -23,9 +23,9 @@ pub fn compare_versions_optional(a: Option<&str>, b: Option<&str>) -> Ordering {
     match (a, b) {
         // If both have values, compare them.
         (Some(a), Some(b)) => compare_versions(a, b),
-        // If the second value is None, return that it is less than the first.
+        // If the second value is None, then `a` is less than `b`.
         (Some(_a), None) => Ordering::Less,
-        // If the first value is None, return that it is greater than the second.
+        // If the first value is None, the `a` is greater than `b`.
         (None, Some(_b)) => Ordering::Greater,
         // If both values are None, return that they are equal.
         (None, None) => Ordering::Equal,

docs/setup/signed/debian.md

@@ -4,7 +4,6 @@
 
 - Modern Debian release: tested on Debian 13 ARM64
 - EFI System Partition mounted on `/boot/efi` (the default)
-- ext4 or FAT32/exFAT formatted `/boot` partition
 - You will need the following packages installed: `openssl`, `shim-signed`, `mokutil`, `sbsigntool`
 
 ## Step 1: Generate and Install Secure Boot Key
@@ -16,9 +15,9 @@ $ mkdir -p /etc/sprout/secure-boot
 $ cd /etc/sprout/secure-boot
 # Generate a MOK key and certificate.
 $ openssl req \
-  -newkey rsa:4096 -nodes -keyout mok.key \
+    -newkey rsa:4096 -nodes -keyout mok.key \
-  -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
-  -out mok.crt
+    -out mok.crt
 # Generate a DER encoded certificate for enrollment.
 $ openssl x509 -outform DER -in mok.crt -out mok.cer
 # Import the certificate into the Secure Boot environment.

docs/setup/signed/opensuse.md

@@ -0,0 +1,139 @@
+# Setup Sprout for openSUSE with Secure Boot
+
+**NOTE:** This guide may not function as written if the system validates hashes.
+If your system validates hashes in the shim, you will need to use MokManager to enroll the hashes
+of every EFI file involved, such as Sprout and any EFI drivers.
+
+## Prerequisites
+
+- Modern openSUSE release: tested on openSUSE Tumbleweed ARM64
+- EFI System Partition mounted on `/boot/efi` (the default)
+- You will need the following packages installed: `openssl`, `shim`, `mokutil`, `sbsigntools`
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+    -newkey rsa:4096 -nodes -keyout mok.key \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/share/efi/x86_64/shim.efi /boot/efi/EFI/sprout/shim.efi
+$ cp /usr/share/efi/x86_64/MokManager.efi /boot/efi/EFI/sprout/MokManager.efi
+$ cp /usr/share/efi/x86_64/fallback.efi /boot/efi/EFI/sprout/fallback.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/share/efi/aarch64/shim.efi /boot/efi/EFI/sprout/shim.efi
+$ cp /usr/share/efi/aarch64/MokManager.efi /boot/efi/EFI/sprout/MokManager.efi
+$ cp /usr/share/efi/aarch64/fallback.efi /boot/efi/EFI/sprout/fallback.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi`
+file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# Sign the unsigned Sprout artifact and name it grub.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grub.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+If `/boot` is FAT32 or ExFAT, you can skip this step.
+
+Most Debian systems use an ext4 filesystem for `/boot`.
+You can download an EFI filesystem driver from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+For ext4, download the `ext2` file for your platform. It should work for ext4 filesystems too.
+
+If you have an EFI driver, copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing.
+
+For example, the `ext4` driver, copy the `ext4.efi` file to `/boot/efi/EFI/sprout/ext4.unsigned.efi`.
+
+Then sign the driver with the Sprout Secure Boot key:
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# global values.
+[values]
+# your linux kernel command line.
+linux-options = "root=UUID=MY_ROOT_UUID"
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting bls enabled filesystems
+# or linux kernels and generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/ESP_PARTITION with the actual path to the ESP partition block device.
+
+```bash
+# Run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/ESP_PARTITION -c -L 'Sprout' -l '\EFI\sprout\shim.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/signed/ubuntu.md

@@ -4,7 +4,6 @@
 
 - Modern Ubuntu release: tested on Ubuntu 25.10 ARM64
 - EFI System Partition mounted on `/boot/efi` (the default)
-- ext4 or FAT32/exFAT formatted `/boot` partition
 
 ## Step 1: Generate and Install Secure Boot Key
 
@@ -15,9 +14,9 @@ $ mkdir -p /etc/sprout/secure-boot
 $ cd /etc/sprout/secure-boot
 # Generate a MOK key and certificate.
 $ openssl req \
-  -newkey rsa:4096 -nodes -keyout mok.key \
+    -newkey rsa:4096 -nodes -keyout mok.key \
-  -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
-  -out mok.crt
+    -out mok.crt
 # Generate a DER encoded certificate for enrollment.
 $ openssl x509 -outform DER -in mok.crt -out mok.cer
 # Import the certificate into the Secure Boot environment.

hack/clean.sh

@@ -27,4 +27,6 @@ if command -v docker >/dev/null 2>&1; then
 	delete_image sprout-kernel-build-aarch64 || true
 	delete_image sprout-boot-x86_64 || true
 	delete_image sprout-boot-aarch64 || true
+	delete_image sprout-xen-x86_64 || true
+	delete_image sprout-xen-aarch64 || true
 fi

hack/dev/boot.sh

@@ -55,6 +55,13 @@ else
 	fi
 fi
 
+if [ "${NO_INPUT}" != "1" ]; then
+	set -- "${@}" \
+		-device qemu-xhci \
+		-device usb-kbd \
+		-device usb-mouse
+fi
+
 rm -f "${FINAL_DIR}/ovmf-boot.fd"
 cp "${FINAL_DIR}/ovmf.fd" "${FINAL_DIR}/ovmf-boot.fd"
 if [ "${TARGET_ARCH}" = "aarch64" ]; then