releasing package livecd-rootfs version 25.10.16

* bryalex/bryalex/6.14-master:
  Add debian/changelog entry (LP: #2116199)
  feat(apparmor): Add missing components to 6.14 kernel apparmor features' preseeds

debian/changelog

@@ -1,3 +1,72 @@
+livecd-rootfs (25.10.16) questing; urgency=medium
+
+  * Put the uc20-style system seed for TPM backed FDE in the live layer.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Wed, 13 Aug 2025 10:34:39 +1200
+
+livecd-rootfs (25.10.15) questing; urgency=medium
+
+  * Add missing components to 6.14 kernel apparmor features' preseeds.
+    (LP: #2116199)
+
+ -- Bryan Alexander <bryan.alexander@canonical.com>  Thu, 17 Jul 2025 13:27:17 -0700
+
+livecd-rootfs (25.10.14) questing; urgency=medium
+
+  [ Didier Roche-Tolomelli ]
+  [ Tim Andersson ]
+  [ Daniel Bungert ]
+  * desktop TPMFDE: move snaps back to stable channels
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 07 Aug 2025 16:21:32 -0600
+
+livecd-rootfs (25.10.13) questing; urgency=medium
+
+  [ Olivier Gayot ]
+  * Build ubuntu-server with multipath-tools-boot installed, so that the
+    multipath stack ends up present in the initramfs.
+    The LVM stack is already present in the initramfs of the installer. And
+    since kinetic, the /dev/mapper entries for LVM devices are created during
+    the initramfs phase. This is a problem when we have LVM on top of a
+    multipath disk because LVM ends up creating /dev/mapper entries out of
+    /dev/sdX (or /dev/sdXpY) devices, not out of /dev/mapper/mpatha as it
+    should. Adding the multipath stack in the initramfs gives multipath a
+    chance to take ownership of /dev/sdX (or /dev/sdXpY) devices before LVM
+    does (LP: #2080474).
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 24 Jul 2025 17:37:33 -0600
+
+livecd-rootfs (25.10.12) questing; urgency=medium
+
+  [ Zygmunt Krynicki ]
+  * Use snap wait system seed.loaded to wait for snapd (LP: #2114923)
+
+  [ Dennis Loose ]
+  [ Didier Roche-Tolomelli ]
+  * Allow the ubuntu-desktop-installer to request snap seeding state
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Tue, 15 Jul 2025 16:30:41 +0200
+
+livecd-rootfs (25.10.11) questing; urgency=medium
+
+  * Fix installer startup to wait for snapd to be preseeded first
+    (LP: #2114923)
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Fri, 11 Jul 2025 14:57:56 +0200
+
+livecd-rootfs (25.10.10) questing; urgency=medium
+
+  * risc-v cloud images: enable cpc fixes for riscv64
+
+ -- Adriano Cordova <adriano.cordova@canonical.com>  Tue, 01 Jul 2025 09:11:16 -0400
+
+livecd-rootfs (25.10.9) questing; urgency=medium
+
+  * desktop and server: read $SUBARCH to allow the use of nvidia's kernel
+    instead of generic (LP: #2109822)
+
+ -- Antoine Lassagne <antoine.lassagne@canonical.com>  Tue, 17 Jun 2025 22:23:11 +1200
+
 livecd-rootfs (25.10.8) questing; urgency=medium
 
   [ Didier Roche-Tolomelli ]

live-build/apparmor/6.14/domain/disconnected.ipc

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/policy/unconfined_restrictions/io_uring

@@ -1 +1 @@
-0
+1

live-build/auto/build

@@ -484,6 +484,9 @@ for FLAVOUR in $LB_LINUX_FLAVOURS; do
 		lowlatency-hwe-*)
 			FLAVOUR="lowlatency"
 			;;
+		nvidia-hwe-*)
+			FLAVOUR="nvidia"
+			;;
 	esac
 	KVERS="$( (cd "binary/$INITFS"; ls vmlinu?-* 2>/dev/null || true) | (fgrep -v .efi || true) | sed -n "s/^vmlinu.-\\([^-]*-[^-]*-$FLAVOUR\\)$/\\1/p" )"
 	if [ -z "$KVERS" ]; then

live-build/auto/config

@@ -3,7 +3,7 @@ set -e
 
 case $ARCH:$SUBARCH in
 	amd64:|amd64:generic|amd64:intel-iot|\
-	arm64:|arm64:generic|arm64:raspi|arm64:snapdragon|\
+	arm64:|arm64:generic|arm64:raspi|arm64:snapdragon|arm64:nvidia|\
 	arm64:tegra|arm64:tegra-igx|arm64:tegra-jetson|arm64:x13s|\
 	arm64:largemem|\
 	armhf:|\
@@ -844,6 +844,16 @@ case $PROJECT in
 				HAS_DEFAULT_LANGUAGES=yes
 				LANGUAGE_BASE=desktop
 				KERNEL_FLAVOURS='generic-hwe-24.04'
+
+				case $SUBARCH in
+					nvidia)
+						KERNEL_FLAVOURS="nvidia-hwe-24.04"
+						;;
+					*)
+						# nothing to do here.
+						;;
+				esac
+				
 				do_layered_desktop_image
 
 				# Enchanced secureboot stuff
@@ -999,6 +1009,14 @@ case $PROJECT in
 				add_package ubuntu-server-minimal lxd-installer
 				add_task ubuntu-server-minimal.ubuntu-server minimal standard server
 				add_package ubuntu-server-minimal.ubuntu-server cloud-init
+				# If we have a multipath disk with LVM on top, we want to give
+				# multipath a chance to create the /dev/mapper/mpatha entry
+				# during the initramfs phase. Otherwise LVM will "steal" the
+				# device (e.g., /dev/sda2) and prevent multipath from using it
+				# after pivoting to the root filesystem of the live
+				# environment.
+				# See LP: #2080474 and LP: #1480399.
+				add_package ubuntu-server-minimal.ubuntu-server.installer multipath-tools-boot
 
 				add_task ubuntu-server-minimal.ubuntu-server.installer server-live
 
@@ -1023,6 +1041,9 @@ case $PROJECT in
 						# variants='ga-64k hwe-64k'
 						variants='ga-64k'
 						;;
+					nvidia)
+						variants='nvidia'
+						;;
 					*)
 						# variants='ga hwe'
 						variants='ga'
@@ -1060,6 +1081,9 @@ case $PROJECT in
 					elif [ "$variant" = "tegra-jetson" ]; then
 						kernel_metapkg=linux-nvidia-tegra-jetson
 						flavor=nvidia-tegra-jetson
+					elif [ "$variant" = "nvidia" ]; then
+						kernel_metapkg=linux-nvidia-hwe-$(lsb_release -sr)
+						flavor=nvidia
 					else
 						echo "bogus variant: $variant"
 						exit 1

live-build/functions

@@ -566,10 +566,11 @@ _snap_post_process() {
             # If the 'core' snap is not present, assume we are coreXX-only and
             # install the snapd snap.
             channel=stable
-            # FIXME: TPM-FDE spike, to be removed after the spike is over.
+            # FIXME: This can be commented and uncommented to enable snaps from
-            if [ $PROJECT = "ubuntu" ]; then
+            # edge for development spikes.
-                channel=edge
+            # if [ $PROJECT = "ubuntu" ]; then
-            fi
+            #     channel=edge
+            # fi
             if [ ! -f ${snaps_dir}/core_[0-9]*.snap ]; then
                 _snap_preseed $CHROOT_ROOT snapd "$channel"
             fi

live-build/ubuntu-cpc/hooks.d/chroot/999-cpc-fixes.chroot

@@ -100,7 +100,7 @@ fi
 
 case $arch in
 	# ppc, riscv64 and s390x images are special
-	powerpc|ppc64el|s390x|riscv64)
+	powerpc|ppc64el|s390x)
 		exit 0
 		;;
 esac

live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary

@@ -1,71 +1,24 @@
 #! /bin/sh
 
+# We need to remove the snapd seed configuration for the layers that
+# will be the installation source for a TPM-backed FDE install or
+# snapd gets very confused on the boot of the target system.
+
 set -eux
 
 case ${PASS:-} in
-    minimal.standard.enhanced-secureboot)
+    *.enhanced-secureboot)
-        ;;
-    minimal.enhanced-secureboot)
         ;;
     *)
         exit 0
         ;;
 esac
 
+. config/functions
+
 if [ -n "${SUBPROJECT:-}" ]; then
     echo "We don't run Ubuntu Desktop hooks for this project."
     exit 0
 fi
 
-. config/binary
-. config/functions
-
-# Generation of the model:
-# * At https://github.com/canonical/models one can find a repo of raw,
-#   unsigned, input .json files, and their signed .model equivalents.
-# * At least once per cycle, update the json for the new Ubuntu version.
-#   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
-#   rename for the new version, and do any necessary updates including fixing
-#   the versions of tracks.
-# * When this is done, the json needs to be signed.  This needs to be done by
-#   a Canonical employee - try asking someone who has recently opened PRs on
-#   https://github.com/canonical/models with the signed models.
-# * Ensure the signed and unsigned version of the models are updated in the
-#   models repo.
-# * The signed model can then be placed here in livecd-rootfs at
-#   live-build/${PROJECT}/ubuntu-classic-amd64.model
-
-# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
-model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
-
-# see below note about "dangerous" model
-CHANNEL=${CHANNEL:-stable}
-
-channel=""
-if [ -n "${CHANNEL:-}" ]; then
-    channel="--channel $CHANNEL"
-fi
-
 reset_snapd_state chroot
-
-# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
-# snap versions regardless of phasing status
-
-# this is the normal prepare-image invocation.  This is not used right now as
-# the model in question is the "dangerous" model so that we can override the
-# channel of pc-kernel to get a matching set of snaps.
-#   env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
-#       --classic $model $channel chroot
-# so instead we're doing this, including forcing channel to stable for
-# everything but pc-kernel.
-env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
-    --classic $model $channel \
-    --snap=pc-kernel=25.10/candidate \
-    --snap=snapd=latest/edge \
-    --snap=desktop-security-center=1/edge \
-    --snap=firmware-updater=1/edge \
-    chroot
-
-mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
-rm -rf chroot/var/lib/snapd/seed
-mv chroot/system-seed chroot/var/lib/snapd/seed

live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# create the system seed for TPM-backed FDE in the live layer of the installer.
+
+set -eux
+
+case ${PASS:-} in
+    *.live)
+        ;;
+    *)
+        exit 0
+        ;;
+esac
+
+if [ -n "${SUBPROJECT:-}" ]; then
+    echo "We don't run Ubuntu Desktop hooks for this project."
+    exit 0
+fi
+
+. config/binary
+. config/functions
+
+# Generation of the model:
+# * At https://github.com/canonical/models one can find a repo of raw,
+#   unsigned, input .json files, and their signed .model equivalents.
+# * At least once per cycle, update the json for the new Ubuntu version.
+#   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
+#   rename for the new version, and do any necessary updates including fixing
+#   the versions of tracks.
+# * When this is done, the json needs to be signed.  This needs to be done by
+#   a Canonical employee - try asking someone who has recently opened PRs on
+#   https://github.com/canonical/models with the signed models.
+# * Ensure the signed and unsigned version of the models are updated in the
+#   models repo.
+# * The signed model can then be placed here in livecd-rootfs at
+#   live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
+model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# see below note about "dangerous" model
+CHANNEL=${CHANNEL:-stable}
+
+channel=""
+if [ -n "${CHANNEL:-}" ]; then
+    channel="--channel $CHANNEL"
+fi
+
+# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
+# snap versions regardless of phasing status
+
+# this is the normal prepare-image invocation.  This is not used right now as
+# the model in question is the "dangerous" model so that we can override the
+# channel of pc-kernel and others to get a matching set of snaps.
+#   env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+#       --classic $model $channel chroot
+# FIXME - go back to the stable model and remove all the `--snap` overrides
+env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+    --classic $model $channel \
+    --snap=pc=classic-25.10/stable \
+    --snap=pc-kernel=25.10/candidate \
+    --snap=firmware-updater=1/stable/ubuntu-25.10 \
+    --snap=desktop-security-center=1/stable/ubuntu-25.10 \
+    --snap=prompting-client=1/stable/ubuntu-25.10 \
+    --snap=snap-store=2/stable/ubuntu-25.10 \
+    --snap=gtk-common-themes=latest/stable/ubuntu-25.10 \
+    --snap=firefox=latest/stable/ubuntu-25.10 \
+    --snap=gnome-42-2204=latest/stable/ubuntu-25.10 \
+    --snap=snapd-desktop-integration=latest/stable/ubuntu-25.10 \
+    chroot
+
+mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
+rsync -av chroot/system-seed/{systems,snaps} chroot/var/lib/snapd/seed
+rm -rf chroot/system-seed/

live-build/ubuntu/includes.chroot.minimal.standard.live/etc/polkit-1/rules.d/10-allow-installer-wait-on-snap.rules

@@ -0,0 +1,13 @@
+// -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*-
+//
+// THIS FILE IS ONLY AVAILABLE ON THE LIVE SYSTEM
+//
+// Allow the ubuntu-desktop-installer to request snap seeding state
+// used before starting.
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "io.snapcraft.snapd.manage-configuration") {
+            return polkit.Result.YES;
+    }
+});
+

live-build/ubuntu/includes.chroot.minimal.standard.live/usr/lib/systemd/user/ubuntu-desktop-installer.service

@@ -10,6 +10,8 @@ Conflicts=gnome-session@gnome-login.target
 
 [Service]
 Type=oneshot
+# Make sure that the system was seeded to access the snap
+ExecStartPre=/usr/bin/snap wait system seed.loaded
 ExecStart=/snap/bin/ubuntu-desktop-bootstrap --try-or-install
 ExecStopPost=sh -c "gsettings set org.gnome.shell.extensions.dash-to-dock dock-fixed true; gsettings set org.gnome.shell.extensions.dash-to-dock intellihide true; gnome-extensions enable ding@rastersoft.com"
 Restart=no