changelog entry

patch create_manifest to produce an sbom when called by an ubuntu-cpc
project. Patch all the ubuntu-cpc hooks and series files to include the
newly generated manifests, filelists, and sboms. Generates a number of
new artifacts in the builds. the snap utilized, cpc-sbom, is an open
source repo and a provided via a hidden snap. there is no intention of
publisizing the snap or how we generate sboms, however partners require
the ability to audit if required.

defensively checks if the snap is already installed, in the case of
multiple hooks being called in a single build (thus sharing a build
host), and only if called in an ubuntu-cpc project.

(cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)

debian/changelog

@@ -1,3 +1,477 @@
+livecd-rootfs (2.664.54) focal; urgency=medium
+
+  * add cpc-sbom to create_manifest calls to generate sboms (LP: #2077105) 
+
+ -- jchittum <john.chittum@canonical.com>  Wed, 28 Aug 2024 09:30:19 -0400
+
+livecd-rootfs (2.664.53) focal; urgency=medium
+
+  [Catherine Redfield]
+  * add 5.15 apparmor directory for snap preseeding with 5.15 kernel
+    (LP: #2052789)
+  * bind correct apparmor feature for validating snap seed
+    (LP: #2059730)
+
+ -- Phil Roche <phil.roche@canonical.com>  Fri, 09 Feb 2024 09:41:18 +0000
+
+livecd-rootfs (2.664.52) focal; urgency=medium
+
+  * fix: use correct sshd_config.d/ ordering. (LP: #2049860)
+
+ -- Thomas Bechtold <thomas.bechtold@canonical.com>  Mon, 22 Jan 2024 17:08:05 +0530
+
+livecd-rootfs (2.664.51) focal; urgency=medium
+
+  [ Steve Langasek ]
+  * The chroot tmpfs mount should only be /var/lib/apt/lists, not
+    /var/lib/apt; the latter breaks changes to /var/lib/apt/extended_states.
+    (LP: #2036195).
+
+ -- Phil Roche <phil.roche@canonical.com>  Thu, 19 Oct 2023 18:17:20 +0100
+
+livecd-rootfs (2.664.50) focal; urgency=medium
+
+  * Do not modify /etc/ssh/sshd_config for ubuntu-cpc
+    project builds. (LP: #1968873)
+
+ -- Thomas Bechtold <thomas.bechtold@canonical.com>  Thu, 28 Sep 2023 13:16:46 +0200
+
+livecd-rootfs (2.664.49) focal; urgency=medium
+
+  * Address the missing GRUB_DISTRIBUTOR issue. LP: #2034253
+
+ -- jchittum <john.chittum@canonical.com>  Fri, 08 Sep 2023 08:35:15 -0500
+
+livecd-rootfs (2.664.48) focal; urgency=medium
+
+  * Drop use of --removable flag to grub-install from
+    live-build/buildd/hooks/02-disk-image-uefi.binary, to match the cloud
+    images (7c760864fdcb278ca37396f06f5e3f297428d63d).  This fixes
+    bootloader updates in the buildd images, but also fixes compatibility
+    with using devtmpfs for losetup. 
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 19 May 2023 00:09:01 -0700
+
+livecd-rootfs (2.664.47) focal; urgency=medium
+
+  * disk-image-uefi: bump armhf size. (LP: #2011739)
+
+ -- Simon Poirier <simon.poirier@canonical.com>  Mon, 20 Mar 2023 19:19:05 -0400
+
+livecd-rootfs (2.664.46) focal; urgency=medium
+
+  * Terrible hack workaround for clearing out the non-offline apt cache for
+    desktop related images. Backported from jammy.
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Thu, 16 Mar 2023 14:03:18 +0100
+
+livecd-rootfs (2.664.45) focal; urgency=medium
+
+  [ Samir Akarioh ]
+  * feat: Add metadata on ubuntu-oci image. (LP: #1998229)
+
+ -- Utkarsh Gupta <utkarsh@ubuntu.com>  Mon, 12 Dec 2022 15:33:48 +0530
+
+livecd-rootfs (2.664.44) focal; urgency=medium
+
+  [ Michał Sawicz ]
+  * ubuntu-buildd: Add arm64 buildd bootable image. (LP: #1966636) 
+
+ -- jchittum <john.chittum@canonical.com>  Fri, 29 Jul 2022 09:57:57 +1200
+
+livecd-rootfs (2.664.43) focal; urgency=medium
+
+  * ubuntu-cpc: Install `shim-signed` and `grub-efi-arm64-signed` to
+    enable secureboot on ARM64 images (LP: #1980358)
+
+ -- Ivan Kapelyukhin <ivan.kapelyukhin@canonical.com>  Thu, 30 Jun 2022 14:06:30 +0200
+
+livecd-rootfs (2.664.42) focal; urgency=medium
+
+  * Switch intel-iot to use intel-iotg-edge, the 5.15 based IOTG kernel
+    (LP: #1980065)
+    - While at it, build using the main kernel meta, not just with
+      linux-image-*
+  * Add support for building live-server images for intel-iot (LP: #1980067)
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Thu, 09 Jun 2022 16:46:37 +0200
+
+livecd-rootfs (2.664.41) focal; urgency=medium
+
+  [ Ivan Kapelyukhin ]
+  * Split UEFI image out of `disk-image` series file into
+    `disk-image-uefi`. (LP: #1961760)
+
+  [ Thomas Bechtold ]
+  * Optionally (when ALLOW_CORE_SNAP env var is set) allow to install
+    core snap. Still needed by some CPC projects. (LP: #1964303)
+
+ -- Thomas Bechtold <thomas.bechtold@canonical.com>  Fri, 04 Mar 2022 14:00:16 +0100
+
+livecd-rootfs (2.664.40) focal; urgency=medium
+
+  * Unset `initrdless_boot_fallback_triggered` in /boot/grub/grubenv instead
+    of setting it to 0 when the fallback is not triggered to prevent integrity
+    monitoring errors on GCE. (LP: #1960564)
+
+ -- Ivan Kapelyukhin <ivan.kapelyukhin@canonical.com>  Mon, 14 Feb 2022 21:32:01 +0100
+
+livecd-rootfs (2.664.39) focal; urgency=medium
+
+  * Switch to building raspi classic images using the 'classic' branch instead
+    of '18'. This is needed for proper Pi Zero 2 support (LP: #1960950).
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Tue, 15 Feb 2022 18:59:05 +0100
+
+livecd-rootfs (2.664.38) focal; urgency=medium
+
+  * Add sleep due to e2fsck error in umount_partition. LP: #1960537
+
+ -- Brian Murray <brian@ubuntu.com>  Thu, 10 Feb 2022 15:41:28 -0800
+
+livecd-rootfs (2.664.37) focal; urgency=medium
+
+  * Do not look for a base snap on snaps of type base, because recursive
+    dependencies are not allowed for snaps.  LP: #1957123.
+  * Treat it as a fatal error if we are asked to install a snap that would
+    pull in the core snap.  Ubuntu 20.04 and Ubuntu 22.04 official images
+    should never require snaps that depend on an Ubuntu 16.04 runtime, this
+    indicates a misconfiguration that will bloat the install.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 18 Jan 2022 16:16:18 -0800
+
+livecd-rootfs (2.664.36) focal; urgency=medium
+
+  * live-build/ubuntu-server/hooks/032-installer-squashfs.binary: be more
+    careful in deleting snaps that snap-preseed has copied up into the live
+    installer layer. (LP: #1952093)
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Thu, 02 Dec 2021 12:05:00 +1300
+
+livecd-rootfs (2.664.35) focal; urgency=medium
+
+  [ Thomas Bechtold ]
+  * magic-proxy: fix exception handling for URLError (LP: #1946520)
+
+ -- Brian Murray <brian@ubuntu.com>  Thu, 18 Nov 2021 15:42:45 -0800
+
+livecd-rootfs (2.664.34) focal; urgency=medium
+
+  * Add the capability to build an ISO image for the Intel IoT project.
+    Additionally, stop using universe with the project given that the kernel
+    is now in main. (LP: #1951173)
+
+ -- Brian Murray <brian@ubuntu.com>  Tue, 16 Nov 2021 17:18:59 -0800
+
+livecd-rootfs (2.664.33) focal; urgency=medium
+
+  * Install cloud-initramfs-growroot to actually enable rootfs resize.
+  * Fix a grub error by making sure the unicode.pf2 font is installed in the
+    right path for preinstalled amd64 desktop images.
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Fri, 29 Oct 2021 15:33:34 +0200
+
+livecd-rootfs (2.664.32) focal; urgency=medium
+
+  * 099-ubuntu-image-customization.chroot: fix a typo in it.
+
+ -- Brian Murray <brian@ubuntu.com>  Thu, 28 Oct 2021 11:12:32 -0700
+
+livecd-rootfs (2.664.31) focal; urgency=medium
+
+  [ Łukasz 'sil2100' Zemczak ]
+  * Add the 099-ubuntu-image-customization.chroot for
+    desktop-preinstalled images similar to what we have in groovy+ (for the pi
+    desktop), but improved for amd64 platforms. We need it to generate a valid
+    grub.cfg on the rootfs (similar to ubuntu-cpc) and then use that instead
+    of a static configuration locked on the boot partition (LP: #1949102).
+
+  [ Brian Murray ]
+  * Properly check ARCH when setting the intel-iot model.
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Thu, 28 Oct 2021 17:35:12 +0200
+
+livecd-rootfs (2.664.30) focal; urgency=medium
+
+  [ Thomas Bechtold ]
+  * magic-proxy: Replace http.client with urllib calls. live-build/auto/build:
+    change iptables calls to query rules and quickly check that connectivity
+    works after transparent proxy has been installed. (LP: #1917920)
+  * magic-proxy: fix TypeError when trying to call get_uri() (LP: #1944906)
+
+ -- Brian Murray <brian@ubuntu.com>  Thu, 21 Oct 2021 11:55:24 -0700
+
+livecd-rootfs (2.664.29) focal; urgency=medium
+
+  * Generate manifest for HyperV desktop image (LP: #1940136)
+
+ -- Jason C. McDonald <codemouse92@outlook.com>  Wed, 15 Sep 2021 23:41:39 +1200
+
+livecd-rootfs (2.664.28) focal; urgency=medium
+
+  [ Brian Murray ]
+  * Make sure we're using the 'classic' branch for the intel-iot gadget.
+    (LP: #1938338)
+
+  [ Łukasz 'sil2100' Zemczak ]
+  * Add support for passing SUBPROJECT to classic ubuntu-image calls. This
+    should fix running desktop-preinstalled builds. (LP: #1938338)
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Mon, 16 Aug 2021 13:02:23 +0200
+
+livecd-rootfs (2.664.27) focal; urgency=medium
+
+  * And whoops, we missed adding ARCH in the SUBARCH ubuntu-image handling for
+    intel-iot.
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Wed, 04 Aug 2021 17:32:37 +0200
+
+livecd-rootfs (2.664.26) focal; urgency=medium
+
+  * Revert previous change of fixing /dev sharing - this causes weird
+    autopkgtest issues.
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Mon, 02 Aug 2021 22:13:03 +0200
+
+livecd-rootfs (2.664.25) focal; urgency=medium
+
+  [ Brian Murray ]
+  * Add support for creating images (ubuntu-core and classic) with a kernel
+    optimized for Intel IoT devices. (LP: #1938338)
+
+  [ Michael Hudson-Doyle ]
+  * Simplify how the subiquity client is run on the serial console in the live
+    server environment, breaking a unit cycle that sometimes prevents
+    subiquity from starting up at all. (LP: #1888497)
+  * Do not set the password for the installer user via cloud-init as subiquity
+    can now do this itself. (LP: #1933523)
+
+  [ Łukasz 'sil2100' Zemczak ]
+  * Fix sharing of the /dev tree to make sure we can safely umount the chroot
+    when needed. This fixes local non-livefs-builder image builds.
+    (LP: #1938414)
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Thu, 29 Jul 2021 11:05:58 +0200
+
+livecd-rootfs (2.664.24) focal; urgency=medium
+
+  * Backport generalising of the riscv64 images from hirsute to support
+    building separate unmatched and unleashed images in focal (LP: #1932014)
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Tue, 15 Jun 2021 13:33:33 +0200
+
+livecd-rootfs (2.664.23) focal; urgency=medium
+
+  * Adding dependencies for Active Directory support (LP: #1921374)
+
+ -- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com>  Thu, 20 May 2021 17:52:20 +0200
+
+livecd-rootfs (2.664.22) focal; urgency=medium
+
+  * Add grub config to produce console output and install lxd-agent loader
+    to allow buildd vm images to work in lxd without requirement for manual
+    installation (LP: #1915571)
+
+ -- Cody Shepherd <cody.shepherd@canonical.com>  Thu, 20 May 2021 17:07:01 -0700
+
+livecd-rootfs (2.664.21) focal; urgency=medium
+
+  [ Thomas Bechtold ]
+  * Add a new ubuntu-oci project that contains the customizations currently
+    performed downstream for the official Ubuntu images on dockerhub.
+    (LP: #1926732)
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 11 May 2021 11:38:16 +1200
+
+livecd-rootfs (2.664.20) focal; urgency=medium
+
+  [ Gauthier Jolly ]
+  * ubuntu-cpc: secure esp mountpoint (LP: #1881006)
+    Change mount option for ubuntu-cpc images from "defaults" to "umask=0077"
+    ESP partitions might contain sensitive data and non-root users shouldn't
+    have read access on it.
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Sat, 10 Apr 2021 05:20:11 -0500
+
+livecd-rootfs (2.664.19) focal; urgency=medium
+
+  [ Patrick Viafore ]
+  * Fix broken minimal cloud image boot on amd64 LP: #1920043
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Mon, 22 Mar 2021 10:57:50 -0500
+
+livecd-rootfs (2.664.18) focal; urgency=medium
+
+  [ Patrick Viafore ]
+  * Only try without initrd-less on replaced kernels, not all kernels
+  * Provide a mechanism to detect initrd-less fallback (LP: #1870189)
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Tue, 23 Feb 2021 14:45:23 -0600
+
+livecd-rootfs (2.664.17) focal; urgency=medium
+
+  [ David Krauser ]
+  * buildd: produce kernel and initrd as separate artifacts LP: #1910557
+  * buildd: call update-initramfs for all installed kernels
+    We only have one kernel installed, so we don't need to
+    specify an explicit version. LP: #1910557
+
+  [ Dimitri John Ledkov ]
+  * esp: install grub in ubuntu bootloader id path, instead of removable.
+    (LP: #1912830)
+  * esp: perform fsck. (LP: #1912835)
+  * Perform fsck on all rootfs. (LP: #1912835)
+  * functions: stop removing systemd-detect-virt unconditionally in undivert_grub
+    (LP: #1902260)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 09 Feb 2021 00:52:00 +0000
+
+livecd-rootfs (2.664.16) focal; urgency=medium
+
+  [ Cody Shepherd ]
+  * Produce manifests for buildd tarball images (LP: #1914445)
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Fri, 05 Feb 2021 14:57:56 -0600
+
+livecd-rootfs (2.664.15) focal; urgency=medium
+
+  * Properly handle lowlatency-hwe-* (LP: #1914217)
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Tue, 02 Feb 2021 11:39:11 +0100
+
+livecd-rootfs (2.664.14) focal; urgency=medium
+
+  * Actually also enable the hwe kernel for all flavours for 20.04.2
+    (LP: #1914119)
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Mon, 01 Feb 2021 22:17:01 +0100
+
+livecd-rootfs (2.664.13) focal; urgency=medium
+
+  * Enable the hwe variant for ubuntu-server-live (LP: #1913314)
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Tue, 26 Jan 2021 15:47:43 +0100
+
+livecd-rootfs (2.664.12) focal; urgency=medium
+
+  * riscv64: backport HiFive unleashed & cloud-image building support
+    (LP: #1903034)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 15 Jan 2021 17:07:20 +0000
+
+livecd-rootfs (2.664.10) focal; urgency=medium
+
+  * Do not hard-code the UC20 amd64 image size to 8GB as now ubuntu-image
+    should be able to properly calculate the needed size itself.
+  * But per discussion, we might want to keep the UC20 images a bit bigger than
+    what's defined via the gadget/rootfs contents, to make sure writable is
+    comfortably big enough. Use the same hard-coded value as for UC16 and UC18.
+    (LP: #1905990)
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Fri, 27 Nov 2020 17:58:38 +0100
+
+livecd-rootfs (2.664.9) focal; urgency=medium
+
+   [ John Chittum]
+   * Backport Ensure toolsVersion set in vmdk header (LP: #1893898) 
+
+   [ Dimitri John Ledkov & Joshua Powers ]
+   * amd64: always install grub-pc with shim-signed (LP: #1901906), and
+     ensure to autoremove packages
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Fri, 20 Nov 2020 14:35:51 -0600
+
+livecd-rootfs (2.664.8) focal; urgency=medium
+
+  Backport snap-preseed work from groovy to focal LP: #1896755
+
+  [ Robert C Jennings ]
+  * Apply snap-preseed optimizations after seeding snaps
+
+  [ Dimitri John Ledkov ]
+  * live-server: remove duplicate snaps, due to overlayfs vs snap-preseed.
+  * apparmor: Add generic v5.4 kernel apparmor features
+  * apparmor: mount more up-to-date apparmor features in the chroot.
+  * seccomp: add more up-to-date seccomp actions
+  * seccomp: mount more up-to-date seccomp features
+  * apparmor: compile all profiles
+
+  [ Robert C Jennings ]
+  * Avoid rbind /sys for chroot snap pre-seeding (cgroups fail to unmount)
+
+  [ Dimitri John Ledkov ]
+  * auto/build: use setup|teardown_mountpoint to reduce duplication
+  * functions: provide nss_systemd-less nsswitch.conf in chroots.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 05 Oct 2020 10:33:02 +0100
+
+livecd-rootfs (2.664.7) focal; urgency=medium
+
+  [ Stanislav German-Evtushenko <giner> / John Chittum ]
+  * Send Vagrant serial connection to NULL. (LP: #1874453)
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Wed, 23 Sep 2020 13:32:32 -0500
+
+livecd-rootfs (2.664.6) focal; urgency=medium
+
+  [ Patrick Wu ]
+  * Fix xrdp support in hyper-v images.  LP: #1890980.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 26 Aug 2020 14:06:31 -0700
+
+livecd-rootfs (2.664.5) focal; urgency=medium
+
+  [ Robert C Jennings ]
+  * Handle seeded lxd snap with channel name for ubuntu-cpc:minimized
+    (LP: #1889470)
+
+  [ Cody Shepherd ]
+  * Add dist-upgrade to bootable-buildd hook to ensure the built image
+    doesn't contain vulnerable kernels or other packages.  LP: #1891061.
+  * Don't explicitly install grub-efi-amd64-signed, it's a dependency of
+    shim-signed.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 04 Aug 2020 12:39:27 -0700
+
+livecd-rootfs (2.664.4) focal; urgency=medium
+
+  * snap_preseed: support channel specification with snap name (LP: #1882374)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 23 Jul 2020 19:12:10 +0100
+
+livecd-rootfs (2.664.3) focal; urgency=medium
+
+  [ Łukasz 'sil2100' Zemczak ]
+  * Enable overrides of UC20 grade dangerous channels - as this is possible.
+    (LP: #1879350)
+
+  [ Iain Lane ]
+  * Hack seeding of linux kernel in ubuntustudio/focal
+    ubuntustudio-default-settings in focal release has a Recommends to this
+    kernel, which makes it impossible to update the kernel later on, since we
+    would install the -updates and release kernel, which isn't allowed and
+    causes FTBFS. Hack out the focal-release kernel and let the rest of the
+    build process pull in the right one. (LP: #1884915)
+
+ -- Iain Lane <iain.lane@canonical.com>  Tue, 21 Jul 2020 16:25:18 +0100
+
+livecd-rootfs (2.664.2) focal; urgency=medium
+
+  * Revert of initramfs package removal in KVM image (LP: #1880170)
+
+ -- Phil Roche <phil.roche@canonical.com>  Fri, 22 May 2020 13:03:20 +0100
+
+livecd-rootfs (2.664.1) focal; urgency=medium
+
+  * Bump only the UC20 pc image to 8GB, and keep Pi images as small as possible.
+    (LP: #1875430)
+  * ubuntu-image: fix focal+ pi images for armhf to use pi-armhf model name.
+    (LP: #1876358)
+  * ubuntu-image: drop ubuntu-image dep on riscv64, as not installable yet.
+    (LP: #1876359)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 01 May 2020 20:08:23 +0100
+
 livecd-rootfs (2.664) focal; urgency=medium
 
   [ Patrick Viafore ]

debian/control

@@ -32,13 +32,13 @@ Depends: ${misc:Depends},
          python3-apt,
          python3-software-properties,
          python3-yaml,
-         qemu-utils [!i386 !riscv64],
+         qemu-utils [!i386],
          rsync,
-         snapd (>= 2.39) [!i386 !riscv64],
+         snapd (>= 2.39) [!i386],
          squashfs-tools (>= 1:3.3-1),
          sudo,
          u-boot-tools [armhf arm64],
-         ubuntu-image [!i386],
+         ubuntu-image [!i386 !riscv64],
          python3-vmdkstream [amd64 i386],
          xz-utils,
          zerofree

live-build/apparmor/5.15/capability

@@ -0,0 +1 @@
+0xffffff

live-build/apparmor/5.15/caps/mask

@@ -0,0 +1 @@
+chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read

live-build/apparmor/5.15/dbus/mask

@@ -0,0 +1 @@
+acquire send receive

live-build/apparmor/5.15/domain/attach_conditions/xattr

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/domain/change_hat

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/domain/change_hatv

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/domain/change_onexec

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/domain/change_profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/domain/computed_longest_left

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/domain/fix_binfmt_elf_mmap

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/domain/post_nnp_subset

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/domain/stack

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/domain/version

@@ -0,0 +1 @@
+1.2

live-build/apparmor/5.15/file/mask

@@ -0,0 +1 @@
+create read write exec append mmap_exec link lock

live-build/apparmor/5.15/ipc/posix_mqueue

@@ -0,0 +1 @@
+create read write open delete setattr getattr

live-build/apparmor/5.15/mount/mask

@@ -0,0 +1 @@
+mount umount pivot_root

live-build/apparmor/5.15/namespaces/pivot_root

@@ -0,0 +1 @@
+no

live-build/apparmor/5.15/namespaces/profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/network/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp

live-build/apparmor/5.15/network/af_unix

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/network_v8/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp

live-build/apparmor/5.15/policy/set_load

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/policy/versions/v5

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/policy/versions/v6

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/policy/versions/v7

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/policy/versions/v8

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/ptrace/mask

@@ -0,0 +1 @@
+read trace

live-build/apparmor/5.15/query/label/data

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/query/label/multi_transaction

@@ -0,0 +1 @@
+yes

live-build/apparmor/5.15/query/label/perms

@@ -0,0 +1 @@
+allow deny audit quiet

live-build/apparmor/5.15/rlimit/mask

@@ -0,0 +1 @@
+cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime

live-build/apparmor/5.15/signal/mask

@@ -0,0 +1 @@
+hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost

live-build/apparmor/generic.features

@@ -0,0 +1,78 @@
+query {label {multi_transaction {yes
+}
+data {yes
+}
+perms {allow deny audit quiet
+}
+}
+}
+dbus {mask {acquire send receive
+}
+}
+signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
+}
+}
+ptrace {mask {read trace
+}
+}
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+namespaces {pivot_root {no
+}
+profile {yes
+}
+}
+mount {mask {mount umount pivot_root
+}
+}
+network {af_unix {yes
+}
+af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {version {1.2
+}
+attach_conditions {xattr {yes
+}
+}
+computed_longest_left {yes
+}
+post_nnp_subset {yes
+}
+fix_binfmt_elf_mmap {yes
+}
+stack {yes
+}
+change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+versions {v8 {yes
+}
+v7 {yes
+}
+v6 {yes
+}
+v5 {yes
+}
+}
+}

live-build/apparmor/generic/capability

@@ -0,0 +1 @@
+0xffffff

live-build/apparmor/generic/caps/mask

@@ -0,0 +1 @@
+chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read

live-build/apparmor/generic/dbus/mask

@@ -0,0 +1 @@
+acquire send receive

live-build/apparmor/generic/domain/attach_conditions/xattr

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_hat

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_hatv

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_onexec

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/computed_longest_left

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/fix_binfmt_elf_mmap

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/post_nnp_subset

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/stack

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/version

@@ -0,0 +1 @@
+1.2

live-build/apparmor/generic/file/mask

@@ -0,0 +1 @@
+create read write exec append mmap_exec link lock

live-build/apparmor/generic/mount/mask

@@ -0,0 +1 @@
+mount umount pivot_root

live-build/apparmor/generic/namespaces/pivot_root

@@ -0,0 +1 @@
+no

live-build/apparmor/generic/namespaces/profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/network/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp

live-build/apparmor/generic/network/af_unix

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/network_v8/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp

live-build/apparmor/generic/policy/set_load

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v5

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v6

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v7

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v8

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/ptrace/mask

@@ -0,0 +1 @@
+read trace

live-build/apparmor/generic/query/label/data

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/query/label/multi_transaction

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/query/label/perms

@@ -0,0 +1 @@
+allow deny audit quiet

live-build/apparmor/generic/rlimit/mask

@@ -0,0 +1 @@
+cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime

live-build/apparmor/generic/signal/mask

@@ -0,0 +1 @@
+hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost

live-build/auto/build

@@ -35,6 +35,18 @@ run_iptables () {
     kver="${kver#*.}"
     kver_minor="${kver%%.*}"
 
+
+    # LP: #1917920
+    # I'm seeing issues after iptables got upgraded from 1.8.5 to
+    # 1.8.7 Somehow installing our nat rule doesn't get activated, and
+    # no networking is happening at all.
+
+    # But somehow calling both iptables -S makes things start working.
+    # Maybe no default chains are installed in our network namespace?!
+    # Or 1.8.7 is somehow broken?
+    iptables -v -t nat -S
+    iptables-legacy -v -t nat -S
+
     if [ "$kver_major" -lt 4 ] || \
        ([ "$kver_major" = 4 ] && [ "$kver_minor" -lt 15 ]); then
         iptables-legacy "$@"
@@ -52,10 +64,11 @@ if [ -n "$REPO_SNAPSHOT_STAMP" ]; then
     apt-get -qyy install iptables
 
     # Redirect all outgoing traffic to port 80 to proxy instead.
-    run_iptables -t nat -A OUTPUT -p tcp --dport 80 \
+    run_iptables -v -t nat -A OUTPUT -p tcp --dport 80 \
         -m owner ! --uid-owner daemon -j REDIRECT --to 8080
 
     # Run proxy as "daemon" to avoid infinite loop.
+    LB_PARENT_MIRROR_BOOTSTRAP=$LB_PARENT_MIRROR_BOOTSTRAP \
     /usr/share/livecd-rootfs/magic-proxy \
         --address="127.0.0.1" \
         --port=8080 \
@@ -65,6 +78,9 @@ if [ -n "$REPO_SNAPSHOT_STAMP" ]; then
         --pid-file=config/magic-proxy.pid \
         --background \
         --setsid
+
+    # Quick check that magic proxy & iptables chains are working
+    timeout 3m apt-get update
 fi
 
 # Link output files somewhere launchpad-buildd will be able to find them.
@@ -106,14 +122,17 @@ fi
 Setup_cleanup
 
 preinstall_snaps() {
-	lb chroot_resolv install
+	setup_mountpoint chroot
+
 	snap_prepare chroot
 
 	for snap in "$@"; do
 		SNAP_NO_VALIDATE_SEED=1 snap_preseed chroot "${snap}"
 	done
+
 	snap_validate_seed chroot
-	lb chroot_resolv remove
+
+	teardown_mountpoint chroot
 }
 
 rm -f binary.success
@@ -242,7 +261,7 @@ if  [ "$(dpkg-divert --truename /usr/bin/man)" = "/usr/bin/man.REAL" ]; then
 fi
 EOF
 
-                if [ "$PROJECT" != "ubuntu-base" ]; then
+                if [ "$PROJECT" != "ubuntu-base" ] && [ "$PROJECT" != "ubuntu-oci" ]; then
                     	# ubuntu-minimal is too much for a docker container (it contains
                     	# systemd and other things)
 	                cat >> chroot/usr/local/sbin/unminimize <<'EOF'
@@ -438,6 +457,15 @@ serial: $BUILDSTAMP
 EOF
 		fi
 
+		if [ "$PROJECT" = "ubuntu-oci" ]; then
+			if [ -n "$BUILDSTAMP" ]; then
+				configure_oci chroot "$BUILDSTAMP"
+			else
+				echo "The \$BUILDSTAMP variable is empty"
+				exit 1
+			fi
+		fi
+
 		configure_network_manager
 
 		echo "===== Checking size of /usr/share/doc ====="
@@ -450,6 +478,18 @@ EOF
 		clean_debian_chroot
 	fi
 
+	# XXX: Terrible last-minute hack to work-around issue LP: #2008082 !
+	#  This basically needs to be done better, we simply need to make sure
+	#  that we don't update the cache after lb cleans up. Since identifying
+	#  that might take a moment, for now, for flavors that are generally
+	#  affected by this, we manually clear out the archive-related Packages
+	#  files in the cache.
+	case $PROJECT in
+		ubuntu|xubuntu|kubuntu|ubuntu-budgie|ubuntukylin|ubuntu-mate|ubuntustudio)
+			rm -f chroot/var/lib/apt/lists/*ubuntu.com*_Packages
+			;;
+	esac
+
 	if [ -n "${PASSES}" ]; then
 		PATH="config/:$PATH" lb binary_layered "$@"
 	else
@@ -823,9 +863,18 @@ for FLAVOUR in $LB_LINUX_FLAVOURS; do
 		virtual|generic-hwe-*)
 			FLAVOUR="generic"
 			;;
+		lowlatency-hwe-*)
+			FLAVOUR="lowlatency"
+			;;
 		oem-*)
 			FLAVOUR="oem"
 			;;
+		image-intel)
+			FLAVOUR="intel"
+			;;
+		intel-iotg*)
+			FLAVOUR="intel-iotg"
+			;;
 	esac
 	KVERS="$( (cd "binary/$INITFS"; ls vmlinu?-* 2>/dev/null || true) | (fgrep -v .efi || true) | sed -n "s/^vmlinu.-\\([^-]*-[^-]*-$FLAVOUR\\)$/\\1/p" )"
 	if [ -z "$KVERS" ]; then

live-build/auto/config

@@ -280,7 +280,7 @@ if [ -z "${IMAGEFORMAT:-}" ]; then
 	case $PROJECT:${SUBPROJECT:-} in
 		ubuntu-cpc:*|ubuntu:desktop-preinstalled)
 			case $SUBARCH in
-				raspi|imx6)
+				raspi|imx6|intel-iot)
 					IMAGEFORMAT=ubuntu-image
 					;;
 				*)
@@ -320,6 +320,8 @@ case $IMAGEFORMAT in
 	ubuntu-image)
 		UBUNTU_IMAGE_ARGS=""
 		case "$ARCH+${SUBARCH:-}" in
+			amd64+intel-iot)
+				MODEL=intel-iot ;;
 			amd64+*)
 				MODEL=pc-amd64 ;;
 			i386+*)
@@ -359,8 +361,10 @@ case $IMAGEFORMAT in
 			CHANNEL="${CHANNEL:-edge}"
 			case $MODEL in
 				pc-amd64|pc-i386)
-					[ -z "${SUBARCH:-}" ] \
+					if [ -z "${SUBARCH:-}" ]; then
-					&& UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS --image-size 3700M"
+						# This is to make sure there's enough writable space
+						UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS --image-size 3700M"
+					fi
 					;;
 				*) ;;
 			esac
@@ -375,7 +379,9 @@ case $IMAGEFORMAT in
 					UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
 					;;
 				*)
-					UBUNTU_IMAGE_ARGS="--image-size 10G"
+					if [ "${MODEL}" = "pi" ]; then
+						MODEL=pi-armhf
+					fi
 					# Ubuntu Core 20
 					# Currently uc20 assertions do not support global
 					# channel overrides, instead we have per-channel models
@@ -386,6 +392,15 @@ case $IMAGEFORMAT in
 						candidate|beta|edge|dangerous)
 							MODEL="ubuntu-core-20-${MODEL#pc-}-${CHANNEL}"
 							;;
+						dangerous-*)
+							# That being said, the dangerous grade *does*
+							# support channel overrides, so we can use the
+							# dangerous model assertion and override the channel
+							# freely.
+							MODEL="ubuntu-core-20-${MODEL#pc-}-dangerous"
+							CHANNEL=${CHANNEL#dangerous-}
+							UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
+							;;
 						*)
 							echo "Unknown CHANNEL ${CHANNEL} specification for ${SUITE}"
 							exit 1
@@ -414,24 +429,24 @@ case $IMAGEFORMAT in
 			# classic images
 
 			# Certain models have different names but are built from the same source gadget tree
-			BRANCH=18
+			BRANCH=classic
 			case $MODEL in
 				pi-arm64|pi3-arm64)
 					MODEL=pi
-					BRANCH=18-arm64
 					;;
-				pi)
+				intel-iot)
-					BRANCH=18-armhf
+					MODEL=pc
 					;;
 			esac
 
+			UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS${SUBPROJECT:+ --subproject \"$SUBPROJECT\"}"
 			UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS${PROPOSED:+ --with-proposed}"
 			UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS${EXTRA_PPAS:+ --extra-ppas \"$EXTRA_PPAS\"}"
 
 			# We need to look in two places for the gadget tree:
 			# - Launchpad hosted gadgets will be in the snap-gadget repo
 			# - Github hosted gadgets are mirrored into a github-mirror repo
-			git clone git://git.launchpad.net/~canonical-foundations/snap-$MODEL/+git/snap-$MODEL -b $BRANCH config/$PREFIX-gadget || git clone git://git.launchpad.net/~canonical-foundations/snap-$MODEL/+git/github-mirror -b $BRANCH config/$PREFIX-gadget
+			git clone git://git.launchpad.net/~canonical-foundations/snap-$MODEL/+git/snap-$MODEL -b $BRANCH config/$PREFIX-gadget || git clone git://git.launchpad.net/~canonical-foundations/snap-$MODEL/+git/github-mirror -b $BRANCH config/$PREFIX-gadget || git clone git://git.launchpad.net/~canonical-foundations/snap-$MODEL/+git/github-mirror-$ARCH -b $BRANCH config/$PREFIX-gadget
 
 			echo "IMAGEFORMAT=$IMAGEFORMAT" >> config/common
 			echo "SUITE=$SUITE" >> config/common
@@ -493,7 +508,7 @@ if [ "$PREINSTALLED" = "true" ]; then
 		ubuntu-server)
 			add_package live oem-config-debconf ubiquity-frontend-debconf
 			;;
-		ubuntu-core|ubuntu-base|base|ubuntu-cpc)
+		ubuntu-core|ubuntu-base|ubuntu-oci|base|ubuntu-cpc)
 			;;
 		ubuntu)
 			add_package live oem-config-gtk ubiquity-frontend-gtk
@@ -577,11 +592,31 @@ case $PROJECT in
 				remove_packages_from_seed_regexp minimal.standard desktop-default-languages '^desktop-(?!default-languages|minimal|common)[^.]+$'
 				remove_packages_from_seed_regexp minimal.standard desktop-default-languages ''  # none (if no default langpack is selected)
 				;;
+
+			desktop-preinstalled)
+				add_task install minimal standard ubuntu-desktop
+				if [ "$SUBARCH" = "intel-iot" ]; then
+					# Since for non-pi we don't have any seeds yet but we want to be able to
+					# grow the rootfs, manually install cloud-initramfs-growroot during build
+					add_package install cloud-initramfs-growroot
+				    	KERNEL_FLAVOURS='intel-iotg-edge'
+					COMPONENTS='main restricted'
+					OPTS="${OPTS:+$OPTS }--initramfs=none"
+					OPTS="${OPTS:+$OPTS }--system=normal"
+					OPTS="${OPTS:+$OPTS }--hdd-label=cloudimg-rootfs"
+					OPTS="${OPTS:+$OPTS }--ext-resize-blocks=536870912 --ext-block-size=4096"
+					OPTS="${OPTS:+$OPTS }--ext-fudge-factor=15"
+				fi
+				;;
 			*)
 				LIVE_TASK='ubuntu-live'
 				add_task install minimal standard ubuntu-desktop
 				add_task live ubuntu-desktop-minimal-default-languages ubuntu-desktop-default-languages
 				KERNEL_FLAVOURS='generic-hwe-20.04'
+				if [ "$SUBARCH" = "intel-iot" ]; then
+					KERNEL_FLAVOURS='intel-iotg-edge'
+					COMPONENTS='main restricted'
+				fi
 				;;
 		esac
 		;;
@@ -592,6 +627,7 @@ case $PROJECT in
 		LIVE_TASK='kubuntu-live'
 		COMPONENTS='main restricted universe'
 		add_chroot_hook remove-gnome-icon-cache
+		KERNEL_FLAVOURS='generic-hwe-20.04'
 		;;
 
 	kubuntu-active)
@@ -624,9 +660,7 @@ case $PROJECT in
 		add_package install xterm
 		LIVE_TASK='xubuntu-live'
 		COMPONENTS='main restricted universe multiverse'
-		case $ARCH in
+		KERNEL_FLAVOURS='generic-hwe-20.04'
-			amd64|i386)	KERNEL_FLAVOURS=generic ;;
-		esac
 		;;
 
 	ubuntu-netbook)
@@ -644,9 +678,7 @@ case $PROJECT in
 		add_task install minimal standard lubuntu-desktop
 		LIVE_TASK='lubuntu-live'
 		COMPONENTS='main restricted universe multiverse'
-		case $ARCH in
+		KERNEL_FLAVOURS='generic-hwe-20.04'
-			amd64|i386)	KERNEL_FLAVOURS=generic ;;
-		esac
 		;;
 
 	ubuntu-gnome)
@@ -659,20 +691,37 @@ case $PROJECT in
 		add_task install minimal standard ubuntu-budgie-desktop
 		LIVE_TASK='ubuntu-budgie-live'
 		COMPONENTS='main restricted universe'
+		KERNEL_FLAVOURS='generic-hwe-20.04'
 		;;
 
 	ubuntu-mate)
 		add_task install minimal standard ubuntu-mate-core ubuntu-mate-desktop
 		LIVE_TASK='ubuntu-mate-live'
 		COMPONENTS='main restricted universe multiverse'
+		KERNEL_FLAVOURS='generic-hwe-20.04'
 		;;
 
 	ubuntustudio-dvd)
 		add_task install minimal standard ubuntustudio-desktop ubuntustudio-audio ubuntustudio-fonts ubuntustudio-graphics ubuntustudio-video ubuntustudio-publishing ubuntustudio-photography
-		COMPONENTS='main restricted universe multiverse'
+		case $SUITE in
-		case $ARCH in
+			focal)
-			amd64|i386)	KERNEL_FLAVOURS=lowlatency ;;
+				# ubuntustudio-default-settings in focal
+				# release has a Recommends to this kernel,
+				# which makes it impossible to update the
+				# kernel later on, since we would install the
+				# -updates and release kernel, which isn't
+				# allowed and causes the squashfs to fail to
+				# build.  Hack out the focal-release kernel and
+				# let the rest of the build process pull in the
+				# right one. (See right below.)
+				for package in linux-lowlatency linux-image-lowlatency linux-headers-lowlatency linux-image-5.4.0-26-lowlatency linux-headers-5.4.0-26-lowlatency; do
+					sed -i "s/$/ -a --not -XFPackage ${package}/" \
+						"config/package-lists/livecd-rootfs.list.chroot_install"
+				done
+				;;
 		esac
+		COMPONENTS='main restricted universe multiverse'
+		KERNEL_FLAVOURS='lowlatency-hwe-20.04'
 		;;
 
 	ubuntukylin)
@@ -680,6 +729,7 @@ case $PROJECT in
 		add_package install ubuntukylin-default-settings
 		LIVE_TASK='ubuntukylin-live'
 		COMPONENTS='main restricted universe'
+		KERNEL_FLAVOURS='generic-hwe-20.04'
 		;;
 
 	base)
@@ -696,6 +746,10 @@ case $PROJECT in
 				;;
 		esac
 		COMPONENTS='main'
+		if [ "$SUBARCH" = "intel-iot" ]; then
+			KERNEL_FLAVOURS='intel-iotg-edge'
+			COMPONENTS='main restricted'
+		fi
 		PREINSTALL_POOL_SEEDS='server-ship'
 		;;
 
@@ -739,8 +793,7 @@ case $PROJECT in
 				add_package install grub-pc
 				;;
 			amd64)
-				add_package install grub-pc-bin
+				add_package install grub-pc
-				add_package install grub-efi-amd64-signed
 				add_package install shim-signed
 				;;
 		esac
@@ -758,21 +811,19 @@ case $PROJECT in
 		OPTS="${OPTS:+$OPTS }--bootstrap-flavour=minimal"
 		;;
 
+	ubuntu-oci)
+		OPTS="${OPTS:+$OPTS }--bootstrap-flavour=minimal"
+		;;
+
 	ubuntu-cpc)
+		KERNEL_FLAVOURS=virtual
+
 		if [ "${SUBPROJECT:-}" = minimized ]; then
 			add_task install cloud-image
 			add_package install sudo lxd-installer
-			# linux-kvm currently only exists for amd64, so fall back to the
-			# virtual flavour for other architectures
-			if [ "$ARCH" = "amd64" ]; then
-				KERNEL_FLAVOURS=kvm
-			else
-				KERNEL_FLAVOURS=virtual
-			fi
 		else
 			add_task install minimal standard cloud-image
 			add_package install ubuntu-minimal
-			KERNEL_FLAVOURS=virtual
 		        case $ARCH in
 				armhf|arm64|ppc64el|powerpc)
 					add_task install server
@@ -790,6 +841,18 @@ case $PROJECT in
 			arm64)
 				add_package install flash-kernel
 				;;
+			amd64*)
+				if [ "${SUBARCH:-}" = "intel-iot" ]; then
+					KERNEL_FLAVOURS=intel-iotg-edge
+					COMPONENTS='main restricted'
+					OPTS="${OPTS:+$OPTS }--initramfs=none"
+				fi
+				;;
+			riscv64)
+				if [ -n "$SUBARCH" ]; then
+					KERNEL_FLAVOURS=generic
+				fi
+				;;
 		esac
 		OPTS="${OPTS:+$OPTS }--system=normal"
 		OPTS="${OPTS:+$OPTS }--hdd-label=cloudimg-rootfs"
@@ -858,7 +921,7 @@ if [ "$PROJECT:${SUBPROJECT:-}" = ubuntu-cpc:minimized ]; then
 	# build if we see such a snap.
 	for snap in `cat config/seeded-snaps`; do
 		case $snap in
-			lxd)
+			lxd | lxd=*)
 				;;
 			*)
 				echo "Unexpected seeded snap for ubuntu-cpc:minimized build: $snap"
@@ -925,7 +988,7 @@ case $ARCH in
 esac
 
 case $PROJECT:${SUBPROJECT:-} in
-	ubuntu-server:*|ubuntu-base:*)
+	ubuntu-server:*|ubuntu-base:*|ubuntu-oci:*)
 		OPTS="${OPTS:+$OPTS }--linux-packages=none --initramfs=none"
 		KERNEL_FLAVOURS=none
 		BINARY_REMOVE_LINUX=false
@@ -944,6 +1007,15 @@ case $PROJECT in
 	_)
 		add_chroot_hook remove-python-py
 		;;
+	amd64)
+		KERNEL_FLAVOURS="${SUBARCH:-$KERNEL_FLAVOURS}"
+		case $SUBARCH in
+			intel-iot)
+				COMPONENTS='main restricted'
+				KERNEL_FLAVOURS='intel-iotg-edge'
+				;;
+		esac
+		;;
 esac
 
 lb config noauto \
@@ -992,7 +1064,7 @@ echo "SUBPROJECT=\"${SUBPROJECT:-}\"" >> config/binary
 echo "LB_DISTRIBUTION=\"$SUITE\"" >> config/binary
 
 case $PROJECT in
-  ubuntu-cpc|ubuntu-core|ubuntu-base|base)
+  ubuntu-cpc|ubuntu-core|ubuntu-base|ubuntu-oci|base)
     # ubuntu-cpc gets this added in 025-create-groups.chroot, and we do
     # not want this group in projects that are effectively just chroots
     ;;
@@ -1086,6 +1158,26 @@ EOF
 		;;
 esac
 
+if [ $PROJECT = ubuntu ]; then
+	cat > config/hooks/001-active-directory.chroot <<EOF
+#!/bin/sh
+
+set -e
+
+echo "I: Adding dependencies for Active Directory support (Workaround LP: #1921862)"
+
+apt-get -y update
+
+apt-get -y install sssd realmd adcli krb5-config
+
+echo "I: Removing /var/lib/apt/lists/*"
+find /var/lib/apt/lists/ -type f | xargs rm -f
+
+echo "I: Removing /var/cache/apt/*.bin"
+rm -f /var/cache/apt/*.bin/
+EOF
+fi
+
 if [ $PROJECT = ubuntu-server ] && [ "${SUBPROJECT:-}" != live ]; then
 	cat > config/hooks/100-remove-fstab.chroot <<EOF
 #! /bin/sh

live-build/buildd/hooks/02-disk-image-uefi.binary

@@ -1,7 +1,7 @@
 #!/bin/bash -eux
 
 case $ARCH in
-    amd64)
+    amd64|arm64)
         ;;
     *)
         echo "We don't create EFI images for $ARCH."
@@ -49,7 +49,7 @@ create_and_mount_uefi_partition() {
     mount "${uefi_dev}" "$mountpoint"/boot/efi
 
     cat << EOF >> "mountpoint/etc/fstab"
-LABEL=UEFI	/boot/efi	vfat	defaults	0 0
+LABEL=UEFI	/boot/efi	vfat	defaults	0 1
 EOF
 }
 
@@ -84,8 +84,7 @@ install_grub() {
             efi_target=arm-efi
             ;;
         amd64)
-            chroot mountpoint apt-get install -qqy grub-pc
+            chroot mountpoint apt-get install -qqy grub-pc shim-signed
-            chroot mountpoint apt-get install -qqy grub-efi-amd64-signed shim-signed
             efi_target=x86_64-efi
             ;;
     esac
@@ -99,23 +98,24 @@ install_grub() {
     # snap listings)
     chroot mountpoint dpkg-query -W > binary/boot/filesystem.packages
 
+    cat > mountpoint/etc/default/grub.d/50-builddimg-settings.cfg << EOF
+GRUB_DEFAULT=0
+GRUB_HIDDEN_TIMEOUT=0.1
+GRUB_HIDDEN_TIMEOUT_QUIET=true
+GRUB_TIMEOUT=0.1
+GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0"
+GRUB_RECORDFAIL_TIMEOUT=0
+GRUB_TERMINAL=console
+GRUB_DISTRIBUTOR=Ubuntu
+EOF
+
     chroot mountpoint grub-install "${loop_device}" \
         --boot-directory=/boot \
         --efi-directory=/boot/efi \
         --target=${efi_target} \
-        --removable \
         --uefi-secure-boot \
         --no-nvram
 
-    if [ -f mountpoint/boot/efi/EFI/BOOT/grub.cfg ]; then
-        sed -i "s| root| root hd0,gpt1|" mountpoint/boot/efi/EFI/BOOT/grub.cfg
-        sed -i "1i${IMAGE_STR}" mountpoint/boot/efi/EFI/BOOT/grub.cfg
-        # For some reason the grub disk is looking for /boot/grub/grub.cfg on
-        # part 15....
-        chroot mountpoint mkdir -p /boot/efi/boot/grub
-        chroot mountpoint cp /boot/efi/EFI/BOOT/grub.cfg /boot/efi/boot/grub
-    fi
-
     if [ "$ARCH" = "amd64" ]; then
         # Install the BIOS/GPT bits. Since GPT boots from the ESP partition,
         # it means that we just run this simple command and we're done

live-build/buildd/hooks/50-buildd-tar.binary

@@ -4,6 +4,10 @@
 # ourselves.
 set -e
 
+. config/functions
+
+create_manifest chroot "livecd.$PROJECT.rootfs.manifest"
+
 # gzip was chosen for fastest decompression speed: it decompresses buildd
 # chroots about twice as fast as xz and about five times as fast as bzip2.
 tar --transform='s,^chroot,chroot-autobuild,' --sort=name --numeric-owner \

live-build/buildd/hooks/51-buildd-lxd.binary

@@ -3,12 +3,16 @@
 set -e
 
 . config/bootstrap
+. config/functions
 
 TMPDIR="$(mktemp -d)"
 config/make-lxd-metadata "${LB_DISTRIBUTION%-*}" "$ARCH" \
 	>"$TMPDIR/metadata.yaml"
 tar --numeric-owner -cf "livecd.$PROJECT.lxd.tar" -C "$TMPDIR" metadata.yaml
 rm -rf "$TMPDIR"
+
+create_manifest chroot "livecd.$PROJECT.lxd.manifest"
+
 # When using the combined metadata/rootfs form, the rootfs must be under
 # rootfs/ rather than under chroot-autobuild/.
 tar --transform='s,^chroot,rootfs,' --sort=name --numeric-owner \

live-build/buildd/hooks/52-linux-virtual-image.binary

@@ -5,7 +5,7 @@
 #
 
 case $ARCH in
-    amd64)
+    amd64|arm64)
         ;;
     *)
         echo "We don't build bootable Buildd images for $ARCH."
@@ -39,9 +39,13 @@ trap cleanup_linux_virtual EXIT
 # Install dependencies
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
     update --assume-yes
+# Perform a dist-upgrade to pull in package updates
+env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
+    dist-upgrade --assume-yes
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
     install -y lsb-release locales initramfs-tools busybox-initramfs \
-               udev dbus netplan.io cloud-init openssh-server sudo snapd
+               udev dbus netplan.io cloud-init openssh-server sudo snapd \
+               lxd-agent-loader
 
 # Install a kernel
 divert_grub "$mount_d"
@@ -53,8 +57,11 @@ chroot "$mount_d" update-grub
 undivert_grub "$mount_d"
 
 # Update initramfs image
-chroot "$mount_d" \
+chroot "$mount_d" update-initramfs -c -v -k all
-    sh -c 'update-initramfs -c -v -k $(ls /boot/vmlinuz*generic | sed 1q | cut -d- -f2-3)'
+
+# extract kernel and initrd
+cp $mount_d/boot/initrd.img-* livecd.$PROJECT.initrd-generic
+cp $mount_d/boot/vmlinuz-* livecd.$PROJECT.vmlinuz-generic
 
 # Cleanup
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \

live-build/cidata/meta-data.sample

@@ -0,0 +1,8 @@
+# NB! This is a sample, copy to "meta-data" and modify to take effect
+# NB! Also see user-data.sample and network-config.sample
+
+# This is the meta-data configuration file for cloud-init. Typically this just
+# contains the instance_id. Please refer to the cloud-init documentation for
+# more information:
+#
+# https://cloudinit.readthedocs.io/

live-build/cidata/network-config.sample

@@ -0,0 +1,52 @@
+# NB! This is a sample, copy to "network-config" and mofiy to take effect
+# NB! Also see user-data.sample and meta-data.sample
+
+# This file contains a netplan-compatible configuration which cloud-init will
+# apply on first-boot (note: it will *not* update the config after the first
+# boot). Please refer to the cloud-init documentation and the netplan reference
+# for full details:
+#
+# https://cloudinit.readthedocs.io/en/latest/topics/network-config.html
+# https://cloudinit.readthedocs.io/en/latest/topics/network-config-format-v2.html
+# https://netplan.io/reference
+#
+# Please note that the YAML format employed by this file is sensitive to
+# differences in whitespace; if you are editing this file in an editor (like
+# Notepad) which uses literal tabs, take care to only use spaces for
+# indentation. See the following link for more details:
+#
+# https://en.wikipedia.org/wiki/YAML
+#
+#
+# The image has stock nocloud-net configuration that will attemp dhcp
+# v4 on all ethernet devices, similar to zz-all-en / zz-all-eth
+# stanzas below. Hence this file is optional.
+#
+#version: 2
+#ethernets:
+#  zz-all-en:
+#    match:
+#      name: "en*"
+#    dhcp4: true
+#    optional: true
+#  zz-all-eth:
+#    match:
+#      name: "eth*"
+#    dhcp4: true
+#    optional: true
+#wifis:
+#  wlan0:
+#    dhcp4: true
+#    optional: true
+#    access-points:
+#      myhomewifi:
+#        password: "S3kr1t"
+#      myworkwifi:
+#        password: "correct battery horse staple"
+#      workssid:
+#        auth:
+#          key-management: eap
+#          method: peap
+#          identity: "me@example.com"
+#          password: "passw0rd"
+#          ca-certificate: /etc/my_ca.pem

live-build/cidata/user-data.sample

@@ -0,0 +1,84 @@
+#cloud-config
+
+# NB! This is a sample, copy to "user-data" and modify to take effect
+
+# NB! meta-data is required too! See "meta-data.sample"
+
+# NB! For networking see "network-config.sample"
+
+# This is the user-data configuration file for cloud-init. This image
+# has a default nocloud-net metadata available on the first
+# partition. By default it sets up an initial user called "ubuntu"
+# with password "ubuntu", which must be changed at first
+# login. However, one can override and provide many additional actions
+# to be initiated on first boot from this file. The cloud-init
+# documentation has more details: https://cloudinit.readthedocs.io/
+# Some additional examples are provided in comments below the default
+# configuration.
+
+# On first boot, set the (default) ubuntu user's password to "ubuntu" and
+# expire user passwords
+#chpasswd:
+#  expire: true
+#  list:
+#  - ubuntu:ubuntu
+
+# Enable password authentication with the SSH daemon
+#ssh_pwauth: true
+
+## On first boot, use ssh-import-id to give the specific users SSH access to
+## the default user
+#ssh_import_id:
+#- lp:my_launchpad_username
+#- gh:my_github_username
+
+## Add users and groups to the system, and import keys with the ssh-import-id
+## utility
+#groups:
+#- robot: [robot]
+#- robotics: [robot]
+#
+#users:
+#- default
+#- name: robot
+#  gecos: Mr. Robot
+#  primary_group: robot
+#  groups: users
+#  ssh_import_id: foobar
+#  lock_passwd: false
+#  passwd: $5$hkui88$nvZgIle31cNpryjRfO9uArF7DYiBcWEnjqq7L1AQNN3
+
+## Update apt database and upgrade packages on first boot
+#package_update: true
+#package_upgrade: true
+
+## Install additional packages on first boot
+#packages:
+#- pwgen
+#- pastebinit
+#- [libpython2.7, 2.7.3-0ubuntu3.1]
+
+## Write arbitrary files to the file-system (including binaries!)
+#write_files:
+#- path: /etc/default/keyboard
+#  content: |
+#    # KEYBOARD configuration file
+#    # Consult the keyboard(5) manual page.
+#    XKBMODEL="pc105"
+#    XKBLAYOUT="gb"
+#    XKBVARIANT=""
+#    XKBOPTIONS="ctrl: nocaps"
+#  permissions: '0644'
+#  owner: root:root
+#- encoding: gzip
+#  path: /usr/bin/hello
+#  content: !!binary |
+#    H4sIAIDb/U8C/1NW1E/KzNMvzuBKTc7IV8hIzcnJVyjPL8pJ4QIA6N+MVxsAAAA=
+#  owner: root:root
+#  permissions: '0755'
+
+## Run arbitrary commands at rc.local like time
+#runcmd:
+#- [ ls, -l, / ]
+#- [ sh, -xc, "echo $(date) ': hello world!'" ]
+#- [ wget, "http://ubuntu.com", -O, /run/mydir/index.html ]

live-build/functions

@@ -46,6 +46,10 @@ create_empty_disk_image() {
 create_manifest() {
     local chroot_root=${1}
     local target_file=${2}
+    local base_default_sbom_name="ubuntu-cloud-image-$(grep "VERSION_ID" $chroot_root/etc/os-release | cut --delimiter "=" --field 2 | tr -d '"')-${ARCH}-$(date +%Y%m%dT%H:%M:%S)"
+    local sbom_file_name=${3:-"${base_default_sbom_name}.spdx"}
+    local sbom_document_name=${4:-"${base_default_sbom_name}"}
+    local sbom_log=${sbom_document_name}.log
     echo "create_manifest chroot_root: ${chroot_root}"
     dpkg-query --show --admindir="${chroot_root}/var/lib/dpkg" > ${target_file}
     echo "create_manifest call to dpkg-query finished."
@@ -54,7 +58,23 @@ create_manifest() {
     if [ "$PROJECT" = ubuntu-cpc ]; then
         echo "create_manifest creating file listing."
         local target_filelist=${2%.manifest}.filelist
-        (cd "${chroot_root}" && find -xdev) > "${target_filelist}"
+        (cd "${chroot_root}" && find -xdev) | sort > "${target_filelist}"
+        # only creating sboms for CPC project at this time
+        if [[ ! $(which cpc-sbom) ]]; then
+            # ensure the tool is installed
+            sudo snap install --classic --edge cpc-sbom
+        fi
+        # generate the SBOM
+        cpc-sbom --rootdir ${chroot_root} --ignore-copyright-parsing-errors --ignore-copyright-file-not-found-errors --document-name ${sbom_document_name} >"${sbom_file_name}" 2>"${sbom_log}"
+        SBOM_GENERATION_EXIT_CODE=$?
+        if [[ ${SBOM_GENERATION_EXIT_CODE} !=  "0" ]]; then
+        # check for failure and print log
+            echo "ERROR: SBOM generation failed. See ${sbom_log}"
+            cat "$sbom_log"
+            exit 1
+        else
+            echo "SBOM generation succeeded. see ${sbom_log} for details"
+        fi    
     fi
     echo "create_manifest finished"
 }
@@ -96,14 +116,25 @@ mount_image() {
 setup_mountpoint() {
     local mountpoint="$1"
 
+    if [ ! -c /dev/mem ]; then
+        mknod -m 660 /dev/mem c 1 1
+        chown root:kmem /dev/mem
+    fi
+
     mount --rbind /dev "$mountpoint/dev"
     mount proc-live -t proc "$mountpoint/proc"
     mount sysfs-live -t sysfs "$mountpoint/sys"
+    mount securityfs -t securityfs "$mountpoint/sys/kernel/security"
+    # Provide more up to date apparmor features, matching target kernel
+    mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "$mountpoint/sys/kernel/security/apparmor/features/"
+    mount -o bind /usr/share/livecd-rootfs/live-build/seccomp/generic.actions_avail "$mountpoint/proc/sys/kernel/seccomp/actions_avail"
     mount -t tmpfs none "$mountpoint/tmp"
-    mount -t tmpfs none "$mountpoint/var/lib/apt"
+    mount -t tmpfs none "$mountpoint/var/lib/apt/lists"
     mount -t tmpfs none "$mountpoint/var/cache/apt"
     mv "$mountpoint/etc/resolv.conf" resolv.conf.tmp
     cp /etc/resolv.conf "$mountpoint/etc/resolv.conf"
+    mv "$mountpoint/etc/nsswitch.conf" nsswitch.conf.tmp
+    sed 's/systemd//g' nsswitch.conf.tmp > "$mountpoint/etc/nsswitch.conf"
     chroot "$mountpoint" apt-get update
 
 }
@@ -121,6 +152,7 @@ teardown_mountpoint() {
         umount $submount
     done
     mv resolv.conf.tmp "$mountpoint/etc/resolv.conf"
+    mv nsswitch.conf.tmp "$mountpoint/etc/nsswitch.conf"
 }
 
 mount_partition() {
@@ -188,6 +220,8 @@ umount_partition() {
     mount --make-private $mountpoint
     umount $mountpoint
     udevadm settle
+    # workaround for LP: 1960537
+    sleep 30 
 
     if [ -n "${rootfs_dev_mapper}" -a -b "${rootfs_dev_mapper}" ]; then
         # buildd's don't have /etc/mtab symlinked
@@ -230,28 +264,46 @@ modify_vmdk_header() {
 
     # Extract the vmdk header for manipulation
     dd if="${vmdk_name}" of="${descriptor}" bs=1 skip=512 count=1024
+    echo "Cat'ing original vmdk disk descriptor to console for debugging."
+    # cat header so we are aware of the original descriptor for debugging
+    cat $descriptor
+
+    # trim null bytes to treat as standard text file
+    tr -d '\000' < $descriptor > $newdescriptor
 
-    # The sed lines below is where the magic is. Specifically:
-    #   ddb.toolsVersion: sets the open-vm-tools so that VMware shows
-    #       the tooling as current
-    #   ddb.virtualHWVersion: set the version to 7, which covers most
-    #       current versions of VMware
-    #   createType: make sure its set to stream Optimized
     #   remove the vmdk-stream-converter comment and replace with
     #       # Disk DescriptorFile. This is needed for Virtualbox
     #   remove the comments from vmdk-stream-converter which causes
     #       VirtualBox and others to fail VMDK validation
-
+    sed -i -e 's|# Description file.*|# Disk DescriptorFile|' \
-    sed -e 's|# Description file.*|# Disk DescriptorFile|' \
         -e '/# Believe this is random*/d' \
         -e '/# Indicates no parent/d' \
         -e '/# The Disk Data Base/d' \
-        -e 's|ddb.comment.*|ddb.toolsVersion = "2147483647"|' \
+            ${newdescriptor}
-            "${descriptor}" > "${newdescriptor}"
 
-    # The header is cannot be bigger than 1024
+    # add newline to newdescriptor
-    expr $(stat --format=%s ${newdescriptor}) \< 1024 > /dev/null 2>&1 || {
+    echo "" >> $newdescriptor
-        echo "descriptor is too large, VMDK will be invalid!"; exit 1; }
+
+    # add required tools version
+    echo -n 'ddb.toolsVersion = "2147483647"' >> $newdescriptor
+
+    echo "Cat'ing modified descriptor for debugging."
+    cat $newdescriptor
+
+    # diff original descriptor and new descriptor for debugging
+    # diff exits 1 if difference. pipefail not set so piping diff
+    # to cat prints diff and swallows exit 1
+    echo "Printing diff of original and new descriptors."
+    diff --text $descriptor $newdescriptor | cat
+
+    # The header must be 1024 or less before padding
+    if ! expr $(stat --format=%s ${newdescriptor}) \< 1025 > /dev/null 2>&1; then
+        echo "descriptor is too large, VMDK will be invalid!"; 
+        exit 1
+    fi
+
+    # reset newdescriptor to be 1024
+    truncate --no-create --size=1K $newdescriptor
 
     # Overwrite the vmdk header with our new, modified one
     dd conv=notrunc,nocreat \
@@ -356,7 +408,9 @@ undivert_grub() {
 		--divert /etc/grub.d/30_os-prober.dpkg-divert \
 		--rename /etc/grub.d/30_os-prober
 
+	if grep -q "^exit 1$" "$CHROOT_ROOT"/usr/bin/systemd-detect-virt; then
 		rm "$CHROOT_ROOT"/usr/bin/systemd-detect-virt
+	fi
 	chroot "$CHROOT_ROOT" dpkg-divert --remove --local \
 		--rename /usr/bin/systemd-detect-virt
 }
@@ -520,12 +574,25 @@ _snap_preseed() {
                 exit 1
             fi
 
-            local core_snap=$(echo "$snap_info" | grep '^base:' | awk '{print $2}')
+            local snap_type=$(echo "$snap_info" | awk '/^type:/ { print $2 }')
 
-            # If snap info does not list a base use 'core'
+            if [ "$snap_type" != base ]; then
+                local core_snap=$(echo "$snap_info" | awk '/^base:/ {print $2}')
+
+                # If snap info does not list a base the default is 'core'
+                # which is now an error to use.
+                if [ -z "$core_snap" ]; then
+		    if [ -z "$ALLOW_CORE_SNAP" ]; then
+			echo "Legacy snap with no base declaration found, refusing to install 'core' snap"
+			exit 1
+		    else
+			echo "Legacy snap with no base declaration found, but \$ALLOW_CORE_SNAP set. continue (but FIX YOUR SNAPS!)"
 			core_snap=${core_snap:-core}
+		    fi
+                fi
 
                 _snap_preseed $CHROOT_ROOT $core_snap stable
+            fi
             ;;
     esac
 
@@ -626,11 +693,31 @@ snap_prepare() {
 snap_preseed() {
     # Preseed a snap in the image (snap_prepare must be called once prior)
     local CHROOT_ROOT=$1
+    # $2 can be in the form of snap_name/classic=track/risk/branch
     local SNAP=$2
+    # strip CHANNEL specification
+    SNAP=${SNAP%=*}
+    # strip /classic confinement
     local SNAP_NAME=${SNAP%/*}
-    # Per Ubuntu policy, all seeded snaps (with the exception of the core
+    # Seed from the specified channel (e.g. core18 latest/stable)
-    # snap) must pull from stable/ubuntu-$(release_ver) as their channel.
+    # Or Channel endcoded in the snap name (e.g. lxd=4.0/stable/ubuntu-20.04)
-    local CHANNEL=${3:-"stable/ubuntu-$(release_ver)"}
+    # Or Ubuntu policy default channel latest/stable/ubuntu-$(release_ver)
+    local CHANNEL=${3:-}
+    if [ -z "$CHANNEL" ]; then
+        case $2 in
+            *=*)
+                CHANNEL=${2#*=}
+                ;;
+            *)
+                CHANNEL="stable/ubuntu-$(release_ver)"
+                ;;
+        esac
+    fi
+
+    # At this point:
+    # SNAP_NAME is just the snap name
+    # SNAP is either $SNAP_NAME or $SNAP_NAME/classic for classic confined
+    # CHANNEL is the channel
 
     if [ ! -e "$CHROOT_ROOT/var/lib/snapd/seed/assertions/model" ]; then
         echo "ERROR: Snap model assertion not present, snap_prepare must be called"
@@ -659,9 +746,43 @@ snap_preseed() {
 
 snap_validate_seed() {
     local CHROOT_ROOT=$1
+    local kern_major_min=undefined
+    local boot_filename=undefined
+
+    # ppc64el still uses /boot/vmlinux so we need to determine the boot file name as non ppc64el use /boot/vmlinuz
+    # We don't need to query the arch as we can use existence of the file to determine the boot file name. Both
+    # will never be present at the same time.
+    if [ -e ${CHROOT_ROOT}/boot/vmlinuz ]; then
+        boot_filename=vmlinuz
+    elif [ -e ${CHROOT_ROOT}/boot/vmlinux ]; then
+        boot_filename=vmlinux
+    fi
+    if [ ${boot_filename} != undefined ]; then  # we have a known boot file so we can proceed with checking for features to mount
+        kern_major_min=$(readlink --canonicalize --no-newline ${CHROOT_ROOT}/boot/${boot_filename} | grep  --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
+        if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then
+            # if an Ubuntu version has different kernel apparmor features between LTS and HWE kernels
+            # a snap pre-seeding issue can occur, where the incorrect apparmor features are reported
+            # basic copy of a directory structure overriding the "generic" feature set
+            # which is tied to the LTS kernel
+    
+            # Bind kernel apparmor directory to feature directory for snap preseeding
+            umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+            mount --bind /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+        fi
+    fi 
     
     if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
         snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
+        /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
+        /usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}")
+        chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose  -j `nproc` /etc/apparmor.d
+    fi
+    
+    # Unmount kernel specific apparmor feature
+    # mount generic apparmor feature again (cleanup)
+    if [ -d /build/config/hooks.d/extra/apparmor/${kern_major_min} ]; then
+        umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+        mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
     fi
 }
 
@@ -747,7 +868,7 @@ clean_debian_chroot() {
     rm -f chroot/var/cache/debconf/*-old chroot/var/lib/dpkg/*-old
     Chroot chroot apt clean
     # For the docker images we remove even more stuff.
-    if [ "${PROJECT}:${SUBPROJECT:-}" = "ubuntu-base:minimized" ]; then
+    if [ "${PROJECT}:${SUBPROJECT:-}" = "ubuntu-base:minimized" ] || [ "${PROJECT}:${SUBPROJECT:-}" = "ubuntu-oci:minimized" ]; then
         # Remove apt lists (that are currently removed downstream
         # anyway)
         rm -rf chroot/var/lib/apt/lists/*
@@ -820,6 +941,76 @@ EOF
 fi
 }
 
+configure_oci() {
+    # configure a chroot to be a OCI/docker container
+    # theses changes are taken from the current Dockerfile modifications done
+    # at https://github.com/tianon/docker-brew-ubuntu-core/blob/master/update.sh
+
+    local chroot=$1
+    local serial=$2
+
+    if [ ! -d "${chroot}" ]; then
+        echo "The chroot does not exist"
+        exit 1
+    fi
+
+    echo "==== Configuring OCI ===="
+
+    # https://github.com/docker/docker/blob/9a9fc01af8fb5d98b8eec0740716226fadb3735c/contrib/mkimage/debootstrap#L40-L48
+    echo '#!/bin/sh' > ${chroot}/usr/sbin/policy-rc.d
+    echo 'exit 101' >> ${chroot}/usr/sbin/policy-rc.d
+    Chroot ${chroot} "chmod +x /usr/sbin/policy-rc.d"
+
+
+    # Inject a build stamp into the image
+    mkdir -p ${chroot}/etc/cloud
+    cat > ${chroot}/etc/cloud/build.info << EOF
+serial: $serial
+EOF
+
+
+    # https://github.com/docker/docker/blob/9a9fc01af8fb5d98b8eec0740716226fadb3735c/contrib/mkimage/debootstrap#L54-L56
+    Chroot ${chroot} "dpkg-divert --local --rename --add /sbin/initctl"
+    cp -a ${chroot}/usr/sbin/policy-rc.d ${chroot}/sbin/initctl
+    sed -i 's/^exit.*/exit 0/' ${chroot}/sbin/initctl
+
+    # https://github.com/docker/docker/blob/9a9fc01af8fb5d98b8eec0740716226fadb3735c/contrib/mkimage/debootstrap#L71-L78
+    echo 'force-unsafe-io' > ${chroot}/etc/dpkg/dpkg.cfg.d/docker-apt-speedup
+
+    # https://github.com/docker/docker/blob/9a9fc01af8fb5d98b8eec0740716226fadb3735c/contrib/mkimage/debootstrap#L85-L105
+    echo 'DPkg::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; };' > ${chroot}/etc/apt/apt.conf.d/docker-clean
+
+    echo 'APT::Update::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; };' >> ${chroot}/etc/apt/apt.conf.d/docker-clean
+
+    echo 'Dir::Cache::pkgcache ""; Dir::Cache::srcpkgcache "";' >> ${chroot}/etc/apt/apt.conf.d/docker-clean
+
+    # https://github.com/docker/docker/blob/9a9fc01af8fb5d98b8eec0740716226fadb3735c/contrib/mkimage/debootstrap#L109-L115
+    echo 'Acquire::Languages "none";' > ${chroot}/etc/apt/apt.conf.d/docker-no-languages
+
+    # https://github.com/docker/docker/blob/9a9fc01af8fb5d98b8eec0740716226fadb3735c/contrib/mkimage/debootstrap#L118-L130
+    echo 'Acquire::GzipIndexes "true"; Acquire::CompressionTypes::Order:: "gz";' > ${chroot}/etc/apt/apt.conf.d/docker-gzip-indexes
+
+    # https://github.com/docker/docker/blob/9a9fc01af8fb5d98b8eec0740716226fadb3735c/contrib/mkimage/debootstrap#L134-L151
+    echo 'Apt::AutoRemove::SuggestsImportant "false";' > ${chroot}/etc/apt/apt.conf.d/docker-autoremove-suggests
+
+    # delete all the apt list files since they're big and get stale quickly
+    rm -rf ${chroot}/var/lib/apt/lists/*
+
+    # verify that the APT lists files do not exist
+    Chroot chroot "apt-get indextargets" > indextargets.out
+    [ ! -s indextargets.out ]
+    rm indextargets.out
+    # (see https://bugs.launchpad.net/cloud-images/+bug/1699913)
+
+    # make systemd-detect-virt return "docker"
+    # See: https://github.com/systemd/systemd/blob/aa0c34279ee40bce2f9681b496922dedbadfca19/src/basic/virt.c#L434
+    mkdir -p ${chroot}/run/systemd
+    echo 'docker' > ${chroot}/run/systemd/container
+
+    rm -rf ${chroot}/var/cache/apt/*.bin
+    echo "==== Configuring OCI done ===="
+}
+
 configure_network_manager() {
     # If the image pre-installs network-manager, let it manage all devices by
     # default. Installing NM on an existing system only manages wifi and wwan via
@@ -905,6 +1096,19 @@ is_live_layer () {
     return 1
 }
 
+setup_cidata() {
+    local cidata_dev=$1
+    local mountpoint=$(mktemp -d)
+    mkfs.vfat -F 32 -n CIDATA ${cidata_dev}
+    mount ${cidata_dev} ${mountpoint}
+    cp /usr/share/livecd-rootfs/live-build/cidata/* ${mountpoint}
+    cat >>${mountpoint}/meta-data.sample <<END
+#instance-id: iid-$(openssl rand -hex 8)
+
+END
+    umount ${mountpoint}
+}
+
 replace_kernel () { 
     mountpoint=$1
     new_kernel=$2
@@ -919,4 +1123,52 @@ replace_kernel () {
         install --assume-yes "${new_kernel}" 
     env DEBIAN_FRONTEND=noninteractive chroot "${mountpoint}" apt-get \
         autoremove --purge --assume-yes
+
+    # If running a custom kernel, we should try to boot without an initramfs
+    # We do this by setting GRUB_FORCE_PARTUUID, which forces initramfs-less boot
+    force_boot_without_initramfs ${mountpoint}
+}
+
+track_initramfs_boot_fallback() {
+    mountpoint=$1
+    cat <<END > "${mountpoint}/etc/grub.d/01_track_initrdless_boot_fallback"
+#! /bin/sh
+# ${IMAGE_STR}
+# This will detect if we attempt to boot with an initramfs and fail.
+# In the case of a failure, initrdless_boot_fallback_triggered is set to
+# a non-zero value in the grubenv. This value can be checked after boot
+# by looking in /boot/grub/grubenv or by using the grub-editenv list command.
+set -e
+END
+    cat <<"END" >> "${mountpoint}/etc/grub.d/01_track_initrdless_boot_fallback"
+cat <<"EOF"
+if [ -n "${have_grubenv}" ]; then
+  if [ -n "${initrdfail}" ]; then
+    set initrdless_boot_fallback_triggered="${initrdfail}"
+  else
+    unset initrdless_boot_fallback_triggered
+  fi
+  save_env initrdless_boot_fallback_triggered
+fi
+EOF
+END
+    chmod +x "${mountpoint}/etc/grub.d/01_track_initrdless_boot_fallback"
+}
+
+force_boot_without_initramfs() {
+    mountpoint=$1
+
+    partuuid=$(blkid -s PARTUUID -o value $(findmnt -n -o SOURCE --target "${mountpoint}"))
+    if [ -n "${partuuid}" ]; then
+        echo "Force booting without an initramfs..."
+        mkdir -p "${mountpoint}/etc/default/grub.d"
+        cat << EOF >> "${mountpoint}/etc/default/grub.d/40-force-partuuid.cfg"
+# Force boot without an initramfs by setting GRUB_FORCE_PARTUUID
+# Remove this line to enable boot with an initramfs
+GRUB_FORCE_PARTUUID=${partuuid}
+EOF
+        divert_grub "${mountpoint}"
+        chroot "${mountpoint}" update-grub
+        undivert_grub "${mountpoint}"
+    fi
 }

live-build/make-lxd-metadata.py

@@ -17,6 +17,7 @@ lxd_arches = {
     "powerpc": "ppc",
     "ppc64el": "ppc64le",
     "s390x": "s390x",
+    "riscv64": "riscv64",
     }
 
 

live-build/seccomp/generic.actions_avail

@@ -0,0 +1 @@
+kill_process kill_thread trap errno user_notif trace log allow

live-build/ubuntu-core/hooks/05-create_minimal_fstab.chroot

@@ -2,5 +2,5 @@
 
 cat >>/etc/fstab<<EOT
 # Minimal setup required for systemd to provide a r/w FS
-/dev/root	/	rootfs	defaults	0	0
+/dev/root	/	rootfs	defaults	0	1
 EOT

live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary

@@ -24,6 +24,6 @@ rm -rf $rootfs_dir/boot/grub
 # Keep this as some derivatives mount a tempfs here
 mkdir -p $rootfs_dir/lib/modules
 
-teardown_mountpoint $rootfs_dir
+create_manifest $rootfs_dir "livecd.ubuntu-cpc.rootfs.manifest" "livecd.ubuntu-cpc.rootfs.spdx"  "cloud-image-rootfs-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
 
-create_manifest "${rootfs_dir}" "${rootfs_dir}.manifest"
+teardown_mountpoint $rootfs_dir

live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary

@@ -33,6 +33,7 @@ install_grub() {
     chroot mountpoint apt-get -qqy update
     chroot mountpoint apt-get -qqy install grub-ieee1275
     chroot mountpoint apt-get -qqy remove --purge grub-legacy-ec2
+    chroot mountpoint apt-get autoremove --purge --assume-yes
 
     # set the kernel commandline to use hvc0
     mkdir -p mountpoint/etc/default/grub.d
@@ -74,6 +75,11 @@ make_ext4_partition "${rootfs_dev_mapper}"
 mkdir mountpoint
 mount "${rootfs_dev_mapper}" mountpoint
 cp -a chroot/* mountpoint/
+
+# the image has been modified from its disk-image-uefi base so the manifest and filelist should be regenerated
+# explicitly generate manifest and sbom
+create_manifest  "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx"  "cloud-image-$ARCH-$(date +Y%m%dT%H:%M:%S)"
+
 umount mountpoint
 rmdir mountpoint
 

live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary

@@ -1,7 +1,7 @@
 #!/bin/bash -eux
 
 case $ARCH in
-    amd64|arm64|armhf)
+    amd64|arm64|armhf|riscv64)
         ;;
     *)
         echo "We don't create EFI images for $ARCH."
@@ -21,6 +21,12 @@ case ${PROJECT:-} in
         ;;
 esac
 
+if [ "$ARCH" = "riscv64" ] && [ -n "${SUBARCH:-}" ]; then
+    IMAGE_SIZE=3758096384 # bump to 3.5G (3584*1024**2), due to linux-generic instead of virtual
+elif [ "$ARCH" = "armhf" ]; then
+    IMAGE_SIZE=3758096384 # bump to 3.5G (3584*1024**2), due to linux-generic instead of virtual
+fi
+
 . config/binary
 
 . config/functions
@@ -35,6 +41,38 @@ create_partitions() {
                 --typecode=15:ef00 \
                 --new=1:
             ;;
+        riscv64)
+            # same as arm64/armhf, but set bit 2 legacy bios bootable
+            # on the first partition for uboot
+            # and have two loader partitions of uboot SPL & real one
+            # and have CIDATA partition for preinstalled image
+            if [ -z "${SUBARCH:-}" ]; then
+                # cloud-image
+                sgdisk "${disk_image}" \
+                       --set-alignment=2 \
+                       --new=15::+106M \
+                       --typecode=15:ef00 \
+                       --new=1:: \
+                       --attributes=1:set:2
+            else
+                # preinstalled server, currently FU540
+                # FU740 too in the future
+                sgdisk "${disk_image}" \
+                       --set-alignment=2 \
+                       --new=13:34:2081 \
+                       --change-name=13:loader1 \
+                       --typecode=13:5B193300-FC78-40CD-8002-E86C45580B47 \
+                       --new=14:2082:10273 \
+                       --change-name=14:loader2 \
+                       --typecode=14:2E54B353-1271-4842-806F-E436D6AF6985 \
+                       --new=15::+106M \
+                       --typecode=15:ef00 \
+                       --new=12::+4M \
+                       --change-name=12:CIDATA \
+                       --new=1:: \
+                       --attributes=1:set:2
+            fi
+            ;;
         amd64)
             sgdisk "${disk_image}" \
                 --new=14::+4M \
@@ -58,7 +96,7 @@ create_and_mount_uefi_partition() {
     mount "${uefi_dev}" "$mountpoint"/boot/efi
 
     cat << EOF >> "mountpoint/etc/fstab"
-LABEL=UEFI	/boot/efi	vfat	defaults	0 0
+LABEL=UEFI	/boot/efi	vfat	umask=0077	0 1
 EOF
 }
 
@@ -73,14 +111,6 @@ install_grub() {
     efi_boot_dir="/boot/efi/EFI/BOOT"
     chroot mountpoint mkdir -p "${efi_boot_dir}"
 
-    if [ -n "$partuuid" ]; then
-        # FIXME: code duplicated between disk-image.binary
-        # and disk-image-uefi.binary.  We want to fix this to not
-        # have initramfs-tools installed at all on these images.
-        echo "partuuid found for root device; omitting initrd"
-        echo "GRUB_FORCE_PARTUUID=$partuuid" >> mountpoint/etc/default/grub.d/40-force-partuuid.cfg
-    fi
-
     chroot mountpoint apt-get -y update
 
     # UEFI GRUB modules are meant to be used equally by Secure Boot and
@@ -89,7 +119,7 @@ install_grub() {
     # please file a bug against grub2 to include the affected module.
     case $ARCH in
         arm64)
-            chroot mountpoint apt-get -qqy install --no-install-recommends grub-efi-arm64 grub-efi-arm64-bin
+            chroot mountpoint apt-get -qqy install --no-install-recommends shim-signed grub-efi-arm64-signed
             efi_target=arm64-efi
             ;;
         armhf)
@@ -97,11 +127,95 @@ install_grub() {
             efi_target=arm-efi
             ;;
         amd64)
-            chroot mountpoint apt-get install -qqy grub-efi-amd64-signed shim-signed
+            chroot mountpoint apt-get install -qqy grub-pc shim-signed
             efi_target=x86_64-efi
             ;;
+        riscv64)
+            # TODO grub-efi-riscv64 does not exist yet on riscv64
+            chroot mountpoint apt-get install -qqy u-boot-menu #grub-efi-riscv64
+            efi_target=riscv64-efi
+
+            chroot mountpoint u-boot-update
+
+            if [ -n "${SUBARCH:-}" ]; then
+                u_boot_arch="${SUBARCH}"
+                if [ "${u_boot_arch}" = "hifive" ]; then
+                    u_boot_arch=sifive_fu540
+                fi
+                chroot mountpoint apt-get install -qqy u-boot-sifive
+                # FSBL, which gets U-Boot SPL
+                loader1="/dev/mapper${loop_device///dev/}p13"
+                # The real U-Boot
+                loader2="/dev/mapper${loop_device///dev/}p14"
+                dd if=mountpoint/usr/lib/u-boot/${u_boot_arch}/u-boot-spl.bin of=$loader1
+                dd if=mountpoint/usr/lib/u-boot/${u_boot_arch}/u-boot.itb of=$loader2
+                # Provide end-user modifyable CIDATA
+                cidata_dev="/dev/mapper${loop_device///dev/}p12"
+                setup_cidata "${cidata_dev}"
+                # Provide stock nocloud datasource
+                # Allow interactive login on baremetal SiFive board,
+                # without a cloud datasource.
+                mkdir -p mountpoint/var/lib/cloud/seed/nocloud-net
+                cat <<EOF >mountpoint/var/lib/cloud/seed/nocloud-net/meta-data
+instance-id: iid-$(openssl rand -hex 8)
+EOF
+                cat <<EOF >mountpoint/var/lib/cloud/seed/nocloud-net/user-data
+#cloud-config
+chpasswd:
+    expire: True
+    list:
+        - ubuntu:ubuntu
+ssh_pwauth: True
+EOF
+                cat <<EOF >mountpoint/var/lib/cloud/seed/nocloud-net/network-config
+# This is the initial network config.
+# It can be overwritten by cloud-init.
+version: 2
+ethernets:
+  zz-all-en:
+    match:
+      name: "en*"
+    dhcp4: true
+    optional: true
+  zz-all-eth:
+    match:
+      name: "eth*"
+    dhcp4: true
+    optional: true
+EOF
+            fi
+            ## TODO remove below once we have grub-efi-riscv64
+            rm mountpoint/tmp/device.map
+            umount mountpoint/boot/efi
+            mount
+            umount_partition mountpoint
+            rmdir mountpoint
+            return
+            ##
+            ;;
     esac
 
+    chroot mountpoint apt-get autoremove --purge --assume-yes
+
+    chroot mountpoint grub-install "${loop_device}" \
+        --boot-directory=/boot \
+        --efi-directory=/boot/efi \
+        --target=${efi_target} \
+        --uefi-secure-boot \
+        --no-nvram
+
+    if [ "$ARCH" = "amd64" ]; then
+        # Install the BIOS/GPT bits. Since GPT boots from the ESP partition,
+        # it means that we just run this simple command and we're done
+        chroot mountpoint grub-install --target=i386-pc "${loop_device}"
+    fi
+
+    # Use the linux-kvm kernel for minimal images where available
+    # linux-kvm currently only exists for amd64
+    if [ "${SUBPROJECT:-}" = "minimized" ] && [ "$ARCH" = "amd64" ]; then
+        replace_kernel mountpoint linux-kvm
+    fi
+
     # This call to rewrite the debian package manifest is added here to capture
     # grub-efi packages that otherwise would not make it into the base
     # manifest. filesystem.packages is moved into place via symlinking to
@@ -111,30 +225,8 @@ install_grub() {
     # snap listings)
     chroot mountpoint dpkg-query -W > binary/boot/filesystem.packages
 
-    chroot mountpoint grub-install "${loop_device}" \
-        --boot-directory=/boot \
-        --efi-directory=/boot/efi \
-        --target=${efi_target} \
-        --removable \
-        --uefi-secure-boot \
-        --no-nvram
-
-    if [ -f mountpoint/boot/efi/EFI/BOOT/grub.cfg ]; then
-        sed -i "s| root| root hd0,gpt1|" mountpoint/boot/efi/EFI/BOOT/grub.cfg
-        sed -i "1i${IMAGE_STR}" mountpoint/boot/efi/EFI/BOOT/grub.cfg
-        # For some reason the grub disk is looking for /boot/grub/grub.cfg on
-        # part 15....
-        chroot mountpoint mkdir -p /boot/efi/boot/grub
-        chroot mountpoint cp /boot/efi/EFI/BOOT/grub.cfg /boot/efi/boot/grub
-    fi
-
-    if [ "$ARCH" = "amd64" ]; then
-        # Install the BIOS/GPT bits. Since GPT boots from the ESP partition,
-        # it means that we just run this simple command and we're done
-        chroot mountpoint grub-install --target=i386-pc "${loop_device}"
-    fi
-
     divert_grub mountpoint
+    track_initramfs_boot_fallback mountpoint
     chroot mountpoint update-grub
     replace_grub_root_with_label mountpoint
     undivert_grub mountpoint
@@ -144,6 +236,11 @@ install_grub() {
     rm mountpoint/tmp/device.map
     umount mountpoint/boot/efi
     mount
+
+    # create sorted filelist as the very last step before unmounting
+    # explicitly generate manifest and sbom
+    create_manifest  "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-uefi.manifest" "$PWD/livecd.ubuntu-cpc.disk-uefi.spdx"  "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
     umount_partition mountpoint
     rmdir mountpoint
 }
@@ -154,13 +251,12 @@ create_empty_disk_image "${disk_image}"
 create_partitions "${disk_image}"
 mount_image "${disk_image}" 1
 
-partuuid=$(blkid -s PARTUUID -o value "$rootfs_dev_mapper")
-
 # Copy the chroot in to the disk
 make_ext4_partition "${rootfs_dev_mapper}"
 mkdir mountpoint
 mount "${rootfs_dev_mapper}" mountpoint
 cp -a chroot/* mountpoint/
+
 umount mountpoint
 rmdir mountpoint
 

live-build/ubuntu-cpc/hooks.d/base/disk-image.binary

@@ -19,10 +19,6 @@ case $ARCH:$SUBARCH in
 		echo "POWER disk images are handled separately"
 		exit 0
 		;;
-	amd64|arm64|armhf)
-		echo "We only create EFI images for $ARCH."
-		exit 0
-		;;
 	armhf:raspi2)
 		# matches the size of the snappy image
 		IMAGE_SIZE=$((4*1000*1000*1000))
@@ -31,6 +27,10 @@ case $ARCH:$SUBARCH in
 		BOOTPART_END=138M
 		BOOT_MOUNTPOINT=/boot/firmware
 		;;
+	arm64:*|armhf:*|riscv64:*)
+		echo "We only create EFI images for $ARCH."
+		exit 0
+		;;
 	*)
 		;;
 esac
@@ -73,8 +73,6 @@ create_empty_partition "${disk_image}" "$ROOTPART" "$ROOTPART_START" -1 ext2 "$R
 
 mount_image "${disk_image}" "$ROOTPART"
 
-partuuid=$(blkid -s PARTUUID -o value "$rootfs_dev_mapper")
-
 # Copy the chroot in to the disk
 make_ext4_partition "${rootfs_dev_mapper}"
 mkdir mountpoint
@@ -121,21 +119,24 @@ if [ "${should_install_grub}" -eq 1 ]; then
         --device-map=/tmp/device.map \
         ${loop_device}
 
-    rm mountpoint/tmp/device.map
-
-	if [ -n "$partuuid" ]; then
-		echo "partuuid found for root device; forcing it in Grub"
-		mkdir -p mountpoint/etc/default/grub.d
-		echo "GRUB_FORCE_PARTUUID=$partuuid" >> mountpoint/etc/default/grub.d/40-force-partuuid.cfg
     divert_grub mountpoint
+    track_initramfs_boot_fallback mountpoint
     chroot mountpoint update-grub
     undivert_grub mountpoint
+
+    rm mountpoint/tmp/device.map
 fi
+
+# Use the linux-kvm kernel for minimal images where available
+# linux-kvm currently only exists for amd64
+if [ "${SUBPROJECT:-}" = "minimized" ] && [ "$ARCH" = "amd64" ]; then
+    replace_kernel mountpoint linux-kvm
 fi
 
 if [ "$ARCH" = "s390x" ]; then
     # Do ZIPL install bits
     chroot mountpoint apt-get -qqy install s390-tools sysconfig-hardware
+    chroot mountpoint apt-get autoremove --purge --assume-yes
 
     # Write out cloudy zipl.conf for future kernel updates
     cat << EOF > mountpoint/etc/zipl.conf
@@ -174,6 +175,8 @@ EOF
         $ZIPL_EXTRA_PARAMS
 fi
 
+create_manifest  "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx"  "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
 if [ -n "$BOOT_MOUNTPOINT" ]; then
 	umount "mountpoint/$BOOT_MOUNTPOINT"
 fi

live-build/ubuntu-cpc/hooks.d/base/kvm-image.binary

@@ -49,13 +49,6 @@ replace_kernel ${mount_d} "linux-kvm"
 chroot "${mount_d}" update-grub
 undivert_grub "${mount_d}"
 
-# Remove initramfs for kvm image
-env DEBIAN_FRONTEND=noninteractive chroot "${mount_d}" apt-get \
-    purge -y initramfs-tools busybox-initramfs
-
-env DEBIAN_FRONTEND=noninteractive chroot "${mount_d}" rm \
-    -rf /boot/initrd.img-* /boot/initrd.img
-
 # Remove indices 
 env DEBIAN_FRONTEND=noninteractive chroot "${mount_d}" apt-get \
     clean

live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary

@@ -7,12 +7,25 @@ case $ARCH:$SUBARCH in
 		xz -T4 -c binary/boot/disk.ext4 > livecd.ubuntu-cpc.disk1.img.xz
 	        exit 0
 		;;
+	riscv64:hifive|riscv64:sifive_*)
+		xz -T4 -c binary/boot/disk-uefi.ext4 > livecd.ubuntu-cpc.disk1.img.xz
+	        exit 0
+		;;
 esac
 
 . config/functions
 
+qcow_file=${PWD}/livecd.ubuntu-cpc.qcow
 if [ -f binary/boot/disk-uefi.ext4 ]; then
     convert_to_qcow2 binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.img
+    uefi_file="livecd.ubuntu-cpc.disk-uefi"
+    cp ${uefi_file}.manifest ${qcow_file}.manifest
+    cp ${uefi_file}.filelist ${qcow_file}.filelist
+    cp ${uefi_file}.spdx ${qcow_file}.spdx
 elif [ -f binary/boot/disk.ext4 ]; then
     convert_to_qcow2 binary/boot/disk.ext4 livecd.ubuntu-cpc.img
+    disk_file="livecd.ubuntu-cpc.disk-image"
+    cp ${disk_file}.manifest ${qcow_file}.manifest
+    cp ${disk_file}.filelist ${qcow_file}.filelist
+    cp ${disk_file}.spdx ${qcow_file}.spdx
 fi

live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary

@@ -13,8 +13,12 @@ rootfs_dir=rootfs.dir
 
 squashfs_f="$PWD/livecd.ubuntu-cpc.squashfs"
 
-cp $rootfs_dir.manifest $squashfs_f.manifest
+cp livecd.ubuntu-cpc.rootfs.manifest ${squashfs_f}.manifest
-cp $rootfs_dir.filelist $squashfs_f.filelist
+cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist
+cp livecd.ubuntu-cpc.rootfs.spdx ${squashfs_f}.spdx
+
+# fstab is omitted from the squashfs
+grep -v '^/etc/fstab$' livecd.ubuntu-cpc.rootfs.filelist >$squashfs_f.filelist
 
 (cd $rootfs_dir &&
       mksquashfs . $squashfs_f \

live-build/ubuntu-cpc/hooks.d/base/root-xz.binary

@@ -11,6 +11,4 @@ fi
 # This is the directory created by create-root-dir.binary
 rootfs_dir=rootfs.dir
 
-cp $rootfs_dir.manifest livecd.ubuntu-cpc.rootfs.manifest
-cp $rootfs_dir.filelist livecd.ubuntu-cpc.rootfs.filelist
 (cd $rootfs_dir/ && tar -c --sort=name --xattrs *) | xz > livecd.ubuntu-cpc.rootfs.tar.xz

live-build/ubuntu-cpc/hooks.d/base/series/disk-image

@@ -1,5 +1,5 @@
+depends disk-image-uefi
 base/disk-image.binary
-base/disk-image-uefi.binary
 base/disk-image-ppc64el.binary
 provides livecd.ubuntu-cpc.ext4
 provides livecd.ubuntu-cpc.initrd-generic
@@ -8,3 +8,6 @@ provides livecd.ubuntu-cpc.kernel-generic
 provides livecd.ubuntu-cpc.kernel-generic-lpae
 provides livecd.ubuntu-cpc.manifest
 provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-image.manifest
+provides livecd.ubuntu-cpc.disk-image.filelist
+provides livecd.ubuntu-cpc.disk-image.spdx

live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi

@@ -0,0 +1,11 @@
+base/disk-image-uefi.binary
+provides livecd.ubuntu-cpc.ext4
+provides livecd.ubuntu-cpc.initrd-generic
+provides livecd.ubuntu-cpc.initrd-generic-lpae
+provides livecd.ubuntu-cpc.kernel-generic
+provides livecd.ubuntu-cpc.kernel-generic-lpae
+provides livecd.ubuntu-cpc.manifest
+provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-uefi.manifest
+provides livecd.ubuntu-cpc.disk-uefi.filelist
+provides livecd.ubuntu-cpc.disk-uefi.spdx

live-build/ubuntu-cpc/hooks.d/base/series/qcow2

@@ -1,3 +1,6 @@
 depends disk-image
 base/qcow2-image.binary
 provides livecd.ubuntu-cpc.img
+provides livecd.ubuntu-cpc.qcow.manifest
+provides livecd.ubuntu-cpc.qcow.filelist
+provides livecd.ubuntu-cpc.qcow.spdx

live-build/ubuntu-cpc/hooks.d/base/series/squashfs

@@ -3,3 +3,4 @@ base/root-squashfs.binary
 provides livecd.ubuntu-cpc.squashfs
 provides livecd.ubuntu-cpc.squashfs.manifest
 provides livecd.ubuntu-cpc.squashfs.filelist
+provides livecd.ubuntu-cpc.squashfs.spdx

live-build/ubuntu-cpc/hooks.d/base/series/tarball

@@ -3,3 +3,4 @@ base/root-xz.binary
 provides livecd.ubuntu-cpc.rootfs.tar.xz
 provides livecd.ubuntu-cpc.rootfs.manifest
 provides livecd.ubuntu-cpc.rootfs.filelist
+provides livecd.ubuntu-cpc.rootfs.spdx

live-build/ubuntu-cpc/hooks.d/base/series/vagrant

@@ -1,3 +1,6 @@
 depends disk-image
 base/vagrant.binary
 provides livecd.ubuntu-cpc.vagrant.box
+provides livecd.ubuntu-cpc.vagrant.manifest
+provides livecd.ubuntu-cpc.vagrant.filelist
+provides livecd.ubuntu-cpc.vagrant.spdx

live-build/ubuntu-cpc/hooks.d/base/series/vmdk

@@ -3,3 +3,6 @@ base/vmdk-image.binary
 base/vmdk-ova-image.binary
 provides livecd.ubuntu-cpc.vmdk
 provides livecd.ubuntu-cpc.ova
+provides livecd.ubuntu-cpc.vmdk.manifest
+provides livecd.ubuntu-cpc.vmdk.filelist
+provides livecd.ubuntu-cpc.vmdk.spdx

live-build/ubuntu-cpc/hooks.d/base/vagrant.binary

@@ -86,6 +86,8 @@ EOF
 chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh
 chroot ${mount_d} chmod 700 /home/vagrant/.ssh
 
+create_manifest $mount_d "livecd.ubuntu-cpc.vagrant.manifest" "livecd.ubuntu-cpc.vagrant.spdx"  "cloud-image-vagrant-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
 umount_disk_image "$mount_d"
 rmdir "$mount_d"
 
@@ -154,8 +156,16 @@ Vagrant.configure("2") do |config|
 
   config.vm.provider "virtualbox" do |vb|
     vb.customize [ "modifyvm", :id, "--uart1", "0x3F8", "4" ]
-# Creating a console log file is not an expected behavior for vagrant boxes. LP #1777827
+    # Create a NULL serial port to skip console logging by default
+    vb.customize [ "modifyvm", :id, "--uartmode1", "file", File::NULL ]
+    # If console logging is desired, uncomment this line and remove prior
     # vb.customize [ "modifyvm", :id, "--uartmode1", "file", File.join(Dir.pwd, "${prefix}-console.log") ]
+    # Ubuntu cloud images, by default, enable console=ttyS0. This enables serial consoles to
+    # connect to the images. With the change related to LP #1777827, removing a serial
+    # file logger, Vagrant image boot times increased and now run greater than 5 minutes
+    # Creating a console log file is not an expected default behavior for vagrant boxes.
+    # As a workaround, we create a console connection to File:NULL. LP #1874453
+    # This is overrideable in user files to write to a local file
   end
 end
 EOF

live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary

@@ -20,8 +20,18 @@ esac
 
 . config/functions
 
+vmdk_file="$PWD/livecd.ubuntu-cpc.vmdk"
+
 if [ -e binary/boot/disk-uefi.ext4 ]; then
     create_vmdk binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.vmdk
+    uefi_file="livecd.ubuntu-cpc.disk-uefi"
+    cp ${uefi_file}.manifest ${vmdk_file}.manifest
+    cp ${uefi_file}.filelist ${vmdk_file}.filelist
+    cp ${uefi_file}.spdx ${vmdk_file}.spdx
 elif [ -f binary/boot/disk.ext4 ]; then
     create_vmdk binary/boot/disk.ext4 livecd.ubuntu-cpc.vmdk
+    disk_file="livecd.ubuntu-cpc.disk-image"
+    cp ${disk_file}.manifest ${vmdk_file}.manifest
+    cp ${disk_file}.filelist ${vmdk_file}.filelist
+    cp ${disk_file}.spdx ${vmdk_file}.spdx
 fi

live-build/ubuntu-cpc/hooks.d/base/wsl.binary

@@ -35,6 +35,7 @@ cp -a rootfs.dir $rootfs_dir
 setup_mountpoint $rootfs_dir
 
 env DEBIAN_FRONTEND=noninteractive chroot $rootfs_dir apt-get -y -qq install ubuntu-wsl
+env DEBIAN_FRONTEND=noninteractive chroot $rootfs_dir apt-get autoremove --purge --assume-yes
 
 create_manifest $rootfs_dir livecd.ubuntu-cpc.wsl.rootfs.manifest
 teardown_mountpoint $rootfs_dir

live-build/ubuntu-cpc/hooks.d/chroot/052-ssh_authentication.chroot

@@ -1,3 +1,8 @@
 #!/bin/bash
 
-sed -i "s|#PasswordAuthentication yes|PasswordAuthentication no|g" /etc/ssh/sshd_config
+# NOTE: the file number needs to be **higher** than the one
+# cloud-init writes (cloud-init uses 50-cloud-init.conf) so
+# the cloud-init file takes precedence
+cat << EOF >> "/etc/ssh/sshd_config.d/60-cloudimg-settings.conf"
+PasswordAuthentication no
+EOF

live-build/ubuntu-cpc/hooks.d/chroot/999-cpc-fixes.chroot

@@ -72,7 +72,7 @@ if [ -n "${root_fs_label}" ]; then
    sed -i "s,^[^#${bl}]*\([${bl}]*/[${bl}].*\),${lstr}\1," "${rootd}/etc/fstab"
 fi
 cat > /etc/fstab << EOM
-LABEL=cloudimg-rootfs	/	 ext4	defaults	0 0
+LABEL=cloudimg-rootfs	/	 ext4	defaults	0 1
 EOM
 
 # for quantal and newer, add /etc/overlayroot.local.conf
@@ -116,8 +116,8 @@ fi
 
 
 case $arch in
-	# ARM, ppc and s390 images are special
+	# ARM, ppc, riscv64 and s390x images are special
-	armhf|arm64|powerpc|ppc64el|s390x)
+	armhf|arm64|powerpc|ppc64el|s390x|riscv64)
 		exit 0
 		;;
 esac

live-build/ubuntu-server/hooks/030-root-squashfs.binary

@@ -15,13 +15,15 @@ case $IMAGE_TARGETS in
 		;;
 esac
 
-if [ -n "$SUBARCH" ]; then
+if [ -n "$SUBARCH" && "$SUBARCH" != "intel-iot" ]; then
 	echo "Skipping rootfs build for subarch flavor build"
 	exit 0
 fi
 
 . config/functions
 
+PROJECT=$PROJECT${SUBARCH:+-$SUBARCH}
+
 mkdir binary/boot/squashfs.dir
 cp -a chroot/* binary/boot/squashfs.dir