2025-08-17 11:44:10 +00:00
11 changed files with 61 additions and 201 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,72 +1,3 @@
 livecd-rootfs (25.10.16) questing; urgency=medium
  * Put the uc20-style system seed for TPM backed FDE in the live layer.
 -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Wed, 13 Aug 2025 10:34:39 +1200
 livecd-rootfs (25.10.15) questing; urgency=medium
  * Add missing components to 6.14 kernel apparmor features' preseeds.
    (LP: #2116199)
 -- Bryan Alexander <bryan.alexander@canonical.com>  Thu, 17 Jul 2025 13:27:17 -0700
 livecd-rootfs (25.10.14) questing; urgency=medium
  [ Didier Roche-Tolomelli ]
  [ Tim Andersson ]
  [ Daniel Bungert ]
  * desktop TPMFDE: move snaps back to stable channels
 -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 07 Aug 2025 16:21:32 -0600
 livecd-rootfs (25.10.13) questing; urgency=medium
  [ Olivier Gayot ]
  * Build ubuntu-server with multipath-tools-boot installed, so that the
    multipath stack ends up present in the initramfs.
    The LVM stack is already present in the initramfs of the installer. And
    since kinetic, the /dev/mapper entries for LVM devices are created during
    the initramfs phase. This is a problem when we have LVM on top of a
    multipath disk because LVM ends up creating /dev/mapper entries out of
    /dev/sdX (or /dev/sdXpY) devices, not out of /dev/mapper/mpatha as it
    should. Adding the multipath stack in the initramfs gives multipath a
    chance to take ownership of /dev/sdX (or /dev/sdXpY) devices before LVM
    does (LP: #2080474).
 -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 24 Jul 2025 17:37:33 -0600
 livecd-rootfs (25.10.12) questing; urgency=medium
  [ Zygmunt Krynicki ]
  * Use snap wait system seed.loaded to wait for snapd (LP: #2114923)
  [ Dennis Loose ]
  [ Didier Roche-Tolomelli ]
  * Allow the ubuntu-desktop-installer to request snap seeding state
 -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Tue, 15 Jul 2025 16:30:41 +0200
 livecd-rootfs (25.10.11) questing; urgency=medium
  * Fix installer startup to wait for snapd to be preseeded first
    (LP: #2114923)
 -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Fri, 11 Jul 2025 14:57:56 +0200
 livecd-rootfs (25.10.10) questing; urgency=medium
  * risc-v cloud images: enable cpc fixes for riscv64
 -- Adriano Cordova <adriano.cordova@canonical.com>  Tue, 01 Jul 2025 09:11:16 -0400
 livecd-rootfs (25.10.9) questing; urgency=medium
  * desktop and server: read $SUBARCH to allow the use of nvidia's kernel
    instead of generic (LP: #2109822)
 -- Antoine Lassagne <antoine.lassagne@canonical.com>  Tue, 17 Jun 2025 22:23:11 +1200
 livecd-rootfs (25.10.8) questing; urgency=medium
  [ Didier Roche-Tolomelli ]
--- a/live-build/apparmor/6.14/domain/disconnected.ipc
+++ b/live-build/apparmor/6.14/domain/disconnected.ipc
@ -1 +0,0 @@
 yes
--- a/live-build/apparmor/6.14/policy/unconfined_restrictions/io_uring
+++ b/live-build/apparmor/6.14/policy/unconfined_restrictions/io_uring
@ -1 +1 @@
-1
+0
--- a/live-build/auto/build
+++ b/live-build/auto/build
@ -484,9 +484,6 @@ for FLAVOUR in $LB_LINUX_FLAVOURS; do
 		lowlatency-hwe-*)
 			FLAVOUR="lowlatency"
 			;;
 		nvidia-hwe-*)
 			FLAVOUR="nvidia"
 			;;
 	esac
 	KVERS="$( (cd "binary/$INITFS"; ls vmlinu?-* 2>/dev/null || true) | (fgrep -v .efi || true) | sed -n "s/^vmlinu.-\\([^-]*-[^-]*-$FLAVOUR\\)$/\\1/p" )"
 	if [ -z "$KVERS" ]; then
--- a/live-build/auto/config
+++ b/live-build/auto/config
@ -3,7 +3,7 @@ set -e
 case $ARCH:$SUBARCH in
 	amd64:|amd64:generic|amd64:intel-iot|\
-	arm64:|arm64:generic|arm64:raspi|arm64:snapdragon|arm64:nvidia|\
+	arm64:|arm64:generic|arm64:raspi|arm64:snapdragon|\
 	arm64:tegra|arm64:tegra-igx|arm64:tegra-jetson|arm64:x13s|\
 	arm64:largemem|\
 	armhf:|\
@ -844,16 +844,6 @@ case $PROJECT in
 				HAS_DEFAULT_LANGUAGES=yes
 				LANGUAGE_BASE=desktop
 				KERNEL_FLAVOURS='generic-hwe-24.04'
 				case $SUBARCH in
 					nvidia)
 						KERNEL_FLAVOURS="nvidia-hwe-24.04"
 						;;
 					*)
 						# nothing to do here.
 						;;
 				esac
 				do_layered_desktop_image
 				# Enchanced secureboot stuff
@ -1009,14 +999,6 @@ case $PROJECT in
 				add_package ubuntu-server-minimal lxd-installer
 				add_task ubuntu-server-minimal.ubuntu-server minimal standard server
 				add_package ubuntu-server-minimal.ubuntu-server cloud-init
 				# If we have a multipath disk with LVM on top, we want to give
 				# multipath a chance to create the /dev/mapper/mpatha entry
 				# during the initramfs phase. Otherwise LVM will "steal" the
 				# device (e.g., /dev/sda2) and prevent multipath from using it
 				# after pivoting to the root filesystem of the live
 				# environment.
 				# See LP: #2080474 and LP: #1480399.
 				add_package ubuntu-server-minimal.ubuntu-server.installer multipath-tools-boot
 				add_task ubuntu-server-minimal.ubuntu-server.installer server-live
@ -1041,9 +1023,6 @@ case $PROJECT in
 						# variants='ga-64k hwe-64k'
 						variants='ga-64k'
 						;;
 					nvidia)
 						variants='nvidia'
 						;;
 					*)
 						# variants='ga hwe'
 						variants='ga'
@ -1081,9 +1060,6 @@ case $PROJECT in
 					elif [ "$variant" = "tegra-jetson" ]; then
 						kernel_metapkg=linux-nvidia-tegra-jetson
 						flavor=nvidia-tegra-jetson
 					elif [ "$variant" = "nvidia" ]; then
 						kernel_metapkg=linux-nvidia-hwe-$(lsb_release -sr)
 						flavor=nvidia
 					else
 						echo "bogus variant: $variant"
 						exit 1
--- a/live-build/functions
+++ b/live-build/functions
@ -566,11 +566,10 @@ _snap_post_process() {
            # If the 'core' snap is not present, assume we are coreXX-only and
            # install the snapd snap.
            channel=stable
-            # FIXME: This can be commented and uncommented to enable snaps from
+            # FIXME: TPM-FDE spike, to be removed after the spike is over.
-            # edge for development spikes.
+            if [ $PROJECT = "ubuntu" ]; then
-            # if [ $PROJECT = "ubuntu" ]; then
+                channel=edge
-            #     channel=edge
+            fi
            # fi
            if [ ! -f ${snaps_dir}/core_[0-9]*.snap ]; then
                _snap_preseed $CHROOT_ROOT snapd "$channel"
            fi
--- a/live-build/ubuntu-cpc/hooks.d/chroot/999-cpc-fixes.chroot
+++ b/live-build/ubuntu-cpc/hooks.d/chroot/999-cpc-fixes.chroot
@ -100,7 +100,7 @@ fi
 case $arch in
 	# ppc, riscv64 and s390x images are special
-	powerpc|ppc64el|s390x)
+	powerpc|ppc64el|s390x|riscv64)
 		exit 0
 		;;
 esac
--- a/live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary
+++ b/live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary
@ -1,24 +1,71 @@
 #! /bin/sh
 # We need to remove the snapd seed configuration for the layers that
 # will be the installation source for a TPM-backed FDE install or
 # snapd gets very confused on the boot of the target system.
 set -eux
 case ${PASS:-} in
-    *.enhanced-secureboot)
+    minimal.standard.enhanced-secureboot)
        ;;
    minimal.enhanced-secureboot)
        ;;
    *)
        exit 0
        ;;
 esac
 . config/functions
 if [ -n "${SUBPROJECT:-}" ]; then
    echo "We don't run Ubuntu Desktop hooks for this project."
    exit 0
 fi
 . config/binary
 . config/functions
 # Generation of the model:
 # * At https://github.com/canonical/models one can find a repo of raw,
 #   unsigned, input .json files, and their signed .model equivalents.
 # * At least once per cycle, update the json for the new Ubuntu version.
 #   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
 #   rename for the new version, and do any necessary updates including fixing
 #   the versions of tracks.
 # * When this is done, the json needs to be signed.  This needs to be done by
 #   a Canonical employee - try asking someone who has recently opened PRs on
 #   https://github.com/canonical/models with the signed models.
 # * Ensure the signed and unsigned version of the models are updated in the
 #   models repo.
 # * The signed model can then be placed here in livecd-rootfs at
 #   live-build/${PROJECT}/ubuntu-classic-amd64.model
 # env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
 model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
 # see below note about "dangerous" model
 CHANNEL=${CHANNEL:-stable}
 channel=""
 if [ -n "${CHANNEL:-}" ]; then
    channel="--channel $CHANNEL"
 fi
 reset_snapd_state chroot
 # Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
 # snap versions regardless of phasing status
 # this is the normal prepare-image invocation.  This is not used right now as
 # the model in question is the "dangerous" model so that we can override the
 # channel of pc-kernel to get a matching set of snaps.
 #   env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
 #       --classic $model $channel chroot
 # so instead we're doing this, including forcing channel to stable for
 # everything but pc-kernel.
 env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
    --classic $model $channel \
    --snap=pc-kernel=25.10/candidate \
    --snap=snapd=latest/edge \
    --snap=desktop-security-center=1/edge \
    --snap=firmware-updater=1/edge \
    chroot
 mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
 rm -rf chroot/var/lib/snapd/seed
 mv chroot/system-seed chroot/var/lib/snapd/seed
--- a/live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary
+++ b/live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary
@ -1,74 +0,0 @@
 #!/bin/bash
 # create the system seed for TPM-backed FDE in the live layer of the installer.
 set -eux
 case ${PASS:-} in
    *.live)
        ;;
    *)
        exit 0
        ;;
 esac
 if [ -n "${SUBPROJECT:-}" ]; then
    echo "We don't run Ubuntu Desktop hooks for this project."
    exit 0
 fi
 . config/binary
 . config/functions
 # Generation of the model:
 # * At https://github.com/canonical/models one can find a repo of raw,
 #   unsigned, input .json files, and their signed .model equivalents.
 # * At least once per cycle, update the json for the new Ubuntu version.
 #   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
 #   rename for the new version, and do any necessary updates including fixing
 #   the versions of tracks.
 # * When this is done, the json needs to be signed.  This needs to be done by
 #   a Canonical employee - try asking someone who has recently opened PRs on
 #   https://github.com/canonical/models with the signed models.
 # * Ensure the signed and unsigned version of the models are updated in the
 #   models repo.
 # * The signed model can then be placed here in livecd-rootfs at
 #   live-build/${PROJECT}/ubuntu-classic-amd64.model
 # env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
 model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
 # see below note about "dangerous" model
 CHANNEL=${CHANNEL:-stable}
 channel=""
 if [ -n "${CHANNEL:-}" ]; then
    channel="--channel $CHANNEL"
 fi
 # Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
 # snap versions regardless of phasing status
 # this is the normal prepare-image invocation.  This is not used right now as
 # the model in question is the "dangerous" model so that we can override the
 # channel of pc-kernel and others to get a matching set of snaps.
 #   env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
 #       --classic $model $channel chroot
 # FIXME - go back to the stable model and remove all the `--snap` overrides
 env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
    --classic $model $channel \
    --snap=pc=classic-25.10/stable \
    --snap=pc-kernel=25.10/candidate \
    --snap=firmware-updater=1/stable/ubuntu-25.10 \
    --snap=desktop-security-center=1/stable/ubuntu-25.10 \
    --snap=prompting-client=1/stable/ubuntu-25.10 \
    --snap=snap-store=2/stable/ubuntu-25.10 \
    --snap=gtk-common-themes=latest/stable/ubuntu-25.10 \
    --snap=firefox=latest/stable/ubuntu-25.10 \
    --snap=gnome-42-2204=latest/stable/ubuntu-25.10 \
    --snap=snapd-desktop-integration=latest/stable/ubuntu-25.10 \
    chroot
 mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
 rsync -av chroot/system-seed/{systems,snaps} chroot/var/lib/snapd/seed
 rm -rf chroot/system-seed/
--- a/live-build/ubuntu/includes.chroot.minimal.standard.live/etc/polkit-1/rules.d/10-allow-installer-wait-on-snap.rules
+++ b/live-build/ubuntu/includes.chroot.minimal.standard.live/etc/polkit-1/rules.d/10-allow-installer-wait-on-snap.rules
@ -1,13 +0,0 @@
 // -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*-
 //
 // THIS FILE IS ONLY AVAILABLE ON THE LIVE SYSTEM
 //
 // Allow the ubuntu-desktop-installer to request snap seeding state
 // used before starting.
 polkit.addRule(function(action, subject) {
    if (action.id == "io.snapcraft.snapd.manage-configuration") {
            return polkit.Result.YES;
    }
 });
--- a/live-build/ubuntu/includes.chroot.minimal.standard.live/usr/lib/systemd/user/ubuntu-desktop-installer.service
+++ b/live-build/ubuntu/includes.chroot.minimal.standard.live/usr/lib/systemd/user/ubuntu-desktop-installer.service
@ -10,8 +10,6 @@ Conflicts=gnome-session@gnome-login.target
 [Service]
 Type=oneshot
 # Make sure that the system was seeded to access the snap
 ExecStartPre=/usr/bin/snap wait system seed.loaded
 ExecStart=/snap/bin/ubuntu-desktop-bootstrap --try-or-install
 ExecStopPost=sh -c "gsettings set org.gnome.shell.extensions.dash-to-dock dock-fixed true; gsettings set org.gnome.shell.extensions.dash-to-dock intellihide true; gnome-extensions enable ding@rastersoft.com"
 Restart=no