dfinity · andrewbattat · Jun 6, 2025 · Jun 5, 2025 · Jun 5, 2025 · Jun 5, 2025
@@ -7,6 +7,12 @@ exports_files([
     "guestos_grub.cfg",
     "hostos_grub.cfg",
     "setupos_grub.cfg",
+    "guestos_boot_args.template",
+    "hostos_boot_args.template",
+    "setupos_boot_args.template",
+    "guestos_extra_boot_args.template",
+    "hostos_extra_boot_args.template",
+    "setupos_extra_boot_args.template",
 ])
 
 genrule(

@@ -0,0 +1,14 @@
+# Uncomment this to run system with SELinux in PERMISSIVE mode:
+# the system will use SELinux and keep track of operations that would
+# be prohibited, but will only log but not actually deny them. This is
+# useful for debug and policy development. The system behaves essentially the
+# same as if SELinux was not activated.
+#
+# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0 root_hash=ROOT_HASH"
+
+# Uncomment this to run system with SELinux in ENFORCING mode: All rules
+# of the policy are enforced, and forbidden actions are not just logged but
+# stopped. This causes the system to behave differently than in either
+# "no SELinux" or "permissive" mode.
+#
+EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1 root_hash=ROOT_HASH"
@@ -0,0 +1,4 @@
+# Kernel cmdline parameters for launching the HostOS.
+# BOOT_ARGS_A targets partition set "A" while BOOT_ARGS_B targets partition set "B"
+BOOT_ARGS_A="root=/dev/hostlvm/A_root console=ttyS0,115200 console=tty0 nomodeset video=1024x768 dfinity.system=A security=selinux selinux=1 enforcing=0"
+BOOT_ARGS_B="root=/dev/hostlvm/B_root console=ttyS0,115200 console=tty0 nomodeset video=1024x768 dfinity.system=B security=selinux selinux=1 enforcing=0" 
@@ -11,4 +11,4 @@ EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0"
 # stopped. This causes the system to behave differently than in either
 # "no SELinux" or "permissive" mode.
 #
-# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1"
+# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1"
@@ -76,14 +76,38 @@ fi
 
 echo Booting linux from system "${boot_alternative}" (state: "${boot_cycle}")...
 
-if [ -f ${boot}/extra_boot_args ]; then
-    echo Loading extra boot args ${boot}/extra_boot_args
-    source ${boot}/extra_boot_args
-    echo Extra boot arguments $EXTRA_BOOT_ARGS
-fi
-
 menuentry "Boot System ${boot_alternative} (${BOOT_STATE})" {
-    linux /vmlinuz root=$linux_root console=ttyS0,115200 console=tty0 nomodeset video=1024x768 dfinity.system=$boot_alternative $EXTRA_BOOT_ARGS
+    if [ -f "${boot}/boot_args" ]; then
+        echo "Loading boot args ${boot}/boot_args"
+        source "${boot}/boot_args"
+        # Use the appropriate boot args based on boot_alternative
+        if [ "${boot_alternative}" = "A" ]; then
+            if [ -z "${BOOT_ARGS_A}" ]; then
+                echo "Error: BOOT_ARGS_A is not defined in ${boot}/boot_args"
+                exit 1
+            fi
+            echo "Boot arguments: ${BOOT_ARGS_A}"
+            linux /vmlinuz $BOOT_ARGS_A
+        else
+            if [ -z "${BOOT_ARGS_B}" ]; then
+                echo "Error: BOOT_ARGS_B is not defined in ${boot}/boot_args"
+                exit 1
+            fi
+            echo "Boot arguments: ${BOOT_ARGS_B}"
+            linux /vmlinuz $BOOT_ARGS_B
+        fi
+    else
+        # Fallback to old method if boot_args doesn't exist
+        echo "Warning: boot_args not found, using fallback method"
+        if [ -f ${boot}/extra_boot_args ]; then
+            echo Loading extra boot args ${boot}/extra_boot_args
+            source ${boot}/extra_boot_args
+            echo Extra boot arguments $EXTRA_BOOT_ARGS
+        fi
+
+        linux /vmlinuz root=$linux_root console=ttyS0,115200 console=tty0 nomodeset video=1024x768 dfinity.system=$boot_alternative $EXTRA_BOOT_ARGS
+    fi
+
     if [ -f ${boot}/initrd.img ]; then
         echo Loading initial ram disk ${boot}/initrd.img
         initrd ${boot}/initrd.img

@@ -0,0 +1,3 @@
+# Kernel cmdline parameters for launching the SetupOS.
+# SetupOS uses a single boot configuration (no A/B partitioning)
+BOOT_ARGS="root=PARTUUID=7C0A626E-E5EA-E543-B5C5-300EB8304DB7 console=ttyS0,115200 console=tty0 nomodeset video=1024x768 security=selinux selinux=1 enforcing=0" 
@@ -11,4 +11,4 @@ EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0"
 # stopped. This causes the system to behave differently than in either
 # "no SELinux" or "permissive" mode.
 #
-# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1"
+# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1"
@@ -11,14 +11,13 @@ set linux_root=PARTUUID=7C0A626E-E5EA-E543-B5C5-300EB8304DB7
 
 echo Booting linux...
 
-if [ -f ${boot}/extra_boot_args ]; then
-    echo Loading extra boot args ${boot}/extra_boot_args
-    source ${boot}/extra_boot_args
-    echo Extra boot arguments $EXTRA_BOOT_ARGS
+if [ -f "${boot}/boot_args" ]; then
+    echo "Loading boot args ${boot}/boot_args"
+    source "${boot}/boot_args"
+    echo "Boot arguments: ${BOOT_ARGS}"
+    linux /vmlinuz $BOOT_ARGS
 fi
 
-linux /vmlinuz root=$linux_root console=ttyS0,115200 console=tty0 nomodeset video=1024x768 $EXTRA_BOOT_ARGS
-
 if [ -f ${boot}/initrd.img ] ; then
     echo Loading initial ram disk ${boot}/initrd.img
     initrd ${boot}/initrd.img

@@ -51,15 +51,6 @@ def icos_build(
 
     image_deps = image_deps_func(mode, malicious)
 
-    # Validate that exactly one of boot_args_template or extra_boot_args is provided
-    has_boot_args_template = "boot_args_template" in image_deps
-    has_extra_boot_args = "extra_boot_args" in image_deps
-
-    if not has_boot_args_template and not has_extra_boot_args:
-        fail("Either 'boot_args_template' or 'extra_boot_args' must be provided in image_deps")
-    elif has_boot_args_template and has_extra_boot_args:
-        fail("Cannot provide both 'boot_args_template' and 'extra_boot_args' in image_deps - they are mutually exclusive")
-
     # -------------------- Version management --------------------
 
     copy_file(
@@ -192,29 +183,28 @@ def icos_build(
                 for k, v in (
                     image_deps["bootfs"].items() + [
                         (version_txt, "/version.txt:0644"),
-                    ] + ([(extra_boot_args, "/extra_boot_args:0644")] if "boot_args_template" not in image_deps else []) +
-                    ([(boot_args, "/boot_args:0644")] if "boot_args_template" in image_deps else [])
+                        (boot_args, "/boot_args:0644"),
+                        (extra_boot_args, "/extra_boot_args:0644"),
+                    ]
                 )
             },
             tags = ["manual", "no-cache"],
         )
 
-        # The kernel command line (boot args) was previously split into two parts:
-        # 1. Dynamic args calculated at boot time in grub.cfg
-        # 2. Static args stored in EXTRA_BOOT_ARGS on the boot partition
+        # The kernel command line (boot args) is generated from boot_args_template:
+        # - For OS requiring root signing: Template includes ROOT_HASH placeholder that gets substituted with dm-verity hash
+        # - For OS not requiring root signing: Template is used as-is without ROOT_HASH substitution
         #
-        # For stable and predictable measurements with AMD SEV, we now pre-calculate and combine both parts
-        # into a single complete kernel command line that is:
-        # - Generated during image build
-        # - Stored statically on the boot partition
-        # - Measured as part of the SEV launch measurement
-        #
-        # For HostOS and SetupOS, we continue
-        # to support the old way of calculating the dynamic args (see :extra_boot_args) and we derive boot_args
-        # from it.
+        # This provides:
+        # - Consistent boot argument handling across all OS types
+        # - Predictable measurements for AMD SEV (especially important for signed root partitions)
+        # - Static boot arguments stored on the boot partition
+
+        # For backwards compatibility in GuestOS and HostOS,
+        # we continue to support the old way of calculating the dynamic args (see :extra_boot_args).
 
-        # Sign only for guestos builds (which have boot_args_template)
-        if "boot_args_template" in image_deps:
+        if image_deps.get("requires_root_signing", False):
+            # Sign the root partition and substitute ROOT_HASH in boot args
             native.genrule(
                 name = "generate-" + partition_root_signed_tzst,
                 testonly = malicious,
@@ -241,9 +231,27 @@ def icos_build(
                       "< $(location :boot_args_template) > $@",
                 tags = ["manual"],
             )
+            native.genrule(
+                name = "generate-" + extra_boot_args,
+                outs = [extra_boot_args],
+                srcs = [partition_root_hash, ":extra_boot_args_template"],
+                cmd = "sed -e s/ROOT_HASH/$$(cat $(location " + partition_root_hash + "))/ " +
+                      "< $(location :extra_boot_args_template) > $@",
+                tags = ["manual"],
+            )
         else:
+            # No signing required, no ROOT_HASH substitution
             native.alias(name = partition_root_signed_tzst, actual = partition_root_unsigned_tzst, tags = ["manual", "no-cache"])
-            native.alias(name = extra_boot_args, actual = image_deps["extra_boot_args"], tags = ["manual"])
+            native.alias(
+                name = boot_args,
+                actual = ":boot_args_template",
+                tags = ["manual"],
+            )
+            native.alias(
+                name = extra_boot_args,
+                actual = ":extra_boot_args_template",
+                tags = ["manual"],
+            )
 
     component_file_references_test(
         name = name + "_component_file_references_test",
@@ -253,11 +261,15 @@ def icos_build(
         tags = tags,
     )
 
-    if "boot_args_template" in image_deps:
-        native.alias(
-            name = "boot_args_template",
-            actual = image_deps["boot_args_template"],
-        )
+    native.alias(
+        name = "boot_args_template",
+        actual = image_deps["boot_args_template"],
+    )
+
+    native.alias(
+        name = "extra_boot_args_template",
+        actual = image_deps["extra_boot_args_template"],
+    )
 
     # -------------------- Assemble disk partitions ---------------
 

@@ -67,13 +67,13 @@ def image_deps(mode, malicious = False):
         "rootfs_size": "3G",
         "bootfs_size": "1G",
         "grub_config": Label("//ic-os/bootloader:guestos_grub.cfg"),
+        "extra_boot_args_template": Label("//ic-os/bootloader:guestos_extra_boot_args.template"),
 
         # Add any custom partitions to the manifest
         "custom_partitions": lambda _: [Label("//ic-os/guestos:partition-config.tzst")],
-
-        # We will install boot_args_template onto the system, after substituting the
-        # hash of the root filesystem into it.
-        "boot_args_template": Label("//ic-os/guestos/context:boot_args.template"),
+        "boot_args_template": Label("//ic-os/bootloader:guestos_boot_args.template"),
+        # GuestOS requires dm-verity root partition signing
+        "requires_root_signing": True,
     }
 
     dev_build_args = ["BUILD_TYPE=dev", "ROOT_PASSWORD=root"]

@@ -46,7 +46,9 @@ def image_deps(mode, _malicious = False):
         "rootfs_size": "3G",
         "bootfs_size": "100M",
         "grub_config": Label("//ic-os/bootloader:hostos_grub.cfg"),
-        "extra_boot_args": Label("//ic-os/hostos/context:extra_boot_args"),
+        "extra_boot_args_template": Label("//ic-os/bootloader:hostos_extra_boot_args.template"),
+        "boot_args_template": Label("//ic-os/bootloader:hostos_boot_args.template"),
+        "requires_root_signing": False,
 
         # Add any custom partitions to the manifest
         "custom_partitions": _custom_partitions,

@@ -41,7 +41,9 @@ def image_deps(mode, _malicious = False):
         "rootfs_size": "1750M",
         "bootfs_size": "100M",
         "grub_config": Label("//ic-os/bootloader:setupos_grub.cfg"),
-        "extra_boot_args": Label("//ic-os/setupos/context:extra_boot_args"),
+        "boot_args_template": Label("//ic-os/bootloader:setupos_boot_args.template"),
+        "extra_boot_args_template": Label("//ic-os/bootloader:setupos_extra_boot_args.template"),
+        "requires_root_signing": False,
 
         # Add any custom partitions to the manifest
         "custom_partitions": _custom_partitions,