Diffstat (limited to 'mkosi.images/system')
-rw-r--r--mkosi.images/system/mkosi.conf48
-rw-r--r--mkosi.images/system/mkosi.conf.d/05-initrd.conf12
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-arch.conf27
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf32
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf8
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf5
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf5
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf10
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf10
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf29
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-fedora.conf10
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-opensuse.conf23
-rw-r--r--mkosi.images/system/mkosi.conf.d/10-ubuntu.conf11
-rw-r--r--mkosi.images/system/mkosi.extra/etc/issue2
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf6
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf8
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf8
-rwxr-xr-xmkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh19
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service15
-rw-r--r--mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf3
-rw-r--r--mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb3
-rwxr-xr-xmkosi.images/system/mkosi.finalize4
-rwxr-xr-xmkosi.images/system/mkosi.postinst.chroot93
-rw-r--r--mkosi.images/system/mkosi.repart/00-esp.conf9
-rw-r--r--mkosi.images/system/mkosi.repart/10-usr.conf9
-rw-r--r--mkosi.images/system/mkosi.repart/11-usr-verity.conf7
-rw-r--r--mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf6
27 files changed, 422 insertions, 0 deletions
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
new file mode 100644
index 0000000..7612f22
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf
@@ -0,0 +1,48 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=base
+
+[Content]
+Autologin=yes
+BaseTrees=../../mkosi.output/base
+ExtraTrees=../../mkosi.output/base-systemd
+Packages=
+ acl
+ bash-completion
+ coreutils
+ diffutils
+ dnsmasq
+ dosfstools
+ e2fsprogs
+ findutils
+ gcc # Sanitizer libraries
+ gdb
+ grep
+ gzip
+ kbd
+ kexec-tools
+ less
+ mtools
+ nano
+ nftables
+ openssl
+ qrencode
+ sed
+ socat
+ strace
+ systemd
+ tmux
+ tree
+ udev
+ util-linux
+ valgrind
+ wireguard-tools
+ xfsprogs
+ zsh
+
+BuildPackages=
+
+[Validation]
+@SecureBoot=yes
+@SignExpectedPcr=yes
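Review bot: `Autologin=yes` in `[Content]` gives anyone at the console an unauthenticated root shell, and nothing in this file marks the image as a throwaway test artifact. That is reasonable for a CI/debug image built from the systemd tree, but the combination with the security-oriented `[Validation]` settings (`@SecureBoot=yes`, `@SignExpectedPcr=yes`) could read as a hardened configuration to someone reusing it. A one-line comment above the setting would prevent that: `# Test image only: root is logged in on the console without authentication; never deploy this config as-is.` The `@` prefix on the validation keys also means a caller can override them, which is worth noting next to the Secure Boot check that the image's own shutdown script performs.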
diff --git a/mkosi.images/system/mkosi.conf.d/05-initrd.conf b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
new file mode 100644
index 0000000..9f21754
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/05-initrd.conf
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Bootable=!no
+Format=|disk
+Format=|directory
+
+[Config]
+Dependencies=initrd
+
+[Content]
+Initrds=../../mkosi.output/initrd
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf
new file mode 100644
index 0000000..e1a511c
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-arch.conf
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=arch
+
+[Content]
+Packages=
+ bpf
+ btrfs-progs
+ compsize
+ dhcp
+ f2fs-tools
+ glib2
+ iproute
+ linux
+ man-db
+ openbsd-netcat
+ openssh
+ pacman
+ polkit
+ python-pefile
+ python-psutil
+ python-pytest
+ python3
+ quota-tools
+ shadow
+ vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
new file mode 100644
index 0000000..67d4643
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+ bpftool
+ cryptsetup
+ dhcp-server
+ dnf
+ glib2
+ integritysetup
+ iproute
+ iproute-tc
+ kernel-core
+ libcap-ng-utils
+ netcat
+ openssh-server
+ p11-kit
+ pam
+ passwd
+ polkit
+ procps-ng
+ python3
+ python3dist(pefile)
+ python3dist(pluggy) # python3-pluggy is a pytest dependency that's not installed for some reason.
+ python3dist(psutil)
+ python3dist(pytest)
+ quota
+ vim-common
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
new file mode 100644
index 0000000..146e03a
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=centos
+
+[Content]
+Packages=
+ kernel-modules # For squashfs support
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
new file mode 100644
index 0000000..99b846d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.extra/usr/lib/repart.d/20-root.conf.d/xfs.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support btrfs so we use xfs instead.
+[Partition]
+Format=xfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
new file mode 100644
index 0000000..393d5f0
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.repart/10-usr.conf.d/squashfs.conf
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# CentOS does not support erofs so we use squashfs instead.
+[Partition]
+Format=squashfs
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
new file mode 100644
index 0000000..d3c89f3
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-amd64.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+Architecture=x86-64
+
+[Content]
+Packages=
+ bpftool
+ linux-image-cloud-amd64
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
new file mode 100644
index 0000000..76a6898
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-arm64.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=debian
+Architecture=arm64
+
+[Content]
+Packages=
+ bpftool
+ linux-image-cloud-arm64
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
new file mode 100644
index 0000000..588f833
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+ apt
+ btrfs-progs
+ cryptsetup-bin
+ dbus-broker
+ default-dbus-session-bus
+ f2fs-tools
+ fdisk
+ iproute2
+ isc-dhcp-server
+ libcap-ng-utils
+ netcat-openbsd
+ openssh-server
+ passwd
+ policykit-1
+ procps
+ python3
+ python3-pefile
+ python3-psutil
+ python3-pytest
+ quota
+ xxd
diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
new file mode 100644
index 0000000..42d0093
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=fedora
+
+[Content]
+Packages=
+ btrfs-progs
+ compsize
+ f2fs-tools
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
new file mode 100644
index 0000000..60a2b6d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=opensuse
+
+[Content]
+Packages=
+ bpftool
+ btrfs-progs
+ cryptsetup
+ dbus-broker
+ f2fs-tools
+ glibc-locale-base
+ kernel-kvmsmall
+ libcap-ng-utils
+ openssh-server
+ python3
+ python3-pefile
+ python3-psutil
+ python3-pytest
+ quota
+ shadow
+ vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
new file mode 100644
index 0000000..f58ee7e
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu.conf
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Match]
+Distribution=ubuntu
+
+[Content]
+Packages=
+ # We would like to use linux-image-kvm but it does not have support for SMBIOS credentials.
+ linux-image-generic
+ linux-tools-common
+ linux-tools-generic
diff --git a/mkosi.images/system/mkosi.extra/etc/issue b/mkosi.images/system/mkosi.extra/etc/issue
new file mode 100644
index 0000000..6aa6fc0
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/etc/issue
@@ -0,0 +1,2 @@
+\S (built from systemd tree)
+Kernel \r on an \m (\l)
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
new file mode 100644
index 0000000..3755278
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/15-swap.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=swap
+SizeMinBytes=100M
+SizeMaxBytes=100M
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
new file mode 100644
index 0000000..71eb9e3
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/repart.d/20-root.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=root
+Format=btrfs
+SizeMinBytes=1G
+Subvolumes=/home /var
+MakeDirectories=/home /var
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
new file mode 100644
index 0000000..2f95329
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/journald.conf.d/50-persistent.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# We only ship /usr in the image so /var/log/journal won't exist on boot which means systemd-journald won't
+# persist any logs as the default Storage= setting is "auto". We can't create /var/log/journal using tmpfiles
+# as systemd-journal-flush.service runs before systemd-tmpfiles-setup.service so instead we explicitly set
+# Storage= to persistent to have systemd-journald create /var/log/journal itself.
+[Journal]
+Storage=persistent
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
new file mode 100755
index 0000000..9bb2462
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eux
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# TODO: Figure out why this is failing
+systemctl reset-failed systemd-vconsole-setup.service
+
+systemctl --failed --no-legend | tee /failed-services
+
+# Check that secure boot keys were properly enrolled.
+if ! systemd-detect-virt --container; then
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+ # TODO: Figure out why this is failing
+ # grep -q this_should_be_here /proc/cmdline
+ # grep -q this_should_not_be_here /proc/cmdline && exit 1
+fi
+
+# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
+[[ ! -s /failed-services ]]
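Review bot: The Secure Boot verification at the two `cmp` lines only skips containers, so a VM booted without UEFI firmware, or a build that overrides the `@SecureBoot=yes` default, fails with an ENOENT from `cmp` on the efivars path rather than a message naming the unmet expectation; with `-x` set the reader has to infer the cause from the trace. A guard before the `cmp` lines makes the failure self-explanatory while keeping it a hard failure: `[[ -d /sys/firmware/efi/efivars ]] || { echo "not booted via UEFI; cannot verify Secure Boot enrollment" >&2; exit 1; }`. The expected bytes are correct for the spec (attributes BS|RT = 0x06, then a one-byte value), and a short comment saying so would save the next reader from decoding them: `# 4 attribute bytes (BS|RT) followed by the 1-byte variable value`. Note also that `reset-failed` on systemd-vconsole-setup.service removes that unit from the pass/fail gate below; the TODO acknowledges it, but the masking should be revisited before the gate is relied on.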
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
new file mode 100644
index 0000000..7942cbf
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system/mkosi-check-and-shutdown.service
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Check if any service failed and then shutdown the machine
+After=multi-user.target network-online.target
+Requires=multi-user.target
+Wants=systemd-resolved.service systemd-networkd.service network-online.target
+SuccessAction=exit
+FailureAction=exit
+# On success, exit with 123 so that we can check that we receive the actual exit code from the script on the
+# host.
+SuccessActionExitStatus=123
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/mkosi-check-and-shutdown.sh
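Review bot: The unit has no `[Install]` section and nothing else in the hunk pulls it into the boot transaction, so how it gets started (presumably via `systemd.unit=`/`systemd.wants=` on the kernel command line supplied by mkosi) is not visible here. Because `SuccessAction=exit`/`FailureAction=exit` make this unit terminate the whole machine, a reader needs to know it is only activated deliberately; a comment in `[Unit]` would cover that: `# Not enabled by default: mkosi pulls this unit in explicitly when booting the image for testing, and it powers the machine off when the check script finishes.` If the activation mechanism is different, adjust the wording, but the fact that nothing in the image itself starts it should be stated.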
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
new file mode 100644
index 0000000..dac79ba
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/tmpfiles.d/99-mkosi.conf
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+C+! /etc - - - - /usr/share/factory/mkosi
diff --git a/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
new file mode 100644
index 0000000..26f882b
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/share/factory/mkosi/gdbinit.d/systemd.gdb
@@ -0,0 +1,3 @@
+set debuginfod enabled off
+set build-id-verbose 0
+set substitute-path ../src /root/src/systemd
diff --git a/mkosi.images/system/mkosi.finalize b/mkosi.images/system/mkosi.finalize
new file mode 100755
index 0000000..74b810c
--- /dev/null
+++ b/mkosi.images/system/mkosi.finalize
@@ -0,0 +1,4 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
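Review bot: `cp --archive` of the whole `$BUILDROOT/etc` bakes every file present in /etc at build time — including anything sensitive or host-specific a package scriptlet may have generated there (ssh host keys, /etc/shadow, /etc/machine-id) — into /usr/share/factory/mkosi, which this image ships on the read-only, verity-protected /usr partition, so it cannot be removed or rotated afterwards. Whether such files actually exist in /etc at this stage is not visible from the hunk, and for a disposable test image the trade-off is probably fine, but the script should state it: `# Snapshot /etc into the factory tree so tmpfiles.d can repopulate it at boot. NOTE: everything in /etc at build time, secrets included, becomes part of the immutable /usr image.` `--recursive` is already implied by `--archive` and can be dropped.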
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
new file mode 100755
index 0000000..0cb9b9c
--- /dev/null
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -0,0 +1,93 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [ "$1" = "build" ]; then
+ exit 0
+fi
+
+if [ -n "$SANITIZERS" ]; then
+ LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
+
+ mkdir -p /etc/systemd/system.conf.d
+
+ cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
+[Manager]
+ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
+ UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
+ LD_PRELOAD=$LD_PRELOAD
+EOF
+
+ # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
+ # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
+ # sanitizer failures appear directly on the user's console.
+ mkdir -p /etc/systemd/system/systemd-journald.service.d
+ cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
+[Service]
+StandardOutput=tty
+EOF
+
+ # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
+ # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
+ # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
+ # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
+
+ mkdir -p /etc/systemd/system/console-getty.service.d
+ cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
+[Service]
+TTYVHangup=no
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+EOF
+ # ASAN and syscall filters aren't compatible with each other.
+ find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
+
+ # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
+ systemctl mask systemd-hwdb-update.service
+fi
+
+if [ -n "$IMAGE_ID" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_ID=/!p' \
+ -e "\$aIMAGE_ID=$IMAGE_ID" \
+ /usr/lib/os-release
+fi
+
+if [ -n "$IMAGE_VERSION" ] ; then
+ sed -n \
+ -i \
+ -e '/^IMAGE_VERSION=/!p' \
+ -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
+ /usr/lib/os-release
+fi
+
+if command -v authselect >/dev/null; then
+ # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
+ # let's use the new name if it exists.
+ if [ -d /usr/share/authselect/default/local ]; then
+ PROFILE=local
+ else
+ PROFILE=minimal
+ fi
+
+ authselect select "$PROFILE"
+
+ if authselect list-features "$PROFILE" | grep -q "with-homed"; then
+ authselect enable-feature with-homed
+ fi
+fi
+
+# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
+# if that's the case.
+mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
+rm -f /etc/resolv.conf
+
+. /usr/lib/os-release
+
+if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
+ alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
+ alternatives --set python3 /usr/bin/python3.9
+fi
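Review bot: The `sed -n -i ... -e "\$aIMAGE_ID=$IMAGE_ID"` and `-e "\$aIMAGE_VERSION=$IMAGE_VERSION"` lines splice the values straight into a sed program and write them unquoted into /usr/lib/os-release, so a value containing whitespace, `"`, `$`, a backslash or a newline either breaks the sed script or yields a line that `. /usr/lib/os-release` further down in this same script (and any other consumer) cannot source; os-release(5) requires shell-compatible quoting for such values. Both variables come from the mkosi build configuration rather than untrusted input, so this is a robustness rather than an injection concern, but separating deletion from append avoids both problems: `sed -i '/^IMAGE_ID=/d' /usr/lib/os-release` followed by `printf 'IMAGE_ID="%s"\n' "$IMAGE_ID" >>/usr/lib/os-release`, and the same pair for IMAGE_VERSION. In the sanitizer branch, the `find / ... sed` also comments out `SystemCallArchitectures=` and `SystemCallErrorNumber=`, not just `SystemCallFilter=`; if only the filter is incompatible with ASAN, anchoring the pattern to `SystemCallFilter` keeps the remaining hardening in place.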
diff --git a/mkosi.images/system/mkosi.repart/00-esp.conf b/mkosi.images/system/mkosi.repart/00-esp.conf
new file mode 100644
index 0000000..4be0466
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/00-esp.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+CopyFiles=/efi:/
+SizeMinBytes=512M
+SizeMaxBytes=512M
diff --git a/mkosi.images/system/mkosi.repart/10-usr.conf b/mkosi.images/system/mkosi.repart/10-usr.conf
new file mode 100644
index 0000000..343761d
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/10-usr.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr
+Format=erofs
+CopyFiles=/usr:/
+Verity=data
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.images/system/mkosi.repart/11-usr-verity.conf b/mkosi.images/system/mkosi.repart/11-usr-verity.conf
new file mode 100644
index 0000000..b4d45dd
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/11-usr-verity.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity
+Verity=hash
+VerityMatchKey=usr
+Minimize=yes
diff --git a/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf b/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
new file mode 100644
index 0000000..1841d0a
--- /dev/null
+++ b/mkosi.images/system/mkosi.repart/12-usr-verity-sig.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=usr-verity-sig
+Verity=signature
+VerityMatchKey=usr