Removed os-release function

`DownloadUser = alpm` does not appear to be suitable for mkarchiso use
since there is no guarantee that `alpm` user has access to the working
directory.

Fixes https://gitlab.archlinux.org/archlinux/archiso/-/issues/232
Fixes: 691c57fc2e ("Update pacman.conf for pacman 7")

.editorconfig

@@ -16,6 +16,10 @@ charset = utf-8
 indent_style = space
 indent_size = 4
 max_line_length = 120
+# for shfmt
+switch_case_indent = true
+binary_next_line = true
+
 
 [*.{yml,yaml}]
 end_of_line = lf
@@ -32,3 +36,6 @@ trim_trailing_whitespace = true
 charset = utf-8
 indent_style = space
 indent_size = 2
+
+[Makefile]
+indent_style = tab

.gitignore

@@ -1,7 +1,9 @@
 *~
-archiso-*.tar.gz*
+*.tar
+*.tar.*
 work/
 out/
+codesigning*
 *.iso
 *.img
 *.cer
@@ -10,3 +12,5 @@ out/
 *.pem
 user-data
 meta-data
+network-config
+man/version.rst

.gitlab-ci.yml

@@ -1,71 +0,0 @@
----
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-stages:
-  - check
-  - build
-
-check:
-  before_script:
-    # NOTE: Install latest archlinux-keyring before upgrading system. In the
-    # future this should not be needed anymore when we can guarantee a valid
-    # keyring for longer:
-    # https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/4
-    - pacman -Sy --needed --noconfirm archlinux-keyring
-    - pacman --noconfirm -Syu --needed make shellcheck
-  script:
-    - make check
-  stage: check
-  interruptible: true
-
-.build:
-  artifacts:
-    reports:
-      metrics: output/metrics.txt
-  before_script:
-    - pacman -Sy --needed --noconfirm archlinux-keyring
-    - pacman -Syu --needed --noconfirm arch-install-scripts bash dosfstools e2fsprogs erofs-utils gnupg grub jq libarchive libisoburn mtools openssl qemu-headless squashfs-tools zsync
-  script:
-    - ./.gitlab/ci/build_archiso.sh ${BUILD_SCRIPT_ARGS}
-  stage: build
-  tags:
-    - vm
-
-build_short:
-  extends: .build
-  parallel:
-    matrix:
-      - BUILD_SCRIPT_ARGS: baseline bootstrap
-      - BUILD_SCRIPT_ARGS: releng bootstrap
-  only:
-    refs:
-      - master
-      - merge_requests
-    changes:
-      - archiso/*
-      - configs/**/*
-      - Makefile
-      - .gitlab-ci.yml
-      - .gitlab/ci/*
-  interruptible: true
-
-build_long:
-  extends: .build
-  parallel:
-    matrix:
-      - BUILD_SCRIPT_ARGS: baseline iso
-      - BUILD_SCRIPT_ARGS: baseline netboot
-      - BUILD_SCRIPT_ARGS: releng iso
-      - BUILD_SCRIPT_ARGS: releng netboot
-  only:
-    refs:
-      - master
-      - merge_requests
-    changes:
-      - archiso/*
-      - configs/**/*
-      - Makefile
-      - .gitlab-ci.yml
-      - .gitlab/ci/*
-  interruptible: true

.gitlab/ci/build_archiso.sh

@@ -1,273 +0,0 @@
-#!/usr/bin/env bash
-#
-# This script is run within a virtual environment to build the available archiso profiles and their available build
-# modes and create checksum files for the resulting images.
-# The script needs to be run as root and assumes $PWD to be the root of the repository.
-#
-# Dependencies:
-# * all archiso dependencies
-# * coreutils
-# * gnupg
-# * openssl
-# * zsync
-#
-# $1: profile
-# $2: buildmode
-
-set -euo pipefail
-shopt -s extglob
-
-readonly orig_pwd="${PWD}"
-readonly output="${orig_pwd}/output"
-readonly tmpdir_base="${orig_pwd}/tmp"
-readonly profile="${1}"
-readonly buildmode="${2}"
-readonly install_dir="arch"
-
-tmpdir=""
-tmpdir="$(mktemp --dry-run --directory --tmpdir="${tmpdir_base}")"
-gnupg_homedir=""
-codesigning_dir=""
-codesigning_cert=""
-codesigning_key=""
-pgp_key_id=""
-
-print_section_start() {
-  # gitlab collapsible sections start: https://docs.gitlab.com/ee/ci/jobs/#custom-collapsible-sections
-  local _section _title
-  _section="${1}"
-  _title="${2}"
-
-  printf "\e[0Ksection_start:%(%s)T:%s\r\e[0K%s\n" '-1' "${_section}" "${_title}"
-}
-
-print_section_end() {
-  # gitlab collapsible sections end: https://docs.gitlab.com/ee/ci/jobs/#custom-collapsible-sections
-  local _section
-  _section="${1}"
-
-  printf "\e[0Ksection_end:%(%s)T:%s\r\e[0K\n" '-1' "${_section}"
-}
-
-cleanup() {
-  # clean up temporary directories
-  print_section_start "cleanup" "Cleaning up temporary directory"
-
-  if [ -n "${tmpdir_base:-}" ]; then
-    rm -fr "${tmpdir_base}"
-  fi
-
-  print_section_end "cleanup"
-}
-
-create_checksums() {
-  # create checksums for files
-  # $@: files
-  local _file_path _file_name _current_pwd
-  _current_pwd="${PWD}"
-
-  print_section_start "checksums" "Creating checksums"
-
-  for _file_path in "$@"; do
-    cd "$(dirname "${_file_path}")"
-    _file_name="$(basename "${_file_path}")"
-    b2sum "${_file_name}" > "${_file_name}.b2"
-    md5sum "${_file_name}" > "${_file_name}.md5"
-    sha1sum "${_file_name}" > "${_file_name}.sha1"
-    sha256sum "${_file_name}" > "${_file_name}.sha256"
-    sha512sum "${_file_name}" > "${_file_name}.sha512"
-    ls -lah "${_file_name}."{b2,md5,sha{1,256,512}}
-    cat "${_file_name}."{b2,md5,sha{1,256,512}}
-  done
-  cd "${_current_pwd}"
-
-  print_section_end "checksums"
-}
-
-create_zsync_delta() {
-  # create zsync control files for files
-  # $@: files
-  local _file
-
-  print_section_start "zsync_delta" "Creating zsync delta"
-
-  for _file in "$@"; do
-    if [[ "${buildmode}" == "bootstrap" ]]; then
-      # zsyncmake fails on 'too long between blocks' with default block size on bootstrap image
-      zsyncmake -v -b 512 -C -u "${_file##*/}" -o "${_file}".zsync "${_file}"
-    else
-      zsyncmake -v -C -u "${_file##*/}" -o "${_file}".zsync "${_file}"
-    fi
-  done
-
-  print_section_end "zsync_delta"
-}
-
-create_metrics() {
-  local _metrics="${output}/metrics.txt"
-  # create metrics
-  print_section_start "metrics" "Creating metrics"
-
-  {
-    # create metrics based on buildmode
-    case "${buildmode}" in
-      iso)
-        printf 'image_size_mebibytes{image="%s"} %s\n' \
-          "${profile}" \
-          "$(du -m -- "${output}/"*.iso | cut -f1)"
-        printf 'package_count{image="%s"} %s\n' \
-          "${profile}" \
-          "$(sort -u -- "${tmpdir}/iso/"*/pkglist.*.txt | wc -l)"
-        if [[ -e "${tmpdir}/efiboot.img" ]]; then
-          printf 'eltorito_efi_image_size_mebibytes{image="%s"} %s\n' \
-            "${profile}" \
-            "$(du -m -- "${tmpdir}/efiboot.img" | cut -f1)"
-        fi
-        # shellcheck disable=SC2046
-        # shellcheck disable=SC2183
-        printf 'initramfs_size_mebibytes{image="%s",initramfs="%s"} %s\n' \
-          $(du -m -- "${tmpdir}/iso/"*/boot/**/initramfs*.img | \
-            awk -v profile="${profile}" \
-            'function basename(file) {
-              sub(".*/", "", file)
-              return file
-            }
-            { print profile, basename($2), $1 }'
-          )
-        ;;
-      netboot)
-        printf 'netboot_size_mebibytes{image="%s"} %s\n' \
-          "${profile}" \
-          "$(du -m -- "${output}/${install_dir}/" | tail -n1 | cut -f1)"
-        printf 'netboot_package_count{image="%s"} %s\n' \
-          "${profile}" \
-          "$(sort -u -- "${tmpdir}/iso/"*/pkglist.*.txt | wc -l)"
-        ;;
-      bootstrap)
-        printf 'bootstrap_size_mebibytes{image="%s"} %s\n' \
-          "${profile}" \
-          "$(du -m -- "${output}/"*.tar*(.gz|.xz|.zst) | cut -f1)"
-        printf 'bootstrap_package_count{image="%s"} %s\n' \
-          "${profile}" \
-          "$(sort -u -- "${tmpdir}/"*/bootstrap/root.*/pkglist.*.txt | wc -l)"
-        ;;
-    esac
-  } > "${_metrics}"
-  ls -lah "${_metrics}"
-  cat "${_metrics}"
-
-  print_section_end "metrics"
-}
-
-create_ephemeral_pgp_key() {
-  # create an ephemeral PGP key for signing the rootfs image
-  print_section_start "ephemeral_pgp_key" "Creating ephemeral PGP key"
-
-  gnupg_homedir="$tmpdir/.gnupg"
-  mkdir -p "${gnupg_homedir}"
-  chmod 700 "${gnupg_homedir}"
-
-  cat << __EOF__ > "${gnupg_homedir}"/gpg.conf
-quiet
-batch
-no-tty
-no-permission-warning
-export-options no-export-attributes,export-clean
-list-options no-show-keyring
-armor
-no-emit-version
-__EOF__
-
-  gpg --homedir "${gnupg_homedir}" --gen-key <<EOF
-%echo Generating ephemeral Arch Linux release engineering key pair...
-Key-Type: default
-Key-Length: 3072
-Key-Usage: sign
-Name-Real: Arch Linux Release Engineering
-Name-Comment: Ephemeral Signing Key
-Name-Email: arch-releng@lists.archlinux.org
-Expire-Date: 0
-%no-protection
-%commit
-%echo Done
-EOF
-
-  pgp_key_id="$(
-    gpg --homedir "${gnupg_homedir}" \
-        --list-secret-keys \
-        --with-colons \
-        | awk -F':' '{if($1 ~ /sec/){ print $5 }}'
-  )"
-
-  pgp_sender="Arch Linux Release Engineering (Ephemeral Signing Key) <arch-releng@lists.archlinux.org>"
-
-  print_section_end "ephemeral_pgp_key"
-}
-
-create_ephemeral_codesigning_key() {
-  # create ephemeral certificates used for codesigning
-  print_section_start "ephemeral_codesigning_key" "Creating ephemeral codesigning key"
-
-  codesigning_dir="${tmpdir}/.codesigning/"
-  local codesigning_conf="${codesigning_dir}/openssl.cnf"
-  local codesigning_subj="/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/CN=archlinux.org"
-  codesigning_cert="${codesigning_dir}/codesign.crt"
-  codesigning_key="${codesigning_dir}/codesign.key"
-  mkdir -p "${codesigning_dir}"
-  cp -- /etc/ssl/openssl.cnf "${codesigning_conf}"
-  printf "\n[codesigning]\nkeyUsage=digitalSignature\nextendedKeyUsage=codeSigning\n" >> "${codesigning_conf}"
-  openssl req \
-      -newkey rsa:4096 \
-      -keyout "${codesigning_key}" \
-      -nodes \
-      -sha256 \
-      -x509 \
-      -days 365 \
-      -out "${codesigning_cert}" \
-      -config "${codesigning_conf}" \
-      -subj "${codesigning_subj}" \
-      -extensions codesigning
-
-  print_section_end "ephemeral_codesigning_key"
-}
-
-run_mkarchiso() {
-  # run mkarchiso
-  create_ephemeral_pgp_key
-  create_ephemeral_codesigning_key
-
-  print_section_start "mkarchiso" "Running mkarchiso"
-  mkdir -p "${output}/" "${tmpdir}/"
-  GNUPGHOME="${gnupg_homedir}" ./archiso/mkarchiso \
-      -D "${install_dir}" \
-      -c "${codesigning_cert} ${codesigning_key}" \
-      -g "${pgp_key_id}" \
-      -G "${pgp_sender}" \
-      -o "${output}/" \
-      -w "${tmpdir}/" \
-      -m "${buildmode}" \
-      -v "configs/${profile}"
-
-  print_section_end "mkarchiso"
-
-  if [[ "${buildmode}" =~ "iso" ]]; then
-    create_zsync_delta "${output}/"*.iso
-    create_checksums "${output}/"*.iso
-  fi
-  if [[ "${buildmode}" == "bootstrap" ]]; then
-    create_zsync_delta "${output}/"*.tar*(.gz|.xz|.zst)
-    create_checksums "${output}/"*.tar*(.gz|.xz|.zst)
-  fi
-  create_metrics
-
-  print_section_start "ownership" "Setting ownership on output"
-
-  if [[ -n "${SUDO_UID:-}" ]] && [[ -n "${SUDO_GID:-}" ]]; then
-    chown -Rv "${SUDO_UID}:${SUDO_GID}" -- "${output}"
-  fi
-  print_section_end "ownership"
-}
-
-trap cleanup EXIT
-
-run_mkarchiso

.shellcheckrc

@@ -0,0 +1,11 @@
+# Suggest explicitly using -n in `[ $var ]`
+enable=avoid-nullary-conditions
+
+# Suggest 'command -v' instead of 'which'
+enable=deprecate-which
+
+# Suggest quoting variables without metacharacters
+enable=quote-safe-variables
+
+# Require [[ and warn about [ in Bash/Ksh
+enable=require-double-brackets

AUTHORS.rst

@@ -2,37 +2,60 @@
 Archiso Authors
 ===============
 
+* 2hexed <2hexed@protonmail.com>
 * Aaron Griffin <aaron@archlinux.org>
 * Adam Purkrt <adam@purkrt.net>
 * Alexander Epaneshnikov <aarnaarn2@gmail.com>
+* Alexander Speshilov <speshuric@gmail.com>
+* Anton Hvornum <anton@hvornum.se>
+* Antonio V <crazysnob@live.it>
 * Chandan Singh <cks071g2@gmail.com>
 * Charles Vejnar <ce@vejnar.org>
 * Christian Hesse <mail@eworm.de>
 * Christopher Brannon <cmbrannon79@gmail.com>
 * Dan McGee <dan@archlinux.org>
+* Darren Ng <un1gfn@gmail.com>
 * David Runge <dvzrv@archlinux.org>
 * David Thurstenson <thurstylark@gmail.com>
 * Dieter Plaetinck <dieter@plaetinck.be>
 * Eli Schwartz <eschwartz@archlinux.org>
+* Eric Toombs <567-ewtoombs@users.noreply.gitlab.archlinux.org>
 * Florian Pritz <bluewind@xinu.at>
 * Francois Dupoux <fdupoux@users.sourceforge.net>
 * Gerardo Exequiel Pozzi <vmlinuz386@gmail.com>
 * Gerhard Brauer <gerbra@archlinux.de>
+* Giancarlo Razzolini <grazzolini@archlinux.org>
+* Howard Hicks <deimosian@gmail.com>
 * James Sitegen <jamesm.sitegen@gmail.com>
+* John Lane <archlinux@jelmail.com>
+* Jonathan Liu <net147@gmail.com>
+* Jonathon Fernyhough <jonathon@m2x.dev>
 * Justin Kromlinger <hashworks@archlinux.org>
 * Keshav Amburay <the.ridikulus.rat@gmail.com>
+* Kristian Klausen <kristian@klausen.dk>
 * Loui Chang <louipc.ist@gmail.com>
 * Lukas Fleischer <archlinux@cryptocrack.de>
 * Martin Damian Fernandez <martin.damian.fernandez@gmail.com>
+* Michael Gilchrist <michaelgilch@gmail.com>
 * Michael Vorburger <mike@vorburger.ch>
+* Pellegrino Prevete <pellegrinoprevete@gmail.com>
 * Pierre Schmitz <pierre@archlinux.de>
 * Sean Enck <enckse@voidedtech.com>
 * Simo Leone <simo@archlinux.org>
+* Simon Wilper <sxw@chronowerks.de>
+* Sorin Pânca <sorin.panca@gmail.com>
 * Steffen Bönigk <boenki@gmx.de>
 * Sven-Hendrik Haase <svenstaro@gmail.com>
 * Thomas Bächler <thomas@archlinux.org>
+* Tobias Powalowski <tpowa@archlinux.org>
+* Tom Yan <tom.ty89@gmail.com>
 * Yu Li-Yu <afg984@gmail.com>
+* Zig Globulin <zig@zigsystem.com>
+* hayao <hayao@fascode.net>
+* kojq su <3145-kojqsu@users.noreply.gitlab.archlinux.org>
+* mono wock <aaronleemorrison@protonmail.com>
 * nl6720 <nl6720@gmail.com>
-* Øyvind Heggstad <heggstad@gmail.com>
 * plain linen <bcdedit@hotmail.com>
-* Pellegrino Prevete <pellegrinoprevete@gmail.com>
+* shivanandvp <shivanandvp.oss@gmail.com>
+* weltio weltio <weltio@web.de>
+* Øyvind Heggstad <heggstad@gmail.com>

CHANGELOG.rst

@@ -11,9 +11,359 @@ Added
 Changed
 -------
 
+Deprecated
+----------
+
+Fixed
+-----
+
 Removed
 -------
 
+
+[82] - 2024-11-27
+=================
+
+Fixed
+-----
+
+- Commented out ``DownloadUser`` in ``pacman.conf`` so that the working directory is not restricted to paths to which
+  the ``alpm`` user has access to.
+
+[81] - 2024-10-28
+=================
+
+Fixed
+-----
+
+- Change enabled services in baseline and releng profile to adapt to changes in ``cloud-init`` ≥ 24.3 (renamed
+  ``cloud-init.service`` to ``cloud-init-network.service``, introduced new ``cloud-init-main.service``).
+
+Removed
+-------
+
+- Removed gnu-netcat from releng profile, as cloud-init requires openbsd-netcat and the two netcat versions can not be
+  installed side-by-side.
+
+[80] - 2024-09-26
+=================
+
+Added
+-----
+
+- Support compressing the bootstrap tarball with ``xz``.
+
+Changed
+-------
+
+- Use an empty UUID for the EROFS image file since the file system will never be referenced by it.
+- Do not use ``mkfs.erofs`` extended options ``fragments`` and ``dedupe`` in the baseline profile. This reduces the EROFS
+  image size and compression time.
+- Update profile ``pacman.conf`` to include the new options added to ``/etc/pacman.conf`` in pacman 7.0.0.r3.g7736133-1.
+
+Fixed
+-----
+
+- Show the correct image file name, including the extension, when building a bootstrap image.
+
+Removed
+-------
+
+- Removed reiserfsprogs from packages (EOL)
+
+[79] - 2024-07-25
+=================
+
+Fixed
+-----
+
+- When downloading an automation script fail with non-zero status code instead of returning an HTML document when the
+  remote HTTP server fails to deliver the document.
+
+Removed
+-------
+
+- Remove unneeded workaround for e2fsprogs < 1.47.1.
+
+[78] - 2024-05-23
+=================
+
+Changed
+-------
+
+- Moved the ``pkglist.x86_64.txt`` file outside the bootstrap tarball's ``root.x86_64`` directly to avoid polluting the
+  root file system.
+- Use 4 MiB OVMF files in ``run_archiso`` instead of the old 2 MiB ones.
+- Increase the additional free space of the EFI partition size from 1 MiB to 8 MiB to account for file system overhead
+  when using FAT32 (needs less than 1 MiB) and to give more space for adding custom files when repacking an ISO (e.g.
+  when preparing it for Secure Boot).
+- Remove 300 KiB padding needed for CDs if the ISO exceeds the maximum size of a CD.
+- Use ``xz -9e`` as the releng profile's initramfs compression. Now that mkinitcpio does not decompress the loadable
+  kernel modules and firmware files anymore and moves them to the early uncompressed initramfs, we can compress the main
+  initramfs image with a higher compression without it having much impact on the ISO build time.
+- Format the EFI system partition image as FAT32 if the size allows it (i.e. if it is at least 36 MiB).
+
+Fixed
+-----
+
+- Look for microcode update files in the initramfs images when checking if external microcode images are needed. The
+  existence of a ``early_cpio`` file is not enough since mkinitcpio can and will place other files in the early
+  uncompressed CPIO even when the ``microcode`` hook is not used.
+
+Removed
+-------
+
+- Remove the wezterm-terminfo package from the releng profile as the relevant file is now provided by the ncurses
+  package instead.
+
+[77] - 2024-04-21
+=================
+
+Added
+-----
+
+- Copy Memtest86+ EFI binary to the EFI system partition and ISO 9660 for ``uefi-x86.systemd-boot`` boot modes.
+  Additionally, create a boot entry with it for the releng profile.
+
+Changed
+-------
+
+- Change releng profile's bootstrap tarball compression from gzip to zstd. zstd provides higher and faster compression.
+- Use mkinitcpio's ``microcode`` hook instead of external microcode images to simplify boot loader configuration.
+  Custom PXE setups will need to update their boot loader configuration.
+- Replace ``archisodevice`` boot parameter with ``archisosearchuuid`` in all boot loader configuration. This allows to
+  have "file system transposition" without relaying on GRUB-specific features.
+- Replace GRUB with systemd-boot as the UEFI boot loader for the releng profile. While this increases the ISO size, it
+  avoids all GRUB-specific annoyances and oddities.
+
+Fixed
+-----
+
+- Fix requirement validation logic for the ``uefi-ia32.systemd-boot.eltorito`` boot mode. It incorrectly applied the
+  same requirements as ``uefi-x64.systemd-boot.esp``.
+
+[76] - 2024-03-30
+=================
+
+Added
+-----
+
+- Add a man page for ``mkarchiso``.
+- Implement configurable bootstrap tarball compression. It is configured in ``profiledef.sh`` using a bash array called
+  ``bootstrap_tarball_compression``. baseline tarball now uses zstd compression while releng remains with gzip for now.
+
+Changed
+-------
+
+- Move ``/boot/grub/YYYY-mm-dd-HH-MM-SS-00.uuid`` to ``/boot/YYYY-mm-dd-HH-MM-SS-00.uuid`` and always create the file.
+  Once mkinitcpio-archiso implements searching for the file in early userspace, this file's use will not be limited to
+  just GRUB.
+- Skip including external microcode images in build artifacts if the initramfs file contains ``early_cpio`` (indicating
+  an early uncompressed CPIO archive which should have the microcode update files).
+
+Removed
+-------
+
+- Remove workaround for glibc < 2.39. ``LC_ALL=C.UTF-8`` now overrides ``LANGUAGE``, just like ``LC_ALL=C``.
+
+[75] - 2024-01-24
+=================
+
+Added
+-----
+
+- Explicitly add ldns to releng (as opposed to it only being pulled in as a dependency of another package) to ensure
+  ``drill`` remains available.
+
+Changed
+-------
+
+- Update the releng ISO description to "Arch Linux Live/Rescue DVD" since the ISO size now exceeds the maximum size of
+  a CD (900 MiB).
+
+Fixed
+-----
+
+- Update the location where ``mkarchiso`` looks for the memtest86+ license file.
+
+[74] - 2023-12-21
+=================
+
+Added
+-----
+
+- Add bcachefs-tools to releng for access to bcachefs userspace tools.
+- Add tftp as a valid protocol for downloading automated boot script.
+
+Changed
+-------
+
+- Set ``RequiredForOnline=routable`` in systemd-networkd configuration files to improve the chances that the network
+  really is *online* when ``network-online.target`` is reached.
+
+Fixed
+-----
+
+- Add missing replacement for the UUID variable in systemd-boot configuration files on ISO 9660.
+
+[73] - 2023-09-29
+=================
+
+Added
+-----
+
+- Add bolt to releng for authorizing and otherwise managing Thunderbolt and USB4 devices.
+- Add ``uefi-ia32.systemd-boot.esp`` and ``uefi-ia32.systemd-boot.eltorito`` boot modes that use systemd-boot for IA32
+  UEFI. The boot modes of baseline and releng are not changed.
+- Add GRUB configuration file ``/boot/grub/loopback.cfg`` to the releng and baseline profiles. It sets the necessary
+  boot parameters required for booting the ISO image as a file on a file system.
+
+Fixed
+-----
+
+- Add ``/etc/localtime`` to the baseline profile to ensure the ISO can be booted successfully without triggering
+  questions from systemd-firstboot.
+
+[72] - 2023-08-29
+=================
+
+Added
+-----
+
+- Add tpm2-tools to releng to allow clearing, creating and reading keys on the TPM.
+- Add sequoia-sq and openpgp-card-tools as additional tooling for working with OpenPGP certificates and smartcards.
+
+Changed
+-------
+
+- Moved custom ``mkinitcpio.conf`` files to ``/etc/mkinitcpio.conf.d/archiso.conf``.
+- Mount ``/etc/pacman.d/gnupg`` on tmpfs with option ``noswap`` instead of using ramfs. This ensures there is a limit to
+  the file system size.
+- Enable systemd-networkd's support for IPv6 Privacy Extensions globally instead of per-connection.
+- Moved custom ``sshd_config`` files to ``/ssh/sshd_config.d/10-archiso.conf``
+- Use pcsclite for interfacing with smartcards, since both gnupg and opgpcard support it.
+
+Fixed
+-----
+
+- Sign the root file system image only once.
+- Make sure xorriso does not read its configuration files to prevent interference and unintended behavior.
+
+[71] - 2023-05-28
+=================
+
+Added
+-----
+
+- Added classes for Memtest86+ and UEFI Shell menuentries.
+- Add foot-terminfo and wezterm-terminfo packages to releng to support terminal emulators using them. E.g. when
+  installing via SSH.
+- Add a new ``-r`` option to ``mkarchiso`` that deletes the working directly after the build.
+- Add support for mDNS announce and resolve.
+
+Changed
+-------
+
+- Increase EROFS compression for the baseline profile by using an extreme LZMA compression level and enabling the
+  experimental compressed fragments and data deduplication features.
+- Identify the ISO volume via a UUID instead of a file system label in all boot loader configuration files.
+- Update ``pacman.conf`` to match the one shipped with pacman 6.0.2-7 which removes the community repository.
+
+Fixed
+-----
+
+- Wait for ``network-online.target`` to become active before trying to download the script passed via the ``script=``
+  boot parameter.
+- Subdirectories from ``grub/`` are copied to the ISO.
+- Modify the commandline options to a ``cp`` command in ``mkarchiso`` so that the entire script does not exit with
+  failure when a custom ``.bashrc`` file is supplied with the archiso configuration. This fix was needed after
+  **GNU Coreutils** recently changed the behaviour of the ``-n`` (or ``--no-clobber``) commandline option to the ``cp``
+  command.
+- Ensure ``SOURCE_DATE_EPOCH`` is read from the ``build_date`` file before ``profiledef.sh`` is sourced to ensure the
+  variable has a correct value when used inside ``profiledef.sh``.
+
+[70] - 2023-02-27
+=================
+
+Added
+-----
+
+- Support *file system transposition* to simplify boot medium preparation for UEFI boot via extracting the ISO image
+  contents to a drive. ``grub.cfg`` does not hardcode the ISO volume label anymore, instead GRUB will search for volume
+  with a ``/boot/grub/YYYY-mm-dd-HH-MM-SS-00.uuid`` file on it.
+- Preload GRUB's NTFS modules for UEFI that allegedly have native NTFS support. GRUB's exFAT and UDF modules are also
+  preloaded in case someone finds them useful.
+
+Changed
+-------
+
+- Identify the ISO volume via a UUID instead of a file system label to avoid collisions of multiple ISOs created in the
+  same month.
+- Honor ``SOURCE_DATE_EPOCH`` in the ``date`` command used by ``profiledef.sh`` of the shipped profiles.
+- Do not duplicate ``grub.cfg`` in both ISO 9660 and the EFI system partition / El Torito image. GRUB will search for
+  the ISO volume and load the ``grub.cfg`` from there.
+- Moved GRUB files on ISO 9660 from ``/EFI/BOOT/`` to a boot-platform neutral place ``/boot/grub/``. This does not apply
+  to the EFI binaries that remain in the default/fallback boot path.
+- Move ``grubenv`` to ``/boot/grub/grubenv`` on ISO 9660 so that it is together with the rest of GRUB-specific files.
+  Additionally write more variables in it. The previous ``/${install_dir}/grubenv`` (``/arch/grubenv`` for releng)
+  is deprecated and a future archiso release will not create this file anymore.
+- Moved syslinux directory from ``/syslinux/`` to ``/boot/syslinux/`` to keep most boot loader files in ``/boot/``.
+- Update ``README.transfer`` documentation and convert it to reStructuredText.
+- Use ``console`` as grub's ``terminal_output``, as ``gfxterm`` leads to a blank screen on some hardware.
+
+Removed
+-------
+
+- Do not place memtest86+ in netboot artifacts.
+
+[69] - 2022-12-24
+=================
+
+Added
+-----
+
+- Add Memtest86+ to x86_64 UEFI GRUB boot menu.
+
+Changed
+-------
+
+- Check if the GPG public key file was successfully placed in the work directory before trying to use it.
+- Open the file descriptors for code signing certificates and GPG public key as read only. Nothing from the within the
+  ``pacstrap`` invoked chroot should ever be allowed to write outside of it.
+- Error out early if any of the code signing certificate files passed with option ``-c`` do not exist.
+- Use LZMA compressed EROFS image for the baseline profile. Now that xz 5.4 is out and erofs-utils is built with LZMA
+  support, using a higher compression is possible.
+- Add ``/etc/machine-id`` with special value ``uninitialized``. The final id is generated at boot time, and systemd's
+  first-boot mechanim (see ``First Boot Semantics`` in ``machine-id(5)``) applies. No functional change unless that
+  ``ConditionFirstBoot=yes`` is true and passive unit ``first-boot-complete.target`` activates for ordering.
+
+[68] - 2022-10-30
+=================
+
+Changed
+-------
+
+- Do not explicitly enable ``qemu-guest-agent.service`` as it will be started by a udev rule.
+- Remove existing signature (``.sig``) files and do not sign them when signing netboot artifacts. This is mostly
+  applicable when re-running ``mkarchiso``  after a failure.
+- Replace ``archiso_kms`` with ``kms`` in ``mkinitcpio.conf``. The hook is available in mkinitcpio since version 32.
+
+[67] - 2022-09-25
+=================
+
+Added
+-----
+
+- The ability to generate rootfs signatures using openssl CMS module if ``-c`` is given.
+
+Changed
+-------
+
+- Order ``pacman-init.service`` before ``archlinux-keyring-wkd-sync.service`` since
+  ``archlinux-keyring-wkd-sync.service`` needs an initialized pacman keyring.
+- Order ``pacman-init.service`` after ``time-sync.target`` since ``pacman-init.service`` may otherwise create local
+  signatures that are not valid on target systems after installation.
+
 [66] - 2022-08-28
 =================
 
@@ -53,6 +403,8 @@ Removed
 
 - Remove the custom pacman hook that ran ``locale-gen`` on glibc install from the releng profile. The used locale now
   ships with the glibc package itself.
+- Remove "Copy to RAM" boot entries since the ``archiso`` mkinitcpio hook enables it automatically when there is enough
+  free RAM.
 
 [64] - 2022-05-30
 =================
@@ -191,7 +543,7 @@ Removed
 -------
 
 - Remove all files related to ``mkinitcpio`` integration, as they now live in
-  https://gitlab.archlinux.org/mkinitcpio/mkinitcpio-archiso
+  https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio-archiso
 
 [57] - 2021-07-30
 =================

Makefile

@@ -4,11 +4,13 @@
 PREFIX ?= /usr/local
 BIN_DIR=$(DESTDIR)$(PREFIX)/bin
 DOC_DIR=$(DESTDIR)$(PREFIX)/share/doc/archiso
+MAN_DIR?=$(DESTDIR)$(PREFIX)/share/man
 PROFILE_DIR=$(DESTDIR)$(PREFIX)/share/archiso
 
 DOC_FILES=$(wildcard docs/*) $(wildcard *.rst)
 SCRIPT_FILES=$(wildcard archiso/*) $(wildcard scripts/*.sh) $(wildcard .gitlab/ci/*.sh) \
              $(wildcard configs/*/profiledef.sh) $(wildcard configs/*/airootfs/usr/local/bin/*)
+VERSION?=$(shell git describe --long --abbrev=7 | sed 's/^v//;s/\([^-]*-g\)/r\1/;s/-/./g;s/\.r0\.g.*//')
 
 all:
 
@@ -17,7 +19,7 @@ check: shellcheck
 shellcheck:
 	shellcheck -s bash $(SCRIPT_FILES)
 
-install: install-scripts install-profiles install-doc
+install: install-scripts install-profiles install-doc install-man
 
 install-scripts:
 	install -vDm 755 archiso/mkarchiso -t "$(BIN_DIR)/"
@@ -30,4 +32,9 @@ install-profiles:
 install-doc:
 	install -vDm 644 $(DOC_FILES) -t $(DOC_DIR)
 
-.PHONY: check install install-doc install-profiles install-scripts shellcheck
+install-man:
+	@printf '.. |version| replace:: %s\n' '$(VERSION)' > man/version.rst
+	install -d -m 755 $(MAN_DIR)/man1
+	rst2man man/mkarchiso.1.rst $(MAN_DIR)/man1/mkarchiso.1
+
+.PHONY: check install install-doc install-man install-profiles install-scripts shellcheck

README.rst

@@ -3,7 +3,7 @@ archiso
 =======
 
 The archiso project features scripts and configuration templates to build installation media (*.iso* images and
-*.tar.gz* bootstrap images) as well as netboot artifacts for BIOS and UEFI based systems on the x86_64 architecture.
+*.tar bootstrap images) as well as netboot artifacts for BIOS and UEFI based systems on the x86_64 architecture.
 Currently creating the images is only supported on Arch Linux but may work on other operating systems as well.
 
 Requirements
@@ -36,6 +36,10 @@ For linting the shell scripts the following package is required:
 
 * shellcheck
 
+For generating the man pages:
+
+* python-docutils
+
 Profiles
 ========
 
@@ -129,7 +133,7 @@ boot the iso image from GRUB with a version specific cow directory to mitigate o
 .. code:: sh
 
    loopback loop archlinux.iso
-   load_env -f (loop)/arch/grubenv
+   load_env -f (loop)/boot/grub/grubenv
    linux (loop)/arch/boot/x86_64/vmlinuz-linux ... \
        cow_directory=${NAME}/${VERSION} ...
    initrd (loop)/arch/boot/x86_64/initramfs-linux-lts.img
@@ -139,14 +143,14 @@ Contribute
 
 Development of archiso takes place on Arch Linux' Gitlab: https://gitlab.archlinux.org/archlinux/archiso.
 
-Please read our distribution-wide `Code of Conduct <https://wiki.archlinux.org/title/Code_of_conduct>`_ before
+Please read our distribution-wide `Code of Conduct <https://terms.archlinux.org/docs/code-of-conduct/>`_ before
 contributing, to understand what actions will and will not be tolerated.
 
 Read our `contributing guide <CONTRIBUTING.rst>`_ to learn more about how to provide fixes or improvements for the code
 base.
 
 Discussion around archiso takes place on the `arch-releng mailing list
-<https://lists.archlinux.org/listinfo/arch-releng>`_ and in `#archlinux-releng
+<https://lists.archlinux.org/mailman3/lists/arch-releng.lists.archlinux.org/>`_ and in `#archlinux-releng
 <ircs://irc.libera.chat/archlinux-releng>`_ on `Libera Chat <https://libera.chat/>`_.
 
 All past and present authors of archiso are listed in `AUTHORS <AUTHORS.rst>`_.
@@ -156,7 +160,7 @@ Releases
 
 `Releases of archiso <https://gitlab.archlinux.org/archlinux/archiso/-/tags>`_ are created by their current maintainers
 
-- `David Runge <https://gitlab.archlinux.org/dvzrv>`_ (``C7E7849466FE2358343588377258734B41C31549``)
+- `David Runge <https://gitlab.archlinux.org/dvzrv>`_ (``991F6E3F0765CF6295888586139B09DA5BF0D338``)
 - `nl6720 <https://gitlab.archlinux.org/nl6720>`_ (``BB8E6F1B81CF0BB301D74D1CBF425A01E68B38EF``)
 
 Tags are signed using respective PGP keys.

configs/baseline/airootfs/etc/localtime

@@ -0,0 +1 @@
+/usr/share/zoneinfo/UTC

configs/baseline/airootfs/etc/mkinitcpio.conf

@@ -1,67 +0,0 @@
-# vim:set ft=sh
-# MODULES
-# The following modules are loaded before any boot hooks are
-# run.  Advanced users may wish to specify all system modules
-# in this array.  For instance:
-#     MODULES=(piix ide_disk reiserfs)
-MODULES=()
-
-# BINARIES
-# This setting includes any additional binaries a given user may
-# wish into the CPIO image.  This is run last, so it may be used to
-# override the actual binaries included by a given hook
-# BINARIES are dependency parsed, so you may safely ignore libraries
-BINARIES=()
-
-# FILES
-# This setting is similar to BINARIES above, however, files are added
-# as-is and are not parsed in any way.  This is useful for config files.
-FILES=()
-
-# HOOKS
-# This is the most important setting in this file.  The HOOKS control the
-# modules and scripts added to the image, and what happens at boot time.
-# Order is important, and it is recommended that you do not change the
-# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
-# help on a given hook.
-# 'base' is _required_ unless you know precisely what you are doing.
-# 'udev' is _required_ in order to automatically load modules
-# 'filesystems' is _required_ unless you specify your fs modules in MODULES
-# Examples:
-##   This setup specifies all modules in the MODULES setting above.
-##   No raid, lvm2, or encrypted root is needed.
-#    HOOKS=(base)
-#
-##   This setup will autodetect all modules for your system and should
-##   work as a sane default
-#    HOOKS=(base udev autodetect block filesystems)
-#
-##   This setup will generate a 'full' image which supports most systems.
-##   No autodetection is done.
-#    HOOKS=(base udev block filesystems)
-#
-##   This setup assembles a pata mdadm array with an encrypted root FS.
-##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
-#    HOOKS=(base udev block mdadm encrypt filesystems)
-#
-##   This setup loads an lvm2 volume group on a usb device.
-#    HOOKS=(base udev block lvm2 filesystems)
-#
-##   NOTE: If you have /usr on a separate partition, you MUST include the
-#    usr, fsck and shutdown hooks.
-HOOKS=(base udev modconf archiso block filesystems)
-
-# COMPRESSION
-# Use this to compress the initramfs image. By default, gzip compression
-# is used. Use 'cat' to create an uncompressed image.
-#COMPRESSION="gzip"
-#COMPRESSION="bzip2"
-#COMPRESSION="lzma"
-#COMPRESSION="xz"
-#COMPRESSION="lzop"
-#COMPRESSION="lz4"
-#COMPRESSION="zstd"
-
-# COMPRESSION_OPTIONS
-# Additional options for the compressor
-#COMPRESSION_OPTIONS=()

configs/baseline/airootfs/etc/mkinitcpio.conf.d/archiso.conf

@@ -0,0 +1 @@
+HOOKS=(base udev modconf archiso block filesystems)

configs/baseline/airootfs/etc/mkinitcpio.d/linux.preset

@@ -3,6 +3,6 @@
 PRESETS=('archiso')
 
 ALL_kver='/boot/vmlinuz-linux'
-ALL_config='/etc/mkinitcpio.conf'
+archiso_config='/etc/mkinitcpio.conf.d/archiso.conf'
 
 archiso_image="/boot/initramfs-linux.img"

configs/baseline/airootfs/etc/ssh/sshd_config

@@ -1,116 +0,0 @@
-#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile	.ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#KbdInteractiveAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the KbdInteractiveAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and KbdInteractiveAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no # pam does that
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem	sftp	/usr/lib/ssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server

configs/baseline/airootfs/etc/ssh/sshd_config.d/10-archiso.conf

@@ -0,0 +1,3 @@
+# Allow root login using password authentication
+PasswordAuthentication yes
+PermitRootLogin yes

configs/baseline/airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf

@@ -0,0 +1,2 @@
+[Network]
+IPv6PrivacyExtensions=yes

configs/baseline/airootfs/etc/systemd/network/20-ethernet.network

@@ -5,6 +5,9 @@
 Name=en*
 Name=eth*
 
+[Link]
+RequiredForOnline=routable
+
 [Network]
 DHCP=yes
-IPv6PrivacyExtensions=yes
+MulticastDNS=yes

configs/baseline/airootfs/etc/systemd/resolved.conf.d/archiso.conf

@@ -0,0 +1,4 @@
+# Default systemd-resolved configuration for archiso
+
+[Resolve]
+MulticastDNS=yes

configs/baseline/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init-main.service

@@ -0,0 +1 @@
+/usr/lib/systemd/system/cloud-init-main.service

configs/baseline/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init-network.service

@@ -0,0 +1 @@
+/usr/lib/systemd/system/cloud-init-network.service

configs/baseline/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init.service

@@ -1 +0,0 @@
-/usr/lib/systemd/system/cloud-init.service

configs/baseline/airootfs/etc/systemd/system/multi-user.target.wants/qemu-guest-agent.service

@@ -1 +0,0 @@
-/usr/lib/systemd/system/qemu-guest-agent.service

configs/baseline/efiboot/loader/entries/01-archiso-x86_64-linux.conf

@@ -1,4 +1,4 @@
 title   Arch Linux (x86_64, UEFI)
 linux   /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
 initrd  /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-options archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL%
+options archisobasedir=%INSTALL_DIR% archisosearchuuid=%ARCHISO_UUID%

configs/baseline/efiboot/loader/entries/02-archiso-x86_64-ram-linux.conf

@@ -1,4 +0,0 @@
-title   Arch Linux (x86_64, UEFI) Copy to RAM
-linux   /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-initrd  /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-options archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram

configs/baseline/grub/grub.cfg

@@ -3,23 +3,46 @@ insmod part_gpt
 insmod part_msdos
 insmod fat
 insmod iso9660
+insmod ntfs
+insmod ntfscomp
+insmod exfat
+insmod udf
 
 # Use graphics-mode output
-insmod all_video
-insmod font
 if loadfont "${prefix}/fonts/unicode.pf2" ; then
-    insmod gfxterm
+    insmod all_video
     set gfxmode="auto"
     terminal_input console
-    terminal_output gfxterm
+    terminal_output console
 fi
 
 # Enable serial console
+insmod serial
+insmod usbserial_common
+insmod usbserial_ftdi
+insmod usbserial_pl2303
+insmod usbserial_usbdebug
 if serial --unit=0 --speed=115200; then
     terminal_input --append serial
     terminal_output --append serial
 fi
 
+# Get a human readable platform identifier
+if [ "${grub_platform}" == 'efi' ]; then
+    archiso_platform='UEFI'
+    if [ "${grub_cpu}" == 'x86_64' ]; then
+        archiso_platform="x64 ${archiso_platform}"
+    elif [ "${grub_cpu}" == 'i386' ]; then
+        archiso_platform="IA32 ${archiso_platform}"
+    else
+        archiso_platform="${grub_cpu} ${archiso_platform}"
+    fi
+elif [ "${grub_platform}" == 'pc' ]; then
+    archiso_platform='BIOS'
+else
+    archiso_platform="${grub_cpu} ${grub_platform}"
+fi
+
 # Set default menu entry
 default=archlinux
 timeout=15
@@ -28,16 +51,46 @@ timeout_style=menu
 
 # Menu entries
 
-menuentry "Arch Linux (x86_64, UEFI)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' {
+menuentry "Arch Linux (%ARCH%, ${archiso_platform})" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' {
     set gfxpayload=keep
-    search --no-floppy --set=root --label %ARCHISO_LABEL%
-    linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL%
-    initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
+    linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisosearchuuid=%ARCHISO_UUID%
+    initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img
 }
 
-menuentry "Arch Linux (x86_64, UEFI) Copy to RAM" --class arch --class gnu-linux --class gnu --class os --id 'archlinux-copy-to-ram' {
-    set gfxpayload=keep
-    search --no-floppy --set=root --label %ARCHISO_LABEL%
-    linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram
-    initrd /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
+if [ "${grub_platform}" == 'efi' -a "${grub_cpu}" == 'x86_64' -a -f '/boot/memtest86+/memtest.efi' ]; then
+    menuentry 'Run Memtest86+ (RAM test)' --class memtest86 --class gnu --class tool {
+        set gfxpayload=800x600,1024x768
+        linux /boot/memtest86+/memtest.efi
+    }
+fi
+if [ "${grub_platform}" == 'pc' -a -f '/boot/memtest86+/memtest' ]; then
+    menuentry 'Run Memtest86+ (RAM test)' --class memtest86 --class gnu --class tool {
+        set gfxpayload=800x600,1024x768
+        linux /boot/memtest86+/memtest
+    }
+fi
+if [ "${grub_platform}" == 'efi' ]; then
+    if [ "${grub_cpu}" == 'x86_64' -a -f '/shellx64.efi' ]; then
+        menuentry 'UEFI Shell' {
+            chainloader /shellx64.efi
+        }
+    elif [ "${grub_cpu}" == "i386" -a -f '/shellia32.efi' ]; then
+        menuentry 'UEFI Shell' {
+            chainloader /shellia32.efi
+        }
+    fi
+
+    menuentry 'UEFI Firmware Settings' --id 'uefi-firmware' {
+        fwsetup
+    }
+fi
+
+menuentry 'System shutdown' --class shutdown --class poweroff {
+    echo 'System shutting down...'
+    halt
+}
+
+menuentry 'System restart' --class reboot --class restart {
+    echo 'System rebooting...'
+    reboot
 }

configs/baseline/grub/loopback.cfg

@@ -0,0 +1,73 @@
+# https://www.supergrubdisk.org/wiki/Loopback.cfg
+
+# Search for the ISO volume
+search --no-floppy --set=archiso_img_dev --file "${iso_path}"
+probe --set archiso_img_dev_uuid --fs-uuid "${archiso_img_dev}"
+
+# Get a human readable platform identifier
+if [ "${grub_platform}" == 'efi' ]; then
+    archiso_platform='UEFI'
+    if [ "${grub_cpu}" == 'x86_64' ]; then
+        archiso_platform="x64 ${archiso_platform}"
+    elif [ "${grub_cpu}" == 'i386' ]; then
+        archiso_platform="IA32 ${archiso_platform}"
+    else
+        archiso_platform="${grub_cpu} ${archiso_platform}"
+    fi
+elif [ "${grub_platform}" == 'pc' ]; then
+    archiso_platform='BIOS'
+else
+    archiso_platform="${grub_cpu} ${grub_platform}"
+fi
+
+# Set default menu entry
+default=archlinux
+timeout=15
+timeout_style=menu
+
+
+# Menu entries
+
+menuentry "Arch Linux (%ARCH%, ${archiso_platform})" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' {
+    set gfxpayload=keep
+    linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux archisobasedir=%INSTALL_DIR% img_dev=UUID=${archiso_img_dev_uuid} img_loop="${iso_path}"
+    initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img
+}
+
+if [ "${grub_platform}" == 'efi' -a "${grub_cpu}" == 'x86_64' -a -f '/boot/memtest86+/memtest.efi' ]; then
+    menuentry 'Run Memtest86+ (RAM test)' --class memtest86 --class gnu --class tool {
+        set gfxpayload=800x600,1024x768
+        linux /boot/memtest86+/memtest.efi
+    }
+fi
+if [ "${grub_platform}" == 'pc' -a -f '/boot/memtest86+/memtest' ]; then
+    menuentry 'Run Memtest86+ (RAM test)' --class memtest86 --class gnu --class tool {
+        set gfxpayload=800x600,1024x768
+        linux /boot/memtest86+/memtest
+    }
+fi
+if [ "${grub_platform}" == 'efi' ]; then
+    if [ "${grub_cpu}" == 'x86_64' -a -f '/shellx64.efi' ]; then
+        menuentry 'UEFI Shell' {
+            chainloader /shellx64.efi
+        }
+    elif [ "${grub_cpu}" == "i386" -a -f '/shellia32.efi' ]; then
+        menuentry 'UEFI Shell' {
+            chainloader /shellia32.efi
+        }
+    fi
+
+    menuentry 'UEFI Firmware Settings' --id 'uefi-firmware' {
+        fwsetup
+    }
+fi
+
+menuentry 'System shutdown' --class shutdown --class poweroff {
+    echo 'System shutting down...'
+    halt
+}
+
+menuentry 'System restart' --class reboot --class restart {
+    echo 'System rebooting...'
+    reboot
+}

configs/baseline/pacman.conf

@@ -36,6 +36,8 @@ Architecture = auto
 #CheckSpace
 #VerbosePkgLists
 ParallelDownloads = 5
+#DownloadUser = alpm
+#DisableSandbox
 
 # By default, pacman accepts packages signed by keys that its local keyring
 # trusts (see pacman-key and its man page), as well as unsigned packages.
@@ -70,19 +72,16 @@ LocalFileSigLevel = Optional
 # repo name header and Include lines. You can add preferred servers immediately
 # after the header, and they will be used before the default mirrors.
 
-#[testing]
+#[core-testing]
 #Include = /etc/pacman.d/mirrorlist
 
 [core]
 Include = /etc/pacman.d/mirrorlist
 
-[extra]
-Include = /etc/pacman.d/mirrorlist
-
-#[community-testing]
+#[extra-testing]
 #Include = /etc/pacman.d/mirrorlist
 
-[community]
+[extra]
 Include = /etc/pacman.d/mirrorlist
 
 # If you want to run 32 bit applications on your x86_64 system,

configs/baseline/profiledef.sh

@@ -2,10 +2,10 @@
 # shellcheck disable=SC2034
 
 iso_name="archlinux-baseline"
-iso_label="ARCH_$(date +%Y%m)"
+iso_label="ARCH_$(date --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y%m)"
 iso_publisher="Arch Linux <https://archlinux.org>"
 iso_application="Arch Linux baseline"
-iso_version="$(date +%Y.%m.%d)"
+iso_version="$(date --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y.%m.%d)"
 install_dir="arch"
 buildmodes=('iso')
 bootmodes=('bios.syslinux.mbr' 'bios.syslinux.eltorito'
@@ -14,7 +14,8 @@ bootmodes=('bios.syslinux.mbr' 'bios.syslinux.eltorito'
 arch="x86_64"
 pacman_conf="pacman.conf"
 airootfs_image_type="erofs"
-airootfs_image_tool_options=('-zlz4hc,12' -E ztailpacking)
+airootfs_image_tool_options=('-zlzma,109' -E 'ztailpacking')
+bootstrap_tarball_compression=(zstd -c -T0 --long -19)
 file_permissions=(
   ["/etc/shadow"]="0:0:400"
 )

configs/baseline/syslinux/syslinux-linux.cfg

@@ -2,10 +2,4 @@ LABEL arch
 MENU LABEL Arch Linux (x86_64, BIOS)
 LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux
 INITRD /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img
-APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL%
-
-LABEL arch-ram
-MENU LABEL Arch Linux (x86_64, BIOS) Copy to RAM
-LINUX /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux
-INITRD /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img
-APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram
+APPEND archisobasedir=%INSTALL_DIR% archisosearchuuid=%ARCHISO_UUID%

configs/releng/airootfs/etc/mkinitcpio.conf

@@ -1,67 +0,0 @@
-# vim:set ft=sh
-# MODULES
-# The following modules are loaded before any boot hooks are
-# run.  Advanced users may wish to specify all system modules
-# in this array.  For instance:
-#     MODULES=(piix ide_disk reiserfs)
-MODULES=()
-
-# BINARIES
-# This setting includes any additional binaries a given user may
-# wish into the CPIO image.  This is run last, so it may be used to
-# override the actual binaries included by a given hook
-# BINARIES are dependency parsed, so you may safely ignore libraries
-BINARIES=()
-
-# FILES
-# This setting is similar to BINARIES above, however, files are added
-# as-is and are not parsed in any way.  This is useful for config files.
-FILES=()
-
-# HOOKS
-# This is the most important setting in this file.  The HOOKS control the
-# modules and scripts added to the image, and what happens at boot time.
-# Order is important, and it is recommended that you do not change the
-# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
-# help on a given hook.
-# 'base' is _required_ unless you know precisely what you are doing.
-# 'udev' is _required_ in order to automatically load modules
-# 'filesystems' is _required_ unless you specify your fs modules in MODULES
-# Examples:
-##   This setup specifies all modules in the MODULES setting above.
-##   No raid, lvm2, or encrypted root is needed.
-#    HOOKS=(base)
-#
-##   This setup will autodetect all modules for your system and should
-##   work as a sane default
-#    HOOKS=(base udev autodetect block filesystems)
-#
-##   This setup will generate a 'full' image which supports most systems.
-##   No autodetection is done.
-#    HOOKS=(base udev block filesystems)
-#
-##   This setup assembles a pata mdadm array with an encrypted root FS.
-##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
-#    HOOKS=(base udev block mdadm encrypt filesystems)
-#
-##   This setup loads an lvm2 volume group on a usb device.
-#    HOOKS=(base udev block lvm2 filesystems)
-#
-##   NOTE: If you have /usr on a separate partition, you MUST include the
-#    usr, fsck and shutdown hooks.
-HOOKS=(base udev modconf memdisk archiso archiso_loop_mnt archiso_pxe_common archiso_pxe_nbd archiso_pxe_http archiso_pxe_nfs archiso_kms block filesystems keyboard)
-
-# COMPRESSION
-# Use this to compress the initramfs image. By default, gzip compression
-# is used. Use 'cat' to create an uncompressed image.
-#COMPRESSION="gzip"
-#COMPRESSION="bzip2"
-#COMPRESSION="lzma"
-COMPRESSION="xz"
-#COMPRESSION="lzop"
-#COMPRESSION="lz4"
-#COMPRESSION="zstd"
-
-# COMPRESSION_OPTIONS
-# Additional options for the compressor
-#COMPRESSION_OPTIONS=()

configs/releng/airootfs/etc/mkinitcpio.conf.d/archiso.conf

@@ -0,0 +1,3 @@
+HOOKS=(base udev microcode modconf kms memdisk archiso archiso_loop_mnt archiso_pxe_common archiso_pxe_nbd archiso_pxe_http archiso_pxe_nfs block filesystems keyboard)
+COMPRESSION="xz"
+COMPRESSION_OPTIONS=(-9e)

configs/releng/airootfs/etc/mkinitcpio.d/linux.preset

@@ -3,6 +3,6 @@
 PRESETS=('archiso')
 
 ALL_kver='/boot/vmlinuz-linux'
-ALL_config='/etc/mkinitcpio.conf'
+archiso_config='/etc/mkinitcpio.conf.d/archiso.conf'
 
 archiso_image="/boot/initramfs-linux.img"

configs/releng/airootfs/etc/ssh/sshd_config

@@ -1,116 +0,0 @@
-#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile	.ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#KbdInteractiveAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the KbdInteractiveAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and KbdInteractiveAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no # pam does that
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem	sftp	/usr/lib/ssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server

configs/releng/airootfs/etc/ssh/sshd_config.d/10-archiso.conf

@@ -0,0 +1,3 @@
+# Allow root login using password authentication
+PasswordAuthentication yes
+PermitRootLogin yes

configs/releng/airootfs/etc/systemd/network.conf.d/ipv6-privacy-extensions.conf

@@ -0,0 +1,2 @@
+[Network]
+IPv6PrivacyExtensions=yes

configs/releng/airootfs/etc/systemd/network/20-ethernet.network

@@ -5,9 +5,12 @@
 Name=en*
 Name=eth*
 
+[Link]
+RequiredForOnline=routable
+
 [Network]
 DHCP=yes
-IPv6PrivacyExtensions=yes
+MulticastDNS=yes
 
 # systemd-networkd does not set per-interface-type default route metrics
 # https://github.com/systemd/systemd/issues/17698

configs/releng/airootfs/etc/systemd/network/20-wlan.network

@@ -1,9 +1,12 @@
 [Match]
 Name=wl*
 
+[Link]
+RequiredForOnline=routable
+
 [Network]
 DHCP=yes
-IPv6PrivacyExtensions=yes
+MulticastDNS=yes
 
 # systemd-networkd does not set per-interface-type default route metrics
 # https://github.com/systemd/systemd/issues/17698

configs/releng/airootfs/etc/systemd/network/20-wwan.network

@@ -1,9 +1,11 @@
 [Match]
 Name=ww*
 
+[Link]
+RequiredForOnline=routable
+
 [Network]
 DHCP=yes
-IPv6PrivacyExtensions=yes
 
 # systemd-networkd does not set per-interface-type default route metrics
 # https://github.com/systemd/systemd/issues/17698

configs/releng/airootfs/etc/systemd/resolved.conf.d/archiso.conf

@@ -0,0 +1,4 @@
+# Default systemd-resolved configuration for archiso
+
+[Resolve]
+MulticastDNS=yes

configs/releng/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init-main.service

@@ -0,0 +1 @@
+/usr/lib/systemd/system/cloud-init-main.service

configs/releng/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init-network.service

@@ -0,0 +1 @@
+/usr/lib/systemd/system/cloud-init-network.service

configs/releng/airootfs/etc/systemd/system/cloud-init.target.wants/cloud-init.service

@@ -1 +0,0 @@
-/usr/lib/systemd/system/cloud-init.service

configs/releng/airootfs/etc/systemd/system/dbus-org.freedesktop.timesync1.service

@@ -0,0 +1 @@
+/usr/lib/systemd/system/systemd-timesyncd.service

configs/releng/airootfs/etc/systemd/system/etc-pacman.d-gnupg.mount

@@ -2,7 +2,7 @@
 Description=Temporary /etc/pacman.d/gnupg directory
 
 [Mount]
-What=ramfs
+What=tmpfs
 Where=/etc/pacman.d/gnupg
-Type=ramfs
-Options=mode=0755
+Type=tmpfs
+Options=mode=0755,noswap

configs/releng/airootfs/etc/systemd/system/multi-user.target.wants/pacman-init.service

@@ -0,0 +1 @@
+../pacman-init.service

configs/releng/airootfs/etc/systemd/system/multi-user.target.wants/qemu-guest-agent.service

@@ -1 +0,0 @@
-/usr/lib/systemd/system/qemu-guest-agent.service

configs/releng/airootfs/etc/systemd/system/pacman-init.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Initializes Pacman keyring
+Requires=etc-pacman.d-gnupg.mount
+After=etc-pacman.d-gnupg.mount time-sync.target
+BindsTo=etc-pacman.d-gnupg.mount
+Before=archlinux-keyring-wkd-sync.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/pacman-key --init
+ExecStart=/usr/bin/pacman-key --populate
+
+[Install]
+WantedBy=multi-user.target

configs/releng/airootfs/etc/systemd/system/sockets.target.wants/pcscd.socket

@@ -0,0 +1 @@
+/usr/lib/systemd/system/pcscd.socket

configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-time-wait-sync.service

@@ -0,0 +1 @@
+/usr/lib/systemd/system/systemd-time-wait-sync.service

configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service

@@ -0,0 +1 @@
+/usr/lib/systemd/system/systemd-timesyncd.service

configs/releng/airootfs/root/.automated_script.sh

@@ -1,22 +1,29 @@
 #!/usr/bin/env bash
 
-script_cmdline ()
-{
+script_cmdline() {
     local param
-    for param in $(< /proc/cmdline); do
+    for param in $(</proc/cmdline); do
         case "${param}" in
-            script=*) echo "${param#*=}" ; return 0 ;;
+            script=*)
+                echo "${param#*=}"
+                return 0
+                ;;
         esac
     done
 }
 
-automated_script ()
-{
+automated_script() {
     local script rt
     script="$(script_cmdline)"
     if [[ -n "${script}" && ! -x /tmp/startup_script ]]; then
-        if [[ "${script}" =~ ^((http|https|ftp)://) ]]; then
-            curl "${script}" --location --retry-connrefused --retry 10 -s -o /tmp/startup_script >/dev/null
+        if [[ "${script}" =~ ^((http|https|ftp|tftp)://) ]]; then
+            # there's no synchronization for network availability before executing this script
+            printf '%s: waiting for network-online.target\n' "$0"
+            until systemctl --quiet is-active network-online.target; do
+                sleep 1
+            done
+            printf '%s: downloading %s\n' "$0" "${script}"
+            curl "${script}" --location --retry-connrefused --retry 10 --fail -s -o /tmp/startup_script
             rt=$?
         else
             cp "${script}" /tmp/startup_script
@@ -24,6 +31,9 @@ automated_script ()
         fi
         if [[ ${rt} -eq 0 ]]; then
             chmod +x /tmp/startup_script
+            printf '%s: executing automated script\n' "$0"
+            # note that script is executed when other services (like pacman-init) may be still in progress, please
+            # synchronize to "systemctl is-system-running --wait" when your script depends on other services
             /tmp/startup_script
         fi
     fi

configs/releng/airootfs/root/.gnupg/scdaemon.conf

@@ -0,0 +1,4 @@
+disable-ccid
+disable-pinpad
+pcsc-driver /usr/lib/libpcsclite.so
+pcsc-shared

configs/releng/airootfs/root/.zlogin

@@ -1,5 +1,5 @@
 # fix for screen readers
-if grep -Fq 'accessibility=' /proc/cmdline &> /dev/null; then
+if grep -Fqa 'accessibility=' /proc/cmdline &> /dev/null; then
     setopt SINGLE_LINE_ZLE
 fi
 

configs/releng/airootfs/usr/local/bin/choose-mirror

@@ -4,21 +4,22 @@
 
 get_cmdline() {
     local param
-    for param in $(< /proc/cmdline); do
+    for param in $(</proc/cmdline); do
         case "${param}" in
-            $1=*) echo "${param##*=}";
-            return 0
-            ;;
+            "${1}="*)
+                echo "${param##*=}"
+                return 0
+                ;;
         esac
     done
 }
 
-mirror=$(get_cmdline mirror)
-[[ $mirror = auto ]] && mirror=$(get_cmdline archiso_http_srv)
-[[ $mirror ]] || exit 0
+mirror="$(get_cmdline mirror)"
+[[ "$mirror" == 'auto' ]] && mirror="$(get_cmdline archiso_http_srv)"
+[[ -n "$mirror" ]] || exit 0
 
 mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
-cat >/etc/pacman.d/mirrorlist << EOF
+cat >/etc/pacman.d/mirrorlist <<EOF
 #
 # Arch Linux repository mirrorlist
 # Generated by archiso

configs/releng/airootfs/usr/local/bin/livecd-sound

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 usage() {
-    cat <<- _EOF_
+    cat <<-_EOF_
     live cd sound helper script.
     Usage: livecdsound [OPTION]
     OPTIONS
@@ -14,14 +14,13 @@ usage() {
 _EOF_
 }
 
-bugout () {
+bugout() {
     printf "/usr/local/bin/livecdsound: programming error"
     stat_fail
 }
 
-echo_card_indices()
-{
-    if [ -f /proc/asound/cards ] ; then
+echo_card_indices() {
+    if [[ -f /proc/asound/cards ]]; then
         sed -n -e's/^[[:space:]]*\([0-7]\)[[:space:]].*/\1/p' /proc/asound/cards
     fi
 }
@@ -33,8 +32,8 @@ echo_card_indices()
 # $1 <card id>
 # $2 <control>
 # $3 <level>
-unmute_and_set_level(){
-    { [ "$3" ] &&[ "$2" ] && [ "$1" ] ; } || bugout
+unmute_and_set_level() {
+    [[ -n "$3" && -n "$2" && -n "$1" ]] || bugout
     systemd-cat -t "livecdsound" printf "Setting: %s on card: %s to %s\n" "$2" "$1" "$3"
     systemd-cat -t "livecdsound" amixer -c "$1" set "$2" "$3" unmute
     return 0
@@ -42,9 +41,8 @@ unmute_and_set_level(){
 
 # $1 <card id>
 # $2 <control>
-mute_and_zero_level()
-{
-    { [ "$1" ] && [ "$2" ] ; } || bugout
+mute_and_zero_level() {
+    [[ -n "$1" && -n "$2" ]] || bugout
     systemd-cat -t "livecdsound" printf "Muting control: %s on card: %s\n" "$2" "$1"
     systemd-cat -t "livecdsound" amixer -c "$1" set "$2" "0%" mute
     return 0
@@ -53,17 +51,15 @@ mute_and_zero_level()
 # $1 <card ID>
 # $2 <control>
 # $3 "on" | "off"
-switch_control()
-{
-    { [ "$3" ] && [ "$1" ] ; } || bugout
+switch_control() {
+    [[ -n "$3" && -n "$1" ]] || bugout
     systemd-cat -t "livecdsound" printf "Switching control: %s on card: %s to %s\n" "$2" "$1" "$3"
     systemd-cat -t "livecdsound" amixer -c "$1" set "$2" "$3"
     return 0
 }
 
 # $1 <card ID>
-sanify_levels_on_card()
-{
+sanify_levels_on_card() {
     unmute_and_set_level "$1" "Front" "80%"
     unmute_and_set_level "$1" "Master" "80%"
     unmute_and_set_level "$1" "Master Mono" "80%"
@@ -134,94 +130,89 @@ sanify_levels_on_card()
 }
 
 # $1 <card ID> | "all"
-sanify_levels()
-{
+sanify_levels() {
     local ttsdml_returnstatus=0
     local card
     case "$1" in
-              all)
-        for card in $(echo_card_indices) ; do
-            sanify_levels_on_card "$card" || ttsdml_returnstatus=1
-        done
-        ;;
-      *)
-        sanify_levels_on_card "$1" || ttsdml_returnstatus=1
-        ;;
+        all)
+            for card in $(echo_card_indices); do
+                sanify_levels_on_card "$card" || ttsdml_returnstatus=1
+            done
+            ;;
+        *)
+            sanify_levels_on_card "$1" || ttsdml_returnstatus=1
+            ;;
     esac
-    return $ttsdml_returnstatus
+    return "$ttsdml_returnstatus"
 }
 
 # List all cards that *should* be usable for PCM audio.  In my experience,
 # the console speaker (handled by the pcsp driver) isn't a suitable playback
 # device, so we'll exclude it.
-list_non_pcsp_cards()
-{
+list_non_pcsp_cards() {
     for card in $(echo_card_indices); do
         local cardfile="/proc/asound/card${card}/id"
-        if [ -r "$cardfile" ] && [ -f "$cardfile" ] && \
-            [ "$(cat "$cardfile")" != pcsp ]; then
+        if [[ -r "$cardfile" && -f "$cardfile" && "$(cat "$cardfile")" != pcsp ]]; then
             echo "$card"
         fi
     done
 }
 
 # Properly initialize the sound card so that we have audio at boot.
-unmute_all_cards()
-{
+unmute_all_cards() {
     sanify_levels all
 }
 
 is_numeric() {
-    local str=$1
+    local str="$1"
     [[ "$str" =~ ^[0-9]+$ ]]
 }
 
 set_default_card() {
-    local card=$1
-    sed -e "s/%card%/$card/g" < /usr/local/share/livecd-sound/asound.conf.in \
-        > /etc/asound.conf
+    local card="$1"
+    sed -e "s/%card%/$card/g" </usr/local/share/livecd-sound/asound.conf.in \
+        >/etc/asound.conf
 }
 
 play_on_card() {
-    local card=$1 file=$2
+    local card="$1" file="$2"
     aplay -q "-Dplughw:$card,0" "$file"
 }
 
 # If there are multiple usable sound cards, prompt the user to choose one,
 # using auditory feedback.
-pick_a_card()
-{
+pick_a_card() {
     set -f
     usable_cards="$(list_non_pcsp_cards)"
-    num_usable_cards="$(wc -w <<< "$usable_cards")"
+    num_usable_cards="$(wc -w <<<"$usable_cards")"
 
-    if [ "$num_usable_cards" -eq 1 ]; then
+    if (( num_usable_cards == 1 )); then
         systemd-cat -t "livecdsound" printf "Only one sound card is detected\n"
         exit 0
     fi
     systemd-cat -t "livecdsound" printf "multiple sound cards detected\n"
-    for card in $usable_cards; do
+    for card in "${usable_cards[@]}"; do
         if ! is_numeric "$card"; then
             continue
         fi
-        play_on_card "$card" /usr/share/livecd-sounds/pick-a-card.wav&
+        play_on_card "$card" /usr/share/livecd-sounds/pick-a-card.wav &
     done
     wait
     sleep 1
-    for card in $usable_cards; do
+    for card in "${usable_cards[@]}"; do
         if ! is_numeric "$card"; then
             continue
-    fi
-    play_on_card "$card" /usr/share/livecd-sounds/beep.wav
-    if read -r -t 10; then
-        systemd-cat -t "livecdsound" printf "Selecting %s sound card as default\n" "$card"
-        set_default_card "$card"
-        break
-    fi
-done
+        fi
+        play_on_card "$card" /usr/share/livecd-sounds/beep.wav
+        if read -r -t 10; then
+            systemd-cat -t "livecdsound" printf "Selecting %s sound card as default\n" "$card"
+            set_default_card "$card"
+            break
+        fi
+    done
 }
 
-if [[  $# -eq 0 ]]; then
+if (( $# == 0 )); then
     echo "error: No argument passed."
     exit 1
 fi

configs/releng/efiboot/loader/entries/01-archiso-x86_64-linux.conf

@@ -1,7 +1,5 @@
 title    Arch Linux install medium (x86_64, UEFI)
 sort-key 01
 linux    /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-initrd   /%INSTALL_DIR%/boot/intel-ucode.img
-initrd   /%INSTALL_DIR%/boot/amd-ucode.img
 initrd   /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-options  archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL%
+options  archisobasedir=%INSTALL_DIR% archisosearchuuid=%ARCHISO_UUID%

configs/releng/efiboot/loader/entries/02-archiso-x86_64-speech-linux.conf

@@ -1,7 +1,5 @@
 title    Arch Linux install medium (x86_64, UEFI) with speech
 sort-key 02
 linux    /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-initrd   /%INSTALL_DIR%/boot/intel-ucode.img
-initrd   /%INSTALL_DIR%/boot/amd-ucode.img
 initrd   /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-options  archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% accessibility=on
+options  archisobasedir=%INSTALL_DIR% archisosearchuuid=%ARCHISO_UUID% accessibility=on

configs/releng/efiboot/loader/entries/03-archiso-x86_64-memtest86+.conf

@@ -0,0 +1,3 @@
+title    Memtest86+
+sort-key 03
+efi      /boot/memtest86+/memtest.efi

configs/releng/efiboot/loader/entries/03-archiso-x86_64-ram-linux.conf

@@ -1,7 +0,0 @@
-title    Arch Linux install medium (x86_64, UEFI, Copy to RAM)
-sort-key 03
-linux    /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-initrd   /%INSTALL_DIR%/boot/intel-ucode.img
-initrd   /%INSTALL_DIR%/boot/amd-ucode.img
-initrd   /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-options  archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram

configs/releng/efiboot/loader/entries/04-archiso-x86_64-ram-speech-linux.conf

@@ -1,7 +0,0 @@
-title    Arch Linux install medium (x86_64, UEFI, Copy to RAM) with speech
-sort-key 04
-linux    /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-initrd   /%INSTALL_DIR%/boot/intel-ucode.img
-initrd   /%INSTALL_DIR%/boot/amd-ucode.img
-initrd   /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-options  archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram accessibility=on

configs/releng/grub/grub.cfg

@@ -3,58 +3,86 @@ insmod part_gpt
 insmod part_msdos
 insmod fat
 insmod iso9660
+insmod ntfs
+insmod ntfscomp
+insmod exfat
+insmod udf
 
 # Use graphics-mode output
-insmod all_video
-insmod font
 if loadfont "${prefix}/fonts/unicode.pf2" ; then
-    insmod gfxterm
+    insmod all_video
     set gfxmode="auto"
     terminal_input console
-    terminal_output gfxterm
+    terminal_output console
 fi
 
 # Enable serial console
+insmod serial
+insmod usbserial_common
+insmod usbserial_ftdi
+insmod usbserial_pl2303
+insmod usbserial_usbdebug
 if serial --unit=0 --speed=115200; then
     terminal_input --append serial
     terminal_output --append serial
 fi
 
+# Get a human readable platform identifier
+if [ "${grub_platform}" == 'efi' ]; then
+    archiso_platform='UEFI'
+    if [ "${grub_cpu}" == 'x86_64' ]; then
+        archiso_platform="x64 ${archiso_platform}"
+    elif [ "${grub_cpu}" == 'i386' ]; then
+        archiso_platform="IA32 ${archiso_platform}"
+    else
+        archiso_platform="${grub_cpu} ${archiso_platform}"
+    fi
+elif [ "${grub_platform}" == 'pc' ]; then
+    archiso_platform='BIOS'
+else
+    archiso_platform="${grub_cpu} ${grub_platform}"
+fi
+
 # Set default menu entry
 default=archlinux
 timeout=15
 timeout_style=menu
 
-# GRUB init tune for accessibility
-play 600 988 1 1319 4
 
 # Menu entries
 
-menuentry "Arch Linux install medium (x86_64, UEFI)" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' {
+menuentry "Arch Linux install medium (%ARCH%, ${archiso_platform})" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' {
     set gfxpayload=keep
-    search --no-floppy --set=root --label %ARCHISO_LABEL%
-    linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL%
-    initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
+    linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisosearchuuid=%ARCHISO_UUID%
+    initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img
 }
 
-menuentry "Arch Linux install medium with speakup screen reader (x86_64, UEFI)" --hotkey s --class arch --class gnu-linux --class gnu --class os --id 'archlinux-accessibility' {
+menuentry "Arch Linux install medium with speakup screen reader (%ARCH%, ${archiso_platform})" --hotkey s --class arch --class gnu-linux --class gnu --class os --id 'archlinux-accessibility' {
     set gfxpayload=keep
-    search --no-floppy --set=root --label %ARCHISO_LABEL%
-    linux /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% accessibility=on
-    initrd /%INSTALL_DIR%/boot/intel-ucode.img /%INSTALL_DIR%/boot/amd-ucode.img /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
+    linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux archisobasedir=%INSTALL_DIR% archisosearchuuid=%ARCHISO_UUID% accessibility=on
+    initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img
 }
 
-if [ "${grub_platform}" == "efi" ]; then
-    if [ "${grub_cpu}" == "x86_64" ]; then
-        menuentry "UEFI Shell" {
-            insmod chain
-            search --no-floppy --set=root --label %ARCHISO_LABEL%
+
+if [ "${grub_platform}" == 'efi' -a "${grub_cpu}" == 'x86_64' -a -f '/boot/memtest86+/memtest.efi' ]; then
+    menuentry 'Run Memtest86+ (RAM test)' --class memtest86 --class memtest --class gnu --class tool {
+        set gfxpayload=800x600,1024x768
+        linux /boot/memtest86+/memtest.efi
+    }
+fi
+if [ "${grub_platform}" == 'pc' -a -f '/boot/memtest86+/memtest' ]; then
+    menuentry 'Run Memtest86+ (RAM test)' --class memtest86 --class memtest --class gnu --class tool {
+        set gfxpayload=800x600,1024x768
+        linux /boot/memtest86+/memtest
+    }
+fi
+if [ "${grub_platform}" == 'efi' ]; then
+    if [ "${grub_cpu}" == 'x86_64' -a -f '/shellx64.efi' ]; then
+        menuentry 'UEFI Shell' --class efi {
             chainloader /shellx64.efi
         }
-    elif [ "${grub_cpu}" == "i386" ]; then
-        menuentry "UEFI Shell" {
-            insmod chain
-            search --no-floppy --set=root --label %ARCHISO_LABEL%
+    elif [ "${grub_cpu}" == "i386" -a -f '/shellia32.efi' ]; then
+        menuentry 'UEFI Shell' --class efi {
             chainloader /shellia32.efi
         }
     fi
@@ -64,12 +92,16 @@ if [ "${grub_platform}" == "efi" ]; then
     }
 fi
 
-menuentry "System shutdown" --class shutdown --class poweroff {
-    echo "System shutting down..."
+menuentry 'System shutdown' --class shutdown --class poweroff {
+    echo 'System shutting down...'
     halt
 }
 
-menuentry "System restart" --class reboot --class restart {
-    echo "System rebooting..."
+menuentry 'System restart' --class reboot --class restart {
+    echo 'System rebooting...'
     reboot
 }
+
+
+# GRUB init tune for accessibility
+play 600 988 1 1319 4

configs/releng/grub/loopback.cfg

@@ -0,0 +1,80 @@
+# https://www.supergrubdisk.org/wiki/Loopback.cfg
+
+# Search for the ISO volume
+search --no-floppy --set=archiso_img_dev --file "${iso_path}"
+probe --set archiso_img_dev_uuid --fs-uuid "${archiso_img_dev}"
+
+# Get a human readable platform identifier
+if [ "${grub_platform}" == 'efi' ]; then
+    archiso_platform='UEFI'
+    if [ "${grub_cpu}" == 'x86_64' ]; then
+        archiso_platform="x64 ${archiso_platform}"
+    elif [ "${grub_cpu}" == 'i386' ]; then
+        archiso_platform="IA32 ${archiso_platform}"
+    else
+        archiso_platform="${grub_cpu} ${archiso_platform}"
+    fi
+elif [ "${grub_platform}" == 'pc' ]; then
+    archiso_platform='BIOS'
+else
+    archiso_platform="${grub_cpu} ${grub_platform}"
+fi
+
+# Set default menu entry
+default=archlinux
+timeout=15
+timeout_style=menu
+
+
+# Menu entries
+
+menuentry "Arch Linux install medium (%ARCH%, ${archiso_platform})" --class arch --class gnu-linux --class gnu --class os --id 'archlinux' {
+    set gfxpayload=keep
+    linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux archisobasedir=%INSTALL_DIR% img_dev=UUID=${archiso_img_dev_uuid} img_loop="${iso_path}"
+    initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img
+}
+
+menuentry "Arch Linux install medium with speakup screen reader (%ARCH%, ${archiso_platform})" --hotkey s --class arch --class gnu-linux --class gnu --class os --id 'archlinux-accessibility' {
+    set gfxpayload=keep
+    linux /%INSTALL_DIR%/boot/%ARCH%/vmlinuz-linux archisobasedir=%INSTALL_DIR% img_dev=UUID=${archiso_img_dev_uuid} img_loop="${iso_path}" accessibility=on
+    initrd /%INSTALL_DIR%/boot/%ARCH%/initramfs-linux.img
+}
+
+
+if [ "${grub_platform}" == 'efi' -a "${grub_cpu}" == 'x86_64' -a -f '/boot/memtest86+/memtest.efi' ]; then
+    menuentry 'Run Memtest86+ (RAM test)' --class memtest86 --class memtest --class gnu --class tool {
+        set gfxpayload=800x600,1024x768
+        linux /boot/memtest86+/memtest.efi
+    }
+fi
+if [ "${grub_platform}" == 'pc' -a -f '/boot/memtest86+/memtest' ]; then
+    menuentry 'Run Memtest86+ (RAM test)' --class memtest86 --class memtest --class gnu --class tool {
+        set gfxpayload=800x600,1024x768
+        linux /boot/memtest86+/memtest
+    }
+fi
+if [ "${grub_platform}" == 'efi' ]; then
+    if [ "${grub_cpu}" == 'x86_64' -a -f '/shellx64.efi' ]; then
+        menuentry 'UEFI Shell' --class efi {
+            chainloader /shellx64.efi
+        }
+    elif [ "${grub_cpu}" == "i386" -a -f '/shellia32.efi' ]; then
+        menuentry 'UEFI Shell' --class efi {
+            chainloader /shellia32.efi
+        }
+    fi
+
+    menuentry 'UEFI Firmware Settings' --id 'uefi-firmware' {
+        fwsetup
+    }
+fi
+
+menuentry 'System shutdown' --class shutdown --class poweroff {
+    echo 'System shutting down...'
+    halt
+}
+
+menuentry 'System restart' --class reboot --class restart {
+    echo 'System rebooting...'
+    reboot
+}

configs/releng/packages.x86_64

@@ -4,7 +4,9 @@ arch-install-scripts
 archinstall
 b43-fwcutter
 base
+bcachefs-tools
 bind
+bolt
 brltty
 broadcom-wl
 btrfs-progs
@@ -28,8 +30,8 @@ ethtool
 exfatprogs
 f2fs-tools
 fatresize
+foot-terminfo
 fsarchiver
-gnu-netcat
 gpart
 gpm
 gptfdisk
@@ -38,13 +40,12 @@ grub
 hdparm
 hyperv
 intel-ucode
-ipw2100-fw
-ipw2200-fw
 irssi
 iw
 iwd
 jfsutils
 kitty-terminfo
+ldns
 less
 lftp
 libfido2
@@ -62,6 +63,7 @@ man-pages
 mc
 mdadm
 memtest86+
+memtest86+-efi
 mkinitcpio
 mkinitcpio-archiso
 mkinitcpio-nfs-utils
@@ -78,6 +80,7 @@ nvme-cli
 open-iscsi
 open-vm-tools
 openconnect
+openpgp-card-tools
 openssh
 openvpn
 partclone
@@ -90,12 +93,12 @@ pv
 qemu-guest-agent
 refind
 reflector
-reiserfsprogs
 rp-pppoe
 rsync
 rxvt-unicode-terminfo
 screen
 sdparm
+sequoia-sq
 sg3_utils
 smartmontools
 sof-firmware
@@ -107,6 +110,7 @@ tcpdump
 terminus-font
 testdisk
 tmux
+tpm2-tools
 tpm2-tss
 udftools
 usb_modeswitch

configs/releng/pacman.conf

@@ -36,6 +36,8 @@ Architecture = auto
 #CheckSpace
 #VerbosePkgLists
 ParallelDownloads = 5
+#DownloadUser = alpm
+#DisableSandbox
 
 # By default, pacman accepts packages signed by keys that its local keyring
 # trusts (see pacman-key and its man page), as well as unsigned packages.
@@ -70,19 +72,16 @@ LocalFileSigLevel = Optional
 # repo name header and Include lines. You can add preferred servers immediately
 # after the header, and they will be used before the default mirrors.
 
-#[testing]
+#[core-testing]
 #Include = /etc/pacman.d/mirrorlist
 
 [core]
 Include = /etc/pacman.d/mirrorlist
 
-[extra]
-Include = /etc/pacman.d/mirrorlist
-
-#[community-testing]
+#[extra-testing]
 #Include = /etc/pacman.d/mirrorlist
 
-[community]
+[extra]
 Include = /etc/pacman.d/mirrorlist
 
 # If you want to run 32 bit applications on your x86_64 system,

configs/releng/profiledef.sh

@@ -2,23 +2,25 @@
 # shellcheck disable=SC2034
 
 iso_name="archlinux"
-iso_label="ARCH_$(date +%Y%m)"
+iso_label="ARCH_$(date --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y%m)"
 iso_publisher="Arch Linux <https://archlinux.org>"
-iso_application="Arch Linux Live/Rescue CD"
-iso_version="$(date +%Y.%m.%d)"
+iso_application="Arch Linux Live/Rescue DVD"
+iso_version="$(date --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y.%m.%d)"
 install_dir="arch"
 buildmodes=('iso')
 bootmodes=('bios.syslinux.mbr' 'bios.syslinux.eltorito'
-           'uefi-ia32.grub.esp' 'uefi-x64.grub.esp'
-           'uefi-ia32.grub.eltorito' 'uefi-x64.grub.eltorito')
+           'uefi-ia32.systemd-boot.esp' 'uefi-x64.systemd-boot.esp'
+           'uefi-ia32.systemd-boot.eltorito' 'uefi-x64.systemd-boot.eltorito')
 arch="x86_64"
 pacman_conf="pacman.conf"
 airootfs_image_type="squashfs"
 airootfs_image_tool_options=('-comp' 'xz' '-Xbcj' 'x86' '-b' '1M' '-Xdict-size' '1M')
+bootstrap_tarball_compression=('zstd' '-c' '-T0' '--auto-threads=logical' '--long' '-19')
 file_permissions=(
   ["/etc/shadow"]="0:0:400"
   ["/root"]="0:0:750"
   ["/root/.automated_script.sh"]="0:0:755"
+  ["/root/.gnupg"]="0:0:700"
   ["/usr/local/bin/choose-mirror"]="0:0:755"
   ["/usr/local/bin/Installation_guide"]="0:0:755"
   ["/usr/local/bin/livecd-sound"]="0:0:755"

configs/releng/syslinux/archiso_head.cfg

@@ -12,7 +12,7 @@ MENU CMDLINEROW 14
 MENU HELPMSGROW 16
 MENU HELPMSGENDROW 29
 
-# Refer to http://syslinux.zytor.com/wiki/index.php/Doc/menu
+# Refer to https://wiki.syslinux.org/wiki/index.php/Comboot/menu.c32
 
 MENU COLOR border       30;44   #40ffffff #a0000000 std
 MENU COLOR title        1;36;44 #9033ccff #a0000000 std

configs/releng/syslinux/archiso_pxe-linux.cfg

@@ -5,8 +5,8 @@ It allows you to install Arch Linux or perform system maintenance.
 ENDTEXT
 MENU LABEL Arch Linux install medium (x86_64, NBD)
 LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% archiso_nbd_srv=${pxeserver} checksum verify
+INITRD ::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
+APPEND archisobasedir=%INSTALL_DIR% archisosearchuuid=%ARCHISO_UUID% archiso_nbd_srv=${pxeserver} cms_verify=y
 SYSAPPEND 3
 
 LABEL arch64_nfs
@@ -16,8 +16,8 @@ It allows you to install Arch Linux or perform system maintenance.
 ENDTEXT
 MENU LABEL Arch Linux install medium (x86_64, NFS)
 LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-APPEND archisobasedir=%INSTALL_DIR% archiso_nfs_srv=${pxeserver}:/run/archiso/bootmnt checksum verify
+INITRD ::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
+APPEND archisobasedir=%INSTALL_DIR% archiso_nfs_srv=${pxeserver}:/run/archiso/bootmnt cms_verify=y
 SYSAPPEND 3
 
 LABEL arch64_http
@@ -27,6 +27,6 @@ It allows you to install Arch Linux or perform system maintenance.
 ENDTEXT
 MENU LABEL Arch Linux install medium (x86_64, HTTP)
 LINUX ::/%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-INITRD ::/%INSTALL_DIR%/boot/intel-ucode.img,::/%INSTALL_DIR%/boot/amd-ucode.img,::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-APPEND archisobasedir=%INSTALL_DIR% archiso_http_srv=http://${pxeserver}/ checksum verify
+INITRD ::/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
+APPEND archisobasedir=%INSTALL_DIR% archiso_http_srv=http://${pxeserver}/ cms_verify=y
 SYSAPPEND 3

configs/releng/syslinux/archiso_sys-linux.cfg

@@ -5,8 +5,8 @@ It allows you to install Arch Linux or perform system maintenance.
 ENDTEXT
 MENU LABEL Arch Linux install medium (x86_64, BIOS)
 LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL%
+INITRD /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
+APPEND archisobasedir=%INSTALL_DIR% archisosearchuuid=%ARCHISO_UUID%
 
 # Accessibility boot option
 LABEL arch64speech
@@ -16,16 +16,5 @@ It allows you to install Arch Linux or perform system maintenance with speech fe
 ENDTEXT
 MENU LABEL Arch Linux install medium (x86_64, BIOS) with ^speech
 LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% accessibility=on
-
-# Copy to RAM boot option
-LABEL arch64ram
-TEXT HELP
-Boot the Arch Linux install medium on BIOS with Copy-to-RAM option
-It allows you to install Arch Linux or perform system maintenance.
-ENDTEXT
-MENU LABEL Arch Linux install medium (x86_64, BIOS, Copy to RAM)
-LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux
-INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
-APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram
+INITRD /%INSTALL_DIR%/boot/x86_64/initramfs-linux.img
+APPEND archisobasedir=%INSTALL_DIR% archisosearchuuid=%ARCHISO_UUID% accessibility=on

configs/releng/syslinux/archiso_tail.cfg

@@ -7,12 +7,12 @@ MENU LABEL Boot existing OS
 COM32 chain.c32
 APPEND hd0 0
 
-# http://www.memtest.org/
+# https://www.memtest.org/
 LABEL memtest
 MENU LABEL Run Memtest86+ (RAM test)
-LINUX /%INSTALL_DIR%/boot/memtest
+LINUX /boot/memtest86+/memtest
 
-# http://hdt-project.org/
+# https://wiki.syslinux.org/wiki/index.php/Hdt_(Hardware_Detection_Tool)
 LABEL hdt
 MENU LABEL Hardware Information (HDT)
 COM32 hdt.c32

docs/README.profile.rst

@@ -48,10 +48,12 @@ The image file is constructed from some of the variables in ``profiledef.sh``: `
   - ``bios.syslinux.eltorito``: Syslinux for x86 BIOS booting from an optical disc
   - ``uefi-ia32.grub.esp``: GRUB for IA32 UEFI booting from a disk
   - ``uefi-ia32.grub.eltorito``: GRUB for IA32 UEFI booting from an optical disc
-  - ``uefi-x64.grub.esp``: GRUB for x86_64 UEFI booting from a disk
-  - ``uefi-x64.grub.eltorito``: GRUB for x86_64 UEFI booting from an optical disc
-  - ``uefi-x64.systemd-boot.esp``: systemd-boot for x86_64 UEFI booting from a disk
-  - ``uefi-x64.systemd-boot.eltorito``: systemd-boot for x86_64 UEFI booting from an optical disc
+  - ``uefi-x64.grub.esp``: GRUB for x64 UEFI booting from a disk
+  - ``uefi-x64.grub.eltorito``: GRUB for x64 UEFI booting from an optical disc
+  - ``uefi-ia32.systemd-boot.esp``: systemd-boot for IA32 UEFI booting from a disk
+  - ``uefi-ia32.systemd-boot.eltorito``: systemd-boot for IA32UEFI booting from an optical disc
+  - ``uefi-x64.systemd-boot.esp``: systemd-boot for x64 UEFI booting from a disk
+  - ``uefi-x64.systemd-boot.eltorito``: systemd-boot for x64 UEFI booting from an optical disc
     Note that BIOS El Torito boot mode must always be listed before UEFI El Torito boot mode.
 * ``arch``: The architecture (e.g. ``x86_64``) to build the image for. This is also used to resolve the name of the packages
   file (e.g. ``packages.x86_64``)
@@ -64,6 +66,8 @@ The image file is constructed from some of the variables in ``profiledef.sh``: `
   - ``erofs``: Create an EROFS image for the airootfs work directory
 * ``airootfs_image_tool_options``: An array of options to pass to the tool to create the airootfs image. ``mksquashfs`` and
   ``mkfs.erofs`` are supported. See ``mksquashfs --help`` or ``mkfs.erofs --help`` for all possible options
+* ``bootstrap_tarball_compression``: An array containing the compression program and arguments passed to it for
+  compressing the bootstrap tarball (defaults to ``cat``). For example: ``bootstrap_tarball_compression=(zstd -c -T0 --long -19)``.
 * ``file_permissions``: An associative array that lists files and/or directories who need specific ownership or
   permissions. The array's keys contain the path and the value is a colon separated list of owner UID, owner GID and
   access mode. E.g. ``file_permissions=(["/etc/shadow"]="0:0:400")``. When directories are listed with a trailing backslash (``/``) **all** files and directories contained within the listed directory will have the same owner UID, owner GID, and access mode applied recursively.
@@ -137,9 +141,15 @@ The following *custom template identifiers* are understood and will be replaced
 respective variables in ``profiledef.sh``:
 
 * ``%ARCHISO_LABEL%``: Set this using the ``iso_label`` variable in ``profiledef.sh``.
-* ``%INSTALL_DIR%``: Set this using the ``iso_label`` variable in ``profiledef.sh``.
+* ``%INSTALL_DIR%``: Set this using the ``install_dir`` variable in ``profiledef.sh``.
 * ``%ARCH%``: Set this using the ``arch`` variable in ``profiledef.sh``.
 
+Additionally there are also *custom template identifiers* have harcoded values set by ``mkarchiso`` that cannot be
+overridden:
+
+* ``%ARCHISO_UUID%``: the ISO 9660 modification date in UTC, i.e. its "UUID",
+* ``%ARCHISO_SEARCH_FILENAME%``: file path on ISO 9660 that can be used by GRUB to find the ISO volume
+  (**for GRUB ``.cfg`` files only**).
 
 efiboot
 -------

docs/README.transfer

@@ -1,133 +0,0 @@
-INDEX
------
-
-* Transfer ISO file to target medium (configs/releng)
-  * To -> CD / DVD / BD
-  * To -> USB-key / SD / HDD / SSD
-    * PC-BIOS (MBR)
-    * PC-BIOS (ISOHYBRID-MBR)
-    * PC-EFI (GPT) [x86_64 only]
-    * PC-EFI (ISOHYBRID-GPT) [x86_64 only]
-
-
-
-*** Transfer ISO image to target medium (configs/releng)
-
-ISO images names consist of: archlinux-<YYYY>.<MM>.<DD>-x86_64.iso
-
-Where:
-    <YYYY> Year
-    <MM> Month
-    <DD> Day
-
-
-** To -> CD / DVD / BD
-
-Note: All ISO images are booteable on a PC-BIOS via "El Torito" in no-emulation mode,
-      All x86_64 ISO images are booteable on a PC-EFI via "El Torito" in no-emulation mode.
-
-Nomeclature:
-    <B> scsibus number
-    <T> target number
-    <L> lun number
-    (Note: see cdrecord -scanbus, for these numbers)
-
-
-1) Write it directly using your favorite recording program.
-# cdrecord dev=<B>,<T>,<L> -dao archlinux-<YYYY>.<MM>.<DD>-x86_64.iso
-
-
-** To -> USB Flash Drive (USB-key) / Memory card (SD) /
-         Hard-Disk Drive (HDD) / Solid-State Drive (SSD)
-
-Note: These steps are the general workflow, you can skip some of them,
-      using another filesystem if your bootloader supports it,
-      installing to another directory than "arch/" or using more than
-      one partition. Just ensure that main boot params options
-      (archisolabel= and archisobasedir=) are set correctly according to your setup.
-
-Nomeclature:
-<DEV-TARGET>:   Device node of the drive where ISO contents should be copied
-                (example: /dev/sdx)
-<DEV-TARGET-N>: Device node of the partition on <DEV-TARGET>
-                (example: /dev/sdx1)
-<MNT-TARGET-N>: Mount point path where <DEV-TARGET-N> is mounted
-                (example: /mnt/sdx/1)
-<ISO-SOURCE>:   Path to the ISO file archlinux-<YYYY>.<MM>.<DD>-x86_64.iso
-                (example: ~/archlinux-2017.03.01-x86_64.iso)
-<FS-LABEL>:     Represents the filesystem label of the <ISO-SOURCE>
-                (example: ARCH_201703)
-
-
-* PC-BIOS (MBR):
-
-Note: Using here a MBR partition mode as example, but GPT should also works
-      if machine firmware is not broken.
-      Just ensure that partition is set with attribute "2: legacy BIOS bootable"
-      and use gptmbr.bin instead of mbr.bin for syslinux.
-
-1) Create one partition entry in MBR and mark it as "active" (booteable).
-Note: Type "b" for FAT32, "83" for EXTFS or "7" for NTFS.
-# fdisk <DEV-TARGET>
-
-2) Create a FAT32, EXTFS or NTFS filesystem on such partition and setup a label.
-Note: COW is not supported on NTFS.
-# mkfs.fat -F 32 -n <FS-LABEL> <DEV-TARGET-N>
-# mkfs.ext4 -L <FS-LABEL> <DEV-TARGET-N>
-# mkfs.ntfs -L <FS-LABEL> <DEV-TARGET-N>
-
-3) Mount target filesystem.
-# mount <DEV-TARGET-N> <MNT-TARGET-N>
-
-4) Extract ISO image on target filesystem.
-# bsdtar -x --exclude=isolinux/ --exclude=EFI/ --exclude=loader/ -f <ISO-SOURCE> -C <MNT-TARGET-N>
-
-5) Install syslinux bootloader on target filesystem.
-# extlinux -i <MNT-TARGET-N>/arch/boot/syslinux
-
-6) Unmount target filesystem.
-# umount <MNT-TARGET-N>
-
-7) Install syslinux MBR boot code on target drive.
-# dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/bios/mbr.bin of=<DEV-TARGET>
-
-
-* PC-BIOS (ISOHYBRID-MBR):
-
-Note: This method is the most easily, quick and dirty, but is the most limited
-      if you want to use your target medium for other purposes.
-      If using this does not work, use PC-BIOS (MBR) method instead.
-
-1) Dump ISO file to target medium.
-# dd if=<ISO-SOURCE> of=<DEV-TARGET>
-
-
-* PC-EFI (GPT) [x86_64 only]
-
-Note: Using here a GPT partition mode as example, but MBR should also works
-      if machine firmware is not broken.
-
-1) Create one partition entry in GPT (of type "ef00")
-# gdisk <DEV-TARGET>
-
-2) Create a FAT32 filesystem on such partition and setup a label.
-# mkfs.fat -F 32 -n <FS-LABEL> <DEV-TARGET-N>
-
-3) Mount target filesystem.
-# mount <DEV-TARGET-N> <MNT-TARGET-N>
-
-4) Extract ISO image on target filesystem.
-# bsdtar -x --exclude=isolinux/ --exclude=EFI/archiso/ --exclude=arch/boot/syslinux/ -f <ISO-SOURCE> -C <MNT-TARGET-N>
-
-5) Unmount target filesystem.
-# umount <MNT-TARGET-N>
-
-
-* PC-EFI (ISOHYBRID-GPT) [x86_64 only]
-
-Note: This method is the most easily, quick and dirty, but is the most limited
-      if you want to use your target medium for other purposes.
-      If using this does not work, use PC-EFI (GPT) method instead.
-
-1) Dump ISO file to target medium.
-# dd if=<ISO-SOURCE> of=<DEV-TARGET>

docs/README.transfer.rst

@@ -0,0 +1,165 @@
+==============================================
+Transfer ISO to target medium (configs/releng)
+==============================================
+
+ISO images names consist of: ``archlinux-YYYY.MM.DD-x86_64.iso``.
+
+Where: ``YYYY`` is the year, ``MM`` the month and ``DD`` the day.
+
+.. contents::
+
+Burn to an optical disc
+=======================
+
+  .. note::
+     All ISO images are BIOS and UEFI bootable via "El Torito" in no-emulation mode.
+
+Burn the ISO using your favorite disc burning program.
+
+For example:
+
+.. code:: sh
+
+   xorriso -as cdrecord -v -sao dev=/dev/sr0 archlinux-YYYY.MM.DD-x86_64.iso
+
+Write to an USB flash drive / memory card / hard disk drive / solid state drive / etc.
+======================================================================================
+
+  .. tip::
+     See https://wiki.archlinux.org/title/USB_flash_installation_medium for more detailed instructions.
+
+Nomeclature:
+
+``<DEV-TARGET>``
+  Device node of the drive where ISO contents should be copied (example: ``/dev/sdx``).
+``<DEV-TARGET-N>``
+  Device node of the partition on ``<DEV-TARGET>`` (example: ``/dev/sdx1``).
+``<FS-LABEL>``
+  Represents the file system label of the ``archlinux-YYYY.MM.DD-x86_64.iso`` (example: ``ARCH_201703``).
+
+ISOHYBRID (BIOS and UEFI)
+-------------------------
+
+  .. note::
+     This method is the most easily, quick and dirty, but is the most limited if you want to use your target medium
+     for other purposes. If using this does not work, use the `File system transposition (UEFI only)`_ method instead.
+
+Directly write the ISO file to the target medium:
+
+.. code:: sh
+
+   dd bs=4M if=archlinux-YYYY.MM.DD-x86_64.iso of=<DEV-TARGET> conv=fsync oflag=direct status=progress
+
+File system transposition (UEFI only)
+--------------------------------
+
+This method extracts the contents of the ISO onto a prepared UEFI-bootable volume.
+
+If your drive is already partitioned and formatted, skip to the "Mount the target file system" step.
+
+  .. note::
+     Using MBR with one FAT formatted active partition is the most compatible method.
+
+1. Partition the drive with *fdisk*.
+
+   .. code:: sh
+
+      fdisk <DEV-TARGET>
+
+   1) Create a new MBR partition table with command ``o``.
+
+     .. warning::
+        This will destroy all data on the drive.
+
+   2) Create a new primary partition with command ``n`` and set its type code to ``0c`` with command ``t``.
+
+   3) Mark the partition as bootable with the ``a`` command.
+
+   4) Write the changes and exit with ``w``.
+
+2. Format the newly created partition to FAT32
+
+   .. code:: sh
+
+      mkfs.fat -F 32 /dev/disk/by-id/<TARGET-DEVICE>-part1
+
+3. Mount the target file system
+
+   .. code:: sh
+
+      mount <DEV-TARGET-N> /mnt
+
+4. Extract the ISO image on the target file system.
+
+   .. code:: sh
+
+      bsdtar -x --exclude=boot/syslinux/ -f archlinux-YYYY.MM.DD-x86_64.iso -C /mnt
+
+5. Unmount the target file system.
+
+   .. code:: sh
+
+      umount /mnt
+
+Manual formatting (BIOS only)
+-----------------------------
+
+  .. note::
+     These steps are the general workflow, you can skip some of them, using another file system if your boot loader
+     supports it, installing to another directory than ``arch/`` or using more than one partition. Just ensure that
+     main boot parameters  (``archisolabel=`` and ``archisobasedir=``) are set correctly according to your setup.
+
+     Using here a MBR partition mode as example, but GPT should also work if the machine firmware is not broken. Just
+     ensure that partition is set with attribute ``2: legacy BIOS bootable`` and use ``gptmbr.bin`` instead of
+     ``mbr.bin`` for syslinux.
+
+1) Create one partition entry in MBR and mark it as "active" (bootable).
+
+     .. note::
+        Type ``b`` for FAT32, ``83`` for EXTFS or ``7`` for NTFS.
+
+   .. code:: sh
+
+      fdisk <DEV-TARGET>
+
+2) Create a FAT32, EXTFS or NTFS file system on such partition and setup a label.
+
+     .. note::
+        COW is not supported on NTFS.
+
+   .. code:: sh
+
+      mkfs.fat -F 32 -n <FS-LABEL> <DEV-TARGET-N>
+      mkfs.ext4 -L <FS-LABEL> <DEV-TARGET-N>
+      mkfs.ntfs -L <FS-LABEL> <DEV-TARGET-N>
+
+3) Mount the target file system.
+
+   .. code:: sh
+
+      mount <DEV-TARGET-N> /mnt
+
+4) Extract the ISO image on the target file system.
+
+   .. code:: sh
+
+      bsdtar -x --exclude=boot/grub/ --exclude=EFI/ -f archlinux-YYYY.MM.DD-x86_64.iso -C /mnt
+
+5) Install the syslinux boot loader on the target file system.
+
+   .. code:: sh
+
+      extlinux -i /mnt/boot/syslinux
+
+6) Unmount the target file system.
+
+   .. code:: sh
+
+      umount /mnt
+
+7) Install syslinux MBR boot code on the target drive.
+
+   .. code:: sh
+
+      dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/bios/mbr.bin of=<DEV-TARGET>
+

man/mkarchiso.1.rst

@@ -0,0 +1,80 @@
+=========
+mkarchiso
+=========
+
+------------------------
+Arch Linux ISO generator
+------------------------
+
+:Version: archiso |version|
+:Manual section: 1
+
+Synopsis
+========
+
+**mkarchiso** [options] *profile_directory*
+
+Description
+===========
+
+**mkarchiso** creates an ISO, netboot artifacts and a bootstrap tarball and optionally signs them.
+
+Options
+=======
+
+-A application          | Set an application name for the ISO.
+                        | Default: |iso_application|.
+-C file                 | pacman configuration file.
+                        | Default: |pacman_conf|.
+-D install_dir          | Set an install_dir. All files will be located here.
+                        | Default: |install_dir|.
+                        | NOTE: Max 8 characters, use only *a-z0-9*.
+-L label                | Set the ISO volume label.
+                        | Default: |iso_label|.
+-P publisher            | Set the ISO publisher.
+                        | Default: |iso_publisher|.
+-c cert_and_key         | Provide certificates for codesigning of netboot artifacts as well as the rootfs artifact.
+                        | Multiple files are provided as quoted, space delimited list.
+                        | The first file is considered as the signing certificate, the second as the key and the third as the optional certificate authority.
+-g gpg_key              | Set the PGP key ID to be used for signing the rootfs image. Passed to gpg as the value for **--default-key**.
+-G mbox                 | Set the PGP signer (must include an email address). Passed to gpg as the value for **--sender**.
+-h                      | Help message.
+-m mode                 | Build mode(s) to use (valid modes are: *bootstrap*, *iso* and *netboot*). Multiple build modes are provided as quoted, space delimited list.
+-o out_dir              | Set the output directory.
+                        | Default: |out_dir|.
+-p packages             | Package(s) to install.
+                        | Multiple packages are provided as quoted, space delimited list.
+-r                      | Delete the working directory at the end.
+-v                      | Enable verbose output.
+-w work_dir             | Set the working directory.
+                        | Default: |work_dir|.
+
+Examples
+========
+
+Build the releng profile
+------------------------
+
+   mkarchiso |profile_dir|/configs/releng
+
+Bugs
+====
+
+https://gitlab.archlinux.org/archlinux/archiso/-/issues
+
+Authors
+=======
+
+archiso is maintained by the Arch Linux community. Refer to the *AUTHORS* file for a full list of contributors.
+
+Copyright
+=========
+
+Copyright 🄯 archiso contributors. GPL-3.0-or-later.
+
+See also
+========
+
+* /usr/share/doc/archiso/README.profile.rst
+
+.. include:: variables.rst

man/variables.rst

@@ -0,0 +1,10 @@
+.. |iso_application| replace:: '*mkarchiso iso*'
+.. |pacman_conf| replace:: */etc/pacman.conf*
+.. |install_dir| replace:: *arch*
+.. |iso_label| replace:: *MKARCHISO*
+.. |iso_publisher| replace:: *mkarchiso*
+.. |out_dir| replace:: *./out*
+.. |work_dir| replace:: *./work*
+.. |profile_dir| replace:: /usr/share/archiso
+
+.. include:: version.rst

scripts/run_archiso.sh

@@ -11,7 +11,6 @@
 # - qemu
 # - edk2-ovmf (when UEFI booting)
 
-
 set -eu
 
 print_help() {
@@ -45,11 +44,11 @@ cleanup_working_dir() {
 }
 
 copy_ovmf_vars() {
-    if [[ ! -f '/usr/share/edk2-ovmf/x64/OVMF_VARS.fd' ]]; then
-        printf 'ERROR: %s\n' "OVMF_VARS.fd not found. Install edk2-ovmf."
+    if [[ ! -f '/usr/share/edk2/x64/OVMF_VARS.4m.fd' ]]; then
+        printf 'ERROR: %s\n' "OVMF_VARS.4m.fd not found. Install edk2-ovmf."
         exit 1
     fi
-    cp -av -- '/usr/share/edk2-ovmf/x64/OVMF_VARS.fd' "${working_dir}/"
+    cp -av -- '/usr/share/edk2/x64/OVMF_VARS.4m.fd' "${working_dir}/"
 }
 
 check_image() {
@@ -68,13 +67,13 @@ run_image() {
         copy_ovmf_vars
         if [[ "${secure_boot}" == 'on' ]]; then
             printf '%s\n' 'Using Secure Boot'
-            local ovmf_code='/usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd'
+            local ovmf_code='/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd'
         else
-            local ovmf_code='/usr/share/edk2-ovmf/x64/OVMF_CODE.fd'
+            local ovmf_code='/usr/share/edk2/x64/OVMF_CODE.4m.fd'
         fi
         qemu_options+=(
             '-drive' "if=pflash,format=raw,unit=0,file=${ovmf_code},read-only=on"
-            '-drive' "if=pflash,format=raw,unit=1,file=${working_dir}/OVMF_VARS.fd"
+            '-drive' "if=pflash,format=raw,unit=1,file=${working_dir}/OVMF_VARS.4m.fd"
             '-global' "driver=cfi.pflash01,property=secure,value=${secure_boot}"
         )
     fi