Add missing stboot-related command line tools
Most st-related operations are implemented in the stmgr tool (with some conflict between "one tool to rule them all" and the unix principle that each tool should do one thing, well). Maybe everything should be part of stmgr, maybe some tools should be separate, possibly part of the stboot repo. Leaving os-package related things like key management and signing out of scope for this issue, what is needed to get stboot running is:
A tool to create an stboot initramfs
This tool should copy a statically linked stboot executable to /init. It should also have the ability to add mandatory and optional files used by stboot, like the trust policy, host config, root certs. UI related to the stboot config is a bit challenging. One could either have command line options for all settings, and have the tool produce valid json files. Or pass in json files, the tool should then validate the syntax, and copy them to the right places. There must also be hooks to add arbitrary files to the initramfs, e.g., for adding OS packages, and for adding kernel modules and firmware files. We should also specify what kind of compression to prefer, to support kernels that don't use a kitchen sink config. We currently create this initramfs in various ways in all scripts that want to boot stboot.
A tool for bundling initramfs + kernel + command line as a bootable UEFI executable (aka uki)
The initramfs from above will be one of the inputs. stmgr supports this operation with stmgr uki create
.
A tool to wrap a bootable uefi executable into a bootable disk image
There are multiple variations, stmgr currently supports iso images, stmgr uki create -format iso
. We also need images with a gpt disk label and a vfat filesystem. A shell script to do that is here: https://git.glasklar.is/system-transparency/core/stboot/-/blob/3c3676d43163827295caec0bdaf7abb26d99d294/integration/make-vfat-disk-image.sh. It may be feasible to use the go-diskfs library and integrate with stmgr uki, but when I tried to do the same with go-diskfs, it produced a corrupt vfat filesystem. We also need images for bootable USB sticks, it is unclear to me if identical gpt + vfat images work in that case.
It's also unclear if this tool needs to be able to include additional files together with the uefi executable, or create additional partitions. E.g., we might want to add the magic partition used for efi variables, and populate some variables.