examples/bootc*: Secure Boot support

travier · jeckersb · commit 7ca4e91fb0b8 · 2025-09-03T17:06:11.000-04:00
Signed-off-by: Timothée Ravier &lt;tim@siosm.fr&gt;
diff --git a/examples/bootc-uki/Containerfile.stage2 b/examples/bootc-uki/Containerfile.stage2
@@ -4,29 +4,42 @@ FROM base as kernel
 
 ARG COMPOSEFS_FSVERITY
 
-RUN <<EOF
+RUN --mount=type=secret,id=key \
+    --mount=type=secret,id=cert <<EOF
     set -eux
 
     mkdir -p /etc/kernel /etc/dracut.conf.d
     echo "console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} selinux=1 enforcing=0 systemd.debug_shell=1 root=UUID=6523f8ae-3eb1-4e2a-a05a-18b695ae656f rw" > /etc/kernel/cmdline
 
-    dnf install -y systemd-ukify;
-    kver=$(cd /usr/lib/modules && echo *);
+    dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
+    kver=$(cd /usr/lib/modules && echo *)
     ukify build \
-        --linux /usr/lib/modules/$kver/vmlinuz \
-        --initrd /usr/lib/modules/$kver/initramfs.img \
+        --linux "/usr/lib/modules/$kver/vmlinuz" \
+        --initrd "/usr/lib/modules/$kver/initramfs.img" \
+        --uname="${kver}" \
         --cmdline "@/etc/kernel/cmdline" \
-        --output /boot/$kver.efi
+        --os-release "@/etc/os-release" \
+        --signtool sbsign \
+        --secureboot-private-key "/run/secrets/key" \
+        --secureboot-certificate "/run/secrets/cert" \
+        --measure \
+        --json pretty \
+        --output "/boot/$kver.efi"
+    sbsign \
+        --key "/run/secrets/key" \
+        --cert "/run/secrets/cert" \
+        "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
+        --output "/boot/systemd-bootx64.efi"
 EOF
 
 FROM base as final
 
 RUN --mount=type=bind,from=kernel,target=/_mount/kernel <<EOF
-    kver=$(cd /usr/lib/modules && echo *);
+    kver=$(cd /usr/lib/modules && echo *)
     mkdir -p /boot/EFI/Linux
     # We put the UKI in /boot for now due to composefs verity not being the
     # same due to mtime of /usr/lib/modules being changed
-    cp /_mount/kernel/boot/$kver.efi /boot/EFI/Linux/$kver.efi;
+    cp /_mount/kernel/boot/$kver.efi /boot/EFI/Linux/$kver.efi
 EOF
 
 FROM base as final-final
diff --git a/examples/bootc-uki/build.final b/examples/bootc-uki/build.final
@@ -15,38 +15,33 @@ IMAGE_ID="$(sed s/sha256:// tmp/iid)"
 ./cfsctl --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}"
 COMPOSEFS_FSVERITY="$(./cfsctl --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}")"
 
+# See: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
+# Alternative to generate keys for testing: `sbctl create-keys`
+if [[ ! -d "secureboot" ]]; then
+    echo "Generating test Secure Boot keys"
+    mkdir secureboot
+    pushd secureboot > /dev/null
+    uuidgen --random > GUID.txt
+    openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Platform Key/" -out PK.crt
+    openssl x509 -outform DER -in PK.crt -out PK.cer
+    openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Key Exchange Key/" -out KEK.crt
+    openssl x509 -outform DER -in KEK.crt -out KEK.cer
+    openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Signature Database key/" -out db.crt
+    openssl x509 -outform DER -in db.crt -out db.cer
+    popd > /dev/null
+fi
+
+# For debugging, add --no-cache to podman command
 sudo podman build \
     -t quay.io/fedora/fedora-bootc-uki:42 \
     --build-arg=COMPOSEFS_FSVERITY="${COMPOSEFS_FSVERITY}" \
     -f Containerfile.stage2 \
+    --secret=id=key,src=secureboot/db.key \
+    --secret=id=cert,src=secureboot/db.crt \
     --iidfile=tmp/iid2
 
 rm -rf tmp/efi
 mkdir -p tmp/efi
 ./cfsctl --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}"
 ./cfsctl --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}"
 ./cfsctl --repo tmp/sysroot/composefs oci prepare-boot "${IMAGE_ID}" --bootdir tmp/efi
-
-# For debugging, add --no-cache to podman command
-# mkdir tmp/internal-sysroot
-# # podman build \
-#     --iidfile=tmp/iid \
-#     -v "${PWD}/tmp/internal-sysroot:/tmp/sysroot:z,U" \
-#     --secret=id=key,src=secureboot/db.key \
-#     --secret=id=cert,src=secureboot/db.crt \
-
-# See: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
-# Alternative to generate keys for testing: `sbctl create-keys`
-# if [[ ! -d "secureboot" ]]; then
-#     echo "Generating test Secure Boot keys"
-#     mkdir secureboot
-#     pushd secureboot > /dev/null
-#     uuidgen --random > GUID.txt
-#     openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Platform Key/" -out PK.crt
-#     openssl x509 -outform DER -in PK.crt -out PK.cer
-#     openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Key Exchange Key/" -out KEK.crt
-#     openssl x509 -outform DER -in KEK.crt -out KEK.cer
-#     openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Signature Database key/" -out db.crt
-#     openssl x509 -outform DER -in db.crt -out db.cer
-#     popd > /dev/null
-# fi
diff --git a/examples/bootc-uki/build_vars b/examples/bootc-uki/build_vars
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -eux
+
+cd "${0%/*}"
+
+if [[ ! -d "secureboot" ]]; then
+    echo "fail"
+    exit 1
+fi
+
+# See: https://github.com/rhuefi/qemu-ovmf-secureboot
+# $ dnf install -y python3-virt-firmware
+GUID=$(cat secureboot/GUID.txt)
+virt-fw-vars --input "/usr/share/edk2/ovmf/OVMF_VARS_4M.secboot.qcow2" \
+    --secure-boot  \
+    --set-pk  $GUID "secureboot/PK.crt" \
+    --add-kek $GUID "secureboot/KEK.crt" \
+    --add-db  $GUID "secureboot/db.crt" \
+    -o "VARS_CUSTOM.secboot.qcow2.template"
