[UKI] Measure (#2028)

.github/workflows/uki.yaml

@@ -36,21 +36,14 @@ jobs:
           repository: quay.io/kairos/packages
           packages: utils/earthly
       - name: Build uki ISO 🔧
-        run: |
-          # Do fedora as its the smaller uki possible
-          # Use immmucore master as it has patches not released for uki
-          # Use kairos-agent main branch as it has patches not released for uki
-          earthly +iso-uki \
-            --FLAVOR=opensuse \
-            --FLAVOR_RELEASE=leap-15.5 \
-            --FAMILY=opensuse \
+        run: | # known flavors to work with uki+encryption: fedora >= 38, ubuntu >= 23.10, anything with systemd 253
+          earthly +uki-iso \
+            --FLAVOR=fedora \
+            --FLAVOR_RELEASE=38 \
+            --FAMILY=rhel \
             --MODEL=generic \
             --VARIANT=core \
-            --BASE_IMAGE=opensuse/leap:15.5 \
-            --KAIROS_AGENT_DEV=true \
-            --KAIROS_AGENT_DEV_BRANCH=main \
-            --IMMUCORE_DEV=true \
-            --IMMUCORE_DEV_BRANCH=master
+            --BASE_IMAGE=fedora:38
       - name: Run tests
         env:
           USE_QEMU: true
@@ -58,8 +51,9 @@ jobs:
           MEMORY: 4000
           CPUS: 2
           FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd
+          EMULATE_TPM: true
         run: |
-          export ISO=$(ls $PWD/build/kairos-*opensuse-leap*.iso)
+          export ISO=$(ls $PWD/build/kairos-fedora-38-core-amd64-generic-*.uki.iso)
           cp tests/go.* .
           go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "uki" --fail-fast -r ./tests/
       - uses: actions/upload-artifact@v3

Earthfile

@@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0
 # renovate: datasource=docker depName=aquasec/trivy
 ARG TRIVY_VERSION=0.47.0
 # renovate: datasource=github-releases depName=kairos-io/kairos-framework
-ARG KAIROS_FRAMEWORK_VERSION="v2.4.4"
+ARG KAIROS_FRAMEWORK_VERSION="v2.5.0"
 ARG COSIGN_SKIP=".*quay.io/kairos/.*"
 # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name
 
@@ -321,31 +321,12 @@ image-rootfs:
     SAVE ARTIFACT --keep-own /. rootfs
     SAVE ARTIFACT IMAGE IMAGE
 
-uki-artifacts:
-    ARG --required FAMILY # The dockerfile to use
-    ARG --required FLAVOR # The distribution E.g. "ubuntu"
-    ARG --required FLAVOR_RELEASE # The distribution release/version E.g. "20.04"
-    ARG --required VARIANT
-    ARG --required MODEL
-    ARG --required BASE_IMAGE
 
-    FROM +base-image --BUILD_INITRD=false
-    RUN /usr/bin/immucore version
-    RUN ln -s /usr/bin/immucore /init
-    RUN mkdir -p /oem # be able to mount oem under here if found
-    RUN mkdir -p /efi # mount the esp under here if found
-    RUN find . \( -path ./sys -prune -o -path ./run -prune -o -path ./dev -prune -o -path ./tmp -prune -o -path ./proc -prune \) -o -print | cpio -R root:root -H newc -o | gzip -2 > /tmp/initramfs.cpio.gz
-    RUN echo "console=ttyS0 console=tty1 net.ifnames=1 rd.immucore.oemlabel=COS_OEM rd.immucore.oemtimeout=2 rd.immucore.debug rd.immucore.uki selinux=0" > /tmp/Cmdline
-    RUN basename $(ls /boot/vmlinuz-* |grep -v rescue | head -n1)| sed --expression "s/vmlinuz-//g" > /tmp/Uname
-    SAVE ARTIFACT /boot/vmlinuz Kernel
-    SAVE ARTIFACT /etc/os-release Osrelease
-    SAVE ARTIFACT /tmp/Cmdline Cmdline
-    SAVE ARTIFACT /tmp/Uname Uname
-    SAVE ARTIFACT /tmp/initramfs.cpio.gz Initrd
+## UKI Stuff Start
 
 # Base image for uki operations so we only run the install once
 uki-tools-image:
-    FROM fedora:38
+    FROM fedora:39
     # objcopy from binutils and systemd-stub from systemd
     RUN dnf install -y binutils systemd-boot mtools efitools sbsigntools shim openssl systemd-ukify
 
@@ -366,79 +347,151 @@ uki-tools-image:
 # NOTE: NEVER EVER EVER use this keys for signing anything that its going outside your computer
 # This is for easy testing SecureBoot locally for development purposes
 # Installing this keys in other place than a VM for testing SecureBoot is irresponsible
-uki:
-    FROM ubuntu
-
-    ARG TARGETARCH
-    COPY +version/VERSION ./
-    RUN echo "version ${VERSION}"
 
+# Base uki artifacts
+# we need:
+# kernel
+# initramfs
+# cmdline
+# os-release
+# uname
+uki-base:
     ARG --required FAMILY # The dockerfile to use
     ARG --required FLAVOR # The distribution E.g. "ubuntu"
     ARG --required FLAVOR_RELEASE # The distribution release/version E.g. "20.04"
     ARG --required VARIANT
     ARG --required MODEL
     ARG --required BASE_IMAGE
-
-    ARG KAIROS_VERSION=$(cat VERSION)
-    COPY ./images/naming.sh .
-    ARG ISO_NAME=$(./naming.sh bootable_artifact_name)
-    FROM +uki-tools-image
+    ARG TARGETARCH
     WORKDIR build
-    COPY +uki-artifacts/Kernel Kernel
-    COPY +uki-artifacts/Initrd Initrd
-    COPY +uki-artifacts/Osrelease Osrelease
-    COPY +uki-artifacts/Uname Uname
-    COPY +uki-artifacts/Cmdline Cmdline
-    ARG KVERSION=$(cat Uname)
+    # Build kernel,uname, etc artifacts
+    FROM +base-image --BUILD_INITRD=false
+
+    RUN /usr/bin/immucore version
+    RUN /usr/bin/kairos-agent version
+    RUN ln -s /usr/bin/immucore /init
+    RUN mkdir -p /oem # be able to mount oem under here if found
+    RUN mkdir -p /efi # mount the esp under here if found
+    RUN mkdir -p /usr/local/cloud-config/ # for install/upgrade they copy stuff there
+    # Put it under /tmp otherwise initramfs will contain itself. /tmp is excluded from the find
+    RUN find . \( -path ./sys -prune -o -path ./run -prune -o -path ./dev -prune -o -path ./tmp -prune -o -path ./proc -prune \) -o -print | cpio -R root:root -H newc -o | gzip -2 > /tmp/initramfs.cpio.gz
+    RUN echo "console=ttyS0 console=tty1 net.ifnames=1 rd.immucore.oemlabel=COS_OEM rd.immucore.debug rd.immucore.oemtimeout=2 rd.immucore.uki selinux=0" > Cmdline
+    RUN basename $(ls /boot/vmlinuz-* |grep -v rescue | head -n1)| sed --expression "s/vmlinuz-//g" > Uname
+    SAVE ARTIFACT /tmp/initramfs.cpio.gz initrd
+    SAVE ARTIFACT Cmdline Cmdline
+    SAVE ARTIFACT Uname Uname
+    SAVE ARTIFACT /boot/vmlinuz Kernel
+    SAVE ARTIFACT /etc/os-release Osrelease
+
+# Now build, measure and sign the uki image
+uki-build:
+    FROM +uki-tools-image
+    WORKDIR /build
     COPY tests/keys/* .
-    RUN objcopy /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
-            --add-section .osrel=Osrelease --set-section-flags .osrel=data,readonly \
-            --add-section .cmdline=Cmdline --set-section-flags .cmdline=data,readonly \
-            --add-section .initrd=Initrd --set-section-flags .initrd=data,readonly \
-            --add-section .uname=Uname --set-section-flags .uname=data,readonly \
-            --add-section .linux=Kernel --set-section-flags .linux=code,readonly \
-            uki.unsigned.efi \
-            --change-section-vma .osrel=0x17000 \
-            --change-section-vma .cmdline=0x18000 \
-            --change-section-vma .initrd=0x19000 \
-            --change-section-vma .uname=0x5a0ed000 \
-            --change-section-vma .linux=0x5a0ee000
-    # example with ukify + measure
-    #RUN /usr/lib/systemd/ukify Kernel Initrd \
-    #    --cmdline Cmdline \
-    #    --os-release Osrelease \
-    #    --uname Uname \
-    #    --stub /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
-    #    --secureboot-private-key DB.key \
-    #    --secureboot-certificate DB.crt \
-    #    --sign-kernel \
-    #    --pcr-private-key private.pem \
-    #    --pcr-public-key public.pem \
-    #    --measure \
-    #    --output $ISO_NAME.signed.efi
+    COPY +uki-base/initrd .
+    COPY +uki-base/Kernel .
+    COPY +uki-base/Cmdline .
+    COPY +uki-base/Uname .
+    COPY +uki-base/Osrelease .
+    COPY +version/VERSION .
+    ARG KAIROS_VERSION=$(cat VERSION)
+    ARG UNAME=$(cat Uname)
+    RUN /usr/lib/systemd/ukify Kernel initrd \
+        --cmdline=@Cmdline \
+        --os-release=@Osrelease \
+        --uname="${UNAME}" \
+        --stub /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
+        --secureboot-private-key DB.key \
+        --secureboot-certificate DB.crt \
+        --pcr-private-key tpm2-pcr-private.pem \
+        --measure \
+        --output uki.signed.efi
     RUN sbsign --key DB.key --cert DB.crt --output systemd-bootx64.signed.efi /usr/lib/systemd/boot/efi/systemd-bootx64.efi
-    RUN sbsign --key DB.key --cert DB.crt --output uki.signed.efi uki.unsigned.efi
+    RUN printf 'title Kairos %s\nefi /EFI/kairos/%s.efi\nversion %s' ${KAIROS_VERSION} ${KAIROS_VERSION} ${KAIROS_VERSION} > ${KAIROS_VERSION}.conf
+    RUN printf 'default @saved\ntimeout 5\nconsole-mode max\neditor no\n' > loader.conf
     SAVE ARTIFACT PK.der PK.der
     SAVE ARTIFACT KEK.der KEK.der
     SAVE ARTIFACT DB.der DB.der
-    SAVE ARTIFACT systemd-bootx64.signed.efi systemd-bootx64.efi
+    SAVE ARTIFACT systemd-bootx64.signed.efi systemd-bootx64.signed.efi
     SAVE ARTIFACT uki.signed.efi uki.signed.efi
-    SAVE ARTIFACT uki.unsigned.efi uki.unsigned.efi
+    SAVE ARTIFACT ${KAIROS_VERSION}.conf ${KAIROS_VERSION}.conf
+    SAVE ARTIFACT loader.conf loader.conf
 
-# Copy uki artifacts into local build dir
-uki-local-artifacts:
-    FROM +uki
+# Base target to set the directory structure for the image artifacts
+# as we need to create several dirs and copy files into them
+# Then we generate the image from scratch to not ring anything else
+uki-image-artifacts:
+    FROM +uki-tools-image
     COPY +version/VERSION ./
-    ARG VERSION=$(cat VERSION)
-    COPY +uki/systemd-bootx64.efi systemd-bootx64.efi
-    COPY +uki/uki.signed.efi uki.signed.efi
-    RUN printf "title Kairos ${FLAVOR} ${VERSION}\nefi /EFI/kairos/kairos.efi" > kairos.conf
-    RUN printf "default kairos.conf" > loader.conf
-    SAVE ARTIFACT systemd-bootx64.efi systemd-bootx64.efi AS LOCAL build/systemd-bootx64.efi
-    SAVE ARTIFACT uki.signed.efi uki.signed.efi AS LOCAL build/uki.${FLAVOR}.${VERSION}.efi
-    SAVE ARTIFACT kairos.conf kairos.conf AS LOCAL build/kairos.conf
-    SAVE ARTIFACT loader.conf loader.conf AS LOCAL build/loader.conf
+    ARG KAIROS_VERSION=$(cat VERSION)
+    COPY +uki-build/systemd-bootx64.signed.efi /output/efi/EFI/BOOT/BOOTX64.EFI
+    COPY +uki-build/uki.signed.efi /output/efi/EFI/kairos/${KAIROS_VERSION}.efi
+    COPY +uki-build/${KAIROS_VERSION}.conf /output/efi/loader/entries/${KAIROS_VERSION}.conf
+    COPY +uki-build/loader.conf /output/efi/loader/loader.conf
+    COPY +uki-build/PK.der /output/efi/loader/keys/kairos/PK.der
+    COPY +uki-build/KEK.der /output/efi/loader/keys/kairos/KEK.der
+    COPY +uki-build/DB.der /output/efi/loader/keys/kairos/DB.der
+    SAVE ARTIFACT /output/efi efi
+
+# This is the final artifact, only the files on it
+uki-image:
+    COPY +base-image/IMAGE .
+    ARG _CIMG=$(cat ./IMAGE)
+    FROM scratch
+    COPY +uki-image-artifacts/efi /
+    SAVE IMAGE --push $_CIMG.uki
+
+uki-iso:
+    FROM ubuntu
+    COPY +version/VERSION ./
+    ARG KAIROS_VERSION=$(cat VERSION)
+    ARG TARGETARCH
+    ARG --required FAMILY # The dockerfile to use
+    ARG --required FLAVOR # The distribution E.g. "ubuntu"
+    ARG --required FLAVOR_RELEASE # The distribution release/version E.g. "20.04"
+    ARG --required VARIANT
+    ARG --required MODEL
+    ARG --required BASE_IMAGE
+    COPY ./images/naming.sh .
+    ARG ISO_NAME=$(./naming.sh bootable_artifact_name)
+    ARG OSBUILDER_IMAGE
+    FROM $OSBUILDER_IMAGE
+    WORKDIR /build
+    COPY +uki-build/systemd-bootx64.signed.efi .
+    COPY +uki-build/uki.signed.efi .
+    COPY +uki-build/${KAIROS_VERSION}.conf .
+    COPY +uki-build/loader.conf .
+    COPY +uki-build/PK.der .
+    COPY +uki-build/KEK.der .
+    COPY +uki-build/DB.der .
+    RUN mkdir -p /tmp/efi
+    RUN ls -ltra /build
+    # get the size of the artifacts
+    ARG SIZE=$(du -sm /build | cut -f1)
+    # Create just the size we need + 50MB just in case?
+    RUN dd if=/dev/zero of=/tmp/efi/efiboot.img bs=1M count=$((SIZE + 50))
+    RUN mkfs.msdos -F 32 /tmp/efi/efiboot.img
+    RUN mmd -i /tmp/efi/efiboot.img ::EFI
+    RUN mmd -i /tmp/efi/efiboot.img ::EFI/BOOT
+    RUN mmd -i /tmp/efi/efiboot.img ::EFI/kairos
+    RUN mmd -i /tmp/efi/efiboot.img ::EFI/tools
+    RUN mmd -i /tmp/efi/efiboot.img ::loader
+    RUN mmd -i /tmp/efi/efiboot.img ::loader/entries
+    RUN mmd -i /tmp/efi/efiboot.img ::loader/keys
+    RUN mmd -i /tmp/efi/efiboot.img ::loader/keys/kairos
+    RUN mcopy -i /tmp/efi/efiboot.img PK.der ::loader/keys/kairos/PK.der
+    RUN mcopy -i /tmp/efi/efiboot.img KEK.der ::loader/keys/kairos/KEK.der
+    RUN mcopy -i /tmp/efi/efiboot.img DB.der ::loader/keys/kairos/DB.der
+    RUN mcopy -i /tmp/efi/efiboot.img ${KAIROS_VERSION}.conf ::loader/entries/${KAIROS_VERSION}.conf
+    RUN mcopy -i /tmp/efi/efiboot.img loader.conf ::loader/loader.conf
+    RUN mcopy -i /tmp/efi/efiboot.img uki.signed.efi ::EFI/kairos/${KAIROS_VERSION}.efi
+    RUN mcopy -i /tmp/efi/efiboot.img systemd-bootx64.signed.efi ::EFI/BOOT/BOOTX64.EFI
+    RUN xorriso -as mkisofs -V 'UKI_ISO_INSTALL' -e efiboot.img -no-emul-boot -o $ISO_NAME.iso /tmp/efi
+    SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.uki.iso
+
+# Uki stuff End
+
+
 
 ###
 ### Artifacts targets (ISO, netboot, ARM)
@@ -476,60 +529,6 @@ iso:
     SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
     SAVE ARTIFACT /build/$ISO_NAME.iso.sha256 kairos.iso.sha256 AS LOCAL build/$ISO_NAME.iso.sha256
 
-iso-uki:
-    FROM ubuntu
-
-    COPY +version/VERSION ./
-    ARG KAIROS_VERSION=$(cat VERSION)
-    ARG TARGETARCH
-
-    ARG --required FAMILY # The dockerfile to use
-    ARG --required FLAVOR # The distribution E.g. "ubuntu"
-    ARG --required FLAVOR_RELEASE # The distribution release/version E.g. "20.04"
-    ARG --required VARIANT
-    ARG --required MODEL
-    ARG --required BASE_IMAGE
-
-    COPY ./images/naming.sh .
-    ARG ISO_NAME=$(./naming.sh bootable_artifact_name)
-    ARG OSBUILDER_IMAGE
-    FROM $OSBUILDER_IMAGE
-    WORKDIR /build
-    COPY +uki/uki.signed.efi .
-    COPY +uki/PK.der .
-    COPY +uki/KEK.der .
-    COPY +uki/DB.der .
-    COPY +uki/systemd-bootx64.efi .
-    # Set the name for kairos manually as otherwise it picks it from the os-release automatically
-    RUN printf "title Kairos ${FLAVOR} ${VERSION}\nefi /EFI/kairos/kairos.efi" > kairos.conf
-    RUN printf "default kairos.conf" > loader.conf
-    RUN mkdir -p /build/efi
-    # TODO: Create the img size based on the actual efi size!
-    RUN dd if=/dev/zero of=/build/efi/efiboot.img bs=1G count=1
-    RUN mkfs.msdos -F 32 /build/efi/efiboot.img
-    RUN mmd -i /build/efi/efiboot.img ::EFI
-    RUN mmd -i /build/efi/efiboot.img ::EFI/BOOT
-    RUN mmd -i /build/efi/efiboot.img ::EFI/kairos
-    RUN mmd -i /build/efi/efiboot.img ::EFI/tools
-    RUN mmd -i /build/efi/efiboot.img ::loader
-    RUN mmd -i /build/efi/efiboot.img ::loader/entries
-    RUN mmd -i /build/efi/efiboot.img ::loader/keys
-    RUN mmd -i /build/efi/efiboot.img ::loader/keys/kairos
-    # Copy keys
-    RUN mcopy -i /build/efi/efiboot.img /build/PK.der ::loader/keys/kairos/PK.der
-    RUN mcopy -i /build/efi/efiboot.img /build/KEK.der ::loader/keys/kairos/KEK.der
-    RUN mcopy -i /build/efi/efiboot.img /build/DB.der ::loader/keys/kairos/DB.der
-    # Copy kairos efi. This dir would make system-boot autosearch and add to entries automatically /EFI/Linux/
-    # but here we do it by using systemd-boot as fallback so it sets the proper efivars
-    RUN mcopy -i /build/efi/efiboot.img /build/kairos.conf ::loader/entries/kairos.conf
-    RUN mcopy -i /build/efi/efiboot.img /build/uki.signed.efi ::EFI/kairos/kairos.EFI
-    # systemd-boot as bootloader
-    RUN mcopy -i /build/efi/efiboot.img /build/loader.conf ::loader/loader.conf
-    # TODO: TARGETARCH should change the output name to BOOTAA64.EFI in arm64!
-    RUN mcopy -i /build/efi/efiboot.img /build/systemd-bootx64.efi ::EFI/BOOT/BOOTX64.EFI
-    RUN xorriso -as mkisofs -V 'UKI_ISO_INSTALL' -e efiboot.img -no-emul-boot -o /build/$ISO_NAME.iso /build/efi/
-    SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
-
 # This target builds an iso using a remote docker image as rootfs instead of building the whole rootfs
 # This should be really fast as it uses an existing image. This requires a pushed image from the +image target
 # defaults to use the $REMOTE_IMG name (so ttl.sh/core-opensuse-leap:latest)

images/Dockerfile.kairos-rhel

@@ -34,6 +34,7 @@ RUN dnf update -y
 RUN dnf makecache
 RUN dnf install -y \
     audit \
+    cracklib-dicts \
     cloud-utils-growpart \
     device-mapper \
     dosfstools \

images/Dockerfile.opensuse

@@ -82,6 +82,7 @@ RUN zypper in --force-resolution -y \
     tmux \
     vim \
     which \
+    tpm2* \
     && zypper cc
 
 FROM common as amd64

images/Dockerfile.rhel

@@ -27,7 +27,7 @@ FROM epel AS almalinux
 FROM epel AS rockylinux
 
 FROM base AS fedora
-RUN dnf install -y "https://zfsonlinux.org/fedora/zfs-release-2-3$(rpm --eval "%{dist}").noarch.rpm" && dnf clean all
+RUN dnf install -y "https://zfsonlinux.org/fedora/zfs-release-2-4$(rpm --eval "%{dist}").noarch.rpm" && dnf clean all
 
 # install common packages
 FROM ${FLAVOR} AS common
@@ -35,6 +35,7 @@ RUN dnf update -y
 RUN dnf makecache
 RUN dnf install -y \
     audit \
+    cracklib-dicts \
     cloud-utils-growpart \
     device-mapper \
     dosfstools \

images/Dockerfile.ubuntu

@@ -90,6 +90,7 @@ RUN apt-get update \
     ubuntu-advantage-tools \
     xz-utils \
     zstd \
+    tpm2-* \
     && apt-get remove -y unattended-upgrades && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 ###############################################################

tests/encryption_test.go

@@ -16,6 +16,7 @@ import (
 )
 
 var installationOutput string
+var installError error
 var vm VM
 
 var _ = Describe("kcrypt encryption", func() {
@@ -40,8 +41,7 @@ var _ = Describe("kcrypt encryption", func() {
 		err = vm.Scp(configFile.Name(), "/tmp/config.yaml", "0744")
 		Expect(err).ToNot(HaveOccurred())
 		By("Manually installing")
-		installationOutput, err = vm.Sudo("kairos-agent --debug manual-install --device auto /tmp/config.yaml")
-		Expect(err).ToNot(HaveOccurred(), installationOutput)
+		installationOutput, installError = vm.Sudo("kairos-agent --debug manual-install --device auto /tmp/config.yaml")
 	})
 
 	AfterEach(func() {
@@ -90,6 +90,7 @@ stages:
 		})
 
 		It("boots and has an encrypted partition", func() {
+			Expect(installError).ToNot(HaveOccurred(), installationOutput)
 			By("Rebooting")
 			vm.Reboot()
 			vm.EventuallyConnects(1200)
@@ -106,6 +107,7 @@ stages:
 		var err error
 
 		BeforeEach(func() {
+			Expect(installError).ToNot(HaveOccurred(), installationOutput)
 			tpmHash, err = vm.Sudo("/system/discovery/kcrypt-discovery-challenger")
 			Expect(err).ToNot(HaveOccurred(), tpmHash)
 
@@ -152,6 +154,7 @@ kcrypt:
 		})
 
 		It("creates a passphrase and a key/pair to decrypt it", func() {
+			Expect(installError).ToNot(HaveOccurred(), installationOutput)
 			// Expect a LUKS partition
 			vm.Reboot(750)
 			vm.EventuallyConnects(1200)
@@ -245,6 +248,7 @@ kcrypt:
 		})
 
 		It("creates uses the existing passphrase to decrypt it", func() {
+			Expect(installError).ToNot(HaveOccurred(), installationOutput)
 			// Expect a LUKS partition
 			vm.Reboot()
 			vm.EventuallyConnects(1200)
@@ -256,6 +260,7 @@ kcrypt:
 	})
 
 	When("the key management server is listening on https", func() {
+		Expect(installError).ToNot(HaveOccurred(), installationOutput)
 		var tpmHash string
 		var err error
 
@@ -305,6 +310,7 @@ install:
 			})
 
 			It("successfully talks to the server", func() {
+				Expect(installError).ToNot(HaveOccurred(), installationOutput)
 				vm.Reboot()
 				vm.EventuallyConnects(1200)
 				out, err := vm.Sudo("blkid")
@@ -315,6 +321,7 @@ install:
 		})
 
 		When("the no certificate is set in the configuration", Label("remote-https-bad-cert"), func() {
+
 			BeforeEach(func() {
 				config = fmt.Sprintf(`#cloud-config
 
@@ -340,7 +347,9 @@ kcrypt:
 			})
 
 			It("fails to talk to the server", func() {
-				Expect(installationOutput).To(MatchRegexp("could not encrypt partition.*x509: certificate signed by unknown authority"))
+				// Should have failed the install
+				Expect(installError).To(HaveOccurred(), installationOutput)
+				Expect(installationOutput).To(MatchRegexp("failed to verify certificate: x509: certificate signed by unknown authority"))
 			})
 		})
 	})

tests/keys/tpm2-pcr-private.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt2ysfpb/5gSu3
+LN9vKEAq6PMW8dJ+TcEttfDrtViMgrT0Ko7PqjyGW6LJkh8zI0iSMMErzcn22xf8
+CzSWTGX8oLtfaFearmxhTV22FFXIKj5fvwI8uAuYofwHbFlajrlMNvy4W2pbs70Z
++hdVaGbCEXOZZX7sEnN72cFt/NPcs5H/2KmCeL6wtuWiByVKxPALkkp8Gwm99hni
+kULoSwzP3qiUrh3Obxlerq+AEgNr6OfUdDsKNynaKNcdSqc1SDbFhYc3p2bCI0/u
+C3NTya4MI0itafbwPEOH8eZt6LYcQD3y/W3S6p8s155xM9cCe483eaqmYYBaA6To
+jgEKSIBnAgMBAAECggEARmT/yQir+rK6qKiar790e+tmwluYB1wkZAXPTyFWgU5L
+RrIUsTEU4LIp78QireoTcF4dWUcyB6oexAcle9XjVa8fLzpoflExwRQ6ZYdGVI4G
+Q25r0XoT9/FewwK0C17O2HVLTrp1DjxwzRveZs6nDN1UGUBna97ss7EwCQDeJ/ZC
+U11rvm+LPcqxILCKfIG60gUa/Pt6SauTOPYeMVt7RCWLSekq/2XKLl5esCaZ4ojq
+dzfn+Xdz9rSbZFiHIDPnZPo5jkt2dpA8uc2/VknCSxEcHMnc9Q0e6ZI7WSJulWDk
+g6dt4BJHxdmIxMP/QJUzHVVPBUucHhYfCEkcivY3AQKBgQDi5qq09s8xbpQcHF8/
+FvE5XvVfkMJ6P6n0XKWbq7hWlFSRqOQNrRVDbcPitYA1X1W9xNE/nInei5q2TK/A
+N55r1HtZhlXlpDfy0Y7XCGg4sl63j+tXOikfyBs7K9x6EUtInBJqPCdur1eP8191
+s/Vp9wFi5IRJBYl54mRwOILY9wKBgQDEJv8xoiqnmg/P0W3A4G8UaNnq0m6j+RvJ
+LJzJC7QCGjDMwhHyGj4w0R1Nieue4d5JoCsh2ZPZpCPpKQNx+1GU/ErKb77lqRWM
+ZtzXODrdG9aOqnEGD1mQqQ9Y9B6HSxjT9GaPv9Ha0jqvz3AqAMM8JjmllLCELt6u
+jRGERvqoEQKBgQCx6iTYmN6F6CsCj8yvb5HeZnMIaD3WFa1yCmNg2RlF6jEVtdR8
+VMdjg+IhFihdsU9N6dIZiukgM18wqpj0o6f47Td7TzZzRn0ITQEv40u1iUdzr8nd
+L6GnZgTUNORAYuchHB/kZR6WT67dFPw5Es7QM/pGTODdURYnGDmhNO6EqQKBgHmA
+/ossPOfdEvZUcHwNikFGQdany0lfQcr4C5at3S+AMcJkZOFnSCbNIi2pxX6Bw0Qw
+Jwes01z5xBTmBvBQEVUMgverCMESX/q8rQfUGQJmAB4XjjOGxqBJWOxtK4v7BMIm
+nnFlDQVTPG8zO/OIzWcw9nyPAlie/+l4EOWzYglBAoGBAKAQCfvT7QcpKtqfZiX5
+xMXOGhqnaW5b9FAH2wL6mNk9oyDdJNuVqGuyR9uPqlItmZIPwHPcJNYziwS1m8U0
+stArqaxkOKhQZW9gckBZ7ns5JfPm1Xb32GvCOqUOrgeEVFVIUbSiHs2aed0eDo3R
+oflH7j08gbqU0VGZYfUwUuzt
+-----END PRIVATE KEY-----

tests/uki_test.go

@@ -1,6 +1,7 @@
 package mos_test
 
 import (
+	"fmt"
 	"os"
 	"strings"
 
@@ -48,8 +49,14 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() {
 		})
 		By("installing kairos", func() {
 			out, err := vm.Sudo(`kairos-agent --debug uki install --device /dev/vda`)
+			fmt.Println(string(out))
 			Expect(err).ToNot(HaveOccurred(), out)
 			Expect(out).Should(ContainSubstring("Running after-install hook"))
+			Expect(out).Should(ContainSubstring("Encrypting COS_OEM"))
+			Expect(out).Should(ContainSubstring("Encrypting COS_PERSISTENT"))
+			Expect(out).Should(ContainSubstring("Done encrypting COS_OEM"))
+			Expect(out).Should(ContainSubstring("Done encrypting COS_PERSISTENT"))
+			Expect(out).Should(ContainSubstring("New TPM2 token enrolled as key slot 1."))
 			vm.Sudo("sync")
 		})
 
@@ -75,6 +82,14 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() {
 			Expect(out).To(ContainSubstring("/dev/disk/by-label/COS_OEM"))
 			Expect(out).To(ContainSubstring("/dev/disk/by-label/COS_PERSISTENT"))
 		})
+		By("Checking OEM/PERSISTENT are encrypted", func() {
+			out, err := vm.Sudo("blkid /dev/vda2")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(out).To(ContainSubstring("crypto_LUKS"))
+			out, err = vm.Sudo("blkid /dev/vda3")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(out).To(ContainSubstring("crypto_LUKS"))
+		})
 
 		By("checking custom cmdline", func() {
 			out, err := vm.Sudo("cat /proc/cmdline")