✨ Enable secureboot for all flavors (minus alpine) (#2140)

2025-02-09 05:18:51 +00:00 · 2024-01-16 14:27:01 +01:00 · 2024-01-16 14:27:01 +01:00 · dd5ea87dd1
commit dd5ea87dd1
parent 2e87283c83
12 changed files with 93 additions and 10 deletions
--- a/.github/workflows/image-pr.yaml
+++ b/.github/workflows/image-pr.yaml
@ -48,6 +48,16 @@ jobs:
    with:
      flavor: ubuntu
      flavor_release: "23.10"
+      secureboot: false
+    needs:
+      - core
+
+  install-secureboot:
+    uses: ./.github/workflows/reusable-install-test.yaml
+    with:
+      flavor: ubuntu
+      flavor_release: "23.10"
+      secureboot: true
    needs:
      - core

--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@ -94,6 +94,33 @@ jobs:
        include:
          - flavor: opensuse
            flavorRelease: leap-15.5
+            secureboot: false
+  install-secureboot:
+    uses: ./.github/workflows/reusable-install-test.yaml
+    with:
+      flavor: ${{ matrix.flavor }}
+      flavor_release: ${{ matrix.flavorRelease }}
+      secureboot: true
+    needs:
+      - core
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - flavor: "opensuse"
+            flavorRelease: "leap-15.5"
+          - flavor: "opensuse"
+            flavorRelease: "tumbleweed"
+          - flavor: "debian"
+            flavorRelease: "bookworm"
+          - flavor: "ubuntu"
+            flavorRelease: "20.04"
+          - flavor: "ubuntu"
+            flavorRelease: "22.04"
+          - flavor: "ubuntu"
+            flavorRelease: "23.10"
+          - flavor: "fedora"
+            flavorRelease: "38"
  zfs:
    uses: ./.github/workflows/reusable-zfs-test.yaml
    with:
--- a/.github/workflows/reusable-install-test.yaml
+++ b/.github/workflows/reusable-install-test.yaml
@ -9,6 +9,9 @@ on:
      flavor_release:
        required: true
        type: string
+      secureboot:
+        required: false
+        type: boolean

 jobs:
  test:
@ -55,14 +58,17 @@ jobs:
          CREATE_VM: true
          FLAVOR: ${{ inputs.flavor }}
        run: |
+          if [ "${{ inputs.secureboot }}" = "true" ]; then
+            export FIRMWARE=/usr/share/OVMF/OVMF_CODE.fd
+          fi
          ls *.iso
          export ISO=$PWD/$(ls *.iso)
          echo "ISO is: $ISO"
          cp tests/go.* .
-          go run github.com/onsi/ginkgo/v2/ginkgo --label-filter "install-test" --fail-fast -r ./tests
+          go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "install-test" --fail-fast -r ./tests
      - uses: actions/upload-artifact@v4
        if: failure()
        with:
-          name: ${{ inputs.flavor }}-vbox.logs.zip
+          name: ${{ inputs.flavor }}.logs.zip
          path: tests/**/logs/*
          if-no-files-found: warn
--- a/32
+++ b/32
@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0
 # renovate: datasource=docker depName=aquasec/trivy
 ARG TRIVY_VERSION=0.48.2
 # renovate: datasource=github-releases depName=kairos-io/kairos-framework
-ARG KAIROS_FRAMEWORK_VERSION="v2.6.0"
+ARG KAIROS_FRAMEWORK_VERSION="v2.6.3"
 ARG COSIGN_SKIP=".*quay.io/kairos/.*"
 # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name

@ -21,7 +21,7 @@ END
 ARG COSIGN_EXPERIMENTAL=0
 ARG CGO_ENABLED=0
 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced
-ARG OSBUILDER_VERSION=v0.10.2
+ARG OSBUILDER_VERSION=v0.11.1
 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION
 ARG GOLINT_VERSION=1.52.2
 # renovate: datasource=docker depName=golang
@ -207,12 +207,20 @@ luet:
 kairos-dockerfile:
    ARG --required FAMILY
    COPY ./images .
-    RUN --no-cache cat <(echo "# This file is auto-generated with the command: earthly +kairos-dockerfile --FAMILY=${FAMILY}") \
-        <(sed -n '/# WARNING:/!p' Dockerfile.$FAMILY) \
-        <(echo) \
-        <(sed -n '/# WARNING:/!p' Dockerfile.kairos) \
-        > ./Dockerfile
-    SAVE ARTIFACT Dockerfile AS LOCAL images/Dockerfile.kairos-${FAMILY}
+    IF [ "$FAMILY" == "all" ]
+        ARG FAMILY_LIST="alpine debian opensuse rhel ubuntu"
+    ELSE
+        ARG FAMILY_LIST=$FAMILY
+    END
+    FOR F IN $FAMILY_LIST
+        RUN --no-cache cat <(echo "# This file is auto-generated with the command: earthly +kairos-dockerfile --FAMILY=${F}") \
+            <(sed -n '/# WARNING:/!p' Dockerfile.$F) \
+            <(echo) \
+            <(sed -n '/# WARNING:/!p' Dockerfile.kairos) \
+            > ./Dockerfile
+        SAVE ARTIFACT Dockerfile AS LOCAL images/Dockerfile.kairos-${F}
+    END
+

 extract-framework-profile:
    ARG FRAMEWORK_VERSION
@ -286,6 +294,14 @@ base-image:
    ARG _CIMG=$(cat ./IMAGE)

    COPY +git-version/GIT_VERSION VERSION
+    ARG KAIROS_AGENT_DEV_BRANCH
+
+    IF [ "$KAIROS_AGENT_DEV_BRANCH" != "" ]
+        RUN rm -rf /usr/bin/kairos-agent
+        COPY github.com/kairos-io/kairos-agent:$KAIROS_AGENT_DEV_BRANCH+build-kairos-agent/kairos-agent /usr/bin/kairos-agent
+    END
+
+    RUN --no-cache kairos-agent version

    SAVE IMAGE $_CIMG
    SAVE ARTIFACT /IMAGE AS LOCAL build/IMAGE
--- a/images/Dockerfile.debian
+++ b/images/Dockerfile.debian
@ -97,6 +97,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    python3-pynvim \
    rsync \
    shared-mime-info \
+    shim-signed \
    snapd \
    squashfs-tools \
    sudo \
--- a/images/Dockerfile.kairos-debian
+++ b/images/Dockerfile.kairos-debian
@ -96,6 +96,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    python3-pynvim \
    rsync \
    shared-mime-info \
+    shim-signed \
    snapd \
    squashfs-tools \
    sudo \
--- a/images/Dockerfile.kairos-opensuse
+++ b/images/Dockerfile.kairos-opensuse
@ -71,6 +71,7 @@ RUN zypper in --force-resolution -y \
    procps \
    rng-tools \
    rsync \
+    shim \
    squashfs \
    strace \
    sudo \
--- a/images/Dockerfile.kairos-ubuntu
+++ b/images/Dockerfile.kairos-ubuntu
@ -79,6 +79,7 @@ RUN apt-get update \
    openssh-server \
    parted \
    rsync \
+    shim-signed \
    snapd \
    snmpd \
    squashfs-tools \
--- a/images/Dockerfile.opensuse
+++ b/images/Dockerfile.opensuse
@ -72,6 +72,7 @@ RUN zypper in --force-resolution -y \
    procps \
    rng-tools \
    rsync \
+    shim \
    squashfs \
    strace \
    sudo \
--- a/images/Dockerfile.ubuntu
+++ b/images/Dockerfile.ubuntu
@ -80,6 +80,7 @@ RUN apt-get update \
    openssh-server \
    parted \
    rsync \
+    shim-signed \
    snapd \
    snmpd \
    squashfs-tools \
--- a/tests/install_test.go
+++ b/tests/install_test.go
@ -69,6 +69,9 @@ var _ = Describe("kairos install test", Label("install-test"), func() {

 	Context("install", func() {
 		It("cloud-config syntax mixed with extended syntax", func() {
+
+			expectSecureBootEnabled(vm)
+
 			_ = testInstall(`#cloud-config
 install:
  bind_mounts:
@ -94,6 +97,8 @@ bundles:
  - container://quay.io/mocaccino/extra:edgevpn-utils-0.15.0
 `, vm)

+			expectSecureBootEnabled(vm)
+
 			Eventually(func() string {
 				out, _ := vm.Sudo("cat /etc/foo")
 				return out
--- a/tests/tests_suite_test.go
+++ b/tests/tests_suite_test.go
@ -304,6 +304,19 @@ func expectRebootedToActive(vm VM) {
 	})
 }

+func expectSecureBootEnabled(vm VM) {
+	// Check for secureboot before install, based on firmware env var
+	// if we set, then the test suite will load the secureboot firmware
+	secureboot := os.Getenv("FIRMWARE")
+
+	if secureboot != "" {
+		By("checking that secureboot is enabled", func() {
+			out, _ := vm.Sudo("dmesg | grep -i secure")
+			Expect(out).To(ContainSubstring("Secure boot enabled"))
+		})
+	}
+}
+
 // return the PID of the swtpm (to be killed later) and the state directory
 func emulateTPM(stateDir string) {
 	t := path.Join(stateDir, "tpm")