✨ Enable secureboot for all flavors (minus alpine) (#2140)

.github/workflows/image-pr.yaml

@@ -48,6 +48,16 @@ jobs:
     with:
       flavor: ubuntu
       flavor_release: "23.10"
+      secureboot: false
+    needs:
+      - core
+
+  install-secureboot:
+    uses: ./.github/workflows/reusable-install-test.yaml
+    with:
+      flavor: ubuntu
+      flavor_release: "23.10"
+      secureboot: true
     needs:
       - core
 

.github/workflows/image.yaml

@@ -94,6 +94,33 @@ jobs:
         include:
           - flavor: opensuse
             flavorRelease: leap-15.5
+            secureboot: false
+  install-secureboot:
+    uses: ./.github/workflows/reusable-install-test.yaml
+    with:
+      flavor: ${{ matrix.flavor }}
+      flavor_release: ${{ matrix.flavorRelease }}
+      secureboot: true
+    needs:
+      - core
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - flavor: "opensuse"
+            flavorRelease: "leap-15.5"
+          - flavor: "opensuse"
+            flavorRelease: "tumbleweed"
+          - flavor: "debian"
+            flavorRelease: "bookworm"
+          - flavor: "ubuntu"
+            flavorRelease: "20.04"
+          - flavor: "ubuntu"
+            flavorRelease: "22.04"
+          - flavor: "ubuntu"
+            flavorRelease: "23.10"
+          - flavor: "fedora"
+            flavorRelease: "38"
   zfs:
     uses: ./.github/workflows/reusable-zfs-test.yaml
     with:

.github/workflows/reusable-install-test.yaml

@@ -9,6 +9,9 @@ on:
       flavor_release:
         required: true
         type: string
+      secureboot:
+        required: false
+        type: boolean
 
 jobs:
   test:
@@ -55,14 +58,17 @@ jobs:
           CREATE_VM: true
           FLAVOR: ${{ inputs.flavor }}
         run: |
+          if [ "${{ inputs.secureboot }}" = "true" ]; then
+            export FIRMWARE=/usr/share/OVMF/OVMF_CODE.fd
+          fi
           ls *.iso
           export ISO=$PWD/$(ls *.iso)
           echo "ISO is: $ISO"
           cp tests/go.* .
-          go run github.com/onsi/ginkgo/v2/ginkgo --label-filter "install-test" --fail-fast -r ./tests
+          go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "install-test" --fail-fast -r ./tests
       - uses: actions/upload-artifact@v4
         if: failure()
         with:
-          name: ${{ inputs.flavor }}-vbox.logs.zip
+          name: ${{ inputs.flavor }}.logs.zip
           path: tests/**/logs/*
           if-no-files-found: warn

Earthfile

@@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.0
 # renovate: datasource=docker depName=aquasec/trivy
 ARG TRIVY_VERSION=0.48.2
 # renovate: datasource=github-releases depName=kairos-io/kairos-framework
-ARG KAIROS_FRAMEWORK_VERSION="v2.6.0"
+ARG KAIROS_FRAMEWORK_VERSION="v2.6.3"
 ARG COSIGN_SKIP=".*quay.io/kairos/.*"
 # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name
 
@@ -21,7 +21,7 @@ END
 ARG COSIGN_EXPERIMENTAL=0
 ARG CGO_ENABLED=0
 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced
-ARG OSBUILDER_VERSION=v0.10.2
+ARG OSBUILDER_VERSION=v0.11.1
 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION
 ARG GOLINT_VERSION=1.52.2
 # renovate: datasource=docker depName=golang
@@ -207,12 +207,20 @@ luet:
 kairos-dockerfile:
     ARG --required FAMILY
     COPY ./images .
-    RUN --no-cache cat <(echo "# This file is auto-generated with the command: earthly +kairos-dockerfile --FAMILY=${FAMILY}") \
+    IF [ "$FAMILY" == "all" ]
-        <(sed -n '/# WARNING:/!p' Dockerfile.$FAMILY) \
+        ARG FAMILY_LIST="alpine debian opensuse rhel ubuntu"
-        <(echo) \
+    ELSE
-        <(sed -n '/# WARNING:/!p' Dockerfile.kairos) \
+        ARG FAMILY_LIST=$FAMILY
-        > ./Dockerfile
+    END
-    SAVE ARTIFACT Dockerfile AS LOCAL images/Dockerfile.kairos-${FAMILY}
+    FOR F IN $FAMILY_LIST
+        RUN --no-cache cat <(echo "# This file is auto-generated with the command: earthly +kairos-dockerfile --FAMILY=${F}") \
+            <(sed -n '/# WARNING:/!p' Dockerfile.$F) \
+            <(echo) \
+            <(sed -n '/# WARNING:/!p' Dockerfile.kairos) \
+            > ./Dockerfile
+        SAVE ARTIFACT Dockerfile AS LOCAL images/Dockerfile.kairos-${F}
+    END
+
 
 extract-framework-profile:
     ARG FRAMEWORK_VERSION
@@ -286,6 +294,14 @@ base-image:
     ARG _CIMG=$(cat ./IMAGE)
 
     COPY +git-version/GIT_VERSION VERSION
+    ARG KAIROS_AGENT_DEV_BRANCH
+
+    IF [ "$KAIROS_AGENT_DEV_BRANCH" != "" ]
+        RUN rm -rf /usr/bin/kairos-agent
+        COPY github.com/kairos-io/kairos-agent:$KAIROS_AGENT_DEV_BRANCH+build-kairos-agent/kairos-agent /usr/bin/kairos-agent
+    END
+
+    RUN --no-cache kairos-agent version
 
     SAVE IMAGE $_CIMG
     SAVE ARTIFACT /IMAGE AS LOCAL build/IMAGE

images/Dockerfile.debian

@@ -97,6 +97,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     python3-pynvim \
     rsync \
     shared-mime-info \
+    shim-signed \
     snapd \
     squashfs-tools \
     sudo \

images/Dockerfile.kairos-debian

@@ -96,6 +96,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     python3-pynvim \
     rsync \
     shared-mime-info \
+    shim-signed \
     snapd \
     squashfs-tools \
     sudo \

images/Dockerfile.kairos-opensuse

@@ -71,6 +71,7 @@ RUN zypper in --force-resolution -y \
     procps \
     rng-tools \
     rsync \
+    shim \
     squashfs \
     strace \
     sudo \

images/Dockerfile.kairos-ubuntu

@@ -79,6 +79,7 @@ RUN apt-get update \
     openssh-server \
     parted \
     rsync \
+    shim-signed \
     snapd \
     snmpd \
     squashfs-tools \

images/Dockerfile.opensuse

@@ -72,6 +72,7 @@ RUN zypper in --force-resolution -y \
     procps \
     rng-tools \
     rsync \
+    shim \
     squashfs \
     strace \
     sudo \

images/Dockerfile.ubuntu

@@ -80,6 +80,7 @@ RUN apt-get update \
     openssh-server \
     parted \
     rsync \
+    shim-signed \
     snapd \
     snmpd \
     squashfs-tools \

tests/install_test.go

@@ -69,6 +69,9 @@ var _ = Describe("kairos install test", Label("install-test"), func() {
 
 	Context("install", func() {
 		It("cloud-config syntax mixed with extended syntax", func() {
+
+			expectSecureBootEnabled(vm)
+
 			_ = testInstall(`#cloud-config
 install:
   bind_mounts:
@@ -94,6 +97,8 @@ bundles:
   - container://quay.io/mocaccino/extra:edgevpn-utils-0.15.0
 `, vm)
 
+			expectSecureBootEnabled(vm)
+
 			Eventually(func() string {
 				out, _ := vm.Sudo("cat /etc/foo")
 				return out

tests/tests_suite_test.go

@@ -304,6 +304,19 @@ func expectRebootedToActive(vm VM) {
 	})
 }
 
+func expectSecureBootEnabled(vm VM) {
+	// Check for secureboot before install, based on firmware env var
+	// if we set, then the test suite will load the secureboot firmware
+	secureboot := os.Getenv("FIRMWARE")
+
+	if secureboot != "" {
+		By("checking that secureboot is enabled", func() {
+			out, _ := vm.Sudo("dmesg | grep -i secure")
+			Expect(out).To(ContainSubstring("Secure boot enabled"))
+		})
+	}
+}
+
 // return the PID of the swtpm (to be killed later) and the state directory
 func emulateTPM(stateDir string) {
 	t := path.Join(stateDir, "tpm")