🤖 Bump osbuilder and drop keys (#2381)

.github/workflows/uki.yaml

@@ -159,7 +159,7 @@ jobs:
           docker push $TEMP_IMAGE
       - name: Build uki ISO 🔧
         run: |
-          earthly +uki-iso --BASE_IMAGE=ttl.sh/ubuntu-2310-${{ github.head_ref || github.ref }}:24h
+          earthly +uki-iso --BASE_IMAGE=ttl.sh/ubuntu-2310-${{ github.head_ref || github.ref }}:24h --ENKI_CREATE_CI_KEYS=true
       - name: Create datasource iso 🔧
         run: |
           earthly +datasource-iso --CLOUD_CONFIG=tests/assets/uki-install.yaml
@@ -231,7 +231,7 @@ jobs:
       - name: Build uki ISO 🔧
         run: |
           earthly +uki-iso \
-            --BASE_IMAGE=ttl.sh/fedora-38-${{ github.head_ref || github.ref }}:24h
+            --BASE_IMAGE=ttl.sh/fedora-38-${{ github.head_ref || github.ref }}:24h --ENKI_CREATE_CI_KEYS=true
       - name: Create datasource iso 🔧
         run: |
           earthly +datasource-iso --CLOUD_CONFIG=tests/assets/uki-install.yaml

Earthfile

@@ -21,7 +21,7 @@ END
 ARG COSIGN_EXPERIMENTAL=0
 ARG CGO_ENABLED=0
 # renovate: datasource=docker depName=quay.io/kairos/osbuilder-tools versioning=semver-coerced
-ARG OSBUILDER_VERSION=v0.200.8
+ARG OSBUILDER_VERSION=v0.200.9
 ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools:$OSBUILDER_VERSION
 ARG GOLINT_VERSION=1.52.2
 # renovate: datasource=docker depName=golang
@@ -329,9 +329,13 @@ image-rootfs:
 uki-iso:
     ARG --required BASE_IMAGE # BASE_IMAGE is existing kairos image which needs to be converted to uki
     ARG ENKI_FLAGS
+    ARG ENKI_CREATE_CI_KEYS # If set, it will create keys for the UKI image. Good for testing
     FROM $OSBUILDER_IMAGE
-    COPY ./tests/keys /keys
     WORKDIR /build
+    RUN mkdir -p /keys
+    IF [ "$ENKI_CREATE_CI_KEYS" != "" ]
+        RUN enki genkey -e 7 --output /keys Test
+    END
     RUN --no-cache enki build-uki $BASE_IMAGE --output-dir /build/ -k /keys --output-type iso ${ENKI_FLAGS}
     SAVE ARTIFACT /build/*.iso AS LOCAL build/
 

tests/keys/KEK.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCapyZdRd6TFgnr
-JJtYYUAgfCfFSzpRQLorYgqUfaY1UnNxlE1ngcBs1GHRQAO7jdYPvL3QiIY+qKoD
-GJ12/UKs6SpfNHLQtHQ2NrQrVDXFgt+ttauhsa+T0ll46qDc3H6x9s1jUhGIFZgk
-mQ+aXj5YFHwjDtoxw5vtJw/p77rje4bEs58Fr0ovrlDm2en2kpiVvXSQdWxy1pLB
-t1QahfZf4jqgQJ13A+oURx7pgyoMayvtVjG4lLtkkPm5L5JXImGG03XkjOehckKo
-QR88oAmhzzDat96i+18dMd3HR2gkV4/hXQnPPtCffHBV5r26kqe4KojCx9riz3yE
-ylvMMtE5AgMBAAECggEAJCuz7VzKEdy1tSl6q9ETDoX7R0mw+hAJetwTXWeF2DLQ
-jWACOpM+TjXeKvKt7M/foQ6j1oIX48/O86puKcZSMd7W6i16LRYHmCZzPS8U5H0X
-k6lJ2yeTyR8Jjh5SQVXQzA7NOs2XDB0A2I5z98bTDga8gfaXUcxOS8k3D5/iNhHw
-oBWjk9MSkxXPDS67mFOZGeia+CcG/k3r/GXrakBj8Iq183X0GH53VJr+y6DLXJax
-tHdg0mio57HFvG7LvzODy25Ymr/r8RFIuSqrCEjgeQQt/oERqVToZDFB0pELgSK/
-A1JuPvPWT2CXPymXHl9uBJvNQS1eaoI+wKZ0ui7BgQKBgQDZpo6fdMR88Z9RDLgk
-E6PfVNxq4KHIVtSErpGYKVx56CIVrhOu9Jk66kJq7eQma6UCUZd6qHMx9CG/ligZ
-yk4u51kDM2btqRdtsnXbKiqONcoorn6E8UZHSJxDBrRSAUIruaJC+zxwACVtwasz
-4Pc5HNvqFGqpMi7ujs8rP1/hZwKBgQC15v3sKv54KZwOxEGxdabRE/T/hQmiasG/
-34qdNV/DRDLxIpyBPbKR/EjJyNsFzzySLG2oeDCUY7JX1B9iZ24RgT8OmTka0nSW
-yi4RhH99hzLglDCHe55Zrr6oDK9xwhxWKIHU98hNVCKGDptd5HQ140sdZTwQsJ26
-RYbbj/j0XwKBgQCQjEpqYj1gkYPyaxUceKK73vsoTBmGGQy5NcriGI4fNGj2pw7R
-ggcGFrCXnXiJf7IuEQweXSNsSKvlNo9ZWX+FLQZz1r6EFmnF4+Db9mwe2GBzljfW
-iPrYusN0zE4TrFxK99Vo0Lw50g8JjrbqFH18Q8tV8ctIpVh//P5fxY4i/wKBgDhk
-2shDNA1Q6R7y3WMFFKixRT2Ko0gFTPgNd83xZDUHibuUfWzcEeaMjoxwhuawLxkq
-SPz39ierGPl9vBUn98nZhhEik7+rC5ZMLCgmKdhi9/UEPF9khd1L/bPf6uybv2k+
-ubGq+CBxOxrQoH5le1nRk9ITNqH9/4hmUb70TbyFAoGAC0w4pJM8R3kaFqKdDVo8
-bD3buojiE0ORPeLdnhe5yc9XaLsM6Ti3MPCeiQ3gZRCuvOlsy4noDnATUXYusNfa
-u7WLPO56ne5ewAWWmtywQ/D8IZHWHkNM1n8yHWCZXyZgF7sh1CXsIXOam7F9Syzm
-8uZGoFciL4vV9F5x3CBk70M=
------END PRIVATE KEY-----

tests/keys/KEK.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIUFElXQYJNL9OmNok3nLKNWzDExuUwDQYJKoZIhvcNAQEL
-BQAwFTETMBEGA1UEAwwKS2Fpcm9zIEtFSzAeFw0yMzA5MjUxOTQ4NDVaFw0zMzA5
-MjIxOTQ4NDVaMBUxEzARBgNVBAMMCkthaXJvcyBLRUswggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQCapyZdRd6TFgnrJJtYYUAgfCfFSzpRQLorYgqUfaY1
-UnNxlE1ngcBs1GHRQAO7jdYPvL3QiIY+qKoDGJ12/UKs6SpfNHLQtHQ2NrQrVDXF
-gt+ttauhsa+T0ll46qDc3H6x9s1jUhGIFZgkmQ+aXj5YFHwjDtoxw5vtJw/p77rj
-e4bEs58Fr0ovrlDm2en2kpiVvXSQdWxy1pLBt1QahfZf4jqgQJ13A+oURx7pgyoM
-ayvtVjG4lLtkkPm5L5JXImGG03XkjOehckKoQR88oAmhzzDat96i+18dMd3HR2gk
-V4/hXQnPPtCffHBV5r26kqe4KojCx9riz3yEylvMMtE5AgMBAAGjUzBRMB0GA1Ud
-DgQWBBQ8+vEr6ovmH40ZA5FJiT+zYLBitDAfBgNVHSMEGDAWgBQ8+vEr6ovmH40Z
-A5FJiT+zYLBitDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAw
-sjmqYzHnQF06SlICMh06obnXSkzf06whvkhl+mWUMBKVtMFR6D3sHs7pznNhMkpY
-Fa9j6hY44fjU+6tkQaMccz/KOMDKpJlPmILKuixraYgCV7HcoBmpKE32xwCzEId3
-NZ38JDxRFmijIDtdCUspHxeMn+PpHDhkvBdEK60+bA7BZis9b2qDoiAo6NpxjdVL
-kMBVzdGgqGcN6SPNujgy78/N/vndxGRxyN2fscmnvf0qzs1OP696AyTDQ9VZ/4fP
-Q/kmLfL9JNu8d4cx1wdgV/20FtMnHhr1Q7f1/Gqr5S2zt3L9WLwnTDOrLd3UZ9wl
-wtpRye1107RaagwlTnvh
------END CERTIFICATE-----

tests/keys/PK.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCp9fH+uSTVM9lN
-aKxAWeFGvlPy3ojuL3MrcM75RGuyDpXv7nO0zy51zVFSDVWd2RlE0wprOBWoftl8
-oeTFR1Bzher4QqxzLAmKu1yOwwpUBS0gS30z815A34IgSxKA7ISolkZrNxU+kvxD
-vHjFxnhJ7AnKhtLm763Fj0SL8QDjSKEDHJxiaGhQcsvCO0707VQp//odbcqCQxik
-C5qWsmN3vSDRaxXSUUZQIbiulIQ3oOenXvMXXLlRIIKy2DGncpIy4EWUEXMUKGPL
-rDy/QtSUUANiPpnzeg84P/bH5R4m6LwfFyuC7dWddWYuhBqCCaXUSptbty7xLdjG
-VsAfmlCvAgMBAAECggEABfVOzgC8l1LRf+K3AyyDdsDuXXnKsBruvSufveJVqjDT
-tc0UtlZ7CPsxKiC4iyeUuLJzT43wSG9l/XYJeJcG7X3Y3mor9H+rN/dYh9Kzln11
-9wdedMdH2xtayvoGxIlGH0jhYBnWv1JU0KUXUMuj5OeG8lgmpZzqaR4cJ5HD17Ph
-3e4kMdtSdNVvV4UxTp7oiX9KYrNueAnqh09O2Hq23+6LV2yB5gs+wBlzpXECLma/
-UmNJOzFpLIi1HHIDgfdwTS0JnP4lGPEV+R/VHdHfy9W9WB8jyyONPewCtaUMqgxY
-W7kZCrjRmpMVzQwA/60SIaFZpdSQjEDNIMssl4bozQKBgQDtTQX6LyT/RoOKbv5I
-n6Uqi5XFU+k3SnDHN/8sTSwK7r4xC4n+2MjR0YS2tDYgaAvqvnG3dCRP0/NYluSG
-0Ih2g2t1ct+feWbvd/a6On8f2UoNGC0X4xoLmNOe/ToqcAFTW7TJ6l6oQ5fGq+QV
-UczwkkKToYmjFjgY5GMCUTbGRQKBgQC3Wn7p9V1WadQMPGRu0LegTCV4QZlkiLqw
-OE9Ezg8GgnyJ0ny3FmBPIPAMS/h6Rex83fBzds0uDLSkRSpTprqcbLr6lFL3Mf7N
-uPXxUHOFvc4P7sHK57jVYlV8bu+OQC3XLaIkjguMIVoZZR57q1rCN3KwZ8FPXyCb
-GgVqRTlUYwKBgQDTSAPtaHJpc3AFHqP7J2FYiyWTpw17tCTLy9i/qgpvxXfDlUGN
-jZjn78NZJQUYP2t025HGRHtcNBtzog3g1uTZmFNiJCBlDiOPTWF5GEI9qirbk836
-ebKj5rNs2IwkYstbW8iRCsKy0FPfiQYv0UBGZgMvDOHOOidCSn64/nRlfQKBgDYB
-EpaIbYhxPUKpWw+ErEErjHHCKJMC7rHOtBJY+vX44wOZGqC2l4FW+z0z9yjUhZY1
-rIfluwNQPLiRoqjm19oQ8HWz0Ef80sb3LoF4J76BrDrnIO9JlxhKkVFIP4jPgHD7
-gOFxcRdCD46hSPw1+VJxEHfC554gL7NfU678WqlvAoGAMeeVuDlCbqxehBMdbtMA
-Z74LhilPklqgvF36p3l3PIqO4427Rg49m5KxiBttoofq3nYFikrYPnVY1mYFnhSl
-hwZG/eXLpRaYb/yDGdzHxzsQFYjxD3InLSfvd67fRG/T5+R8M5bDs+IZCFlGFvG/
-fA0uGH0fKEPUy7Ijex9cXag=
------END PRIVATE KEY-----

tests/keys/PK.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCTCCAfGgAwIBAgIUeKRpRkHvYxAffzrfw90J8MAlTDIwDQYJKoZIhvcNAQEL
-BQAwFDESMBAGA1UEAwwJS2Fpcm9zIFBLMB4XDTIzMDkyNTE5NDgyOFoXDTMzMDky
-MjE5NDgyOFowFDESMBAGA1UEAwwJS2Fpcm9zIFBLMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAqfXx/rkk1TPZTWisQFnhRr5T8t6I7i9zK3DO+URrsg6V
-7+5ztM8udc1RUg1VndkZRNMKazgVqH7ZfKHkxUdQc4Xq+EKscywJirtcjsMKVAUt
-IEt9M/NeQN+CIEsSgOyEqJZGazcVPpL8Q7x4xcZ4SewJyobS5u+txY9Ei/EA40ih
-AxycYmhoUHLLwjtO9O1UKf/6HW3KgkMYpAualrJjd70g0WsV0lFGUCG4rpSEN6Dn
-p17zF1y5USCCstgxp3KSMuBFlBFzFChjy6w8v0LUlFADYj6Z83oPOD/2x+UeJui8
-Hxcrgu3VnXVmLoQaggml1EqbW7cu8S3YxlbAH5pQrwIDAQABo1MwUTAdBgNVHQ4E
-FgQUHzloQNy/RNHN71Ihn0YaxwhdcrgwHwYDVR0jBBgwFoAUHzloQNy/RNHN71Ih
-n0YaxwhdcrgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAASMw
-sw9kOeNNhcA4o5MnIG6uqH/4jIMG8UjcqyuNKtH/2eLs/xNCSDIJG0VVuY2y3kzw
-GLZmphdxvtvWW6c9A9+mdM/JBi3AeGyIGk2hfFVoFcV/7VuGgphAJcTKY6KXgj7e
-F6hjatCCUUYiRkiPL50X5wJQ/COAOe7/5BzeAZhbxNQ9z6IG4StdS31uSE7Vl2Nn
-G+V1Gkqmc/6Z3Nkd2iGPiLIiqkDn8Xcincn/f0ybgnOdVljtXlzJm0pN4FrVkdPa
-en/HLiMCjKTSWl1wXF3GUZkmCITryJ4O6SWtsuWTqmvohb2QAMqdnybFW7hjzGoG
-A0UKl8yqRzdGBa0mHg==
------END CERTIFICATE-----

tests/keys/README.md

@@ -1,57 +0,0 @@
-This are TEST keys, used for development purposes.
-
-You can install this keys on a VM EFI and test secureboot.
-
-They are pregenerated so you can iterate building Kairos UKI EFI and use the same signature without generating keys
-all the time.
-
-They should never be installed anywhere different than a VM.
-
-
-Sets of keys:
-
-*.key - Private key
-*.crt - Certificate
-*.der - Public certificate in DER format. Can be used to manually add the entries to the EFI database.
-*.esl - EFI Signature List.
-*.auth - SIGNED EFI Signature List. Can be used by systemd-boot to automatically add the entries to the EFI database.
-
-
-So for a EFI firmware to trust Kairos UKI EFI, you need to add the following entries to the EFI database depending of its state.
-
-Setup mode (No keys installed, no PK key installed) systemd-boot will auto-add the following keys on the first boot and reset the system to continue booting:
- - PK: PK.auth
- - KEK: KEK.auth
- - DB: DB.auth
-
-Adding secureboot keys manually to edk2 firmware:
-[![Adding secureboot keys manually to edk2 firmware](https://img.youtube.com/vi/ITlxqQkFbwk/0.jpg)](https://www.youtube.com/watch?v=ITlxqQkFbwk "Adding secureboot keys manually to edk2 firmware")
-
-User mode (PK key installed, other certs already in there) you need to manually add the following keys in the firmware:
- - KEK: KEK.der
- - DB: DB.der
-
-Auto secureBoot key enrollment via systemd-boot:
-[![Auto secureBoot key enrollment via systemd-boot](https://img.youtube.com/vi/zmxDNQ56P7s/0.jpg)](https://www.youtube.com/watch?v=zmxDNQ56P7s "Auto secureBoot key enrollment via systemd-boot")
-
-## Generate keys from scratch (key+pem+der+esl)
-
-```bash
-uuid=$(uuidgen -N kairos --namespace @dns --sha1)
-for key in PK KEK DB; do
-  openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.pem"
-  openssl x509 -outform DER -in "${key}.pem" -out "${key}.der"
-  sbsiglist --owner "${uuid}" --type x509 --output "${key}.esl" "${key}.der"
-done
-```
-
-
-## Generate auth files for systemd-boot auto-enrollment
-
-```bash
-## Generate the auth files from the esl files by signing them.
-attr=NON_VOLATILE,RUNTIME_ACCESS,BOOTSERVICE_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS
-sbvarsign --attr "${attr}" --key PK.key --cert PK.crt --output PK.auth PK PK.esl
-sbvarsign --attr "${attr}" --key PK.key --cert PK.crt --output KEK.auth KEK KEK.esl
-sbvarsign --attr "${attr}" --key KEK.key --cert KEK.crt --output DB.auth DB DB.esl
-```

tests/keys/tpm2-pcr-private.pem

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt2ysfpb/5gSu3
-LN9vKEAq6PMW8dJ+TcEttfDrtViMgrT0Ko7PqjyGW6LJkh8zI0iSMMErzcn22xf8
-CzSWTGX8oLtfaFearmxhTV22FFXIKj5fvwI8uAuYofwHbFlajrlMNvy4W2pbs70Z
-+hdVaGbCEXOZZX7sEnN72cFt/NPcs5H/2KmCeL6wtuWiByVKxPALkkp8Gwm99hni
-kULoSwzP3qiUrh3Obxlerq+AEgNr6OfUdDsKNynaKNcdSqc1SDbFhYc3p2bCI0/u
-C3NTya4MI0itafbwPEOH8eZt6LYcQD3y/W3S6p8s155xM9cCe483eaqmYYBaA6To
-jgEKSIBnAgMBAAECggEARmT/yQir+rK6qKiar790e+tmwluYB1wkZAXPTyFWgU5L
-RrIUsTEU4LIp78QireoTcF4dWUcyB6oexAcle9XjVa8fLzpoflExwRQ6ZYdGVI4G
-Q25r0XoT9/FewwK0C17O2HVLTrp1DjxwzRveZs6nDN1UGUBna97ss7EwCQDeJ/ZC
-U11rvm+LPcqxILCKfIG60gUa/Pt6SauTOPYeMVt7RCWLSekq/2XKLl5esCaZ4ojq
-dzfn+Xdz9rSbZFiHIDPnZPo5jkt2dpA8uc2/VknCSxEcHMnc9Q0e6ZI7WSJulWDk
-g6dt4BJHxdmIxMP/QJUzHVVPBUucHhYfCEkcivY3AQKBgQDi5qq09s8xbpQcHF8/
-FvE5XvVfkMJ6P6n0XKWbq7hWlFSRqOQNrRVDbcPitYA1X1W9xNE/nInei5q2TK/A
-N55r1HtZhlXlpDfy0Y7XCGg4sl63j+tXOikfyBs7K9x6EUtInBJqPCdur1eP8191
-s/Vp9wFi5IRJBYl54mRwOILY9wKBgQDEJv8xoiqnmg/P0W3A4G8UaNnq0m6j+RvJ
-LJzJC7QCGjDMwhHyGj4w0R1Nieue4d5JoCsh2ZPZpCPpKQNx+1GU/ErKb77lqRWM
-ZtzXODrdG9aOqnEGD1mQqQ9Y9B6HSxjT9GaPv9Ha0jqvz3AqAMM8JjmllLCELt6u
-jRGERvqoEQKBgQCx6iTYmN6F6CsCj8yvb5HeZnMIaD3WFa1yCmNg2RlF6jEVtdR8
-VMdjg+IhFihdsU9N6dIZiukgM18wqpj0o6f47Td7TzZzRn0ITQEv40u1iUdzr8nd
-L6GnZgTUNORAYuchHB/kZR6WT67dFPw5Es7QM/pGTODdURYnGDmhNO6EqQKBgHmA
-/ossPOfdEvZUcHwNikFGQdany0lfQcr4C5at3S+AMcJkZOFnSCbNIi2pxX6Bw0Qw
-Jwes01z5xBTmBvBQEVUMgverCMESX/q8rQfUGQJmAB4XjjOGxqBJWOxtK4v7BMIm
-nnFlDQVTPG8zO/OIzWcw9nyPAlie/+l4EOWzYglBAoGBAKAQCfvT7QcpKtqfZiX5
-xMXOGhqnaW5b9FAH2wL6mNk9oyDdJNuVqGuyR9uPqlItmZIPwHPcJNYziwS1m8U0
-stArqaxkOKhQZW9gckBZ7ns5JfPm1Xb32GvCOqUOrgeEVFVIUbSiHs2aed0eDo3R
-oflH7j08gbqU0VGZYfUwUuzt
------END PRIVATE KEY-----

tests/uki_test.go

@@ -1,7 +1,9 @@
 package mos_test
 
 import (
+	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -28,6 +30,12 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() {
 	})
 
 	AfterEach(func() {
+		if CurrentSpecReport().Failed() {
+			serial, _ := os.ReadFile(filepath.Join(vm.StateDir, "serial.log"))
+			_ = os.MkdirAll("logs", os.ModePerm|os.ModeDir)
+			_ = os.WriteFile(filepath.Join("logs", "serial.log"), serial, os.ModePerm)
+			fmt.Println(string(serial))
+		}
 		if CurrentSpecReport().Failed() {
 			gatherLogs(vm)
 		}