From 7daf9d3b60563a52ede61ed8e195b778359b99b5 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 7 Nov 2025 08:47:19 -0500
Subject: [PATCH 1/2] composefs-boot: Retain SHA512 type

Motivated by increased type safety.

Signed-off-by: Colin Walters
---
 crates/lib/src/bootc_composefs/boot.rs | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/crates/lib/src/bootc_composefs/boot.rs b/crates/lib/src/bootc_composefs/boot.rs
index 9db1fd8e0..94d617f72 100644
--- a/crates/lib/src/bootc_composefs/boot.rs
+++ b/crates/lib/src/bootc_composefs/boot.rs
@@ -588,7 +588,7 @@ fn write_pe_to_esp(
     file: &RegularFile,
     file_path: &Utf8Path,
     pe_type: PEType,
-    uki_id: &String,
+    uki_id: &Sha512HashValue,
     is_insecure_from_opts: bool,
     mounted_efi: impl AsRef,
     bootloader: &Bootloader,
@@ -619,7 +619,7 @@ fn write_pe_to_esp(
         _ => { /* no-op */ }
     }
 
-    if composefs_cmdline.to_hex() != *uki_id {
+    if composefs_cmdline != *uki_id {
         anyhow::bail!(
             "The UKI has the wrong composefs= parameter (is '{composefs_cmdline:?}', should be {uki_id:?})"
         );
@@ -648,7 +648,7 @@ fn write_pe_to_esp(
         Some(parent) => {
             let renamed_path = match parent.as_str().ends_with(EFI_ADDON_DIR_EXT) {
                 true => {
-                    let dir_name = format!("{}{}", uki_id, EFI_ADDON_DIR_EXT);
+                    let dir_name = format!("{}{}", uki_id.to_hex(), EFI_ADDON_DIR_EXT);
 
                     parent
                         .parent()
@@ -672,7 +672,7 @@ fn write_pe_to_esp(
         .with_context(|| format!("Opening {final_pe_path:?}"))?;
 
     let pe_name = match pe_type {
-        PEType::Uki => &format!("{}{}", uki_id, EFI_EXT),
+        PEType::Uki => &format!("{}{}", uki_id.to_hex(), EFI_EXT),
         PEType::UkiAddon => file_path
             .components()
             .last()
@@ -932,7 +932,7 @@ pub(crate) fn setup_composefs_uki_boot(
         &entry.file,
         utf8_file_path,
         entry.pe_type,
-        &id.to_hex(),
+        &id,
         is_insecure_from_opts,
         esp_mount.dir.path(),
         &bootloader,

From 46f6dbf9938e04536ec576c17d649b88df7eb167 Mon Sep 17 00:00:00 2001
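Review bot: In the `@@ -619` hunk the bail message now prints both operands with `{:?}`, and since `uki_id` is no longer a `String` that is the `Debug` form of `Sha512HashValue` rather than the hex text an operator sees in the `composefs=` kernel argument; unless that type's `Debug` impl already renders hex, the mismatch message becomes hard to compare against the actual command line. Consider formatting both sides through the same encoding, e.g. `"... (is '{}', should be {})", composefs_cmdline.to_hex(), uki_id.to_hex()`, so the error is directly actionable. The typed comparison `composefs_cmdline != *uki_id` itself is a good change, since it can no longer be satisfied by a differently-cased or truncated hex string. `write_pe_to_esp` starts and ends outside the hunk.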
From: Colin Walters
Date: Fri, 7 Nov 2025 09:38:34 -0500
Subject: [PATCH 2/2] cfs: Hard error on external kargs with UKIs

I thought about this with the cloud-init disablement for now with bcvk. It already works to just not enable `cloud-init.target` which we were already doing.

Signed-off-by: Colin Walters
---
 crates/lib/src/bootc_composefs/boot.rs |  6 +-----
 crates/lib/src/install.rs              | 14 ++++++++++++++
 crates/xtask/src/xtask.rs              |  3 ---
 hack/Containerfile                     |  4 +---
 hack/Containerfile.packit              |  2 +-
 hack/provision-derived.sh              | 19 ++++++++++++-------
 6 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/crates/lib/src/bootc_composefs/boot.rs b/crates/lib/src/bootc_composefs/boot.rs
index 94d617f72..d00908598 100644
--- a/crates/lib/src/bootc_composefs/boot.rs
+++ b/crates/lib/src/bootc_composefs/boot.rs
@@ -856,11 +856,7 @@ pub(crate) fn setup_composefs_uki_boot(
 ) -> Result<()> {
     let (root_path, esp_device, bootloader, is_insecure_from_opts, uki_addons) = match setup_type {
         BootSetupType::Setup((root_setup, state, ..)) => {
-            if let Some(v) = &state.config_opts.karg {
-                if v.len() > 0 {
-                    tracing::warn!("kargs passed for UKI will be ignored");
-                }
-            }
+            state.require_no_kargs_for_uki()?;
 
             let esp_part = esp_in(&root_setup.device_info)?;
 
diff --git a/crates/lib/src/install.rs b/crates/lib/src/install.rs
index 65a223b81..112331819 100644
--- a/crates/lib/src/install.rs
+++ b/crates/lib/src/install.rs
@@ -523,6 +523,20 @@ impl State {
         Ok(())
     }
 
+    /// Return an error if kernel arguments are provided, intended to be used for UKI paths
+    pub(crate) fn require_no_kargs_for_uki(&self) -> Result<()> {
+        if self
+            .config_opts
+            .karg
+            .as_ref()
+            .map(|v| !v.is_empty())
+            .unwrap_or_default()
+        {
+            anyhow::bail!("Cannot use externally specified kernel arguments with UKI");
+        }
+        Ok(())
+    }
+
     fn stateroot(&self) -> &str {
         self.config_opts
             .stateroot
diff --git a/crates/xtask/src/xtask.rs b/crates/xtask/src/xtask.rs
index 817b64148..b9809e012 100644
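Review bot: `state.require_no_kargs_for_uki()?` in the `@@ -856` hunk runs inside the `BootSetupType::Setup` arm of `setup_composefs_uki_boot`, which already holds a prepared `root_setup`; if this point is reached after the target disk has been partitioned and populated, the new hard error aborts the install late and leaves partial state behind, where the old warning at least let it complete. If the kargs option is known at option-parsing time, validating it there (and keeping this call as a defence-in-depth check) would fail before any destructive step. I can't see from the hunk whether the other `setup_type` arms can also carry kargs; if they can, they need the same check or they silently keep the old ignore behaviour. `setup_composefs_uki_boot` starts and ends outside the hunk.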
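Review bot: The new `require_no_kargs_for_uki` in the `@@ -523` hunk spells the "non-empty karg list" test as `.as_ref().map(|v| !v.is_empty()).unwrap_or_default()`; `if self.config_opts.karg.as_ref().is_some_and(|v| !v.is_empty())` states the intent directly (it needs Rust 1.70, so check the crate's MSRV before switching). The doc comment should also say why the error exists so a later reader doesn't relax it back to a warning: `/// Fail if external kernel arguments were requested: with a UKI the command line comes from the signed image, so arguments supplied here would be silently ignored (see the previous warning this replaces).` The bail text could carry the same hint, since it is all the user sees. The enclosing `impl State` block starts and ends outside the hunk.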
--- a/crates/xtask/src/xtask.rs
+++ b/crates/xtask/src/xtask.rs
@@ -531,9 +531,6 @@ fn check_dependencies(sh: &Shell) -> Result<()> {
 }
 
 const COMMON_INST_ARGS: &[&str] = &[
-    // We don't use cloud-init with bcvk right now, but it needs to be there for
-    // testing-farm+tmt
-    "--karg=ds=iid-datasource-none",
     // TODO: Pass down the Secure Boot keys for tests if present
     "--firmware=uefi-insecure",
     "--label=bootc.test=1",
diff --git a/hack/Containerfile b/hack/Containerfile
index 0f46ffee1..ea24df36f 100644
--- a/hack/Containerfile
+++ b/hack/Containerfile
@@ -9,13 +9,11 @@ COPY . /
 
 # An intermediate layer which caches the extended RPMS
 FROM localhost/bootc as extended
-# We support e.g. adding cloud-init
-ARG variant=
 
 # And this layer has additional stuff for testing, such as nushell etc.
 RUN --mount=type=bind,from=context,target=/run/context <&2; exit 1 ;;
+esac
+
 # Ensure this is pre-created
 mkdir -p -m 0700 /var/roothome
 mkdir -p ~/.config/nushell
@@ -39,25 +46,23 @@ esac
 # Extra packages we install
 grep -Ev -e '^#' packages.txt | xargs dnf -y install
-dnf clean all
 
 # Cloud bits
 cat <> /usr/lib/bootc/kargs.d/20-console.toml
 kargs = ["console=ttyS0,115200n8"]
 KARGEOF
 
-# And cloud-init stuff, unless we're doing a UKI which is always
-# tested with bcvk
-if test '!' -d /boot/EFI; then
+if test $cloudinit = 1; then
+    dnf -y install cloud-init
     ln -s ../cloud-init.target /usr/lib/systemd/system/default.target.wants
-fi
-
-# Allow root SSH login for testing with bcvk/tmt
+    # Allow root SSH login for testing with bcvk/tmt
 mkdir -p /etc/cloud/cloud.cfg.d
 cat > /etc/cloud/cloud.cfg.d/80-enable-root.cfg <<'CLOUDEOF'
 # Enable root login for testing
 disable_root: false
 CLOUDEOF
+fi
+dnf clean all
 
 # Stock extra cleaning of logs and caches in general (mostly dnf)
 rm /var/log/* /var/cache /var/lib/{dnf,rpm-state,rhsm} -rf
 # And clean root's homedir
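Review bot: `if test $cloudinit = 1; then` in the `hack/provision-derived.sh` hunk leaves `$cloudinit` unquoted, so if the variable is unset or empty (its assignment is presumably in the `case` block that ends at `+esac` in the preceding hunk, which is not fully visible here) the test degenerates to `test = 1`, which reports a unary-operator error and skips the branch rather than making a clear decision; `if test "${cloudinit:-0}" = 1; then` fails closed and survives `set -u`. Since this branch is now the only place that installs cloud-init and writes `80-enable-root.cfg` with `disable_root: false`, a one-line comment above the `if`, e.g. `# Test images only: cloud-init plus root login are enabled together, never in the UKI variant`, would make the scope of that root-login relaxation explicit. The `cat <> ...` line in the same hunk appears to be an extraction artifact of a heredoc and is not a code defect.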