Skip to content

add support for key autoenroll to sdboot #1818

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

add support for key autoenroll to sdboot #1818

wants to merge 6 commits into from

Conversation

@gerblesh
Copy link

@gerblesh gerblesh commented Dec 2, 2025

add autoenroll to sdboot

installs .auth files from /usr/lib/bootc/keys into ESP/loader/keys/auto. Currently uses cfs file APIs and is a little rough. Not sure if this should be in composefs-boot rather than bootc. The directory /usr/lib/bootc/keys probably isn't the best choice although at least it means that the auth files are "measured" when the cfs digest is taken.

Note that this is missing some of the bits from CI for this to be properly tested. I will try to get that done when I can though

add support for key autoenroll to sdboot
1de5f0f 
Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>

add autoenroll to sdboot

Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>

asdf

Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>
@bootc-bot bootc-bot bot requested a review from jmarrero December 2, 2025 02:20
@gerblesh gerblesh mentioned this pull request Dec 2, 2025
Open
gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 2, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds support for auto-enrolling Secure Boot keys for sd-boot from .auth files located in /usr/lib/bootc/keys within a composefs image. The changes look good overall. My review includes a suggestion to make the key discovery process more robust by handling cases where the keys directory does not exist, and a minor performance improvement to avoid an unnecessary allocation within a loop.

Johan-Liebert1
Johan-Liebert1 reviewed Dec 2, 2025
View reviewed changes
cleanup
d8a145d 
Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>
Gareth Widlansky added 4 commits December 2, 2025 13:32
don't expect /usr/lib/bootc/keys to exist
f20ccd0 
Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>
remove comment
64ef4c4 
Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>
don't use ambient authority
16ba8ca 
Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>
use option rather than an enum
7825e03 
Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Johan-Liebert1 Johan-Liebert1 Johan-Liebert1 left review comments

@jmarrero jmarrero Awaiting requested review from jmarrero

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gerblesh @Johan-Liebert1