feat: support systemd-boot ISO enroll keys option

Fixes #8196

Example (profile excerpt):

```yaml
output:
  kind: iso
  isoOptions:
    sdBootEnrollKeys: force
  outFormat: raw
```

Defaults are still same (`if-safe` unless explicitly overridden).

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

hack/release.toml

@@ -49,6 +49,20 @@ machine:
    features:
        localDNS: false
 ```
+"""
+
+    [notes.secureboot-image]
+        title = "Secure Boot Image"
+        description = """\
+Talos Linux now provides a way to configure systemd-boot ISO 'secure-boot-enroll' option while generating a SecureBoot ISO image:
+
+```yaml
+output:
+    kind: iso
+    isoOptions:
+        sdBootEnrollKeys: force # default is still if-safe
+    outFormat: raw
+```
 """
 
     [notes.rsa-service-account]

pkg/imager/iso/loader.conf.tmpl

@@ -0,0 +1,5 @@
+# systemd-boot configuration
+
+timeout 10
+
+secure-boot-enroll {{ .SecureBootEnroll }}

pkg/imager/iso/uefi.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"text/template"
 
 	"github.com/siderolabs/go-cmd/pkg/cmd"
 
@@ -24,6 +25,9 @@ type UEFIOptions struct {
 	UKIPath    string
 	SDBootPath string
 
+	// A value in loader.conf secure-boot-enroll: off, manual, if-safe, force.
+	SDBootSecureBootEnrollKeys string
+
 	// optional, for auto-enrolling secureboot keys
 	PlatformKeyPath    string
 	KeyExchangeKeyPath string
@@ -41,8 +45,8 @@ const (
 	mib = 1024 * 1024
 )
 
-//go:embed loader.conf
-var loaderConfig []byte
+//go:embed loader.conf.tmpl
+var loaderConfigTemplate string
 
 // CreateUEFI creates an iso using a UKI, systemd-boot.
 //
@@ -54,6 +58,8 @@ func CreateUEFI(printf func(string, ...any), options UEFIOptions) error {
 		return err
 	}
 
+	printf("preparing raw image")
+
 	efiBootImg := filepath.Join(options.ScratchDir, "efiboot.img")
 
 	// initial size
@@ -75,6 +81,18 @@ func CreateUEFI(printf func(string, ...any), options UEFIOptions) error {
 		return err
 	}
 
+	printf("preparing loader.conf")
+
+	var loaderConfigOut bytes.Buffer
+
+	if err := template.Must(template.New("loader.conf").Parse(loaderConfigTemplate)).Execute(&loaderConfigOut, struct {
+		SecureBootEnroll string
+	}{
+		SecureBootEnroll: options.SDBootSecureBootEnrollKeys,
+	}); err != nil {
+		return fmt.Errorf("error rendering loader.conf: %w", err)
+	}
+
 	printf("creating vFAT EFI image")
 
 	fopts := []makefs.Option{
@@ -125,7 +143,7 @@ func CreateUEFI(printf func(string, ...any), options UEFIOptions) error {
 	}
 
 	if _, err := cmd.RunContext(
-		cmd.WithStdin(context.Background(), bytes.NewReader(loaderConfig)),
+		cmd.WithStdin(context.Background(), &loaderConfigOut),
 		"mcopy", "-i", efiBootImg, "-", "::loader/loader.conf",
 	); err != nil {
 		return err

pkg/imager/out.go

@@ -20,6 +20,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
 	"github.com/google/go-containerregistry/pkg/v1/types"
+	"github.com/siderolabs/go-pointer"
 	"github.com/siderolabs/go-procfs/procfs"
 
 	"github.com/siderolabs/talos/cmd/installer/pkg/install"
@@ -85,10 +86,14 @@ func (i *Imager) outISO(ctx context.Context, path string, report *reporter.Repor
 	var err error
 
 	if i.prof.SecureBootEnabled() {
+		isoOptions := pointer.SafeDeref(i.prof.Output.ISOOptions)
+
 		options := iso.UEFIOptions{
 			UKIPath:    i.ukiPath,
 			SDBootPath: i.sdBootPath,
 
+			SDBootSecureBootEnrollKeys: isoOptions.SDBootEnrollKeys.String(),
+
 			PlatformKeyPath:    i.prof.Input.SecureBoot.PlatformKeyPath,
 			KeyExchangeKeyPath: i.prof.Input.SecureBoot.KeyExchangeKeyPath,
 			SignatureKeyPath:   i.prof.Input.SecureBoot.SignatureKeyPath,

pkg/imager/profile/default.go

@@ -37,6 +37,9 @@ var Default = map[string]Profile{
 		Output: Output{
 			Kind:      OutKindISO,
 			OutFormat: OutFormatRaw,
+			ISOOptions: &ISOOptions{
+				SDBootEnrollKeys: SDBootEnrollKeysIfSafe,
+			},
 		},
 	},
 	// Metal images

pkg/imager/profile/output.go

@@ -15,6 +15,8 @@ type Output struct {
 	Kind OutputKind `yaml:"kind"`
 	// Options for the 'image' output.
 	ImageOptions *ImageOptions `yaml:"imageOptions,omitempty"`
+	// Options for the 'iso' output.
+	ISOOptions *ISOOptions `yaml:"isoOptions,omitempty"`
 	// OutFormat is the format for the output:
 	//  * raw - output raw file
 	//  * .tar.gz - output tar.gz archive
@@ -37,6 +39,14 @@ type ImageOptions struct {
 	DiskFormatOptions string `yaml:"diskFormatOptions,omitempty"`
 }
 
+// ISOOptions describes options for the 'iso' output.
+type ISOOptions struct {
+	// SDBootEnrollKeys is a value in loader.conf secure-boot-enroll: off, manual, if-safe, force.
+	//
+	// If not set, it defaults to if-safe.
+	SDBootEnrollKeys SDBootEnrollKeys `yaml:"sdBootEnrollKeys"`
+}
+
 //go:generate enumer -type=OutputKind -linecomment -text
 
 // OutputKind is output specification.
@@ -81,3 +91,16 @@ const (
 	DiskFormatVPC                       // vhd
 	DiskFormatOVA                       // ova
 )
+
+//go:generate enumer -type SDBootEnrollKeys -linecomment -text
+
+// SDBootEnrollKeys is a value in loader.conf secure-boot-enroll: off, manual, if-safe, force.
+type SDBootEnrollKeys int
+
+// SDBootEnrollKeys values.
+const (
+	SDBootEnrollKeysIfSafe SDBootEnrollKeys = iota // if-safe
+	SDBootEnrollKeysManual                         // manual
+	SDBootEnrollKeysForce                          // force
+	SDBootEnrollKeysOff                            // off
+)