Various composefs enhancements

- Change the install logic to detect UKIs and automatically
  enable composefs
- Change the install logic to detect absence of bootupd
  and default to installing systemd-boot
- Move sealing bits to the toplevel
- Add Justfile entrypoints
- Add basic end-to-end CI coverage (install + run) using
  our integration tests
- Change lints to ignore `/boot/EFI`

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

.github/workflows/ci.yml

@@ -192,3 +192,24 @@ jobs:
         with:
           name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ env.ARCH }}-${{ matrix.tmt_plan }}
           path: /var/tmp/tmt
+  # This variant does composefs testing
+  test-integration-cfs:
+    strategy:
+      fail-fast: false
+      matrix:
+        test_os: [centos-10]
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bootc Ubuntu Setup
+        uses: ./.github/actions/bootc-ubuntu-setup
+        with:
+          libvirt: true
+
+      - name: Build container
+        run: just build-sealed
+
+      - name: Test
+        run: just test-composefs

Cargo.lock

@@ -91,11 +91,21 @@ RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/rooth
 
 # The final image that derives from the original base and adds the release binaries
 FROM base
+# Set this to 1 to default to systemd-boot
+ARG sdboot=0
 RUN <<EORUN
 set -xeuo pipefail
 # Ensure we've flushed out prior state (i.e. files no longer shipped from the old version);
 # and yes, we may need to go to building an RPM in this Dockerfile by default.
 rm -vf /usr/lib/systemd/system/multi-user.target.wants/bootc-*
+if test "$sdboot" = 1; then
+  dnf -y install systemd-boot-unsigned
+  # And uninstall bootupd
+  rpm -e bootupd
+  rm /usr/lib/bootupd/updates -rf
+  dnf clean all
+  rm -rf /var/cache /var/lib/{dnf,rhsm} /var/log/*
+fi
 EORUN
 # Create a layer that is our new binaries
 COPY --from=build /out/ /

Dockerfile

@@ -0,0 +1,73 @@
+# Override via --build-arg=base=<image> to use a different base
+ARG base=localhost/bootc
+# This is where we get the tools to build the UKI
+ARG buildroot=quay.io/fedora/fedora:42
+FROM $base AS base
+
+FROM $buildroot as buildroot-base
+RUN <<EORUN
+set -xeuo pipefail
+dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
+dnf clean all
+EORUN
+
+FROM buildroot-base as kernel
+# Must be passed
+ARG COMPOSEFS_FSVERITY
+RUN --mount=type=secret,id=key \
+    --mount=type=secret,id=cert \
+    --mount=type=bind,from=base,target=/target \
+     <<EOF
+    set -eux
+
+    # Should be generated externally
+    test -n "${COMPOSEFS_FSVERITY}"
+
+    # Inject the composefs kernel argument and specify a root with the x86_64 DPS UUID.
+    # TODO: Discoverable partition fleshed out, or drop root UUID as systemd-stub extension
+    # TODO: https://github.com/containers/composefs-rs/issues/183
+    cmdline="composefs=${COMPOSEFS_FSVERITY} root=UUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709 console=ttyS0,114800n8 enforcing=0 rw"
+
+    kver=$(cd /target/usr/lib/modules && echo *)
+    ukify build \
+        --linux "/target/usr/lib/modules/$kver/vmlinuz" \
+        --initrd "/target/usr/lib/modules/$kver/initramfs.img" \
+        --uname="${kver}" \
+        --cmdline "${cmdline}" \
+        --os-release "@/target/usr/lib/os-release" \
+        --signtool sbsign \
+        --secureboot-private-key "/run/secrets/key" \
+        --secureboot-certificate "/run/secrets/cert" \
+        --measure \
+        --json pretty \
+        --output "/boot/$kver.efi"
+    # Sign systemd-boot as well
+    sdboot="/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
+    sbsign \
+        --key "/run/secrets/key" \
+        --cert "/run/secrets/cert" \
+        "${sdboot}"
+    mv "${sdboot}.signed" "${sdboot}"
+EOF
+
+FROM base as final
+
+RUN --mount=type=bind,from=kernel,target=/run/kernel <<EOF
+set -xeuo pipefail
+kver=$(cd /usr/lib/modules && echo *)
+mkdir -p /boot/EFI/Linux
+# We put the UKI in /boot for now due to composefs verity not being the
+# same due to mtime of /usr/lib/modules being changed
+target=/boot/EFI/Linux/$kver.efi
+cp /run/kernel/boot/$kver.efi $target
+# And remove the defaults
+rm -v /usr/lib/modules/${kver}/{vmlinuz,initramfs.img}
+# Symlink into the /usr/lib/modules location
+ln -sr $target /usr/lib/modules/${kver}/$(basename $kver.efi)
+bootc container lint --fatal-warnings
+EOF
+
+FROM base as final-final
+COPY --from=final /boot /boot
+# Override the default
+LABEL containers.bootc=sealed

Dockerfile.cfsuki

@@ -13,12 +13,21 @@
 build *ARGS:
     podman build --jobs=4 -t localhost/bootc {{ARGS}} .
 
+# Build a sealed image from current sources. This will default to
+# generating Secure Boot keys in target/test-secureboot.
+build-sealed *ARGS:
+    podman build --build-arg=sdboot=1 --jobs=4 -t localhost/bootc-unsealed {{ARGS}} .
+    ./tests/build-sealed localhost/bootc-unsealed localhost/bootc
+
 # This container image has additional testing content and utilities
 build-integration-test-image *ARGS:
     cd hack && podman build --jobs=4 -t localhost/bootc-integration -f Containerfile {{ARGS}} .
     # Keep these in sync with what's used in hack/lbi
     podman pull -q --retry 5 --retry-delay 5s quay.io/curl/curl:latest quay.io/curl/curl-base:latest registry.access.redhat.com/ubi9/podman:latest
 
+test-composefs: build-sealed
+    cargo run --release -p tests-integration -- composefs-bcvk localhost/bootc
+
 # Only used by ci.yml right now
 build-install-test-image: build-integration-test-image
     cd hack && podman build -t localhost/bootc-integration-install -f Containerfile.drop-lbis

Justfile

@@ -29,20 +29,23 @@ use rustix::path::Arg;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
-use crate::bootc_composefs::state::{get_booted_bls, write_composefs_state};
 use crate::bootc_composefs::status::get_sorted_uki_boot_entries;
 use crate::composefs_consts::{TYPE1_ENT_PATH, TYPE1_ENT_PATH_STAGED};
 use crate::parsers::bls_config::{BLSConfig, BLSConfigType};
 use crate::parsers::grub_menuconfig::MenuEntry;
 use crate::spec::ImageReference;
 use crate::task::Task;
 use crate::{bootc_composefs::repo::open_composefs_repo, store::ComposefsFilesystem};
+use crate::{
+    bootc_composefs::state::{get_booted_bls, write_composefs_state},
+    bootloader::esp_in,
+};
 use crate::{
     composefs_consts::{
         BOOT_LOADER_ENTRIES, COMPOSEFS_CMDLINE, ORIGIN_KEY_BOOT, ORIGIN_KEY_BOOT_DIGEST,
         STAGED_BOOT_LOADER_ENTRIES, STATE_DIR_ABS, USER_CFG, USER_CFG_STAGED,
     },
-    install::{dps_uuid::DPS_UUID, ESP_GUID, RW_KARG},
+    install::{dps_uuid::DPS_UUID, RW_KARG},
     spec::{Bootloader, Host},
 };
 
@@ -51,7 +54,7 @@ use crate::install::{RootSetup, State};
 /// Contains the EFP's filesystem UUID. Used by grub
 pub(crate) const EFI_UUID_FILE: &str = "efiuuid.cfg";
 /// The EFI Linux directory
-const EFI_LINUX: &str = "EFI/Linux";
+pub(crate) const EFI_LINUX: &str = "EFI/Linux";
 
 /// Timeout for systemd-boot bootloader menu
 const SYSTEMD_TIMEOUT: &str = "timeout 5";
@@ -126,15 +129,31 @@ fi
     )
 }
 
+/// Returns `true` if detect the target rootfs carries a UKI.
+pub(crate) fn container_root_has_uki(root: &Dir) -> Result<bool> {
+    let Some(boot) = root.open_dir_optional(crate::install::BOOT)? else {
+        return Ok(false);
+    };
+    let Some(efi_linux) = boot.open_dir_optional(EFI_LINUX)? else {
+        return Ok(false);
+    };
+    for entry in efi_linux.entries()? {
+        let entry = entry?;
+        let name = entry.file_name();
+        let name = Path::new(&name);
+        let extension = name.extension().and_then(|v| v.to_str());
+        if extension == Some("efi") {
+            return Ok(true);
+        }
+    }
+    Ok(false)
+}
+
 pub fn get_esp_partition(device: &str) -> Result<(String, Option<String>)> {
     let device_info = bootc_blockdev::partitions_of(Utf8Path::new(device))?;
-    let esp = device_info
-        .partitions
-        .into_iter()
-        .find(|p| p.parttype.as_str() == ESP_GUID)
-        .ok_or(anyhow::anyhow!("ESP not found for device: {device}"))?;
+    let esp = crate::bootloader::esp_in(&device_info)?;
 
-    Ok((esp.node, esp.uuid))
+    Ok((esp.node.clone(), esp.uuid.clone()))
 }
 
 pub fn get_sysroot_parent_dev() -> Result<String> {
@@ -360,23 +379,14 @@ pub(crate) fn setup_composefs_bls_boot(
             };
 
             // Locate ESP partition device
-            let esp_part = root_setup
-                .device_info
-                .partitions
-                .iter()
-                .find(|p| p.parttype.as_str() == ESP_GUID)
-                .ok_or_else(|| anyhow::anyhow!("ESP partition not found"))?;
+            let esp_part = esp_in(&root_setup.device_info)?;
 
             (
                 root_setup.physical_root_path.clone(),
                 esp_part.node.clone(),
                 cmdline_options,
                 fs,
-                state
-                    .composefs_options
-                    .as_ref()
-                    .map(|opts| opts.bootloader.clone())
-                    .unwrap_or(Bootloader::default()),
+                state.detected_bootloader.clone(),
             )
         }
 
@@ -829,17 +839,12 @@ pub(crate) fn setup_composefs_uki_boot(
                 anyhow::bail!("ComposeFS options not found");
             };
 
-            let esp_part = root_setup
-                .device_info
-                .partitions
-                .iter()
-                .find(|p| p.parttype.as_str() == ESP_GUID)
-                .ok_or_else(|| anyhow!("ESP partition not found"))?;
+            let esp_part = esp_in(&root_setup.device_info)?;
 
             (
                 root_setup.physical_root_path.clone(),
                 esp_part.node.clone(),
-                cfs_opts.bootloader.clone(),
+                state.detected_bootloader.clone(),
                 cfs_opts.insecure,
                 cfs_opts.uki_addon.as_ref(),
             )
@@ -944,13 +949,20 @@ pub(crate) fn setup_composefs_boot(
     if cfg!(target_arch = "s390x") {
         // TODO: Integrate s390x support into install_via_bootupd
         crate::bootloader::install_via_zipl(&root_setup.device_info, boot_uuid)?;
-    } else {
+    } else if state.detected_bootloader == Bootloader::Grub {
         crate::bootloader::install_via_bootupd(
             &root_setup.device_info,
             &root_setup.physical_root_path,
             &state.config_opts,
             None,
         )?;
+    } else {
+        crate::bootloader::install_systemd_boot(
+            &root_setup.device_info,
+            &root_setup.physical_root_path,
+            &state.config_opts,
+            None,
+        )?;
     }
 
     let repo = open_composefs_repo(&root_setup.physical_root)?;
@@ -1001,3 +1013,34 @@ pub(crate) fn setup_composefs_boot(
 
     Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use cap_std_ext::cap_std;
+
+    #[test]
+    fn test_root_has_uki() -> Result<()> {
+        // Test case 1: No boot directory
+        let tempdir = cap_std_ext::cap_tempfile::tempdir(cap_std::ambient_authority())?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 2: boot directory exists but no EFI/Linux
+        tempdir.create_dir(crate::install::BOOT)?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 3: boot/EFI/Linux exists but no .efi files
+        tempdir.create_dir_all("boot/EFI/Linux")?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 4: boot/EFI/Linux exists with non-.efi file
+        tempdir.atomic_write("boot/EFI/Linux/readme.txt", b"some file")?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 5: boot/EFI/Linux exists with .efi file
+        tempdir.atomic_write("boot/EFI/Linux/bootx64.efi", b"fake efi binary")?;
+        assert_eq!(container_root_has_uki(&tempdir)?, true);
+
+        Ok(())
+    }
+}