Various composefs work

.github/actions/bootc-ubuntu-setup/action.yml

@@ -25,22 +25,22 @@ runs:
     - name: Free up disk space on runner
       shell: bash
       run: |
+        set -xeuo pipefail
         sudo df -h
         unwanted=('^aspnetcore-.*' '^dotnet-.*' '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*'
                   azure-cli google-chrome-stable firefox mono-devel)
         for x in ${unwanted[@]}; do
-          sudo apt-get remove -y $x > /dev/null
+          sudo apt-get remove -y $x
         done
         # Start other removal operations in parallel
-        sudo docker image prune --all --force > /dev/null &
-        sudo rm -rf /usr/share/dotnet /opt/ghc /usr/local/lib/android &
-        # Wait for all background processes to complete
-        wait
+        sudo docker image prune --all --force
+        sudo rm -rf /usr/share/dotnet /opt/ghc /usr/local/lib/android
         sudo df -h
     # This is the default on e.g. Fedora derivatives, but not Debian
     - name: Enable unprivileged /dev/kvm access
       shell: bash
       run: |
+        set -xeuo pipefail
         echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
         sudo udevadm control --reload-rules
         sudo udevadm trigger --name-match=kvm
@@ -65,5 +65,17 @@ runs:
       if: ${{ inputs.libvirt == 'true' }}
       shell: bash
       run: |
-        set -eux
-        sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm qemu-utils libvirt-daemon-system
+        set -xeuo pipefail
+        sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm virtiofsd libvirt-daemon-system
+        # Something in the stack is overriding this, but we want session right now for bcvk
+        echo LIBVIRT_DEFAULT_URI=qemu:///session >> $GITHUB_ENV
+        td=$(mktemp -d)
+        cd $td
+        # Install bcvk
+        curl -LO https://github.com/bootc-dev/bcvk/releases/download/v0.5.1/bcvk-x86_64-unknown-linux-gnu.tar.gz
+        echo '1c9bb9e2b1e39d64c93b847350dd028832da27e7f7b0296b14ebfc2fb66b5c2c  bcvk-x86_64-unknown-linux-gnu.tar.gz' > sums
+        sha256sum -c sums
+        tar zxvf bcvk*.tar.gz
+        sudo install -T bcvk-$(arch)-*linux-gnu /usr/bin/bcvk
+        cd -
+        rm -rf "$td"

.github/workflows/ci.yml

@@ -19,6 +19,9 @@ on:
 
 env:
   CARGO_TERM_COLOR: always
+  # Something seems to be setting this in the default GHA runners, which breaks bcvk
+  # as the default runner user doesn't have access
+  LIBVIRT_DEFAULT_URI: "qemu:///session"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -189,3 +192,29 @@ jobs:
         with:
           name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ env.ARCH }}-${{ matrix.tmt_plan }}
           path: /var/tmp/tmt
+  # This variant does composefs testing
+  test-integration-cfs:
+    strategy:
+      fail-fast: false
+      matrix:
+        test_os: [centos-10]
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bootc Ubuntu Setup
+        uses: ./.github/actions/bootc-ubuntu-setup
+        with:
+          libvirt: true
+
+      - name: Build container
+        run: just build-sealed
+
+      - name: Setup upterm session
+        uses: owenthereal/action-upterm@v1
+        with:
+          limit-access-to-users: cgwalters
+
+      - name: Test
+        run: just test-composefs

Dockerfile.cfsuki

@@ -0,0 +1,70 @@
+# Override via --build-arg=base=<image> to use a different base
+ARG base=localhost/bootc
+# This is where we get the tools to build the UKI
+ARG buildroot=quay.io/fedora/fedora:42
+FROM $base AS base
+
+FROM $buildroot as buildroot-base
+RUN <<EORUN
+set -xeuo pipefail
+dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
+dnf clean all
+EORUN
+
+FROM buildroot-base as kernel
+# Must be passed
+ARG COMPOSEFS_FSVERITY
+RUN --mount=type=secret,id=key \
+    --mount=type=secret,id=cert \
+    --mount=type=bind,from=base,target=/target \
+     <<EOF
+    set -eux
+
+    # Should be generated externally
+    test -n "${COMPOSEFS_FSVERITY}"
+
+    # Inject the composefs kernel argument and specify a root with the x86_64 DPS UUID.
+    # TODO: Discoverable partition fleshed out, or drop root UUID as systemd-stub extension
+    # TODO: https://github.com/containers/composefs-rs/issues/183
+    cmdline="composefs=${COMPOSEFS_FSVERITY} root=UUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709 console=ttyS0,114800n8 enforcing=0 rw"
+
+    kver=$(cd /target/usr/lib/modules && echo *)
+    ukify build \
+        --linux "/target/usr/lib/modules/$kver/vmlinuz" \
+        --initrd "/target/usr/lib/modules/$kver/initramfs.img" \
+        --uname="${kver}" \
+        --cmdline "${cmdline}" \
+        --os-release "@/target/usr/lib/os-release" \
+        --signtool sbsign \
+        --secureboot-private-key "/run/secrets/key" \
+        --secureboot-certificate "/run/secrets/cert" \
+        --measure \
+        --json pretty \
+        --output "/boot/$kver.efi"
+    sbsign \
+        --key "/run/secrets/key" \
+        --cert "/run/secrets/cert" \
+        "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
+        --output "/boot/systemd-bootx64.efi"
+EOF
+
+FROM base as final
+
+RUN --mount=type=bind,from=kernel,target=/run/kernel <<EOF
+    kver=$(cd /usr/lib/modules && echo *)
+    mkdir -p /boot/EFI/Linux
+    # We put the UKI in /boot for now due to composefs verity not being the
+    # same due to mtime of /usr/lib/modules being changed
+    target=/boot/EFI/Linux/$kver.efi
+    cp /run/kernel/boot/$kver.efi $target
+    # And remove the defaults
+    rm -v /usr/lib/modules/${kver}/{vmlinuz,initramfs.img}
+    # Symlink into the /usr/lib/modules location
+    ln -sr $target /usr/lib/modules/${kver}/$(basename $kver.efi)
+    bootc container lint --fatal-warnings
+EOF
+
+FROM base as final-final
+COPY --from=final /boot /boot
+# Override the default
+LABEL containers.bootc=sealed

Justfile

@@ -13,12 +13,21 @@
 build *ARGS:
     podman build --jobs=4 -t localhost/bootc {{ARGS}} .
 
+# Build a sealed image from current sources. This will default to
+# generating Secure Boot keys in target/test-secureboot.
+build-sealed *ARGS:
+    podman build --jobs=4 -t localhost/bootc-unsealed {{ARGS}} .
+    ./tests/build-sealed localhost/bootc-unsealed localhost/bootc
+
 # This container image has additional testing content and utilities
 build-integration-test-image *ARGS:
     cd hack && podman build --jobs=4 -t localhost/bootc-integration -f Containerfile {{ARGS}} .
     # Keep these in sync with what's used in hack/lbi
     podman pull -q --retry 5 --retry-delay 5s quay.io/curl/curl:latest quay.io/curl/curl-base:latest registry.access.redhat.com/ubi9/podman:latest
 
+test-composefs: build-sealed
+    cargo run --release -p tests-integration -- composefs-bcvk localhost/bootc
+
 # Only used by ci.yml right now
 build-install-test-image: build-integration-test-image
     cd hack && podman build -t localhost/bootc-integration-install -f Containerfile.drop-lbis

Makefile

@@ -107,7 +107,6 @@ validate:
 	cargo test --no-run
 	(cd crates/ostree-ext && cargo check --no-default-features)
 	(cd crates/lib && cargo check --no-default-features)
-	cargo check --features=composefs-backend
 	cargo clippy -- $(CLIPPY_CONFIG)
 	env RUSTDOCFLAGS='-D warnings' cargo doc --lib
 .PHONY: validate

crates/initramfs/src/lib.rs

@@ -22,7 +22,7 @@ use rustix::{
 use serde::Deserialize;
 
 use composefs::{
-    fsverity::{FsVerityHashValue, Sha256HashValue},
+    fsverity::{FsVerityHashValue, Sha512HashValue},
     mount::FsHandle,
     mountcompat::{overlayfs_set_fd, overlayfs_set_lower_and_data_fds, prepare_mount},
     repository::Repository,
@@ -207,7 +207,7 @@ fn open_root_fs(path: &Path) -> Result<OwnedFd> {
 /// * insecure - Whether fsverity is optional or not
 #[context("Mounting composefs image")]
 pub fn mount_composefs_image(sysroot: &OwnedFd, name: &str, insecure: bool) -> Result<OwnedFd> {
-    let mut repo = Repository::<Sha256HashValue>::open_path(sysroot, "composefs")?;
+    let mut repo = Repository::<Sha512HashValue>::open_path(sysroot, "composefs")?;
     repo.set_insecure(insecure);
     repo.mount(name).context("Failed to mount composefs image")
 }
@@ -282,7 +282,7 @@ pub fn setup_root(args: Args) -> Result<()> {
         // TODO: Deduplicate this with composefs branch karg parser
         None => &std::fs::read_to_string("/proc/cmdline")?,
     };
-    let (image, insecure) = get_cmdline_composefs::<Sha256HashValue>(cmdline)?;
+    let (image, insecure) = get_cmdline_composefs::<Sha512HashValue>(cmdline)?;
 
     let new_root = match args.root_fs {
         Some(path) => open_root_fs(&path).context("Failed to clone specified root fs")?,

crates/lib/Cargo.toml

@@ -73,7 +73,7 @@ similar-asserts = { workspace = true }
 static_assertions = { workspace = true }
 
 [features]
-default = ["install-to-disk"]
+default = ["install-to-disk", "composefs-backend"]
 # This feature enables `bootc install to-disk`, which is considered just a "demo"
 # or reference installer; we expect most nontrivial use cases to be using
 # `bootc install to-filesystem`.