Fix systemd-boot signing on sealed image test

Gareth Widlansky · Gareth Widlansky · commit 2c3856f7bcb9 · 2025-12-01T11:22:32.000-05:00
Signed-off-by: Gareth Widlansky &lt;gareth.widlansky@proton.me&gt;
diff --git a/Dockerfile.cfsuki b/Dockerfile.cfsuki
@@ -2,6 +2,7 @@
 ARG base=localhost/bootc
 # This is where we get the tools to build the UKI
 ARG buildroot=quay.io/centos/centos:stream10
+
 FROM $base AS base
 
 FROM $buildroot as buildroot-base
@@ -12,7 +13,7 @@ set -xeuo pipefail
 # is used by ukify as invoked with the `--measure` flag below.  Not
 # strictly required, but nice to have the measured PCR values in the
 # output.
-dnf install -y systemd-ukify systemd-udev pesign openssl systemd-boot-unsigned
+dnf install -y systemd-ukify systemd-udev pesign openssl
 dnf clean all
 EORUN
 
@@ -50,19 +51,9 @@ RUN --mount=type=secret,id=key \
         --measure \
         --json pretty \
         --output "/boot/$kver.efi"
-    # Sign systemd-boot as well
-    sdboot="/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
-    pesign \
-        --certdir "pesign" \
-        --certificate "${subject}" \
-        --in "${sdboot}" \
-        --out "${sdboot}.signed" \
-        --sign
-    mv "${sdboot}.signed" "${sdboot}"
 EOF
 
 FROM base as final
-
 RUN --mount=type=bind,from=kernel,target=/run/kernel <<EOF
 set -xeuo pipefail
 kver=$(cd /usr/lib/modules && echo *)
@@ -75,7 +66,7 @@ cp /run/kernel/boot/$kver.efi $target
 rm -v /usr/lib/modules/${kver}/{vmlinuz,initramfs.img}
 # Symlink into the /usr/lib/modules location
 ln -sr $target /usr/lib/modules/${kver}/$(basename $kver.efi)
-bootc container lint --fatal-warnings
+bootc container lint # --fatal-warnings no fatal warning
 EOF
 
 FROM base as final-final
diff --git a/Dockerfile.sdboot b/Dockerfile.sdboot
@@ -0,0 +1,50 @@
+# Override via --build-arg=base=<image> to use a different base
+ARG base=localhost/bootc
+# Image to sign systemd-boot first, BEFORE, installing onto the image
+ARG buildroot=quay.io/centos/centos:stream10
+
+FROM $base AS base-unsigned
+
+FROM $buildroot as buildroot-base
+RUN <<EORUN
+set -xeuo pipefail
+dnf install -y pesign openssl
+dnf clean all
+EORUN
+
+
+FROM buildroot-base as kernel
+# Sign sdboot and put it on the target first
+RUN --mount=type=secret,id=key \
+    --mount=type=secret,id=cert \
+    --mount=type=bind,from=base-unsigned,target=/target \
+<<EORUN
+set -eux
+
+    # pesign uses NSS database so create it from input cert/key
+    mkdir pesign
+    certutil -N -d pesign --empty-password
+    openssl pkcs12 -export -password 'pass:' -inkey /run/secrets/key -in /run/secrets/cert -out db.p12
+    pk12util -i db.p12 -W '' -d pesign
+    subject=$(openssl x509 -in /run/secrets/cert -subject | grep '^subject=CN=' | sed 's/^subject=CN=//')
+
+    # Sign systemd-boot as well
+    sdboot="target/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
+    sdboot_out="/sdboot.efi"
+    pesign \
+        --certdir "pesign" \
+        --certificate "${subject}" \
+        --in "${sdboot}" \
+        --out "${sdboot_out}" \
+        --sign
+EORUN
+
+
+FROM base-unsigned as final
+RUN --mount=type=bind,from=kernel,target=/run/sdboot \
+    <<EORUN 
+    set -eux
+    sdboot=/usr/lib/systemd/boot/efi/systemd-bootx64.efi
+    # copy signed sdboot from buildroot
+    cp "/run/sdboot/sdboot.efi" ${sdboot}
+EORUN
diff --git a/tests/build-sealed b/tests/build-sealed
@@ -34,11 +34,6 @@ case $variant in
 esac
 
 
-graphroot=$(podman system info -f '{{.Store.GraphRoot}}')
-echo "Computing composefs digest..."
-cfs_digest=$(podman run --rm --privileged --read-only --security-opt=label=disable -v /sys:/sys:ro --net=none \
-  -v ${graphroot}:/run/host-container-storage:ro --tmpfs /var "$input_image" bootc container compute-composefs-digest)
-
 if test -z "${secureboot}"; then
   secureboot=$(pwd)/target/test-secureboot
   mkdir -p ${secureboot}
@@ -58,9 +53,30 @@ if test -z "${secureboot}"; then
   cd -
 fi
 
-runv podman build -t $output_image \
-  --build-arg=COMPOSEFS_FSVERITY=${cfs_digest} \
+# handle sdboot signing before building the sealed UKI
+# moves db, PK, and KEK test keys into /usr/lib/bootc/keys
+sdboot_signed="${input_image}_signed"
+runv podman build -t $sdboot_signed \
   --build-arg=base=${input_image} \
   --build-arg=buildroot=${BOOTC_buildroot_base} \
   --secret=id=key,src=${secureboot}/db.key \
-  --secret=id=cert,src=${secureboot}/db.crt -f Dockerfile.cfsuki .
+  --secret=id=cert,src=${secureboot}/db.crt \
+  --secret=id=cert,src=${secureboot}/db.crt \
+  --secret=id=pk_key,src=${secureboot}/PK.key \
+  --secret=id=pk_cert,src=${secureboot}/PK.crt \
+  --secret=id=kek_key,src=${secureboot}/KEK.key \
+  --secret=id=kek_cert,src=${secureboot}/KEK.crt \
+  --secret=id=guid,src=${secureboot}/GUID.txt \
+  -f Dockerfile.sdboot .
+
+graphroot=$(podman system info -f '{{.Store.GraphRoot}}')
+echo "Computing composefs digest..."
+cfs_digest=$(podman run --rm --privileged --read-only --security-opt=label=disable -v /sys:/sys:ro --net=none \
+  -v ${graphroot}:/run/host-container-storage:ro --tmpfs /var "$sdboot_signed" bootc container compute-composefs-digest)
+
+runv podman build -t $output_image \
+  --build-arg=COMPOSEFS_FSVERITY=${cfs_digest} \
+  --build-arg=base=${sdboot_signed} \
+  --secret=id=key,src=${secureboot}/db.key \
+  --secret=id=cert,src=${secureboot}/db.crt \
+  -f Dockerfile.cfsuki .
