add autoenroll to sdboot

Gareth Widlansky · Gareth Widlansky · commit 6bd32cdc212b · 2025-12-01T11:11:12.000-05:00
Signed-off-by: Gareth Widlansky &lt;gareth.widlansky@proton.me&gt;
diff --git a/Dockerfile.sdboot b/Dockerfile.sdboot
@@ -1,14 +1,15 @@
 # Override via --build-arg=base=<image> to use a different base
 ARG base=localhost/bootc
 # Image to sign systemd-boot first, BEFORE, installing onto the image
-ARG buildroot=quay.io/centos/centos:stream10
+# We need to use fedora for the `efitools` package
+ARG buildroot=quay.io/fedora/fedora:42
 
 FROM $base AS base-unsigned
 
 FROM $buildroot as buildroot-base
 RUN <<EORUN
 set -xeuo pipefail
-dnf install -y pesign openssl
+dnf install -y pesign openssl efitools
 dnf clean all
 EORUN
 
@@ -41,10 +42,29 @@ EORUN
 
 
 FROM base-unsigned as final
-RUN --mount=type=bind,from=signer,target=/run/sdboot \
+RUN --mount=type=secret,id=cert \
+    --mount=type=bind,from=signer,target=/run/sdboot \
     <<EORUN
     set -xeuo pipefail
+
+    # enable auto enrollment for systemd-boot
+    auto_enroll=/usr/lib/bootc/keys
+    mkdir -p ${auto_enroll}
+    # in prod, it would be a good idea to also enroll the microsoft keys here as well
+    openssl x509 -outform DER -in run/secrets/cert -out "${auto_enroll}/db.cer"
+
     sdboot=/usr/lib/systemd/boot/efi/systemd-bootx64.efi
     # copy signed sdboot from buildroot
     cp "/run/sdboot/sdboot.efi" ${sdboot}
+    cp -r "/run/sdboot/keys" "/usr/lib/bootc/keys/"
+
+    guid=$(cat /run/secrets/guid)
+    cert-to-efi-sig-list -g ${guid} /run/secrets/cert /db.esl
+    sign-efi-sig-list -k /run/secrets/key -c /run/secrets/cert db /db.esl ${keyout}/db.auth
+
+    cert-to-efi-sig-list -g ${guid} /run/secrets/pk_cert /pk.esl
+    sign-efi-sig-list -k /run/secrets/pk_key -c /run/secrets/pk_cert PK /pk.esl ${keyout}/pk.auth
+
+    cert-to-efi-sig-list -g ${guid} /run/secrets/kek_cert /kek.esl
+    sign-efi-sig-list -k /run/secrets/kek_key -c /run/secrets/kek_cert KEK /kek.esl ${keyout}/kek.auth
 EORUN
diff --git a/crates/lib/src/bootc_composefs/boot.rs b/crates/lib/src/bootc_composefs/boot.rs
@@ -1,9 +1,9 @@
-use std::ffi::OsStr;
 use std::fs::create_dir_all;
 use std::io::Write;
 use std::path::Path;
+use std::{ffi::OsStr, os::unix::ffi::OsStrExt};
 
-use anyhow::{anyhow, Context, Result};
+use anyhow::{anyhow, bail, Context, Result};
 use bootc_blockdev::find_parent_devices;
 use bootc_kernel_cmdline::utf8::{Cmdline, Parameter};
 use bootc_mount::inspect_filesystem_of_dir;
@@ -15,6 +15,7 @@ use cap_std_ext::{
 };
 use clap::ValueEnum;
 use composefs::fs::read_file;
+use composefs::generic_tree::{Directory, Inode, LeafContent};
 use composefs::tree::RegularFile;
 use composefs_boot::BootOps;
 use composefs_boot::{
@@ -1026,6 +1027,42 @@ pub(crate) fn setup_composefs_uki_boot(
     Ok(())
 }
 
+pub struct AuthFile {
+    pub filename: Utf8PathBuf,
+    pub file: RegularFile<Sha512HashValue>,
+}
+
+fn get_autoenroll_keys(root: &Directory<RegularFile<Sha512HashValue>>) -> Result<Vec<AuthFile>> {
+    let mut entries = vec![];
+    match root.get_directory("/usr/lib/bootc/keys".as_ref()) {
+        Ok(keys_dir) => {
+            for (filename, inode) in keys_dir.entries() {
+                if !filename.as_bytes().ends_with(b".auth") {
+                    continue;
+                }
+
+                let Inode::Leaf(leaf) = inode else {
+                    bail!("/usr/lib/bootc/keys/{filename:?} is a directory");
+                };
+
+                let LeafContent::Regular(file) = &leaf.content else {
+                    bail!("/usr/lib/bootc/keys/{filename:?} is not a regular file");
+                };
+                let path = match Utf8PathBuf::from_os_string(filename.into()) {
+                    Ok(p) => p,
+                    Err(_) => bail!("couldn't get pathbuf: /usr/lib/bootc/keys/{filename:?}"),
+                };
+                entries.push(AuthFile {
+                    filename: path,
+                    file: file.clone(),
+                });
+            }
+        }
+        Err(other) => Err(other)?,
+    };
+    Ok(entries)
+}
+
 #[context("Setting up composefs boot")]
 pub(crate) fn setup_composefs_boot(
     root_setup: &RootSetup,
@@ -1044,6 +1081,8 @@ pub(crate) fn setup_composefs_boot(
 
     let postfetch = PostFetchState::new(state, &mounted_fs)?;
 
+    let keys = get_autoenroll_keys(&fs.root)?;
+
     let boot_uuid = root_setup
         .get_boot_uuid()?
         .or(root_setup.rootfs_uuid.as_deref())
@@ -1065,6 +1104,8 @@ pub(crate) fn setup_composefs_boot(
             &root_setup.physical_root_path,
             &state.config_opts,
             None,
+            keys,
+            &repo,
         )?;
     }
 
diff --git a/crates/lib/src/bootloader.rs b/crates/lib/src/bootloader.rs
@@ -1,15 +1,19 @@
+use std::fs::create_dir_all;
 use std::process::Command;
 
 use anyhow::{anyhow, bail, Context, Result};
 use bootc_utils::CommandRunExt;
 use camino::Utf8Path;
+use cap_std_ext::cap_std::ambient_authority;
 use cap_std_ext::cap_std::fs::Dir;
+use cap_std_ext::dirext::CapStdExtDirExt;
+use composefs::fs::read_file;
 use fn_error_context::context;
 
 use bootc_blockdev::{Partition, PartitionTable};
 use bootc_mount as mount;
 
-use crate::bootc_composefs::boot::mount_esp;
+use crate::bootc_composefs::boot::{mount_esp, AuthFile};
 use crate::{discoverable_partition_specification, utils};
 
 /// The name of the mountpoint for efi (as a subdirectory of /boot, or at the toplevel)
@@ -74,6 +78,8 @@ pub(crate) fn install_systemd_boot(
     _rootfs: &Utf8Path,
     _configopts: &crate::install::InstallConfigOpts,
     _deployment_path: Option<&str>,
+    autoenroll: Vec<AuthFile>,
+    repo: &crate::store::ComposefsRepository,
 ) -> Result<()> {
     let esp_part = device
         .find_partition_of_type(discoverable_partition_specification::ESP)
@@ -87,7 +93,29 @@ pub(crate) fn install_systemd_boot(
     Command::new("bootctl")
         .args(["install", "--esp-path", esp_path.as_str()])
         .log_debug()
-        .run_inherited_with_cmd_context()
+        .run_inherited_with_cmd_context()?;
+
+    if autoenroll.len() < 1 {
+        return Ok(());
+    }
+
+    println!("Autoenrolling keys");
+    let path = esp_path.join("loader/keys/auto");
+    create_dir_all(&path)?;
+
+    let keys_dir = Dir::open_ambient_dir(&path, ambient_authority())
+        .with_context(|| format!("Opening {path}"))?;
+    for a in autoenroll.iter() {
+        let p = path.join(a.filename.clone());
+        keys_dir
+            .atomic_write(
+                &a.filename,
+                read_file(&a.file, &repo).context("reading file")?,
+            )
+            .with_context(|| format!("Writing secure boot key: {p}"))?;
+        println!("Wrote secure boot key: {p}");
+    }
+    Ok(())
 }
 
 #[context("Installing bootloader using zipl")]
diff --git a/tests/build-sealed b/tests/build-sealed
@@ -57,7 +57,14 @@ fi
 sdboot_signed="${input_image}_signed"
 podman build -t $sdboot_signed --build-arg=base=${input_image} \
   --secret=id=key,src=${secureboot}/db.key \
-  --secret=id=cert,src=${secureboot}/db.crt -f Dockerfile.sdboot .
+  --secret=id=cert,src=${secureboot}/db.crt \
+  --secret=id=pk_key,src=${secureboot}/PK.key \
+  --secret=id=pk_cert,src=${secureboot}/PK.crt \
+  --secret=id=kek_key,src=${secureboot}/KEK.key \
+  --secret=id=kek_cert,src=${secureboot}/KEK.crt \
+  --secret=id=guid,src=${secureboot}/GUID.txt \
+  -f Dockerfile.sdboot .
+
 
 graphroot=$(podman system info -f '{{.Store.GraphRoot}}')
 echo "Computing composefs digest..."
