15 changes: 3 additions & 12 deletions Dockerfile.cfsuki
Expand Up @@ -2,6 +2,7 @@
ARG base=localhost/bootc
# This is where we get the tools to build the UKI
ARG buildroot=quay.io/centos/centos:stream10

FROM $base AS base

FROM $buildroot as buildroot-base
Expand All @@ -12,7 +13,7 @@ set -xeuo pipefail
# is used by ukify as invoked with the `--measure` flag below. Not
# strictly required, but nice to have the measured PCR values in the
# output.
dnf install -y systemd-ukify systemd-udev pesign openssl systemd-boot-unsigned
dnf install -y systemd-ukify systemd-udev pesign openssl
dnf clean all
EORUN

Expand All @@ -23,7 +24,7 @@ RUN --mount=type=secret,id=key \
--mount=type=secret,id=cert \
--mount=type=bind,from=base,target=/target \
<<EOF
set -eux
set -xeuo pipefail

# Should be generated externally
test -n "${COMPOSEFS_FSVERITY}"
Expand All @@ -50,19 +51,9 @@ RUN --mount=type=secret,id=key \
--measure \
--json pretty \
--output "/boot/$kver.efi"
# Sign systemd-boot as well
sdboot="/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
pesign \
--certdir "pesign" \
--certificate "${subject}" \
--in "${sdboot}" \
--out "${sdboot}.signed" \
--sign
mv "${sdboot}.signed" "${sdboot}"
EOF

FROM base as final

RUN --mount=type=bind,from=kernel,target=/run/kernel <<EOF
set -xeuo pipefail
kver=$(cd /usr/lib/modules && echo *)
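Review bot: The file now relies on its base image already carrying a signed systemd-boot — the pesign step after `--output "/boot/$kver.efi"` is removed and `systemd-boot-unsigned` is no longer installed — but nothing in the file states that contract, so a build with `--build-arg=base=` pointing at an unsigned image yields a UKI image whose bootloader was never signed. Add a comment next to `ARG base=localhost/bootc`, e.g. `# Expects a base image whose systemd-boot is already signed (see Dockerfile.sdboot)`. The switch from `set -eux` to `set -xeuo pipefail` in the signing RUN also means that, if this file uses the same certificate-subject pipeline as Dockerfile.sdboot (that part is outside this view), an empty grep match now fails the build instead of passing an empty subject to pesign, which is the right behavior and worth a one-line comment. The RUN body beginning at `--mount=type=secret,id=key` continues beyond the last hunk.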
50 changes: 50 additions & 0 deletions Dockerfile.sdboot
@@ -0,0 +1,50 @@
# Override via --build-arg=base=<image> to use a different base
ARG base=localhost/bootc
# Image to sign systemd-boot first, BEFORE, installing onto the image
ARG buildroot=quay.io/centos/centos:stream10

FROM $base AS base-unsigned

FROM $buildroot as buildroot-base
RUN <<EORUN
set -xeuo pipefail
dnf install -y pesign openssl
dnf clean all
EORUN


FROM buildroot-base as signer
# Sign sdboot and put it on the target first
RUN --mount=type=secret,id=key \
--mount=type=secret,id=cert \
--mount=type=bind,from=base-unsigned,target=/target \
<<EORUN
set -xeuo pipefail

# pesign uses NSS database so create it from input cert/key
mkdir pesign
certutil -N -d pesign --empty-password
openssl pkcs12 -export -password 'pass:' -inkey /run/secrets/key -in /run/secrets/cert -out db.p12
pk12util -i db.p12 -W '' -d pesign
subject=$(openssl x509 -in /run/secrets/cert -subject | grep '^subject=CN=' | sed 's/^subject=CN=//')
Having a second copy of this code isn't fatal, but I think we could factor out a shared helper for this too.


# Sign systemd-boot as well
sdboot="target/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
sdboot_out="/sdboot.efi"
pesign \
--certdir "pesign" \
--certificate "${subject}" \
--in "${sdboot}" \
--out "${sdboot_out}" \
--sign
EORUN


FROM base-unsigned as final
RUN --mount=type=bind,from=signer,target=/run/sdboot \
<<EORUN
set -xeuo pipefail
sdboot=/usr/lib/systemd/boot/efi/systemd-bootx64.efi
# copy signed sdboot from buildroot
cp "/run/sdboot/sdboot.efi" ${sdboot}
EORUN
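Review bot: `sdboot="target/usr/lib/systemd/boot/efi/systemd-bootx64.efi"` is a relative path while the bind mount is at `/target`, so the signing step only works when the RUN's working directory happens to be `/`; `mkdir pesign` and `--certdir "pesign"` have the same dependency. Use the absolute path, `sdboot="/target/usr/lib/systemd/boot/efi/systemd-bootx64.efi"`, and quote the destination in the final stage, `cp "/run/sdboot/sdboot.efi" "${sdboot}"`, to match the other expansions in the file. A short comment on `FROM base-unsigned as final` noting that only the signed `/sdboot.efi` is copied out of the signer stage — so the NSS database and `db.p12` built from the key never land in the output image — would document the intended isolation between the two stages.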
25 changes: 17 additions & 8 deletions tests/build-sealed
Expand Up @@ -37,11 +37,6 @@ case $variant in
esac


graphroot=$(podman system info -f '{{.Store.GraphRoot}}')
echo "Computing composefs digest..."
cfs_digest=$(podman run --rm --privileged --read-only --security-opt=label=disable -v /sys:/sys:ro --net=none \
-v ${graphroot}:/run/host-container-storage:ro --tmpfs /var "$input_image" bootc container compute-composefs-digest)

if test -z "${secureboot}"; then
secureboot=$(pwd)/target/test-secureboot
mkdir -p ${secureboot}
Expand All @@ -61,9 +56,23 @@ if test -z "${secureboot}"; then
cd -
fi

runv podman build -t $output_image \
--build-arg=COMPOSEFS_FSVERITY=${cfs_digest} \
# handle sdboot signing before building the sealed UKI
sdboot_signed="${input_image}_signed"
runv podman build -t $sdboot_signed \
--build-arg=base=${input_image} \
--build-arg=buildroot=${buildroot_base} \
--secret=id=key,src=${secureboot}/db.key \
--secret=id=cert,src=${secureboot}/db.crt -f Dockerfile.cfsuki .
--secret=id=cert,src=${secureboot}/db.crt \
-f Dockerfile.sdboot .

graphroot=$(podman system info -f '{{.Store.GraphRoot}}')
echo "Computing composefs digest..."
cfs_digest=$(podman run --rm --privileged --read-only --security-opt=label=disable -v /sys:/sys:ro --net=none \
-v ${graphroot}:/run/host-container-storage:ro --tmpfs /var "$sdboot_signed" bootc container compute-composefs-digest)

runv podman build -t $output_image \
--build-arg=COMPOSEFS_FSVERITY=${cfs_digest} \
--build-arg=base=${sdboot_signed} \
--secret=id=key,src=${secureboot}/db.key \
--secret=id=cert,src=${secureboot}/db.crt \
-f Dockerfile.cfsuki .
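Review bot: `--build-arg=buildroot=${buildroot_base}` is passed to the Dockerfile.sdboot build but not to the Dockerfile.cfsuki build at the end of the hunk, so the two images may be built from different buildroots whenever `buildroot_base` (set outside this hunk, presumably by the `case $variant` above) differs from the Dockerfile default. If both builds are meant to use the variant's buildroot, add `--build-arg=buildroot=${buildroot_base} \` to the second `runv podman build` as well. The ordering is also load-bearing and deserves a comment, since `cfs_digest` has to be computed from `$sdboot_signed` rather than `$input_image` now that the signed bootloader is part of the sealed image, e.g. `# digest must cover the signed systemd-boot, so compute it from the signed image`. Finally, `sdboot_signed="${input_image}_signed"` produces an invalid reference if `input_image` is ever given by digest (`@sha256:…`), which may be worth guarding or documenting.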