This gives us some nice test coverage for secure boot enrolling and the
stub secure boot workaround. The authenticated EFI variables are already
created by mkosi; all we need to do is request that secure boot be used.
KernelCommandLine=${{ env.KERNEL_CMDLINE }}
EOF
+ - name: Generate secure boot key
+ run: sudo mkosi genkey
+
- name: Build ${{ matrix.distro }}
- run: sudo mkosi --idmap no
+ run: sudo mkosi --idmap no --secure-boot
- name: Show ${{ matrix.distro }} image summary
run: sudo mkosi summary
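Review bot: The new "Generate secure boot key" step does not say that the key pair is a throwaway, and `sudo mkosi genkey` writes the private key into the working directory of the job. I would add a comment above the step such as `# Throwaway test key, regenerated on every run; never reuse it to sign released images`. It is also worth confirming that no later step uploads the working directory as an artifact, since that would publish the private key with the build output; no upload step is visible in this hunk, so this is a check rather than a finding.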
systemctl --failed --no-legend | tee /failed-services
+# Check that secure boot keys were properly enrolled.
+if [[ -d /sys/firmware/efi/efivars/ ]]; then
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+fi
+
# Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
[[ ! -s /failed-services ]]
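Review bot: The added `if [[ -d /sys/firmware/efi/efivars/ ]]` block skips silently when efivarfs is absent, so a run that was meant to boot under UEFI but did not still reports success without verifying enrollment. If the guard exists because the script also runs in container boots, keep it but log the branch taken, e.g. `else echo "efivarfs not present, secure boot check skipped" >&2`, so the CI log shows whether the check actually ran. The `printf` payloads also deserve a comment, for example `# efivarfs prefixes the value with a 4-byte attribute word (0x6 = BS|RT); byte 5 is the value: SecureBoot=1, SetupMode=0`. The script starts outside this hunk, so the `-e` setting mentioned in the existing comment is taken on trust.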