mkosi: fix UKI addons test

The test hasn't been working for a while, since there's no /efi or /boot
in $DESTDIR.

Resolves: #31618

diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot
index ce3c8e25772a74289da952daf5e72e4f7105692c..24362970aefcefe5629dee282e3056c788db0c87 100755 (executable)
--- a/mkosi.images/base/mkosi.build.chroot
+++ b/mkosi.images/base/mkosi.build.chroot
@@ -169,15 +169,3 @@ if [ "$WITH_TESTS" = 1 ]; then
 fi
 
 ( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
-
-# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
-if [ -d "${DESTDIR}/boot/loader" ]; then
-    addons_dir="${DESTDIR}/boot/loader/addons"
-elif [ -d "${DESTDIR}/efi/loader" ]; then
-    addons_dir="${DESTDIR}/efi/loader/addons"
-fi
-if [ -n "${addons_dir}" ]; then
-    mkdir -p "${addons_dir}"
-    ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
-    ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
-fi

diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf
index e1a511c9792153ee92e3467d316aec8293780c5d..a3d008d10f97c02f554c44a712d3a472e4ef17a4 100644 (file)
--- a/mkosi.images/system/mkosi.conf.d/10-arch.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-arch.conf
@@ -23,5 +23,6 @@ Packages=
         python-pytest
         python3
         quota-tools
+        sbsigntools
         shadow
         vim

diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
index 348bdb2992c334eaa44c3aff68712f6353b8d1db..d6e3f2022214c901d2cec1ff89c8b16594398207 100644 (file)
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
@@ -19,6 +19,7 @@ Packages=
         netcat-openbsd
         openssh-server
         openssh-client
+        sbsigntool
         passwd
         policykit-1
         procps

diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
index 5863f03b19c0cc3740871758f8ef695714dc9099..7554ad2dc3131c3c7b959065d92fb5a829107171 100644 (file)
--- a/mkosi.images/system/mkosi.conf.d/10-fedora.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
@@ -9,3 +9,4 @@ Packages=
         compsize
         f2fs-tools
         glibc-langpack-en
+        sbsigntools

diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
index 71434b4560b50ae6615dfd74a53d6fa6f6acae30..ffcb66422469981d9e3592289e72c6026ed82d54 100644 (file)
--- a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
@@ -20,5 +20,6 @@ Packages=
         python3-psutil
         python3-pytest
         quota
+        sbsigntools
         shadow
         vim

diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index 692242da38fb370355d4cbdaea00446b3fe59be4..330fa3b73e254c1c49f979ee94e06eb051f52c1e 100755 (executable)
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -e
 
@@ -100,3 +100,12 @@ mkdir -p /usr/lib/tmpfiles.d
 cat >/usr/lib/tmpfiles.d/testuser.conf <<EOF
 q      /home/testuser  0700    4711    4711
 EOF
+
+# sbsign is not available on CentOS Stream
+if command -v sbsign &>/dev/null; then
+    # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+    addons_dir=/efi/loader/addons
+    mkdir -p "$addons_dir"
+    ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+    ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi