From: Jan Janssen
Date: Tue, 31 Jan 2023 17:53:28 +0000 (+0100)
Subject: ci: Test with secure boot enabled under mkosi
X-Git-Tag: v253-rc2~12^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F26287%2Fhead;p=thirdparty%2Fsystemd.git
ci: Test with secure boot enabled under mkosi
This gives us some nice test coverage for secure boot enrolling and the stub secure boot workound. The authenticated EFI variables are already created by mkosi, all we need to do is request secure boot to be used.
---
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index d952e6b31b3..84f930abd17 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -95,8 +95,11 @@ jobs: KernelCommandLine=${{ env.KERNEL_CMDLINE }} EOF + - name: Generate secure boot key + run: sudo mkosi genkey + - name: Build ${{ matrix.distro }} - run: sudo mkosi --idmap no + run: sudo mkosi --idmap no --secure-boot - name: Show ${{ matrix.distro }} image summary run: sudo mkosi summary
diff --git a/test/mkosi-check-and-shutdown.sh b/test/mkosi-check-and-shutdown.sh
index ed76ef370ad..b86d2d3e690 100644
--- a/test/mkosi-check-and-shutdown.sh
+++ b/test/mkosi-check-and-shutdown.sh
@@ -3,6 +3,12 @@ systemctl --failed --no-legend | tee /failed-services
+# Check that secure boot keys were properly enrolled.
+if [[ -d /sys/firmware/efi/efivars/ ]]; then
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+fi
+
# Exit with non-zero EC if the /failed-services file is not empty (we have -e set) [[ ! -s /failed-services ]]
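Review bot: The new `Generate secure boot key` step carries no comment saying that the key is a throwaway made for this run only. `sudo mkosi genkey` presumably leaves the private key in the job's working directory, where it stays for the rest of the job. I would add `# Per-run test key for secure boot enrollment; never reuse it or publish it as an artifact.` above the step. Whether a later step of this workflow uploads files from that directory is not visible in the hunk, so that is worth checking.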
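Review bot: When `/sys/firmware/efi/efivars/` is absent the new `if` block is skipped without a trace, so a run that boots without UEFI, or without efivarfs mounted, still passes and the secure boot coverage this commit adds is lost silently. If the guard exists for container boots, say so in a comment and log the skip, for example `else echo "efivarfs not available, secure boot state not checked" >&2` before `fi`. The expected bytes also need a comment: efivarfs puts four attribute bytes in front of the value, and `\6\0\0\0` is BOOTSERVICE_ACCESS | RUNTIME_ACCESS, so `# 4 attribute bytes, then the value: SecureBoot=1, SetupMode=0` above the two `cmp` lines would make the literals readable.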