From 2de6cc18f9ab6ceb46fd5008847f0226388fee90 Mon Sep 17 00:00:00 2001
From: Jan Janssen
Date: Tue, 31 Jan 2023 18:53:28 +0100
Subject: [PATCH] ci: Test with secure boot enabled under mkosi

This gives us some nice test coverage for secure boot enrolling and the stub secure boot workound. The authenticated EFI variables are already created by mkosi, all we need to do is request secure boot to be used.
---
 .github/workflows/mkosi.yml | 5 ++++-
 test/mkosi-check-and-shutdown.sh | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index d952e6b31b3..84f930abd17 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -95,8 +95,11 @@ jobs:
 KernelCommandLine=${{ env.KERNEL_CMDLINE }}
 EOF
+ - name: Generate secure boot key
+ run: sudo mkosi genkey
+
 - name: Build ${{ matrix.distro }}
- run: sudo mkosi --idmap no
+ run: sudo mkosi --idmap no --secure-boot
 - name: Show ${{ matrix.distro }} image summary
 run: sudo mkosi summary
diff --git a/test/mkosi-check-and-shutdown.sh b/test/mkosi-check-and-shutdown.sh
index ed76ef370ad..b86d2d3e690 100644
--- a/test/mkosi-check-and-shutdown.sh
+++ b/test/mkosi-check-and-shutdown.sh
@@ -3,6 +3,12 @@
 systemctl --failed --no-legend | tee /failed-services
+# Check that secure boot keys were properly enrolled.
+if [[ -d /sys/firmware/efi/efivars/ ]]; then
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+ cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+fi
+
 # Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
 [[ ! -s /failed-services ]]
--
2.47.3
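Review bot: The secure boot check in test/mkosi-check-and-shutdown.sh is skipped silently when `/sys/firmware/efi/efivars/` is absent, so a guest that booted without UEFI or without efivarfs mounted still passes, even though the workflow now always builds with `--secure-boot`. If nothing else calls this script in a non-EFI setup (not visible here), consider failing closed, or at least logging the skip with `else echo "efivars not present, secure boot state not verified" >&2`. The `cmp` lines would also benefit from a comment on the byte layout, for example `# efivarfs prepends a 4-byte attribute word (0x6 = boot-service + runtime access) to the 1-byte value`. The script's start and end are outside the hunk, so the `-e` behaviour that makes a `cmp` mismatch fatal is taken from the existing comment and should be confirmed.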