Various composefs enhancements

- Change the install logic to detect UKIs and automatically
  enable composefs
- Move sealing bits to the toplevel
- Add Justfile entrypoints
- Add basic end-to-end CI coverage (install + run) using
  our integration tests
- Change lints to ignore `/boot/EFI`

Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

.github/workflows/ci.yml

@@ -192,3 +192,24 @@ jobs:
         with:
           name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ env.ARCH }}-${{ matrix.tmt_plan }}
           path: /var/tmp/tmt
+  # This variant does composefs testing
+  test-integration-cfs:
+    strategy:
+      fail-fast: false
+      matrix:
+        test_os: [centos-10]
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bootc Ubuntu Setup
+        uses: ./.github/actions/bootc-ubuntu-setup
+        with:
+          libvirt: true
+
+      - name: Build container
+        run: just build-sealed
+
+      - name: Test
+        run: just test-composefs

Cargo.lock

@@ -91,11 +91,21 @@ RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/rooth
 
 # The final image that derives from the original base and adds the release binaries
 FROM base
+# Set this to 1 to default to systemd-boot
+ARG sdboot=0
 RUN <<EORUN
 set -xeuo pipefail
 # Ensure we've flushed out prior state (i.e. files no longer shipped from the old version);
 # and yes, we may need to go to building an RPM in this Dockerfile by default.
 rm -vf /usr/lib/systemd/system/multi-user.target.wants/bootc-*
+if test "$sdboot" = 1; then
+  dnf -y install systemd-boot-unsigned
+  # And uninstall bootupd
+  rpm -e bootupd
+  rm /usr/lib/bootupd/updates -rf
+  dnf clean all
+  rm -rf /var/cache /var/lib/{dnf,rhsm} /var/log/*
+fi
 EORUN
 # Create a layer that is our new binaries
 COPY --from=build /out/ /

Dockerfile

@@ -0,0 +1,73 @@
+# Override via --build-arg=base=<image> to use a different base
+ARG base=localhost/bootc
+# This is where we get the tools to build the UKI
+ARG buildroot=quay.io/fedora/fedora:42
+FROM $base AS base
+
+FROM $buildroot as buildroot-base
+RUN <<EORUN
+set -xeuo pipefail
+dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
+dnf clean all
+EORUN
+
+FROM buildroot-base as kernel
+# Must be passed
+ARG COMPOSEFS_FSVERITY
+RUN --mount=type=secret,id=key \
+    --mount=type=secret,id=cert \
+    --mount=type=bind,from=base,target=/target \
+     <<EOF
+    set -eux
+
+    # Should be generated externally
+    test -n "${COMPOSEFS_FSVERITY}"
+
+    # Inject the composefs kernel argument and specify a root with the x86_64 DPS UUID.
+    # TODO: Discoverable partition fleshed out, or drop root UUID as systemd-stub extension
+    # TODO: https://github.com/containers/composefs-rs/issues/183
+    cmdline="composefs=${COMPOSEFS_FSVERITY} root=UUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709 console=ttyS0,114800n8 enforcing=0 rw"
+
+    kver=$(cd /target/usr/lib/modules && echo *)
+    ukify build \
+        --linux "/target/usr/lib/modules/$kver/vmlinuz" \
+        --initrd "/target/usr/lib/modules/$kver/initramfs.img" \
+        --uname="${kver}" \
+        --cmdline "${cmdline}" \
+        --os-release "@/target/usr/lib/os-release" \
+        --signtool sbsign \
+        --secureboot-private-key "/run/secrets/key" \
+        --secureboot-certificate "/run/secrets/cert" \
+        --measure \
+        --json pretty \
+        --output "/boot/$kver.efi"
+    # Sign systemd-boot as well
+    sdboot="/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
+    sbsign \
+        --key "/run/secrets/key" \
+        --cert "/run/secrets/cert" \
+        "${sdboot}"
+    mv "${sdboot}.signed" "${sdboot}"
+EOF
+
+FROM base as final
+
+RUN --mount=type=bind,from=kernel,target=/run/kernel <<EOF
+set -xeuo pipefail
+kver=$(cd /usr/lib/modules && echo *)
+mkdir -p /boot/EFI/Linux
+# We put the UKI in /boot for now due to composefs verity not being the
+# same due to mtime of /usr/lib/modules being changed
+target=/boot/EFI/Linux/$kver.efi
+cp /run/kernel/boot/$kver.efi $target
+# And remove the defaults
+rm -v /usr/lib/modules/${kver}/{vmlinuz,initramfs.img}
+# Symlink into the /usr/lib/modules location
+ln -sr $target /usr/lib/modules/${kver}/$(basename $kver.efi)
+bootc container lint --fatal-warnings
+EOF
+
+FROM base as final-final
+COPY --from=final /boot /boot
+# Override the default
+LABEL containers.bootc=sealed

Dockerfile.cfsuki

@@ -13,12 +13,21 @@
 build *ARGS:
     podman build --jobs=4 -t localhost/bootc {{ARGS}} .
 
+# Build a sealed image from current sources. This will default to
+# generating Secure Boot keys in target/test-secureboot.
+build-sealed *ARGS:
+    podman build --build-arg=sdboot=1 --jobs=4 -t localhost/bootc-unsealed {{ARGS}} .
+    ./tests/build-sealed localhost/bootc-unsealed localhost/bootc
+
 # This container image has additional testing content and utilities
 build-integration-test-image *ARGS:
     cd hack && podman build --jobs=4 -t localhost/bootc-integration -f Containerfile {{ARGS}} .
     # Keep these in sync with what's used in hack/lbi
     podman pull -q --retry 5 --retry-delay 5s quay.io/curl/curl:latest quay.io/curl/curl-base:latest registry.access.redhat.com/ubi9/podman:latest
 
+test-composefs: build-sealed
+    cargo run --release -p tests-integration -- composefs-bcvk localhost/bootc
+
 # Only used by ci.yml right now
 build-install-test-image: build-integration-test-image
     cd hack && podman build -t localhost/bootc-integration-install -f Containerfile.drop-lbis

Justfile

@@ -51,7 +51,7 @@ use crate::install::{RootSetup, State};
 /// Contains the EFP's filesystem UUID. Used by grub
 pub(crate) const EFI_UUID_FILE: &str = "efiuuid.cfg";
 /// The EFI Linux directory
-const EFI_LINUX: &str = "EFI/Linux";
+pub(crate) const EFI_LINUX: &str = "EFI/Linux";
 
 /// Timeout for systemd-boot bootloader menu
 const SYSTEMD_TIMEOUT: &str = "timeout 5";
@@ -126,6 +126,26 @@ fi
     )
 }
 
+/// Returns `true` if detect the target rootfs carries a UKI.
+pub(crate) fn container_root_has_uki(root: &Dir) -> Result<bool> {
+    let Some(boot) = root.open_dir_optional(crate::install::BOOT)? else {
+        return Ok(false);
+    };
+    let Some(efi_linux) = boot.open_dir_optional(EFI_LINUX)? else {
+        return Ok(false);
+    };
+    for entry in efi_linux.entries()? {
+        let entry = entry?;
+        let name = entry.file_name();
+        let name = Path::new(&name);
+        let extension = name.extension().and_then(|v| v.to_str());
+        if extension == Some("efi") {
+            return Ok(true);
+        }
+    }
+    Ok(false)
+}
+
 pub fn get_esp_partition(device: &str) -> Result<(String, Option<String>)> {
     let device_info = bootc_blockdev::partitions_of(Utf8Path::new(device))?;
     let esp = device_info
@@ -372,11 +392,7 @@ pub(crate) fn setup_composefs_bls_boot(
                 esp_part.node.clone(),
                 cmdline_options,
                 fs,
-                state
-                    .composefs_options
-                    .as_ref()
-                    .map(|opts| opts.bootloader.clone())
-                    .unwrap_or(Bootloader::default()),
+                state.detected_bootloader.clone(),
             )
         }
 
@@ -839,7 +855,7 @@ pub(crate) fn setup_composefs_uki_boot(
             (
                 root_setup.physical_root_path.clone(),
                 esp_part.node.clone(),
-                cfs_opts.bootloader.clone(),
+                state.detected_bootloader.clone(),
                 cfs_opts.insecure,
                 cfs_opts.uki_addon.as_ref(),
             )
@@ -944,13 +960,20 @@ pub(crate) fn setup_composefs_boot(
     if cfg!(target_arch = "s390x") {
         // TODO: Integrate s390x support into install_via_bootupd
         crate::bootloader::install_via_zipl(&root_setup.device_info, boot_uuid)?;
-    } else {
+    } else if state.detected_bootloader == Bootloader::Grub {
         crate::bootloader::install_via_bootupd(
             &root_setup.device_info,
             &root_setup.physical_root_path,
             &state.config_opts,
             None,
         )?;
+    } else {
+        crate::bootloader::install_systemd_boot(
+            &root_setup.device_info,
+            &root_setup.physical_root_path,
+            &state.config_opts,
+            None,
+        )?;
     }
 
     let repo = open_composefs_repo(&root_setup.physical_root)?;
@@ -1001,3 +1024,34 @@ pub(crate) fn setup_composefs_boot(
 
     Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use cap_std_ext::cap_std;
+
+    #[test]
+    fn test_root_has_uki() -> Result<()> {
+        // Test case 1: No boot directory
+        let tempdir = cap_std_ext::cap_tempfile::tempdir(cap_std::ambient_authority())?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 2: boot directory exists but no EFI/Linux
+        tempdir.create_dir(crate::install::BOOT)?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 3: boot/EFI/Linux exists but no .efi files
+        tempdir.create_dir_all("boot/EFI/Linux")?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 4: boot/EFI/Linux exists with non-.efi file
+        tempdir.atomic_write("boot/EFI/Linux/readme.txt", b"some file")?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 5: boot/EFI/Linux exists with .efi file
+        tempdir.atomic_write("boot/EFI/Linux/bootx64.efi", b"fake efi binary")?;
+        assert_eq!(container_root_has_uki(&tempdir)?, true);
+
+        Ok(())
+    }
+}

crates/lib/src/bootc_composefs/boot.rs

@@ -7,10 +7,26 @@ use fn_error_context::context;
 
 use bootc_blockdev::PartitionTable;
 use bootc_mount as mount;
+use bootc_mount::tempmount::TempMount;
+
+use crate::{install::ESP_GUID, utils};
 
 /// The name of the mountpoint for efi (as a subdirectory of /boot, or at the toplevel)
 pub(crate) const EFI_DIR: &str = "efi";
 
+/// Determine if the invoking environment contains bootupd, and if there are bootupd-based
+/// updates in the target root.
+#[context("Querying for bootupd")]
+pub(crate) fn supports_bootupd(deployment_path: Option<&str>) -> Result<bool> {
+    if !utils::have_executable("bootupd")? {
+        return Ok(false);
+    };
+    let deployment_path = Utf8Path::new(deployment_path.unwrap_or("/"));
+    let updates = deployment_path.join("usr/lib/bootupd/updates");
+    let r = updates.try_exists()?;
+    Ok(r)
+}
+
 #[context("Installing bootloader")]
 pub(crate) fn install_via_bootupd(
     device: &PartitionTable,
@@ -40,6 +56,30 @@ pub(crate) fn install_via_bootupd(
         .run_inherited_with_cmd_context()
 }
 
+#[context("Installing bootloader")]
+pub(crate) fn install_systemd_boot(
+    device: &PartitionTable,
+    _rootfs: &Utf8Path,
+    _configopts: &crate::install::InstallConfigOpts,
+    _deployment_path: Option<&str>,
+) -> Result<()> {
+    let esp_part = device
+        .partitions
+        .iter()
+        .find(|p| p.parttype.as_str() == ESP_GUID)
+        .ok_or_else(|| anyhow::anyhow!("ESP partition not found"))?;
+
+    let esp_mount = TempMount::mount_dev(&esp_part.node).context("Mounting ESP")?;
+    let esp_path = Utf8Path::from_path(esp_mount.dir.path())
+        .ok_or_else(|| anyhow::anyhow!("Failed to convert ESP mount path to UTF-8"))?;
+
+    println!("Installing bootloader via systemd-boot");
+    Command::new("bootctl")
+        .args(["install", "--esp-path", esp_path.as_str()])
+        .log_debug()
+        .run_inherited_with_cmd_context()
+}
+
 #[context("Installing bootloader using zipl")]
 pub(crate) fn install_via_zipl(device: &PartitionTable, boot_uuid: &str) -> Result<()> {
     // Identify the target boot partition from UUID