add support for key autoenroll to sdboot

Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>

add autoenroll to sdboot

Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>

asdf

Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>

Author: Gareth Widlansky

crates/lib/src/bootc_composefs/boot.rs

@@ -61,12 +61,12 @@
 //! 1. **Primary**: New/upgraded deployment (default boot target)
 //! 2. **Secondary**: Currently booted deployment (rollback option)
 
-use std::ffi::OsStr;
 use std::fs::create_dir_all;
 use std::io::Write;
 use std::path::Path;
+use std::{ffi::OsStr, os::unix::ffi::OsStrExt};
 
-use anyhow::{anyhow, Context, Result};
+use anyhow::{anyhow, bail, Context, Result};
 use bootc_blockdev::find_parent_devices;
 use bootc_kernel_cmdline::utf8::{Cmdline, Parameter};
 use bootc_mount::inspect_filesystem_of_dir;
@@ -78,6 +78,7 @@ use cap_std_ext::{
 };
 use clap::ValueEnum;
 use composefs::fs::read_file;
+use composefs::generic_tree::{Directory, Inode, LeafContent};
 use composefs::tree::RegularFile;
 use composefs_boot::BootOps;
 use composefs_boot::{
@@ -1142,6 +1143,42 @@ pub(crate) fn setup_composefs_uki_boot(
     Ok(())
 }
 
+pub struct AuthFile {
+    pub filename: Utf8PathBuf,
+    pub file: RegularFile<Sha512HashValue>,
+}
+
+fn get_autoenroll_keys(root: &Directory<RegularFile<Sha512HashValue>>) -> Result<Vec<AuthFile>> {
+    let mut entries = vec![];
+    match root.get_directory("/usr/lib/bootc/keys".as_ref()) {
+        Ok(keys_dir) => {
+            for (filename, inode) in keys_dir.entries() {
+                if !filename.as_bytes().ends_with(b".auth") {
+                    continue;
+                }
+
+                let Inode::Leaf(leaf) = inode else {
+                    bail!("/usr/lib/bootc/keys/{filename:?} is a directory");
+                };
+
+                let LeafContent::Regular(file) = &leaf.content else {
+                    bail!("/usr/lib/bootc/keys/{filename:?} is not a regular file");
+                };
+                let path = match Utf8PathBuf::from_os_string(filename.into()) {
+                    Ok(p) => p,
+                    Err(_) => bail!("couldn't get pathbuf: /usr/lib/bootc/keys/{filename:?}"),
+                };
+                entries.push(AuthFile {
+                    filename: path,
+                    file: file.clone(),
+                });
+            }
+        }
+        Err(other) => Err(other)?,
+    };
+    Ok(entries)
+}
+
 #[context("Setting up composefs boot")]
 pub(crate) fn setup_composefs_boot(
     root_setup: &RootSetup,
@@ -1160,6 +1197,8 @@ pub(crate) fn setup_composefs_boot(
 
     let postfetch = PostFetchState::new(state, &mounted_fs)?;
 
+    let keys = get_autoenroll_keys(&fs.root)?;
+
     let boot_uuid = root_setup
         .get_boot_uuid()?
         .or(root_setup.rootfs_uuid.as_deref())
@@ -1181,6 +1220,8 @@ pub(crate) fn setup_composefs_boot(
             &root_setup.physical_root_path,
             &state.config_opts,
             None,
+            keys,
+            &repo,
         )?;
     }
 

crates/lib/src/bootloader.rs

@@ -1,15 +1,19 @@
+use std::fs::create_dir_all;
 use std::process::Command;
 
 use anyhow::{anyhow, bail, Context, Result};
 use bootc_utils::CommandRunExt;
 use camino::Utf8Path;
+use cap_std_ext::cap_std::ambient_authority;
 use cap_std_ext::cap_std::fs::Dir;
+use cap_std_ext::dirext::CapStdExtDirExt;
+use composefs::fs::read_file;
 use fn_error_context::context;
 
 use bootc_blockdev::{Partition, PartitionTable};
 use bootc_mount as mount;
 
-use crate::bootc_composefs::boot::mount_esp;
+use crate::bootc_composefs::boot::{mount_esp, AuthFile};
 use crate::{discoverable_partition_specification, utils};
 
 /// The name of the mountpoint for efi (as a subdirectory of /boot, or at the toplevel)
@@ -74,6 +78,8 @@ pub(crate) fn install_systemd_boot(
     _rootfs: &Utf8Path,
     _configopts: &crate::install::InstallConfigOpts,
     _deployment_path: Option<&str>,
+    autoenroll: Vec<AuthFile>,
+    repo: &crate::store::ComposefsRepository,
 ) -> Result<()> {
     let esp_part = device
         .find_partition_of_type(discoverable_partition_specification::ESP)
@@ -87,7 +93,29 @@ pub(crate) fn install_systemd_boot(
     Command::new("bootctl")
         .args(["install", "--esp-path", esp_path.as_str()])
         .log_debug()
-        .run_inherited_with_cmd_context()
+        .run_inherited_with_cmd_context()?;
+
+    if autoenroll.len() < 1 {
+        return Ok(());
+    }
+
+    println!("Autoenrolling keys");
+    let path = esp_path.join("loader/keys/auto");
+    create_dir_all(&path)?;
+
+    let keys_dir = Dir::open_ambient_dir(&path, ambient_authority())
+        .with_context(|| format!("Opening {path}"))?;
+    for a in autoenroll.iter() {
+        let p = path.join(a.filename.clone());
+        keys_dir
+            .atomic_write(
+                &a.filename,
+                read_file(&a.file, &repo).context("reading file")?,
+            )
+            .with_context(|| format!("Writing secure boot key: {p}"))?;
+        println!("Wrote secure boot key: {p}");
+    }
+    Ok(())
 }
 
 #[context("Installing bootloader using zipl")]