sdboot: add support for autoenroll in bootc install
#1818
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds support for auto-enrolling Secure Boot keys for sd-boot from .auth files located in /usr/lib/bootc/keys within a composefs image. The changes look good overall. My review includes a suggestion to make the key discovery process more robust by handling cases where the keys directory does not exist, and a minor performance improvement to avoid an unnecessary allocation within a loop.
gerblesh
force-pushed
the
sdboot-autoenroll
branch
from
3c2bb96 to
d8a145d
Compare
|
We also use "topic prefixes" for commits, so if you could prefix your commit messages with |
gerblesh
force-pushed
the
sdboot-autoenroll
branch
from
7825e03 to
d900f21
Compare
gerblesh
changed the title
gerblesh
changed the title
bootc install
cgwalters
left a comment
cgwalters
left a comment
There was a problem hiding this comment.
As far as tests; we could unit test the key parsing easily, but not a blocker.
For the actual functionality - it looks like (combined with the systemd-boot signing fixes in #1809 ) we could actually have a test flow that does this in addition to/instead of setting up the libvirt firmware too, which would be cool. (Actually we do need to test both paths)
| const INITRD: &str = "initrd"; | ||
| const VMLINUZ: &str = "vmlinuz"; | ||
|
|
||
| const BOOTC_AUTOENROLL_PATH: &str = "usr/lib/bootc/keys"; |
There was a problem hiding this comment.
If these are only copied from the container to the bootloader state at install time, then I think this should be /usr/lib/bootc/install/secureboot-keys or so.
(Note install/ subdir)
Also can you add a section to the install manpage about this?
There was a problem hiding this comment.
sounds good, the path I chose was pretty arbitrary. Added a section in the manpage about this as well
| let path = match Utf8PathBuf::from_os_string(name.clone()) { | ||
| Ok(p) => p, | ||
| Err(_) => bail!("couldn't get pathbuf: /{p}/{name:?}"), | ||
| }; |
There was a problem hiding this comment.
There's more idiomatic ways to do this. One is to use DirUtf8 which hard enforces this, or use let path: Utf8PathBuf = name.try_into()?;
Or on this case we could probably just use PathBuf (or OSString).
There was a problem hiding this comment.
Used try_into()? here. esp_path is already a Utf8Path so I figure it's better to keep the types consistent but I dunno if there's a more preferred type here
| }; | ||
| entries.push(path); | ||
| } | ||
| if entries.len() > 0 { |
There was a problem hiding this comment.
Converting an empty result to None isn't wrong, but it's not clear we actually gain much versus just handling the empty vector in the callers instead.
To really get the benefit of combining Option + Vec, we'd use https://docs.rs/vec1/latest/vec1/ instead I think (but let's not do that yet, not clear it's worth the nontrivial external dep just for this)
There was a problem hiding this comment.
moved to the install function, not really sure what the idiomatic Rust way of doing this is but things don't break with no entries just nothing is really copied over. Added some logging for when the directory exists but no keys are to be enrolled
gerblesh
force-pushed
the
sdboot-autoenroll
branch
from
d900f21 to
cabe1ab
Compare
gerblesh
force-pushed
the
sdboot-autoenroll
branch
2 times, most recently
from
49fbaca to
e56fb5f
Compare
|
To xref I also did systemd/systemd#39993 while investigating this |
cgwalters
left a comment
cgwalters
left a comment
There was a problem hiding this comment.
Thanks! A few more nits
gerblesh
force-pushed
the
sdboot-autoenroll
branch
from
e56fb5f to
35633bc
Compare
Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me> cleanup Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me> don't expect `/usr/lib/bootc/keys` to exist Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me> remove comment Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me> don't use ambient authority Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me> use option rather than an enum Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me> use fs.open_dir_optional Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me> use basedir, link spec, add docs to `bootc install` docs: rework manpage Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me> nits typo
gerblesh
force-pushed
the
sdboot-autoenroll
branch
from
35633bc to
f80a211
Compare
|
Alright should have addressed all of the nits, lmk if there's more I should fix/tweak before merge |
cgwalters
left a comment
cgwalters
left a comment
There was a problem hiding this comment.
Thanks so much! I'm ok getting this in without integration tests for now as the whole composefs is still experimental; I hope we'll continue momentum on fleshing out a lot of those though.
|
@Johan-Liebert1 you need to clear your requested changes state here |
3 participants
add autoenroll to sdboot
installs
.authfiles from/usr/lib/bootc/keysintoESP/loader/keys/auto. Currently uses cfs file APIs and is a little rough. Not sure if this should be incomposefs-bootrather thanbootc. The directory/usr/lib/bootc/keysprobably isn't the best choice although at least it means that the auth files are "measured" when the cfs digest is taken.Note that this is missing some of the bits from CI for this to be properly tested. I will try to get that done when I can though