ci: add test coverage for secure boot and addons, and shim integration (#38377)

Now that we can enable SB on GHA do it by default in mkosi images with
selfenroll, and add a smoke test.
Also add one CI job that tests the shim integration. This will catch
regressions like https://github.com/systemd/systemd/issues/38349

.github/workflows/coverage.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@184472f0f1f831ca29953546ec01fd941ff763a6
+      - uses: systemd/mkosi@cb1a3c90490922441548d09b09c7b76426e4bc20
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
           LINTER_RULES_PATH: .github/linters
           GITHUB_ACTIONS_CONFIG_FILE: actionlint.yml
 
-      - uses: systemd/mkosi@184472f0f1f831ca29953546ec01fd941ff763a6
+      - uses: systemd/mkosi@cb1a3c90490922441548d09b09c7b76426e4bc20
 
       - name: Check that tabs are not used in Python code
         run: sh -c '! git grep -P "\\t" -- src/core/generate-bpf-delegate-configs.py src/boot/generate-hwids-section.py src/ukify/ukify.py test/integration-tests/integration-test-wrapper.py'

.github/workflows/mkosi.yml

@@ -64,6 +64,7 @@ jobs:
             vm: 1
             no_qemu: 0
             no_kvm: 0
+            shim: 0
           - distro: debian
             release: testing
             runner: ubuntu-24.04
@@ -74,6 +75,7 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
+            shim: 1
           - distro: debian
             release: testing
             runner: ubuntu-24.04-arm
@@ -84,6 +86,7 @@ jobs:
             vm: 0
             no_qemu: 1
             no_kvm: 1
+            shim: 0
           - distro: ubuntu
             release: noble
             runner: ubuntu-24.04
@@ -94,6 +97,7 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
+            shim: 0
           - distro: fedora
             release: "42"
             runner: ubuntu-24.04
@@ -104,6 +108,7 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
+            shim: 0
           - distro: fedora
             release: rawhide
             runner: ubuntu-24.04
@@ -114,6 +119,7 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
+            shim: 0
           - distro: opensuse
             release: tumbleweed
             runner: ubuntu-24.04
@@ -124,6 +130,7 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
+            shim: 0
           - distro: centos
             release: "9"
             runner: ubuntu-24.04
@@ -134,6 +141,7 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
+            shim: 0
           - distro: centos
             release: "10"
             runner: ubuntu-24.04
@@ -144,10 +152,11 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
+            shim: 0
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@184472f0f1f831ca29953546ec01fd941ff763a6
+      - uses: systemd/mkosi@cb1a3c90490922441548d09b09c7b76426e4bc20
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location
@@ -227,6 +236,23 @@ jobs:
             -Dbpf-framework=disabled \
             build
 
+      - name: Prepare shim integration
+        run: |
+          if [ ${{ matrix.shim }} = 1 ]; then
+            { printf '[Content]\nPackages=shim-signed\nShimBootloader=signed\n'; \
+              printf '[Runtime]\nFirmware=uefi-secure-boot\nFirmwareVariables=%%O/ovmf_vars_shim.fd\n'; } \
+              >>mkosi/mkosi.local.conf
+
+            sudo mkdir -p build/mkosi.output/
+            sudo mkosi -f box -- \
+              virt-fw-vars \
+              --secure-boot \
+              --enroll-cert mkosi/mkosi.crt \
+              --add-mok 605dab50-e046-4300-abb6-3dd810dd8b23 mkosi/mkosi.crt \
+              --input /usr/share/OVMF/OVMF_VARS_4M.fd \
+              --output build/mkosi.output/ovmf_vars_shim.fd
+          fi
+
       - name: Build image
         run: sudo mkosi box -- meson compile -C build mkosi
 

mkosi/mkosi.conf

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Config]
-MinimumVersion=commit:184472f0f1f831ca29953546ec01fd941ff763a6
+MinimumVersion=commit:cb1a3c90490922441548d09b09c7b76426e4bc20
 Dependencies=
         exitrd
         initrd
@@ -39,6 +39,8 @@ WithTests=no
 
 [Validation]
 SignExpectedPcr=yes
+SecureBoot=yes
+SecureBootAutoEnroll=yes
 
 [Content]
 ExtraTrees=

mkosi/mkosi.finalize

@@ -3,3 +3,13 @@
 set -e
 
 touch -r "$BUILDROOT/usr" "$BUILDROOT/etc/.updated" "$BUILDROOT/var/.updated"
+
+if [ -n "$EFI_ARCHITECTURE" ]; then
+    mkdir -p "$BUILDROOT/boot/loader/addons"
+    ukify build \
+        --stub "$BUILDROOT/usr/lib/systemd/boot/efi/addon${EFI_ARCHITECTURE}.efi.stub" \
+        --cmdline="addonfoobar" \
+        --output "$BUILDROOT/boot/loader/addons/test.addon.efi" \
+        --secureboot-certificate "$SRCDIR/mkosi/mkosi.crt" \
+        --secureboot-private-key "$SRCDIR/mkosi/mkosi.key"
+fi

test/integration-tests/TEST-04-JOURNAL/TEST-04-JOURNAL.units/delegated_cgroup_filtering_payload_child.sh

@@ -5,4 +5,7 @@ echo $$ >/sys/fs/cgroup/system.slice/delegated-cgroup-filtering.service/the_chil
 
 echo "child_process: hello, world!"
 echo "child_process: hello, people!"
-sleep .15
+
+# If the service finishes extremely fast, journald cannot find the source of the
+# stream. Hence, we need to call 'journalctl --sync' before service finishes.
+journalctl --sync

test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build

@@ -7,5 +7,6 @@ integration_tests += [
                 'storage': 'persistent',
                 'coredump-exclude-regex' : '/(test-usr-dump|test-dump|bash)$',
                 'vm' : true,
+                'firmware' : 'auto',
         },
 ]

test/units/TEST-70-TPM2.pcrlock.sh

@@ -156,7 +156,11 @@ test -f "$CREDENTIAL_FILE"
 CREDENTIAL_NAME=${CREDENTIAL_FILE#/tmp/fakexbootldr/loader/credentials/}
 CREDENTIAL_NAME=${CREDENTIAL_NAME%.cred}
 
-systemd-creds decrypt --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"
+# If SB is enabled then this will fail as it's not locked but TPM2 is enabled
+if cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1'); then
+    ALLOW_NULL=--allow-null
+fi
+systemd-creds decrypt "${ALLOW_NULL:-}" --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"
 ln -s "$CREDENTIAL_FILE" /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME"
 test -f /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME"
 

test/units/TEST-87-AUX-UTILS-VM.bootctl.sh

@@ -21,7 +21,42 @@ fi
 
 (! systemd-detect-virt -cq)
 
+restore_esp() {
+    if [ ! -d /tmp/esp.bak ]; then
+        return
+    fi
+
+    if [ -d /tmp/esp.bak/EFI/ ]; then
+        cp -r /tmp/esp.bak/EFI/* "$(bootctl --print-esp-path)/EFI/"
+    fi
+    if [ -d /tmp/esp.bak/loader/ ]; then
+        cp -r /tmp/esp.bak/loader/* "$(bootctl --print-esp-path)/loader/"
+    fi
+    rm -rf /tmp/esp.bak
+}
+
+backup_esp() {
+    if [ -d /tmp/esp.bak ]; then
+        return
+    fi
+
+    if [[ -d "$(bootctl --print-esp-path)/EFI" ]]; then
+        mkdir -p /tmp/esp.bak
+        cp -r "$(bootctl --print-esp-path)/EFI/" /tmp/esp.bak/
+    fi
+    if [[ -d "$(bootctl --print-esp-path)/loader" ]]; then
+        mkdir -p /tmp/esp.bak
+        cp -r "$(bootctl --print-esp-path)/loader/" /tmp/esp.bak/
+    fi
+}
+
 basic_tests() {
+    # Ensure the system's ESP (no --image/--root args) is still available for the next tests
+    if [ $# -eq 0 ]; then
+        backup_esp
+        trap restore_esp RETURN ERR
+    fi
+
     bootctl "$@" --help
     bootctl "$@" --version
 
@@ -274,6 +309,10 @@ testcase_bootctl_varlink() {
 }
 
 testcase_bootctl_secure_boot_auto_enroll() {
+    # mkosi can also add keys here, so back them up and restored them
+    backup_esp
+    trap restore_esp RETURN ERR
+
     cat >/tmp/openssl.conf <<EOF
 [ req ]
 prompt = no
@@ -293,6 +332,9 @@ EOF
             -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \
             -keyout /tmp/sb.key -out /tmp/sb.crt
 
+    # This will fail if there are already keys in the ESP, so we remove them first
+    rm -rf "$(bootctl --print-esp-path)/loader/keys/auto"
+
     bootctl install --make-entry-directory=yes --secure-boot-auto-enroll=yes --certificate /tmp/sb.crt --private-key /tmp/sb.key
     for var in PK KEK db; do
         test -f "$(bootctl --print-esp-path)/loader/keys/auto/$var.auth"
@@ -300,4 +342,21 @@ EOF
     bootctl remove
 }
 
+testcase_secureboot() {
+    if [ ! -d /sys/firmware/efi ]; then
+        echo "Not booted with EFI, skipping secureboot tests."
+        return 0
+    fi
+
+    # Ensure secure boot is enabled and not in setup mode
+    cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+    cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+    bootctl status | grep -q "Secure Boot: enabled"
+
+    # Ensure the addon is fully loaded and parsed
+    bootctl status | grep -q "global-addon: loader/addons/test.addon.efi"
+    bootctl status | grep "cmdline" | grep -q addonfoobar
+    grep -q addonfoobar /proc/cmdline
+}
+
 run_testcases