2025-10-04 19:24:44 +02:00
9 changed files with 6 additions and 111 deletions
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@ -25,7 +25,7 @@ jobs:

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@cb1a3c90490922441548d09b09c7b76426e4bc20
+      - uses: systemd/mkosi@184472f0f1f831ca29953546ec01fd941ff763a6

      # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
      # immediately, we remove the files in the background. However, we first move them to a different location
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@ -38,7 +38,7 @@ jobs:
          LINTER_RULES_PATH: .github/linters
          GITHUB_ACTIONS_CONFIG_FILE: actionlint.yml

-      - uses: systemd/mkosi@cb1a3c90490922441548d09b09c7b76426e4bc20
+      - uses: systemd/mkosi@184472f0f1f831ca29953546ec01fd941ff763a6

      - name: Check that tabs are not used in Python code
        run: sh -c '! git grep -P "\\t" -- src/core/generate-bpf-delegate-configs.py src/boot/generate-hwids-section.py src/ukify/ukify.py test/integration-tests/integration-test-wrapper.py'
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@ -64,7 +64,6 @@ jobs:
            vm: 1
            no_qemu: 0
            no_kvm: 0
-            shim: 0
          - distro: debian
            release: testing
            runner: ubuntu-24.04
@ -75,7 +74,6 @@ jobs:
            vm: 0
            no_qemu: 0
            no_kvm: 0
-            shim: 1
          - distro: debian
            release: testing
            runner: ubuntu-24.04-arm
@ -86,7 +84,6 @@ jobs:
            vm: 0
            no_qemu: 1
            no_kvm: 1
-            shim: 0
          - distro: ubuntu
            release: noble
            runner: ubuntu-24.04
@ -97,7 +94,6 @@ jobs:
            vm: 0
            no_qemu: 0
            no_kvm: 0
-            shim: 0
          - distro: fedora
            release: "42"
            runner: ubuntu-24.04
@ -108,7 +104,6 @@ jobs:
            vm: 0
            no_qemu: 0
            no_kvm: 0
-            shim: 0
          - distro: fedora
            release: rawhide
            runner: ubuntu-24.04
@ -119,7 +114,6 @@ jobs:
            vm: 0
            no_qemu: 0
            no_kvm: 0
-            shim: 0
          - distro: opensuse
            release: tumbleweed
            runner: ubuntu-24.04
@ -130,7 +124,6 @@ jobs:
            vm: 0
            no_qemu: 0
            no_kvm: 0
-            shim: 0
          - distro: centos
            release: "9"
            runner: ubuntu-24.04
@ -141,7 +134,6 @@ jobs:
            vm: 0
            no_qemu: 0
            no_kvm: 0
-            shim: 0
          - distro: centos
            release: "10"
            runner: ubuntu-24.04
@ -152,11 +144,10 @@ jobs:
            vm: 0
            no_qemu: 0
            no_kvm: 0
-            shim: 0

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@cb1a3c90490922441548d09b09c7b76426e4bc20
+      - uses: systemd/mkosi@184472f0f1f831ca29953546ec01fd941ff763a6

      # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
      # immediately, we remove the files in the background. However, we first move them to a different location
@ -236,23 +227,6 @@ jobs:
            -Dbpf-framework=disabled \
            build

-      - name: Prepare shim integration
-        run: |
-          if [ ${{ matrix.shim }} = 1 ]; then
-            { printf '[Content]\nPackages=shim-signed\nShimBootloader=signed\n'; \
-              printf '[Runtime]\nFirmware=uefi-secure-boot\nFirmwareVariables=%%O/ovmf_vars_shim.fd\n'; } \
-              >>mkosi/mkosi.local.conf
-
-            sudo mkdir -p build/mkosi.output/
-            sudo mkosi -f box -- \
-              virt-fw-vars \
-              --secure-boot \
-              --enroll-cert mkosi/mkosi.crt \
-              --add-mok 605dab50-e046-4300-abb6-3dd810dd8b23 mkosi/mkosi.crt \
-              --input /usr/share/OVMF/OVMF_VARS_4M.fd \
-              --output build/mkosi.output/ovmf_vars_shim.fd
-          fi
-
      - name: Build image
        run: sudo mkosi box -- meson compile -C build mkosi

--- a/mkosi/mkosi.conf
+++ b/mkosi/mkosi.conf
@ -1,7 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later

 [Config]
-MinimumVersion=commit:cb1a3c90490922441548d09b09c7b76426e4bc20
+MinimumVersion=commit:184472f0f1f831ca29953546ec01fd941ff763a6
 Dependencies=
        exitrd
        initrd
@ -39,8 +39,6 @@ WithTests=no

 [Validation]
 SignExpectedPcr=yes
-SecureBoot=yes
-SecureBootAutoEnroll=yes

 [Content]
 ExtraTrees=
--- a/mkosi/mkosi.finalize
+++ b/mkosi/mkosi.finalize
@ -3,13 +3,3 @@
 set -e

 touch -r "$BUILDROOT/usr" "$BUILDROOT/etc/.updated" "$BUILDROOT/var/.updated"
-
-if [ -n "$EFI_ARCHITECTURE" ]; then
-    mkdir -p "$BUILDROOT/boot/loader/addons"
-    ukify build \
-        --stub "$BUILDROOT/usr/lib/systemd/boot/efi/addon${EFI_ARCHITECTURE}.efi.stub" \
-        --cmdline="addonfoobar" \
-        --output "$BUILDROOT/boot/loader/addons/test.addon.efi" \
-        --secureboot-certificate "$SRCDIR/mkosi/mkosi.crt" \
-        --secureboot-private-key "$SRCDIR/mkosi/mkosi.key"
-fi
--- a/test/integration-tests/TEST-04-JOURNAL/TEST-04-JOURNAL.units/delegated_cgroup_filtering_payload_child.sh
+++ b/test/integration-tests/TEST-04-JOURNAL/TEST-04-JOURNAL.units/delegated_cgroup_filtering_payload_child.sh
@ -5,7 +5,4 @@ echo $$ >/sys/fs/cgroup/system.slice/delegated-cgroup-filtering.service/the_chil

 echo "child_process: hello, world!"
 echo "child_process: hello, people!"
-
-# If the service finishes extremely fast, journald cannot find the source of the
-# stream. Hence, we need to call 'journalctl --sync' before service finishes.
-journalctl --sync
+sleep .15
--- a/test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build
+++ b/test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build
@ -7,6 +7,5 @@ integration_tests += [
                'storage': 'persistent',
                'coredump-exclude-regex' : '/(test-usr-dump|test-dump|bash)$',
                'vm' : true,
-                'firmware' : 'auto',
        },
 ]
--- a/test/units/TEST-70-TPM2.pcrlock.sh
+++ b/test/units/TEST-70-TPM2.pcrlock.sh
@ -156,11 +156,7 @@ test -f "$CREDENTIAL_FILE"
 CREDENTIAL_NAME=${CREDENTIAL_FILE#/tmp/fakexbootldr/loader/credentials/}
 CREDENTIAL_NAME=${CREDENTIAL_NAME%.cred}

-# If SB is enabled then this will fail as it's not locked but TPM2 is enabled
-if cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1'); then
-    ALLOW_NULL=--allow-null
-fi
-systemd-creds decrypt "${ALLOW_NULL:-}" --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"
+systemd-creds decrypt --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"
 ln -s "$CREDENTIAL_FILE" /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME"
 test -f /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME"

--- a/test/units/TEST-87-AUX-UTILS-VM.bootctl.sh
+++ b/test/units/TEST-87-AUX-UTILS-VM.bootctl.sh
@ -21,42 +21,7 @@ fi

 (! systemd-detect-virt -cq)

-restore_esp() {
-    if [ ! -d /tmp/esp.bak ]; then
-        return
-    fi
-
-    if [ -d /tmp/esp.bak/EFI/ ]; then
-        cp -r /tmp/esp.bak/EFI/* "$(bootctl --print-esp-path)/EFI/"
-    fi
-    if [ -d /tmp/esp.bak/loader/ ]; then
-        cp -r /tmp/esp.bak/loader/* "$(bootctl --print-esp-path)/loader/"
-    fi
-    rm -rf /tmp/esp.bak
-}
-
-backup_esp() {
-    if [ -d /tmp/esp.bak ]; then
-        return
-    fi
-
-    if [[ -d "$(bootctl --print-esp-path)/EFI" ]]; then
-        mkdir -p /tmp/esp.bak
-        cp -r "$(bootctl --print-esp-path)/EFI/" /tmp/esp.bak/
-    fi
-    if [[ -d "$(bootctl --print-esp-path)/loader" ]]; then
-        mkdir -p /tmp/esp.bak
-        cp -r "$(bootctl --print-esp-path)/loader/" /tmp/esp.bak/
-    fi
-}
-
 basic_tests() {
-    # Ensure the system's ESP (no --image/--root args) is still available for the next tests
-    if [ $# -eq 0 ]; then
-        backup_esp
-        trap restore_esp RETURN ERR
-    fi
-
    bootctl "$@" --help
    bootctl "$@" --version

@ -309,10 +274,6 @@ testcase_bootctl_varlink() {
 }

 testcase_bootctl_secure_boot_auto_enroll() {
-    # mkosi can also add keys here, so back them up and restored them
-    backup_esp
-    trap restore_esp RETURN ERR
-
    cat >/tmp/openssl.conf <<EOF
 [ req ]
 prompt = no
@ -332,9 +293,6 @@ EOF
            -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \
            -keyout /tmp/sb.key -out /tmp/sb.crt

-    # This will fail if there are already keys in the ESP, so we remove them first
-    rm -rf "$(bootctl --print-esp-path)/loader/keys/auto"
-
    bootctl install --make-entry-directory=yes --secure-boot-auto-enroll=yes --certificate /tmp/sb.crt --private-key /tmp/sb.key
    for var in PK KEK db; do
        test -f "$(bootctl --print-esp-path)/loader/keys/auto/$var.auth"
@ -342,21 +300,4 @@ EOF
    bootctl remove
 }

-testcase_secureboot() {
-    if [ ! -d /sys/firmware/efi ]; then
-        echo "Not booted with EFI, skipping secureboot tests."
-        return 0
-    fi
-
-    # Ensure secure boot is enabled and not in setup mode
-    cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
-    cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
-    bootctl status | grep -q "Secure Boot: enabled"
-
-    # Ensure the addon is fully loaded and parsed
-    bootctl status | grep -q "global-addon: loader/addons/test.addon.efi"
-    bootctl status | grep "cmdline" | grep -q addonfoobar
-    grep -q addonfoobar /proc/cmdline
-}
-
 run_testcases