.github/workflows/coverage.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@cb1a3c90490922441548d09b09c7b76426e4bc20
+      - uses: systemd/mkosi@184472f0f1f831ca29953546ec01fd941ff763a6
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
           LINTER_RULES_PATH: .github/linters
           GITHUB_ACTIONS_CONFIG_FILE: actionlint.yml
 
-      - uses: systemd/mkosi@cb1a3c90490922441548d09b09c7b76426e4bc20
+      - uses: systemd/mkosi@184472f0f1f831ca29953546ec01fd941ff763a6
 
       - name: Check that tabs are not used in Python code
         run: sh -c '! git grep -P "\\t" -- src/core/generate-bpf-delegate-configs.py src/boot/generate-hwids-section.py src/ukify/ukify.py test/integration-tests/integration-test-wrapper.py'

.github/workflows/mkosi.yml

@@ -64,7 +64,6 @@ jobs:
             vm: 1
             no_qemu: 0
             no_kvm: 0
-            shim: 0
           - distro: debian
             release: testing
             runner: ubuntu-24.04
@@ -75,7 +74,6 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
-            shim: 1
           - distro: debian
             release: testing
             runner: ubuntu-24.04-arm
@@ -86,7 +84,6 @@ jobs:
             vm: 0
             no_qemu: 1
             no_kvm: 1
-            shim: 0
           - distro: ubuntu
             release: noble
             runner: ubuntu-24.04
@@ -97,7 +94,6 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
-            shim: 0
           - distro: fedora
             release: "42"
             runner: ubuntu-24.04
@@ -108,7 +104,6 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
-            shim: 0
           - distro: fedora
             release: rawhide
             runner: ubuntu-24.04
@@ -119,7 +114,6 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
-            shim: 0
           - distro: opensuse
             release: tumbleweed
             runner: ubuntu-24.04
@@ -130,7 +124,6 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
-            shim: 0
           - distro: centos
             release: "9"
             runner: ubuntu-24.04
@@ -141,7 +134,6 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
-            shim: 0
           - distro: centos
             release: "10"
             runner: ubuntu-24.04
@@ -152,11 +144,10 @@ jobs:
             vm: 0
             no_qemu: 0
             no_kvm: 0
-            shim: 0
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@cb1a3c90490922441548d09b09c7b76426e4bc20
+      - uses: systemd/mkosi@184472f0f1f831ca29953546ec01fd941ff763a6
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location
@@ -236,23 +227,6 @@ jobs:
             -Dbpf-framework=disabled \
             build
 
-      - name: Prepare shim integration
-        run: |
-          if [ ${{ matrix.shim }} = 1 ]; then
-            { printf '[Content]\nPackages=shim-signed\nShimBootloader=signed\n'; \
-              printf '[Runtime]\nFirmware=uefi-secure-boot\nFirmwareVariables=%%O/ovmf_vars_shim.fd\n'; } \
-              >>mkosi/mkosi.local.conf
-
-            sudo mkdir -p build/mkosi.output/
-            sudo mkosi -f box -- \
-              virt-fw-vars \
-              --secure-boot \
-              --enroll-cert mkosi/mkosi.crt \
-              --add-mok 605dab50-e046-4300-abb6-3dd810dd8b23 mkosi/mkosi.crt \
-              --input /usr/share/OVMF/OVMF_VARS_4M.fd \
-              --output build/mkosi.output/ovmf_vars_shim.fd
-          fi
-
       - name: Build image
         run: sudo mkosi box -- meson compile -C build mkosi
 

mkosi/mkosi.conf

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Config]
-MinimumVersion=commit:cb1a3c90490922441548d09b09c7b76426e4bc20
+MinimumVersion=commit:184472f0f1f831ca29953546ec01fd941ff763a6
 Dependencies=
         exitrd
         initrd
@@ -39,8 +39,6 @@ WithTests=no
 
 [Validation]
 SignExpectedPcr=yes
-SecureBoot=yes
-SecureBootAutoEnroll=yes
 
 [Content]
 ExtraTrees=

mkosi/mkosi.finalize

@@ -3,13 +3,3 @@
 set -e
 
 touch -r "$BUILDROOT/usr" "$BUILDROOT/etc/.updated" "$BUILDROOT/var/.updated"
-
-if [ -n "$EFI_ARCHITECTURE" ]; then
-    mkdir -p "$BUILDROOT/boot/loader/addons"
-    ukify build \
-        --stub "$BUILDROOT/usr/lib/systemd/boot/efi/addon${EFI_ARCHITECTURE}.efi.stub" \
-        --cmdline="addonfoobar" \
-        --output "$BUILDROOT/boot/loader/addons/test.addon.efi" \
-        --secureboot-certificate "$SRCDIR/mkosi/mkosi.crt" \
-        --secureboot-private-key "$SRCDIR/mkosi/mkosi.key"
-fi

test/integration-tests/TEST-04-JOURNAL/TEST-04-JOURNAL.units/delegated_cgroup_filtering_payload_child.sh

@@ -5,7 +5,4 @@ echo $$ >/sys/fs/cgroup/system.slice/delegated-cgroup-filtering.service/the_chil
 
 echo "child_process: hello, world!"
 echo "child_process: hello, people!"
-
+sleep .15
-# If the service finishes extremely fast, journald cannot find the source of the
-# stream. Hence, we need to call 'journalctl --sync' before service finishes.
-journalctl --sync

test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build

@@ -7,6 +7,5 @@ integration_tests += [
                 'storage': 'persistent',
                 'coredump-exclude-regex' : '/(test-usr-dump|test-dump|bash)$',
                 'vm' : true,
-                'firmware' : 'auto',
         },
 ]

test/units/TEST-70-TPM2.pcrlock.sh

@@ -156,11 +156,7 @@ test -f "$CREDENTIAL_FILE"
 CREDENTIAL_NAME=${CREDENTIAL_FILE#/tmp/fakexbootldr/loader/credentials/}
 CREDENTIAL_NAME=${CREDENTIAL_NAME%.cred}
 
-# If SB is enabled then this will fail as it's not locked but TPM2 is enabled
+systemd-creds decrypt --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"
-if cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1'); then
-    ALLOW_NULL=--allow-null
-fi
-systemd-creds decrypt "${ALLOW_NULL:-}" --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"
 ln -s "$CREDENTIAL_FILE" /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME"
 test -f /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME"
 

test/units/TEST-87-AUX-UTILS-VM.bootctl.sh

@@ -21,42 +21,7 @@ fi
 
 (! systemd-detect-virt -cq)
 
-restore_esp() {
-    if [ ! -d /tmp/esp.bak ]; then
-        return
-    fi
-
-    if [ -d /tmp/esp.bak/EFI/ ]; then
-        cp -r /tmp/esp.bak/EFI/* "$(bootctl --print-esp-path)/EFI/"
-    fi
-    if [ -d /tmp/esp.bak/loader/ ]; then
-        cp -r /tmp/esp.bak/loader/* "$(bootctl --print-esp-path)/loader/"
-    fi
-    rm -rf /tmp/esp.bak
-}
-
-backup_esp() {
-    if [ -d /tmp/esp.bak ]; then
-        return
-    fi
-
-    if [[ -d "$(bootctl --print-esp-path)/EFI" ]]; then
-        mkdir -p /tmp/esp.bak
-        cp -r "$(bootctl --print-esp-path)/EFI/" /tmp/esp.bak/
-    fi
-    if [[ -d "$(bootctl --print-esp-path)/loader" ]]; then
-        mkdir -p /tmp/esp.bak
-        cp -r "$(bootctl --print-esp-path)/loader/" /tmp/esp.bak/
-    fi
-}
-
 basic_tests() {
-    # Ensure the system's ESP (no --image/--root args) is still available for the next tests
-    if [ $# -eq 0 ]; then
-        backup_esp
-        trap restore_esp RETURN ERR
-    fi
-
     bootctl "$@" --help
     bootctl "$@" --version
 
@@ -309,10 +274,6 @@ testcase_bootctl_varlink() {
 }
 
 testcase_bootctl_secure_boot_auto_enroll() {
-    # mkosi can also add keys here, so back them up and restored them
-    backup_esp
-    trap restore_esp RETURN ERR
-
     cat >/tmp/openssl.conf <<EOF
 [ req ]
 prompt = no
@@ -332,9 +293,6 @@ EOF
             -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \
             -keyout /tmp/sb.key -out /tmp/sb.crt
 
-    # This will fail if there are already keys in the ESP, so we remove them first
-    rm -rf "$(bootctl --print-esp-path)/loader/keys/auto"
-
     bootctl install --make-entry-directory=yes --secure-boot-auto-enroll=yes --certificate /tmp/sb.crt --private-key /tmp/sb.key
     for var in PK KEK db; do
         test -f "$(bootctl --print-esp-path)/loader/keys/auto/$var.auth"
@@ -342,21 +300,4 @@ EOF
     bootctl remove
 }
 
-testcase_secureboot() {
-    if [ ! -d /sys/firmware/efi ]; then
-        echo "Not booted with EFI, skipping secureboot tests."
-        return 0
-    fi
-
-    # Ensure secure boot is enabled and not in setup mode
-    cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
-    cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
-    bootctl status | grep -q "Secure Boot: enabled"
-
-    # Ensure the addon is fully loaded and parsed
-    bootctl status | grep -q "global-addon: loader/addons/test.addon.efi"
-    bootctl status | grep "cmdline" | grep -q addonfoobar
-    grep -q addonfoobar /proc/cmdline
-}
-
 run_testcases