Merge pull request #26287 from medhefgo/mkosi-auto-enroll

ci: Test with secure boot enabled under mkosi

1 files changed, 34 insertions, 12 deletions

diff --git a/man/loader.conf.xml b/man/loader.conf.xml
index 80122177e5..22f4644d9e 100644
--- a/man/loader.conf.xml
+++ b/man/loader.conf.xml
@@ -227,12 +227,33 @@
 
         <listitem><para>Danger: this feature might soft-brick your device if used improperly.</para>
 
-        <para>Takes one of <literal>off</literal>, <literal>manual</literal> or <literal>force</literal>.
-        Controls the enrollment of Secure Boot keys. If set to <literal>off</literal>, no action whatsoever
-        is taken. If set to <literal>manual</literal> (the default) and the UEFI firmware is in setup-mode
-        then entries to manually enroll Secure Boot variables are created in the boot menu. If set to
-        <literal>force</literal>, in addition, if a directory named <filename>/loader/keys/auto/</filename>
-        exists on the ESP then the keys in that directory are enrolled automatically.</para>
+        <para>Controls enrollment of secure boot keys found on the ESP if the system is in setup mode:
+        <variablelist>
+          <varlistentry>
+            <term><option>off</option></term>
+            <listitem><para>No action is taken.</para></listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><option>manual</option></term>
+            <listitem><para>Boot entries for found secure boot keys are created that allow manual
+            enrollment.</para></listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><option>if-safe</option></term>
+            <listitem><para>Same behavior as <option>manual</option>, but will try to automatically
+            enroll the key <literal>auto</literal> if it is considered to be safe. Currently, this is only
+            the case if the system is running inside a virtual machine.</para></listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><option>force</option></term>
+            <listitem><para>Always enroll the <literal>auto</literal> key if found. Note that a warning
+            message with a timeout will still be shown if this operation is unknown to be safe.</para></listitem>
+          </varlistentry>
+        </variablelist>
+        </para>
 
         <para>The different sets of variables can be set up under
         <filename>/loader/keys/<replaceable>NAME</replaceable></filename> where
@@ -254,8 +275,8 @@
         <programlisting>uuid=$(systemd-id128 new --uuid)
 for key in PK KEK db; do
   openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
-  openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
-  cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl"
+  openssl x509 -outform DER -in "${key}.crt" -out "${key}.der"
+  sbsiglist --owner "${uuid}" --type x509 --output "${key}.esl" "${key}.der"
 done
 
 for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
@@ -266,7 +287,7 @@ done
 # Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
 cat MicWinProPCA2011_2011-10-19.esl >> db.esl
 
-# Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs
+# Optionally add Microsoft Corporation UEFI CA 2011 for firmware drivers / option ROMs
 # and third-party boot loaders (including shim). This is highly recommended on real
 # hardware as not including this may soft-brick your device (see next paragraph).
 cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
@@ -276,9 +297,10 @@ cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
 # key. The revocation database can be updated with <citerefentry><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
 cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl
 
-sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
-sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
-sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+attr=NON_VOLATILE,RUNTIME_ACCESS,BOOTSERVICE_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS
+sbvarsign --attr ${attr} --key PK.key --cert PK.crt --output PK.auth PK PK.esl
+sbvarsign --attr ${attr} --key PK.key --cert PK.crt --output KEK.auth KEK KEK.esl
+sbvarsign --attr ${attr} --key KEK.key --cert KEK.crt --output db.auth db db.esl
         </programlisting>
 
         <para>This feature is considered dangerous because even if all the required files are signed with the