Various composefs enhancements

- Add build infrastructure to toplevel to seal
- Change the install logic to detect UKIs and automatically
  enable composefs

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

Cargo.lock

@@ -0,0 +1,63 @@
+# Override via --build-arg=base=<image> to use a different base
+ARG base=localhost/bootc
+# This is where we get the tools to build the UKI
+ARG buildroot=quay.io/fedora/fedora:42
+FROM $base AS base
+
+FROM $buildroot as buildroot-base
+RUN <<EORUN
+set -xeuo pipefail
+dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
+dnf clean all
+EORUN
+
+# This must be provided and computed via cfs oci compute-id
+ARG COMPOSEFS_FSVERITY
+
+FROM buildroot-base as kernel
+RUN --mount=type=secret,id=key \
+    --mount=type=secret,id=cert \
+    --mount=type=bind,from=base,target=/target \
+     <<EOF
+    set -eux
+
+    # Inject the composefs kernel argument and specify a root with the x86_64 DPS UUID.
+    # TODO: Discoverable partition fleshed out, or drop root UUID as systemd-stub extension
+    cmdline="composefs=${COMPOSEFS_FSVERITY} root=UUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709 rw"
+
+    kver=$(cd /target/usr/lib/modules && echo *)
+    ukify build \
+        --linux "/target/usr/lib/modules/$kver/vmlinuz" \
+        --initrd "/target/usr/lib/modules/$kver/initramfs.img" \
+        --uname="${kver}" \
+        --cmdline "${cmdline}" \
+        --os-release "@/target/usr/lib/os-release" \
+        --signtool sbsign \
+        --secureboot-private-key "/run/secrets/key" \
+        --secureboot-certificate "/run/secrets/cert" \
+        --measure \
+        --json pretty \
+        --output "/boot/$kver.efi"
+    sbsign \
+        --key "/run/secrets/key" \
+        --cert "/run/secrets/cert" \
+        "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
+        --output "/boot/systemd-bootx64.efi"
+
+    rm -vf /tmp/cmdline
+EOF
+
+FROM base as final
+
+RUN --mount=type=bind,from=kernel,target=/run/kernel <<EOF
+    kver=$(cd /usr/lib/modules && echo *)
+    mkdir -p /boot/EFI/Linux
+    # We put the UKI in /boot for now due to composefs verity not being the
+    # same due to mtime of /usr/lib/modules being changed
+    cp /run/kernel/boot/$kver.efi /boot/EFI/Linux/$kver.efi
+EOF
+
+FROM base as final-final
+COPY --from=final /boot /boot
+# Override the default
+LABEL containers.bootc=sealed

Dockerfile.cfsuki

@@ -13,6 +13,10 @@
 build *ARGS:
     podman build --jobs=4 -t localhost/bootc {{ARGS}} .
 
+build-sealed *ARGS:
+    podman build --jobs=4 -t localhost/bootc-unsealed {{ARGS}} .
+    cargo xtask build-sealed localhost/bootc-unsealed localhost/bootc
+
 # This container image has additional testing content and utilities
 build-integration-test-image *ARGS:
     cd hack && podman build --jobs=4 -t localhost/bootc-integration -f Containerfile {{ARGS}} .

Justfile

@@ -1,7 +1,7 @@
-use std::ffi::OsStr;
 use std::fs::create_dir_all;
 use std::io::Write;
 use std::path::Path;
+use std::ffi::OsStr;
 
 use anyhow::{anyhow, Context, Result};
 use bootc_blockdev::find_parent_devices;
@@ -129,6 +129,23 @@ fi
     )
 }
 
+/// Returns `true` if detect the target rootfs carries a UKI.
+pub(crate) fn container_root_has_uki(root: &Dir) -> Result<bool> {
+    let Some(efi_linux) = root.open_dir_optional(EFI_LINUX)? else {
+        return Ok(false);
+    };
+    for entry in efi_linux.entries()? {
+        let entry = entry?;
+        let name = entry.file_name();
+        let name = Path::new(&name);
+        let extension = name.extension().and_then(|v| v.to_str());
+        if extension == Some("efi") {
+            return Ok(true);
+        }
+    }
+    Ok(false)
+}
+
 pub fn get_esp_partition(device: &str) -> Result<(String, Option<String>)> {
     let device_info = bootc_blockdev::partitions_of(Utf8Path::new(device))?;
     let esp = device_info

crates/lib/src/bootc_composefs/boot.rs

@@ -139,7 +139,6 @@ ExecStart=bootc internals fixup-etc-fstab\n\
 #[cfg(test)]
 mod tests {
     use camino::Utf8Path;
-    use cap_std_ext::cmdext::CapStdExtCommandExt as _;
 
     use super::*;
 

crates/lib/src/generator.rs

@@ -247,7 +247,7 @@ pub(crate) struct InstallConfigOpts {
     pub(crate) stateroot: Option<String>,
 }
 
-#[derive(Debug, Clone, clap::Parser, Serialize, Deserialize, PartialEq, Eq)]
+#[derive(Debug, Default, Clone, clap::Parser, Serialize, Deserialize, PartialEq, Eq)]
 pub(crate) struct InstallComposefsOpts {
     #[clap(long, default_value_t)]
     #[serde(default)]
@@ -438,6 +438,10 @@ pub(crate) struct State {
     pub(crate) container_root: Dir,
     pub(crate) tempdir: TempDir,
 
+    /// Set if we have determined that composefs is required
+    #[allow(dead_code)]
+    pub(crate) composefs_required: bool,
+
     // If Some, then --composefs_native is passed
     #[cfg(feature = "composefs-backend")]
     pub(crate) composefs_options: Option<InstallComposefsOpts>,
@@ -793,6 +797,7 @@ async fn install_container(
     let sepolicy = sepolicy.as_ref();
     let stateroot = state.stateroot();
 
+    // TODO factor out this
     let (src_imageref, proxy_cfg) = if !state.source.in_host_mountns {
         (state.source.imageref.clone(), None)
     } else {
@@ -1221,20 +1226,28 @@ async fn verify_target_fetch(
     Ok(())
 }
 
+fn root_has_uki(root: &Dir) -> Result<bool> {
+    #[cfg(feature = "composefs-backend")]
+    return crate::bootc_composefs::boot::container_root_has_uki(root);
+
+    #[cfg(not(feature = "composefs-backend"))]
+    Ok(false)
+}
+
 /// Preparation for an install; validates and prepares some (thereafter immutable) global state.
 async fn prepare_install(
     config_opts: InstallConfigOpts,
     source_opts: InstallSourceOpts,
     target_opts: InstallTargetOpts,
-    _composefs_opts: Option<InstallComposefsOpts>,
+    composefs_options: Option<InstallComposefsOpts>,
 ) -> Result<Arc<State>> {
     tracing::trace!("Preparing install");
     let rootfs = cap_std::fs::Dir::open_ambient_dir("/", cap_std::ambient_authority())
         .context("Opening /")?;
 
     let host_is_container = crate::containerenv::is_container(&rootfs);
     let external_source = source_opts.source_imgref.is_some();
-    let source = match source_opts.source_imgref {
+    let (source, target_rootfs) = match source_opts.source_imgref {
         None => {
             ensure!(host_is_container, "Either --source-imgref must be defined or this command must be executed inside a podman container.");
 
@@ -1259,11 +1272,13 @@ async fn prepare_install(
             };
             tracing::trace!("Read container engine info {:?}", container_info);
 
-            SourceInfo::from_container(&rootfs, &container_info)?
+            let source = SourceInfo::from_container(&rootfs, &container_info)?;
+            (source, Some(rootfs.try_clone()?))
         }
         Some(source) => {
             crate::cli::require_root(false)?;
-            SourceInfo::from_imageref(&source, &rootfs)?
+            let source = SourceInfo::from_imageref(&source, &rootfs)?;
+            (source, None)
         }
     };
 
@@ -1291,6 +1306,15 @@ async fn prepare_install(
     };
     tracing::debug!("Target image reference: {target_imgref}");
 
+    let composefs_required = if let Some(root) = target_rootfs.as_ref() {
+        root_has_uki(root)?
+    } else {
+        false
+    };
+    tracing::debug!("Composefs required: {composefs_required}");
+    let composefs_options =
+        composefs_options.or_else(|| composefs_required.then_some(InstallComposefsOpts::default()));
+
     // We need to access devices that are set up by the host udev
     bootc_mount::ensure_mirrored_host_mount("/dev")?;
     // We need to read our own container image (and any logically bound images)
@@ -1371,8 +1395,9 @@ async fn prepare_install(
         container_root: rootfs,
         tempdir,
         host_is_container,
+        composefs_required,
         #[cfg(feature = "composefs-backend")]
-        composefs_options: _composefs_opts,
+        composefs_options,
     });
 
     Ok(state)

crates/lib/src/install.rs

@@ -8,9 +8,10 @@ use std::fs::File;
 use std::io::{BufRead, BufReader, BufWriter, Write};
 use std::process::Command;
 
-use anyhow::{Context, Result};
+use anyhow::{anyhow, Context, Result};
 use camino::{Utf8Path, Utf8PathBuf};
 use fn_error_context::context;
+use serde::Deserialize;
 use xshell::{cmd, Shell};
 
 mod man;
@@ -43,6 +44,7 @@ const TASKS: &[(&str, fn(&Shell) -> Result<()>)] = &[
     ("package", package),
     ("package-srpm", package_srpm),
     ("spec", spec),
+    ("build-sealed", build_sealed),
 ];
 
 fn try_main() -> Result<()> {
@@ -237,6 +239,78 @@ fn spec(sh: &Shell) -> Result<()> {
     Ok(())
 }
 
+#[derive(Debug, Deserialize)]
+#[allow(dead_code)]
+#[serde(rename_all = "PascalCase")]
+struct ImageInspect {
+    pub id: String,
+    pub digest: String,
+}
+
+fn build_sealed(sh: &Shell) -> Result<()> {
+    let args = &std::env::args().collect::<Vec<_>>()[2..];
+    let input_image = args.get(0).ok_or_else(|| anyhow!("Missing arg: IMAGE"))?;
+    let output_image = args.get(1).ok_or_else(|| anyhow!("Missing arg: IMAGE"))?;
+    // If present this should be a path to a directory with secureboot keys.
+    // If not provided, one will be generated in target/test-secureboot-keys
+    let secureboot_default = Utf8Path::new("target/test-secureboot");
+    let secureboot = args.get(2);
+    let output = cmd!(sh, "podman image inspect {input_image}").output()?;
+    let inspect: Vec<ImageInspect> = serde_json::from_slice(&output.stdout)?;
+    let inspect = inspect
+        .first()
+        .ok_or_else(|| anyhow!("Failed to get array from inspect"))?;
+    let digest = inspect.id.as_str();
+
+    let tmpdir = sh.create_temp_dir()?;
+    let tmpdir = tmpdir.path();
+    let tmpdir: &Utf8Path = tmpdir.try_into().unwrap();
+    let repoarg = format!("--repo={tmpdir}");
+    // Inject --insecure so we handle systems without fsverity on the build host
+    let cfsargs = ["internals", "cfs", "--insecure", repoarg.as_str()];
+    cmd!(
+        sh,
+        "bootc {cfsargs...} oci pull containers-storage:{digest}"
+    )
+    .run()?;
+    let output = cmd!(sh, "bootc {cfsargs...} oci compute-id --bootable {digest}").output()?;
+    let cfs_digest = String::from_utf8(output.stdout)?;
+    let cfs_digest = cfs_digest.trim();
+
+    let secureboot = if let Some(d) = secureboot.as_deref() {
+        d.to_owned().into()
+    } else {
+        sh.create_dir(secureboot_default)?;
+        let _g = sh.push_dir(secureboot_default);
+        if !sh.path_exists("db.cer") {
+            cmd!(sh, "openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj '/CN=Test Platform Key/' -out PK.crt").run()?;
+            cmd!(sh, "openssl x509 -outform DER -in PK.crt -out PK.cer").run()?;
+            cmd!(sh, "openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj '/CN=Test Key Exchange Key/' -out KEK.crt").run()?;
+            cmd!(sh, "openssl x509 -outform DER -in KEK.crt -out KEK.cer").run()?;
+            cmd!(sh, "openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj '/CN=Test Signature Database key/' -out db.crt").run()?;
+            cmd!(sh, "openssl x509 -outform DER -in db.crt -out db.cer").run()?;
+        }
+        secureboot_default.to_owned()
+    };
+
+    cmd!(sh, "podman build -t {output_image} --build-arg=COMPOSEFS_FSVERITY={cfs_digest} --build-arg=base={input_image} --secret=id=key,src={secureboot}/db.key --secret=id=cert,src={secureboot}/db.crt -f Dockerfile.cfsuki .").run()?;
+
+    sh.create_dir("efi")?;
+    cmd!(
+        sh,
+        "bootc {cfsargs...} oci pull containers-storage:{digest}"
+    )
+    .run()?;
+    cmd!(sh, "bootc {cfsargs...} oci compute-id --bootable {digest}").run()?;
+    cmd!(
+        sh,
+        "bootc {cfsargs...} oci prepare-boot --bootdir tmp/efi {digest}"
+    )
+    .run()?;
+
+    Ok(())
+}
+
 fn impl_srpm(sh: &Shell) -> Result<Utf8PathBuf> {
     {
         let _g = sh.push_dir("target");