From 84a1092df29ec9b06a844bcddf679cc4ca9579c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Tue, 10 Jun 2025 13:19:36 +0200 Subject: [PATCH 1/4] examples: Add initial bootc examples (bls & uki) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Timothée Ravier --- examples/bootc-bls/Containerfile | 10 ++++ examples/bootc-bls/build | 17 ++++++ .../extra/etc/dracut.conf.d/no-xattr.conf | 1 + .../lib/dracut/dracut.conf.d/37composefs.conf | 6 +++ .../37composefs/composefs-setup-root.service | 34 ++++++++++++ .../modules.d/37composefs/module-setup.sh | 20 +++++++ examples/bootc-uki/Containerfile.stage1 | 10 ++++ examples/bootc-uki/Containerfile.stage2 | 33 ++++++++++++ examples/bootc-uki/build.base | 18 +++++++ examples/bootc-uki/build.final | 52 +++++++++++++++++++ .../extra/etc/dracut.conf.d/no-xattr.conf | 1 + .../lib/dracut/dracut.conf.d/37composefs.conf | 6 +++ .../37composefs/composefs-setup-root.service | 34 ++++++++++++ .../modules.d/37composefs/module-setup.sh | 20 +++++++ 14 files changed, 262 insertions(+) create mode 100644 examples/bootc-bls/Containerfile create mode 100755 examples/bootc-bls/build create mode 100644 examples/bootc-bls/extra/etc/dracut.conf.d/no-xattr.conf create mode 100644 examples/bootc-bls/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf create mode 100644 examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service create mode 100755 examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh create mode 100644 examples/bootc-uki/Containerfile.stage1 create mode 100644 examples/bootc-uki/Containerfile.stage2 create mode 100755 examples/bootc-uki/build.base create mode 100755 examples/bootc-uki/build.final create mode 100644 examples/bootc-uki/extra/etc/dracut.conf.d/no-xattr.conf create mode 100644 examples/bootc-uki/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf create mode 100644 examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service create mode 100755 examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh diff --git a/examples/bootc-bls/Containerfile b/examples/bootc-bls/Containerfile new file mode 100644 index 000000000..c6fbfcdbd --- /dev/null 
+++ b/examples/bootc-bls/Containerfile
@@ -0,0 +1,10 @@
+FROM quay.io/fedora/fedora-bootc:42
+COPY extra /
+COPY cfsctl /usr/bin
+
+RUN passwd -d root
+
+# need to have composefs setup root in the initramfs so we need this
+RUN set -x; \
+ kver=$(cd /usr/lib/modules && echo *); \
+ dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver;
diff --git a/examples/bootc-bls/build b/examples/bootc-bls/build
new file mode 100755
index 000000000..3e3ec090c
--- /dev/null
+++ b/examples/bootc-bls/build
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -eux
+
+cd "${0%/*}"
+
+cargo build --release --features=pre-6.15 --bin cfsctl --bin composefs-setup-root
+
+cp ../../target/release/cfsctl .
+cp ../../target/release/composefs-setup-root extra/usr/lib/dracut/modules.d/37composefs/
+
+mkdir -p tmp
+
+sudo podman build \
+ -t quay.io/fedora/fedora-bootc-bls:42 \
+ -f Containerfile \
+ --iidfile=tmp/iid \
diff --git a/examples/bootc-bls/extra/etc/dracut.conf.d/no-xattr.conf b/examples/bootc-bls/extra/etc/dracut.conf.d/no-xattr.conf
new file mode 100644
index 000000000..b8d114a9c
--- /dev/null
+++ b/examples/bootc-bls/extra/etc/dracut.conf.d/no-xattr.conf
@@ -0,0 +1 @@
+export DRACUT_NO_XATTR=1
diff --git a/examples/bootc-bls/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf b/examples/bootc-bls/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf
new file mode 100644
index 000000000..1defe5de6
--- /dev/null
+++ b/examples/bootc-bls/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf
@@ -0,0 +1,6 @@
+# we want to make sure the virtio disk drivers get included
+hostonly=no
+
+# we need to force these in via the initramfs because we don't have modules in
+# the base image
+force_drivers+=" virtio_net vfat "
diff --git a/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service b/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service
new file mode 100644
index 000000000..ffc404d68
--- /dev/null
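Review bot: `RUN passwd -d root` in examples/bootc-bls/Containerfile leaves the root account with an empty password in a bootable image, so a console login as root needs no credential; the identical line is in examples/bootc-uki/Containerfile.stage1. As this is an example that people will copy, put a comment directly above it, for instance `# TEST ONLY: passwordless root for console debugging, never ship this`. In the following `RUN set -x; \` chain the steps are joined with `;` and there is no `set -e`, so a failed `kver=` step does not stop the build before dracut runs. If more than one kernel directory exists, the unquoted `$kver` also splits into several arguments. `RUN set -eux; \` together with `"/usr/lib/modules/$kver/initramfs.img" "$kver"` would make both failures visible.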
+++ b/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service
@@ -0,0 +1,34 @@
+# Copyright (C) 2013 Colin Walters
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see .
+
+[Unit]
+DefaultDependencies=no
+ConditionKernelCommandLine=composefs
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+Before=initrd-switch-root.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/composefs-setup-root
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes
diff --git a/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh b/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh
new file mode 100755
index 000000000..7fb853033
--- /dev/null
+++ b/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+ return 0
+}
+
+depends() {
+ return 0
+}
+
+install() {
+ inst \
+ "${moddir}/composefs-setup-root" /usr/bin/composefs-setup-root
+ inst \
+ "${moddir}/composefs-setup-root.service" \
+ "${systemdsystemunitdir}/composefs-setup-root.service"
+
+ $SYSTEMCTL -q --root "${initdir}" add-wants \
+ 'initrd-root-fs.target' 'composefs-setup-root.service'
+}
diff --git a/examples/bootc-uki/Containerfile.stage1 b/examples/bootc-uki/Containerfile.stage1 new file mode 100644 index 000000000..c6fbfcdbd --- /dev/null +++ b/examples/bootc-uki/Containerfile.stage1 @@ -0,0 +1,10 @@ +FROM quay.io/fedora/fedora-bootc:42 +COPY extra / +COPY cfsctl /usr/bin + +RUN passwd -d root + +# need to have composefs setup root in the initramfs so we need this +RUN set -x; \ + kver=$(cd /usr/lib/modules && echo *); \ + dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver; diff --git a/examples/bootc-uki/Containerfile.stage2 b/examples/bootc-uki/Containerfile.stage2 new file mode 100644 index 000000000..99c368bb3 --- /dev/null +++ b/examples/bootc-uki/Containerfile.stage2 @@ -0,0 +1,33 @@ +FROM quay.io/fedora/fedora-bootc-base-uki:42 AS base + +FROM base as kernel + +ARG COMPOSEFS_FSVERITY + +RUN < /etc/kernel/cmdline + + dnf install -y systemd-ukify; + kver=$(cd /usr/lib/modules && echo *); + ukify build \ + --linux /usr/lib/modules/$kver/vmlinuz \ + --initrd /usr/lib/modules/$kver/initramfs.img \ + --cmdline "@/etc/kernel/cmdline" \ + --output /boot/$kver.efi +EOF + +FROM base as final + +RUN --mount=type=bind,from=kernel,target=/_mount/kernel < /dev/null +# uuidgen --random > GUID.txt +# openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Platform Key/" -out PK.crt +# openssl x509 -outform DER -in PK.crt -out PK.cer +# openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Key Exchange Key/" -out KEK.crt +# openssl x509 -outform DER -in KEK.crt -out KEK.cer +# openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Signature Database key/" -out db.crt +# openssl x509 -outform DER -in db.crt -out db.cer +# popd > /dev/null +# fi 
diff --git a/examples/bootc-uki/extra/etc/dracut.conf.d/no-xattr.conf b/examples/bootc-uki/extra/etc/dracut.conf.d/no-xattr.conf
new file mode 100644
index 000000000..b8d114a9c
--- /dev/null
+++ b/examples/bootc-uki/extra/etc/dracut.conf.d/no-xattr.conf
@@ -0,0 +1 @@
+export DRACUT_NO_XATTR=1
diff --git a/examples/bootc-uki/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf b/examples/bootc-uki/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf
new file mode 100644
index 000000000..1defe5de6
--- /dev/null
+++ b/examples/bootc-uki/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf
@@ -0,0 +1,6 @@
+# we want to make sure the virtio disk drivers get included
+hostonly=no
+
+# we need to force these in via the initramfs because we don't have modules in
+# the base image
+force_drivers+=" virtio_net vfat "
diff --git a/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service b/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service
new file mode 100644
index 000000000..ffc404d68
--- /dev/null
+++ b/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service
@@ -0,0 +1,34 @@
+# Copyright (C) 2013 Colin Walters
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see .
+
+[Unit]
+DefaultDependencies=no
+ConditionKernelCommandLine=composefs
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+Before=initrd-switch-root.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/composefs-setup-root
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes
diff --git a/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh b/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh
new file mode 100755
index 000000000..7fb853033
--- /dev/null
+++ b/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+ return 0
+}
+
+depends() {
+ return 0
+}
+
+install() {
+ inst \
+ "${moddir}/composefs-setup-root" /usr/bin/composefs-setup-root
+ inst \
+ "${moddir}/composefs-setup-root.service" \
+ "${systemdsystemunitdir}/composefs-setup-root.service"
+
+ $SYSTEMCTL -q --root "${initdir}" add-wants \
+ 'initrd-root-fs.target' 'composefs-setup-root.service'
+}
From 7ca4e91fb0b893c2a1ec6049340fd3bb5a3db374 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Wed, 11 Jun 2025 11:16:26 +0200 Subject: [PATCH 2/4] examples/bootc*: Secure Boot support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Timothée Ravier --- examples/bootc-uki/Containerfile.stage2 | 29 ++++++++++++----- examples/bootc-uki/build.final | 43 +++++++++++-------------- examples/bootc-uki/build_vars | 20 ++++++++++++ 3 files changed, 60 insertions(+), 32 deletions(-) create mode 100755 examples/bootc-uki/build_vars diff --git a/examples/bootc-uki/Containerfile.stage2 b/examples/bootc-uki/Containerfile.stage2 index 99c368bb3..964a6f2ae 100644 --- a/examples/bootc-uki/Containerfile.stage2 +++ b/examples/bootc-uki/Containerfile.stage2 
@@ -4,29 +4,42 @@ FROM base as kernel ARG COMPOSEFS_FSVERITY -RUN < /etc/kernel/cmdline - dnf install -y systemd-ukify; - kver=$(cd /usr/lib/modules && echo *); + dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned + kver=$(cd /usr/lib/modules && echo *) ukify build \ - --linux /usr/lib/modules/$kver/vmlinuz \ - --initrd /usr/lib/modules/$kver/initramfs.img \ + --linux "/usr/lib/modules/$kver/vmlinuz" \ + --initrd "/usr/lib/modules/$kver/initramfs.img" \ + --uname="${kver}" \ --cmdline "@/etc/kernel/cmdline" \ - --output /boot/$kver.efi + --os-release "@/etc/os-release" \ + --signtool sbsign \ + --secureboot-private-key "/run/secrets/key" \ + --secureboot-certificate "/run/secrets/cert" \ + --measure \ + --json pretty \ + --output "/boot/$kver.efi" + sbsign \ + --key "/run/secrets/key" \ + --cert "/run/secrets/cert" \ + "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \ + --output "/boot/systemd-bootx64.efi" EOF FROM base as final RUN --mount=type=bind,from=kernel,target=/_mount/kernel < /dev/null + uuidgen --random > GUID.txt + openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Platform Key/" -out PK.crt + openssl x509 -outform DER -in PK.crt -out PK.cer + openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Key Exchange Key/" -out KEK.crt + openssl x509 -outform DER -in KEK.crt -out KEK.cer + openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Signature Database key/" -out db.crt + openssl x509 -outform DER -in db.crt -out db.cer + popd > /dev/null +fi + +# For debugging, add --no-cache to podman command sudo podman build \ -t quay.io/fedora/fedora-bootc-uki:42 \ --build-arg=COMPOSEFS_FSVERITY="${COMPOSEFS_FSVERITY}" \ -f Containerfile.stage2 \ + --secret=id=key,src=secureboot/db.key \ + --secret=id=cert,src=secureboot/db.crt \ --iidfile=tmp/iid2 rm -rf tmp/efi 
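Review bot: The Secure Boot key-generation block appears to be guarded only by the existence of the `secureboot` directory, so a failed `openssl` step under `set -eux` would leave a half-populated directory that later runs skip, and they would then fail at `--secret=id=key,src=secureboot/db.key`. The opening lines of the block are lost in this rendering; the commented-out version removed in the next hunk starts with `if [[ ! -d "secureboot" ]]; then`, and the lines appear to belong to examples/bootc-uki/build.final. Testing for the file that is actually consumed, `if [[ ! -f secureboot/db.key ]]; then`, avoids the stuck state. The private keys are written unencrypted (`-nodes`) next to the build scripts, so creating the directory with `mkdir -m 700 secureboot` would limit who can read them. A comment saying these are throwaway test keys that must never be committed or enrolled on real hardware would make that explicit.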
@@ -26,27 +45,3 @@ mkdir -p tmp/efi ./cfsctl --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}" ./cfsctl --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}" ./cfsctl --repo tmp/sysroot/composefs oci prepare-boot "${IMAGE_ID}" --bootdir tmp/efi - -# For debugging, add --no-cache to podman command -# mkdir tmp/internal-sysroot -# # podman build \ -# --iidfile=tmp/iid \ -# -v "${PWD}/tmp/internal-sysroot:/tmp/sysroot:z,U" \ -# --secret=id=key,src=secureboot/db.key \ -# --secret=id=cert,src=secureboot/db.crt \ - -# See: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot -# Alternative to generate keys for testing: `sbctl create-keys` -# if [[ ! -d "secureboot" ]]; then -# echo "Generating test Secure Boot keys" -# mkdir secureboot -# pushd secureboot > /dev/null -# uuidgen --random > GUID.txt -# openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Platform Key/" -out PK.crt -# openssl x509 -outform DER -in PK.crt -out PK.cer -# openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Key Exchange Key/" -out KEK.crt -# openssl x509 -outform DER -in KEK.crt -out KEK.cer -# openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Signature Database key/" -out db.crt -# openssl x509 -outform DER -in db.crt -out db.cer -# popd > /dev/null -# fi diff --git a/examples/bootc-uki/build_vars b/examples/bootc-uki/build_vars new file mode 100755 index 000000000..8008414b4 --- /dev/null +++ b/examples/bootc-uki/build_vars 
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -eux
+
+cd "${0%/*}"
+
+if [[ ! -d "secureboot" ]]; then
+ echo "fail"
+ exit 1
+fi
+
+# See: https://github.com/rhuefi/qemu-ovmf-secureboot
+# $ dnf install -y python3-virt-firmware
+GUID=$(cat secureboot/GUID.txt)
+virt-fw-vars --input "/usr/share/edk2/ovmf/OVMF_VARS_4M.secboot.qcow2" \
+ --secure-boot \
+ --set-pk $GUID "secureboot/PK.crt" \
+ --add-kek $GUID "secureboot/KEK.crt" \
+ --add-db $GUID "secureboot/db.crt" \
+ -o "VARS_CUSTOM.secboot.qcow2.template"
From 83e2db19e3a48c3b33abf6658fcc7058d646bef7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= Date: Wed, 11 Jun 2025 14:32:44 +0200 Subject: [PATCH 3/4] examples/bootc*: Temporary bootc install scripts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Timothée Ravier --- examples/bootc-uki/install-grub.sh | 29 ++++++++++++++ examples/bootc-uki/install-systemd-boot.sh | 45 ++++++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100755 examples/bootc-uki/install-grub.sh create mode 100755 examples/bootc-uki/install-systemd-boot.sh
diff --git a/examples/bootc-uki/install-grub.sh b/examples/bootc-uki/install-grub.sh
new file mode 100755
index 000000000..885826046
--- /dev/null
+++ b/examples/bootc-uki/install-grub.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eux
+
+curl http://192.168.122.1:8000/bootc -o bootc
+chmod +x bootc
+
+IMAGE=quay.io/fedora/fedora-bootc-uki:42
+
+# --env RUST_LOG=debug \
+# --env RUST_BACKTRACE=1 \
+podman run \
+ --rm --privileged \
+ --pid=host \
+ -v /dev:/dev \
+ -v /var/lib/containers:/var/lib/containers \
+ -v /srv/bootc:/usr/bin/bootc:ro,Z \
+ -v /var/tmp:/var/tmp \
+ --security-opt label=type:unconfined_t \
+ "${IMAGE}" \
+ bootc install to-disk \
+ --composefs-native \
+ --boot=uki \
+ --source-imgref="containers-storage:${IMAGE}" \
+ --target-imgref="${IMAGE}" \
+ --target-transport="docker" \
+ /dev/vdb \
+ --filesystem=ext4 \
+ --wipe
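Review bot: The guard in build_vars prints only `echo "fail"` before exiting, which tells the user nothing about what is missing. A message such as `echo "secureboot/ not found: generate the test keys first" >&2` would be clearer. `$GUID` in the `--set-pk`, `--add-kek` and `--add-db` arguments should be quoted as `"$GUID"` so that an empty or malformed GUID.txt cannot shift the argument list.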
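Review bot: install-grub.sh fetches the `bootc` binary with `curl http://192.168.122.1:8000/bootc -o bootc` over plain HTTP, without `-f` and without any integrity check, and then marks it executable. The `-v /srv/bootc:/usr/bin/bootc:ro,Z` mount suggests the script is run from /srv, in which case this is the binary executed inside a `--privileged --pid=host` container with `/dev` mounted. An HTTP error body would be saved as the binary, and whatever answers on that address decides what runs with full access to the disk. Use `curl -fsSL` and verify a known digest before the `chmod`, for instance `echo "<EXPECTED_SHA256>  bootc" | sha256sum -c -`, and add a comment that the script is meant only for a throwaway test VM. install-systemd-boot.sh starts with the same two lines.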
diff --git a/examples/bootc-uki/install-systemd-boot.sh b/examples/bootc-uki/install-systemd-boot.sh
new file mode 100755
index 000000000..08e92107b
--- /dev/null
+++ b/examples/bootc-uki/install-systemd-boot.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -eux
+
+curl http://192.168.122.1:8000/bootc -o bootc
+chmod +x bootc
+
+IMAGE=quay.io/fedora/fedora-bootc-uki:42
+
+if [[ ! -f /srv/systemd-bootx64.efi ]]; then
+ echo "Needs /srv/systemd-bootx64.efi to exists for now"
+ exit 1
+fi
+
+# --env RUST_LOG=debug \
+# --env RUST_BACKTRACE=1 \
+podman run \
+ --rm --privileged \
+ --pid=host \
+ -v /dev:/dev \
+ -v /var/lib/containers:/var/lib/containers \
+ -v /srv/bootc:/usr/bin/bootc:ro,Z \
+ -v /var/tmp:/var/tmp \
+ --security-opt label=type:unconfined_t \
+ "${IMAGE}" \
+ bootc install to-disk \
+ --composefs-native \
+ --boot=uki \
+ --source-imgref="containers-storage:${IMAGE}" \
+ --target-imgref="${IMAGE}" \
+ --target-transport="docker" \
+ /dev/vdb \
+ --filesystem=ext4 \
+ --wipe
+
+mkdir -p efi
+mount /dev/vdb2 /srv/efi
+
+# Manual systemd-boot installation
+cp /srv/systemd-bootx64.efi /srv/efi/EFI/fedora/grubx64.efi
+mkdir -p /srv/efi/loader
+echo "timeout 5" > /srv/efi/loader/loader.conf
+rm -rf /srv/efi/EFI/fedora/grub.cfg
+
+umount efi
From 07d7791d94967f28f7f110f35dc3e5ea1b15d67a Mon Sep 17 00:00:00 2001
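Review bot: The tail of install-systemd-boot.sh mixes a relative and an absolute mount point: `mkdir -p efi` and `umount efi` are relative, while `mount /dev/vdb2 /srv/efi` and the following `cp`/`mkdir`/`rm` use `/srv/efi`. This only works when the script is started from /srv. From another directory the mount either fails or, if /srv/efi is left over from an earlier run, succeeds, and then `umount efi` fails and leaves the ESP mounted. Use one path throughout, for example `mkdir -p /srv/efi` and `umount /srv/efi`, or add `cd /srv` after `set -eux`.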
From: John Eckersberg Date: Wed, 3 Sep 2025 13:58:23 -0400 Subject: [PATCH 4/4] examples/bootc*: Migrate from cfsctl to bootc internals cfs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update bootc examples to use the new unified bootc command interface: - Replace cfsctl binary with bootc and use 'bootc internals cfs' subcommands - Rename composefs-setup-root to bootc-initramfs-setup - Update dracut module from 37composefs to 37bootc - Remove sudo requirement from podman build commands - Update service and module configuration files accordingly 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- examples/bootc-bls/Containerfile | 4 ++-- examples/bootc-bls/build | 9 +++++---- .../bootc-initramfs-setup.service} | 2 +- .../dracut/modules.d/37bootc/module-setup.sh | 20 +++++++++++++++++++ .../modules.d/37composefs/module-setup.sh | 20 ------------------- examples/bootc-uki/Containerfile.stage1 | 2 +- examples/bootc-uki/build.base | 8 ++++---- examples/bootc-uki/build.final | 14 ++++++------- .../bootc-initramfs-setup.service} | 2 +- .../dracut/modules.d/37bootc/module-setup.sh | 20 +++++++++++++++++++ .../modules.d/37composefs/module-setup.sh | 20 ------------------- 11 files changed, 61 insertions(+), 60 deletions(-) rename examples/bootc-bls/extra/usr/lib/dracut/modules.d/{37composefs/composefs-setup-root.service => 37bootc/bootc-initramfs-setup.service} (96%) create mode 100755 examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh delete mode 100755 examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh rename examples/bootc-uki/extra/usr/lib/dracut/modules.d/{37composefs/composefs-setup-root.service => 37bootc/bootc-initramfs-setup.service} (96%) create mode 100755 examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh delete mode 100755 examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh 
diff --git a/examples/bootc-bls/Containerfile b/examples/bootc-bls/Containerfile index c6fbfcdbd..73f114730 100644 --- a/examples/bootc-bls/Containerfile +++ b/examples/bootc-bls/Containerfile @@ -1,10 +1,10 @@ FROM quay.io/fedora/fedora-bootc:42 COPY extra / -COPY cfsctl /usr/bin +COPY bootc /usr/bin RUN passwd -d root -# need to have composefs setup root in the initramfs so we need this +# need to have bootc-initramfs-setup in the initramfs so we need this RUN set -x; \ kver=$(cd /usr/lib/modules && echo *); \ dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver; diff --git a/examples/bootc-bls/build b/examples/bootc-bls/build index 3e3ec090c..817a94e26 100755 --- a/examples/bootc-bls/build +++ b/examples/bootc-bls/build @@ -4,14 +4,15 @@ set -eux cd "${0%/*}" -cargo build --release --features=pre-6.15 --bin cfsctl --bin composefs-setup-root +cargo build --release --bin bootc --bin bootc-initramfs-setup -cp ../../target/release/cfsctl . -cp ../../target/release/composefs-setup-root extra/usr/lib/dracut/modules.d/37composefs/ +cp ../../target/release/bootc . +cp ../../target/release/bootc-initramfs-setup extra/usr/lib/dracut/modules.d/37bootc/ mkdir -p tmp -sudo podman build \ +podman build \ -t quay.io/fedora/fedora-bootc-bls:42 \ -f Containerfile \ --iidfile=tmp/iid \ + . diff --git a/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service b/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service similarity index 96% rename from examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service rename to examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service index ffc404d68..15fdc5801 100644 --- a/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service +++ b/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service 
@@ -27,7 +27,7 @@ OnFailureJobMode=isolate [Service] Type=oneshot -ExecStart=/usr/bin/composefs-setup-root +ExecStart=/usr/bin/bootc-initramfs-setup StandardInput=null StandardOutput=journal StandardError=journal+console diff --git a/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh b/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh new file mode 100755 index 000000000..b1c56206f --- /dev/null +++ b/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh @@ -0,0 +1,20 @@ +#!/usr/bin/bash + +check() { + return 0 +} + +depends() { + return 0 +} + +install() { + inst \ + "${moddir}/bootc-initramfs-setup" /usr/bin/bootc-initramfs-setup + inst \ + "${moddir}/bootc-initramfs-setup.service" \ + "${systemdsystemunitdir}/bootc-initramfs-setup.service" + + $SYSTEMCTL -q --root "${initdir}" add-wants \ + 'initrd-root-fs.target' 'bootc-initramfs-setup.service' +} diff --git a/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh b/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh deleted file mode 100755 index 7fb853033..000000000 --- a/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/bash - -check() { - return 0 -} - -depends() { - return 0 -} - -install() { - inst \ - "${moddir}/composefs-setup-root" /usr/bin/composefs-setup-root - inst \ - "${moddir}/composefs-setup-root.service" \ - "${systemdsystemunitdir}/composefs-setup-root.service" - - $SYSTEMCTL -q --root "${initdir}" add-wants \ - 'initrd-root-fs.target' 'composefs-setup-root.service' -} diff --git a/examples/bootc-uki/Containerfile.stage1 b/examples/bootc-uki/Containerfile.stage1 index c6fbfcdbd..175f3e253 100644 --- a/examples/bootc-uki/Containerfile.stage1 +++ b/examples/bootc-uki/Containerfile.stage1 @@ -1,6 +1,6 @@ FROM quay.io/fedora/fedora-bootc:42 COPY extra / -COPY cfsctl /usr/bin +COPY bootc /usr/bin RUN passwd -d root 
diff --git a/examples/bootc-uki/build.base b/examples/bootc-uki/build.base index 312cb099f..5479c8134 100755 --- a/examples/bootc-uki/build.base +++ b/examples/bootc-uki/build.base @@ -4,14 +4,14 @@ set -eux cd "${0%/*}" -cargo build --release --features=pre-6.15 --bin cfsctl --bin composefs-setup-root +cargo build --release --bin bootc --bin bootc-initramfs-setup -cp ../../target/release/cfsctl . -cp ../../target/release/composefs-setup-root extra/usr/lib/dracut/modules.d/37composefs/ +cp ../../target/release/bootc . +cp ../../target/release/bootc-initramfs-setup extra/usr/lib/dracut/modules.d/37bootc/ mkdir -p tmp -sudo podman build \ +podman build \ -t quay.io/fedora/fedora-bootc-base-uki:42 \ -f Containerfile.stage1 \ --iidfile=tmp/iid \ diff --git a/examples/bootc-uki/build.final b/examples/bootc-uki/build.final index 2a991f4d7..9f4fb9175 100755 --- a/examples/bootc-uki/build.final +++ b/examples/bootc-uki/build.final @@ -4,16 +4,16 @@ set -eux cd "${0%/*}" -cargo build --release --features=pre-6.15 --bin cfsctl --bin composefs-setup-root +cargo build --release --bin bootc -cp ../../target/release/cfsctl . +cp ../../target/release/bootc . rm -rf tmp/sysroot mkdir -p tmp/sysroot/composefs IMAGE_ID="$(sed s/sha256:// tmp/iid)" -./cfsctl --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}" -COMPOSEFS_FSVERITY="$(./cfsctl --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}")" +./bootc internals cfs --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}" +COMPOSEFS_FSVERITY="$(./bootc internals cfs --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}")" # See: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot # Alternative to generate keys for testing: `sbctl create-keys` 
@@ -42,6 +42,6 @@ sudo podman build \ rm -rf tmp/efi mkdir -p tmp/efi -./cfsctl --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}" -./cfsctl --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}" -./cfsctl --repo tmp/sysroot/composefs oci prepare-boot "${IMAGE_ID}" --bootdir tmp/efi +./bootc internals cfs --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}" +./bootc internals cfs --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}" +./bootc internals cfs --repo tmp/sysroot/composefs oci prepare-boot "${IMAGE_ID}" --bootdir tmp/efi diff --git a/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service b/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service similarity index 96% rename from examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service rename to examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service index ffc404d68..15fdc5801 100644 --- a/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service +++ b/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service @@ -27,7 +27,7 @@ OnFailureJobMode=isolate [Service] Type=oneshot -ExecStart=/usr/bin/composefs-setup-root +ExecStart=/usr/bin/bootc-initramfs-setup StandardInput=null StandardOutput=journal StandardError=journal+console diff --git a/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh b/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh new file mode 100755 index 000000000..b1c56206f --- /dev/null +++ b/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh 
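Review bot: The header of this build.final hunk still shows `sudo podman build \` as context, while the same commit changes build.base (and bootc-bls/build) to plain `podman build`. If that line is indeed unchanged, stage 1 is built into the invoking user's container storage and stage 2 runs against root's storage. The locally tagged `quay.io/fedora/fedora-bootc-base-uki:42` would not exist there, so `FROM` would be resolved from the registry rather than from the local build. The `./bootc internals cfs ... oci pull containers-storage:"${IMAGE_ID}"` calls in this hunk also run unprivileged and would presumably not see an image built under sudo. Dropping `sudo` from the stage-2 build, or keeping it on every build, would make the scripts consistent; the script continues outside the hunk.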
@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+ return 0
+}
+
+depends() {
+ return 0
+}
+
+install() {
+ inst \
+ "${moddir}/bootc-initramfs-setup" /usr/bin/bootc-initramfs-setup
+ inst \
+ "${moddir}/bootc-initramfs-setup.service" \
+ "${systemdsystemunitdir}/bootc-initramfs-setup.service"
+
+ $SYSTEMCTL -q --root "${initdir}" add-wants \
+ 'initrd-root-fs.target' 'bootc-initramfs-setup.service'
+}
diff --git a/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh b/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh
deleted file mode 100755
index 7fb853033..000000000
--- a/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37composefs/module-setup.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/bash
-
-check() {
- return 0
-}
-
-depends() {
- return 0
-}
-
-install() {
- inst \
- "${moddir}/composefs-setup-root" /usr/bin/composefs-setup-root
- inst \
- "${moddir}/composefs-setup-root.service" \
- "${systemdsystemunitdir}/composefs-setup-root.service"
-
- $SYSTEMCTL -q --root "${initdir}" add-wants \
- 'initrd-root-fs.target' 'composefs-setup-root.service'
-}