ci: add mkosi configuration and CI

Build a set of images across the following matrix:

- debian/ubuntu/fedora/centos
- grub/systemd-boot
- UKI/kernel
- x86-64/arm64

And boot them in qemu, running a smoke test that ensures the
image is bootable and secure boot is configured correctly.
When booting a UKI, a MOK-signed addon is also loaded and
verified.

Shim is signed with a local certificate enrolled in 'db' via
virt-firmware before booting. The distro signing certificate
is embedde in shim, for distro-signed second stages and kernels.

Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>

Author: bluca

.github/workflows/mkosi.yml

@@ -0,0 +1,88 @@
+name: mkosi
+
+on:
+  push:
+    # branches:
+    #   - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  boot:
+    runs-on: ${{ matrix.runner }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.bootloader }}-${{ matrix.uki }}-${{ matrix.runner }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        distro:
+          - fedora
+          - centos
+          - ubuntu
+          - debian
+        bootloader:
+          # Locally signed systemd-boot
+          - systemd-boot
+          # Distro signed grub2
+          - grub-signed
+        uki:
+          # BLS #1 boot, kernel + initrd
+          - none
+          # BLS #2 boot, locally built UKI (unsigned because it is not provided by the distro)
+          - unsigned
+        runner:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+        include:
+          # Debian provides distro-signed systemd-boot
+          - distro: debian
+            bootloader: systemd-boot-signed
+            uki: unsigned
+            runner: ubuntu-24.04
+          - distro: debian
+            bootloader: systemd-boot-signed
+            uki: unsigned
+            runner: ubuntu-24.04-arm
+        exclude:
+          # The systemd-boot version in 24.04 fails to boot the arm64 compressed kernel
+          - distro: ubuntu
+            bootloader: systemd-boot
+            uki: none
+            runner: ubuntu-24.04-arm
+          # grub fails to load UKI with: error: ../../grub-core/script/function.c:119:can't find command `chainloader'
+          - distro: centos
+            bootloader: grub-signed
+            uki: unsigned
+            runner: ubuntu-24.04-arm
+          - distro: fedora
+            bootloader: grub-signed
+            uki: unsigned
+            runner: ubuntu-24.04-arm
+          # kernel is not signed
+          - distro: fedora
+            bootloader: grub-signed
+            uki: none
+            runner: ubuntu-24.04-arm
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          submodules: recursive
+      - uses: systemd/mkosi@7be5159f246d4b1283f62f8a0ab3f0ae90651e38
+
+      - name: Generate key
+        run: mkosi genkey
+
+      - name: Summary
+        run: mkosi summary
+
+      - name: Build tools tree
+        run: mkosi -f sandbox -- true
+
+      - name: Build image
+        run: mkosi sandbox -- mkosi --distribution ${{ matrix.distro }} --bootloader ${{ matrix.bootloader }} --unified-kernel-images ${{ matrix.uki }} --kernel-command-line=systemd.unit=mkosi-test.service -f build
+
+      - name: Run smoke tests
+        run: test "$(timeout -k 30 5m mkosi sandbox -- mkosi --firmware-variables mkosi/mkosi.output/ovmf_vars.fd --distribution ${{ matrix.distro }} --kernel-command-line-extra=systemd.unit=mkosi-test.service qemu 1>&2; echo $?)" -eq 123

.gitignore

@@ -52,3 +52,8 @@ shim_cert.h
 !/test-data/
 /test-random.h
 version.c
+/.mkosi-private/
+/mkosi/mkosi.builddir/
+/mkosi/mkosi.cache/
+/mkosi/mkosi.local.conf
+/mkosi/mkosi.output/

mkosi/mkosi.build.chroot

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if [ "$ARCHITECTURE" = "x86-64" ]; then
+    EFI_ARCHITECTURE="x64"
+elif [ "$ARCHITECTURE" = "x86" ]; then
+    EFI_ARCHITECTURE="ia32"
+elif [ "$ARCHITECTURE" = "arm64" ]; then
+    EFI_ARCHITECTURE="aa64"
+else
+    EFI_ARCHITECTURE="$ARCHITECTURE"
+fi
+
+cd "$BUILDDIR"
+
+openssl x509 -inform PEM -in "$SRCDIR/mkosi/mkosi.conf.d/$DISTRIBUTION/certs/shim.crt" -outform DER -out shim.der
+
+export VENDOR_CERT_FILE=$PWD/shim.der
+export EFIDIR=$DISTRIBUTION
+export DEBUG=1
+
+make TOPDIR="$SRCDIR" -f "$SRCDIR/Makefile" -j1
+
+for b in shim fb mm; do
+    install -D "${b}${EFI_ARCHITECTURE}.efi" -t "$DESTDIR/usr/lib/shim/" -m 0755
+done

mkosi/mkosi.clean

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rm -f "$OUTPUTDIR/ovmf_vars.fd"
+rm -rf "$OUTPUTDIR/mok/"

mkosi/mkosi.conf

@@ -0,0 +1,68 @@
+[Config]
+MinimumVersion=commit:7be5159f246d4b1283f62f8a0ab3f0ae90651e38
+
+[Output]
+RepartDirectories=mkosi.repart
+OutputDirectory=mkosi.output
+
+[Build]
+History=yes
+ToolsTree=default
+BuildDirectory=mkosi.builddir
+CacheDirectory=mkosi.cache
+Incremental=yes
+
+[Validation]
+SecureBoot=yes
+SecureBootAutoEnroll=no
+
+[Content]
+Bootable=yes
+ShimBootloader=unsigned
+
+# Default configuration is systemd-boot + UKI, can be overridden
+# on the command line or via mkosi/mkosi.local.conf
+Bootloader=systemd-boot-signed
+UnifiedKernelImages=unsigned
+
+SELinuxRelabel=no
+KernelInitrdModules=default
+KernelCommandLine=
+        systemd.show_status=0
+        systemd.log_ratelimit_kmsg=0
+        printk.devkmsg=on
+        rw
+        selinux=0
+        systemd.firstboot=no
+        oops=panic
+        panic=-1
+        softlockup_panic=1
+        panic_on_warn=1
+        mitigations=off
+
+Packages=
+        mokutil
+        openssl
+
+[Runtime]
+# TODO: remove command line from mkosi.yml and uncomment this when
+# https://github.com/systemd/mkosi/pull/3817 is fixed
+#FirmwareVariables=%O/ovmf_vars.fd
+Firmware=uefi-secure-boot
+Credentials=
+        journal.storage=persistent
+        tty.serial.hvc0.agetty.autologin=root
+        tty.serial.hvc0.login.noauth=yes
+        tty.console.agetty.autologin=root
+        tty.console.login.noauth=yes
+        tty.virtual.tty1.agetty.autologin=root
+        tty.virtual.tty1.login.noauth=yes
+RuntimeBuildSources=yes
+RuntimeScratch=no
+CPUs=2
+VSock=yes
+# TODO: tpmrm0 device doesn't show up in initrd on arm64
+TPM=no
+
+[Include]
+Include=mkosi-vm

mkosi/mkosi.conf.d/centos-fedora/mkosi.conf

@@ -0,0 +1,17 @@
+[Match]
+Distribution=|centos
+Distribution=|fedora
+
+[Content]
+Packages=
+        dos2unix
+        efibootmgr
+        efivar
+        python-virt-firmware
+
+BuildPackages=
+        make
+        gcc
+        elfutils-libelf-devel
+        openssl-devel
+        pesign

mkosi/mkosi.conf.d/centos-fedora/mkosi.conf.d/grub-arm64.conf

@@ -0,0 +1,5 @@
+[Match]
+Architecture=arm64
+
+[Content]
+Packages=grub2-efi-aa64

mkosi/mkosi.conf.d/centos-fedora/mkosi.conf.d/grub-x86-64.conf

@@ -0,0 +1,5 @@
+[Match]
+Architecture=x86-64
+
+[Content]
+Packages=grub2-efi-x64

mkosi/mkosi.conf.d/centos/certs/shim.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIJAIlReu6IOzL7MA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
+BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
+cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTA4MTkzMloXDTM4MDExODA4MTkzMlow
+RjEgMB4GA1UEAwwXQ2VudE9TIFNlY3VyZSBCb290IENBIDIxIjAgBgkqhkiG9w0B
+CQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQChatbNaQDV0RTCqff1tl92xI6gu1k8jYufW8FyzZ6uDnxoGpBT0LiU
+WKuGjMQ89JgiApFzDYSLWrZg8NbTnVdz0hny4SMyspe5weUk6IToKXvEejZNFn6i
+vae2vfT0/ASKsgIvUcz4sWHMK43vbfv/pVpYGLgoG5aNUkt7VhkeURwJzR3ODgDp
+aL4bQ/7qEo8ASHCEvQx6klG330Z06O0kjS6GK12cPC1t5ZlimVXCNWP1jf0pMWmh
+aBrZjbyY0j8R7Yns3cEovAM230chsVdyFxSYpqCLzMlmWNxiIlvcAoDIRMWEa7Da
+SSAfJWH+ygAzad1PHlnCB0zAFbLAMJH1AgMBAAGjUzBRMB0GA1UdDgQWBBRwAH+Z
+IJwSa+FHdOrse22WMfNNyjAfBgNVHSMEGDAWgBRwAH+ZIJwSa+FHdOrse22WMfNN
+yjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAe5NcVSUd/POZs
+Jkiep8ATNwXglLAeYxB55F42sXx5OOdKMBmhqWQIVJvaih/wsfKIBfdUGv2L9dH8
+IQgiU1PRYx0baSVJno3HcQTbCqLvnvckusR7IUTDAFj774MvXwS6yV6pXzxDmuh2
+t8hRktOKFeUtdlDYqg9X3Ia3GkoB5huyEbuaZTNcV4TAfU/yAERNIAgRs+fLQU70
+OgGlWsp35J8qPkZKabGf0surDa2xa6iAoFyknxruoKQ8uNSB9KB7/0JvVouNx90+
+ncykWW96GVKs8+H5WGza10FqrchtThSNCSXTtLbTXoK0Atdvu0o04XUbsCGMnlcG
+zAVb3/m0
+-----END CERTIFICATE-----

mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf

@@ -0,0 +1,19 @@
+[Match]
+Distribution=|debian
+Distribution=|ubuntu
+
+[Content]
+Packages=
+        dos2unix
+        efibootmgr
+        efitools
+        efivar
+        python3-virt-firmware
+        sbsigntool
+
+BuildPackages=
+        build-essential
+        gnu-efi
+        libefivar-dev
+        libelf-dev
+        pesign