From d6e81377164796314e07ce47abd6e74f24efbeec Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 13 Mar 2024 17:59:51 +0100
Subject: [PATCH 1/3] boot: Only use io.systemd.boot.kernel-cmdline-extra for type 1 images
Otherwise the cmdline is duplicated for UKIs.
---
 src/boot/efi/boot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index d64e560a527..6c0f956c32f 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -2376,7 +2376,7 @@ static EFI_STATUS image_start(
 * so). */
 _cleanup_free_ char16_t *options = xstrdup16(options_initrd ?: entry->options_implied ? NULL : entry->options);
- if (!is_confidential_vm()) {
+ if (entry->type == LOADER_LINUX && !is_confidential_vm()) {
 const char *extra = smbios_find_oem_string("io.systemd.boot.kernel-cmdline-extra");
 if (extra) {
 _cleanup_free_ char16_t *tmp = TAKE_PTR(options), *extra16 = xstr8_to_16(extra);
From d1c29b517aaaf170e01bd4805a8902dbbc090ad4 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 13 Mar 2024 20:50:06 +0100
Subject: [PATCH 2/3] mkosi: Allow booting without secure boot
Don't fail if SecureBoot is not enabled. Instead, only execute the secure boot related checks if secure boot is actually enabled.
---
 .../mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/base/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
index e0fcf304988..d2800a04a9f 100755
--- a/mkosi.images/base/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
+++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
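Review bot: The new `entry->type == LOADER_LINUX` condition carries no comment saying why the SMBIOS string is now consulted only for type #1 entries; from the commit message the stub apparently appends it for UKIs itself, but a reader of this code cannot see that. Add above the `if`: `/* For UKIs the stub appends io.systemd.boot.kernel-cmdline-extra itself, so only do it for type #1 entries to avoid duplicating it. */`. The existing `!is_confidential_vm()` exclusion belongs in the same comment — SMBIOS OEM strings are supplied by the host, which is presumably why they are ignored inside a confidential VM, and that reasoning is not visible in the hunk either. image_start() begins and ends outside the hunk.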
@@ -4,8 +4,9 @@
 systemctl --failed --no-legend | tee /failed-services
 # Check that secure boot keys were properly enrolled.
-if ! systemd-detect-virt --container; then
- cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+if ! systemd-detect-virt --container && \
+ cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+then
 cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
 if command -v sbsign &>/dev/null; then
From e399efea79bd214f8f27b30b3125987ed8aa4d52 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 13 Mar 2024 14:18:03 +0100
Subject: [PATCH 3/3] mkosi: Enable KVM
Since https://github.blog/2024-01-17-github-hosted-runners-double-the-power-for-open-source/, it seems that KVM is supported on GA runners, so let's explicitly enable it to make sure it is used. We update mkosi to latest and set QemuFirmware=uefi to disable secure boot which crashes qemu until https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2038777 is fixed.
---
 .github/workflows/mkosi.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 0c732cd0f45..a71ae3fd39b 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -76,7 +76,7 @@ jobs:
 steps:
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
- - uses: systemd/mkosi@ea1b00c3dba12662214b2e95dd1fe837cb13664b
+ - uses: systemd/mkosi@1445b389750af22756c0fde6facc1f2f343340b4
 - name: Free disk space
 run: |
@@ -99,7 +99,9 @@ jobs:
 ToolsTreeDistribution=fedora
 QemuVsock=yes
 # Sometimes we run on a host with /dev/kvm, but it is broken, so explicitly disable it
- QemuKvm=no
+ QemuKvm=yes
+ # TODO: Drop once https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2038777 is fixed in Github Actions
+ QemuFirmware=uefi
 Ephemeral=yes
 EOF
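Review bot: Moving the SecureBoot `cmp` into the `if` condition means a missing or mismatching SecureBoot variable now silently skips every enrollment check, so a VM that was meant to boot with secure boot but did not will pass this script, and nothing in the hunk records that the checks were skipped. Since that `cmp` is now a probe rather than an assertion it should be quiet, `cmp -s /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')`, and the skip should be visible, e.g. an `else` branch with `echo "Secure boot not enabled, skipping enrollment checks"`; the `fi` that would take that branch lies outside the hunk. If some configurations are expected to boot with secure boot enabled, consider driving that expectation from a value set at image build time rather than from runtime detection, so the check can still fail when enrollment was expected.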
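Review bot: The context comment kept above `QemuKvm=yes` still reads "so explicitly disable it", which now contradicts the setting directly below it; rewrite it to describe the new state, e.g. `# KVM is available on GitHub-hosted runners since January 2024, so enable it explicitly`. The TODO on `QemuFirmware=uefi` should also state what the workaround costs: with secure boot off, the secure-boot enrollment checks in mkosi-check-and-shutdown.sh are presumably skipped for the whole CI run, so that coverage is lost until the linked bug is resolved. Minor: `Github` → `GitHub` in the TODO.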