composefs/tests: More flexibility for insecure UKI testing

Update the CI matrix to include `seal_state` and `boot_type`. This does
not increase our matrix, but only rearranges it to be a bit more
meaningful. Earlier even when testing "insecure UKI", it still showed up
as "composefs-sealeduki-sdboot" which is incorrect.

This also allows us flexibility to, in future, test grub + UKI which is
disabled currently.

Update Justfile and the Dockerfile to make use of these new arguments.
Now we only sign the UKI, if `seal_state == sealed`, and in the Justfile
we disallow combinations that don't make sense, like BLS boot + sealed,
allowing missing verity (xfs) + sealed, etc.

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

Author: Johan-Liebert1

.github/workflows/ci.yml

@@ -161,22 +161,36 @@ jobs:
       matrix:
         # No fedora-44 due to https://bugzilla.redhat.com/show_bug.cgi?id=2429501
         test_os: [fedora-43, centos-9, centos-10]
-        variant: [ostree, composefs-sealeduki-sdboot, composefs-sdboot, composefs-grub]
+        variant: [ostree, composefs]
         filesystem: ["ext4", "xfs"]
+        bootloader: ["grub", "systemd"]
+        boot_type: ["bls", "uki"]
+        seal_state: ["sealed", "unsealed"]
+
         exclude:
-          # centos-9 UKI is experimental/broken (https://github.com/bootc-dev/bootc/issues/1812)
-          - test_os: centos-9
-            variant: composefs-sealeduki-sdboot
           # centos-9 fails with EUCLEAN (https://github.com/bootc-dev/bootc/issues/1812)
           # See: https://github.com/bootc-dev/bcvk/pull/204
           - test_os: centos-9
-            variant: composefs-sdboot
-          - test_os: centos-9
-            variant: composefs-grub
+            variant: composefs
+          - seal_state: "sealed"
+            boot_type: bls
+          - seal_state: "sealed"
+            bootloader: grub
+          - seal_state: "sealed"
+            filesystem: xfs
+          - seal_state: "unsealed"
+            filesystem: ext4
+          - bootloader: grub
+            boot_type: "uki"
+
           # We only test filesystems for composefs to test if composefs backend will work on fs
           # without fsverity
           - variant: ostree
             filesystem: ext4
+          - variant: ostree
+            boot_type: uki
+          - variant: ostree
+            bootloader: systemd
 
     runs-on: ubuntu-24.04
 
@@ -194,35 +208,13 @@ jobs:
           BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
           echo "BOOTC_base=${BASE}" >> $GITHUB_ENV
           echo "RUST_BACKTRACE=full" >> $GITHUB_ENV
-          echo "RUST_LOG=trace" >> $GITHUB_ENV
-          echo "BOOTC_filesystem=${{ matrix.filesystem }}" >> $GITHUB_ENV
+          echo "RUST_LOG=debug" >> $GITHUB_ENV
 
-          case "${{ matrix.variant }}" in
-            composefs-grub)
-              echo "BOOTC_variant=composefs" >> $GITHUB_ENV
-              echo "BOOTC_bootloader=grub" >> $GITHUB_ENV
-            ;;
-
-            composefs-sdboot)
-              echo "BOOTC_variant=composefs" >> $GITHUB_ENV
-              echo "BOOTC_bootloader=systemd" >> $GITHUB_ENV
-            ;;
-
-            composefs-sealeduki-sdboot)
-              echo "BOOTC_variant=${{ matrix.variant }}" >> $GITHUB_ENV
-              echo "BOOTC_bootloader=systemd" >> $GITHUB_ENV
-            ;;
-
-            ostree)
-              echo "BOOTC_variant=${{ matrix.variant }}" >> $GITHUB_ENV
-              echo "BOOTC_bootloader=grub" >> $GITHUB_ENV
-            ;;
-          esac
-
-          if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
-            BUILDROOTBASE=$(just pullspec-for-os buildroot-base ${{ matrix.test_os }})
-            echo "BOOTC_buildroot_base=${BUILDROOTBASE}" >> $GITHUB_ENV
-          fi
+          echo "BOOTC_variant=${{ matrix.variant }}" >> $GITHUB_ENV
+          echo "BOOTC_filesystem=${{ matrix.filesystem }}" >> $GITHUB_ENV
+          echo "BOOTC_bootloader=${{ matrix.bootloader }}" >> $GITHUB_ENV
+          echo "BOOTC_boot_type=${{ matrix.boot_type }}" >> $GITHUB_ENV
+          echo "BOOTC_seal_state=${{ matrix.seal_state }}" >> $GITHUB_ENV
 
       - name: Download package artifacts
         uses: actions/download-artifact@v8
@@ -241,14 +233,14 @@ jobs:
       - name: Unit and container integration tests
         run: just test-container
 
-      - name: Validate composefs digest (sealed UKI only)
-        if: matrix.variant == 'composefs-sealeduki-sdboot'
+      - name: Validate composefs digest (UKI only)
+        if: matrix.boot_type == 'uki'
         run: just validate-composefs-digest
 
       - name: Run TMT integration tests
         run: |
-          if [[ "${{ matrix.variant }}" = composefs* ]]; then
-            just "test-${{ matrix.variant }}" "${{ matrix.filesystem }}"
+          if [[ "${{ matrix.variant }}" = composefs ]]; then
+            just test-composefs "${{ matrix.bootloader }}"  "${{ matrix.filesystem }}" "${{ matrix.boot_type }}" "${{ matrix.seal_state }}"
           else
             just test-tmt integration
           fi
@@ -259,7 +251,14 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v7
         with:
-          name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ matrix.variant }}-${{ matrix.filesystem }}-${{ env.ARCH }}
+          name: "tmt-log-PR-${{ github.event.number }}-\
+            ${{ matrix.test_os }}-\
+            ${{ matrix.variant }}-\
+            ${{ matrix.bootloader }}-\
+            ${{ matrix.boot_type }}-\
+            ${{ matrix.filesystem }}-\
+            ${{ matrix.seal_state }}-\
+            ${{ env.ARCH }}"
           path: /var/tmp/tmt
 
   # Test bootc install on Fedora CoreOS (separate job to avoid disk space issues

Dockerfile

@@ -177,6 +177,8 @@ RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp
 FROM tools as sealed-uki
 ARG variant
 ARG filesystem
+ARG seal_state
+ARG boot_type
 # Install our bootc package (only needed for the compute-composefs-digest command)
 RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packages,src=/,target=/run/packages \
@@ -194,20 +196,21 @@ if [[ $filesystem == "xfs" ]]; then
     allow_missing_verity=true
 fi
 
-if test "${variant}" = "composefs-sealeduki-sdboot"; then
-  /run/packaging/seal-uki /run/target /out /run/secrets $allow_missing_verity
+if test "${boot_type}" = "uki"; then
+  /run/packaging/seal-uki /run/target /out /run/secrets $allow_missing_verity $seal_state
 fi
 EORUN
 
 # And now the final image
 FROM base-penultimate
 ARG variant
+ARG boot_type
 # Copy the sealed UKI and finalize the image (remove raw kernel, create symlinks)
 RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     --mount=type=bind,from=sealed-uki,src=/,target=/run/sealed-uki <<EORUN
 set -xeuo pipefail
-if test "${variant}" = "composefs-sealeduki-sdboot"; then
+if test "${boot_type}" = "uki"; then
   /run/packaging/finalize-uki /run/sealed-uki/out
 fi
 EORUN

Justfile

@@ -18,11 +18,15 @@ base_img := "localhost/bootc"
 # Synthetic upgrade image for testing
 upgrade_img := base_img + "-upgrade"
 
-# Build variant: ostree (default) or composefs-sealeduki-sdboot (sealed UKI)
+# Build variant: ostree (default) or composefs
 variant := env("BOOTC_variant", "ostree")
 bootloader := env("BOOTC_bootloader", "grub")
 # Only used for composefs tests
 filesystem := env("BOOTC_filesystem", "ext4")
+# Only used for composefs tests
+boot_type := env("BOOTC_boot_type", "bls")
+# Only used for composefs tests
+seal_state := env("BOOTC_seal_state", "unsealed")
 # Base container image to build from
 base := env("BOOTC_base", "quay.io/centos-bootc/centos-bootc:stream10")
 # Buildroot base image
@@ -45,6 +49,8 @@ base_buildargs := generic_buildargs + " " + _extra_src_args \
                   + " --build-arg=base=" + base \
                   + " --build-arg=variant=" + variant \
                   + " --build-arg=bootloader=" + bootloader \
+                  + " --build-arg=boot_type=" + boot_type \
+                  + " --build-arg=seal_state=" + seal_state \
                   + " --build-arg=filesystem=" + filesystem # required for bootc container ukify to allow missing fsverity
 buildargs := base_buildargs \
              + " --cap-add=all --security-opt=label=type:container_runtime_t --device /dev/fuse" \
@@ -75,15 +81,15 @@ list-variants:
         Standard bootc image using ostree backend.
         This is the traditional, production-ready configuration.
 
-    composefs-sealeduki-sdboot
-        Sealed composefs image with:
-        - Unified Kernel Image (UKI) containing kernel + initramfs + cmdline
-        - Secure Boot signing (using keys in target/test-secureboot/)
-        - systemd-boot bootloader
-        - composefs digest embedded in kernel cmdline for verified boot
+    composefs (bootloader, filesystem, boot_type, seal_state)
+        Build Composefs image with:
+        - The specified bootloader (grub/systemd)
+        - The specified filesystem (ext4,btrfs,xfs)
+        - The specified boot type (BLS/UKI)
+        - The specified seal state (sealed/unsealed) determining whether we sign the UKI and
+          use secure boot or not
 
-        Use `just build-sealed` as a shortcut, or:
-        just variant=composefs-sealeduki-sdboot build
+    Use `just build-sealed` as shortcut to build a sealed composefs image with systemd-boot as the bootloader
 
     Current Configuration
     =====================
@@ -96,7 +102,7 @@ list-variants:
 # Build a sealed composefs image (alias for variant=composefs-sealeduki-sdboot)
 [group('core')]
 build-sealed:
-    @just --justfile {{justfile()}} variant=composefs-sealeduki-sdboot build
+    @just --justfile {{justfile()}} variant=composefs bootloader=systemd boot_type=uki seal_state=sealed build
 
 # Run tmt integration tests in VMs (e.g. `just test-tmt readonly`)
 [group('core')]
@@ -110,28 +116,29 @@ test-container: build build-units
     podman run --rm --read-only localhost/bootc-units /usr/bin/bootc-units
     podman run --rm --env=BOOTC_variant={{variant}} --env=BOOTC_base={{base}} {{base_img}} bootc-integration-tests container
 
-# Build and test sealed composefs images
 [group('core')]
-test-composefs-sealeduki-sdboot filesystem:
-    just variant=composefs-sealeduki-sdboot filesystem={{filesystem}} test-tmt readonly local-upgrade-reboot
+test-composefs bootloader filesystem boot_type seal_state:
+    @if [ "{{seal_state}}" = "sealed" ] && [ "{{filesystem}}" = "xfs" ]; then \
+        echo "Invalid combination: sealed requires filesystem that supports fs-verity (ext4, btrfs)"; \
+        exit 1; \
+    fi
 
-[group('core')]
-test-composefs bootloader filesystem:
-    just variant=composefs bootloader={{bootloader}} filesystem={{filesystem}} \
-        test-tmt --composefs-backend \
-            --bootloader {{bootloader}} \
-            --filesystem {{filesystem}} \
-            integration
-
-# Build and test composefs images booted using Type1 boot entries and systemd-boot as the bootloader
-[group('core')]
-test-composefs-sdboot filesystem:
-    just test-composefs systemd {{filesystem}}
+    @if [ "{{seal_state}}" = "sealed" ] && [ "{{boot_type}}" != "uki" ]; then \
+        echo "Invalid combination: sealed requires boot_type=uki"; \
+        exit 1; \
+    fi
 
-# Build and test composefs images booted using Type1 boot entries and grub as the bootloader
-[group('core')]
-test-composefs-grub filesystem:
-    just test-composefs grub {{filesystem}}
+    just variant=composefs \
+        bootloader={{bootloader}} \
+        filesystem={{filesystem}} \
+        boot_type={{boot_type}} \
+        seal_state={{seal_state}} \
+            test-tmt-nobuild --composefs-backend \
+                --bootloader={{bootloader}} \
+                --filesystem={{filesystem}} \
+                --seal-state={{seal_state}} \
+                --boot-type={{boot_type}} \
+                $(if [ "{{boot_type}}" = "uki" ]; then echo "readonly"; else echo "integration"; fi)
 
 # Run cargo fmt and clippy checks in container
 [group('core')]

contrib/packaging/seal-uki

@@ -13,6 +13,13 @@ secrets=$1
 shift
 allow_missing_verity=$1
 shift
+seal_state=$1
+shift
+
+if [[ $seal_state == "sealed" && $allow_missing_verity == "true" ]]; then
+    echo "Cannot have missing verity with sealed UKI" >&2
+    exit 1
+fi
 
 # Find the kernel version (needed for output filename)
 kver=$(bootc container inspect --rootfs "${target}" --json | jq -r '.kernel.version')
@@ -28,10 +35,12 @@ ukifyargs=(--measure
            --json pretty
            --output "${output}/${kver}.efi")
 
-# Signing options, we use sbsign by default
-ukifyargs+=(--signtool sbsign
-            --secureboot-private-key "${secrets}/secureboot_key"
-            --secureboot-certificate "${secrets}/secureboot_cert")
+if [[ $seal_state == "sealed" ]]; then
+    # Signing options, we use sbsign by default
+    ukifyargs+=(--signtool sbsign
+                --secureboot-private-key "${secrets}/secureboot_key"
+                --secureboot-certificate "${secrets}/secureboot_cert")
+fi
 
 # Baseline container ukify options
 containerukifyargs=(--rootfs "${target}")