build-sys: Re-seal upgrade image for composefs UKI builds

cgwalters · cgwalters · commit 621e1419daad · 2026-03-23T13:31:45.000Z
The upgrade test image (localhost/bootc-upgrade) was previously a simple
one-layer addition on top of localhost/bootc that did not go through the
sealing pipeline. This meant sealed composefs builds could not properly
test upgrades, since the upgrade image lacked a signed UKI with the
correct composefs digest.

Rework Dockerfile.upgrade into a multi-stage build that mirrors the main
Dockerfile sealing flow: when boot_type=uki, it computes the composefs
digest of the upgrade rootfs, generates and optionally signs a UKI via
seal-uki, and finalizes it with finalize-uki. For non-UKI builds, the
extra stages are effectively no-ops and the image remains a simple
derived layer.

Update _build-upgrade-image in the Justfile to pass the required build
arguments (boot_type, seal_state, filesystem) and build secrets
(secureboot keys). Extra container capabilities (CAP_ALL, fuse device)
are only added for UKI builds that need composefs support.

Assisted-by: OpenCode (claude-opus-4)
Signed-off-by: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/Justfile b/Justfile
@@ -141,7 +141,7 @@ test-composefs bootloader filesystem boot_type seal_state *ARGS:
                 --seal-state={{seal_state}} \
                 --boot-type={{boot_type}} \
                 {{ARGS}} \
-                $(if [ "{{boot_type}}" = "uki" ]; then echo "readonly"; else echo "integration"; fi)
+                $(if [ "{{boot_type}}" = "uki" ]; then echo "readonly composefs-upgrade"; else echo "integration"; fi)
 
 # Run upgrade test: boot VM from published base image (with tmt deps added),
 # upgrade to locally-built image, reboot, then run readonly tests to verify.
@@ -362,7 +362,24 @@ _keygen:
     ./hack/generate-secureboot-keys
 
 _build-upgrade-image:
-    cat tmt/tests/Dockerfile.upgrade | podman build -t {{upgrade_img}} --from={{base_img}} -
+    #!/bin/bash
+    set -xeuo pipefail
+    # Secrets are always available (test-tmt depends on build which runs _keygen).
+    # Extra capabilities are only needed for UKI builds (composefs + fuse).
+    extra_args=()
+    if [ "{{boot_type}}" = "uki" ]; then
+        extra_args+=(--cap-add=all --security-opt=label=type:container_runtime_t --device /dev/fuse)
+    fi
+    podman build \
+        --build-arg "boot_type={{boot_type}}" \
+        --build-arg "seal_state={{seal_state}}" \
+        --build-arg "filesystem={{filesystem}}" \
+        --secret=id=secureboot_key,src=target/test-secureboot/db.key \
+        --secret=id=secureboot_cert,src=target/test-secureboot/db.crt \
+        "${extra_args[@]}" \
+        -t {{upgrade_img}} \
+        -f tmt/tests/Dockerfile.upgrade \
+        .
 
 # Build the upgrade source image: base image + tmt dependencies (rsync, nu, cloud-init)
 _build-upgrade-source-image:
diff --git a/tmt/tests/Dockerfile.upgrade b/tmt/tests/Dockerfile.upgrade
@@ -1,3 +1,62 @@
-# Just creates a file as a new layer for a synthetic upgrade test
-FROM localhost/bootc
-RUN touch --reference=/usr/bin/bash /usr/share/testing-bootc-upgrade-apply
+# Creates a synthetic upgrade image for testing.
+# For non-UKI builds, this just adds a marker file on top of localhost/bootc.
+# For UKI builds (boot_type=uki), the image is re-sealed with a new composefs
+# digest and (optionally signed) UKI.
+#
+# Build secrets required (for sealed builds):
+#   secureboot_key, secureboot_cert
+ARG boot_type=bls
+ARG seal_state=unsealed
+ARG filesystem=ext4
+
+# Capture contrib/packaging scripts for use in later stages
+FROM scratch AS packaging
+COPY contrib/packaging /
+
+# Create the upgrade content (a simple marker file).
+# For UKI builds, we also remove the existing UKI so that seal-uki can
+# regenerate it with the correct composefs digest for this derived image.
+FROM localhost/bootc AS upgrade-base
+ARG boot_type
+RUN touch --reference=/usr/bin/bash /usr/share/testing-bootc-upgrade-apply && \
+    if test "${boot_type}" = "uki"; then rm -rf /boot/EFI/Linux/*.efi; fi
+
+# Tools for sealing (only meaningfully used for UKI builds)
+FROM localhost/bootc AS tools
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=bind,from=packaging,src=/,target=/run/packaging \
+    /run/packaging/initialize-sealing-tools
+
+# Generate a sealed UKI for the upgrade image.
+# bootc is already installed in localhost/bootc (our tools base); the
+# container ukify command it provides is needed for seal-uki.
+FROM tools AS sealed-upgrade-uki
+ARG boot_type seal_state filesystem
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=secret,id=secureboot_key \
+    --mount=type=secret,id=secureboot_cert \
+    --mount=type=bind,from=packaging,src=/,target=/run/packaging \
+    --mount=type=bind,from=upgrade-base,src=/,target=/run/target <<EORUN
+set -xeuo pipefail
+
+allow_missing_verity=false
+if [ "${filesystem}" = "xfs" ]; then
+    allow_missing_verity=true
+fi
+
+if test "${boot_type}" = "uki"; then
+  /run/packaging/seal-uki /run/target /out /run/secrets "${allow_missing_verity}" "${seal_state}"
+fi
+EORUN
+
+# Final stage: the upgrade image, optionally with a re-sealed UKI
+FROM upgrade-base
+ARG boot_type
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=bind,from=packaging,src=/,target=/run/packaging \
+    --mount=type=bind,from=sealed-upgrade-uki,src=/,target=/run/sealed-uki <<EORUN
+set -xeuo pipefail
+if test "${boot_type}" = "uki"; then
+  /run/packaging/finalize-uki /run/sealed-uki/out
+fi
+EORUN
