
Commit 8c4bdc8

Johan-Liebert1cgwalters
authored andcommitted
xtask: Add seal-state and boot-type options
seal-state: Required to switch between secure/insecure firmware options boot-type: Required to send kargs to only bls installs Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
1 parent 217cd24 commit 8c4bdc8

2 files changed

Lines changed: 60 additions & 10 deletions


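--- a/crates/xtask/src/tmt.rs
+++ b/crates/xtask/src/tmt.rs
@@ -34,7 +34,7 @@ const DISTRO_CENTOS_9: &str = "centos-9";
 const COMPOSEFS_KERNEL_ARGS: [&str; 1] = ["--karg=enforcing=0"];
 
 // Import the argument types from xtask.rs
-use crate::{Bootloader, RunTmtArgs, TmtProvisionArgs};
+use crate::{BootType, Bootloader, RunTmtArgs, SealState, TmtProvisionArgs};
 
 /// Generate a random alphanumeric suffix for VM names
 fn generate_random_suffix() -> String {
@@ -113,12 +113,7 @@ const DEFAULT_SB_KEYS_DIR: &str = "target/test-secureboot";
 ///
 /// For sealed images, secure boot keys must be present or an error is returned.
 #[context("Building firmware arguments")]
-fn build_firmware_args(
-sh: &Shell,
-image: &str,
-bootloader: &Option<Bootloader>,
-) -> Result<Vec<String>> {
-let is_sealed = is_sealed_image(sh, image)?;
+fn build_firmware_args(is_sealed: bool, bootloader: &Option<Bootloader>) -> Result<Vec<String>> {
 let sb_keys_dir = Utf8Path::new(DEFAULT_SB_KEYS_DIR);
 
 let r = if is_sealed {
@@ -349,7 +344,12 @@ pub(crate) fn run_tmt(sh: &Shell, args: &RunTmtArgs) -> Result<()> {
 println!("Detected distro: {}", distro);
 println!("Detected VARIANT_ID: {variant_id}");
 
-let firmware_args = build_firmware_args(sh, image, &args.bootloader)?;
+let firmware_args = build_firmware_args(
+args.seal_state
+.as_ref()
+.is_some_and(|v| *v == SealState::Sealed),
+&args.bootloader,
+)?;
 
 // Create tmt-workdir and copy tmt bits to it
 // This works around https://github.com/teemtee/tmt/issues/4062
@@ -488,7 +488,11 @@ pub(crate) fn run_tmt(sh: &Shell, args: &RunTmtArgs) -> Result<()> {
 let filesystem = args.filesystem.as_deref().unwrap_or("ext4");
 opts.push(format!("--filesystem={}", filesystem));
 opts.push("--composefs-backend".into());
-opts.extend(COMPOSEFS_KERNEL_ARGS.map(|x| x.into()));
+
+// UKI install fails with extra args
+if args.boot_type == BootType::Bls {
+opts.extend(COMPOSEFS_KERNEL_ARGS.map(|x| x.into()));
+}
 }
 
 if let Some(b) = &args.bootloader {
@@ -750,7 +754,7 @@ pub(crate) fn tmt_provision(sh: &Shell, args: &TmtProvisionArgs) -> Result<()> {
 println!(" VM name: {}\n", vm_name);
 
 // TODO: Send bootloader param here
-let firmware_args = build_firmware_args(sh, image, &None)?;
+let firmware_args = build_firmware_args(is_sealed_image(sh, image)?, &None)?;
 
 // Launch VM with bcvk
 // Use ds=iid-datasource-none to disable cloud-init for faster boot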
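Review bot: In `run_tmt`, an omitted `--seal-state` is now treated as unsealed, because `args.seal_state.as_ref().is_some_and(..)` is false for `None`; a sealed image run without the flag therefore skips the `is_sealed` branch of `build_firmware_args`, which is where its doc comment says the secure boot keys are required. `tmt_provision` still derives the value from `is_sealed_image(sh, image)?`, so the two entry points can disagree about the same image. Keeping detection as the fallback would avoid a silent downgrade: `let is_sealed = match &args.seal_state { Some(s) => *s == SealState::Sealed, None => is_sealed_image(sh, image)? };` and then pass `is_sealed` to `build_firmware_args`. The bodies of `build_firmware_args`, `run_tmt` and `tmt_provision` continue outside the hunks shown, so what the non-sealed branch selects is not visible here.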

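--- a/crates/xtask/src/xtask.rs
+++ b/crates/xtask/src/xtask.rs
@@ -96,6 +96,44 @@ impl Display for Bootloader {
 }
 }
 
+/// The boot type for composefs backend
+#[derive(Debug, Default, Clone, ValueEnum, PartialEq, Eq)]
+pub enum BootType {
+/// Type1 (BLS) boot
+#[default]
+Bls,
+/// UKI boot
+Uki,
+}
+
+impl Display for BootType {
+fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+match self {
+BootType::Bls => f.write_str("bls"),
+BootType::Uki => f.write_str("uki"),
+}
+}
+}
+
+/// Whether the image is sealed or not
+#[derive(Debug, Default, Clone, ValueEnum, PartialEq, Eq)]
+pub enum SealState {
+/// The image is sealed
+Sealed,
+/// The image is unsealed
+#[default]
+Unsealed,
+}
+
+impl Display for SealState {
+fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+match self {
+SealState::Sealed => f.write_str("sealed"),
+SealState::Unsealed => f.write_str("unsealed"),
+}
+}
+}
+
 /// Arguments for run-tmt command
 #[derive(Debug, Args)]
 pub(crate) struct RunTmtArgs {
@@ -130,6 +168,14 @@ pub(crate) struct RunTmtArgs {
 
 #[arg(long, requires = "composefs_backend")]
 pub(crate) filesystem: Option<String>,
+
+/// Required to switch between secure/insecure firmware options
+#[arg(long, requires = "composefs_backend")]
+pub(crate) seal_state: Option<SealState>,
+
+// Required to send kargs to only bls installs
+#[arg(long, default_value_t, requires = "composefs_backend")]
+pub(crate) boot_type: BootType,
 }
 
 /// Arguments for tmt-provision command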
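Review bot: The comment above `boot_type` in `RunTmtArgs` is a plain `//` comment, so unlike the `///` on `seal_state` clap will not use it as help text for `--boot-type`; it should read `/// Required to send kargs to only bls installs`. Both comments say "Required", yet `seal_state` is an `Option` and `boot_type` has `default_value_t`, so neither flag is mandatory; the help should say what omission means, for example `/// Whether the image is sealed; when omitted the image is treated as unsealed`, since per the commit message this flag decides between the secure and insecure firmware options. `SealState` also derives `Default` with `#[default]` on `Unsealed`, which looks unused while the field stays `Option<SealState>`. Only part of `RunTmtArgs` is visible in these hunks.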
