xtask: Add seal-state and boot-type options

Johan-Liebert1 · cgwalters · commit 8c4bdc8c2dc7 · 2026-03-03T16:30:00.000-05:00
seal-state: Required to switch between secure/insecure firmware options
boot-type: Required to send kargs to only bls installs

Signed-off-by: Pragyan Poudyal &lt;pragyanpoudyal41999@gmail.com&gt;
diff --git a/crates/xtask/src/tmt.rs b/crates/xtask/src/tmt.rs
@@ -34,7 +34,7 @@ const DISTRO_CENTOS_9: &str = "centos-9";
 const COMPOSEFS_KERNEL_ARGS: [&str; 1] = ["--karg=enforcing=0"];
 
 // Import the argument types from xtask.rs
-use crate::{Bootloader, RunTmtArgs, TmtProvisionArgs};
+use crate::{BootType, Bootloader, RunTmtArgs, SealState, TmtProvisionArgs};
 
 /// Generate a random alphanumeric suffix for VM names
 fn generate_random_suffix() -> String {
@@ -113,12 +113,7 @@ const DEFAULT_SB_KEYS_DIR: &str = "target/test-secureboot";
 ///
 /// For sealed images, secure boot keys must be present or an error is returned.
 #[context("Building firmware arguments")]
-fn build_firmware_args(
-    sh: &Shell,
-    image: &str,
-    bootloader: &Option<Bootloader>,
-) -> Result<Vec<String>> {
-    let is_sealed = is_sealed_image(sh, image)?;
+fn build_firmware_args(is_sealed: bool, bootloader: &Option<Bootloader>) -> Result<Vec<String>> {
     let sb_keys_dir = Utf8Path::new(DEFAULT_SB_KEYS_DIR);
 
     let r = if is_sealed {
@@ -349,7 +344,12 @@ pub(crate) fn run_tmt(sh: &Shell, args: &RunTmtArgs) -> Result<()> {
     println!("Detected distro: {}", distro);
     println!("Detected VARIANT_ID: {variant_id}");
 
-    let firmware_args = build_firmware_args(sh, image, &args.bootloader)?;
+    let firmware_args = build_firmware_args(
+        args.seal_state
+            .as_ref()
+            .is_some_and(|v| *v == SealState::Sealed),
+        &args.bootloader,
+    )?;
 
     // Create tmt-workdir and copy tmt bits to it
     // This works around https://github.com/teemtee/tmt/issues/4062
@@ -488,7 +488,11 @@ pub(crate) fn run_tmt(sh: &Shell, args: &RunTmtArgs) -> Result<()> {
                 let filesystem = args.filesystem.as_deref().unwrap_or("ext4");
                 opts.push(format!("--filesystem={}", filesystem));
                 opts.push("--composefs-backend".into());
-                opts.extend(COMPOSEFS_KERNEL_ARGS.map(|x| x.into()));
+
+                // UKI install fails with extra args
+                if args.boot_type == BootType::Bls {
+                    opts.extend(COMPOSEFS_KERNEL_ARGS.map(|x| x.into()));
+                }
             }
 
             if let Some(b) = &args.bootloader {
@@ -750,7 +754,7 @@ pub(crate) fn tmt_provision(sh: &Shell, args: &TmtProvisionArgs) -> Result<()> {
     println!("  VM name: {}\n", vm_name);
 
     // TODO: Send bootloader param here
-    let firmware_args = build_firmware_args(sh, image, &None)?;
+    let firmware_args = build_firmware_args(is_sealed_image(sh, image)?, &None)?;
 
     // Launch VM with bcvk
     // Use ds=iid-datasource-none to disable cloud-init for faster boot
diff --git a/crates/xtask/src/xtask.rs b/crates/xtask/src/xtask.rs
@@ -96,6 +96,44 @@ impl Display for Bootloader {
     }
 }
 
+/// The boot type for composefs backend
+#[derive(Debug, Default, Clone, ValueEnum, PartialEq, Eq)]
+pub enum BootType {
+    /// Type1 (BLS) boot
+    #[default]
+    Bls,
+    /// UKI boot
+    Uki,
+}
+
+impl Display for BootType {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            BootType::Bls => f.write_str("bls"),
+            BootType::Uki => f.write_str("uki"),
+        }
+    }
+}
+
+/// Whether the image is sealed or not
+#[derive(Debug, Default, Clone, ValueEnum, PartialEq, Eq)]
+pub enum SealState {
+    /// The image is sealed
+    Sealed,
+    /// The image is unsealed
+    #[default]
+    Unsealed,
+}
+
+impl Display for SealState {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            SealState::Sealed => f.write_str("sealed"),
+            SealState::Unsealed => f.write_str("unsealed"),
+        }
+    }
+}
+
 /// Arguments for run-tmt command
 #[derive(Debug, Args)]
 pub(crate) struct RunTmtArgs {
@@ -130,6 +168,14 @@ pub(crate) struct RunTmtArgs {
 
     #[arg(long, requires = "composefs_backend")]
     pub(crate) filesystem: Option<String>,
+
+    /// Required to switch between secure/insecure firmware options
+    #[arg(long, requires = "composefs_backend")]
+    pub(crate) seal_state: Option<SealState>,
+
+    // Required to send kargs to only bls installs
+    #[arg(long, default_value_t, requires = "composefs_backend")]
+    pub(crate) boot_type: BootType,
 }
 
 /// Arguments for tmt-provision command
