sealing: Add GUID.txt for bcvk firmware enrollment

cgwalters · cgwalters · commit 8588839e09f0 · 2026-03-17T18:38:50.000Z
bcvk requires a GUID.txt file in the keys directory for Secure Boot
variable enrollment. Generate one in CI and in keys.py.

Assisted-by: OpenCode (Claude Opus 4)
diff --git a/.github/workflows/e2e-sealing.yml b/.github/workflows/e2e-sealing.yml
@@ -28,6 +28,8 @@ jobs:
           set -euo pipefail
           mkdir -p sealing/target/keys sealing/keys/
 
+          uuidgen > sealing/target/keys/GUID.txt
+
           for name in PK KEK db; do
             openssl req -new -x509 -newkey rsa:2048 -nodes \
               -keyout "sealing/target/keys/sb-${name}.key" \
@@ -126,6 +128,8 @@ jobs:
           set -euo pipefail
           mkdir -p /tmp/keys
 
+          uuidgen > /tmp/keys/GUID.txt
+
           # Secure Boot keys
           for name in PK KEK db; do
             openssl req -new -x509 -newkey rsa:2048 -nodes \
diff --git a/sealing/util/keys.py b/sealing/util/keys.py
@@ -15,6 +15,7 @@
 import argparse
 import subprocess
 import sys
+import uuid
 from pathlib import Path
 
 DEFAULT_KEYS_DIR = "target/keys"
@@ -61,6 +62,12 @@ def generate_keys(output_dir: Path):
             f"/CN={cn}",
         )
 
+    # GUID (required by bcvk for firmware enrollment)
+    guid_file = output_dir / "GUID.txt"
+    if not guid_file.exists():
+        guid_file.write_text(str(uuid.uuid4()) + "\n")
+        print(f"  create GUID.txt")
+
     # Create bcvk-compatible symlinks (bcvk expects PK.crt, not sb-PK.crt)
     for name in ("PK", "KEK", "db"):
         for ext in ("key", "crt"):
