bootc-dev
diff --git a/‎.github/workflows/e2e-sealing.yml‎
Lines changed: 225 additions & 0 deletions b/‎.github/workflows/e2e-sealing.yml‎
Lines changed: 225 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 13 additions & 0 deletions b/‎README.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎sealing-gen2-ipe/.gitignore‎
Lines changed: 2 additions & 0 deletions b/‎sealing-gen2-ipe/.gitignore‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎sealing-gen2-ipe/Containerfile.app‎
Lines changed: 22 additions & 0 deletions b/‎sealing-gen2-ipe/Containerfile.app‎
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,225 @@
+name: E2E sealed composefs boot
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # Job 1: UKI-only sealed boot (sealing/)
+  # Builds a minimal composefs host and verifies it boots with verity=require.
+  sealed-uki:
+    name: Sealed UKI boot (sealing/)
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Setup (podman, libvirt, bcvk, virt-firmware)
+        uses: bootc-dev/actions/bootc-ubuntu-setup@main
+        with:
+          libvirt: 'true'
+
+      - name: Generate ephemeral Secure Boot keys
+        run: |
+          set -euo pipefail
+          mkdir -p sealing/target/keys sealing/keys/
+
+          for name in PK KEK db; do
+            openssl req -new -x509 -newkey rsa:2048 -nodes \
+              -keyout "sealing/target/keys/sb-${name}.key" \
+              -out "sealing/target/keys/sb-${name}.crt" \
+              -days 1 -subj "/CN=composefs-ci-${name}/"
+            ln -sf "sb-${name}.key" "sealing/target/keys/${name}.key"
+            ln -sf "sb-${name}.crt" "sealing/target/keys/${name}.crt"
+          done
+
+          cp sealing/target/keys/sb-db.crt sealing/keys/db.crt
+
+      - name: Build sealed host image
+        working-directory: sealing
+        run: |
+          podman build -f Containerfile.host \
+            --secret id=secureboot_key,src=target/keys/sb-db.key \
+            -t localhost/sealed-host:latest .
+
+      - name: Boot and verify composefs root
+        working-directory: sealing
+        run: |
+          set -euo pipefail
+          VM_NAME="sealed-uki"
+
+          echo "==> Booting sealed host VM..."
+          bcvk libvirt run --detach --ssh-wait --name "${VM_NAME}" \
+            --filesystem=ext4 \
+            --secure-boot-keys target/keys \
+            localhost/sealed-host:latest
+
+          echo "==> Waiting for multi-user.target..."
+          bcvk libvirt ssh "${VM_NAME}" -- \
+            timeout 180 bash -c \
+              'systemctl is-active multi-user.target || journalctl -b --no-pager -o cat UNIT=multi-user.target --follow | grep -q -m1 "Reached target"'
+
+          echo "==> Running verification checks..."
+          bcvk libvirt ssh "${VM_NAME}" -- bash -c '
+            set -euo pipefail
+
+            echo "--- kernel ---"
+            uname -r
+
+            echo "--- root mount ---"
+            mount_line=$(mount | grep " / " || true)
+            echo "  ${mount_line}"
+            if echo "${mount_line}" | grep -q "verity=require"; then
+              echo "  OK: composefs root with verity=require"
+            else
+              echo "  FAIL: verity=require not found on root mount"
+              mount
+              exit 1
+            fi
+
+            echo "--- cmdline ---"
+            cat /proc/cmdline
+            if grep -q "composefs=" /proc/cmdline; then
+              echo "  OK: composefs= present in cmdline"
+            else
+              echo "  FAIL: composefs= not in cmdline"
+              exit 1
+            fi
+
+            echo ""
+            echo "=== COMPOSEFS SEALED UKI BOOT VERIFIED ==="
+          '
+
+      - name: Cleanup VM
+        if: always()
+        working-directory: sealing
+        run: bcvk libvirt rm --stop --force sealed-uki 2>/dev/null || true
+
+      - name: Dump VM journal on failure
+        if: failure()
+        working-directory: sealing
+        run: |
+          bcvk libvirt ssh sealed-uki -- journalctl -b --no-pager 2>/dev/null || true
+          bcvk libvirt ssh sealed-uki -- mount 2>/dev/null || true
+
+  # Job 2: Full sealed host with app-signing (sealing-gen2-ipe/)
+  # Builds the gen2 host (includes cfsctl, app-signing cert, sealed-httpd
+  # service) and verifies the composefs boot. The sealed-httpd service
+  # won't have an image to pull, but the host boot itself must succeed.
+  sealed-gen2:
+    name: Sealed gen2 host boot (sealing-gen2-ipe/)
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Setup (podman, libvirt, bcvk, virt-firmware)
+        uses: bootc-dev/actions/bootc-ubuntu-setup@main
+        with:
+          libvirt: 'true'
+
+      - name: Generate ephemeral keys (Secure Boot + composefs signing)
+        run: |
+          set -euo pipefail
+          mkdir -p /tmp/keys
+
+          # Secure Boot keys
+          for name in PK KEK db; do
+            openssl req -new -x509 -newkey rsa:2048 -nodes \
+              -keyout "/tmp/keys/sb-${name}.key" \
+              -out "/tmp/keys/sb-${name}.crt" \
+              -days 1 -subj "/CN=composefs-ci-${name}/"
+            ln -sf "sb-${name}.key" "/tmp/keys/${name}.key"
+            ln -sf "sb-${name}.crt" "/tmp/keys/${name}.crt"
+          done
+
+          # App-signing key (gen2 needs this for the image build)
+          openssl req -x509 -newkey rsa:4096 -nodes \
+            -keyout /tmp/keys/composefs-signing.key \
+            -out /tmp/keys/composefs-signing.pem \
+            -days 1 -subj '/CN=composefs-ci-app-signing/'
+
+          cp /tmp/keys/composefs-signing.pem sealing-gen2-ipe/app-signing-cert.pem
+
+      - name: Build gen2 sealed host image
+        working-directory: sealing-gen2-ipe
+        run: |
+          podman build -f Containerfile.host \
+            --secret id=secureboot_key,src=/tmp/keys/sb-db.key \
+            --secret id=secureboot_cert,src=/tmp/keys/sb-db.crt \
+            -t localhost/sealed-host-gen2:latest .
+
+      - name: Boot and verify composefs root
+        run: |
+          set -euo pipefail
+          VM_NAME="sealed-gen2"
+
+          echo "==> Booting gen2 sealed host VM..."
+          bcvk libvirt run --detach --ssh-wait --name "${VM_NAME}" \
+            --filesystem=ext4 \
+            --secure-boot-keys /tmp/keys \
+            localhost/sealed-host-gen2:latest
+
+          echo "==> Waiting for multi-user.target..."
+          bcvk libvirt ssh "${VM_NAME}" -- \
+            timeout 180 bash -c \
+              'systemctl is-active multi-user.target || journalctl -b --no-pager -o cat UNIT=multi-user.target --follow | grep -q -m1 "Reached target"'
+
+          echo "==> Running verification checks..."
+          bcvk libvirt ssh "${VM_NAME}" -- bash -c '
+            set -euo pipefail
+
+            echo "--- kernel ---"
+            uname -r
+
+            echo "--- root mount ---"
+            mount_line=$(mount | grep " / " || true)
+            echo "  ${mount_line}"
+            if echo "${mount_line}" | grep -q "verity=require"; then
+              echo "  OK: composefs root with verity=require"
+            else
+              echo "  FAIL: verity=require not found on root mount"
+              mount
+              exit 1
+            fi
+
+            echo "--- cmdline ---"
+            cat /proc/cmdline
+            if grep -q "composefs=" /proc/cmdline; then
+              echo "  OK: composefs= present in cmdline"
+            else
+              echo "  FAIL: composefs= not in cmdline"
+              exit 1
+            fi
+
+            echo "--- cfsctl ---"
+            cfsctl --version
+
+            echo "--- composefs-load-appkeys.service ---"
+            if systemctl is-active --quiet composefs-load-appkeys.service; then
+              echo "  OK: keyring service active"
+            else
+              echo "  INFO: keyring service not active (expected: cert was ephemeral)"
+              systemctl status composefs-load-appkeys.service --no-pager 2>/dev/null || true
+            fi
+
+            echo "--- sealed-httpd.service ---"
+            echo "  INFO: sealed-httpd expected to fail (no image pushed to GHCR)"
+            systemctl status sealed-httpd.service --no-pager 2>/dev/null || true
+
+            echo ""
+            echo "=== COMPOSEFS GEN2 SEALED BOOT VERIFIED ==="
+          '
+
+      - name: Cleanup VM
+        if: always()
+        run: bcvk libvirt rm --stop --force sealed-gen2 2>/dev/null || true
+
+      - name: Dump VM journal on failure
+        if: failure()
+        run: |
+          bcvk libvirt ssh sealed-gen2 -- journalctl -b --no-pager 2>/dev/null || true
+          bcvk libvirt ssh sealed-gen2 -- mount 2>/dev/null || true
@@ -0,0 +1,13 @@
+# Composefs sealed boot examples
+
+Two examples of composefs-backed bootc hosts with Secure Boot:
+
+| Directory | What |
+|---|---|
+| [`sealing/`](sealing/) | Sealed UKI boot — minimal composefs host with signed UKI |
+| [`sealing-gen2-ipe/`](sealing-gen2-ipe/) | + sealed app containers, fs-verity signatures, IPE kernel patches |
+
+`sealing/` is the foundational layer. `sealing-gen2-ipe/` adds app-level
+integrity (signed containers verified by composefs + IPE policies).
+
+See each directory's README for details.
@@ -0,0 +1,2 @@
+/target/
+app-signing-cert.pem
@@ -0,0 +1,22 @@
+# Containerfile.app — Minimal httpd application container
+#
+# This is a plain OCI container image, not a bootc image.
+# Sealing happens AFTER build via cfsctl (see Justfile seal-app target).
+
+FROM quay.io/centos/centos:stream10
+
+RUN dnf install -y httpd && dnf clean all
+
+RUN cat > /var/www/html/index.html <<'HTML'
+<!DOCTYPE html>
+<html>
+<head><title>Sealed composefs demo</title></head>
+<body>
+<h1>Hello from a sealed container</h1>
+<p>This container's filesystem is verified by composefs fs-verity signatures.</p>
+</body>
+</html>
+HTML
+
+EXPOSE 80
+CMD ["/usr/sbin/httpd", "-DFOREGROUND"]