sealing: E2E test for composefs sealed UKI boot

Builds a CentOS Stream 10 bootc host with the composefs backend and
boots it in a bcvk VM with Secure Boot. Verifies that the root is
mounted as a composefs overlay with verity=require.

Uses ephemeral Secure Boot keys (PK/KEK/db generated in CI). The
Containerfile signs systemd-boot and the UKI with the db key, then
flattens to a single layer for deterministic composefs digests. The
kernel stage runs bootc container ukify to compute the digest and
build a signed UKI.

Assisted-by: OpenCode (Claude Opus 4)

Author: cgwalters

.github/workflows/e2e-sealing.yml

@@ -0,0 +1,103 @@
+name: E2E sealed composefs boot
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  e2e-sealed-boot:
+    name: Build and boot sealed composefs host
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Setup (podman, libvirt, bcvk, virt-firmware)
+        uses: bootc-dev/actions/bootc-ubuntu-setup@main
+        with:
+          libvirt: 'true'
+
+      - name: Generate ephemeral Secure Boot keys
+        run: |
+          set -euo pipefail
+          mkdir -p target/keys keys/
+
+          for name in PK KEK db; do
+            openssl req -new -x509 -newkey rsa:2048 -nodes \
+              -keyout "target/keys/sb-${name}.key" \
+              -out "target/keys/sb-${name}.crt" \
+              -days 1 -subj "/CN=composefs-ci-${name}/"
+            ln -sf "sb-${name}.key" "target/keys/${name}.key"
+            ln -sf "sb-${name}.crt" "target/keys/${name}.crt"
+          done
+
+          cp target/keys/sb-db.crt keys/db.crt
+
+      - name: Build sealed host image
+        run: |
+          podman build -f Containerfile.host \
+            --secret id=secureboot_key,src=target/keys/sb-db.key \
+            -t localhost/sealed-host:latest .
+
+      - name: Boot VM with composefs backend
+        run: |
+          set -euo pipefail
+
+          VM_NAME="sealed-e2e"
+
+          echo "==> Booting sealed host VM with Secure Boot + composefs..."
+          bcvk libvirt run --detach --ssh-wait --name "${VM_NAME}" \
+            --filesystem=ext4 \
+            --secure-boot-keys target/keys \
+            localhost/sealed-host:latest
+
+          echo "==> Waiting for multi-user.target..."
+          bcvk libvirt ssh "${VM_NAME}" -- \
+            timeout 180 bash -c \
+              'systemctl is-active multi-user.target || journalctl -b --no-pager -o cat UNIT=multi-user.target --follow | grep -q -m1 "Reached target"'
+
+          echo "==> Running verification checks..."
+          bcvk libvirt ssh "${VM_NAME}" -- bash -c '
+            set -euo pipefail
+
+            echo "--- kernel ---"
+            uname -r
+
+            echo "--- root mount ---"
+            mount_line=$(mount | grep " / " || true)
+            echo "  ${mount_line}"
+            if echo "${mount_line}" | grep -q "verity=require"; then
+              echo "  OK: composefs root with verity=require"
+            else
+              echo "  FAIL: verity=require not found on root mount"
+              mount
+              exit 1
+            fi
+
+            echo "--- cmdline ---"
+            cat /proc/cmdline
+            if grep -q "composefs=" /proc/cmdline; then
+              echo "  OK: composefs= present in cmdline"
+            else
+              echo "  FAIL: composefs= not in cmdline"
+              exit 1
+            fi
+
+            echo ""
+            echo "=== COMPOSEFS SEALED BOOT VERIFIED ==="
+          '
+
+      - name: Cleanup VM
+        if: always()
+        run: bcvk libvirt rm --stop --force sealed-e2e 2>/dev/null || true
+
+      - name: Dump VM journal on failure
+        if: failure()
+        run: |
+          bcvk libvirt ssh sealed-e2e -- journalctl -b --no-pager 2>/dev/null || true
+          bcvk libvirt ssh sealed-e2e -- mount 2>/dev/null || true
+          bcvk libvirt ssh sealed-e2e -- cat /proc/cmdline 2>/dev/null || true

.gitignore

@@ -0,0 +1 @@
+/target/

Containerfile.host

@@ -0,0 +1,97 @@
+# Containerfile.host — Sealed bootc host with composefs root
+#
+# Builds a CentOS Stream 10 bootc image that boots with the composefs
+# backend. A signed Unified Kernel Image (UKI) embeds the composefs
+# digest; Secure Boot verifies the UKI, which in turn verifies every
+# file on the root filesystem via fs-verity.
+#
+# The db certificate (public) is read from the build context.
+# Only the db private key is a build secret.
+#
+# Build:
+#   podman build -f Containerfile.host \
+#     --secret id=secureboot_key,src=target/keys/sb-db.key \
+#     -t localhost/sealed-host:latest .
+
+# --- Stage: rootfs-builder (install packages on the bootc base) ---
+FROM quay.io/centos-bootc/centos-bootc:stream10 AS rootfs-builder
+
+# sbsigntools from EPEL; systemd-boot-unsigned for bootctl install
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    dnf -y install epel-release && \
+    dnf -y install systemd-boot-unsigned systemd-ukify sbsigntools && \
+    dnf clean all
+
+# composefs backend uses systemd-boot, not grub/bootupd
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    rpm -e bootupd 2>/dev/null || true
+
+# Default to ext4 (supports fsverity, required for composefs)
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    mkdir -p /usr/lib/bootc/install && \
+    cat > /usr/lib/bootc/install/00-composefs.toml <<'EOF'
+[install.filesystem.root]
+type = "ext4"
+EOF
+
+# Include the bootc dracut module in the initramfs so that composefs
+# root setup happens during boot (the module's check() returns 255,
+# meaning it's never auto-included). Then rebuild the initramfs.
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    mkdir -p /etc/dracut.conf.d && \
+    echo 'add_dracutmodules+=" bootc "' > /etc/dracut.conf.d/50-bootc-composefs.conf && \
+    kver=$(ls /usr/lib/modules/) && \
+    dracut --force --kver "$kver" /usr/lib/modules/$kver/initramfs.img && \
+    echo "Rebuilt initramfs with bootc module" && \
+    lsinitrd /usr/lib/modules/$kver/initramfs.img | grep -c bootc
+
+# Sign systemd-boot with our Secure Boot key so UEFI firmware will load it.
+# This must happen BEFORE the flatten so the signed binary is in the digest.
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=secret,id=secureboot_key \
+    --mount=type=bind,source=keys/db.crt,target=/tmp/db.crt \
+    sbsign --key /run/secrets/secureboot_key \
+           --cert /tmp/db.crt \
+           --output /tmp/systemd-bootx64.efi.signed \
+           /usr/lib/systemd/boot/efi/systemd-bootx64.efi && \
+    mv /tmp/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
+
+# --- Stage: base (flatten to single layer for deterministic digests) ---
+FROM scratch AS base
+COPY --from=rootfs-builder / /
+LABEL containers.bootc 1
+LABEL ostree.bootable 1
+ENV container=oci
+STOPSIGNAL SIGRTMIN+3
+CMD ["/sbin/init"]
+
+# --- Stage: kernel (compute digest + build signed UKI) ---
+FROM base AS kernel
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=bind,from=base,target=/target \
+    --mount=type=secret,id=secureboot_key \
+    --mount=type=bind,source=keys/db.crt,target=/tmp/db.crt <<EORUN
+set -xeuo pipefail
+mkdir -p /out
+bootc container ukify --rootfs /target \
+  --karg rw \
+  --karg enforcing=0 \
+  --karg console=tty0 \
+  --karg console=ttyS0,115200n8 \
+  --karg console=hvc0,115200 \
+  --karg systemd.journald.forward_to_console=1 \
+  -- \
+  --signtool sbsign \
+  --secureboot-private-key /run/secrets/secureboot_key \
+  --secureboot-certificate /tmp/db.crt \
+  --output /out/uki.efi
+ls -lh /out/
+EORUN
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    kver=$(bootc container inspect --json | jq -r '.kernel.version') && \
+    mkdir -p /boot/EFI/Linux && \
+    mv /out/uki.efi "/boot/EFI/Linux/${kver}.efi"
+
+# --- Final image: base rootfs + /boot from kernel stage ---
+FROM base
+COPY --from=kernel /boot /boot

Justfile

@@ -0,0 +1,94 @@
+# Justfile for sealed composefs UKI boot
+#
+# Builds a CentOS Stream 10 bootc host that boots with the composefs
+# backend (UKI + composefs digest + Secure Boot).
+#
+# Prerequisites: podman, openssl, just
+# For VM testing: bcvk (from bootc-dev/bcvk), virt-firmware (pip)
+
+# Local image name
+host_image := "localhost/sealed-host:latest"
+
+# Key material directory (for local dev; CI uses secrets)
+keys_dir := justfile_directory() + "/target/keys"
+
+# Generate Secure Boot keys (PK/KEK for enrollment, db for signing).
+# Copies db.crt into keys/ for committing to the repo.
+keygen:
+    #!/bin/bash
+    set -euo pipefail
+    python3 util/keys.py generate --output-dir "{{keys_dir}}"
+    mkdir -p keys/
+    cp "{{keys_dir}}/sb-db.crt" keys/db.crt
+    echo "keys/db.crt updated — commit it to the repo"
+
+# Build the sealed host image (composefs backend with signed UKI).
+# Only the db private key is a secret; db.crt is in the build context.
+build-host:
+    #!/bin/bash
+    set -euo pipefail
+    if [ ! -f "{{keys_dir}}/sb-db.key" ]; then
+        echo "No keys found. Run 'just keygen' first."
+        exit 1
+    fi
+    podman build -f Containerfile.host \
+        --secret id=secureboot_key,src="{{keys_dir}}/sb-db.key" \
+        -t "{{host_image}}" .
+    echo "Host image built: {{host_image}}"
+
+# Boot a VM with the composefs backend and verify.
+bcvk-ssh: build-host
+    #!/bin/bash
+    set -euo pipefail
+
+    VM_NAME="sealed-demo"
+
+    # Clean up any previous VM with this name
+    bcvk libvirt rm --stop --force "${VM_NAME}" 2>/dev/null || true
+
+    echo "==> Booting sealed host VM..."
+    bcvk libvirt run --detach --ssh-wait --name "${VM_NAME}" \
+        --filesystem=ext4 \
+        --secure-boot-keys "{{keys_dir}}" \
+        "{{host_image}}"
+
+    echo "==> Waiting for multi-user.target (timeout 120s)..."
+    bcvk libvirt ssh "${VM_NAME}" -- \
+        timeout 120 bash -c \
+            'systemctl is-active multi-user.target || journalctl -b --no-pager -o cat UNIT=multi-user.target --follow | grep -q -m1 "Reached target"'
+
+    echo "==> multi-user.target reached, running checks..."
+    bcvk libvirt ssh "${VM_NAME}" -- bash -c '
+        set -euo pipefail
+
+        echo "--- kernel ---"
+        uname -r
+
+        echo "--- root mount ---"
+        mount | grep " / " || true
+        if mount | grep -q "verity=require"; then
+            echo "  OK: composefs root with verity=require"
+        else
+            echo "  FAIL: composefs root not detected"
+            exit 1
+        fi
+
+        echo "--- cmdline ---"
+        cat /proc/cmdline
+
+        echo ""
+        echo "=== COMPOSEFS BOOT VERIFIED ==="
+    '
+
+    echo "==> Cleaning up VM..."
+    bcvk libvirt rm --stop --force "${VM_NAME}"
+    echo "Done."
+
+# Clean generated artifacts and VM
+clean:
+    #!/bin/bash
+    set -euo pipefail
+    bcvk libvirt rm --stop --force sealed-demo 2>/dev/null || true
+    rm -rf target/
+    podman rmi -f "{{host_image}}" 2>/dev/null || true
+    echo "Cleaned"