Add UKI (systemd-boot + Type 2) support

cbootc install to-disk --uki now produces a true Unified Kernel Image:
- prepare-boot writes a Type 1 BLS entry to the XBOOTLDR to extract the
  kernel, initramfs, and the correct install-time composefs= hash
- ukify build embeds all three into a single .efi on the ESP (EFI/Linux/)
  where systemd-boot always scans, avoiding XBOOTLDR discovery issues
- Type 1 artifacts (.conf + kernel dir) are removed after the UKI is built

This solves the hash circularity problem: build-time directory hashing and
install-time OCI hashing produce different values, so the hash must be
computed at install time and then embedded — not pre-baked into the image.

Other changes:
- Containerfile.base: add systemd-ukify to rootfs-uki stage; split into
  grub/uki named targets with shared rootfs-common base
- upgrade.rs: detect UKI system via /boot/efi/EFI/Linux; call build_uki
  after prepare-boot to keep upgrades in sync
- rollback.rs: scan /boot/efi/EFI/Linux/*.efi; use bootctl set-next
- container.yml: push fedora-44-uki image alongside fedora-44
- e2e.yml: add UKI build/install/test steps with writable OVMF VARS
- tests/e2e.py: fix UKI .efi path (/boot/efi/EFI/Linux), pass VARS in UKI mode
- README: document install-time cmdline embedding and VARS requirement

Author: henrywang

.github/workflows/container.yml

@@ -27,12 +27,24 @@ jobs:
 
       # Build the base image and push it.  The build is slow (dnf + dracut)
       # so GHA layer cache is critical for subsequent runs.
-      - name: Build and push composefs-os:fedora-44
+      - name: Build and push composefs-os:fedora-44 (GRUB)
         uses: docker/build-push-action@v6
         with:
           context: .
           file: Containerfile.base
+          target: grub
           push: true
           tags: ghcr.io/${{ github.repository_owner }}/composefs-os:fedora-44
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      - name: Build and push composefs-os:fedora-44-uki (systemd-boot + UKI)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Containerfile.base
+          target: uki
+          push: true
+          tags: ghcr.io/${{ github.repository_owner }}/composefs-os:fedora-44-uki
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/e2e.yml

@@ -84,6 +84,46 @@ jobs:
         run: |
           python3 tests/e2e.py --secure-boot disk-sb.raw
 
+      - name: Build UKI base image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Containerfile.base
+          target: uki
+          push: false
+          load: true
+          tags: composefs-os:fedora-44-uki
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Load UKI base image into podman
+        run: |
+          sudo skopeo copy \
+            docker-daemon:composefs-os:fedora-44-uki \
+            containers-storage:localhost/composefs-os:fedora-44-uki
+
+      - name: Build UKI test image
+        run: |
+          sudo podman build \
+            --build-arg BASE_IMAGE=localhost/composefs-os:fedora-44-uki \
+            -t composefs-os-uki-test:latest \
+            -f examples/fedora/Containerfile .
+
+      - name: Install to disk image (UKI)
+        run: |
+          sudo podman run --rm --privileged \
+            -v ${{ github.workspace }}:/output \
+            -v /var/lib/containers:/var/lib/containers \
+            -v /var/tmp:/var/tmp \
+            composefs-os-uki-test:latest \
+            cbootc install to-disk /output/disk-uki.raw --size 5G --uki
+
+      - name: Run e2e tests (UKI)
+        run: |
+          OVMF=$(find /usr/share -name 'OVMF_CODE*.fd' ! -name '*VARS*' ! -name '*.secboot*' ! -name '*.ms.*' | head -1)
+          OVMF_VARS=$(find /usr/share -name 'OVMF_VARS.fd' ! -name '*.secboot*' ! -name '*.ms.*' | head -1)
+          python3 tests/e2e.py --ovmf "$OVMF" --ovmf-vars "$OVMF_VARS" --uki disk-uki.raw
+
       - name: Upload disk images on failure
         if: failure()
         uses: actions/upload-artifact@v4
@@ -92,4 +132,5 @@ jobs:
           path: |
             disk.raw
             disk-sb.raw
+            disk-uki.raw
           retention-days: 1

Containerfile.base

@@ -1,14 +1,12 @@
-# composefs-os:fedora-44 — Base image for composefs-rs bootable Fedora 44 systems.
+# composefs-os:fedora-44 — Base images for composefs-rs bootable Fedora 44 systems.
 #
-# This image contains the kernel, systemd, grub2, composefs toolchain (cfsctl,
-# composefs-setup-root, dracut module), and cbootc. /etc and /var are left
-# intact so derived images can use dnf normally.
+# Two named targets are available (default: grub):
+#   --target grub  GRUB-based boot (shim → grub2, BLS Type 1)
+#   --target uki   systemd-boot + UKI (BLS Type 2, cmdline embedded at build time)
 #
-# Derived images require no special build steps — just FROM this image, install
-# packages, add LABEL containers.bootc=1, and build. The composefs layout
-# transformation happens at install time via 'cbootc install to-disk'.
-#
-# Build: podman build -t composefs-os:fedora-44 -f Containerfile.base .
+# Build:
+#   podman build -t composefs-os:fedora-44       -f Containerfile.base .          # GRUB
+#   podman build -t composefs-os:fedora-44-uki   --target uki -f Containerfile.base .
 
 # ---------------------------------------------------------------------------
 # Stage 0a: Build cbootc
@@ -30,9 +28,9 @@ RUN cargo build --release -p composefs-ctl && \
     cargo build --release -p composefs-setup-root --no-default-features
 
 # ---------------------------------------------------------------------------
-# Stage 1: Bootstrap Fedora 44 rootfs via dnf --installroot
+# Stage 1: Bootstrap Fedora 44 rootfs (common to both boot styles)
 # ---------------------------------------------------------------------------
-FROM quay.io/fedora/fedora:44 AS rootfs-builder
+FROM quay.io/fedora/fedora:44 AS rootfs-common
 
 # Install dracut on the builder for 'dracut --sysroot /rootfs'
 RUN dnf install -y dracut && dnf clean all
@@ -49,8 +47,6 @@ RUN dnf install -y \
         NetworkManager iproute iputils hostname \
         dnf5 rpm \
         e2fsprogs dosfstools btrfs-progs \
-        grub2-efi-x64 grub2-efi-x64-modules grub2-tools grub2-tools-minimal \
-        shim-x64 efibootmgr \
         fsverity-utils \
         dracut \
         podman skopeo \
@@ -154,10 +150,7 @@ RUN KVER=$(ls /rootfs/usr/lib/modules | head -1) && \
        [ ! -f "/rootfs/usr/lib/modules/$KVER/vmlinuz" ]; then \
         cp "/rootfs/boot/vmlinuz-$KVER" \
            "/rootfs/usr/lib/modules/$KVER/vmlinuz"; \
-    fi && \
-    mkdir -p /rootfs/usr/share/efi && \
-    cp -r /rootfs/boot/efi/EFI /rootfs/usr/share/efi/ && \
-    rm -rf /rootfs/boot/*
+    fi
 
 # ---------------------------------------------------------------------------
 # Install cfsctl, cbootc, and update units
@@ -192,17 +185,64 @@ RUN mkdir -p /rootfs/sysroot && \
     ln -sf var/srv  /rootfs/srv
 
 # ---------------------------------------------------------------------------
-# Final stage — /etc and /var intact so derived images can use dnf normally.
-# No cfs-layout-apply step is required in derived images; cbootc install
-# to-disk handles the composefs layout transformation at install time.
+# Stage 2a: GRUB — add bootloader packages, copy EFI binaries, clear /boot
+# ---------------------------------------------------------------------------
+FROM rootfs-common AS rootfs-grub
+RUN dnf install -y \
+        --installroot /rootfs \
+        --use-host-config \
+        --releasever 44 \
+        --setopt=install_weak_deps=False \
+        grub2-efi-x64 grub2-efi-x64-modules grub2-tools grub2-tools-minimal \
+        shim-x64 efibootmgr \
+    && dnf clean all --installroot /rootfs --use-host-config
+RUN mkdir -p /rootfs/usr/share/efi && \
+    cp -r /rootfs/boot/efi/EFI /rootfs/usr/share/efi/ && \
+    rm -rf /rootfs/boot/*
+
+# ---------------------------------------------------------------------------
+# Stage 2b: systemd-boot — add systemd-boot-unsigned, clear /boot
+# Boot entries (BLS Type 1) are written by cfsctl oci prepare-boot at
+# install time, same as the GRUB path.  No UKI pre-build is needed here:
+# a pre-built UKI would embed a build-time composefs hash, but prepare-boot
+# computes the hash from the OCI image (different code path, different hash).
 # ---------------------------------------------------------------------------
-FROM scratch
-COPY --from=rootfs-builder /rootfs /
+FROM rootfs-common AS rootfs-uki
+RUN dnf install -y \
+        --installroot /rootfs \
+        --use-host-config \
+        --releasever 44 \
+        --setopt=install_weak_deps=False \
+        systemd-boot-unsigned \
+        systemd-ukify \
+    && dnf clean all --installroot /rootfs --use-host-config
+RUN rm -rf /rootfs/boot/*
+
+# ---------------------------------------------------------------------------
+# Final stage: GRUB (default target, backward-compat)
+# ---------------------------------------------------------------------------
+FROM scratch AS grub
+COPY --from=rootfs-grub /rootfs /
 
 LABEL containers.bootc=1
 LABEL composefs.backend=cfs-rs
 LABEL org.opencontainers.image.title="Fedora CFS Base"
-LABEL org.opencontainers.image.description="Base image for composefs-rs bootable Fedora 44 systems"
+LABEL org.opencontainers.image.description="Base image for composefs-rs bootable Fedora 44 systems (GRUB)"
+LABEL org.opencontainers.image.version="44"
+
+CMD ["/sbin/init"]
+
+# ---------------------------------------------------------------------------
+# Final stage: UKI (--target uki)
+# ---------------------------------------------------------------------------
+FROM scratch AS uki
+COPY --from=rootfs-uki /rootfs /
+
+LABEL containers.bootc=1
+LABEL composefs.backend=cfs-rs
+LABEL cbootc.boot-style=uki
+LABEL org.opencontainers.image.title="Fedora CFS Base (UKI)"
+LABEL org.opencontainers.image.description="Base image for composefs-rs bootable Fedora 44 systems (systemd-boot + UKI)"
 LABEL org.opencontainers.image.version="44"
 
 CMD ["/sbin/init"]

README.md

@@ -19,11 +19,12 @@ See [DESIGN.md](DESIGN.md) for rationale and architecture.
 
 ## Available Images
 
-| Image | Status |
-|-------|--------|
-| `ghcr.io/henrywang/composefs-os:fedora-44` | Working |
-| Ubuntu | Planned |
-| Arch Linux | Planned |
+| Image | Boot style | Status |
+|-------|-----------|--------|
+| `ghcr.io/henrywang/composefs-os:fedora-44` | GRUB (BLS Type 1) | Working |
+| `ghcr.io/henrywang/composefs-os:fedora-44-uki` | systemd-boot + UKI (BLS Type 2) | Working |
+| Ubuntu | — | Planned |
+| Arch Linux | — | Planned |
 
 
 ## Quick Start
@@ -70,8 +71,37 @@ qemu-system-x86_64 -enable-kvm -m 4096 \
     -nographic
 ```
 
-The same base image works for both modes — the EFI chain difference is handled
-entirely at install time.
+The same GRUB base image works for both modes — the EFI chain difference is
+handled entirely at install time.
+
+### UKI (Unified Kernel Image)
+
+The `-uki` image uses systemd-boot and BLS Type 2 entries: a single `.efi` file
+bundles the kernel, initramfs, and `composefs=` cmdline. The cmdline (including
+the composefs hash) is embedded at **install time** by `cbootc install to-disk`,
+so there is no separate `.conf` file and no writable grubenv.
+
+Pass `--uki` to `cbootc install to-disk` when using the UKI image:
+
+```sh
+sudo podman run --rm --privileged \
+    -v $(pwd):/output \
+    -v /var/lib/containers:/var/lib/containers \
+    -v /var/tmp:/var/tmp \
+    ghcr.io/henrywang/composefs-os:fedora-44-uki \
+    cbootc install to-disk /output/disk-uki.raw --size 10G --uki
+
+# A writable VARS file is needed for EFI variables (random seed, bootctl set-next)
+cp /usr/share/edk2/ovmf/OVMF_VARS.fd /tmp/OVMF_VARS.fd
+qemu-system-x86_64 -enable-kvm -m 4096 \
+    -drive file=disk-uki.raw,if=virtio \
+    -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/ovmf/OVMF_CODE.fd \
+    -drive if=pflash,format=raw,file=/tmp/OVMF_VARS.fd \
+    -nographic
+```
+
+`cbootc rollback` automatically detects the boot style — it uses
+`bootctl set-next` on UKI systems and `grub2-editenv` on GRUB systems.
 
 ## Building a Custom Image
 
@@ -120,7 +150,7 @@ survives upgrades. `cbootc-update.timer` (enabled in the base image) runs
 
 ```
 composefs-os/
-  Containerfile.base         Builds the bootable Fedora 44 base image
+  Containerfile.base         Builds Fedora 44 base images (--target grub | uki)
   src/                       cbootc source (Rust)
   units/
     cbootc-update.service    Systemd service for automatic upgrades
@@ -162,14 +192,18 @@ the running system.
 
 ### Rollback
 
-`cbootc rollback` selects the previous deployment for the next boot by writing
-`next_entry` to `/boot/grub2/grubenv`. Run `systemctl reboot` to apply it.
+`cbootc rollback` selects the previous deployment for the next boot.
+Run `systemctl reboot` to apply it.
 
-If rollback itself fails to boot, use the GRUB menu to select the older BLS
-entry manually — each deployment keeps its own entry in `/boot/loader/entries/`.
+- **GRUB systems**: writes `next_entry` to `/boot/grub2/grubenv`. If rollback
+  fails to boot, use the GRUB menu to pick the older BLS entry manually from
+  `/boot/loader/entries/`.
+- **UKI/systemd-boot systems**: calls `bootctl set-next` to set the
+  `LoaderEntryOneShot` EFI variable. If rollback fails to boot, use the
+  systemd-boot menu (hold Space at startup) to pick the older `.efi` entry.
 
-Old deployment boot files (`/boot/<digest>/`) accumulate across upgrades and
-are not pruned automatically. Remove them manually when disk space is a concern.
+Old deployment boot files accumulate across upgrades and are not pruned
+automatically. Remove them manually when disk space is a concern.
 
 ### x86-64 only