ci: Test with secure boot enabled under mkosi

This gives us some nice test coverage for secure boot enrolling and the stub secure boot workound. The authenticated EFI variables are already created by mkosi, all we need to do is request secure boot to be used.
2024-07-21 02:05:05 +00:00 · 2023-01-31 18:53:28 +01:00 · 2023-01-31 18:53:28 +01:00 · 2de6cc18f9
parent c2aed1d16c
commit 2de6cc18f9
2 changed files with 10 additions and 1 deletions
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@ -95,8 +95,11 @@ jobs:
        KernelCommandLine=${{ env.KERNEL_CMDLINE }}
        EOF

+    - name: Generate secure boot key
+      run: sudo mkosi genkey
+
    - name: Build ${{ matrix.distro }}
-      run: sudo mkosi --idmap no
+      run: sudo mkosi --idmap no --secure-boot

    - name: Show ${{ matrix.distro }} image summary
      run: sudo mkosi summary
--- a/test/mkosi-check-and-shutdown.sh
+++ b/test/mkosi-check-and-shutdown.sh
@ -3,6 +3,12 @@

 systemctl --failed --no-legend | tee /failed-services

+# Check that secure boot keys were properly enrolled.
+if [[ -d /sys/firmware/efi/efivars/ ]]; then
+    cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+    cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
+fi
+
 # Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
 [[ ! -s /failed-services ]]