From 374fa8e8533e4834337a22613c7bada205dc1853 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Tue, 5 Mar 2024 11:49:30 +0100
Subject: [PATCH 1/4] mkosi: fix UKI addons test

The test hasn't been working for a while, since there's no /efi or /boot in $DESTDIR.

Resolves: #31618
---
 mkosi.images/base/mkosi.build.chroot | 12 ------------
 mkosi.images/system/mkosi.conf.d/10-arch.conf | 1 +
 .../system/mkosi.conf.d/10-debian-ubuntu.conf | 1 +
 mkosi.images/system/mkosi.conf.d/10-fedora.conf | 1 +
 mkosi.images/system/mkosi.conf.d/10-opensuse.conf | 1 +
 mkosi.images/system/mkosi.postinst.chroot | 11 ++++++++++-
 6 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot
index ce3c8e2577..24362970ae 100755
--- a/mkosi.images/base/mkosi.build.chroot
+++ b/mkosi.images/base/mkosi.build.chroot
@@ -169,15 +169,3 @@ if [ "$WITH_TESTS" = 1 ]; then
 fi
 
 ( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
-
-# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
-if [ -d "${DESTDIR}/boot/loader" ]; then
- addons_dir="${DESTDIR}/boot/loader/addons"
-elif [ -d "${DESTDIR}/efi/loader" ]; then
- addons_dir="${DESTDIR}/efi/loader/addons"
-fi
-if [ -n "${addons_dir}" ]; then
- mkdir -p "${addons_dir}"
- ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
- ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
-fi
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf
index e1a511c979..a3d008d10f 100644
--- a/mkosi.images/system/mkosi.conf.d/10-arch.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-arch.conf
@@ -23,5 +23,6 @@ Packages=
 python-pytest
 python3
 quota-tools
+ sbsigntools
 shadow
 vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
index 348bdb2992..d6e3f20222 100644
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
@@ -19,6 +19,7 @@ Packages=
 netcat-openbsd
 openssh-server
 openssh-client
+ sbsigntool
 passwd
 policykit-1
 procps
diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
index 5863f03b19..7554ad2dc3 100644
--- a/mkosi.images/system/mkosi.conf.d/10-fedora.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
@@ -9,3 +9,4 @@ Packages=
 compsize
 f2fs-tools
 glibc-langpack-en
+ sbsigntools
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
index 71434b4560..ffcb664224 100644
--- a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
@@ -20,5 +20,6 @@ Packages=
 python3-psutil
 python3-pytest
 quota
+ sbsigntools
 shadow
 vim
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index 692242da38..330fa3b73e 100755
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 set -e
@@ -100,3 +100,12 @@ mkdir -p /usr/lib/tmpfiles.d
 cat >/usr/lib/tmpfiles.d/testuser.conf </dev/null; then
+ # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+ addons_dir=/efi/loader/addons
+ mkdir -p "$addons_dir"
+ ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+ ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi

From d9c8cf40b5c920ae59a02fa2bab32e93dad33542 Mon Sep 17 00:00:00 2001
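Review bot: The two `ukify build` calls in the mkosi.postinst.chroot hunk sign with the relative paths `mkosi.key` and `mkosi.crt`, so whether signing works depends on the working directory mkosi starts the postinst script in; if that convention changes, `set -e` aborts the whole image build on an opaque ukify error instead of saying what is missing. A guard before the first call, `[ -f mkosi.key ] && [ -f mkosi.crt ] || { echo "addon test: signing key/cert not found in $PWD" >&2; exit 1; }`, would make the failure explicit. The negative case only covers an unsigned addon; an additional addon signed with a key that is not enrolled would confirm that the loader rejects an untrusted signature rather than merely a missing one, which is the stronger secure-boot property this test is meant to pin. The first lines of that hunk (the tmpfiles heredoc and the `if` guard on sbsign) are garbled in this copy, so the exact gating condition is inferred from the check in the next patch.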
From: Frantisek Sumsal
Date: Tue, 5 Mar 2024 11:51:52 +0100
Subject: [PATCH 2/4] Revert "mkosi: Disable cmdline addon test for now"

Let's see if this finally works.

This reverts commit e167a8283d5964ca0f903b3e362ab7e48a1ed2ab.
---
 .../usr/lib/systemd/mkosi-check-and-shutdown.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
index 9bb246263e..07caa6817e 100755
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -10,9 +10,12 @@ systemctl --failed --no-legend | tee /failed-services
 if ! systemd-detect-virt --container; then
 cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
 cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
- # TODO: Figure out why this is failing
- # grep -q this_should_be_here /proc/cmdline
- # grep -q this_should_not_be_here /proc/cmdline && exit 1
+
+ if command -v sbsign &>/dev/null; then
+ cat /proc/cmdline
+ grep -q this_should_be_here /proc/cmdline
+ (! grep -q this_should_not_be_here /proc/cmdline)
+ fi
 fi
 
 # Exit with non-zero EC if the /failed-services file is not empty (we have -e set)

From 193fa9d7fe383801bf3ff53e5ee5a2c52107270f Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Tue, 5 Mar 2024 12:18:40 +0100
Subject: [PATCH 3/4] Revert "mkosi: Don't fail on systemd-vconsole-setup.service failure for now"

This doesn't seem to fail anymore.

This reverts commit 84c7929cd461f6f1cc2c44c69877b9fd0676c794.
---
 .../mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh | 3 ---
 1 file changed, 3 deletions(-)
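Review bot: The subshell around `! grep -q this_should_not_be_here /proc/cmdline` is load-bearing and deserves a comment: under `set -e` (the file runs with `#!/bin/bash -eux`, visible as context in the next patch's hunk) a bare `!`-negated command never triggers an exit, so the parenthesised form is the only thing that turns a matching grep into a test failure. Suggest `# subshell: a bare '! cmd' is exempt from set -e, this form is not` on the line above it. When `sbsign` is absent the whole addon check is skipped with no output, and since the postinst script appears to create the addons under the same condition, a distro where the package failed to install would pass silently; an `else echo "sbsign missing, addon cmdline test skipped" >&2` branch would keep that visible in the test log. The `cat /proc/cmdline` is presumably there as diagnostic output and is worth a word in the same comment.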
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
index 07caa6817e..e0fcf30498 100755
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -1,9 +1,6 @@
 #!/bin/bash -eux
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
-# TODO: Figure out why this is failing
-systemctl reset-failed systemd-vconsole-setup.service
-
 systemctl --failed --no-legend | tee /failed-services
 
 # Check that secure boot keys were properly enrolled.

From e86b1a9b0f1d2fc150edde18ea6f748b9423df3c Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Tue, 5 Mar 2024 12:41:30 +0100
Subject: [PATCH 4/4] mkosi: make shellcheck happy

---
 mkosi.images/base/mkosi.build.chroot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot
index 24362970ae..b59f339b11 100755
--- a/mkosi.images/base/mkosi.build.chroot
+++ b/mkosi.images/base/mkosi.build.chroot
@@ -8,7 +8,7 @@ set -e
 # We don't want to install our build of systemd in the base image, but use it as an extra tree for the
 # initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
 # an extra tree in the initrd and system image builds.
-DESTDIR="$OUTPUTDIR/systemd"
+export DESTDIR="$OUTPUTDIR/systemd"
 
 # If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
 # as out-of-tree build dir. Otherwise, let's make up our own builddir.
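Review bot: The `export` on `DESTDIR` in the mkosi.build.chroot hunk reads like a functional change, but if mkosi already exports DESTDIR into the script's environment, as the word "override" in the comment above suggests, the assignment keeps the existing export attribute and the keyword only silences shellcheck's unused-variable warning (presumably SC2034), which matches the commit subject. A future reader may drop it as redundant, so the intent belongs in the comment, e.g. `# 'export' keeps shellcheck from treating DESTDIR as unused; meson install reads it from the environment.` The `meson install` call that consumes the variable is outside this hunk.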