@cgwalters
Collaborator

  • The nvram path needs to be absolute (would be nice if we could pass this as a file descriptor instead, but hard to do AFAIK with libvirt today)
  • When a custom nvram is specified, we need to avoid using firmware="efi" as it's mutually exclusive with explicit <loader> paths
  • Also need to explicitly specify raw format for nvram

No tests yet, but I did test this locally as part of updating bootc's composefs+UKI integration test suite.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request fixes several issues with the custom secure boot logic for libvirt domains. The changes correctly avoid using the mutually exclusive firmware="efi" attribute when a custom OVMF path is specified, and add the necessary raw format attributes for both the loader and nvram elements. My review includes one suggestion to improve the robustness of path resolution for the nvram template, ensuring it works correctly regardless of the current working directory. Overall, the changes are well-targeted and address the described issues effectively.
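The three points from the PR description, as an added Rust example that is not bcvk's own code: it emits a libvirt `<os>` element that uses `firmware="efi"` only when no explicit firmware files are given, and otherwise writes absolute paths with `format="raw"`. The `CustomFirmware` type, the function names and all file paths are hypothetical.

```rust
use std::path::{Path, PathBuf};

/// Hypothetical input type: custom secure boot firmware files for one VM.
pub struct CustomFirmware {
    pub code: PathBuf,          // OVMF code image
    pub vars_template: PathBuf, // variable store used as the nvram template
    pub nvram: PathBuf,         // per-VM copy of the variable store
}

/// Resolve `p` against `cwd` so the daemon never sees a relative path,
/// then escape the result for use in XML attributes and element text.
fn absolute(cwd: &Path, p: &Path) -> String {
    let abs = if p.is_absolute() { p.to_path_buf() } else { cwd.join(p) };
    abs.display().to_string()
        .replace('&', "&amp;").replace('<', "&lt;")
        .replace('>', "&gt;").replace('"', "&quot;")
}

/// Build the <os> element. firmware="efi" (autoselection) is emitted only
/// when no explicit firmware files are given, since the two are exclusive.
pub fn os_element(cwd: &Path, fw: Option<&CustomFirmware>) -> String {
    let ty = "<type arch=\"x86_64\" machine=\"q35\">hvm</type>";
    let Some(fw) = fw else {
        return format!("<os firmware=\"efi\">{ty}</os>");
    };
    format!(
        "<os>{ty}\
         <loader readonly=\"yes\" secure=\"yes\" type=\"pflash\" format=\"raw\">{}</loader>\
         <nvram template=\"{}\" format=\"raw\">{}</nvram></os>",
        absolute(cwd, &fw.code),
        absolute(cwd, &fw.vars_template),
        absolute(cwd, &fw.nvram),
    )
}

fn main() {
    // Constructed sample paths; the relative one is resolved against cwd.
    let fw = CustomFirmware {
        code: "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd".into(),
        vars_template: "keys/OVMF_VARS_CUSTOM.fd".into(),
        nvram: "/var/tmp/vm1_VARS.fd".into(),
    };
    let cwd = std::env::current_dir().expect("cwd");
    println!("{}", os_element(&cwd, Some(&fw)));
    println!("{}", os_element(&cwd, None));
}
```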

cgwalters added a commit to gerblesh/bootc that referenced this pull request Dec 3, 2025
Main goal is to reduce signing logic duplication between the systemd-boot
and UKI generation.

However, this quickly snowballed into wanting to actually verify
by providing custom secure boot keys to bcvk that things worked.
This depends on bootc-dev/bcvk#170

Now as part of that, I ran into what I think are bugs in pesign;
this cuts things back over to using sbsign. I'll file a tracker for that
separately.

Finally as part of this, just remove the TMT example that builds
a sealed image but doesn't actually verify it works - it's already
drifted from what we do outside here. Ultimately what we need
is to shift some of this into the Fedora examples and we just
fetch it here anyways.

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <[email protected]>
@cgwalters cgwalters enabled auto-merge (rebase) December 4, 2025 00:55
cgwalters added a commit to gerblesh/bootc that referenced this pull request Dec 4, 2025
- The nvram path needs to be absolute (would be nice if we could
  pass this as a file descriptor instead, but hard to do AFAIK
  with libvirt today)
- When a custom nvram is specified, we need to avoid using firmware="efi"
  as it's mutually exclusive with explicit <loader> paths
- Also need to explicitly specify `raw` format for nvram

No tests yet, but I did test this locally as part of updating
bootc's composefs+UKI integration test suite.

Signed-off-by: Colin Walters <[email protected]>
@cgwalters cgwalters merged commit 5ff7bcc into bootc-dev:main Dec 5, 2025
7 checks passed
cgwalters added a commit to gerblesh/bootc that referenced this pull request Dec 5, 2025