Merge branch 'main' into test_qemu

.dockerignore

@@ -0,0 +1,5 @@
+.devcontainer
+.github
+.gitignore
+action.yml
+Containerfile

.github/workflows/build-and-test.yml

@@ -15,6 +15,9 @@ env:
   IMAGE_REPO: 'quay.io/fedora-ostree-desktops'
   VERSION: '39'
   VARIANT: 'Server'
+  SECURE_BOOT_KEY_URL: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der'
+  ENROLLMENT_PASSWORD: 'container-installer'
+
 
 jobs:
   build-container:
@@ -87,6 +90,8 @@ jobs:
           image_repo: ${{ env.IMAGE_REPO}}
           version: ${{ env.VERSION }}
           variant: ${{ env.VARIANT }}
+          secure_boot_key_url: ${{ env.SECURE_BOOT_KEY_URL }}
+          enrollment_password: ${{ env.ENROLLMENT_PASSWORD }}
 
       - name: Rename ISO
         run: |

Containerfile

@@ -11,10 +11,7 @@ ENV VERSION="${VERSION}"
 ENV WEB_UI="false"
 
 RUN mkdir /build-container-installer
-COPY /lorax_templates /build-container-installer/lorax_templates
+COPY / /build-container-installer/
-COPY /xorriso /build-container-installer/xorriso
-COPY /Makefile /build-container-installer
-COPY /entrypoint.sh /
 
 WORKDIR /build-container-installer
 
@@ -22,5 +19,5 @@ RUN dnf install -y make && make install-deps
 
 VOLUME /build-container-installer/build
 
-ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
+ENTRYPOINT ["/bin/bash", "/build-container-installer/entrypoint.sh"]
 

Makefile

@@ -8,6 +8,8 @@ IMAGE_TAG = $(VERSION)
 VARIANT = Server
 WEB_UI = false
 REPOS = /etc/yum.repos.d/fedora.repo /etc/yum.repos.d/fedora-updates.repo
+ENROLLMENT_PASSWORD =
+SECURE_BOOT_KEY_URL =
 ADDITIONAL_TEMPLATES = ""
 ROOTFS_SIZE = 4
 
@@ -19,7 +21,7 @@ _IMAGE_REPO_DOUBLE_ESCAPED = $(subst \,\\\,$(_IMAGE_REPO_ESCAPED))
 _VOLID = $(firstword $(subst -, ,$(IMAGE_NAME)))-$(ARCH)-$(IMAGE_TAG)
 _REPO_FILES = $(subst /etc/yum.repos.d,repos,$(REPOS))
 _LORAX_TEMPLATES = $(subst .in,,$(shell ls lorax_templates/*.tmpl.in)) $(foreach file,$(shell ls lorax_templates/scripts/post),lorax_templates/post_$(file).tmpl)
-_TEMPLATE_VARS = ARCH VERSION IMAGE_REPO IMAGE_NAME IMAGE_TAG VARIANT WEB_UI REPOS _IMAGE_REPO_ESCAPED _IMAGE_REPO_DOUBLE_ESCAPED
+_TEMPLATE_VARS = ARCH VERSION IMAGE_REPO IMAGE_NAME IMAGE_TAG VARIANT WEB_UI REPOS _IMAGE_REPO_ESCAPED _IMAGE_REPO_DOUBLE_ESCAPED ENROLLMENT_PASSWORD
 
 ifeq ($(VARIANT),Server)
 _LORAX_ARGS = --macboot --noupgrade
@@ -44,19 +46,30 @@ lorax_templates/post_%.tmpl: lorax_templates/scripts/post/%
 	$(eval _ISO_FILE = usr/share/anaconda/interactive-defaults.ks)
 	
 	header=0; \
+	skip=0; \
 	while read -r line; \
 	do \
-	  if [[ $$line =~ ^\<\% ]]; \
+		if [[ $$line =~ ^\<\% ]]; \
-	  then \
+		then \
 			echo $$line >> lorax_templates/post_$*.tmpl; \
 			echo >> lorax_templates/post_$*.tmpl; \
-	  else \
+		else \
-		  if [[ $$header == 0 ]]; \
+			if [[ $$header == 0 ]]; \
 			then \
-			  echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \
+				if [[ $$line =~ ^##\ (.*)$$ ]]; \
+				then \
+					echo "append $(_ISO_FILE) \"%post --erroronfail $${BASH_REMATCH[1]}\"" >> lorax_templates/post_$*.tmpl; \
+					skip=1; \
+				else \
+					echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \
+				fi; \
 				header=1; \
 			fi; \
-	    echo "append $(_ISO_FILE) \"$$line\"" >> lorax_templates/post_$*.tmpl; \
+			if [[ $$skip == 0 ]]; \
+			then \
+				echo "append $(_ISO_FILE) \"$${line//\"/\\\"}\"" >> lorax_templates/post_$*.tmpl; \
+			fi; \
+			skip=0; \
 		fi; \
 	done < lorax_templates/scripts/post/$*
 	echo "append $(_ISO_FILE) \"%end\"" >> lorax_templates/post_$*.tmpl
@@ -65,18 +78,30 @@ lorax_templates/post_%.tmpl: lorax_templates/scripts/post/%
 	$(eval _ISO_FILE = usr/share/anaconda/post-scripts/configure_upgrades.ks)
 
 	header=0; \
+	skip=0; \
 	while read -r line; \
 	do \
-	  if [[ $$line =~ ^\<\% ]]; \
+		if [[ $$line =~ ^\<\% ]]; \
-	  then \
+		then \
+			echo $$line >> lorax_templates/post_$*.tmpl; \
 			echo >> lorax_templates/post_$*.tmpl; \
-	  else \
+		else \
-		  if [[ $$header == 0 ]]; \
+			if [[ $$header == 0 ]]; \
 			then \
-			  echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \
+				if [[ $$line =~ ^##\ (.*)$$ ]]; \
+				then \
+					echo "append $(_ISO_FILE) \"%post --erroronfail $${BASH_REMATCH[1]}\"" >> lorax_templates/post_$*.tmpl; \
+					skip=1; \
+				else \
+					echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \
+				fi; \
 				header=1; \
 			fi; \
-	    echo "append $(_ISO_FILE) \"$$line\"" >> lorax_templates/post_$*.tmpl; \
+			if [[ $$skip == 0 ]]; \
+			then \
+				echo "append $(_ISO_FILE) \"$${line//\"/\\\"}\"" >> lorax_templates/post_$*.tmpl; \
+			fi; \
+			skip=0; \
 		fi; \
 	done < lorax_templates/scripts/post/$*
 	echo "append $(_ISO_FILE) \"%end\"" >> lorax_templates/post_$*.tmpl
@@ -100,6 +125,13 @@ repos/%.repo: /etc/yum.repos.d/%.repo
 boot.iso: $(_LORAX_TEMPLATES) $(_REPO_FILES)
 	rm -Rf $(_BASE_DIR)/results || true
 	rm /etc/rpm/macros.image-language-conf || true
+
+	# Download the secure boot key
+	if [ -n "$(SECURE_BOOT_KEY_URL)" ]; \
+	then \
+    	curl --fail -L -o $(_BASE_DIR)/sb_pubkey.der $(SECURE_BOOT_KEY_URL); \
+	fi
+
 	lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
 		--isfinal --squashfs-only --buildarch=$(ARCH) --volid=$(_VOLID) \
 		$(_LORAX_ARGS) \

action.yml

@@ -29,6 +29,13 @@ inputs:
     description: Enable Anaconda WebUI
     required: false
     default: "false"
+  enrollment_password:
+    description: Used for supporting secure boot (requires SECURE_BOOT_KEY_URL to be defined)
+    required: false
+    default: "container-installer"
+  secure_boot_key_url:
+    description: Secure boot key that is installed from URL location
+    required: false
   action_version:
     description: Version of the action container to run
     deprecationMessage: No longer used. github.action_ref replaces the need for this. Will be removed in a future version.
@@ -54,5 +61,7 @@ runs:
           VERSION=${{ inputs.version }} \
           IMAGE_TAG=${{ inputs.image_tag || inputs.version }} \
           WEB_UI=${{ inputs.web_ui }} \
+          ENROLLMENT_PASSWORD=${{ inputs.enrollment_password }} \
+          SECURE_BOOT_KEY_URL=${{ inputs.secure_boot_key_url }} \
           "ADDITIONAL_TEMPLATES=${{ inputs.additional_templates }}"
 

lorax_templates/scripts/post/enroll-secureboot-key

@@ -0,0 +1,26 @@
+<%page args="enrollment_password "/>
+## --nochroot
+
+set -oue pipefail
+
+readonly ENROLLMENT_PASSWORD=${enrollment_password}
+readonly SECUREBOOT_KEY="/run/install/repo/sb_pubkey.der"
+
+if [[ ! -d "/sys/firmware/efi" ]]; then
+	echo "EFI mode not detected. Skipping key enrollment."
+	exit 0
+fi
+
+if [[ ! -f "$SECUREBOOT_KEY" ]]; then
+	echo "Secure boot key not provided: $SECUREBOOT_KEY"
+	exit 0
+fi
+
+SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"
+if [[ ":Jupiter:Galileo:" =~ ":$SYS_ID:" ]]; then
+	echo "Steam Deck hardware detected. Skipping key enrollment."
+	exit 0
+fi
+
+mokutil --timeout -1 || :
+echo -e "$ENROLLMENT_PASSWORD\n$ENROLLMENT_PASSWORD" | mokutil --import "$SECUREBOOT_KEY" || :

xorriso/gen_input.sh.in

@@ -5,12 +5,14 @@ echo "-outdev $(pwd)/build/deploy.iso"
 echo "-boot_image any replay"
 echo "-joliet on"
 echo "-compliance joliet_long_names"
-pushd container > /dev/null
+if [ -f $(pwd)/sb_pubkey.der ]; then
-for file in $(find ${IMAGE_NAME}-${IMAGE_TAG})
+	echo "-map $(pwd)/sb_pubkey.der sb_pubkey.der"
-do
+	echo "-chmod 0444 /sb_pubkey.der"
-    echo "-map $(pwd)/${file} ${file}"
+fi
-    echo "-chmod 0444 ${file}"
+pushd container >/dev/null
+for file in $(find ${IMAGE_NAME}-${IMAGE_TAG}); do
+	echo "-map $(pwd)/${file} ${file}"
+	echo "-chmod 0444 ${file}"
 done
 popd > /dev/null
 echo "-end"
-