KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement Secure Boot with UKI in run.sh

Browse Source 
Add complete Secure Boot implementation:
- Generate PK/KEK/db keys during ISO build
- Build Unified Kernel Image (UKI) bundling kernel+initramfs+cmdline
- Sign UKI with db key for Secure Boot verification
- Include kernel lockdown mode in cmdline (lockdown=confidentiality)
- Copy .auth files to ISO for UEFI key enrollment

All Secure Boot logic is embedded in run.sh as an inline binary hook
created during the Docker build process - no separate scripts.

Required packages added: efitools, sbsigntools, systemd-boot, binutils

VM template updated with TPM v2.0 for Secure Boot measurements.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
2026-02-20 07:40:21 -05:00
parent e3e729af80
commit 169362ce3d
3 changed files with 577 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
vm/template.xml
View File

@@ -22,11 +22,11 @@
<timer name='pit' tickpolicy='delay'/>
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<tpm model='tpm-crb'>
<backend type='emulator' version='2.0'/>
</tpm>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='@VM_DISK@'/>