vm_create() now handles swtpm initialization gracefully:
- Pre-initializes swtpm state dir if /var/lib/libvirt/swtpm/ is writable
- Falls back to VM without TPM if swtpm setup fails (with clear warnings)
- Uses PID-suffixed paths for disk and ISO to avoid stale file conflicts
- Removed unused VM_DISK_PATH/VM_ISO_PATH globals (now local vars)
vm_destroy() cleanup:
- No longer references undefined local variables from vm_create
- Uses glob patterns to clean all VM files in /tmp/
- Explicitly preserves ISO in output/
Template changes:
- TPM is now @TPM_SECTION@ placeholder (injected based on swtpm availability)
- Allows same template to work with or without TPM
AGENTS.md additions:
- VM testing & swtpm setup documentation
- Direct QEMU alternative when libvirt has issues
- Session lessons: never delete ISO, never remove TPM, always test E2E
All 523 unit tests pass, 0 lint warnings.
💘 Generated with Crush
Assisted-by: GLM-5.1 via Crush <crush@charm.land>
systemd-boot and GRUB EFI conflict during package configuration.
systemd-boot also fails to configure in chroot (no efivars available).
Using GRUB with shim-signed for UEFI Secure Boot instead.
Changes:
- config/package-lists: Remove systemd-boot, systemd-boot-efi
- tests/unit/secureboot_test.bats: Update test for GRUB instead
Reference: Build failure in binary phase
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>
The package name in Debian repositories is sbsigntool (singular), not
sbsigntools (plural). This typo was causing ISO builds to fail with:
E: Unable to locate package sbsigntools
Files fixed:
- config/package-lists/knel-football.list.chroot - package list
- tests/unit/secureboot_test.bats - test reference
- docs/TEST-COVERAGE.md - documentation
- docs/PRD.md - requirements documentation
Reference: Security audit FINDING-007 (test coverage)
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
