boot: skip loading DTBs in type 1 when secure boot is enabled #489
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # vi: ts=2 sw=2 et: | |
| # SPDX-License-Identifier: LGPL-2.1-or-later | |
| # Simple boot tests that build and boot the mkosi images generated by the mkosi config files in mkosi.default.d/. | |
| name: mkosi | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - v[0-9]+-stable | |
| paths: | |
| - '**' | |
| - '!README*' | |
| - '!LICENSE*' | |
| - '!LICENSES/**' | |
| - '!TODO' | |
| - '!docs/**' | |
| - '!man/**' | |
| - '!catalog/**' | |
| - '!shell-completion/**' | |
| - '!po/**' | |
| - '!.**' | |
| - '.github/**' | |
| pull_request: | |
| branches: | |
| - main | |
| - v[0-9]+-stable | |
| paths: | |
| - '**' | |
| - '!README*' | |
| - '!LICENSE*' | |
| - '!LICENSES/**' | |
| - '!TODO' | |
| - '!docs/**' | |
| - '!man/**' | |
| - '!catalog/**' | |
| - '!shell-completion/**' | |
| - '!po/**' | |
| - '!.**' | |
| - '.github/**' | |
| permissions: | |
| contents: read | |
| env: | |
| # Enable debug logging in systemd, but keep udev's log level to info, | |
| # since it's _very_ verbose in the QEMU task | |
| # Disable the ISC DHCP servers, as they are failing in Ubuntu | |
| KERNEL_CMDLINE: "systemd.unit=mkosi-check-and-shutdown.service !quiet systemd.log_level=debug systemd.log_target=console udev.log_level=info systemd.default_standard_output=journal+console systemd.mask=isc-dhcp-server6.service systemd.mask=isc-dhcp-server.service" | |
| jobs: | |
| ci: | |
| runs-on: ubuntu-22.04 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.release }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - distro: arch | |
| release: rolling | |
| - distro: debian | |
| release: testing | |
| - distro: ubuntu | |
| release: jammy | |
| - distro: fedora | |
| release: "37" | |
| - distro: fedora | |
| release: rawhide | |
| - distro: opensuse | |
| release: tumbleweed | |
| - distro: centos | |
| release: "9" | |
| steps: | |
| - name: mkosi dependencies | |
| run: sudo apt-get install --assume-yes --no-install-recommends python3-pyelftools | |
| - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - uses: systemd/mkosi@4be912b0fa4931403fddf649aa242cd4406471c4 | |
| - name: Configure | |
| run: | | |
| tee mkosi.default <<- EOF | |
| [Distribution] | |
| Distribution=${{ matrix.distro }} | |
| Release=${{ matrix.release }} | |
| SecureBoot=yes | |
| [Content] | |
| Environment=CI_BUILD=1 | |
| [Output] | |
| KernelCommandLine=${{ env.KERNEL_CMDLINE }} | |
| EOF | |
| # TODO: Remove once archlinux-keyring is updated in ppa:michel-slm/kernel-utils. | |
| tee mkosi.conf.d/arch/11-arch-keyring.conf <<- EOF | |
| [Distribution] | |
| Distribution=arch | |
| RepositoryKeyCheck=no | |
| EOF | |
| - name: Generate secure boot key | |
| run: mkosi genkey | |
| - name: Build ${{ matrix.distro }} | |
| run: mkosi | |
| - name: Show ${{ matrix.distro }} image summary | |
| run: mkosi summary | |
| - name: Boot ${{ matrix.distro }} systemd-nspawn | |
| run: sudo mkosi boot ${{ env.KERNEL_CMDLINE }} audit=0 | |
| - name: Check ${{ matrix.distro }} systemd-nspawn | |
| run: sudo mkosi shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }" | |
| - name: Boot ${{ matrix.distro }} QEMU | |
| run: timeout -k 30 10m mkosi qemu | |
| - name: Check ${{ matrix.distro }} QEMU | |
| run: sudo mkosi shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }" |