From 736c1485e27a597b8bf720b2dba4f8664cb9321a Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Thu, 11 Jul 2024 18:28:20 +0400
Subject: [PATCH] fix: change the UEFI firmware search path order
Ensure that SecureBoot enabled images come before regular ones. With Ubuntu 24.04 `ovmf` package, due to the ordering of the search paths `talosctl` might pick up a wrong image and disable SecureBoot.
Signed-off-by: Andrey Smirnov
---
 .../machined/internal/server/v1alpha1/v1alpha1_server.go | 4 ++++
 internal/integration/base/api.go | 4 +++-
 pkg/provision/providers/qemu/arch.go | 8 ++++++--
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go b/internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go
index 5b7696394..0cd85df15 100644
--- a/internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go
+++ b/internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go
@@ -1285,6 +1285,10 @@ func getContainerInspector(ctx context.Context, namespace string, driver common.
 func (s *Server) Read(in *machine.ReadRequest, srv machine.MachineService_ReadServer) (err error) {
 stat, err := os.Stat(in.Path)
 if err != nil {
+ if os.IsNotExist(err) {
+ return status.Error(codes.NotFound, err.Error())
+ }
+
 return err
 }
diff --git a/internal/integration/base/api.go b/internal/integration/base/api.go
index 417917639..bf0de57bb 100644
--- a/internal/integration/base/api.go
+++ b/internal/integration/base/api.go
@@ -448,7 +448,9 @@ func (apiSuite *APISuite) HashKubeletCert(ctx context.Context, node string) (str
 _, err = io.Copy(hash, reader)
 if err != nil {
- return "", err
+ if client.StatusCode(err) != codes.NotFound { // not found, swallow it
+ return "", err
+ }
 }
 return hex.EncodeToString(hash.Sum(nil)), reader.Close()
diff --git a/pkg/provision/providers/qemu/arch.go b/pkg/provision/providers/qemu/arch.go
index 308a461b0..d8424d16e 100644
--- a/pkg/provision/providers/qemu/arch.go
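Review bot: The added not-found check in `Read` uses `os.IsNotExist(err)`, which does not look through wrapped errors; `errors.Is(err, os.ErrNotExist)` is the form the standard library recommends and gives the same result for the `*PathError` that `os.Stat` returns (assuming `errors` is already imported in this file). The new branch also carries no comment saying why this one failure gets a gRPC code while every other `os.Stat` error is still returned raw; a line such as `// map a missing path to NotFound so clients can tell it apart from other failures` would record the contract that `HashKubeletCert` now depends on. The body of `Read` continues outside the hunk.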
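Review bot: When the copy fails with `codes.NotFound`, `HashKubeletCert` now falls through and returns the hex digest of whatever was hashed up to that point (for a missing file, the digest of empty input) with a nil error, so a caller comparing two results cannot tell a missing certificate from a real one. The comment `// not found, swallow it` also sits on the `!=` condition, which is the branch that does not swallow. A flat guard reads more directly, `if err != nil && client.StatusCode(err) != codes.NotFound {` followed by `return "", err`, with a comment above it stating why a missing certificate is acceptable here. The early return inside the hunk does not call `reader.Close()`; whether it is deferred earlier in the function is not visible from here.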
+++ b/pkg/provision/providers/qemu/arch.go
@@ -124,8 +124,6 @@ func (arch Arch) PFlash(uefiEnabled bool, extraUEFISearchPaths []string) []PFlas
 "ovmf-x86_64-4m-vars.bin",
 }
- uefiSourceFiles = append(uefiSourceFiles, uefiSourceFilesInsecure...)
-
 // Append extra search paths
 uefiSourcePathPrefixes = append(uefiSourcePathPrefixes, extraUEFISearchPaths...)
@@ -143,6 +141,12 @@ func (arch Arch) PFlash(uefiEnabled bool, extraUEFISearchPaths []string) []PFlas
 }
 }
+ for _, p := range uefiSourcePathPrefixes {
+ for _, f := range uefiSourceFilesInsecure {
+ uefiSourcePaths = append(uefiSourcePaths, filepath.Join(p, f))
+ }
+ }
+
 return []PFlash{
 {
 Size: 0,
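Review bot: After the loop added in the second hunk, the non-SecureBoot firmware files are still part of `uefiSourcePaths`, only later in the order, so when no SecureBoot-enabled image exists under any prefix the lookup presumably still settles on an insecure image without reporting it. The ordering is now the security-relevant invariant of `PFlash` and deserves a comment above the loop, for example `// Insecure images are appended after every SecureBoot candidate from every prefix, so they are only ever a fallback.` If the caller can request SecureBoot explicitly (not visible in this hunk), it would be worth logging or failing when only an insecure image matches, rather than booting without it. The code that consumes `uefiSourcePaths` and the loop that builds the secure entries lie outside the hunk.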