Write PK/KEK/db .auth files under loader/keys/auto/ on the EFI
partition and append `secure-boot-enroll if-safe` to loader.conf so
systemd-boot enrolls the Talos SecureBoot keys on first boot when
UEFI firmware is in Setup Mode. `if-safe` is silently skipped on bare
hardware (the check requires a hypervisor), so keys stay inert on
metal and enroll on VMs.
Adds `SDBootEnrollKeys` to `profile.ImageOptions` and plumbs key paths
through `installer.Options` -> `InstallOptions` -> `sdboot.generateAssets()`.
Refactors the previously inline ISO PK/KEK/db generation in `outISO`
into `prepareEnrollmentDBs`, shared by ISO and disk-image paths.
Validates that pre-built PK/KEK/db paths are all set or all unset.
Adds secureboot profiles for private-cloud / self-managed platforms
where NVRAM starts empty: secureboot-cloudstack, secureboot-nocloud,
secureboot-opennebula, secureboot-openstack, secureboot-vmware.
Managed clouds (AWS, Azure, GCP, ...) ship vendor PK/KEK and are
deliberately excluded. Existing secureboot-metal also gains if-safe
enrollment via the refactoring -- no-op on real hardware, enrolls
in a VM.
Adds a unit test for `sdboot.generateAssets` covering the
no-enrollment, if-safe, and force modes, plus golden fixtures for
all new profiles across v1.9..v1.14 / amd64+arm64.
e2e-qemu.sh: add WITH_TRUSTED_BOOT_DISK_IMAGE case to run the trusted
boot disk image test in CI.
Signed-off-by: Mickaël Canévet <mickael.canevet@proton.ch>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The interactive installer has been deprecated since the v1.12 cycle,
and is now removed completely, including the API method.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Refactor the code to have fewer short-circuit returns with a more explicit
switch statement.
Also fix up tests to assert that the latest version (in our case, 1.11)
is also covered.
Extracted from #11001.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Generate `installer` from `imager` so installer always has UKIs.
Push `installer-base` which just contains base tools to install.
Fixes: #10188
Fixes: #10323
Signed-off-by: Noel Georgi <git@frezbo.dev>