feat: Add bootc container ukify command

Add a new subcommand that builds a Unified Kernel Image (UKI) by computing the necessary arguments from a container image and invoking ukify. This simplifies the sealed image build workflow by having bootc internally compute: - The composefs digest (via existing compute-composefs-digest logic) - Kernel arguments from /usr/lib/bootc/kargs.d/*.toml files - Paths to kernel, initrd, and os-release Any additional arguments are passed through to ukify unchanged, allowing full control over signing, output paths, and other ukify options. The seal-uki script is updated to use this new command instead of manually computing these values and invoking ukify directly. Also adds kargs.d configuration files for the sealed UKI workflow: - 10-rootfs-rw.toml: Mount root filesystem read-write - 21-console-hvc0.toml: Console configuration for QEMU/virtio Closes: #1955 Assisted-by: OpenCode (Opus 4.5) Signed-off-by: John Eckersberg <jeckersb@redhat.com>
2026-02-05 15:45:53 +01:00 · 2026-01-28 11:42:59 -05:00
parent 4f51a5fbcb
commit 5d6dd67276
12 changed files with 320 additions and 38 deletions
--- a/contrib/packaging/seal-uki
+++ b/contrib/packaging/seal-uki
@@ -12,15 +12,7 @@ shift
 secrets=$1
 shift

-# Compute the composefs digest from the target rootfs
-composefs_digest=$(bootc container compute-composefs-digest "${target}")
-
-# Build the kernel command line
-# enforcing=0: https://github.com/bootc-dev/bootc/issues/1826
-# TODO: pick up kargs from /usr/lib/bootc/kargs.d
-cmdline="composefs=${composefs_digest} console=ttyS0,115200n8 console=hvc0 enforcing=0 rw"
-
-# Find the kernel version
+# Find the kernel version (needed for output filename)
 kver=$(bootc container inspect --rootfs "${target}" --json | jq -r '.kernel.version')
 if [ -z "$kver" ] || [ "$kver" = "null" ]; then
  echo "Error: No kernel found" >&2
@@ -29,12 +21,14 @@ fi

 mkdir -p "${output}"

-ukify build \
-  --linux "${target}/usr/lib/modules/${kver}/vmlinuz" \
-  --initrd "${target}/usr/lib/modules/${kver}/initramfs.img" \
-  --uname="${kver}" \
-  --cmdline "${cmdline}" \
-  --os-release "@${target}/usr/lib/os-release" \
+# Build the UKI using bootc container ukify
+# This computes the composefs digest, reads kargs from kargs.d, and invokes ukify
+#
+# WORKAROUND: SELinux must be permissive for sealed UKI boot
+# See https://github.com/bootc-dev/bootc/issues/1826
+bootc container ukify --rootfs "${target}" \
+  --karg enforcing=0 \
+  -- \
  --signtool sbsign \
  --secureboot-private-key "${secrets}/secureboot_key" \
  --secureboot-certificate "${secrets}/secureboot_cert" \
--- a/contrib/packaging/usr-extras/lib/bootc/kargs.d/10-rootfs-rw.toml
+++ b/contrib/packaging/usr-extras/lib/bootc/kargs.d/10-rootfs-rw.toml
@@ -0,0 +1,2 @@
+# Mount the root filesystem read-write
+kargs = ["rw"]
--- a/contrib/packaging/usr-extras/lib/bootc/kargs.d/21-console-hvc0.toml
+++ b/contrib/packaging/usr-extras/lib/bootc/kargs.d/21-console-hvc0.toml
@@ -1,2 +1,3 @@
 # https://bugzilla.redhat.com/show_bug.cgi?id=2353887
-kargs = ["console=hvc0"]
+# console=ttyS0 for QEMU serial, console=hvc0 for virtio/Xen console
+kargs = ["console=ttyS0,115200n8", "console=hvc0"]