Loop-mounting the raw image to inject our own SecureBoot certificates is failing
in CI runs more often than I'd like to see. So, switch to using mtools to
directly manipulate the ESP partition since it's formatted as vfat.
Signed-off-by: Mathias Gibbens <mathias.gibbens@futurfusion.io>
mkosi doesn't seem to have a nice hook we can use, so we rely on this
script to mount the final install image and inject/replace the auto-
enroll Secure Boot keys with the ones we want.
Signed-off-by: Mathias Gibbens <mathias.gibbens@futurfusion.io>
These scripts generate a full mock-up CA certificate hierarchy similar
to the production certs used when publishing IncusOS. A total of four
Secure Boot signing keys are created, with the first two used to
populate an initial db of trusted certificates. The third is prepared
as an update to db, while the fourth is prepared as an update to dbx.
The resulting keys generated with these scripts are for TEST purposes
only -- don't let them anywhere near a production system.
Signed-off-by: Mathias Gibbens <mathias.gibbens@futurfusion.io>
Rather than running a duplicate build, add a small script that will copy
each partition from the raw image with 512 byte sectors to a new iso
image with 2048 byte sectors. The resulting iso can then be booted as a
CDROM.
Signed-off-by: Mathias Gibbens <mathias.gibbens@futurfusion.io>
