feat: add secureboot enrollKeys schematic option #482
Merged
Add a `secureboot.enrollKeys` field to the schematic, mapping to the imager's `SDBootEnrollKeys` profile option (off / manual / if-safe / force) for the ISO and disk image outputs. It controls systemd-boot's `secure-boot-enroll` setting in loader.conf. The default (if-safe) auto-enrolls SecureBoot keys only inside a virtual machine, so on bare-metal keys are never enrolled unattended. Setting force enables unattended enrollment when the UEFI firmware is in setup mode, which network provisioning flows with no console operator require. The corresponding imager flag was added in siderolabs/talos#13571; see siderolabs/talos#12568 for the discussion.

Signed-off-by: Mickaël Canévet <mickael.canevet@proton.ch>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
shanduur approved these changes, Jun 12, 2026
frezbo approved these changes, Jun 12, 2026
frezbo (Member) left a comment:
I guess pull in new talos too?

Member:
I already did previously, nothing new here (it's just an existing option to be wired into the schematic)

Member:
/m
What?

Add a `secureboot.enrollKeys` field to the schematic, mapping to the imager's `SDBootEnrollKeys` profile option (`off`/`manual`/`if-safe`/`force`) for the ISO and disk-image outputs. It controls systemd-boot's `secure-boot-enroll` setting in `loader.conf`. The field is `omitempty`, so schematics that don't set it produce an unchanged ID.

Why?

The default `if-safe` auto-enrolls SecureBoot keys only inside a VM, so on bare-metal keys are never enrolled unattended. Network provisioning flows with no console operator (PXE, Tinkerbell, Metal³, …) need `force`, which enrolls once while the UEFI firmware is in setup mode — sd-boot's setup-mode gate prevents it from ever overwriting an already-enrolled platform key.

Follow-up to the imager flag (siderolabs/talos#13571), per siderolabs/talos#12568 where @smira said this "can [be] put to the Image Factory as well" (as an opt-in; default stays `if-safe`).

Notes

`ISOOptions`, disk image → `ImageOptions`); `secure-boot-enroll` is meaningless for installer/UKI outputs, so it's ignored there.
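The rules the description lays out (accepted values, `if-safe` as the default when the field is unset, and the setting only taking effect for ISO and disk-image outputs) expressed as a small Go resolver. This is an added illustration, not code from this PR or from Image Factory; the `OutputKind` type, `ResolveEnrollKeys` and `LoaderConfLine` are assumed names.

```go
package main

import "fmt"

// OutputKind is the image flavour being built (assumed naming).
type OutputKind string

const (
	OutputISO       OutputKind = "iso"
	OutputImage     OutputKind = "image" // disk image
	OutputInstaller OutputKind = "installer"
	OutputUKI       OutputKind = "uki"
)

// allowed mirrors the imager's SDBootEnrollKeys choices listed in the PR.
var allowed = map[string]bool{"off": true, "manual": true, "if-safe": true, "force": true}

// ResolveEnrollKeys validates the schematic value and applies the PR's rules:
// an unset field keeps the imager default (if-safe), and the option only
// applies to ISO and disk-image outputs; for installer/UKI it is ignored ("").
func ResolveEnrollKeys(field string, kind OutputKind) (string, error) {
	if field != "" && !allowed[field] {
		return "", fmt.Errorf("secureboot.enrollKeys: unsupported value %q", field)
	}
	if kind != OutputISO && kind != OutputImage {
		return "", nil // secure-boot-enroll is meaningless here, so drop it
	}
	if field == "" {
		return "if-safe", nil // opt-in only: the safe default stays in place
	}
	return field, nil
}

// LoaderConfLine renders the systemd-boot loader.conf line that carries the
// resolved setting; an empty (ignored) value yields no line at all.
func LoaderConfLine(enroll string) string {
	if enroll == "" {
		return ""
	}
	return "secure-boot-enroll " + enroll + "\n"
}

func main() {
	for _, kind := range []OutputKind{OutputISO, OutputImage, OutputInstaller, OutputUKI} {
		for _, field := range []string{"", "force"} {
			v, err := ResolveEnrollKeys(field, kind)
			fmt.Printf("%-9s enrollKeys=%-6q -> %q %v\n", kind, field, LoaderConfLine(v), err)
		}
	}
}
```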