feat: add secureboot enrollKeys schematic option#482

Merged
talos-bot merged 1 commit into
siderolabs:mainfrom
mcanevet:feat/secureboot-enroll-keys
Jun 12, 2026

Conversation

@mcanevet

Contributor

What?

Add a secureboot.enrollKeys field to the schematic, mapping to the imager's SDBootEnrollKeys profile option (off / manual / if-safe / force) for the ISO and disk-image outputs. It controls systemd-boot's secure-boot-enroll setting in loader.conf. The field is omitempty, so schematics that don't set it produce an unchanged ID.

customization:
  secureboot:
    enrollKeys: force

Why?

The default if-safe auto-enrolls SecureBoot keys only inside a VM, so on bare-metal keys are never enrolled unattended. Network provisioning flows with no console operator (PXE, Tinkerbell, Metal³, …) need force, which enrolls once while the UEFI firmware is in setup mode — sd-boot's setup-mode gate prevents it from ever overwriting an already-enrolled platform key.

Follow-up to the imager flag (siderolabs/talos#13571), per siderolabs/talos#12568 where @smira said this "can [be] put to the Image Factory as well" (as an opt-in; default stays if-safe).

Notes

  • Mapped per output kind (ISO → ISOOptions, disk image → ImageOptions); secure-boot-enroll is meaningless for installer/UKI outputs, so it's ignored there.
  • Tests added for the mapping (force → image/ISO, invalid value rejected, ignored without SecureBoot); existing golden profile and schematic-ID tests are unchanged.
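The mapping rules listed above (force carried into the ISO and disk image profiles, invalid values rejected, the field ignored when SecureBoot is off or for installer/UKI outputs, an omitted field leaving the imager default in place), as an added illustration in Go. This is not the Image Factory's or the imager's code: the OutputKind, Schematic and Profile types and the applyEnrollKeys and loaderConfLine functions are hypothetical stand-ins; only the names secureboot.enrollKeys, SDBootEnrollKeys and the loader.conf directive secure-boot-enroll are taken from the PR text.

```go
package main

import (
	"fmt"
	"strings"
)

// OutputKind stands in for the imager's output kinds (hypothetical names).
type OutputKind string

const (
	KindISO       OutputKind = "iso"
	KindImage     OutputKind = "image"
	KindInstaller OutputKind = "installer"
	KindUKI       OutputKind = "uki"
)

// The four values systemd-boot accepts for secure-boot-enroll in loader.conf.
var allowedEnrollKeys = []string{"off", "manual", "if-safe", "force"}

// Schematic is a hypothetical minimal model of customization.secureboot.
type Schematic struct {
	SecureBoot bool
	EnrollKeys string // "" == field omitted: the imager default (if-safe) applies
}

// Profile is a hypothetical stand-in for the imager output profile; only the
// SDBootEnrollKeys field name is taken from the PR description.
type Profile struct {
	Kind             OutputKind
	SecureBoot       bool
	SDBootEnrollKeys string
}

// applyEnrollKeys maps the schematic field onto the profile for one output
// kind: unknown values are rejected, the value is dropped when SecureBoot is
// off, and only ISO and disk image outputs carry it.
func applyEnrollKeys(s Schematic, kind OutputKind) (Profile, error) {
	p := Profile{Kind: kind, SecureBoot: s.SecureBoot}
	if s.EnrollKeys == "" {
		return p, nil // omitted: profile unchanged, so the schematic ID is unchanged too
	}
	valid := false
	for _, v := range allowedEnrollKeys {
		if v == s.EnrollKeys {
			valid = true
			break
		}
	}
	if !valid {
		return Profile{}, fmt.Errorf("secureboot.enrollKeys: %q is not one of %s",
			s.EnrollKeys, strings.Join(allowedEnrollKeys, "|"))
	}
	if !s.SecureBoot {
		return p, nil // meaningless without SecureBoot, silently ignored
	}
	if kind == KindISO || kind == KindImage {
		p.SDBootEnrollKeys = s.EnrollKeys
	}
	return p, nil // installer/UKI: no sd-boot loader.conf, nothing to set
}

// loaderConfLine renders the loader.conf directive sd-boot reads; it is empty
// for profiles that leave the imager default in place.
func loaderConfLine(p Profile) string {
	if p.SDBootEnrollKeys == "" {
		return ""
	}
	return "secure-boot-enroll " + p.SDBootEnrollKeys
}

func main() {
	s := Schematic{SecureBoot: true, EnrollKeys: "force"}
	for _, k := range []OutputKind{KindISO, KindImage, KindInstaller, KindUKI} {
		p, err := applyEnrollKeys(s, k)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-9s -> %q\n", k, loaderConfLine(p))
	}
	if _, err := applyEnrollKeys(Schematic{SecureBoot: true, EnrollKeys: "yes"}, KindISO); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Note that validation runs before the SecureBoot check, so a typo in enrollKeys is reported even on a schematic that has SecureBoot disabled; silently ignoring it would hide the mistake until SecureBoot is turned on later. Whatever value lands in loader.conf, enrollment itself still only happens while the firmware is in setup mode, which is the gate the PR description relies on.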

@github-project-automation github-project-automation Bot moved this to To Do in Planning Jun 12, 2026
@talos-bot talos-bot moved this from To Do to In Review in Planning Jun 12, 2026
Add a `secureboot.enrollKeys` field to the schematic, mapping to the
imager's `SDBootEnrollKeys` profile option (off / manual / if-safe /
force) for the ISO and disk image outputs. It controls systemd-boot's
`secure-boot-enroll` setting in loader.conf.

The default (if-safe) auto-enrolls SecureBoot keys only inside a virtual
machine, so on bare-metal keys are never enrolled unattended. Setting
force enables unattended enrollment when the UEFI firmware is in setup
mode, which network provisioning flows with no console operator require.

The corresponding imager flag was added in siderolabs/talos#13571; see
siderolabs/talos#12568 for the discussion.

Signed-off-by: Mickaël Canévet <mickael.canevet@proton.ch>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
@smira smira force-pushed the feat/secureboot-enroll-keys branch from 41ca30d to 3359f6c on June 12, 2026 13:10

@smira smira left a comment

Member


🆒

@github-project-automation github-project-automation Bot moved this from In Review to Approved in Planning Jun 12, 2026
@smira smira requested review from frezbo and shanduur June 12, 2026 13:11

@frezbo frezbo left a comment

Member


I guess pull in new talos too?

@smira

smira commented Jun 12, 2026

Member

> I guess pull in new talos too?

I already did previously, nothing new here (it's just an existing option to be wired into the schematic)

@smira

smira commented Jun 12, 2026

Member

/m

@talos-bot talos-bot merged commit 3359f6c into siderolabs:main Jun 12, 2026
21 checks passed
@github-project-automation github-project-automation Bot moved this from Approved to Done in Planning Jun 12, 2026