Make tests work for sdboot

Johan-Liebert1 · cgwalters · commit 87e2a69d1a72 · 2026-02-11T09:47:03.000-05:00
Signed-off-by: Pragyan Poudyal &lt;pragyanpoudyal41999@gmail.com&gt;

Remove root= cmdline for sdboot

Signed-off-by: Pragyan Poudyal &lt;pragyanpoudyal41999@gmail.com&gt;

Use insecure UEFI for sdboot

Signed-off-by: Pragyan Poudyal &lt;pragyanpoudyal41999@gmail.com&gt;
diff --git a/Justfile b/Justfile
@@ -114,7 +114,6 @@ test-composefs bootloader:
     just variant=composefs bootloader={{bootloader}} \
         test-tmt --composefs-backend --bootloader {{bootloader}} \
         readonly \
-        bib-build \
         download-only \
         image-pushpull-upgrade \
         image-upgrade-reboot \
diff --git a/crates/lib/src/bootc_composefs/boot.rs b/crates/lib/src/bootc_composefs/boot.rs
@@ -68,7 +68,7 @@ use std::path::Path;
 
 use anyhow::{Context, Result, anyhow, bail};
 use bootc_blockdev::find_parent_devices;
-use bootc_kernel_cmdline::utf8::{Cmdline, Parameter};
+use bootc_kernel_cmdline::utf8::{Cmdline, Parameter, ParameterKey};
 use bootc_mount::inspect_filesystem_of_dir;
 use bootc_mount::tempmount::TempMount;
 use camino::{Utf8Path, Utf8PathBuf};
@@ -566,6 +566,12 @@ pub(crate) fn setup_composefs_bls_boot(
         }
     };
 
+    // Remove "root=" from kernel cmdline as systemd-auto-gpt-generator should use DPS
+    // UUID
+    if bootloader == Bootloader::Systemd {
+        cmdline_refs.remove(&ParameterKey::from("root"));
+    }
+
     let is_upgrade = matches!(setup_type, BootSetupType::Upgrade(..));
 
     let current_root = if is_upgrade {
diff --git a/crates/xtask/src/tmt.rs b/crates/xtask/src/tmt.rs
@@ -32,7 +32,7 @@ const DISTRO_CENTOS_9: &str = "centos-9";
 const COMPOSEFS_KERNEL_ARGS: [&str; 1] = ["--karg=enforcing=0"];
 
 // Import the argument types from xtask.rs
-use crate::{RunTmtArgs, TmtProvisionArgs};
+use crate::{Bootloader, RunTmtArgs, TmtProvisionArgs};
 
 /// Generate a random alphanumeric suffix for VM names
 fn generate_random_suffix() -> String {
@@ -111,7 +111,11 @@ const DEFAULT_SB_KEYS_DIR: &str = "target/test-secureboot";
 ///
 /// For sealed images, secure boot keys must be present or an error is returned.
 #[context("Building firmware arguments")]
-fn build_firmware_args(sh: &Shell, image: &str) -> Result<Vec<String>> {
+fn build_firmware_args(
+    sh: &Shell,
+    image: &str,
+    bootloader: &Option<Bootloader>,
+) -> Result<Vec<String>> {
     let is_sealed = is_sealed_image(sh, image)?;
     let sb_keys_dir = Utf8Path::new(DEFAULT_SB_KEYS_DIR);
 
@@ -133,6 +137,8 @@ fn build_firmware_args(sh: &Shell, image: &str) -> Result<Vec<String>> {
                 sb_keys_dir
             );
         }
+    } else if matches!(bootloader, Some(Bootloader::Systemd)) {
+        vec!["--firmware=uefi-insecure".into()]
     } else {
         Vec::new()
     };
@@ -310,7 +316,7 @@ pub(crate) fn run_tmt(sh: &Shell, args: &RunTmtArgs) -> Result<()> {
     println!("Detected distro: {}", distro);
     println!("Detected VARIANT_ID: {variant_id}");
 
-    let firmware_args = build_firmware_args(sh, image)?;
+    let firmware_args = build_firmware_args(sh, image, &args.bootloader)?;
 
     // Create tmt-workdir and copy tmt bits to it
     // This works around https://github.com/teemtee/tmt/issues/4062
@@ -699,7 +705,8 @@ pub(crate) fn tmt_provision(sh: &Shell, args: &TmtProvisionArgs) -> Result<()> {
     println!("  Image: {}", image);
     println!("  VM name: {}\n", vm_name);
 
-    let firmware_args = build_firmware_args(sh, image)?;
+    // TODO: Send bootloader param here
+    let firmware_args = build_firmware_args(sh, image, &None)?;
 
     // Launch VM with bcvk
     // Use ds=iid-datasource-none to disable cloud-init for faster boot
diff --git a/crates/xtask/src/xtask.rs b/crates/xtask/src/xtask.rs
@@ -79,7 +79,7 @@ pub(crate) struct LocalRustDepsArgs {
 
 /// Bootloader passed as --bootloader param for composefs builds
 // TODO: Find a better way to share this Enum between this and crates/lib
-#[derive(Debug, Clone, ValueEnum)]
+#[derive(Debug, Clone, ValueEnum, PartialEq, Eq)]
 pub enum Bootloader {
     /// grub as bootloader
     Grub,
diff --git a/tmt/tests/booted/readonly/030-test-composefs.nu b/tmt/tests/booted/readonly/030-test-composefs.nu
@@ -13,15 +13,21 @@ let is_composefs = (tap is_composefs)
 let expecting_composefs = ($env.BOOTC_variant? | default "" | find "composefs") != null
 if $expecting_composefs {
     assert $is_composefs
-    # When using systemd-boot with DPS (Discoverable Partition Specification),
-    # /proc/cmdline should NOT contain a root= parameter because systemd-gpt-auto-generator
-    # discovers the root partition automatically
-    # Note that there is `bootctl --json=pretty` but it doesn't actually output JSON
-    let bootctl_output = (bootctl)
-    if ($bootctl_output | str contains 'Product: systemd-boot') {
-        let cmdline = parse_cmdline
-        let has_root_param = ($cmdline | any { |param| $param | str starts-with 'root=' })
-        assert (not $has_root_param) "systemd-boot image should not have root= in kernel cmdline; systemd-gpt-auto-generator should discover the root partition via DPS"
+
+    let bootloader = ($st.status.booted.composefs.bootloader | str downcase)
+
+    if $bootloader == "systemd" {
+        # When using systemd-boot with DPS (Discoverable Partition Specification),
+        # /proc/cmdline should NOT contain a root= parameter because systemd-gpt-auto-generator
+        # discovers the root partition automatically
+        # Note that there is `bootctl --json=pretty` but it doesn't actually output JSON
+        let bootctl_output = (bootctl)
+
+        if ($bootctl_output | str contains 'Product: systemd-boot') {
+            let cmdline = parse_cmdline
+            let has_root_param = ($cmdline | any { |param| $param | str starts-with 'root=' })
+            assert (not $has_root_param) "systemd-boot image should not have root= in kernel cmdline; systemd-gpt-auto-generator should discover the root partition via DPS"
+        }
     }
 }
 
diff --git a/tmt/tests/booted/test-install-outside-container.nu b/tmt/tests/booted/test-install-outside-container.nu
@@ -28,6 +28,16 @@ umount /var/mnt
 # so we mask off /sysroot/ostree
 # And using systemd-run here breaks our install_t so we disable SELinux enforcement
 setenforce 0
+
+let st = bootc status --json | from json
+let bootloader = ($st.status.booted.composefs.bootloader | str downcase)
+
+let install_cmd = if (tap is_composefs) {
+    $"bootc install to-disk --disable-selinux --via-loopback --composefs-backend --bootloader=($bootloader) --filesystem ext4 --source-imgref ($target_image) ./disk.img"
+} else {
+    $"bootc install to-disk --disable-selinux --via-loopback --filesystem xfs --source-imgref ($target_image) ./disk.img"
+}
+
 systemd-run -p MountFlags=slave -qdPG -- /bin/sh -c $"
 set -xeuo pipefail
 bootc usr-overlay
@@ -36,7 +46,7 @@ if test -d /sysroot/ostree; then mount --bind /usr/share/empty /sysroot/ostree;
 rm -vrf /usr/lib/bootupd/updates
 # Another bootc install bug, we should not look at this in outside-of-container flows
 rm -vrf /usr/lib/bootc/bound-images.d
-bootc install to-disk --disable-selinux --via-loopback --filesystem xfs --source-imgref ($target_image) ./disk.img
+($install_cmd)
 "
 
 tap ok
