chore: drop with-secureboot talosctl flag

The code picks up firmware files in the order it's defined. The secureboot QEMU firmware files are defined first, so this flag is a no-op. This was leftover from when `ovmfctl` was used. Signed-off-by: Noel Georgi <git@frezbo.dev>
schaurian · Jul 31, 2023 · 209c348 · 209c348
1 parent ab14905
commit 209c348
Show file tree

Hide file tree

Showing 7 changed files with 5 additions and 23 deletions.
diff --git a/cmd/talosctl/cmd/mgmt/cluster/create.go b/cmd/talosctl/cmd/mgmt/cluster/create.go
@@ -83,7 +83,6 @@ const (
 	controlPlanePortFlag          = "control-plane-port"
 	kubePrismFlag                 = "kubeprism-port"
 	tpm2EnabledFlag               = "with-tpm2"
-	secureBootEnabledFlag         = "with-secureboot"
 	diskEncryptionKeyTypesFlag    = "disk-encryption-key-types"
 )
 
@@ -101,7 +100,6 @@ var (
 	applyConfigEnabled         bool
 	bootloaderEnabled          bool
 	uefiEnabled                bool
-	secureBootEnabled          bool
 	tpm2Enabled                bool
 	extraUEFISearchPaths       []string
 	configDebug                bool
@@ -336,7 +334,6 @@ func create(ctx context.Context, flags *pflag.FlagSet) (err error) {
 		provision.WithBootlader(bootloaderEnabled),
 		provision.WithUEFI(uefiEnabled),
 		provision.WithTPM2(tpm2Enabled),
-		provision.WithSecureBoot(secureBootEnabled),
 		provision.WithExtraUEFISearchPaths(extraUEFISearchPaths),
 		provision.WithTargetArch(targetArch),
 	}
@@ -942,7 +939,6 @@ func init() {
 	createCmd.Flags().BoolVar(&bootloaderEnabled, bootloaderEnabledFlag, true, "enable bootloader to load kernel and initramfs from disk image after install")
 	createCmd.Flags().BoolVar(&uefiEnabled, "with-uefi", true, "enable UEFI on x86_64 architecture")
 	createCmd.Flags().BoolVar(&tpm2Enabled, tpm2EnabledFlag, false, "enable TPM2 emulation support using swtpm")
-	createCmd.Flags().BoolVar(&secureBootEnabled, secureBootEnabledFlag, false, "enforce secure boot")
 	createCmd.Flags().StringSliceVar(&extraUEFISearchPaths, "extra-uefi-search-paths", []string{}, "additional search paths for UEFI firmware (only applies when UEFI is enabled)")
 	createCmd.Flags().StringSliceVar(&registryMirrors, registryMirrorFlag, []string{}, "list of registry mirrors to use in format: <registry host>=<mirror URL>")
 	createCmd.Flags().StringSliceVar(&registryInsecure, registryInsecureFlag, []string{}, "list of registry hostnames to skip TLS verification for")

diff --git a/hack/test/e2e-qemu.sh b/hack/test/e2e-qemu.sh
@@ -140,7 +140,7 @@ case "${WITH_TRUSTED_BOOT_ISO:-false}" in
   false)
     ;;
   *)
-    QEMU_FLAGS+=("--iso-path=_out/talos-uki-amd64.iso" "--with-secureboot" "--with-tpm2" "--encrypt-ephemeral" "--encrypt-state" "--disk-encryption-key-types=tpm")
+    QEMU_FLAGS+=("--iso-path=_out/talos-uki-amd64.iso" "--with-tpm2" "--encrypt-ephemeral" "--encrypt-state" "--disk-encryption-key-types=tpm")
     ;;
 esac
 

diff --git a/pkg/provision/options.go b/pkg/provision/options.go
@@ -79,15 +79,6 @@ func WithTPM2(enabled bool) Option {
 	}
 }
 
-// WithSecureBoot enables or disables secure boot.
-func WithSecureBoot(enabled bool) Option {
-	return func(o *Options) error {
-		o.SecureBootEnabled = enabled
-
-		return nil
-	}
-}
-
 // WithExtraUEFISearchPaths configures additional search paths to look for UEFI firmware.
 func WithExtraUEFISearchPaths(extraUEFISearchPaths []string) Option {
 	return func(o *Options) error {
@@ -157,8 +148,6 @@ type Options struct {
 	UEFIEnabled bool
 	// Enable TPM2 emulation using swtpm.
 	TPM2Enabled bool
-	// Enforce Secure Boot.
-	SecureBootEnabled bool
 	// Configure additional search paths to look for UEFI firmware.
 	ExtraUEFISearchPaths []string
 

diff --git a/pkg/provision/providers/qemu/arch.go b/pkg/provision/providers/qemu/arch.go
@@ -71,7 +71,7 @@ type PFlash struct {
 }
 
 // PFlash returns settings for parallel flash.
-func (arch Arch) PFlash(uefiEnabled, secureBootEnabled bool, extraUEFISearchPaths []string) []PFlash {
+func (arch Arch) PFlash(uefiEnabled bool, extraUEFISearchPaths []string) []PFlash {
 	switch arch {
 	case ArchArm64:
 		uefiSourcePaths := []string{"/usr/share/qemu-efi-aarch64/QEMU_EFI.fd", "/usr/share/OVMF/QEMU_EFI.fd"}
@@ -121,9 +121,7 @@ func (arch Arch) PFlash(uefiEnabled, secureBootEnabled bool, extraUEFISearchPath
 			"OVMF_VARS.fd",
 		}
 
-		if !secureBootEnabled {
-			uefiSourceFiles = append(uefiSourceFiles, uefiSourceFilesInsecure...)
-		}
+		uefiSourceFiles = append(uefiSourceFiles, uefiSourceFilesInsecure...)
 
 		// Append extra search paths
 		uefiSourcePathPrefixes = append(uefiSourcePathPrefixes, extraUEFISearchPaths...)

diff --git a/pkg/provision/providers/qemu/node.go b/pkg/provision/providers/qemu/node.go
@@ -34,7 +34,7 @@ func (p *provisioner) createNode(state *vm.State, clusterReq provision.ClusterRe
 
 	var pflashImages []string
 
-	if pflashSpec := arch.PFlash(opts.UEFIEnabled, opts.SecureBootEnabled, opts.ExtraUEFISearchPaths); pflashSpec != nil {
+	if pflashSpec := arch.PFlash(opts.UEFIEnabled, opts.ExtraUEFISearchPaths); pflashSpec != nil {
 		var err error
 
 		if pflashImages, err = p.createPFlashImages(state, nodeReq.Name, pflashSpec); err != nil {

diff --git a/pkg/provision/providers/qemu/preflight.go b/pkg/provision/providers/qemu/preflight.go
@@ -77,7 +77,7 @@ func (check *preflightCheckContext) qemuExecutable(ctx context.Context) error {
 }
 
 func (check *preflightCheckContext) checkFlashImages(ctx context.Context) error {
-	for _, flashImage := range check.arch.PFlash(check.options.UEFIEnabled, check.options.SecureBootEnabled, check.options.ExtraUEFISearchPaths) {
+	for _, flashImage := range check.arch.PFlash(check.options.UEFIEnabled, check.options.ExtraUEFISearchPaths) {
 		if len(flashImage.SourcePaths) == 0 {
 			continue
 		}

diff --git a/website/content/v1.5/reference/cli.md b/website/content/v1.5/reference/cli.md
@@ -164,7 +164,6 @@ talosctl cluster create [flags]
       --with-network-packet-corrupt float        specify percent of corrupt packets on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
       --with-network-packet-loss float           specify percent of packet loss on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
       --with-network-packet-reorder float        specify percent of reordered packets on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
-      --with-secureboot                          enforce secure boot
       --with-tpm2                                enable TPM2 emulation support using swtpm
       --with-uefi                                enable UEFI on x86_64 architecture (default true)
       --workers int                              the number of workers to create (default 1)
-Original file line number
+Diff line change
@@ Expand Up / @@ -140,7 +140,7 @@ case "${WITH_TRUSTED_BOOT_ISO:-false}" in @@
       false)
         ;;
       *)
-        QEMU_FLAGS+=("--iso-path=_out/talos-uki-amd64.iso" "--with-secureboot" "--with-tpm2" "--encrypt-ephemeral" "--encrypt-state" "--disk-encryption-key-types=tpm")
+        QEMU_FLAGS+=("--iso-path=_out/talos-uki-amd64.iso" "--with-tpm2" "--encrypt-ephemeral" "--encrypt-state" "--disk-encryption-key-types=tpm")
         ;;
     esac
@@ Expand Down @@