feat: kairos-agent report sb state, encrypted parts, certificates #2484

Closed
Itxaka opened this issue Apr 17, 2024 · 10 comments

@Itxaka
Member

Itxaka commented Apr 17, 2024

Is your feature request related to a problem? Please describe.

Would be really nice if the state command reported:

  • secureboot state
  • encrypted partitions (like their device and partition label)
  • certificates enrolled (only their names and type, so like KEK: Microsoft UEFI CA 2011 and such)

Describe the solution you'd like

This to be implemented

Describe alternatives you've considered

not having them and manually checking

Additional context

Would be really good for debugging as well when we get bug reports!

@Itxaka Itxaka added enhancement New feature or request triage Add this label to issues that should be triaged and prioretized in the next planning call labels Apr 17, 2024
@ci-robbot ci-robbot added the question Further information is requested label Apr 17, 2024
@ci-robbot
Collaborator

Hello Itxaka,

I am a bot, an experiment of @mudler and @jimmykarily. I would like to thank you for considering contributing to the kairos project. Your feature request seems to be clear in its description, and I appreciate the effort to provide steps to reproduce and relevant artifact versions, which is greatly helpful. However, there's a missing requirement: providing alternatives you've considered.

To help the project maintainers evaluate your request, please consider adding information about any alternative solutions or features you've thought of. This helps the team understand the context and thought process behind your request, and can significantly improve the chances of your feature request being accepted.

Once you've added the missing information, please feel free to reply to this comment, and I'll update the label accordingly.

Best regards,
Kairos Bot


P.S.: I'll label this issue with 'question' since it's lacking some information. If the issue is invalid, it will be labeled 'invalid', otherwise, if it's valid, it will be labeled 'triage' to indicate it was triaged.

@Itxaka
Member Author

Itxaka commented Apr 17, 2024

@ci-robbot you are wrong, this is not a question. I already provided an alternative, which is the only alternative for a feature request like this one. When it's a new feature, the alternative is just not having it?

Please fix the label.

@Itxaka
Member Author

Itxaka commented Apr 17, 2024

@ci-robbot can you label this PR #2392 and approve it?

@Itxaka Itxaka removed the question Further information is requested label Apr 17, 2024
@ci-robbot ci-robbot added the question Further information is requested label Apr 17, 2024
@ci-robbot
Collaborator

I have now added the 'question' label to your feature request issue #2484 in the kairos repository. My apologies for the inconvenience.

Regarding the pull request (PR) #2392, I am a bot and I do not have the ability to directly approve pull requests. However, you can follow the standard pull request processes in the kairos project to get it reviewed and approved by project maintainers.

Best regards,
Kairos Bot

@Itxaka Itxaka removed the question Further information is requested label Apr 17, 2024
@jimmykarily
Contributor

Only encrypted partitions are missing now

@jimmykarily jimmykarily moved this to In Progress 🏃 in 🧙Issue tracking board Apr 22, 2024
@jimmykarily jimmykarily removed the triage Add this label to issues that should be triaged and prioretized in the next planning call label Apr 22, 2024
@jimmykarily jimmykarily moved this from In Progress 🏃 to Todo 🖊 in 🧙Issue tracking board Apr 22, 2024
@Itxaka
Member Author

Itxaka commented Apr 30, 2024

Probably some feedback required here:

Encrypted partitions are kind of separated into 2 different places. The actual disk which is encrypted (i.e. /dev/sda2) and the unencrypted one (i.e. COS_OEM)

Which one do we want to expose? How do we want to expose those?

I did a couple of tests and exported them in a couple of different ways, but I'm not clear on what is gonna use it and how.

For example:

Image

This shows the actual partitions that are encrypted, not the unencrypted ones (ignore the disk and mountpoint, it was a failed test)

I think exporting the different paths and disks is helpful, as you might want to search it by label or device and it would be useful to have those, but maybe it needs to also show the unencrypted ones dangling from those label/path to be really useful?

Kind of like:

encrypted_partitions:
  by_label:
    - oem:
      - unencrypted_label: COS_OEM
      - unencrypted_device: /dev/mapper/oem
      - unencrypted_mountpoint: /oem
      - unencrypted_fs: ext4
  by_device:
    - /dev/sda2:
      - unencrypted_label: COS_OEM
      - unencrypted_device: /dev/mapper/oem
      - unencrypted_mountpoint: /oem
      - unencrypted_fs: ext4

This way, we have a way of listing the encrypted disks by label or device AND also have access to get those encrypted mappings to unencrypted data FROM that disk.

I kind of hate that it's duplicating some of the partitions entry, but I think it's good to have this data so it can be accessed by cloud configs for example and queried easily (like to find the OEM encrypted disk for example, or the OEM unencrypted mount, etc...)
And this should work for other partitions that are encrypted and not part of the default Kairos installation.

Now I'm not sure if this is correct, or adds too much, or could be slimmed down or something like that, looking for feedback @kairos-io/maintainers

Plugging this into the Partitions entry is a possibility as well, but we have to modify the Partitions struct which is a more dangerous thing.
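
The by_label / by_device layout proposed in the comment above, as an added example that is not part of the thread or of kairos-sdk: it builds both views from `lsblk --json` output and leaves the entry empty for a LUKS container that is still locked. The type and function names (`blockDev`, `Unlocked`, `EncryptedParts`, `ParseEncrypted`), the use of lsblk as the data source, and keying by_label on the GPT partition name are assumptions.

```go
package main

import "encoding/json"
import "fmt"

// Constructed sample shaped like `lsblk --json -o PATH,FSTYPE,LABEL,PARTLABEL,MOUNTPOINT`; sda3 is still locked.
const sampleLsblk = `{"blockdevices":[{"path":"/dev/sda","children":[
 {"path":"/dev/sda1","fstype":"vfat","label":"COS_GRUB","mountpoint":"/efi"},
 {"path":"/dev/sda2","fstype":"crypto_LUKS","partlabel":"oem","children":[
  {"path":"/dev/mapper/oem","fstype":"ext4","label":"COS_OEM","mountpoint":"/oem"}]},
 {"path":"/dev/sda3","fstype":"crypto_LUKS","partlabel":"persistent"}]}]}`

type blockDev struct { // one lsblk node; encoding/json matches keys case-insensitively
	Path, FSType, Label, PartLabel, Mountpoint string
	Children                                   []blockDev
}

// Unlocked is the mapped device (zero-valued while locked); EncryptedParts holds both indexes.
type Unlocked struct{ Label, Device, Mountpoint, FS string }
type EncryptedParts struct{ ByLabel, ByDevice map[string]Unlocked }

func collect(devs []blockDev, out *EncryptedParts) {
	for _, d := range devs {
		if d.FSType != "crypto_LUKS" {
			collect(d.Children, out) // partitions hang off their parent disk
			continue
		}
		var u Unlocked
		if len(d.Children) > 0 { // an opened container lists its mapper device as a child
			c := d.Children[0]
			u = Unlocked{Label: c.Label, Device: c.Path, Mountpoint: c.Mountpoint, FS: c.FSType}
		}
		out.ByDevice[d.Path] = u
		if d.PartLabel != "" { // assumption: by_label is keyed by the GPT partition name
			out.ByLabel[d.PartLabel] = u
		}
	}
}

func ParseEncrypted(lsblkJSON []byte) (EncryptedParts, error) {
	out := EncryptedParts{ByLabel: map[string]Unlocked{}, ByDevice: map[string]Unlocked{}}
	var doc struct{ Blockdevices []blockDev }
	if err := json.Unmarshal(lsblkJSON, &doc); err != nil {
		return out, err
	}
	collect(doc.Blockdevices, &out)
	return out, nil
}
func main() { fmt.Println(ParseEncrypted([]byte(sampleLsblk))) }
```

Both maps hold the same value for a given partition, so a consumer can start from either the device path or the label and reach the unlocked mapping without a second lookup.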

@Itxaka
Member Author

Itxaka commented Apr 30, 2024

With the mentioned changes it looks like this (will probably put it the first thing under kairos so the other info is more visible):

Image

@jimmykarily
Contributor

I guess it depends on what the consumer wants to do with the information. The ticket doesn't describe a user scenario so I guess we can start with an implementation and change it in the future if it doesn't work for us. For now, is there something specific we are trying to achieve or is it informational only?

@Itxaka
Member Author

Itxaka commented Apr 30, 2024

It was a request from @antongisli to see at a glance the encrypted partitions so mostly information

@Itxaka Itxaka moved this from Todo 🖊 to In Progress 🏃 in 🧙Issue tracking board May 6, 2024
@Itxaka Itxaka self-assigned this May 6, 2024
@Itxaka
Member Author

Itxaka commented May 6, 2024

encrypted parts now in sdk state: kairos-io/kairos-sdk#108

@Itxaka Itxaka closed this as completed May 6, 2024
@github-project-automation github-project-automation bot moved this from In Progress 🏃 to Done ✅ in 🧙Issue tracking board May 6, 2024