Summary
Add a mkosi --profile yubiOS build target so yubiOS can be built as a signed UKI disk image (particleos ethos) in addition to the OCI/bootc path.
Upstream PR
mkosi: feature/yubiOS-profile → mkosi/pull/2
What the profile provides
| Layer | Implementation |
|---|---|
| Secure Boot signing | `SecureBootKeySource=provider:pkcs11` — YubiKey PIV slot 9c via OpenSSL pkcs11-provider |
| dm-verity | `VerityKeySource=provider:pkcs11` — same PIV key |
| LUKS2 FIDO2 | `rd.luks.options=fido2-device=auto` on kernel cmdline |
| PAM U2F | `pam-u2f >= 1.3.1` wired at build time (CVE-2025-23013) |
| First-boot enrollment | `yubiOS-enroll.service` dropped via `mkosi.finalize.d` |
Prerequisites
```bash
# Export the certificate from YubiKey PIV slot 9c (the Secure Boot / verity signing key)
ykman piv certificates export 9c mkosi.secure-boot.pem
# Write the PKCS#11 URI that points mkosi's pkcs11-provider at the private key in that slot
echo 'pkcs11:manufacturer=piv_II;id=%9c;type=private' > mkosi.secure-boot.pkcs11-uri
```
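The URI file written above is a build input that mkosi passes straight to the provider, so a mistyped attribute or an inline PIN only surfaces at signing time (or gets committed). The script below is an added example of a check in the spirit of the `tests/validate-pkcs11-uri.sh` item; it is not the project's own script, and its function names and exact rules are assumptions.

```sh
#!/bin/sh
# Added example (not part of mkosi or the yubiOS profile): a check for the
# mkosi.secure-boot.pkcs11-uri file written in the Prerequisites step. The
# function names and the exact rules are this example's own assumptions.
# It accepts only a private-key object with a percent-encoded id (PIV slot
# 9c => id=%9c), and rejects unknown attributes, embedded whitespace and an
# inline pin-value (a PIN inside a build input would get committed).

# True when $1 is one or more %XX percent-encoded bytes (the RFC 7512 id form).
is_pct_hex() {
    r=$1
    [ -n "$r" ] || return 1
    while [ -n "$r" ]; do
        case $r in %[0-9a-fA-F][0-9a-fA-F]*) r=${r#???} ;; *) return 1 ;; esac
    done
}

validate_pkcs11_uri() {
    uri=$1
    case $uri in pkcs11:*) ;; *) echo "error: missing pkcs11: scheme" >&2; return 1 ;; esac
    case $uri in *[[:space:]]*) echo "error: whitespace in URI" >&2; return 1 ;; esac
    path=${uri#pkcs11:}; query=
    case $path in *\?*) query=${path#*\?}; path=${path%%\?*} ;; esac
    case $query in *pin-value=*) echo "error: inline pin-value not allowed; use pin-source" >&2; return 1 ;; esac
    have_type=0; have_id=0; rest=$path
    while [ -n "$rest" ]; do
        kv=${rest%%;*}
        if [ "$kv" = "$rest" ]; then rest=; else rest=${rest#*;}; fi
        key=${kv%%=*}; val=${kv#*=}
        if [ -z "$key" ] || [ "$kv" = "$key" ]; then echo "error: malformed attribute '$kv'" >&2; return 1; fi
        case $key in
            type) [ "$val" = private ] || { echo "error: type must be private, got '$val'" >&2; return 1; }; have_type=1 ;;
            id) is_pct_hex "$val" || { echo "error: id must be percent-encoded, e.g. id=%9c" >&2; return 1; }; have_id=1 ;;
            manufacturer|model|serial|token|object|slot-id|slot-description|library-manufacturer|library-description) ;;
            *) echo "error: unknown attribute '$key'" >&2; return 1 ;;
        esac
    done
    if [ "$have_type" != 1 ] || [ "$have_id" != 1 ]; then echo "error: need both id= and type=private" >&2; return 1; fi
}

# The file mkosi reads must hold exactly one non-empty line.
validate_pkcs11_uri_file() {
    [ -s "$1" ] || { echo "error: $1 is missing or empty" >&2; return 1; }
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || { echo "error: $1 must contain a single line" >&2; return 1; }
    validate_pkcs11_uri "$(cat "$1")"
}

# Usage: validate-pkcs11-uri.sh mkosi.secure-boot.pkcs11-uri
if [ "$#" -gt 0 ]; then validate_pkcs11_uri_file "$1"; fi
```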
Remaining work
tests/validate-pkcs11-uri.sh)