xtask: Use insecure firmware for all non-sealed VM tests

[jmarrero]

The stock OVMF Secure Boot key database (shipped with the Ubuntu runner's
edk2/ovmf package) does not include the distro signing keys needed to
verify the shim/grub chain for CentOS Stream or Fedora. Previously,
only systemd-boot tests explicitly requested --firmware=uefi-insecure
while grub tests inherited bcvk's default of uefi-secure, causing UEFI
to reject the boot with 'Security Violation'.

This worked by coincidence until the CentOS Stream 10 compose re-signed
grub2 (2.12-47) with a different certificate (Signing 802 / CA 8 instead
of Signing 202 / CA 2), which changed the Authenticode signature and
broke whatever fragile verification path was succeeding before.

Fix by using --firmware=uefi-insecure for all non-sealed images. Sealed
images continue to use uefi-secure with explicitly enrolled test keys.

Signed-off-by: Joseph Marrero Corchado jmarrero@redhat.com
Assisted-by: OpenCode (Claude claude-opus-4-6)

[jmarrero]

Need more investigation to submit to grub upstream/rpm maintainers but hopefully this unblocks CI

[gemini-code-assist]

Code Review

This pull request introduces the BOOTC_COMPOSE_EXCLUDE environment variable and build argument, allowing users to exclude specific packages (such as broken grub2 packages) from CentOS compose repositories during the build process. The feedback highlights a potential issue in the Justfile where the BOOTC_COMPOSE_EXCLUDE build argument is not quoted, which can lead to word splitting and unexpected glob expansion if the variable contains spaces or wildcards.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

If BOOTC_COMPOSE_EXCLUDE contains spaces (e.g., multiple packages like "grub2* shim*") or wildcards (like *), the unquoted expansion in the shell during podman build will lead to word splitting and unexpected glob expansion on the host. Wrapping the build argument value in single quotes prevents these issues.

                  + " --build-arg=BOOTC_COMPOSE_EXCLUDE='" + compose_exclude + "'"

[cgwalters]

I think it will work (for now) to add other compose repos into our build, and then pin grub to the previous version.

[jmarrero]

I got an agent trying to re-verify this, testing the issue locally to isolate the grub commit as I am getting mixed results. The latest grub2 EFI bin works correctly on the previous compose and the code changes don't seem to jump at me. Re-trying.

[cgwalters]

I added the ci/tier-1 label here so we verify work pre-merge-queue

[jmarrero]

It's definitely on the grub path, --bootloader=systemd does not have this issue. Still digging.

[cgwalters]

Yes, probably related to https://gitlab.com/redhat/centos-stream/rpms/grub2/-/commit/db5c73de4139ace15b496062cc445f0374518a28

[jmarrero]

This is already passing the *test-baseconfigs jobs that were failing before 🤞

[jmarrero]

Merge queue does not let us retry a job that fails. This is quite painful. Currently just failing on quay timeouts.