feat: use cached kernel

[m2Giles]

Thank you for contributing to the Universal Blue project!

Please read the Contributor's Guide before submitting a pull request.

[bsherman]

I built a local image pushed to local registry to test the approach of direct replacing the signed vmlinuz file.

This main kernel, as provided by kernel-cache repo, has 3 signatures:

• upstream fedora
• ublue akmods (our traditional akmods sig)
• ublue kernel (new sig to align with full kernel signing and Fedora 41 release)

Note: non-main kernels are not "Fedora Official" so we strip any signatures from them and they will only have the latter 2.

Output to verify above:

herman@fedora:~$ sbverify --list /usr/lib/modules/6.9.7-200.fc40.x86_64/vmlinuz 
signature 1
image signature issuers:
 - /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot CA 20200709/CN=fedoraca
image signature certificates:
 - subject: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot Signer/OU=bkernel01 kernel/CN=kernel-signer
   issuer:  /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot CA 20200709/CN=fedoraca
signature 2
image signature issuers:
 - /O=Universal Blue/OU=kernel signing/CN=ublue kernel/[email protected]
image signature certificates:
 - subject: /O=Universal Blue/OU=kernel signing/CN=ublue kernel/[email protected]
   issuer:  /O=Universal Blue/OU=kernel signing/CN=ublue kernel/[email protected]
signature 3
image signature issuers:
 - /O=Universal Blue/OU=akmods/[email protected]/L=None/ST=None/C=XX/CN=ublue akmods 
image signature certificates:
 - subject: /O=Universal Blue/OU=akmods/[email protected]/L=None/ST=None/C=XX/CN=ublue akmods 
   issuer:  /O=Universal Blue/OU=akmods/[email protected]/L=None/ST=None/C=XX/CN=ublue akmods 

Observations:

1. kernel boots with SecureBoot disabled
2. kernel fails to boot with SecureBoot enabled if a ublue MOK NOT enrolled (qemu kvm uefi, lacking Microsoft key)
3. kernel boots with SecureBoot enabled if a ublue MOK NOT enrolled (on physical hardware with Microsoft key)
4. kernel boots with SecureBoot enabled if ublue akmods MOK is enrolled (qemu kvm uefi, lacking Microsoft key)
5. can rebase to another image, and rollback to image with this custom signed kernel, booting still works

All this seems good... yes, the process feels a bit janky, but it works.

[bsherman]

Next step as discussed with @m2Giles:

Add support to install.sh such that, if the kernel-cache (and thus akmods) provides a different kernel version than what is on the building image, we'll do an rpm-ostree override replace to the kernel-cache RPMs.

But for identically matching kernels, the rpm-ostree override replace fails to work (since the RPMs are otherwise identical), and in that case we'll just replace the vmlinuz file with our signed copy.

I'm waiting for this to be solid here, then I'll use this approach on uCore, too.