Fix wrong arg used (#408)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/dependabot_auto.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2.0.0
+        uses: dependabot/fetch-metadata@v2.1.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           skip-commit-verification: true

go.mod

@@ -11,15 +11,16 @@ require (
 	github.com/anatol/luks.go v0.0.0-20230423170605-fb3724ed7db7
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/jaypipes/ghw v0.12.0
-	github.com/kairos-io/kairos-sdk v0.1.1
+	github.com/kairos-io/kairos-sdk v0.1.8
 	github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5
 	github.com/onsi/ginkgo/v2 v2.17.1
 	github.com/onsi/gomega v1.33.0
 	github.com/otiai10/copy v1.14.0
 	github.com/pkg/errors v0.9.1
-	github.com/rs/zerolog v1.32.0
-	github.com/urfave/cli v1.22.14
+	github.com/rs/zerolog v1.33.0
+	github.com/urfave/cli/v2 v2.27.2
 	gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
@@ -39,7 +40,7 @@ require (
 	github.com/containerd/continuity v0.4.2 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/denisbrodbeck/machineid v1.0.1 // indirect
 	github.com/dgryski/go-camellia v0.0.0-20191119043421-69a8a13fb23d // indirect
 	github.com/docker/cli v24.0.0+incompatible // indirect
@@ -85,6 +86,7 @@ require (
 	github.com/vbatts/tar-split v0.11.3 // indirect
 	github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/crypto v0.22.0 // indirect
 	golang.org/x/mod v0.15.0 // indirect
@@ -98,6 +100,5 @@ require (
 	google.golang.org/grpc v1.58.3 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
 )

go.sum

@@ -34,11 +34,13 @@ github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHS
 github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59 h1:WWB576BN5zNSZc/M9d/10pqEx5VHNhaQ/yOVAkmj5Yo=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/chuckpreslar/emission v0.0.0-20170206194824-a7ddd980baf9 h1:xz6Nv3zcwO2Lila35hcb0QloCQsc38Al13RNEzWRpX4=
 github.com/chuckpreslar/emission v0.0.0-20170206194824-a7ddd980baf9/go.mod h1:2wSM9zJkl1UQEFZgSd68NfCgRz1VL1jzy/RjCg+ULrs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/containerd/aufs v1.0.0/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
 github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw=
@@ -47,13 +49,17 @@ github.com/containerd/containerd v1.7.11 h1:lfGKw3eU35sjV0aG2eYZTiwFEY1pCzxdzicH
 github.com/containerd/containerd v1.7.11/go.mod h1:5UluHxHTX2rdvYuZ5OJTC5m/KJNs0Zs9wVoJm9zf5ZE=
 github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM=
 github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
+github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
+github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -71,6 +77,8 @@ github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryef
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
+github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -99,6 +107,7 @@ github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4er
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
@@ -130,6 +139,7 @@ github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQ
 github.com/gookit/color v1.5.0/go.mod h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo=
 github.com/gookit/color v1.5.3 h1:twfIhZs4QLCtimkP7MOxlF3A0U/5cDPseRT9M/+2SCE=
 github.com/gookit/color v1.5.3/go.mod h1:NUzwzeehUfl7GIb36pqId+UGmRfQcU/WiiyTTeNjHtE=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -151,6 +161,16 @@ github.com/jzelinskie/whirlpool v0.0.0-20201016144138-0675e54bb004 h1:G+9t9cEtnC
 github.com/jzelinskie/whirlpool v0.0.0-20201016144138-0675e54bb004/go.mod h1:KmHnJWQrgEvbuy0vcvj00gtMqbvNn1L+3YUZLK/B92c=
 github.com/kairos-io/kairos-sdk v0.1.1 h1:A9/bweW+Oy0Tmp3l7R4kL4NZXTJcKPXpp1/7u/tAluE=
 github.com/kairos-io/kairos-sdk v0.1.1/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
+github.com/kairos-io/kairos-sdk v0.1.2 h1:veA06dQR4zddrWSxaZNq+5lSZQH0EHlU6OnR5fdkQ2Q=
+github.com/kairos-io/kairos-sdk v0.1.2/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
+github.com/kairos-io/kairos-sdk v0.1.3 h1:mdGdr5mWQ6FXZkXPsDRBvCdZDIKbFpub40idtsSTN8k=
+github.com/kairos-io/kairos-sdk v0.1.3/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
+github.com/kairos-io/kairos-sdk v0.1.5 h1:dk33F9naiHiZlzLTioCz7XQcR8Y6CVRbwE5rxtz5ha0=
+github.com/kairos-io/kairos-sdk v0.1.5/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
+github.com/kairos-io/kairos-sdk v0.1.6 h1:x+oqSvyRgexiJeTbYXpM0ZcJnDbnbRSG4lGNVqDCZc0=
+github.com/kairos-io/kairos-sdk v0.1.6/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
+github.com/kairos-io/kairos-sdk v0.1.8 h1:TKigA+3Nmzn/NLztbLVBLacpx0cK1oJl1AoZarohU98=
+github.com/kairos-io/kairos-sdk v0.1.8/go.mod h1:asSOyJanH10Cnxl9zx5RzyYNMhEworaiMh/7uRnS4GA=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -162,9 +182,12 @@ github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuOb
 github.com/klauspost/cpuid/v2 v2.2.3 h1:sxCkb+qR91z4vsqw4vGGZlDgPz3G7gjaLyK3V8y70BU=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
 github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
@@ -178,11 +201,14 @@ github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZ
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
 github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5 h1:FaZD86+A9mVt7lh9glAryzQblMsbJYU2VnrdZ8yHlTs=
 github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5/go.mod h1:WmKcT8ONmhDQIqQ+HxU+tkGWjzBEyY/KFO8LTGCu4AI=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
@@ -229,6 +255,8 @@ github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUc
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.32.0 h1:keLypqrlIjaFsbmJOBdB/qvyF8KEtCWHwobLp5l/mQ0=
 github.com/rs/zerolog v1.32.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
@@ -236,10 +264,13 @@ github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNX
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -248,22 +279,35 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tmc/scp v0.0.0-20170824174625-f7b48647feef h1:7D6Nm4D6f0ci9yttWaKjM1TMAXrH5Su72dojqYGntFY=
+github.com/urfave/cli v1.22.12 h1:igJgVw1JdKH+trcLWLeLwZjU9fEfPesQ+9/e4MQ44S8=
 github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
 github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
 github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
+github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM=
+github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0=
+github.com/urfave/cli/v2 v2.27.1/go.mod h1:8qnjx1vcq5s2/wpsqoZFndg2CE5tNFyrTvS6SinrnYQ=
+github.com/urfave/cli/v2 v2.27.2 h1:6e0H+AkS+zDckwPCUrZkKX38mRaau4nL2uipkJpbkcI=
+github.com/urfave/cli/v2 v2.27.2/go.mod h1:g0+79LmHHATl7DAcHO99smiR/T7uGLw84w8Y42x+4eM=
 github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
 github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
 github.com/wayneashleyberry/terminal-dimensions v1.1.0 h1:EB7cIzBdsOzAgmhTUtTTQXBByuPheP/Zv1zL2BRPY6g=
 github.com/wayneashleyberry/terminal-dimensions v1.1.0/go.mod h1:2lc/0eWCObmhRczn2SdGSQtgBooLUzIotkkEGXqghyg=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
+github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe9UDgpxAWQrhbbBXOYJFQDq/dtJw=
+github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
+go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -396,6 +440,8 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 h1:POO/ycCATvegFmVuPpQzZFJ+pGZeX22Ufu6fibxDVjU=

main.go

@@ -4,8 +4,10 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/rs/zerolog"
+
 	"github.com/kairos-io/kcrypt/pkg/lib"
-	"github.com/urfave/cli"
+	"github.com/urfave/cli/v2"
 )
 
 var Version = "v0.0.0-dev"
@@ -14,38 +16,50 @@ func main() {
 	app := &cli.App{
 		Name:        "kairos-kcrypt",
 		Version:     Version,
-		Author:      "Ettore Di Giacinto",
+		Authors:     []*cli.Author{&cli.Author{Name: "Ettore Di Giacinto"}},
 		Usage:       "kairos escrow key agent component",
 		Description: ``,
 		UsageText:   ``,
 		Copyright:   "Ettore Di Giacinto",
-		Commands: []cli.Command{
+		Commands: []*cli.Command{
 			{
 
 				Name:        "encrypt",
 				Description: "Encrypts a partition",
 				Usage:       "Encrypts a partition",
-				ArgsUsage:   "kcrypt [--version VERSION] [--tpm] LABEL",
+				ArgsUsage:   "kcrypt [--tpm] [--tpm-pcrs] [--public-key-pcrs] LABEL",
 				Flags: []cli.Flag{
-					&cli.StringFlag{
-						Name:  "version",
-						Value: "luks1",
-						Usage: "luks version to use",
-					},
 					&cli.BoolFlag{
 						Name:  "tpm",
-						Usage: "Use TPM to lock the partition",
+						Usage: "Use TPM measurements to lock the partition",
+					},
+					&cli.StringSliceFlag{
+						Name:  "tpm-pcrs",
+						Usage: "tpm pcrs to bind to (single measurement) . Only applies when --tpm is also set.",
+					},
+					&cli.StringSliceFlag{
+						Name:  "public-key-pcrs",
+						Usage: "public key pcrs to bind to (policy). Only applies when --tpm is also set.",
+						Value: cli.NewStringSlice("11"),
 					},
 				},
 				Action: func(c *cli.Context) error {
+					var err error
+					var out string
 					if c.NArg() != 1 {
 						return fmt.Errorf("requires 1 arg, the partition label")
 					}
-					out, err := lib.Luksify(c.Args().First(), c.String("version"), c.Bool("tpm"))
+					log := zerolog.New(os.Stdout).With().Timestamp().Logger()
+					if c.Bool("tpm") {
+						err = lib.LuksifyMeasurements(c.Args().First(), c.StringSlice("tpm-pcrs"), c.StringSlice("public-key-pcrs"), log)
+					} else {
+						out, err = lib.Luksify(c.Args().First(), log)
+						fmt.Println(out)
+					}
 					if err != nil {
 						return err
 					}
-					fmt.Println(out)
+
 					return nil
 				},
 			},
@@ -74,7 +88,7 @@ func main() {
 					if c.NArg() != 2 {
 						return fmt.Errorf("requires 3 args. initrd,, dst")
 					}
-					return lib.ExtractInitrd(c.Args()[0], c.Args()[1])
+					return lib.ExtractInitrd(c.Args().First(), c.Args().Get(1))
 				},
 			},
 			{
@@ -84,7 +98,7 @@ func main() {
 					if c.NArg() != 3 {
 						return fmt.Errorf("requires 3 args. initrd, srcfile, dst")
 					}
-					return lib.InjectInitrd(c.Args()[0], c.Args()[1], c.Args()[2])
+					return lib.InjectInitrd(c.Args().First(), c.Args().Get(1), c.Args().Get(2))
 				},
 			},
 		},

pkg/lib/lock.go

@@ -1,23 +1,24 @@
 package lib
 
 import (
+	"bytes"
 	"fmt"
-	"github.com/gofrs/uuid"
-	"github.com/jaypipes/ghw"
-	"github.com/jaypipes/ghw/pkg/block"
-	configpkg "github.com/kairos-io/kcrypt/pkg/config"
 	"math/rand"
 	"os"
 	"os/exec"
 	"strings"
+	"syscall"
 	"time"
+
+	"github.com/gofrs/uuid"
+	"github.com/jaypipes/ghw"
+	"github.com/jaypipes/ghw/pkg/block"
+	configpkg "github.com/kairos-io/kcrypt/pkg/config"
+	"github.com/rs/zerolog"
 )
 
-func CreateLuks(dev, password, version string, cryptsetupArgs ...string) error {
-	if version == "" {
-		version = "luks2"
-	}
-	args := []string{"luksFormat", "--type", version, "--iter-time", "5", "-q", dev}
+func CreateLuks(dev, password string, cryptsetupArgs ...string) error {
+	args := []string{"luksFormat", "--type", "luks2", "--iter-time", "5", "-q", dev}
 	args = append(args, cryptsetupArgs...)
 	cmd := exec.Command("cryptsetup", args...)
 	cmd.Stdin = strings.NewReader(password)
@@ -48,86 +49,168 @@ func getRandomString(length int) string {
 // This is because the label of the encrypted partition is not accessible unless
 // the partition is decrypted first and the uuid changed after encryption so
 // any stored information needs to be updated (by the caller).
-func Luksify(label, version string, tpm bool) (string, error) {
+func Luksify(label string, logger zerolog.Logger) (string, error) {
 	var pass string
-	if version == "" {
-		version = "luks1"
-	}
-	if version != "luks1" && version != "luks2" {
-		return "", fmt.Errorf("version must be luks1 or luks2")
+
+	// Make sure ghw will see all partitions correctly.
+	// older versions don't have --type=all. Try the simpler version then.
+	out, err := SH("udevadm trigger --type=all || udevadm trigger")
+	if err != nil {
+		return "", fmt.Errorf("udevadm trigger failed: %w, out: %s", err, out)
 	}
+	syscall.Sync()
 
 	part, b, err := FindPartition(label)
 	if err != nil {
+		logger.Err(err).Msg("find partition")
 		return "", err
 	}
 
-	if tpm {
-		// On TPM locking we generate a random password that will only be used here then discarded.
-		// only unlocking method will be PCR values
-		pass = getRandomString(32)
-	} else {
-		pass, err = GetPassword(b)
-		if err != nil {
-			return "", err
-		}
+	pass, err = GetPassword(b)
+	if err != nil {
+		logger.Err(err).Msg("get password")
+		return "", err
 	}
 
-	part = fmt.Sprintf("/dev/%s", part)
-	devMapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
+	mapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
+	device := fmt.Sprintf("/dev/%s", part)
+	partUUID := uuid.NewV5(uuid.NamespaceURL, label)
+	extraArgs := []string{"--uuid", partUUID.String()}
+
+	if err := CreateLuks(device, pass, extraArgs...); err != nil {
+		logger.Err(err).Msg("create luks")
+		return "", err
+	}
+
+	err = formatLuks(device, b.Name, mapper, label, pass, logger)
+	if err != nil {
+		logger.Err(err).Msg("format luks")
+		return "", err
+	}
+
+	return configpkg.PartitionToString(b), nil
+}
+
+// LuksifyMeasurements takes a label and a list if public-keys and pcrs to bind and uses the measurements
+// in the current node to encrypt the partition with those and bind those to the given pcrs
+// this expects systemd 255 as it needs the SRK public key that systemd extracts
+// Sets a random password, enrolls the policy, unlocks and formats the partition, closes it and tfinally removes the random password from it
+// Note that there is a diff between the publicKeyPcrs and normal Pcrs
+// The former links to a policy type that allows anything signed by that policy to unlcok the partitions so its
+// really useful for binding to PCR11 which is the UKI measurements in order to be able to upgrade the system and still be able
+// to unlock the partitions.
+// The later binds to a SINGLE measurement, so if that changes, it will not unlock anything.
+// This is useful for things like PCR7 which measures the secureboot state and certificates if you dont expect those to change during
+// the whole lifetime of a machine
+// It can also be used to bind to things like the firmware code or efi drivers that we dont expect to change
+// default for publicKeyPcrs is 11
+// default for pcrs is nothing, so it doesn't bind as we want to expand things like DBX and be able to blacklist certs and such
+func LuksifyMeasurements(label string, publicKeyPcrs []string, pcrs []string, logger zerolog.Logger) error {
+	// Make sure ghw will see all partitions correctly.
+	// older versions don't have --type=all. Try the simpler version then.
+	out, err := SH("udevadm trigger --type=all || udevadm trigger")
+	if err != nil {
+		return fmt.Errorf("udevadm trigger failed: %w, out: %s", err, out)
+	}
+	syscall.Sync()
+
+	part, b, err := FindPartition(label)
+	if err != nil {
+		return err
+	}
+
+	// On TPM locking we generate a random password that will only be used here then discarded.
+	// only unlocking method will be PCR values
+	pass := getRandomString(32)
+	mapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
+	device := fmt.Sprintf("/dev/%s", part)
 	partUUID := uuid.NewV5(uuid.NamespaceURL, label)
 
 	extraArgs := []string{"--uuid", partUUID.String()}
 
-	if err := CreateLuks(part, pass, version, extraArgs...); err != nil {
-		return "", err
-	}
-	if tpm {
-		// Enroll PCR policy as a keyslot
-		// We pass the current signature of the booted system to confirm that we would be able to unlock with the current booted system
-		// That checks the policy against the signatures and fails if a UKI with those signatures wont be able to unlock the device
-		// Files are generated by systemd automatically and are extracted from the UKI binary directly
-		// public pem cert -> .pcrpkey section fo the elf file
-		// signatures -> .pcrsig section of the elf file
-		args := []string{"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem", "--tpm2-signature=/run/systemd/tpm2-pcr-signature.json", "--tpm2-device=auto", part}
-		cmd := exec.Command("systemd-cryptenroll", args...)
-		cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass)) // cannot pass it via stdin
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		err := cmd.Run()
-		if err != nil {
-			return "", err
-		}
+	if err := CreateLuks(device, pass, extraArgs...); err != nil {
+		return err
 	}
 
-	if err := LuksUnlock(part, b.Name, pass); err != nil {
-		return "", fmt.Errorf("unlock err: %w", err)
+	if len(publicKeyPcrs) == 0 {
+		publicKeyPcrs = []string{"11"}
 	}
 
-	if err := Waitdevice(devMapper, 10); err != nil {
-		return "", fmt.Errorf("waitdevice err: %w", err)
-	}
+	syscall.Sync()
 
-	cmd := fmt.Sprintf("mkfs.ext4 -L %s %s", label, devMapper)
-	out, err := SH(cmd)
+	// Enroll PCR policy as a keyslot
+	// We pass the current signature of the booted system to confirm that we would be able to unlock with the current booted system
+	// That checks the policy against the signatures and fails if a UKI with those signatures wont be able to unlock the device
+	// Files are generated by systemd automatically and are extracted from the UKI binary directly
+	// public pem cert -> .pcrpkey section fo the elf file
+	// signatures -> .pcrsig section of the elf file
+	args := []string{
+		"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem",
+		fmt.Sprintf("--tpm2-public-key-pcrs=%s", strings.Join(publicKeyPcrs, "+")),
+		fmt.Sprintf("--tpm2-pcrs=%s", strings.Join(pcrs, "+")),
+		"--tpm2-signature=/run/systemd/tpm2-pcr-signature.json",
+		"--tpm2-device-key=/run/systemd/tpm2-srk-public-key.tpm2b_public",
+		device}
+	logger.Debug().Str("args", strings.Join(args, " ")).Msg("running command")
+	cmd := exec.Command("systemd-cryptenroll", args...)
+	cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass), "SYSTEMD_LOG_LEVEL=debug") // cannot pass it via stdin
+	// Store the output into a buffer to log it in case we need it
+	// debug output goes to stderr for some reason?
+	stdOut := bytes.Buffer{}
+	cmd.Stdout = &stdOut
+	cmd.Stderr = &stdOut
+	err = cmd.Run()
 	if err != nil {
-		return "", fmt.Errorf("mkfs err: %w, out: %s", err, out)
+		logger.Debug().Str("output", stdOut.String()).Msg("debug from cryptenroll")
+		logger.Err(err).Msg("Enrolling measurements")
+		return err
 	}
 
-	out, err = SH(fmt.Sprintf("cryptsetup close %s", b.Name))
+	logger.Debug().Str("output", stdOut.String()).Msg("debug from cryptenroll")
+
+	err = formatLuks(device, b.Name, mapper, label, pass, logger)
 	if err != nil {
-		return "", fmt.Errorf("lock err: %w, out: %s", err, out)
+		logger.Err(err).Msg("format luks")
+		return err
 	}
 
-	if tpm {
-		// Delete password slot from luks device
-		out, err := SH(fmt.Sprintf("systemd-cryptenroll --wipe-slot=password %s", part))
-		if err != nil {
-			return "", fmt.Errorf("err: %w, out: %s", err, out)
-		}
+	// Delete password slot from luks device
+	out, err = SH(fmt.Sprintf("systemd-cryptenroll --wipe-slot=password %s", device))
+	if err != nil {
+		logger.Err(err).Str("out", out).Msg("Removing password")
+		return err
+	}
+	return nil
+}
+
+// format luks will unlock the device, wait for it and then format it
+// device is the actual /dev/X luks device
+// label is the label we will set to the formatted partition
+// password is the pass to unlock the device to be able to format the underlying mapper
+func formatLuks(device, name, mapper, label, pass string, logger zerolog.Logger) error {
+	l := logger.With().Str("device", device).Str("name", name).Str("mapper", mapper).Logger()
+	l.Debug().Msg("unlock")
+	if err := LuksUnlock(device, name, pass); err != nil {
+		return fmt.Errorf("unlock err: %w", err)
 	}
 
-	return configpkg.PartitionToString(b), nil
+	l.Debug().Msg("wait device")
+	if err := Waitdevice(mapper, 10); err != nil {
+		return fmt.Errorf("waitdevice err: %w", err)
+	}
+
+	l.Debug().Msg("format")
+	cmdFormat := fmt.Sprintf("mkfs.ext4 -L %s %s", label, mapper)
+	out, err := SH(cmdFormat)
+	if err != nil {
+		return fmt.Errorf("mkfs err: %w, out: %s", err, out)
+	}
+	l.Debug().Msg("close")
+	out, err = SH(fmt.Sprintf("cryptsetup close %s", mapper))
+	if err != nil {
+		return fmt.Errorf("lock err: %w, out: %s", err, out)
+	}
+	return nil
 }
 
 func FindPartition(label string) (string, *block.Partition, error) {
@@ -145,5 +228,5 @@ func FindPartition(label string) (string, *block.Partition, error) {
 		return "", nil, err
 	}
 
-	return "", nil, fmt.Errorf("not found")
+	return "", nil, fmt.Errorf("not found label %s", label)
 }

pkg/lib/unlock.go

@@ -38,6 +38,14 @@ func UnlockAllWithLogger(tpm bool, logger zerolog.Logger) error {
 		return nil
 	}
 
+	// Some versions of udevadm don't support --settle (e.g. alpine)
+	// and older versions don't have --type=all. Try the simpler version then.
+	logger.Info().Msgf("triggering udev to populate disk info")
+	_, err = utils.SH("udevadm trigger --type=all || udevadm trigger")
+	if err != nil {
+		return err
+	}
+
 	for _, disk := range blk.Disks {
 		for _, p := range disk.Partitions {
 			if p.Type == "crypto_LUKS" {

pkg/lib/utils.go

@@ -24,5 +24,5 @@ func Waitdevice(device string, attempts int) error {
 		}
 		time.Sleep(1 * time.Second)
 	}
-	return fmt.Errorf("no device found")
+	return fmt.Errorf("no device found %s", device)
 }