Override boot assessment services for UKI (#1149)

packages/static/kairos-overlay-files/collection.yaml

@@ -1,4 +1,4 @@
 packages:
   - name: "kairos-overlay-files"
     category: "static"
-    version: "1.5.1"
+    version: "1.6.0"

packages/static/kairos-overlay-files/files/system/oem/08_efi_assessment.yaml

@@ -0,0 +1,33 @@
+name: "Enable EFI assessment"
+stages:
+  initramfs:
+    - name: "Override systemd-boot services to enable RW on /efi partition"
+      if: '([ -e "/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ] || [ -e "/usr/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ]) && [ -e "/run/cos/uki_boot_mode" ]'
+      files:
+        - path: /etc/systemd/system/systemd-bless-boot.service.d/override.conf
+          permissions: 0644
+          owner: 0
+          group: 0
+          content: |
+            [Service]
+            # Allow RW on /efi partition
+            ExecStartPre=mount -o remount,rw /efi
+            # Remove the assessment suffix from loader.conf if any
+            ExecStartPost=sed -i -E 's/(default\s+)*\+[0-9]+(-[0-9]+)?(\.conf)/\1\3/' /efi/loader/loader.conf
+            # Revert back to RO on /efi partition
+            ExecStartPost=mount -o remount,ro /efi
+        - path: /etc/systemd/system/systemd-boot-random-seed.service.d/override.conf
+          permissions: 0644
+          owner: 0
+          group: 0
+          content: |
+            [Service]
+            # Allow RW on /efi partition
+            ExecStartPre=mount -o remount,rw /efi
+            # Revert back to RO on /efi partition
+            ExecStartPost=mount -o remount,ro /efi
+    - name: "Enable boot assessment"
+      if: '([ -e "/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ] || [ -e "/usr/sbin/systemctl" ]) && [ -e "/run/cos/uki_boot_mode" ]'
+      systemctl:
+        enable:
+          - name: "systemd-bless-boot"