the n-th boot phase path set will be signed by the n-th key. This can be used to build different trust
policies for different phases of the boot. In the config file, <varname>PCRPrivateKey=</varname>,
<varname>PCRPublicKey=</varname>, and <varname>Phases=</varname> are grouped into separate sections,
- describing separate boot phases.</para>
+ describing separate boot phases. If <varname>SigningEngine=</varname>/<option>--signing-engine=</option>
+ is specified, then the private keys arguments will be passed verbatim to OpenSSL as URIs, and the public
+ key arguments will be loaded as X.509 certificates, so that signing can be perfomed with an OpenSSL
+ engine.</para>
<para>If a SecureBoot signing key is provided via the
<varname>SecureBootPrivateKey=</varname>/<option>--secureboot-private-key=</option> option, the resulting
assert ns.sign_kernel is False
assert ns._groups == ['NAME']
- assert ns.pcr_private_keys == [pathlib.Path('some/path7')]
+ assert ns.pcr_private_keys == ['some/path7']
assert ns.pcr_public_keys == [pathlib.Path('some/path8')]
assert ns.phase_path_groups == [['enter-initrd:leave-initrd:sysinit:ready:shutdown:final']]
assert ns.sign_kernel is False
assert ns._groups == ['NAME']
- assert ns.pcr_private_keys == [pathlib.Path('some/path7')]
+ assert ns.pcr_private_keys == ['some/path7']
assert ns.pcr_public_keys == [pathlib.Path('some/path8')]
assert ns.phase_path_groups == [['enter-initrd:leave-initrd:sysinit:ready:shutdown:final']]
assert opts.pcrpkey == pathlib.Path('PATH')
assert opts.uname == '1.2.3'
assert opts.stub == pathlib.Path('STUBPATH')
- assert opts.pcr_private_keys == [pathlib.Path('PKEY1')]
+ assert opts.pcr_private_keys == ['PKEY1']
assert opts.pcr_public_keys == [pathlib.Path('PKEY2')]
assert opts.pcr_banks == ['SHA1', 'SHA256']
assert opts.signing_engine == 'ENGINE'
assert opts.pcrpkey == pathlib.Path('PATH')
assert opts.uname == '1.2.3'
assert opts.stub == pathlib.Path('STUBPATH')
- assert opts.pcr_private_keys == [pathlib.Path('PKEY1')]
+ assert opts.pcr_private_keys == ['PKEY1']
assert opts.pcr_public_keys == [pathlib.Path('PKEY2')]
assert opts.pcr_banks == ['SHA1', 'SHA256']
assert opts.signing_engine == 'ENGINE'
assert opts.pcrpkey == pathlib.Path('PATH')
assert opts.uname == '1.2.3'
assert opts.stub == pathlib.Path('STUBPATH')
- assert opts.pcr_private_keys == [pathlib.Path('PKEY1'),
- pathlib.Path('some/path7')]
+ assert opts.pcr_private_keys == ['PKEY1', 'some/path7']
assert opts.pcr_public_keys == [pathlib.Path('PKEY2'),
pathlib.Path('some/path8')]
assert opts.pcr_banks == ['SHA1', 'SHA256']
*((priv_key, pub_key)
for priv_key, pub_key, _ in key_path_groups(opts)))
for path in paths:
- if path and path.exists():
+ if path and pathlib.Path(path).exists():
raise ValueError(f'{path} is present')
for priv_key, pub_key, group in key_path_groups(opts):
extra = [f'--private-key={priv_key}']
- if pub_key:
+ if opts.signing_engine is not None:
+ assert pub_key
+ extra += [f'--private-key-source=engine:{opts.signing_engine}']
+ extra += [f'--certificate={pub_key}']
+ elif pub_key:
extra += [f'--public-key={pub_key}']
extra += [f'--phase={phase_path}' for phase_path in group or ()]
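Review bot: The `assert pub_key` added under the `opts.signing_engine is not None` branch is input validation done with `assert`, which is stripped when Python runs with `-O` and otherwise surfaces as a bare `AssertionError` with no hint about what the user forgot. An explicit check with a message is more robust here, e.g. `if not pub_key: raise ValueError(f'A certificate must be given alongside private key {priv_key} when a signing engine is used')`. The enclosing function starts and ends outside the hunk, so I cannot tell whether the same condition is already enforced earlier during option parsing; if it is, the assert is redundant and the check should live there instead.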
sbsign_tool,
'--key', opts.sb_key,
'--cert', opts.sb_cert,
- input_f,
- '--output', output_f,
]
if opts.signing_engine is not None:
sign_invocation += ['--engine', opts.signing_engine]
+ sign_invocation += [
+ input_f,
+ '--output', output_f,
+ ]
signer_sign(sign_invocation)
def find_pesign(opts=None):
pcrpkey = opts.pcr_public_keys[0]
elif opts.pcr_private_keys and len(opts.pcr_private_keys) == 1:
from cryptography.hazmat.primitives import serialization
- privkey = serialization.load_pem_private_key(opts.pcr_private_keys[0].read_bytes(), password=None)
+ privkey = serialization.load_pem_private_key(pathlib.Path(opts.pcr_private_keys[0]).read_bytes(), password=None)
pcrpkey = privkey.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
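Review bot: The new `pathlib.Path(opts.pcr_private_keys[0]).read_bytes()` still treats the private-key argument as a PEM file, but the documentation added in this same commit says that with `SigningEngine=`/`--signing-engine=` that argument is an OpenSSL URI passed verbatim to the engine. As far as the visible `elif` shows, this branch is reached when no public key was given, so an engine-backed invocation without a certificate would fail with a `FileNotFoundError` (or an opaque PEM parse error) rather than a clear message. A guard at the top of the branch would make the failure explicit, e.g. `if opts.signing_engine is not None: raise ValueError('Cannot derive the PCR public key from an engine-backed private key; pass the certificate explicitly')`. The enclosing function starts and ends outside the hunk.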
print(f'Writing private key for PCR signing to {priv_key}')
with temporary_umask(0o077):
- priv_key.write_bytes(priv_key_pem)
+ pathlib.Path(priv_key).write_bytes(priv_key_pem)
if pub_key:
print(f'Writing public key for PCR signing to {pub_key}')
pub_key.write_bytes(pub_key_pem)
ConfigItem(
'--pcr-private-key',
dest = 'pcr_private_keys',
- metavar = 'PATH',
- type = pathlib.Path,
action = 'append',
- help = 'private part of the keypair for signing PCR signatures',
+ help = 'private part of the keypair or engine-specific designation for signing PCR signatures',
config_key = 'PCRSignature:/PCRPrivateKey',
config_push = ConfigItem.config_set_group,
),
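Review bot: Dropping `metavar = 'PATH'` without a replacement means argparse now derives the placeholder from `dest`, so `--help` will show `--pcr-private-key PCR_PRIVATE_KEYS`, which is noisier than before and does not convey the two accepted forms. Since the option now takes either a file path or an engine URI, an explicit `metavar = 'PATH|URI'` (or similar) keeps the usage line readable and matches the updated help string.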
metavar = 'PATH',
type = pathlib.Path,
action = 'append',
- help = 'public part of the keypair for signing PCR signatures',
+ help = 'public part of the keypair or engine-specific designation for signing PCR signatures',
config_key = 'PCRSignature:/PCRPublicKey',
config_push = ConfigItem.config_set_group,
),
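Review bot: The new help text "public part of the keypair or engine-specific designation" does not match what this option actually accepts: `type = pathlib.Path` is kept on the line above, and the documentation added in this commit says the public-key argument is loaded as an X.509 certificate when a signing engine is used, so it is always a file, not an engine designation. Suggest `help = 'public part of the keypair, or X.509 certificate when a signing engine is used, for signing PCR signatures'` so the CLI help and the man page agree.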