uname = ukify.Uname.scrape(kernel_initrd[1])
assert re.match(r'\d+\.\d+\.\d+', uname)
-def test_efi_signing_sbsign(kernel_initrd, tmpdir):
+@pytest.mark.parametrize("days", [365*10, None])
+def test_efi_signing_sbsign(days, kernel_initrd, tmpdir):
if kernel_initrd is None:
pytest.skip('linux+initrd not found')
if not shutil.which('sbsign'):
key = unbase64(ourdir / 'example.signing.key.base64')
output = f'{tmpdir}/signed.efi'
- opts = ukify.parse_args([
+ args = [
'build',
*kernel_initrd,
f'--output={output}',
'--cmdline=ARG1 ARG2 ARG3',
f'--secureboot-certificate={cert.name}',
f'--secureboot-private-key={key.name}',
- ])
+ ]
+ if days is not None:
+ args += [f'--secureboot-certificate-validity={days}']
+
+ opts = ukify.parse_args(args)
try:
ukify.check_inputs(opts)
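Review bot: The `days` parametrization, as far as these lines show, only proves that `build` accepts `--secureboot-certificate-validity=`. The certificate used for signing is the pre-made one passed through `--secureboot-certificate={cert.name}`, so nothing here checks that the validity value ends up in a generated certificate. If the option is meant for the genkey path, a test there that reads the certificate's notAfter date back would cover it. A comment above the `if days is not None:` line, such as `# build signs with an existing certificate; this case only checks that the option is accepted`, would make the intent clear. The test body continues outside the hunk, so a later assertion may already cover part of this.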
print(f"Wrote {'signed' if sign_args_present else 'unsigned'} {opts.output}")
-
@contextlib.contextmanager
def temporary_umask(mask: int):
# Drop <mask> bits from umask
def generate_keys(opts):
+ work = False
+
# This will generate keys and certificates and write them to the paths that
# are specified as input paths.
if opts.sb_key or opts.sb_cert:
print(f'Writing SecureBoot certificate to {opts.sb_cert}')
opts.sb_cert.write_bytes(cert_pem)
+ work = True
+
for priv_key, pub_key, _ in key_path_groups(opts):
priv_key_pem, pub_key_pem = generate_priv_pub_key_pair()
print(f'Writing public key for PCR signing to {pub_key}')
pub_key.write_bytes(pub_key_pem)
+ work = True
+
+ if not work:
+ raise ValueError('genkey: --secureboot-private-key=/--secureboot-certificate= or --pcr-private-key/--pcr-public-key must be specified')
+
def inspect_section(opts, section):
name = section.Name.rstrip(b"\x00").decode()
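Review bot: The message of the new `ValueError` spells the two option pairs differently: `--secureboot-private-key=/--secureboot-certificate=` carry a trailing `=`, while `--pcr-private-key/--pcr-public-key` do not. One spelling throughout reads better, e.g. ending the message with `or --pcr-private-key=/--pcr-public-key= must be specified`. The flag `work`, set in the two earlier hunks of `generate_keys`, would say more as `wrote_keys`, and a comment at `if not work:` such as `# nothing was requested: fail instead of exiting successfully without writing any key` would record why the check sits at the end. Separately, the context line `if opts.sb_key or opts.sb_cert:` enters the SecureBoot branch when only one of the two paths is set, so `opts.sb_cert.write_bytes(cert_pem)` presumably fails on an unset path. The lines in between are outside the hunks, so this needs confirming, but requiring both options up front would give the user a clearer error.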