Merge pull request #30343 from keszybz/ukify-genkey
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Wed, 6 Dec 2023 21:01:41 +0000 (22:01 +0100)
committerGitHub <noreply@github.com>
Wed, 6 Dec 2023 21:01:41 +0000 (22:01 +0100)
Raise error if 'ukify genkey' is called with no output arguments

src/ukify/test/test_ukify.py
src/ukify/ukify.py

index e85171b0e9b9776bc76d1d295e2ec4804f04efb0..3a60a21f55e7c5064e29a30fe3be102df4de6cb0 100755 (executable)
@@ -529,7 +529,8 @@ def test_uname_scraping(kernel_initrd):
     uname = ukify.Uname.scrape(kernel_initrd[1])
     assert re.match(r'\d+\.\d+\.\d+', uname)
 
-def test_efi_signing_sbsign(kernel_initrd, tmpdir):
+@pytest.mark.parametrize("days", [365*10, None])
+def test_efi_signing_sbsign(days, kernel_initrd, tmpdir):
     if kernel_initrd is None:
         pytest.skip('linux+initrd not found')
     if not shutil.which('sbsign'):
@@ -540,7 +541,7 @@ def test_efi_signing_sbsign(kernel_initrd, tmpdir):
     key = unbase64(ourdir / 'example.signing.key.base64')
 
     output = f'{tmpdir}/signed.efi'
-    opts = ukify.parse_args([
+    args = [
         'build',
         *kernel_initrd,
         f'--output={output}',
@@ -548,7 +549,11 @@ def test_efi_signing_sbsign(kernel_initrd, tmpdir):
         '--cmdline=ARG1 ARG2 ARG3',
         f'--secureboot-certificate={cert.name}',
         f'--secureboot-private-key={key.name}',
-    ])
+    ]
+    if days is not None:
+        args += [f'--secureboot-certificate-validity={days}']
+
+    opts = ukify.parse_args(args)
 
     try:
         ukify.check_inputs(opts)
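Review bot: The new `days` case only proves that `parse_args` accepts `--secureboot-certificate-validity=`; nothing in this hunk checks the value it produced, so a regression that leaves it as a string or drops it would still pass. Because the test runs `build` with an existing certificate, the option is unlikely to change the signed output, so an explicit check right after `opts = ukify.parse_args(args)` is the cheap way to pin it, e.g. `if days is not None: assert opts.sb_cert_validity == days` (attribute name assumed from the option's dest; confirm against ukify.py). The test body continues past the end of the hunk, so an equivalent assertion may already exist further down.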
index 9fbe4d70f49bbbc25c42c4b0eaf9f8bc0c42491a..b33c8cf744cc9ae894832db5a928fb585cc97ef6 100755 (executable)
@@ -846,7 +846,6 @@ uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.ht
     print(f"Wrote {'signed' if sign_args_present else 'unsigned'} {opts.output}")
 
 
-
 @contextlib.contextmanager
 def temporary_umask(mask: int):
     # Drop <mask> bits from umask
@@ -933,6 +932,8 @@ def generate_priv_pub_key_pair(keylength : int = 2048) -> tuple[bytes]:
 
 
 def generate_keys(opts):
+    work = False
+
     # This will generate keys and certificates and write them to the paths that
     # are specified as input paths.
     if opts.sb_key or opts.sb_cert:
@@ -948,6 +949,8 @@ def generate_keys(opts):
         print(f'Writing SecureBoot certificate to {opts.sb_cert}')
         opts.sb_cert.write_bytes(cert_pem)
 
+        work = True
+
     for priv_key, pub_key, _ in key_path_groups(opts):
         priv_key_pem, pub_key_pem = generate_priv_pub_key_pair()
 
@@ -958,6 +961,11 @@ def generate_keys(opts):
             print(f'Writing public key for PCR signing to {pub_key}')
             pub_key.write_bytes(pub_key_pem)
 
+        work = True
+
+    if not work:
+        raise ValueError('genkey: --secureboot-private-key=/--secureboot-certificate= or --pcr-private-key/--pcr-public-key must be specified')
+
 
 def inspect_section(opts, section):
     name = section.Name.rstrip(b"\x00").decode()
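Review bot: The `if not work:` check added at the end of `generate_keys` rejects only the case where no output path was given; a half-specified SecureBoot pair still gets through, because the branch is entered on `opts.sb_key or opts.sb_cert` while `opts.sb_cert.write_bytes(cert_pem)` is called unconditionally. If only `--secureboot-private-key=` is passed and nothing earlier rejects that, the run would presumably end in an AttributeError on `None` after key material has been generated and possibly written to disk (the key-writing lines sit between the hunks and are not visible here). Checking the pair before any key is generated gives the same kind of clear error this commit introduces: `if bool(opts.sb_key) != bool(opts.sb_cert): raise ValueError('genkey: --secureboot-private-key= and --secureboot-certificate= must be specified together')`. The `work` flag is set in the two earlier hunks of this file as well, and the function starts outside this hunk.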