Add support for FirmwareVariables=microsoft-mok
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Wed, 22 Jan 2025 16:11:56 +0000 (17:11 +0100)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Thu, 23 Jan 2025 08:08:19 +0000 (09:08 +0100)
This new setting uses a firmware variables file with the Microsoft keys
already enrolled and extends it with the MOK variables required to trust
the user's secure boot key/certificate.

Co-authored-by: Luca Boccassi <luca.boccassi@gmail.com>
mkosi/config.py
mkosi/qemu.py
mkosi/resources/man/mkosi.1.md

index a1a24dca9e539aa940be72dcc1619eab9b0f4453..4e5da727ce6c6e9c253169dfbdf8fc3861dc8a87 100644 (file)
@@ -3699,7 +3699,7 @@ SETTINGS: list[ConfigSetting[Any]] = [
         dest="firmware_variables",
         metavar="PATH",
         section="Runtime",
-        parse=config_make_path_parser(constants=("custom", "microsoft")),
+        parse=config_make_path_parser(constants=("custom", "microsoft", "microsoft-mok")),
         help="Set the path to the firmware variables file to use",
         compat_longs=("--qemu-firmware-variables",),
         compat_names=("QemuFirmwareVariables",),
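Review bot: The help string on the line after the change still reads `Set the path to the firmware variables file to use` and does not mention that `custom`, `microsoft` and the new `microsoft-mok` are accepted in place of a path, so `--help` stays silent about the new value. I would extend it to `help="Set the path to the firmware variables file to use, or one of custom, microsoft, microsoft-mok"`. The ConfigSetting entry begins before the hunk.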
index 2e54b8c85d70804a8d935f0857fefbe73031bac7..f99ad0f159d7b9265a6cde9ee501254140dbf364 100644 (file)
@@ -243,11 +243,17 @@ def find_ovmf_firmware(config: Config, firmware: Firmware) -> Optional[OvmfConfi
             logging.debug(f"{p.name} firmware description includes secure boot, skipping")
             continue
 
-        if config.firmware_variables == Path("microsoft") and "enrolled-keys" not in j["features"]:
+        if (
+            config.firmware_variables in (Path("microsoft"), Path("microsoft-mok"))
+            and "enrolled-keys" not in j["features"]
+        ):
             logging.debug(f"{p.name} firmware description does not have enrolled Microsoft keys, skipping")
             continue
 
-        if config.firmware_variables != Path("microsoft") and "enrolled-keys" in j["features"]:
+        if (
+            config.firmware_variables not in (Path("microsoft"), Path("microsoft-mok"))
+            and "enrolled-keys" in j["features"]
+        ):
             logging.debug(f"{p.name} firmware description has enrolled Microsoft keys, skipping")
             continue
 
@@ -744,6 +750,25 @@ def finalize_firmware_variables(
                 ],
             ),
         )  # fmt: skip
+    elif config.firmware_variables == Path("microsoft-mok"):
+        assert config.secure_boot_certificate
+
+        run(
+            [
+                "virt-fw-vars",
+                "--input", workdir(ovmf.vars),
+                "--output", workdir(ovmf_vars),
+                "--add-mok", "605dab50-e046-4300-abb6-3dd810dd8b23", workdir(config.secure_boot_certificate),
+                "--loglevel", "WARNING",
+            ],
+            sandbox=config.sandbox(
+                options=[
+                    "--bind", ovmf_vars, workdir(ovmf_vars),
+                    "--ro-bind", ovmf.vars, workdir(ovmf.vars),
+                    "--ro-bind", config.secure_boot_certificate, workdir(config.secure_boot_certificate),
+                ],
+            ),
+        )  # fmt: skip
     else:
         vars = (
             config.tools() / ovmf.vars.relative_to("/")
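Review bot: The GUID literal `605dab50-e046-4300-abb6-3dd810dd8b23` passed to `--add-mok` is unexplained at the call site; it appears to be the owner GUID shim uses for its MOK variables, but a reader cannot verify that from the code. I would give it a name such as `SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"  # owner GUID of shim's MokList variables` at module level and use it here. The `assert config.secure_boot_certificate` on the branch's first line is stripped under `python -O`; the `die()` in run_qemu rejects the missing setting earlier, but if this function is reached by another path the `workdir()` call would fail on `None` instead, so either a comment stating the assert is only a type-narrowing aid or a `die()` mirroring run_qemu would make that explicit. It is also worth a comment next to the branch that the certificate only lands in MokList and is therefore trusted by shim, not by the firmware's db, so binaries signed with it must be started through the distribution-signed shim. finalize_firmware_variables starts and ends outside the hunk.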
@@ -1083,8 +1108,11 @@ def run_qemu(args: Args, config: Config) -> None:
             "the native host architecture"
         )
 
-    if config.firmware_variables == Path("custom") and not config.secure_boot_certificate:
-        die("SecureBootCertificate= must be configured to use FirmwareVariables=custom")
+    if (
+        config.firmware_variables in (Path("custom"), Path("microsoft-mok"))
+        and not config.secure_boot_certificate
+    ):
+        die("SecureBootCertificate= must be configured to use FirmwareVariables=custom|microsoft-mok")
 
     # After we unshare the user namespace to sandbox qemu, we might not have access to /dev/kvm or related
     # device nodes anymore as access to these might be gated behind the kvm group and we won't be part of the
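Review bot: The `die()` message names both constants, so a user who set `FirmwareVariables=microsoft-mok` is not told which one applies to them; interpolating the configured value, `die(f"SecureBootCertificate= must be configured to use FirmwareVariables={config.firmware_variables}")`, keeps the message exact for either variant. The `(Path("custom"), Path("microsoft-mok"))` pair encodes "variants that consume the certificate" and differs from the enrolled-keys pair used in find_ovmf_firmware, so a short comment such as `# variants that enroll SecureBootCertificate= into the variables file` would help a reader keep the two sets apart. run_qemu continues outside the hunk.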
index e255c884c7c124260d5e15233b1ec72921cd512c..5444a8f8ddb814357ebe776501463d4b1f3e9459 100644 (file)
@@ -1637,6 +1637,13 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
     When set to `microsoft`, a firmware variables file with the Microsoft
     secure boot certificates already enrolled will be used.
 
+    When set to `microsoft-mok`, a firmware variables file with the
+    Microsoft secure boot certificates already enrolled will be extended
+    with a `MokList` variable containing the secure boot certificate
+    from `SecureBootCertificate=`. This is intended to be used together
+    with shim binaries signed by the distribution and locally signed EFI
+    binaries.
+
     When set to `custom`, the secure boot certificate from
     `SecureBootCertificate=` will be enrolled into the default firmware
     variables file.