measure: add support for signing PCR sections with engine/provider 2373/head
authorLuca Boccassi <bluca@debian.org>
Sun, 11 Feb 2024 00:33:24 +0000 (00:33 +0000)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 4 Mar 2024 18:48:03 +0000 (19:48 +0100)
mkosi/__init__.py

index 55dc15d680d30375b56461eca292d5ba39856c24..b36401355583e359e6f57a593a4e0f736f20cfe5 100644 (file)
@@ -1929,7 +1929,16 @@ def build_uki(
                 "--pcr-private-key", context.config.secure_boot_key,
                 "--pcr-banks", "sha1,sha256",
             ]
-            options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
+            if context.config.secure_boot_key.exists():
+                options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
+            if context.config.secure_boot_key_source.type == KeySource.Type.engine:
+                cmd += [
+                    "--signing-engine", context.config.secure_boot_key_source.source,
+                    "--pcr-public-key", context.config.secure_boot_certificate,
+                ]
+                options += [
+                    "--ro-bind", context.config.secure_boot_certificate, context.config.secure_boot_certificate,
+                ]
 
     cmd += ["build", "--linux", kimg]
     options += ["--ro-bind", kimg, kimg]
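Review bot: The new `if context.config.secure_boot_key.exists():` guard decides whether to bind-mount the key by probing the host filesystem rather than by checking the configured key source, and that has two side effects. For a file-backed key that is missing or mistyped, the bind is now skipped silently and the failure only surfaces later in the signing step; for an engine-backed key, the value is presumably a key reference rather than a path, yet a file of the same name relative to the working directory would still be bind-mounted into the sandbox. Branching on the source type states the intent directly, e.g. `if context.config.secure_boot_key_source.type != KeySource.Type.engine:` around the `--ro-bind` of the key. The commit title also mentions providers, but only `KeySource.Type.engine` is handled in this hunk, so a provider-backed key would get neither `--signing-engine` nor `--pcr-public-key` unless that is handled elsewhere. `build_uki` starts and ends outside the hunk.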