From: Luca Boccassi
Date: Sun, 11 Feb 2024 00:33:24 +0000 (+0000)
Subject: measure: add support for signing PCR sections with engine/provider
X-Git-Tag: v21~12^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2373%2Fhead;p=thirdparty%2Fmkosi.git
measure: add support for signing PCR sections with engine/provider
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 55dc15d68..b36401355 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1929,7 +1929,16 @@ def build_uki(
 "--pcr-private-key", context.config.secure_boot_key,
 "--pcr-banks", "sha1,sha256",
 ]
- options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
+ if context.config.secure_boot_key.exists():
+ options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
+ if context.config.secure_boot_key_source.type == KeySource.Type.engine:
+ cmd += [
+ "--signing-engine", context.config.secure_boot_key_source.source,
+ "--pcr-public-key", context.config.secure_boot_certificate,
+ ]
+ options += [
+ "--ro-bind", context.config.secure_boot_certificate, context.config.secure_boot_certificate,
+ ]
 cmd += ["build", "--linux", kimg]
 options += ["--ro-bind", kimg, kimg]
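Review bot: The new `if context.config.secure_boot_key.exists():` guard decides whether to bind the PCR signing key into the sandbox by probing the host filesystem, with no comment explaining why, and it silently skips the bind when a file-based key path is simply wrong. Presumably the guard is there because an engine key can be an identifier rather than a path; if so, say it with a comment such as `# Engine keys may be identifiers rather than files, so only bind what exists on disk.` It is also worth failing early when the source type is not `KeySource.Type.engine` and the file is missing, so the error is not deferred to the signing tool inside the sandbox. The subject line says engine/provider, but only `KeySource.Type.engine` adds `--signing-engine` and `--pcr-public-key` here; if a separate provider type exists, this hunk does not cover it. `build_uki` starts and ends outside the hunk, so the enclosing condition is not visible.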