pesign_prepare,
prepare_grub_config,
python_binary,
+ run_systemd_sign_tool,
shim_second_stage_binary,
sign_efi_binary,
want_efi,
ArtifactOutput,
Bootloader,
Cacheonly,
+ CertificateSourceType,
Compression,
Config,
ConfigFeature,
if context.config.secure_boot_sign_tool != SecureBootSignTool.pesign:
cmd += [
- "--signtool", "sbsign",
- "--secureboot-certificate", workdir(context.config.secure_boot_certificate),
- ] # fmt: skip
- opt += [
- "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501
+ "--signtool", (
+ "sbsign"
+ if context.config.secure_boot_sign_tool == SecureBootSignTool.sbsign
+ else "systemd-sbsign"
+ ),
] # fmt: skip
+
+ if (
+ context.config.secure_boot_key_source.type != KeySourceType.file
+ or context.config.secure_boot_certificate_source.type != CertificateSourceType.file
+ ):
+ opt += ["--bind", "/run", "/run"]
+
if context.config.secure_boot_key_source.type == KeySourceType.engine:
cmd += ["--signing-engine", context.config.secure_boot_key_source.source]
- opt += ["--bind", "/run", "/run"]
+ elif context.config.secure_boot_key_source.type == KeySourceType.provider:
+ cmd += ["--signing-provider", context.config.secure_boot_key_source.source]
+
if context.config.secure_boot_key.exists():
cmd += ["--secureboot-private-key", workdir(context.config.secure_boot_key)]
opt += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
else:
cmd += ["--secureboot-private-key", context.config.secure_boot_key]
+
+ if context.config.secure_boot_certificate_source.type == CertificateSourceType.provider:
+ cmd += ["--certificate-provider", context.config.secure_boot_certificate_source.source]
+
+ if context.config.secure_boot_certificate.exists():
+ cmd += ["--secureboot-certificate", workdir(context.config.secure_boot_certificate)]
+ opt += [
+ "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501
+ ] # fmt: skip
+ else:
+ cmd += ["--secureboot-certificate", context.config.secure_boot_certificate]
else:
pesign_prepare(context)
cmd += [
"--pcr-banks", "sha256",
] # fmt: skip
+ # If we're providing the private key via an engine or provider, we have to pass in a X.509
+ # certificate via --pcr-public-key as well.
+ if context.config.sign_expected_pcr_key_source.type != KeySourceType.file:
+ if context.config.sign_expected_pcr_certificate_source.type == CertificateSourceType.provider:
+ arguments += [
+ "--certificate-provider",
+ f"provider:{context.config.sign_expected_pcr_certificate_source.source}",
+ ]
+
+ options += ["--bind", "/run", "/run"]
+
+ if context.config.sign_expected_pcr_certificate.exists():
+ arguments += [
+ "--pcr-public-key", workdir(context.config.sign_expected_pcr_certificate),
+ ] # fmt: skip
+ options += [
+ "--ro-bind", context.config.sign_expected_pcr_certificate, workdir(context.config.sign_expected_pcr_certificate), # noqa: E501
+ ] # fmt: skip
+ else:
+ arguments += ["--pcr-public-key", context.config.sign_expected_pcr_certificate]
+
if context.config.sign_expected_pcr_key_source.type == KeySourceType.engine:
- arguments += [
- "--signing-engine", context.config.sign_expected_pcr_key_source.source,
- "--pcr-public-key", workdir(context.config.sign_expected_pcr_certificate),
- ] # fmt: skip
- options += [
- "--ro-bind", context.config.sign_expected_pcr_certificate, workdir(context.config.sign_expected_pcr_certificate), # noqa: E501
- "--bind", "/run", "/run",
- ] # fmt: skip
+ arguments += ["--signing-engine", context.config.sign_expected_pcr_key_source.source]
+ elif context.config.sign_expected_pcr_key_source.type == KeySourceType.provider:
+ arguments += ["--signing-provider", context.config.sign_expected_pcr_key_source.source]
if context.config.sign_expected_pcr_key.exists():
arguments += ["--pcr-private-key", workdir(context.config.sign_expected_pcr_key)]
if config.secure_boot_key_source != config.sign_expected_pcr_key_source:
die("Secure boot key source and expected PCR signatures key source have to be the same")
+ if config.secure_boot_certificate_source != config.sign_expected_pcr_certificate_source:
+ die(
+ "Secure boot certificate source and expected PCR signatures certificate source have to be the same" # noqa: E501
+ ) # fmt: skip
+
if config.verity == ConfigFeature.enabled and not config.verity_key:
die(
"Verity= is enabled but no verity key is configured",
if context.config.passphrase:
cmdline += ["--key-file", workdir(context.config.passphrase)]
opts += ["--ro-bind", context.config.passphrase, workdir(context.config.passphrase)]
- if verity:
- assert context.config.verity_key
- assert context.config.verity_certificate
-
- if context.config.verity_key_source.type != KeySourceType.file:
- cmdline += ["--private-key-source", str(context.config.verity_key_source)]
- opts += ["--bind", "/run", "/run"]
- if context.config.verity_key.exists():
- cmdline += ["--private-key", workdir(context.config.verity_key)]
- opts += ["--ro-bind", context.config.verity_key, workdir(context.config.verity_key)]
- else:
- cmdline += ["--private-key", context.config.verity_key]
-
- cmdline += ["--certificate", workdir(context.config.verity_certificate)]
- opts += [
- "--ro-bind", context.config.verity_certificate, workdir(context.config.verity_certificate),
- ] # fmt: skip
if skip:
cmdline += ["--defer-partitions", ",".join(skip)]
if split:
with complete_step(msg):
output = json.loads(
- run(
- cmdline,
- stdin=(
- sys.stdin
- if context.config.verity_key_source.type != KeySourceType.file
- else subprocess.DEVNULL
- ),
+ run_systemd_sign_tool(
+ context.config,
+ cmdline=cmdline,
+ options=opts,
+ certificate=context.config.verity_certificate if verity else None,
+ certificate_source=context.config.verity_certificate_source,
+ key=context.config.verity_key if verity else None,
+ key_source=context.config.verity_key_source,
stdout=subprocess.PIPE,
- env=context.config.environment,
- sandbox=context.sandbox(
- binary="systemd-repart",
- devices=(
- not context.config.repart_offline
- or context.config.verity_key_source.type != KeySourceType.file
- ),
- options=opts,
- ),
+ devices=not context.config.repart_offline,
).stdout
)
if context.config.passphrase:
cmdline += ["--key-file", context.config.passphrase]
options += ["--ro-bind", context.config.passphrase, workdir(context.config.passphrase)]
- if want_verity(context.config):
- assert context.config.verity_key
- assert context.config.verity_certificate
-
- if context.config.verity_key_source.type != KeySourceType.file:
- cmdline += ["--private-key-source", str(context.config.verity_key_source)]
- if context.config.verity_key.exists():
- cmdline += ["--private-key", workdir(context.config.verity_key)]
- options += ["--ro-bind", context.config.verity_key, workdir(context.config.verity_key)]
- else:
- cmdline += ["--private-key", context.config.verity_key]
-
- cmdline += ["--certificate", workdir(context.config.verity_certificate)]
- options += [
- "--ro-bind", context.config.verity_certificate, workdir(context.config.verity_certificate)
- ] # fmt: skip
if context.config.sector_size:
cmdline += ["--sector-size", str(context.config.sector_size)]
if ArtifactOutput.partitions in context.config.split_artifacts:
with complete_step(f"Building {context.config.output_format} extension image"):
j = json.loads(
- run(
- cmdline,
- stdin=(
- sys.stdin
- if context.config.verity_key_source.type != KeySourceType.file
- else subprocess.DEVNULL
- ),
+ run_systemd_sign_tool(
+ context.config,
+ cmdline=cmdline,
+ options=options,
+ certificate=context.config.verity_certificate if want_verity(context.config) else None,
+ certificate_source=context.config.verity_certificate_source,
+ key=context.config.verity_key if want_verity(context.config) else None,
+ key_source=context.config.verity_key_source,
stdout=subprocess.PIPE,
- env=context.config.environment,
- sandbox=context.sandbox(
- binary="systemd-repart",
- devices=(
- not context.config.repart_offline
- or context.config.verity_key_source.type != KeySourceType.file
- ),
- options=options,
- ),
+ devices=not context.config.repart_offline,
).stdout
)
) # fmt: skip
+def validate_certificates_and_keys(config: Config) -> None:
+ keyutil = config.find_binary("systemd-keyutil", "/usr/lib/systemd/systemd-keyutil")
+ if not keyutil:
+ return
+
+ if want_verity(config):
+ run_systemd_sign_tool(
+ config,
+ cmdline=[keyutil, "validate"],
+ options=[],
+ certificate=config.verity_certificate,
+ certificate_source=config.verity_certificate_source,
+ key=config.verity_key,
+ key_source=config.verity_key_source,
+ stdout=subprocess.DEVNULL,
+ )
+
+ if config.bootable != ConfigFeature.disabled and config.secure_boot:
+ run_systemd_sign_tool(
+ config,
+ cmdline=[keyutil, "validate"],
+ options=[],
+ certificate=config.secure_boot_certificate,
+ certificate_source=config.secure_boot_certificate_source,
+ key=config.secure_boot_key,
+ key_source=config.secure_boot_key_source,
+ stdout=subprocess.DEVNULL,
+ )
+
+ if want_signed_pcrs(config):
+ run_systemd_sign_tool(
+ config,
+ cmdline=[keyutil, "validate"],
+ options=[],
+ certificate=config.sign_expected_pcr_certificate,
+ certificate_source=config.sign_expected_pcr_certificate_source,
+ key=config.sign_expected_pcr_key,
+ key_source=config.sign_expected_pcr_key_source,
+ stdout=subprocess.DEVNULL,
+ )
+
+
def needs_build(args: Args, config: Config, force: int = 1) -> bool:
return (
args.force >= force
for config in images:
run_clean(args, config, resources=resources)
- if args.verb != Verb.sandbox:
- for config in images:
- if any(
- source.type != KeySourceType.file
- for source in (
- config.verity_key_source,
- config.secure_boot_key_source,
- config.sign_expected_pcr_key_source,
- )
- ):
- join_new_session_keyring()
- break
-
if tools and not (tools.output_dir_or_cwd() / tools.output).exists():
with prepend_to_environ_path(tools):
check_tools(tools, Verb.build)
fork_and_wait(run_build, args, tools, resources=resources, metadata_dir=Path(metadata_dir))
if args.verb == Verb.sandbox:
- return run_sandbox(args, last)
+ with prepend_to_environ_path(last):
+ return run_sandbox(args, last)
for i, config in enumerate(images):
with prepend_to_environ_path(config):
last = images[-1]
if not (last.output_dir_or_cwd() / last.output).exists() or last.output_format == OutputFormat.none:
+ for config in images:
+ if any(
+ source.type != KeySourceType.file
+ for source in (
+ config.verity_key_source,
+ config.secure_boot_key_source,
+ config.sign_expected_pcr_key_source,
+ )
+ ):
+ join_new_session_keyring()
+ break
+
+ with complete_step("Validating certificates and keys"):
+ for config in images:
+ with prepend_to_environ_path(config):
+ validate_certificates_and_keys(config)
+
ensure_directories_exist(last)
with (
import sys
import tempfile
import textwrap
-from collections.abc import Iterator, Sequence
+from collections.abc import Iterator, Mapping, Sequence
from pathlib import Path
from typing import Optional
from mkosi.config import (
BiosBootloader,
Bootloader,
+ CertificateSource,
+ CertificateSourceType,
Config,
ConfigFeature,
+ KeySource,
KeySourceType,
OutputFormat,
SecureBootSignTool,
from mkosi.qemu import KernelType
from mkosi.run import run, workdir
from mkosi.sandbox import umask
-from mkosi.types import PathString
+from mkosi.types import _FILE, CompletedProcess, PathString
from mkosi.util import flatten
from mkosi.versioncomp import GenericVersion
die(f"Certificate {certificate} is missing Common Name")
+def run_systemd_sign_tool(
+ config: Config,
+ *,
+ cmdline: Sequence[PathString],
+ options: Sequence[PathString],
+ certificate: Optional[Path],
+ certificate_source: CertificateSource,
+ key: Optional[Path],
+ key_source: KeySource,
+ env: Mapping[str, str] = {},
+ stdout: _FILE = None,
+ devices: bool = False,
+) -> CompletedProcess:
+ if not certificate and not key:
+ return run(
+ cmdline,
+ stdout=stdout,
+ env={**config.environment, **env},
+ sandbox=config.sandbox(binary=cmdline[0], options=options, devices=devices),
+ )
+
+ assert certificate
+ assert key
+
+ cmd: list[PathString] = [*cmdline]
+ opt: list[PathString] = [*options]
+
+ if certificate_source.type != CertificateSourceType.file or key_source.type != KeySourceType.file:
+ opt += ["--bind", "/run", "/run"]
+
+ if certificate_source.type != CertificateSourceType.file:
+ cmd += ["--certificate-source", str(certificate_source)]
+
+ if certificate.exists():
+ cmd += ["--certificate", workdir(certificate)]
+ opt += ["--ro-bind", certificate, workdir(certificate)]
+ else:
+ cmd += ["--certificate", certificate]
+
+ if key_source.type != KeySourceType.file:
+ cmd += ["--private-key-source", str(key_source)]
+
+ if key.exists():
+ cmd += ["--private-key", workdir(key)]
+ opt += ["--ro-bind", key, workdir(key)]
+ else:
+ cmd += ["--private-key", key]
+
+ return run(
+ cmd,
+ stdin=(sys.stdin if key_source.type != KeySourceType.file else subprocess.DEVNULL),
+ stdout=stdout,
+ env={**config.environment, **env},
+ sandbox=config.sandbox(
+ binary=cmd[0],
+ options=opt,
+ devices=devices or key_source.type != KeySourceType.file,
+ ),
+ )
+
+
def pesign_prepare(context: Context) -> None:
assert context.config.secure_boot_key
assert context.config.secure_boot_certificate
assert context.config.secure_boot_key
assert context.config.secure_boot_certificate
- if (
+ sbsign = context.config.find_binary("systemd-sbsign", "/usr/lib/systemd/systemd-sbsign")
+ if context.config.secure_boot_sign_tool == SecureBootSignTool.systemd and not sbsign:
+ die("Could not find systemd-sbsign")
+
+ cmd: list[PathString]
+ options: list[PathString]
+
+ if context.config.secure_boot_sign_tool == SecureBootSignTool.systemd or (
+ context.config.secure_boot_sign_tool == SecureBootSignTool.auto and sbsign
+ ):
+ assert sbsign
+
+ run_systemd_sign_tool(
+ context.config,
+ cmdline=[sbsign, "sign", "--output", workdir(output), workdir(input)],
+ options=["--ro-bind", input, workdir(input), "--bind", output.parent, workdir(output.parent)],
+ certificate=context.config.secure_boot_certificate,
+ certificate_source=context.config.secure_boot_certificate_source,
+ key=context.config.secure_boot_key,
+ key_source=context.config.secure_boot_key_source,
+ )
+ elif (
context.config.secure_boot_sign_tool == SecureBootSignTool.sbsign
or context.config.secure_boot_sign_tool == SecureBootSignTool.auto
and context.config.find_binary("sbsign") is not None
):
- cmd: list[PathString] = [
+ cmd = [
"sbsign",
"--cert", workdir(context.config.secure_boot_certificate),
"--output", workdir(output),
] # fmt: skip
- options: list[PathString] = [
+ options = [
"--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501
"--ro-bind", input, workdir(input),
"--bind", output.parent, workdir(output.parent),
if context.config.secure_boot_key_source.type != KeySourceType.file
else subprocess.DEVNULL
),
+ env=context.config.environment,
sandbox=context.sandbox(
binary="sbsign",
options=options,
if context.config.secure_boot_key_source.type != KeySourceType.file
else subprocess.DEVNULL
),
+ env=context.config.environment,
sandbox=context.sandbox(
binary="pesign",
options=[
bootctlver = systemd_tool_version("bootctl", sandbox=context.sandbox)
- if context.config.secure_boot and context.config.secure_boot_auto_enroll and bootctlver >= 257:
- assert context.config.secure_boot_certificate
- assert context.config.secure_boot_key
-
- cmd += [
- "--secure-boot-auto-enroll=yes",
- "--certificate", workdir(context.config.secure_boot_certificate),
- ] # fmt: skip
- options += [
- "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501
- ] # fmt: skip
- if context.config.secure_boot_key_source.type != KeySourceType.file:
- cmd += ["--private-key-source", str(context.config.secure_boot_key_source)]
- options += ["--bind", "/run", "/run"]
- if context.config.secure_boot_key.exists():
- cmd += ["--private-key", workdir(context.config.secure_boot_key)]
- options += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
- else:
- cmd += ["--private-key", context.config.secure_boot_key]
+ if want_bootctl_auto_enroll := (
+ context.config.secure_boot and context.config.secure_boot_auto_enroll and bootctlver >= 257
+ ):
+ cmd += ["--secure-boot-auto-enroll=yes"]
with complete_step("Installing systemd-boot…"):
- run(
- cmd,
- stdin=(
- sys.stdin
- if context.config.secure_boot_key_source.type != KeySourceType.file
- else subprocess.DEVNULL
- ),
- env=context.config.environment | {"SYSTEMD_ESP_PATH": "/efi", "SYSTEMD_XBOOTLDR_PATH": "/boot"},
- sandbox=context.sandbox(
- binary="bootctl",
- options=options,
- devices=context.config.secure_boot_key_source.type != KeySourceType.file,
- ),
+ run_systemd_sign_tool(
+ context.config,
+ cmdline=cmd,
+ options=options,
+ certificate=context.config.secure_boot_certificate if want_bootctl_auto_enroll else None,
+ certificate_source=context.config.secure_boot_certificate_source,
+ key=context.config.secure_boot_key if want_bootctl_auto_enroll else None,
+ key_source=context.config.secure_boot_key_source,
+ env={"SYSTEMD_ESP_PATH": "/efi", "SYSTEMD_XBOOTLDR_PATH": "/boot"},
)
# TODO: Use --random-seed=no when we can depend on systemd 256.
Path(context.root / "efi/loader/random-seed").unlink(missing_ok=True)
auto = enum.auto()
sbsign = enum.auto()
pesign = enum.auto()
+ systemd = enum.auto()
class OutputFormat(StrEnum):
return parse_path(value, secret=True) if Path(value).exists() else Path(value)
+def config_parse_certificate(value: Optional[str], old: Optional[str]) -> Optional[Path]:
+ if not value:
+ return None
+
+ return parse_path(value) if Path(value).exists() else Path(value)
+
+
def make_tree_parser(absolute: bool = True, required: bool = False) -> Callable[[str], ConfigTree]:
def parse_tree(value: str) -> ConfigTree:
src, sep, tgt = value.partition(":")
return KeySource(type=type, source=source)
+class CertificateSourceType(StrEnum):
+ file = enum.auto()
+ provider = enum.auto()
+
+
+@dataclasses.dataclass(frozen=True)
+class CertificateSource:
+ type: CertificateSourceType
+ source: str = ""
+
+ def __str__(self) -> str:
+ return f"{self.type}:{self.source}" if self.source else str(self.type)
+
+
+def config_parse_certificate_source(
+ value: Optional[str],
+ old: Optional[CertificateSource],
+) -> Optional[CertificateSource]:
+ if not value:
+ return old
+
+ typ, _, source = value.partition(":")
+ try:
+ type = CertificateSourceType(typ)
+ except ValueError:
+ die(f"'{value}' is not a valid certificate source")
+
+ return CertificateSource(type=type, source=source)
+
+
def config_parse_artifact_output_list(
value: Optional[str], old: Optional[list[ArtifactOutput]]
) -> Optional[list[ArtifactOutput]]:
secure_boot_key: Optional[Path]
secure_boot_key_source: KeySource
secure_boot_certificate: Optional[Path]
+ secure_boot_certificate_source: CertificateSource
secure_boot_sign_tool: SecureBootSignTool
verity: ConfigFeature
verity_key: Optional[Path]
verity_key_source: KeySource
verity_certificate: Optional[Path]
+ verity_certificate_source: CertificateSource
sign_expected_pcr: ConfigFeature
sign_expected_pcr_key: Optional[Path]
sign_expected_pcr_key_source: KeySource
sign_expected_pcr_certificate: Optional[Path]
+ sign_expected_pcr_certificate_source: CertificateSource
passphrase: Optional[Path]
checksum: bool
sign: bool
dest="secure_boot_certificate",
metavar="PATH",
section="Validation",
- parse=config_make_path_parser(),
+ parse=config_parse_certificate,
paths=("mkosi.crt",),
help="UEFI SecureBoot certificate in X509 format",
),
+ ConfigSetting(
+ dest="secure_boot_certificate_source",
+ section="Validation",
+ metavar="SOURCE[:PROVIDER]",
+ parse=config_parse_certificate_source,
+ default=CertificateSource(type=CertificateSourceType.file),
+ help="The source to use to retrieve the secure boot signing certificate",
+ scope=SettingScope.universal,
+ ),
ConfigSetting(
dest="secure_boot_sign_tool",
section="Validation",
dest="verity_certificate",
metavar="PATH",
section="Validation",
- parse=config_make_path_parser(),
+ parse=config_parse_certificate,
paths=("mkosi.crt",),
help="Certificate for signing verity signature in X509 format",
scope=SettingScope.universal,
),
+ ConfigSetting(
+ dest="verity_certificate_source",
+ section="Validation",
+ metavar="SOURCE[:PROVIDER]",
+ parse=config_parse_certificate_source,
+ default=CertificateSource(type=CertificateSourceType.file),
+ help="The source to use to retrieve the verity signing certificate",
+ scope=SettingScope.universal,
+ ),
ConfigSetting(
dest="sign_expected_pcr",
metavar="FEATURE",
dest="sign_expected_pcr_certificate",
metavar="PATH",
section="Validation",
- parse=config_make_path_parser(),
+ parse=config_parse_certificate,
paths=("mkosi.crt",),
help="Certificate for signing expected PCR signature in X509 format",
scope=SettingScope.universal,
),
+ ConfigSetting(
+ dest="sign_expected_pcr_certificate_source",
+ section="Validation",
+ metavar="SOURCE[:PROVIDER]",
+ parse=config_parse_certificate_source,
+ default=CertificateSource(type=CertificateSourceType.file),
+ help="The source to use to retrieve the expected PCR signing certificate",
+ scope=SettingScope.universal,
+ ),
ConfigSetting(
dest="passphrase",
metavar="PATH",
SecureBoot Signing Key: {none_to_none(config.secure_boot_key)}
SecureBoot Signing Key Source: {config.secure_boot_key_source}
SecureBoot Certificate: {none_to_none(config.secure_boot_certificate)}
+ SecureBoot Certificate Source: {config.secure_boot_certificate_source}
SecureBoot Sign Tool: {config.secure_boot_sign_tool}
Verity: {config.verity}
Verity Signing Key: {none_to_none(config.verity_key)}
Verity Signing Key Source: {config.verity_key_source}
Verity Certificate: {none_to_none(config.verity_certificate)}
+ Verity Certificate Source: {config.verity_certificate_source}
Sign Expected PCRs: {config.sign_expected_pcr}
Expected PCRs Signing Key: {none_to_none(config.sign_expected_pcr_key)}
Expected PCRs Key Source: {config.sign_expected_pcr_key_source}
Expected PCRs Certificate: {none_to_none(config.sign_expected_pcr_certificate)}
+ Expected PCRs Certificate Source: {config.sign_expected_pcr_certificate_source}
Passphrase: {none_to_none(config.passphrase)}
Checksum: {yes_no(config.checksum)}
Sign: {yes_no(config.sign)}
) -> Optional[GenericVersion]:
return GenericVersion(version) if version is not None else None
+ def certificate_source_transformer(
+ certificate_source: dict[str, Any], fieldtype: type[CertificateSource]
+ ) -> CertificateSource:
+ assert "Type" in certificate_source
+ return CertificateSource(
+ type=CertificateSourceType(certificate_source["Type"]),
+ source=certificate_source.get("Source", ""),
+ )
+
def key_source_transformer(keysource: dict[str, Any], fieldtype: type[KeySource]) -> KeySource:
assert "Type" in keysource
return KeySource(type=KeySourceType(keysource["Type"]), source=keysource.get("Source", ""))
list[PEAddon]: pe_addon_transformer,
list[UKIProfile]: uki_profile_transformer,
list[ArtifactOutput]: enum_list_transformer,
+ CertificateSource: certificate_source_transformer,
}
def json_transformer(key: str, val: Any) -> Any:
UEFI kernel image, if `SecureBoot=` is used.
`SecureBootSignTool=`, `--secure-boot-sign-tool`
-: Tool to use to sign secure boot PE binaries. Takes one of `sbsign`, `pesign` or `auto`. Defaults to `auto`.
- If set to `auto`, either sbsign or pesign are used if available, with sbsign being preferred if both are
- installed.
+: Tool to use to sign secure boot PE binaries. Takes one of `systemd`, `sbsign`, `pesign` or `auto`.
+ Defaults to `auto`. If set to `auto`, either `systemd-sbsign`, `sbsign` or `pesign` are used if
+ available, with `systemd-sbsign` being preferred.
`Verity=`, `--verity=`
: Whether to enforce or disable signed verity for extension images.
: Path to the X.509 file containing the certificate for signing the expected PCR signatures.
`SecureBootKeySource=`, `--secure-boot-key-source=`, `VerityKeySource=`, `--verity-key-source=`, `SignExpectedPcrKeySource=`, `--sign-expected-key-source=`
-: The source of the corresponding private key `SecureBootKey=`, to support OpenSSL engines and providers,
- e.g. `--secure-boot-key-source=engine:pkcs11` or `--secure-boot-key-source=provider:pkcs11`. Note that
- providers are currently only supported for the verity key.
+: The source of the corresponding private key, to support OpenSSL engines and providers,
+ e.g. `--secure-boot-key-source=engine:pkcs11` or `--secure-boot-key-source=provider:pkcs11`.
+
+`SecureBootCertificateSource=`, `--secure-boot-certificate-source=`, `VerityCertificateSource=`, `--verity-certificate-source=`, `SignExpectedPcrCertificateSource=`, `--sign-expected-certificate-source=`
+: The source of the corresponding certificate, to support OpenSSL providers,
+ e.g. `--secure-boot-certificate-source=provider:pkcs11`. Note that engines are not supported.
`Passphrase=`, `--passphrase`
: Specify the path to a file containing the passphrase to use for LUKS
BiosBootloader,
Bootloader,
Cacheonly,
+ CertificateSource,
+ CertificateSourceType,
Compression,
Config,
ConfigFeature,
"SecureBoot": true,
"SecureBootAutoEnroll": true,
"SecureBootCertificate": null,
+ "SecureBootCertificateSource": {
+ "Source": "",
+ "Type": "file"
+ },
"SecureBootKey": "/path/to/keyfile",
"SecureBootKeySource": {
"Source": "",
"Sign": false,
"SignExpectedPcr": "disabled",
"SignExpectedPcrCertificate": "/my/cert",
+ "SignExpectedPcrCertificateSource": {
+ "Source": "",
+ "Type": "file"
+ },
"SignExpectedPcrKey": "/my/key",
"SignExpectedPcrKeySource": {
"Source": "",
"UseSubvolumes": "auto",
"Verity": "enabled",
"VerityCertificate": "/path/to/cert",
+ "VerityCertificateSource": {
+ "Source": "",
+ "Type": "file"
+ },
"VerityKey": null,
"VerityKeySource": {
"Source": "",
secure_boot=True,
secure_boot_auto_enroll=True,
secure_boot_certificate=None,
+ secure_boot_certificate_source=CertificateSource(type=CertificateSourceType.file),
secure_boot_key=Path("/path/to/keyfile"),
secure_boot_key_source=KeySource(type=KeySourceType.file),
secure_boot_sign_tool=SecureBootSignTool.pesign,
sign_expected_pcr_key=Path("/my/key"),
sign_expected_pcr_key_source=KeySource(type=KeySourceType.file),
sign_expected_pcr_certificate=Path("/my/cert"),
+ sign_expected_pcr_certificate_source=CertificateSource(type=CertificateSourceType.file),
skeleton_trees=[ConfigTree(Path("/foo/bar"), Path("/")), ConfigTree(Path("/bar/baz"), Path("/qux"))],
source_date_epoch=12345,
split_artifacts=[ArtifactOutput.uki, ArtifactOutput.kernel],
verity_certificate=Path("/path/to/cert"),
verity_key=None,
verity_key_source=KeySource(type=KeySourceType.file),
+ verity_certificate_source=CertificateSource(type=CertificateSourceType.file),
volatile_package_directories=[Path("def")],
volatile_packages=["abc"],
with_docs=True,
projects / thirdparty / mkosi.git / commitdiff
