/mkosi.nspawn
/mkosi.rootpw
/mkosi.conf
-/mkosi.secure-boot.key
-/mkosi.secure-boot.crt
+/mkosi.key
+/mkosi.crt
__pycache__
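Review bot: Dropping the `/mkosi.secure-boot.key` and `/mkosi.secure-boot.crt` ignore entries means a private key generated by an earlier mkosi and still sitting in a working tree is no longer ignored and can be swept into a commit by `git add -A`. Nothing else in this change removes or migrates those old files, so the old patterns should stay next to the new ones for a transition period: `/mkosi.secure-boot.key` and `/mkosi.secure-boot.crt` under the new `/mkosi.key` and `/mkosi.crt` lines. The rest of the .gitignore, if any, is outside this hunk.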
: Show brief usage information.
-`--secure-boot-common-name=`
+`--genkey-common-name=`
-: Common name to be used when generating SecureBoot keys via mkosi's `genkey`
- command. Defaults to `mkosi of %u`, where `%u` expands to the username of the
- user invoking mkosi.
+: Common name to be used when generating keys via mkosi's `genkey` command. Defaults to `mkosi of %u`, where
+ `%u` expands to the username of the user invoking mkosi.
-`--secure-boot-valid-days=`
+`--genkey-valid-days=`
-: Number of days that the keys should remain valid when generating SecureBoot
- keys via mkosi's `genkey` command. Defaults to two years (730 days).
+: Number of days that the keys should remain valid when generating keys via mkosi's `genkey` command.
+ Defaults to two years (730 days).
`--auto-bump=`, `-B`
file does not exist and encryption is requested, the user is queried
instead.
-* The **`mkosi.secure-boot.crt`** and **`mkosi.secure-boot.key`**
- files contain an X.509 certificate and PEM private key to use when
- UEFI SecureBoot support is enabled. All EFI binaries included in the
- image's ESP are signed with this key, as a late step in the build
- process.
+* The **`mkosi.crt`** and **`mkosi.key`** files contain an X.509 certificate and PEM private key to use when
+ signing is required (UEFI SecureBoot, verity, ...).
* The **`mkosi.output/`** directory will be used for all build
artifacts, if the image output path is not configured (i.e. no
httpd.serve_forever()
-def generate_secure_boot_key(args: MkosiArgs) -> None:
- """Generate secure boot keys using openssl"""
+def generate_key_cert_pair(args: MkosiArgs) -> None:
+ """Generate a private key and accompanying X509 certificate using openssl"""
keylength = 2048
- expiration_date = datetime.date.today() + datetime.timedelta(int(args.secure_boot_valid_days))
- cn = expand_specifier(args.secure_boot_common_name)
+ expiration_date = datetime.date.today() + datetime.timedelta(int(args.genkey_valid_days))
+ cn = expand_specifier(args.genkey_common_name)
- for f in ("mkosi.secure-boot.key", "mkosi.secure-boot.crt"):
+ for f in ("mkosi.key", "mkosi.crt"):
if Path(f).exists() and not args.force:
die(f"{f} already exists",
- hint=("To generate new secure boot keys, "
- "first remove mkosi.secure-boot.key and mkosi.secure-boot.crt"))
+ hint=("To generate new keys, first remove mkosi.key and mkosi.crt"))
- log_step(f"Generating secure boot keys rsa:{keylength} for CN {cn!r}.")
+ log_step(f"Generating keys rsa:{keylength} for CN {cn!r}.")
logging.info(
dedent(
f"""
- The keys will expire in {args.secure_boot_valid_days} days ({expiration_date:%A %d. %B %Y}).
+ The keys will expire in {args.genkey_valid_days} days ({expiration_date:%A %d. %B %Y}).
Remember to roll them over to new ones before then.
"""
)
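Review bot: The new docstring on generate_key_cert_pair says only that a key and certificate are generated; it does not say where they land, that the private key is stored unencrypted, or that this single pair is now the signing key for every use the documentation hunk lists (UEFI SecureBoot, verity, ...), so a reader cannot tell from the function that one key is shared across all signing purposes. The openssl invocation further down writes `mkosi.key` with `-nodes`, so the docstring should state it, e.g. `"""Generate an RSA private key and self-signed X509 certificate with openssl, written unencrypted to mkosi.key and mkosi.crt in the current directory (used for all image signing: SecureBoot, verity, ...); existing files are only overwritten with --force."""`. The function body continues past the end of this hunk.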
"-new",
"-x509",
"-newkey", f"rsa:{keylength}",
- "-keyout", "mkosi.secure-boot.key",
- "-out", "mkosi.secure-boot.crt",
- "-days", str(args.secure_boot_valid_days),
+ "-keyout", "mkosi.key",
+ "-out", "mkosi.crt",
+ "-days", str(args.genkey_valid_days),
"-subj", f"/CN={cn}/",
"-nodes",
]
check_root()
if args.verb == Verb.genkey:
- return generate_secure_boot_key(args)
+ return generate_key_cert_pair(args)
if args.verb == Verb.bump:
return bump_image_version()
debug: bool
debug_shell: bool
pager: bool
- secure_boot_valid_days: str
- secure_boot_common_name: str
+ genkey_valid_days: str
+ genkey_common_name: str
auto_bump: bool
presets: list[str]
dest="secure_boot_key",
section="Output",
parse=config_make_path_parser(required=False),
- paths=("mkosi.secure-boot.key",),
+ paths=("mkosi.key",),
),
MkosiConfigSetting(
dest="secure_boot_certificate",
section="Output",
parse=config_make_path_parser(required=False),
- paths=("mkosi.secure-boot.crt",),
+ paths=("mkosi.crt",),
),
MkosiConfigSetting(
dest="sign_expected_pcr",
help="Enable paging for long output",
)
parser.add_argument(
- "--secure-boot-valid-days",
+ "--genkey-valid-days",
metavar="DAYS",
- help="Number of days UEFI SecureBoot keys should be valid when generating keys",
+ help="Number of days keys should be valid when generating keys",
action=action,
default="730",
)
parser.add_argument(
- "--secure-boot-common-name",
+ "--genkey-common-name",
metavar="CN",
- help="Template for the UEFI SecureBoot CN when generating keys",
+ help="Template for the CN when generating keys",
action=action,
default="mkosi of %u",
)
if args.secure_boot and args.verb != Verb.genkey:
if args.secure_boot_key is None:
die("UEFI SecureBoot enabled, but couldn't find private key.",
- hint="Consider placing it in mkosi.secure-boot.key")
+ hint="Consider placing it in mkosi.key")
if args.secure_boot_certificate is None:
die("UEFI SecureBoot enabled, but couldn't find certificate.",
- hint="Consider placing it in mkosi.secure-boot.crt")
+ hint="Consider placing it in mkosi.crt")
if args.sign_expected_pcr is True and not shutil.which("systemd-measure"):
die("Couldn't find systemd-measure needed for the --sign-expected-pcr option.")