Introduce separate settings for configuring the verity key/certificate
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Sat, 6 May 2023 12:06:28 +0000 (14:06 +0200)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 8 May 2023 12:55:41 +0000 (14:55 +0200)
These also default to mkosi.key and mkosi.crt but give the option to
use different files if required.

mkosi.md
mkosi/__init__.py
mkosi/config.py

index a950ed7d3d4c3e5127ecad124ba5d6f5fadb923e..dbb6ab6921592448ba9ec1ec223641937261f5c7 100644 (file)
--- a/mkosi.md
+++ b/mkosi.md
@@ -884,6 +884,16 @@ a boolean argument: either "1", "yes", or "true" to enable, or "0",
 : Path to the X.509 file containing the certificate for the signed
   UEFI kernel image, if `SecureBoot=` is used.
 
+`VerityKey=`, `--verity-key=`
+
+: Path to the PEM file containing the secret key for signing the verity signature, if a verity signature
+  partition is added with systemd-repart.
+
+`VerityCertificate=`, `--verity-certificate=`
+
+: Path to the X.509 file containing the certificate for signing the verity signature, if a verity signature
+  partition is added with systemd-repart.
+
 `SignExpectedPCR=`, `--sign-expected-pcr`
 
 : Measure the components of the unified kernel image (UKI) using
index 36eb204ccdacbb270ff0b8be4f16d55bbf55ebec..ebecd31da8fe577aebd7789be760723ef0b9aa46 100644 (file)
@@ -1287,8 +1287,10 @@ def print_summary(args: MkosiArgs, config: MkosiConfig) -> None:
 
     {bold("VALIDATION")}:
                UEFI SecureBoot: {yes_no(config.secure_boot)}
-           SecureBoot Sign Key: {none_to_none(config.secure_boot_key)}
+        SecureBoot Signing Key: {none_to_none(config.secure_boot_key)}
         SecureBoot Certificate: {none_to_none(config.secure_boot_certificate)}
+            Verity Signing Key: {none_to_none(config.verity_key)}
+            Verity Certificate: {none_to_none(config.verity_certificate)}
                       Checksum: {yes_no(config.checksum)}
                           Sign: {yes_no(config.sign)}
                        GPG Key: ({"default" if config.key is None else config.key})
@@ -1486,10 +1488,10 @@ def invoke_repart(state: MkosiState, skip: Sequence[str] = [], split: bool = Fal
         cmdline += ["--empty=create"]
     if state.config.passphrase:
         cmdline += ["--key-file", state.config.passphrase]
-    if state.config.secure_boot_key:
-        cmdline += ["--private-key", state.config.secure_boot_key]
-    if state.config.secure_boot_certificate:
-        cmdline += ["--certificate", state.config.secure_boot_certificate]
+    if state.config.verity_key:
+        cmdline += ["--private-key", state.config.verity_key]
+    if state.config.verity_certificate:
+        cmdline += ["--certificate", state.config.verity_certificate]
     if skip:
         cmdline += ["--defer-partitions", ",".join(skip)]
     if split and state.config.split_artifacts:
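Review bot: invoke_repart still forwards `--private-key` and `--certificate` independently, so a configuration where only one of `VerityKey=` / `VerityCertificate=` is set hands systemd-repart half a signing pair at the two new `if state.config.verity_key:` / `if state.config.verity_certificate:` branches; the switch from the SecureBoot settings keeps that gap. Because both settings default to the same files as the SecureBoot ones, the case only shows up once a user overrides a single setting, and the failure then comes from repart rather than from mkosi's own configuration check. A guard before the two branches, `if bool(state.config.verity_key) != bool(state.config.verity_certificate): die("VerityKey= and VerityCertificate= must be configured together")`, would reject it up front; `die` is what I'd expect mkosi's error helper to be called, so substitute whatever this module uses. invoke_repart starts before the hunk and continues after it.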
index de2f0b55d59f52f2e6b9cd02ae4061fdd89a9623..a62a794a097a8231a991540dc72343d89fe50c41 100644 (file)
@@ -576,6 +576,8 @@ class MkosiConfig:
     secure_boot: bool
     secure_boot_key: Optional[Path]
     secure_boot_certificate: Optional[Path]
+    verity_key: Optional[Path]
+    verity_certificate: Optional[Path]
     sign_expected_pcr: bool
     compress_output: Compression
     image_version: Optional[str]
@@ -1062,6 +1064,18 @@ class MkosiConfigParser:
             parse=config_make_path_parser(),
             paths=("mkosi.crt",),
         ),
+        MkosiConfigSetting(
+            dest="verity_key",
+            section="Validation",
+            parse=config_make_path_parser(),
+            paths=("mkosi.key",),
+        ),
+        MkosiConfigSetting(
+            dest="verity_certificate",
+            section="Validation",
+            parse=config_make_path_parser(),
+            paths=("mkosi.crt",),
+        ),
         MkosiConfigSetting(
             dest="sign_expected_pcr",
             section="Validation",
@@ -1740,6 +1754,18 @@ class MkosiConfigParser:
             help="UEFI SecureBoot certificate in X509 format",
             action=action,
         )
+        group.add_argument(
+            "--verity-key",
+            metavar="PATH",
+            help="Private key for signing verity signature in PEM format",
+            action=action,
+        )
+        group.add_argument(
+            "--verity-certificate",
+            metavar="PATH",
+            help="Certificate for signing verity signature in X509 format",
+            action=action,
+        )
         group.add_argument(
             "--sign-expected-pcr",
             metavar="FEATURE",
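Review bot: The help strings added for `--verity-key` and `--verity-certificate` do not say that the settings fall back to `mkosi.key` and `mkosi.crt`, which the `paths=("mkosi.key",)` / `paths=("mkosi.crt",)` entries in the settings hunk appear to establish and the commit message confirms; the consequence is that one key file signs both the UEFI image and the verity hash unless a setting is overridden. A user who relocates only `SecureBootKey=` would presumably keep signing verity partitions with `mkosi.key` without any notice, so the default is worth stating where the option is described. Suggested wording: `help="Private key for signing verity signature in PEM format (defaults to mkosi.key in the working directory, if present)"`, with the matching form for the certificate; the exact lookup rule for `paths` is defined outside this hunk, so phrase it to match, and the corresponding mkosi.md entries could carry the same sentence. The enclosing argument-setup method starts and ends outside the hunk.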