: Path to the X.509 file containing the certificate for the signed
UEFI kernel image, if `SecureBoot=` is used.
+`VerityKey=`, `--verity-key=`
+
+: Path to the PEM file containing the secret key for signing the verity signature, if a verity signature
+ partition is added with systemd-repart.
+
+`VerityCertificate=`, `--verity-certificate=`
+
+: Path to the X.509 file containing the certificate for signing the verity signature, if a verity signature
+ partition is added with systemd-repart.
+
`SignExpectedPCR=`, `--sign-expected-pcr`
: Measure the components of the unified kernel image (UKI) using
{bold("VALIDATION")}:
UEFI SecureBoot: {yes_no(config.secure_boot)}
- SecureBoot Sign Key: {none_to_none(config.secure_boot_key)}
+ SecureBoot Signing Key: {none_to_none(config.secure_boot_key)}
SecureBoot Certificate: {none_to_none(config.secure_boot_certificate)}
+ Verity Signing Key: {none_to_none(config.verity_key)}
+ Verity Certificate: {none_to_none(config.verity_certificate)}
Checksum: {yes_no(config.checksum)}
Sign: {yes_no(config.sign)}
GPG Key: ({"default" if config.key is None else config.key})
cmdline += ["--empty=create"]
if state.config.passphrase:
cmdline += ["--key-file", state.config.passphrase]
- if state.config.secure_boot_key:
- cmdline += ["--private-key", state.config.secure_boot_key]
- if state.config.secure_boot_certificate:
- cmdline += ["--certificate", state.config.secure_boot_certificate]
+ if state.config.verity_key:
+ cmdline += ["--private-key", state.config.verity_key]
+ if state.config.verity_certificate:
+ cmdline += ["--certificate", state.config.verity_certificate]
if skip:
cmdline += ["--defer-partitions", ",".join(skip)]
if split and state.config.split_artifacts:
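Review bot: The new `--private-key`/`--certificate` lines are passed independently, so a configuration with `VerityKey=` set but `VerityCertificate=` unset (or the reverse) reaches systemd-repart with half a signing identity instead of being rejected up front; the previous `secure_boot_*` branches had the same shape, but the commit is a good point to close it, e.g. `if bool(state.config.verity_key) != bool(state.config.verity_certificate): die("VerityKey= and VerityCertificate= must be set together")` before the two `if` blocks (using whatever fatal-error helper this module already has). Related: the change drops the fallback to `secure_boot_key`/`secure_boot_certificate`, so a user who explicitly set `SecureBootKey=` to a non-default path and relied on it for the verity signature now silently gets an unsigned verity partition unless `VerityKey=` is also set; if that is intended, a release note or a one-line comment here such as `# verity signing deliberately no longer falls back to the SecureBoot key` would make it explicit. The enclosing function begins before this hunk.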
secure_boot: bool
secure_boot_key: Optional[Path]
secure_boot_certificate: Optional[Path]
+ verity_key: Optional[Path]
+ verity_certificate: Optional[Path]
sign_expected_pcr: bool
compress_output: Compression
image_version: Optional[str]
parse=config_make_path_parser(),
paths=("mkosi.crt",),
),
+ MkosiConfigSetting(
+ dest="verity_key",
+ section="Validation",
+ parse=config_make_path_parser(),
+ paths=("mkosi.key",),
+ ),
+ MkosiConfigSetting(
+ dest="verity_certificate",
+ section="Validation",
+ parse=config_make_path_parser(),
+ paths=("mkosi.crt",),
+ ),
MkosiConfigSetting(
dest="sign_expected_pcr",
section="Validation",
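Review bot: The new settings default to `paths=("mkosi.key",)` and `paths=("mkosi.crt",)`, which appear to be the same files the SecureBoot settings pick up by default (the `mkosi.crt` default for `secure_boot_certificate` is visible just above; the key default is presumably `mkosi.key`), so by default one key signs both the UKI and the verity partition, and a user who wants a separate verity key must point both new options elsewhere. That coupling is not stated anywhere in the hunk or in the option documentation added in this commit; I would add a sentence to the `VerityKey=`/`VerityCertificate=` docs such as `Defaults to mkosi.key / mkosi.crt in the working directory when present, i.e. the same files SecureBootKey= and SecureBootCertificate= default to.` so that key reuse across the two signing roles is a documented choice rather than a surprise.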
help="UEFI SecureBoot certificate in X509 format",
action=action,
)
+ group.add_argument(
+ "--verity-key",
+ metavar="PATH",
+ help="Private key for signing verity signature in PEM format",
+ action=action,
+ )
+ group.add_argument(
+ "--verity-certificate",
+ metavar="PATH",
+ help="Certificate for signing verity signature in X509 format",
+ action=action,
+ )
group.add_argument(
"--sign-expected-pcr",
metavar="FEATURE",