- A passwordless root account may now be created by specifying `hashed:`
- On `arm64` we now add an autologin dropin for `ttyAMA0` if autologin
is enabled.
+- Added `SecureBootAutoEnroll=` to control automatic enrollment of secureboot
+ keys separately from signing `systemd-boot` and generated UKIs.
## v19
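Review bot: the NEWS entry leaves out the default, which is the part existing users need to know: `SecureBootAutoEnroll=` defaults to `yes` (`default=True` in the new `MkosiConfigSetting`, "Defaults to `yes`" in the docs), so `SecureBoot=` on its own keeps enrolling keys in virtual machines exactly as before. Suggest appending a sentence such as "It defaults to `yes`, so existing configurations are unaffected; set it to `no` to sign without enrolling."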
state.root / shim_second_stage_binary(state),
)
- if state.config.secure_boot:
+ if state.config.secure_boot and state.config.secure_boot_auto_enroll:
assert state.config.secure_boot_key
assert state.config.secure_boot_certificate
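Review bot: the `assert state.config.secure_boot_key` and `assert state.config.secure_boot_certificate` checks now sit behind the new `secure_boot_auto_enroll` condition, so with `SecureBoot=yes` and `SecureBootAutoEnroll=no` a missing key or certificate is no longer caught at this point. Signing of `systemd-boot` and the generated UKIs still needs those files, so either move the two asserts in front of the new `if`, or confirm that the signing path validates them itself; otherwise the failure only shows up when the sign tool is invoked.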
ssh: bool
secure_boot: bool
+ secure_boot_auto_enroll: bool
secure_boot_key: Optional[Path]
secure_boot_certificate: Optional[Path]
secure_boot_sign_tool: SecureBootSignTool
parse=config_parse_boolean,
help="Sign the resulting kernel/initrd image for UEFI SecureBoot",
),
+ MkosiConfigSetting(
+ dest="secure_boot_auto_enroll",
+ metavar="BOOL",
+ section="Validation",
+ parse=config_parse_boolean,
+ default=True,
+ help="Automatically enroll the secureboot signing key on first boot",
+ ),
MkosiConfigSetting(
dest="secure_boot_key",
metavar="PATH",
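Review bot: the help string "Automatically enroll the secureboot signing key on first boot" promises more than the documentation does: enrollment only happens together with `SecureBoot=` and, per the docs, only in virtual machines (bare metal needs an explicit `loader.conf`). Suggest stating both conditions, and matching the adjacent help text's spelling (`UEFI SecureBoot`), e.g. `help="Automatically enroll the UEFI SecureBoot signing key on first boot in virtual machines (requires SecureBoot=)"`.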
{bold("VALIDATION")}:
UEFI SecureBoot: {yes_no(config.secure_boot)}
+ UEFI SecureBoot AutoEnroll: {yes_no(config.secure_boot_auto_enroll)}
SecureBoot Signing Key: {none_to_none(config.secure_boot_key)}
SecureBoot Certificate: {none_to_none(config.secure_boot_certificate)}
SecureBoot Sign Tool: {config.secure_boot_sign_tool}
`SecureBoot=`, `--secure-boot`
: Sign systemd-boot (if it is not signed yet) and any generated
- unified kernel images for UEFI SecureBoot. Also set up automatic
- enrollment of the secure boot keys in virtual machines as documented
- in the systemd-boot
- [man page](https://www.freedesktop.org/software/systemd/man/systemd-boot.html).
+ unified kernel images for UEFI SecureBoot.
+
+`SecureBootAutoEnroll=`, `--secure-boot-auto-enroll=`
+
+: Set up automatic enrollment of the secure boot keys in virtual machines as
+ documented in the systemd-boot
+ [man page](https://www.freedesktop.org/software/systemd/man/systemd-boot.html)
+ if `SecureBoot=` is used.
Note that systemd-boot will only do automatic secure boot key
enrollment in virtual machines starting from systemd v253. To do auto
enrollment on systemd v252 or on bare metal machines, write a
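Review bot: the new flag is written `--secure-boot-auto-enroll=` with a trailing `=`, while the boolean it mirrors at the top of this hunk is `--secure-boot` without one; the `=` form is used for value-taking options such as `--secure-boot-key=`, so pick one convention for boolean flags. The split itself reads well: `SecureBoot=` is now signing only and the man-page pointer moves with the enrollment text. The trailing "if `SecureBoot=` is used" could be sharpened to "This setting has no effect unless `SecureBoot=` is enabled."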
systemd-boot configuration file to `/efi/loader/loader.conf` using an
extra tree with `secure-boot-enroll force` or
`secure-boot-enroll manual` in it. Auto enrollment is not supported on
- systemd versions older than v252.
+ systemd versions older than v252. Defaults to `yes`.
`SecureBootKey=`, `--secure-boot-key=`
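Review bot: "Defaults to `yes`." is tacked onto the sentence about systemd versions older than v252, where it reads as if the default applied only to those versions. Give it its own sentence at the start or end of the `SecureBootAutoEnroll=` entry, e.g. "`SecureBootAutoEnroll=` defaults to `yes`."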
],
"SectorSize": null,
"SecureBoot": true,
+ "SecureBootAutoEnroll": true,
"SecureBootCertificate": null,
"SecureBootKey": "/path/to/keyfile",
"SecureBootSignTool": "pesign",
runtime_trees = [ConfigTree(Path("/foo/bar"), Path("/baz")), ConfigTree(Path("/bar/baz"), Path("/qux"))],
sector_size = None,
secure_boot = True,
+ secure_boot_auto_enroll = True,
secure_boot_certificate = None,
secure_boot_key = Path("/path/to/keyfile"),
secure_boot_sign_tool = SecureBootSignTool.pesign,
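Review bot: both test fixtures set `SecureBootAutoEnroll` / `secure_boot_auto_enroll` to `true`, which is also the setting's default (`default=True` above), so the JSON round-trip would still pass if the key were silently ignored. Use `false` in the JSON and in the expected `MkosiConfig` here (or add a second case) so the test proves a non-default value survives parsing and serialisation.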