with complete_step("Signing systemd-boot binaries…"):
for f in itertools.chain(directory.glob('*.efi'), directory.glob('*.EFI')):
- run(
- [
- "sbsign",
- "--key",
- state.config.secure_boot_key,
- "--cert",
- state.config.secure_boot_certificate,
- "--output",
- f"{f}.signed",
- f,
- ],
- )
+ run(["sbsign",
+ "--key", state.config.secure_boot_key,
+ "--cert", state.config.secure_boot_certificate,
+ "--output", f"{f}.signed",
+ f])
with complete_step("Installing boot loader…"):
run(["bootctl", "install", "--root", state.root], env={"SYSTEMD_ESP_PATH": "/boot"})
keys.mkdir(parents=True, exist_ok=True)
# sbsiglist expects a DER certificate.
- run(
- [
- "openssl",
- "x509",
- "-outform",
- "DER",
- "-in",
- state.config.secure_boot_certificate,
- "-out",
- state.workspace / "mkosi.der",
- ],
- )
- run(
- [
- "sbsiglist",
- "--owner",
- str(uuid.uuid4()),
- "--type",
- "x509",
- "--output",
- state.workspace / "mkosi.esl",
- state.workspace / "mkosi.der",
- ],
- )
+ run(["openssl",
+ "x509",
+ "-outform", "DER",
+ "-in", state.config.secure_boot_certificate,
+ "-out", state.workspace / "mkosi.der"])
+ run(["sbsiglist",
+ "--owner", str(uuid.uuid4()),
+ "--type", "x509",
+ "--output", state.workspace / "mkosi.esl",
+ state.workspace / "mkosi.der"])
# We reuse the key for all secure boot databases to keep things simple.
for db in ["PK", "KEK", "db"]:
- run(
- [
- "sbvarsign",
- "--attr",
- "NON_VOLATILE,BOOTSERVICE_ACCESS,RUNTIME_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
- "--key",
- state.config.secure_boot_key,
- "--cert",
- state.config.secure_boot_certificate,
- "--output",
- keys / f"{db}.auth",
- db,
- state.workspace / "mkosi.esl",
- ],
- )
+ run(["sbvarsign",
+ "--attr",
+ "NON_VOLATILE,BOOTSERVICE_ACCESS,RUNTIME_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
+ "--key", state.config.secure_boot_key,
+ "--cert", state.config.secure_boot_certificate,
+ "--output", keys / f"{db}.auth",
+ db,
+ state.workspace / "mkosi.esl"])
def install_skeleton_trees(state: MkosiState, cached: bool) -> None:
if state.config.sign_expected_pcr:
cmd += [
"--pcr-private-key", state.config.secure_boot_key,
- "--pcr-banks", "sha1,sha256"
+ "--pcr-banks", "sha1,sha256",
]
if state.config.initrds:
if not config.acl:
return
- ret = run(
- [
- "setfacl",
- "--physical",
- "--modify" if allow else "--remove",
- f"user:{uid}:rwx" if allow else f"user:{uid}",
- "-",
- ],
- check=False,
- text=True,
- # Supply files via stdin so we don't clutter --debug run output too much
- input="\n".join([str(root), *(e.path for e in cast(Iterator[os.DirEntry[str]], scandir_recursive(root)) if e.is_dir())])
+ ret = run(["setfacl",
+ "--physical",
+ "--modify" if allow else "--remove",
+ f"user:{uid}:rwx" if allow else f"user:{uid}",
+ "-"],
+ check=False,
+ text=True,
+ # Supply files via stdin so we don't clutter --debug run output too much
+ input="\n".join([str(root),
+ *(e.path for e in cast(Iterator[os.DirEntry[str]], scandir_recursive(root)) if e.is_dir())])
)
if ret.returncode != 0:
warn("Failed to set ACLs, you'll need root privileges to remove some generated files/directories")
def nspawn_knows_arg(arg: str) -> bool:
# Specify some extra incompatible options so nspawn doesn't try to boot a container in the current
# directory if it has a compatible layout.
- return "unrecognized option" not in run(["systemd-nspawn", arg,
- "--directory", "/dev/null", "--image", "/dev/null"],
- stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, check=False,
- text=True).stderr
+ c = run(["systemd-nspawn", arg,
+ "--directory", "/dev/null",
+ "--image", "/dev/null"],
+ stdout=subprocess.DEVNULL,
+ stderr=subprocess.PIPE,
+ check=False,
+ text=True)
+ return "unrecognized option" not in c.stderr
def run_shell(config: MkosiConfig) -> None:
cmdline: list[PathString] = [
find_qemu_binary(config),
- "-machine",
- machine,
- "-smp",
- config.qemu_smp,
- "-m",
- config.qemu_mem,
- "-object",
- "rng-random,filename=/dev/urandom,id=rng0",
- "-device",
- "virtio-rng-pci,rng=rng0,id=rng-device0",
- "-nic",
- "user,model=virtio-net-pci",
+ "-machine", machine,
+ "-smp", config.qemu_smp,
+ "-m", config.qemu_mem,
+ "-object", "rng-random,filename=/dev/urandom,id=rng0",
+ "-device", "virtio-rng-pci,rng=rng0,id=rng-device0",
+ "-nic", "user,model=virtio-net-pci",
]
try:
ovmf_vars = stack.enter_context(tempfile.NamedTemporaryFile(prefix=".mkosi-", dir=tmp_dir()))
copy_path(find_ovmf_vars(config), Path(ovmf_vars.name))
cmdline += [
- "-global",
- "ICH9-LPC.disable_s3=1",
- "-global",
- "driver=cfi.pflash01,property=secure,value=on",
- "-drive",
- f"file={ovmf_vars.name},if=pflash,format=raw",
+ "-global", "ICH9-LPC.disable_s3=1",
+ "-global", "driver=cfi.pflash01,property=secure,value=on",
+ "-drive", f"file={ovmf_vars.name},if=pflash,format=raw",
]
if config.ephemeral:
kernel = (config.output_dir or Path.cwd()) / config.output_split_kernel
if not kernel.exists() and "-kernel" not in config.cmdline:
die("No kernel found, please install a kernel in the cpio or provide a -kernel argument to mkosi qemu")
- cmdline += [
- "-kernel", kernel,
- "-initrd", fname,
- "-append", " ".join(config.kernel_command_line + config.kernel_command_line_extra),
- ]
+ cmdline += ["-kernel", kernel,
+ "-initrd", fname,
+ "-append", " ".join(config.kernel_command_line + config.kernel_command_line_extra)]
if config.distribution == Distribution.debian:
- cmdline += [
- "-drive",
- f"if=virtio,id=hd,file={fname},format=raw",
- ]
+ cmdline += ["-drive", f"if=virtio,id=hd,file={fname},format=raw"]
else:
- cmdline += [
- "-drive",
- f"if=none,id=hd,file={fname},format=raw",
- "-device",
- "virtio-scsi-pci,id=scsi",
- "-device",
- "scsi-hd,drive=hd,bootindex=1",
- ]
+ cmdline += ["-drive", f"if=none,id=hd,file={fname},format=raw",
+ "-device", "virtio-scsi-pci,id=scsi",
+ "-device", "scsi-hd,drive=hd,bootindex=1"]
swtpm_socket = stack.enter_context(start_swtpm())
if swtpm_socket is not None:
- cmdline += [
- "-chardev", f"socket,id=chrtpm,path={swtpm_socket}",
- "-tpmdev", "emulator,id=tpm0,chardev=chrtpm",
- ]
+ cmdline += ["-chardev", f"socket,id=chrtpm,path={swtpm_socket}",
+ "-tpmdev", "emulator,id=tpm0,chardev=chrtpm"]
if config.architecture == "x86_64":
cmdline += ["-device", "tpm-tis,tpmdev=tpm0"]
crt = config.secure_boot_certificate or "mkosi.secure-boot.crt"
cmd: list[PathString] = [
- "openssl",
- "req",
+ "openssl", "req",
"-new",
"-x509",
- "-newkey",
- f"rsa:{keylength}",
- "-keyout",
- key,
- "-out",
- crt,
- "-days",
- str(config.secure_boot_valid_days),
- "-subj",
- f"/CN={cn}/",
+ "-newkey", f"rsa:{keylength}",
+ "-keyout", key,
+ "-out", crt,
+ "-days", str(config.secure_boot_valid_days),
+ "-subj", f"/CN={cn}/",
"-nodes",
]
run(cmd)
projects / thirdparty / mkosi.git / commitdiff
