guard cryptography imports
authorJoerg Behrmann <behrmann@physik.fu-berlin.de>
Thu, 22 Sep 2022 08:37:05 +0000 (10:37 +0200)
committerJoerg Behrmann <behrmann@physik.fu-berlin.de>
Thu, 22 Sep 2022 08:57:08 +0000 (10:57 +0200)
mkosi/__init__.py

index b97b546ca4f47f1784f7196e742c3b8cd90ecd24..d7c64c9417846bc9a70bd836cf61e933aedd968f 100644 (file)
@@ -3757,10 +3757,13 @@ def make_verity_sig(
 
     assert root_hash is not None
 
-    from cryptography import x509
-    from cryptography.hazmat.primitives import hashes, serialization
-    from cryptography.hazmat.primitives.asymmetric import ec, rsa
-    from cryptography.hazmat.primitives.serialization import pkcs7
+    try:
+        from cryptography import x509
+        from cryptography.hazmat.primitives import hashes, serialization
+        from cryptography.hazmat.primitives.asymmetric import ec, rsa
+        from cryptography.hazmat.primitives.serialization import pkcs7
+    except ImportError:
+        die("Verity support needs the cryptography module. Please install it.")
 
     with complete_step("Signing verity root hash…"):
 
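Review bot: The `except ImportError:` branch added to make_verity_sig discards the exception, so every import failure is reported as a missing package. ImportError is also raised when the package is installed but one of its compiled components fails to load, and in that case "Please install it" points the user the wrong way. Binding the exception and appending it keeps the hint and shows the cause: `except ImportError as e:` with `die(f"Verity support needs the cryptography module. Please install it. ({e})")`. The names `x509`, `hashes`, `serialization`, `ec`, `rsa` and `pkcs7` are bound afterwards only if `die()` never returns, which looks intended but is defined outside this hunk, and the function body continues past it.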
@@ -3987,38 +3990,42 @@ def install_unified_kernel(
             # systemd-measure binary around, then also include a
             # signature of expected PCR 11 values in the kernel image
             if state.config.secure_boot:
-                if shutil.which('systemd-measure'):
-                    with complete_step("Generating PCR 11 signature…"):
-                        from cryptography import x509
-                        from cryptography.hazmat.primitives import serialization
-
-                        # Extract the public key from the SecureBoot certificate
-                        cert = x509.load_pem_x509_certificate(state.config.secure_boot_certificate.read_bytes())
-                        pcrpkey = state.workspace / "pcrpkey.pem"
-                        pcrpkey.write_bytes(cert.public_key().public_bytes(
-                            encoding=serialization.Encoding.PEM,
-                            format=serialization.PublicFormat.SubjectPublicKeyInfo))
-
-                        cmd_measure: Sequence[PathString] = [
-                            "systemd-measure",
-                            "sign",
-                            f"--linux={state.root / kimg}",
-                            f"--osrel={osrelease}",
-                            f"--cmdline={cmdline}",
-                            f"--initrd={initrd}",
-                            f"--pcrpkey={pcrpkey}",
-                            f"--private-key={state.config.secure_boot_key}",
-                            f"--public-key={pcrpkey}",
-                            "--bank=sha1",
-                            "--bank=sha256",
-                        ]
-
-                        c = run(cmd_measure, stdout=subprocess.PIPE)
-
-                        pcrsig = state.workspace / "pcrsig.json"
-                        pcrsig.write_bytes(c.stdout)
-                else:
-                    MkosiPrinter.info("Couldn't find systemd-measure binary, not embedding PCR signature in unified kernel image.")
+                try:
+                    from cryptography import x509
+                    from cryptography.hazmat.primitives import serialization
+
+                    if shutil.which('systemd-measure'):
+                        with complete_step("Generating PCR 11 signature…"):
+
+                            # Extract the public key from the SecureBoot certificate
+                            cert = x509.load_pem_x509_certificate(state.config.secure_boot_certificate.read_bytes())
+                            pcrpkey = state.workspace / "pcrpkey.pem"
+                            pcrpkey.write_bytes(cert.public_key().public_bytes(
+                                encoding=serialization.Encoding.PEM,
+                                format=serialization.PublicFormat.SubjectPublicKeyInfo))
+
+                            cmd_measure = [
+                                "systemd-measure",
+                                "sign",
+                                f"--linux={state.root / kimg}",
+                                f"--osrel={osrelease}",
+                                f"--cmdline={cmdline}",
+                                f"--initrd={initrd}",
+                                f"--pcrpkey={pcrpkey}",
+                                f"--private-key={state.config.secure_boot_key}",
+                                f"--public-key={pcrpkey}",
+                                "--bank=sha1",
+                                "--bank=sha256",
+                            ]
+
+                            c = run(cmd_measure, stdout=subprocess.PIPE)
+
+                            pcrsig = state.workspace / "pcrsig.json"
+                            pcrsig.write_bytes(c.stdout)
+                    else:
+                        MkosiPrinter.info("Couldn't find systemd-measure binary, not embedding PCR signature in unified kernel image.")
+                except ImportError:
+                    MkosiPrinter.info("Couldn't import the cryptography Python module, not embedding PCR signature in unified kernel image.")
 
             cmd: List[PathString] = [
                 "objcopy",
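Review bot: The new `try:` in install_unified_kernel encloses the whole signing step rather than just the two imports, so an ImportError raised anywhere inside it, including from code reached through `run()` or `complete_step()`, would be reported as a missing cryptography module and the build would continue without a PCR signature. Keeping the `try` to the two import lines, with `except ImportError:` directly after them and the `if shutil.which('systemd-measure'):` block moved under an `else:`, limits the handler to the failure it names. Because this branch runs only when `state.config.secure_boot` is set, an info-level message is easy to miss for an image that ends up without the expected PCR 11 signature; a warning may fit better, if MkosiPrinter offers one. The rewrite also drops the `Sequence[PathString]` annotation from `cmd_measure`, while the neighbouring `cmd: List[PathString]` keeps its own. The function starts and ends outside this hunk.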