Bind /run when an engine might be used instead of only /run/pcscd
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Thu, 31 Oct 2024 11:36:09 +0000 (12:36 +0100)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Thu, 31 Oct 2024 11:36:09 +0000 (12:36 +0100)
The configured engine is not guaranteed to be the pkcs#11 one, so bind
the entirety of /run in case a different engine talks to a daemon whose
socket lives elsewhere in /run.

mkosi/__init__.py
mkosi/bootloader.py

index 435910aabbc2df145907be17bfa05ea5d3eef3e5..bae8baa49a837dcd03d2b8082df52fb6102161f3 100644 (file)
@@ -1534,7 +1534,7 @@ def run_ukify(
             ]  # fmt: skip
             if context.config.secure_boot_key_source.type == KeySourceType.engine:
                 cmd += ["--signing-engine", context.config.secure_boot_key_source.source]
-                opt += ["--bind-try", "/run/pcscd", "/run/pcscd"]
+                opt += ["--bind", "/run", "/run"]
             if context.config.secure_boot_key.exists():
                 cmd += ["--secureboot-private-key", workdir(context.config.secure_boot_key)]
                 opt += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
@@ -1609,7 +1609,7 @@ def build_uki(
             ]  # fmt: skip
             options += [
                 "--ro-bind", context.config.sign_expected_pcr_certificate, workdir(context.config.sign_expected_pcr_certificate),  # noqa: E501
-                "--bind-try", "/run/pcscd", "/run/pcscd",
+                "--bind", "/run", "/run",
             ]  # fmt: skip
 
         if context.config.sign_expected_pcr_key.exists():
@@ -3074,7 +3074,7 @@ def make_image(
 
         if context.config.verity_key_source.type != KeySourceType.file:
             cmdline += ["--private-key-source", str(context.config.verity_key_source)]
-            opts += ["--bind-try", "/run/pcscd", "/run/pcscd"]
+            opts += ["--bind", "/run", "/run"]
         if context.config.verity_key.exists():
             cmdline += ["--private-key", workdir(context.config.verity_key)]
             opts += ["--ro-bind", context.config.verity_key, workdir(context.config.verity_key)]
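Review bot: The replacement on L20, L29 and L38 bind-mounts the host's whole /run read-write into the sandbox, which hands the sandboxed signing and measurement helpers every runtime socket and file under /run (typically the system bus socket, per-user runtime directories and any container-daemon sockets) with write access, when the commit only needs the engine to reach one daemon's socket. Connecting to a Unix socket does not require a writable mount, so `--ro-bind /run /run` should cover the pkcs#11/pcscd case and any other socket-backed engine; if a specific engine is known to create files under /run, bind just that directory read-write rather than all of /run. The move from `--bind-try` to `--bind` also makes the sandbox fail outright when /run is missing, which is presumably acceptable on a systemd host but is a behaviour change that deserves a line such as `# The engine may talk to a daemon over a socket anywhere in /run, not only pcscd; read-only is enough for connect().` run_ukify, build_uki and make_image all start and end outside these hunks.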
index f347c352c0dac137a3969d674764326da4fc762b..ff2ed0d1f0b74ae8a8f1d1f92cb01721644c5da2 100644 (file)
@@ -518,7 +518,7 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
         ]  # fmt: skip
         if context.config.secure_boot_key_source.type == KeySourceType.engine:
             cmd += ["--engine", context.config.secure_boot_key_source.source]
-            options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
+            options += ["--bind", "/run", "/run"]
         if context.config.secure_boot_key.exists():
             cmd += ["--key", workdir(context.config.secure_boot_key)]
             options += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
@@ -753,7 +753,7 @@ def install_systemd_boot(context: Context) -> None:
                     ]  # fmt: skip
                     if context.config.secure_boot_key_source.type == KeySourceType.engine:
                         cmd += ["--engine", context.config.secure_boot_key_source.source]
-                        options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
+                        options += ["--bind", "/run", "/run"]
                     if context.config.secure_boot_key.exists():
                         cmd += ["--key", workdir(context.config.secure_boot_key)]
                         options += [
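Review bot: The same `--bind /run /run` triple now appears on L48 and L57 here and three more times in mkosi/__init__.py, so the sandbox policy for engine-backed signing is duplicated in five places; a shared helper such as `def engine_sandbox_options() -> list[str]: return ["--ro-bind", "/run", "/run"]` would keep it in one spot so that tightening it later (for example to read-only, which suffices for socket connections) applies everywhere at once. As written, sbsign invoked with `--engine` gets read-write access to everything under the host's /run, considerably more than the single pcscd socket the previous `--bind-try` exposed, and a brief comment on why all of /run is needed would help the next reader. Both sign_efi_binary and install_systemd_boot begin before and continue after their hunks.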