verity: add support for signing with an hardware token
authorLuca Boccassi <bluca@debian.org>
Sat, 10 Feb 2024 19:28:29 +0000 (19:28 +0000)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 4 Mar 2024 18:47:30 +0000 (19:47 +0100)
Needs sd-repart v256 with --signing-engine parameter

Co-authored-by: Daan De Meyer <daan.j.demeyer@gmail.com>
mkosi/__init__.py
mkosi/config.py
mkosi/resources/mkosi.md
tests/test_json.py

index ebaf499068d798ead632c641f56099ff67d235fd..55dc15d680d30375b56461eca292d5ba39856c24 100644 (file)
@@ -2811,7 +2811,10 @@ def make_image(
         options += ["--ro-bind", context.config.passphrase, context.config.passphrase]
     if context.config.verity_key:
         cmdline += ["--private-key", context.config.verity_key]
-        options += ["--ro-bind", context.config.verity_key, context.config.verity_key]
+        if context.config.verity_key_source.type != KeySource.Type.file:
+            cmdline += ["--private-key-source", str(context.config.verity_key_source)]
+        if context.config.verity_key.exists():
+            options += ["--ro-bind", context.config.verity_key, context.config.verity_key]
     if context.config.verity_certificate:
         cmdline += ["--certificate", context.config.verity_certificate]
         options += ["--ro-bind", context.config.verity_certificate, context.config.verity_certificate]
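Review bot: The new `if context.config.verity_key.exists():` guard changes the failure mode for the default `KeySource.Type.file` source: a mistyped or missing key path no longer fails at the bind step in mkosi but is silently left unmounted, and systemd-repart then reports an ENOENT from inside the sandbox that does not say the file was never bound. The skip is only needed for non-file sources, whose `--private-key` value need not be a host path, so gate it on the source type rather than on host filesystem state: `if context.config.verity_key_source.type == KeySource.Type.file or context.config.verity_key.exists():` keeps the old always-bind behaviour for files while still skipping the bind for engine keys. A short comment on the branch, e.g. `# engine-backed keys are URIs/handles, not files; only bind when there is something on disk`, would make the intent explicit. `make_image`'s body begins before and continues after this hunk.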
@@ -2837,7 +2840,13 @@ def make_image(
                 cmdline,
                 stdout=subprocess.PIPE,
                 env=context.config.environment,
-                sandbox=context.sandbox(devices=not context.config.repart_offline, options=options),
+                sandbox=context.sandbox(
+                    devices=(
+                        not context.config.repart_offline or
+                        context.config.verity_key_source.type != KeySource.Type.file
+                    ),
+                    options=options,
+                ),
             ).stdout
         )
 
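Review bot: Setting `devices=True` whenever the key source is not a file presumably exposes the host's device nodes as a whole to the sandboxed systemd-repart, which is a much wider grant than the single hardware token the engine needs, and nothing in the hunk records why the grant exists. At minimum add a why-comment above the `devices=(` line, e.g. `# engine-backed keys (e.g. pkcs11) must reach the token through the host's device nodes`. If `context.sandbox` can bind individual paths through `options`, passing only the token's device node instead of flipping `devices` would narrow the exposure; its implementation is not visible here, so that needs confirming. The enclosing `run(...)` call and `make_image` extend beyond this hunk.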
@@ -2989,7 +2998,10 @@ def make_extension_image(context: Context, output: Path) -> None:
         options += ["--ro-bind", context.config.passphrase, context.config.passphrase]
     if context.config.verity_key:
         cmdline += ["--private-key", context.config.verity_key]
-        options += ["--ro-bind", context.config.verity_key, context.config.verity_key]
+        if context.config.verity_key_source.type != KeySource.Type.file:
+            cmdline += ["--private-key-source", str(context.config.verity_key_source)]
+        if context.config.verity_key.exists():
+            options += ["--ro-bind", context.config.verity_key, context.config.verity_key]
     if context.config.verity_certificate:
         cmdline += ["--certificate", context.config.verity_certificate]
         options += ["--ro-bind", context.config.verity_certificate, context.config.verity_certificate]
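Review bot: These four added lines are a verbatim copy of the block added to `make_image` in the first hunk, including the `.exists()` guard, so the two call sites will drift the next time key handling changes (a new source type, a permission check, a better error). Consider extracting the verity key/certificate argument assembly into a small private helper that returns the `cmdline` and `options` additions and calling it from both `make_image` and `make_extension_image`, with the engine-vs-file distinction documented once in its docstring. As written, this also inherits the silent skip of the bind mount for a missing file-backed key. `make_extension_image` begins before this hunk and continues after it.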
@@ -3008,7 +3020,13 @@ def make_extension_image(context: Context, output: Path) -> None:
         run(
             cmdline + ["--definitions", r],
             env=env,
-            sandbox=context.sandbox(devices=not context.config.repart_offline, options=options),
+            sandbox=context.sandbox(
+                devices=(
+                    not context.config.repart_offline or
+                    context.config.verity_key_source.type != KeySource.Type.file
+                ),
+                options=options,
+            ),
         )
 
 
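Review bot: An engine key source now silently overrides an explicit `RepartOffline=` setting by forcing `devices=True`, and the user gets no indication that the offline mode they asked for was not honoured; a log or warning line when `context.config.repart_offline` is set together with a non-file `verity_key_source` would make the override visible. The condition is also duplicated from the `make_image` hunk; binding it once to a named local such as `needs_devices = not context.config.repart_offline or context.config.verity_key_source.type != KeySource.Type.file` with a comment on why hardware tokens need device access would keep both sites consistent. The enclosing `run(...)` call and `make_extension_image` extend beyond this hunk.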
index 1195161728a03043fc46b14135de1f9f1b64032d..ccf88130dbea4d5b12fe3517fdf6400550573a8e 100644 (file)
@@ -1327,6 +1327,7 @@ class Config:
     secure_boot_certificate: Optional[Path]
     secure_boot_sign_tool: SecureBootSignTool
     verity_key: Optional[Path]
+    verity_key_source: KeySource
     verity_certificate: Optional[Path]
     sign_expected_pcr: ConfigFeature
     passphrase: Optional[Path]
@@ -2376,11 +2377,19 @@ SETTINGS = (
     ),
     ConfigSetting(
         dest="verity_key",
-        metavar="PATH",
+        metavar="KEY",
         section="Validation",
-        parse=config_make_path_parser(secret=True),
+        parse=config_parse_key,
         paths=("mkosi.key",),
-        help="Private key for signing verity signature in PEM format",
+        help="Private key for signing verity signature",
+    ),
+    ConfigSetting(
+        dest="verity_key_source",
+        section="Validation",
+        metavar="SOURCE[:ENGINE]",
+        parse=config_parse_key_source,
+        default=KeySource(type=KeySource.Type.file),
+        help="The source to use to retrieve the verity signing key",
     ),
     ConfigSetting(
         dest="verity_certificate",
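Review bot: Switching `verity_key` from `config_make_path_parser(secret=True)` to `config_parse_key` drops the `secret=True` flag; if that flag gated a permissions check, redaction or similar handling of the key file (its effect is not visible here), the file-backed case loses it with this change, so confirm `config_parse_key` preserves that treatment for `KeySource.Type.file`. The help text for `verity_key_source` also does not say which `SOURCE` values are accepted; a help string such as `"The source to use to retrieve the verity signing key (file, or engine:NAME for an OpenSSL engine)"` would match the metavar. The `SETTINGS` tuple continues beyond this hunk.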
@@ -3649,6 +3658,7 @@ def summary(config: Config) -> str:
              SecureBoot Certificate: {none_to_none(config.secure_boot_certificate)}
                SecureBoot Sign Tool: {config.secure_boot_sign_tool}
                  Verity Signing Key: {none_to_none(config.verity_key)}
+          Verity Signing Key Source: {config.verity_key_source}
                  Verity Certificate: {none_to_none(config.verity_certificate)}
                  Sign Expected PCRs: {config.sign_expected_pcr}
                          Passphrase: {none_to_none(config.passphrase)}
index f8eb980db695df056f310c010c4c154080a28441..52aba1b98062a255347c06a3782f1b128a2d160c 100644 (file)
@@ -1358,7 +1358,13 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
 `VerityKey=`, `--verity-key=`
 
 : Path to the PEM file containing the secret key for signing the verity signature, if a verity signature
-  partition is added with systemd-repart.
+  partition is added with systemd-repart. When `VerityKeySource=` is specified, the input type depends on
+  the source.
+
+`VerityKeySource=`, `--verity-key-source=`
+
+: Source of `VerityKey=`, to support OpenSSL engines. E.g.:
+  `--verity-key-source=engine:pkcs11`
 
 `VerityCertificate=`, `--verity-certificate=`
 
index 12c1a01cc0de0b317d27dcd4b32d3fc8ac4fd0e4..b1939f5f31d08f4cc3ea5b4df7feea14d24f2b53 100644 (file)
@@ -306,6 +306,10 @@ def test_config() -> None:
             "UseSubvolumes": "auto",
             "VerityCertificate": "/path/to/cert",
             "VerityKey": null,
+            "VerityKeySource": {
+                "source": "",
+                "type": "file"
+            },
             "WithDocs": true,
             "WithNetwork": false,
             "WithRecommends": true,
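Review bot: The only value of `VerityKeySource` exercised by the test is the default (`{"source": "", "type": "file"}`), so neither the `engine:NAME` parse in `config_parse_key_source` nor its JSON round-trip is pinned by this commit. Adding a fixture entry such as `"VerityKeySource": {"source": "pkcs11", "type": "engine"}` with the matching `KeySource(...)` expectation in the dataclass half of the test would catch a regression in the `SOURCE[:ENGINE]` format; the exact enum member name for the engine case is not visible here and should follow `KeySource.Type`. The `test_config` function extends beyond this hunk.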
@@ -441,6 +445,7 @@ def test_config() -> None:
         use_subvolumes = ConfigFeature.auto,
         verity_certificate = Path("/path/to/cert"),
         verity_key = None,
+        verity_key_source = KeySource(type=KeySource.Type.file),
         with_docs = True,
         with_network = False,
         with_recommends = True,