ConfigFeature,
DocFormat,
JsonEncoder,
- KeySource,
+ KeySourceType,
ManifestFormat,
Network,
OutputFormat,
options += [
"--ro-bind", context.config.secure_boot_certificate, context.config.secure_boot_certificate,
]
- if context.config.secure_boot_key_source.type == KeySource.Type.engine:
+ if context.config.secure_boot_key_source.type == KeySourceType.engine:
cmd += ["--signing-engine", context.config.secure_boot_key_source.source]
if context.config.secure_boot_key.exists():
options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
]
if context.config.secure_boot_key.exists():
options += ["--bind", context.config.secure_boot_key, context.config.secure_boot_key]
- if context.config.secure_boot_key_source.type == KeySource.Type.engine:
+ if context.config.secure_boot_key_source.type == KeySourceType.engine:
cmd += [
"--signing-engine", context.config.secure_boot_key_source.source,
"--pcr-public-key", context.config.secure_boot_certificate,
sandbox=context.sandbox(
binary=ukify,
options=options,
- devices=context.config.secure_boot_key_source.type != KeySource.Type.file,
+ devices=context.config.secure_boot_key_source.type != KeySourceType.file,
),
)
if config.selinux_relabel == ConfigFeature.enabled:
check_tool(config, "setfiles", reason="relabel files")
- if config.secure_boot_key_source.type != KeySource.Type.file:
+ if config.secure_boot_key_source.type != KeySourceType.file:
check_ukify(
config,
version="256",
reason="sign PCR hashes with OpenSSL engine",
)
- if config.verity_key_source.type != KeySource.Type.file:
+ if config.verity_key_source.type != KeySourceType.file:
check_systemd_tool(
config,
"systemd-repart",
options += ["--ro-bind", context.config.passphrase, context.config.passphrase]
if context.config.verity_key:
cmdline += ["--private-key", context.config.verity_key]
- if context.config.verity_key_source.type != KeySource.Type.file:
+ if context.config.verity_key_source.type != KeySourceType.file:
cmdline += ["--private-key-source", str(context.config.verity_key_source)]
if context.config.verity_key.exists():
options += ["--ro-bind", context.config.verity_key, context.config.verity_key]
binary="systemd-repart",
devices=(
not context.config.repart_offline or
- context.config.verity_key_source.type != KeySource.Type.file
+ context.config.verity_key_source.type != KeySourceType.file
),
vartmp=True,
options=options,
options += ["--ro-bind", context.config.passphrase, context.config.passphrase]
if context.config.verity_key:
cmdline += ["--private-key", context.config.verity_key]
- if context.config.verity_key_source.type != KeySource.Type.file:
+ if context.config.verity_key_source.type != KeySourceType.file:
cmdline += ["--private-key-source", str(context.config.verity_key_source)]
if context.config.verity_key.exists():
options += ["--ro-bind", context.config.verity_key, context.config.verity_key]
binary="systemd-repart",
devices=(
not context.config.repart_offline or
- context.config.verity_key_source.type != KeySource.Type.file
+ context.config.verity_key_source.type != KeySourceType.file
),
vartmp=True,
options=options,
Bootloader,
Config,
ConfigFeature,
- KeySource,
+ KeySourceType,
OutputFormat,
SecureBootSignTool,
ShimBootloader,
"--ro-bind", context.config.secure_boot_certificate, context.config.secure_boot_certificate,
"--ro-bind", input, input,
]
- if context.config.secure_boot_key_source.type == KeySource.Type.engine:
+ if context.config.secure_boot_key_source.type == KeySourceType.engine:
cmd += ["--engine", context.config.secure_boot_key_source.source]
if context.config.secure_boot_key.exists():
options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
sandbox=context.sandbox(
binary="sbsign",
options=options,
- devices=context.config.secure_boot_key_source.type != KeySource.Type.file,
+ devices=context.config.secure_boot_key_source.type != KeySourceType.file,
)
)
output.unlink(missing_ok=True)
"--ro-bind", context.config.secure_boot_certificate, context.config.secure_boot_certificate,
"--ro-bind", context.workspace / "mkosi.esl", context.workspace / "mkosi.esl",
]
- if context.config.secure_boot_key_source.type == KeySource.Type.engine:
+ if context.config.secure_boot_key_source.type == KeySourceType.engine:
cmd += ["--engine", context.config.secure_boot_key_source.source]
if context.config.secure_boot_key.exists():
options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
sandbox=context.sandbox(
binary="sbvarsign",
options=options,
- devices=context.config.secure_boot_key_source.type != KeySource.Type.file,
+ devices=context.config.secure_boot_key_source.type != KeySourceType.file,
),
)
return content
+class KeySourceType(StrEnum):
+ file = enum.auto()
+ engine = enum.auto()
+
+
@dataclasses.dataclass(frozen=True)
class KeySource:
- class Type(StrEnum):
- file = enum.auto()
- engine = enum.auto()
-
- type: Type
+ type: KeySourceType
source: str = ""
def __str__(self) -> str:
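Review bot: The new top-level `KeySourceType` enum has no docstring, and the nested `KeySource.Type` it replaces is removed outright rather than aliased, so anything outside this tree that imported `KeySource.Type` would now fail with an AttributeError; whether such callers exist is not visible from the diff, but a one-line `Type = KeySourceType` in the `KeySource` body would keep them working at no cost. For the enum itself I would add `"""Kind of backend a signing key is retrieved from: a key file, or an OpenSSL engine."""` directly under the `class KeySourceType(StrEnum):` line, since the engine case is what drives the `--signing-engine`/`--engine` options and the `devices=` sandbox choice in the other hunks. The `__str__` method whose signature closes this hunk continues outside it.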
typ, _, source = value.partition(":")
try:
- type = KeySource.Type(typ)
+ type = KeySourceType(typ)
except ValueError:
die(f"'{value}' is not a valid key source")
section="Validation",
metavar="SOURCE[:ENGINE]",
parse=config_parse_key_source,
- default=KeySource(type=KeySource.Type.file),
+ default=KeySource(type=KeySourceType.file),
help="The source to use to retrieve the secure boot signing key",
),
ConfigSetting(
section="Validation",
metavar="SOURCE[:ENGINE]",
parse=config_parse_key_source,
- default=KeySource(type=KeySource.Type.file),
+ default=KeySource(type=KeySourceType.file),
help="The source to use to retrieve the verity signing key",
scope=SettingScope.universal,
),
def key_source_transformer(keysource: dict[str, Any], fieldtype: type[KeySource]) -> KeySource:
assert "Type" in keysource
- return KeySource(type=KeySource.Type(keysource["Type"]), source=keysource.get("Source", ""))
+ return KeySource(type=KeySourceType(keysource["Type"]), source=keysource.get("Source", ""))
# The type of this should be
# dict[type, Callable[a stringy JSON object (str, null, list or dict of str), type of the key], type of the key]
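Review bot: On the new return line, `KeySourceType(keysource["Type"])` raises a bare `ValueError` when the JSON carries an unknown type, and the `assert "Type" in keysource` above it is input validation that is stripped under `python -O`, so a malformed or hand-edited JSON config surfaces as a traceback (or passes the assert entirely) instead of the `die("... is not a valid key source")` message that `config_parse_key_source` already produces for the same bad value in the hunk above. Both checks should be explicit and match that function's handling; the rewrite below keeps the signature and the `keysource.get("Source", "")` default unchanged. The two comment lines after the function belong to the next definition, not to this one.
```python
def key_source_transformer(keysource: dict[str, Any], fieldtype: type[KeySource]) -> KeySource:
    # Explicit check rather than assert: this runs on deserialized JSON, and assert is dropped under -O.
    if "Type" not in keysource:
        die("Key source JSON object is missing the 'Type' field")
    try:
        type = KeySourceType(keysource["Type"])
    except ValueError:
        # Same failure mode as config_parse_key_source, so both paths report bad input identically.
        die(f"'{keysource['Type']}' is not a valid key source type")
    return KeySource(type=type, source=keysource.get("Source", ""))
```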
ConfigTree,
DocFormat,
KeySource,
+ KeySourceType,
ManifestFormat,
Network,
OutputFormat,
secure_boot_auto_enroll=True,
secure_boot_certificate=None,
secure_boot_key=Path("/path/to/keyfile"),
- secure_boot_key_source=KeySource(type=KeySource.Type.file),
+ secure_boot_key_source=KeySource(type=KeySourceType.file),
secure_boot_sign_tool=SecureBootSignTool.pesign,
seed=uuid.UUID("7496d7d8-7f08-4a2b-96c6-ec8c43791b60"),
selinux_relabel=ConfigFeature.disabled,
use_subvolumes=ConfigFeature.auto,
verity_certificate=Path("/path/to/cert"),
verity_key=None,
- verity_key_source=KeySource(type=KeySource.Type.file),
+ verity_key_source=KeySource(type=KeySourceType.file),
volatile_package_directories=[Path("def")],
volatile_packages=["abc"],
with_docs=True,