make measuring an option 1200/head
authorJoerg Behrmann <behrmann@physik.fu-berlin.de>
Thu, 22 Sep 2022 15:44:28 +0000 (17:44 +0200)
committerJoerg Behrmann <behrmann@physik.fu-berlin.de>
Thu, 22 Sep 2022 15:51:10 +0000 (17:51 +0200)
mkosi.md
mkosi/__init__.py
mkosi/backend.py
tests/test_config_parser.py

index 85eb7c9cae1636da6f2839aa86f5a8c0acd750fa..99f8599a1c5bc74a6e28bd400725ff16f4390184 100644 (file)
--- a/mkosi.md
+++ b/mkosi.md
@@ -559,6 +559,18 @@ a boolean argument: either "1", "yes", or "true" to enable, or "0",
   provisions described in the [Discoverable Partitions
   Specification](https://systemd.io/DISCOVERABLE_PARTITIONS).
 
+  This option requires the [`cryptography`](https://cryptography.io/)
+  module.
+
+`Measure=`, `--measure`
+
+: Measure the components of the unified kernel image (UKI) using
+  `systemd-measure` and embed the PCR signature into the unified kernel
+  image.
+
+  This option requires the [`cryptography`](https://cryptography.io/)
+  module.
+
 `CompressFs=`, `--compress-fs=`
 
 : Enable or disable internal compression in the file system. Only
index d7c64c9417846bc9a70bd836cf61e933aedd968f..eb6e6535b203b2e0a8492e4fd09672b508258c7f 100644 (file)
@@ -3989,43 +3989,42 @@ def install_unified_kernel(
             # If a SecureBoot key is configured, and we have the
             # systemd-measure binary around, then also include a
             # signature of expected PCR 11 values in the kernel image
-            if state.config.secure_boot:
+            if state.config.secure_boot and state.config.measure:
                 try:
                     from cryptography import x509
                     from cryptography.hazmat.primitives import serialization
-
-                    if shutil.which('systemd-measure'):
-                        with complete_step("Generating PCR 11 signature…"):
-
-                            # Extract the public key from the SecureBoot certificate
-                            cert = x509.load_pem_x509_certificate(state.config.secure_boot_certificate.read_bytes())
-                            pcrpkey = state.workspace / "pcrpkey.pem"
-                            pcrpkey.write_bytes(cert.public_key().public_bytes(
-                                encoding=serialization.Encoding.PEM,
-                                format=serialization.PublicFormat.SubjectPublicKeyInfo))
-
-                            cmd_measure = [
-                                "systemd-measure",
-                                "sign",
-                                f"--linux={state.root / kimg}",
-                                f"--osrel={osrelease}",
-                                f"--cmdline={cmdline}",
-                                f"--initrd={initrd}",
-                                f"--pcrpkey={pcrpkey}",
-                                f"--private-key={state.config.secure_boot_key}",
-                                f"--public-key={pcrpkey}",
-                                "--bank=sha1",
-                                "--bank=sha256",
-                            ]
-
-                            c = run(cmd_measure, stdout=subprocess.PIPE)
-
-                            pcrsig = state.workspace / "pcrsig.json"
-                            pcrsig.write_bytes(c.stdout)
-                    else:
-                        MkosiPrinter.info("Couldn't find systemd-measure binary, not embedding PCR signature in unified kernel image.")
                 except ImportError:
-                    MkosiPrinter.info("Couldn't import the cryptography Python module, not embedding PCR signature in unified kernel image.")
+                    die("Couldn't import the cryptography Python module. This is needed for the --measure option.")
+
+                if not shutil.which('systemd-measure'):
+                    die("Couldn't find systemd-measure binary. It is needed for the --measure option.")
+
+                with complete_step("Generating PCR 11 signature…"):
+                    # Extract the public key from the SecureBoot certificate
+                    cert = x509.load_pem_x509_certificate(state.config.secure_boot_certificate.read_bytes())
+                    pcrpkey = state.workspace / "pcrpkey.pem"
+                    pcrpkey.write_bytes(cert.public_key().public_bytes(
+                        encoding=serialization.Encoding.PEM,
+                        format=serialization.PublicFormat.SubjectPublicKeyInfo))
+
+                    cmd_measure = [
+                        "systemd-measure",
+                        "sign",
+                        f"--linux={state.root / kimg}",
+                        f"--osrel={osrelease}",
+                        f"--cmdline={cmdline}",
+                        f"--initrd={initrd}",
+                        f"--pcrpkey={pcrpkey}",
+                        f"--private-key={state.config.secure_boot_key}",
+                        f"--public-key={pcrpkey}",
+                        "--bank=sha1",
+                        "--bank=sha256",
+                    ]
+
+                    c = run(cmd_measure, stdout=subprocess.PIPE)
+
+                    pcrsig = state.workspace / "pcrsig.json"
+                    pcrsig.write_bytes(c.stdout)
 
             cmd: List[PathString] = [
                 "objcopy",
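Review bot: `Measure=yes` without `SecureBoot=yes` is now a silent no-op, because the guard at the top of the hunk is `if state.config.secure_boot and state.config.measure:` and nothing reports the skipped measurement, so a user who asked for a PCR signature ships a UKI without one and only finds out when the TPM policy fails to unlock. Either fail loudly here, e.g. `elif state.config.measure: die("--measure requires --secure-boot, the PCR signature is made with the SecureBoot key.")`, or reject the combination where the config is validated. The comment above the guard (`If a SecureBoot key is configured, and we have the systemd-measure binary around`) is also stale now that a missing binary and a missing cryptography module both abort the build; suggest `# With --measure, sign the expected PCR 11 values with the SecureBoot key; the cryptography module and systemd-measure are mandatory in that case.` Note too that the same key pair signs the UKI for Secure Boot and the PCR policy (`--private-key={state.config.secure_boot_key}` with the public key pulled from the SecureBoot certificate), which deserves a sentence in the docs since the PCR signature is only as trustworthy as that key. install_unified_kernel begins before this hunk and continues after it.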
@@ -5208,6 +5207,11 @@ def create_parser() -> ArgumentParserMkosi:
         action=VerityAction,
         help="Add integrity partition, and optionally sign it (implies --read-only)",
     )
+    group.add_argument(
+        "--measure",
+        action=BooleanAction,
+        help="Measure the components of the unified kernel image (UKI) and embed the PCR signature into the UKI",
+    )
     group.add_argument(
         "--compress",
         type=parse_compression,
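Review bot: The help string for `--measure` does not say that the option only takes effect together with `--secure-boot` (the guard in install_unified_kernel requires both, and the signature is made with the SecureBoot key), so `mkosi --measure` on its own is accepted but produces no PCR signature. Suggest `help="Measure the UKI components with systemd-measure and embed the PCR signature into the UKI (requires --secure-boot, the cryptography module and systemd-measure)"`. create_parser begins before this hunk and continues after it.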
index ab1b504ad99d2e3954e9fe1be213dee28fd2e463..8ce6262a84b3a9c9ecbdcaaac0e4cb4182edffdb 100644 (file)
@@ -485,6 +485,7 @@ class MkosiConfig:
     read_only: bool
     encrypt: Optional[str]
     verity: Union[bool, str]
+    measure: bool
     compress: Union[None, str, bool]
     compress_fs: Union[None, str, bool]
     compress_output: Union[None, str, bool]
index 74ed847b7cc4aaca71cdd9b88e5562d84e77f919..3aa976ea387ee4aae094aec530301e4466719387 100644 (file)
@@ -128,6 +128,7 @@ class MkosiConfig:
             "bios_size": None,
             "verb": Verb.build,
             "verity": False,
+            "measure": False,
             "with_docs": False,
             "with_network": False,
             "with_tests": True,