Fix signing with engine 3063/head
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 23 Sep 2024 14:24:30 +0000 (16:24 +0200)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 23 Sep 2024 14:57:23 +0000 (16:57 +0200)
We need to make sure /run/pcscd/pcscd.comm is available to make
signing work, so let's mount /run/pcscd into the sandbox, if it exists,
every time we're going to sign something.

mkosi/__init__.py
mkosi/bootloader.py

index 9f89dd50ce9355635d678ad0c97ace4c2be146af..ba5d31d2e4a5eedad33bd2305391ae5cf7ba2db0 100644 (file)
@@ -1497,6 +1497,7 @@ def build_uki(
             ]  # fmt: skip
             if context.config.secure_boot_key_source.type == KeySourceType.engine:
                 cmd += ["--signing-engine", context.config.secure_boot_key_source.source]
+                options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
             if context.config.secure_boot_key.exists():
                 options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
         else:
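Review bot: The literal `"--bind-try", "/run/pcscd", "/run/pcscd"` added on the new line is repeated verbatim in the other four hunks of this commit (the second build_uki hunk, make_image, sign_efi_binary and install_systemd_boot), and nothing in the code says why the sandbox needs it; the reason — engine-based signing talks to the pcscd daemon over `/run/pcscd/pcscd.comm` — lives only in the commit message. A small helper or a module-level constant in the sandbox-options code would keep the five sites from drifting, and a comment at this first site such as `# engine-based signing (smart-card/token backed) talks to pcscd over /run/pcscd/pcscd.comm; --bind-try tolerates its absence` would capture the rationale. The bind is writable rather than read-only, which is what connecting to a Unix socket requires, so the comment should say that too before someone later "tightens" it. build_uki starts and ends outside the hunk.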
@@ -1526,6 +1527,7 @@ def build_uki(
                 ]  # fmt: skip
                 options += [
                     "--ro-bind", context.config.secure_boot_certificate, context.config.secure_boot_certificate,  # noqa
+                    "--bind-try", "/run/pcscd", "/run/pcscd",
                 ]  # fmt: skip
 
     cmd += ["build", "--linux", kimg]
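Review bot: In this branch the pcscd bind is appended unconditionally next to the certificate `--ro-bind`, whereas every other site in the commit gates it on `secure_boot_key_source.type == KeySourceType.engine`; the condition that selects this `else` branch lies outside the hunk, so if it is not itself an engine check, file-key signing also gets the daemon socket mounted into the sandbox. If the branch is engine-only by construction, a one-line comment stating that would make the asymmetry deliberate; otherwise the three tokens belong under the same guard as the other sites, `if context.config.secure_boot_key_source.type == KeySourceType.engine: options += ["--bind-try", "/run/pcscd", "/run/pcscd"]`. build_uki starts and ends outside the hunk.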
@@ -2789,6 +2791,7 @@ def make_image(
     if context.config.verity_key:
         if context.config.verity_key_source.type != KeySourceType.file:
             cmdline += ["--private-key-source", str(context.config.verity_key_source)]
+            options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
         if context.config.verity_key.exists():
             cmdline += ["--private-key", workdir(context.config.verity_key)]
             options += ["--ro-bind", context.config.verity_key, workdir(context.config.verity_key)]
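Review bot: The guard this site inherits is `verity_key_source.type != KeySourceType.file`, while the secure-boot sites in this commit use the positive `== KeySourceType.engine`; if KeySourceType has members other than file and engine (not visible in the hunk), the socket directory is also mounted for those. Since the existing `--private-key-source` line presumably needs the negative form, the bind could be nested under an explicit engine check instead, `if context.config.verity_key_source.type == KeySourceType.engine: options += ["--bind-try", "/run/pcscd", "/run/pcscd"]`, keeping the exposure to the one case that needs it; if any non-file source genuinely needs pcscd, a short comment saying so is warranted. make_image starts and ends outside the hunk.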
index 47434f8bb6a1bd9747fa1bccb0dbebb331100300..56962650cf0a362ce7ffd7fa4fe77c6b5795eb67 100644 (file)
@@ -516,6 +516,7 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
         ]  # fmt: skip
         if context.config.secure_boot_key_source.type == KeySourceType.engine:
             cmd += ["--engine", context.config.secure_boot_key_source.source]
+            options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
         if context.config.secure_boot_key.exists():
             cmd += ["--key", workdir(context.config.secure_boot_key)]
             options += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
@@ -750,6 +751,7 @@ def install_systemd_boot(context: Context) -> None:
                     ]  # fmt: skip
                     if context.config.secure_boot_key_source.type == KeySourceType.engine:
                         cmd += ["--engine", context.config.secure_boot_key_source.source]
+                        options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
                     if context.config.secure_boot_key.exists():
                         cmd += ["--key", workdir(context.config.secure_boot_key)]
                         options += [