if config.secure_boot_key_source != config.sign_expected_pcr_key_source:
die("Secure boot key source and expected PCR signatures key source have to be the same")
+ if config.verity == ConfigFeature.enabled and not config.verity_key:
+ die(
+ "Verity= is enabled but no verity key is configured",
+ hint="Run mkosi genkey to generate a key/certificate pair",
+ )
+
+ if config.verity == ConfigFeature.enabled and not config.verity_certificate:
+ die(
+ "Verity= is enabled but no verity certificate is configured",
+ hint="Run mkosi genkey to generate a key/certificate pair",
+ )
+
for addon in config.pe_addons:
if not addon.output:
die(
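Review bot: The two new checks only cover `Verity=yes`; under the default `auto`, a configuration that sets `VerityKey=` but not `VerityCertificate=` (or the reverse) passes validation, and the `want_verity` helper added later in this change then quietly builds without verity signing, a downgrade the user gets no message about. Consider also rejecting the half-configured pair independently of the `Verity=` mode, e.g. `if bool(config.verity_key) != bool(config.verity_certificate): die("VerityKey= and VerityCertificate= must be configured together", hint="Run mkosi genkey to generate a key/certificate pair")`. The same observation applies to the `want_verity` hunk and is not repeated there. The enclosing validation function starts before this hunk.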
skip: Sequence[str] = [],
split: bool = False,
tabs: bool = False,
+ verity: bool = False,
root: Optional[Path] = None,
definitions: Sequence[Path] = [],
) -> list[Partition]:
if context.config.passphrase:
cmdline += ["--key-file", workdir(context.config.passphrase)]
options += ["--ro-bind", context.config.passphrase, workdir(context.config.passphrase)]
- if context.config.verity_key:
+ if verity:
+ assert context.config.verity_key
+ assert context.config.verity_certificate
+
if context.config.verity_key_source.type != KeySourceType.file:
cmdline += ["--private-key-source", str(context.config.verity_key_source)]
options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
options += ["--ro-bind", context.config.verity_key, workdir(context.config.verity_key)]
else:
cmdline += ["--private-key", context.config.verity_key]
- if context.config.verity_certificate:
+
cmdline += ["--certificate", workdir(context.config.verity_certificate)]
options += [
"--ro-bind", context.config.verity_certificate, workdir(context.config.verity_certificate),
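Review bot: The two `assert` statements guarding `verity_key` and `verity_certificate` are stripped under `python -O`, and `verity` is a public parameter of `make_image` that any caller may pass as True, in which case the `--private-key` and `--certificate` arguments below would be built from `None`. If the invariant is meant to hold for every caller, a `die(...)` with the same message as the config check is the safer guard; if it is purely internal, a comment such as `# callers derive verity from want_verity(), which requires both key and certificate` would record why an assert is enough. Separately, the `--ro-bind` of `verity_key` in the non-file key-source branch is unconditional here, whereas `make_extension_image` guards the same bind with `.exists()`; it is not clear from this hunk whether that difference is intentional. `make_image` continues outside the hunk.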
partitions = [Partition.from_dict(d) for d in output]
+ if context.config.verity == ConfigFeature.enabled and not any(
+ p.type.startswith("usr-verity-sig") or p.type.startswith("root-verity-sig") for p in partitions
+ ):
+ die(
+ "Verity is explicitly enabled but didn't find any verity signature partition",
+ hint="Make sure to add verity signature partitions in mkosi.repart if building a disk image",
+ )
+
if split:
for p in partitions:
if p.split_path:
return partitions
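Review bot: The partition-type test can use the tuple form of `startswith` instead of two calls joined by `or`, which also makes the accepted prefixes easy to extend: `p.type.startswith(("usr-verity-sig", "root-verity-sig")) for p in partitions`. The check is keyed on `context.config.verity` rather than the new `verity` parameter, so a caller passing `verity=True` under `Verity=auto` gets no signature-partition check; that matches the documented `auto` semantics but deserves a one-line comment, e.g. `# only an explicit Verity=yes requires a signature partition; auto just signs one if present`. As far as this hunk shows, the check confirms only that a signature partition exists, not that it was produced with the configured key. The enclosing function continues outside the hunk.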
+def want_verity(config: Config) -> bool:
+ return config.verity == ConfigFeature.enabled or bool(
+ config.verity == ConfigFeature.auto and config.verity_key and config.verity_certificate
+ )
+
+
def make_disk(
context: Context,
msg: str,
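Review bot: `want_verity` wraps the `auto` branch in `bool(...)` to coerce the trailing `Path` operands; comparing the optional paths explicitly reads more clearly and does not depend on `Path` truthiness: `return config.verity == ConfigFeature.enabled or (config.verity == ConfigFeature.auto and config.verity_key is not None and config.verity_certificate is not None)`. A docstring stating the contract would help callers, e.g. `"""Return True when verity partitions should be signed: always for Verity=yes, and for Verity=auto only when both key and certificate are configured."""`. The `make_disk` definition that follows continues outside the hunk.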
definitions = [defaults]
return make_image(
- context, msg=msg, skip=skip, split=split, tabs=tabs, root=context.root, definitions=definitions
+ context,
+ msg=msg,
+ skip=skip,
+ split=split,
+ tabs=tabs,
+ verity=want_verity(context.config),
+ root=context.root,
+ definitions=definitions,
)
def make_extension_image(context: Context, output: Path) -> None:
- r = context.resources / f"repart/definitions/{context.config.output_format}.repart.d"
+ unsigned = "-unsigned" if not want_verity(context.config) else ""
+ r = context.resources / f"repart/definitions/{context.config.output_format}{unsigned}.repart.d"
cmdline: list[PathString] = [
"systemd-repart",
if context.config.passphrase:
cmdline += ["--key-file", context.config.passphrase]
options += ["--ro-bind", context.config.passphrase, workdir(context.config.passphrase)]
- if context.config.verity_key:
+ if want_verity(context.config):
+ assert context.config.verity_key
+ assert context.config.verity_certificate
+
if context.config.verity_key_source.type != KeySourceType.file:
cmdline += ["--private-key-source", str(context.config.verity_key_source)]
if context.config.verity_key.exists():
options += ["--ro-bind", context.config.verity_key, workdir(context.config.verity_key)]
else:
cmdline += ["--private-key", context.config.verity_key]
- if context.config.verity_certificate:
+
cmdline += ["--certificate", workdir(context.config.verity_certificate)]
options += [
"--ro-bind", context.config.verity_certificate, workdir(context.config.verity_certificate)
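Review bot: `want_verity(context.config)` is evaluated twice in `make_extension_image`, once in the preceding hunk to choose the definitions directory and again here to decide whether to pass the key; binding it once keeps the two decisions from drifting apart: `signed = want_verity(context.config)`, then `unsigned = "" if signed else "-unsigned"` and `if signed:`. The conditional expression in the preceding hunk is also written with a negated test, which the positive form above reads more directly. The function continues outside the hunk.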
secure_boot_key_source: KeySource
secure_boot_certificate: Optional[Path]
secure_boot_sign_tool: SecureBootSignTool
+ verity: ConfigFeature
verity_key: Optional[Path]
verity_key_source: KeySource
verity_certificate: Optional[Path]
choices=SecureBootSignTool.choices(),
help="Tool to use for signing PE binaries for secure boot",
),
+ ConfigSetting(
+ dest="verity",
+ section="Validation",
+ metavar="FEATURE",
+ parse=config_parse_feature,
+ help="Configure whether to enforce or disable verity partitions for disk images",
+ ),
ConfigSetting(
dest="verity_key",
metavar="KEY",
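Review bot: The help text for the new `verity` setting says it governs verity partitions "for disk images", while the manual text added in this change describes the option as affecting extension images and states that disabling is not yet implemented for the `disk` output; the two descriptions should agree. From the other hunks, enforcement (the signature-partition check) applies to disk images and disabling only to extension images, so a mode-neutral wording such as `help="Whether to enforce, disable or auto-detect signed verity partitions"` avoids promising more than the implementation delivers.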
SecureBoot Signing Key Source: {config.secure_boot_key_source}
SecureBoot Certificate: {none_to_none(config.secure_boot_certificate)}
SecureBoot Sign Tool: {config.secure_boot_sign_tool}
+ Verity: {config.verity}
Verity Signing Key: {none_to_none(config.verity_key)}
Verity Signing Key Source: {config.verity_key_source}
Verity Certificate: {none_to_none(config.verity_certificate)}
If set to `auto`, either sbsign or pesign are used if available, with sbsign being preferred if both are
installed.
+`Verity=`, `--verity=`
+: Whether to enforce or disable signed verity for extension images.
+ Takes a boolean value or `auto`. If enabled, a verity key and
+ certificate must be present and the build will fail if we don't
+ detect any verity partitions in the disk image produced by
+ systemd-repart. If disabled, verity partitions will be excluded from
+ disk images produced by systemd-repart even if the partition
+ definitions contain verity partitions. If set to `auto`, the verity
+ key and certificate will be passed to systemd-repart if available,
+ but the build won't fail if no verity partitions are found in the
+ disk image produced by systemd-repart.
+
+ Note that explicitly disabling signed verity is not yet implemented
+ for the `disk` output and only works for extension images at the
+ moment.
+
`VerityKey=`, `--verity-key=`
: Path to the PEM file containing the secret key for signing the verity signature, if a verity signature
partition is added with systemd-repart. When `VerityKeySource=` is specified, the input type depends on