options += [
"--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501
] # fmt: skip
- if context.config.secure_boot_key_source.type == KeySourceType.engine:
+ if context.config.secure_boot_key_source.type != KeySourceType.file:
cmd += ["--private-key-source", str(context.config.secure_boot_key_source)]
options += ["--bind", "/run", "/run"]
if context.config.secure_boot_key.exists():
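Review bot: relaxing the condition from `== KeySourceType.engine` to `!= KeySourceType.file` makes this branch forward `provider:` sources via `--private-key-source` for the secure boot key as well, but the documentation added in the same patch states that providers are currently only supported for the verity key. Either keep this check narrow (for example `== KeySourceType.engine`, or reject `provider` explicitly for the secure boot key) until the signing path here actually handles providers, or drop that restriction from the docs so the code and the documentation agree.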
`SignExpectedPcr=` is also used. When `SecureBootKeySource=` is specified,
the input type depends on the source.
-`SecureBootKeySource=`, `--secure-boot-key-source=`
-: Source of `SecureBootKey=`, to support OpenSSL engines. E.g.:
- `--secure-boot-key-source=engine:pkcs11`
-
`SecureBootCertificate=`, `--secure-boot-certificate=`
: Path to the X.509 file containing the certificate for the signed
UEFI kernel image, if `SecureBoot=` is used.
partition is added with systemd-repart. When `VerityKeySource=` is specified, the input type depends on
the source.
-`VerityKeySource=`, `--verity-key-source=`
-: Source of `VerityKey=`, to support OpenSSL engines. E.g.:
- `--verity-key-source=engine:pkcs11`
-
`VerityCertificate=`, `--verity-certificate=`
: Path to the X.509 file containing the certificate for signing the verity signature, if a verity signature
partition is added with systemd-repart.
When `SignExpectedPcrKeySource=` is specified, the input type depends on
the source.
-`SignExpectedPcrKeySource=`, `--sign-expected-key-source=`
-: Source of `VerityKey=`, to support OpenSSL engines. E.g.:
- `--verity-key-source=engine:pkcs11`
-
`SignExpectedPcrCertificate=`, `--sign-expected-pcr-certificate=`
: Path to the X.509 file containing the certificate for signing the expected PCR signatures.
+`SecureBootKeySource=`, `--secure-boot-key-source=`, `VerityKeySource=`, `--verity-key-source=`, `SignExpectedPcrKeySource=`, `--sign-expected-key-source=`
+: The source of the corresponding private key `SecureBootKey=`, to support OpenSSL engines and providers,
+ e.g. `--secure-boot-key-source=engine:pkcs11` or `--secure-boot-key-source=provider:pkcs11`. Note that
+ providers are currently only supported for the verity key.
+
`Passphrase=`, `--passphrase`
: Specify the path to a file containing the passphrase to use for LUKS
encryption. It should contain the passphrase literally, and not end in
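Review bot: the merged entry describes all three options as "The source of the corresponding private key `SecureBootKey=`", which is wrong for two of them; it should name the key option each one belongs to (`SecureBootKey=`, `VerityKey=` and the expected-PCR key option respectively). The removed `SignExpectedPcrKeySource=` text had the same copy-paste problem (it pointed at `VerityKey=` and `--verity-key-source=`), so the merge is the right moment to fix it rather than carry it over. Two smaller points: the CLI name `--sign-expected-key-source=` is taken from the old entry but does not follow the `--sign-expected-pcr-certificate=` pattern used right next to it, so please confirm it against the argument parser; and the sentence "providers are currently only supported for the verity key" contradicts the code hunk in this patch that now forwards every non-file source for the secure boot key. Finally, consider placing the merged entry next to `SecureBootKey=`, since "When `SecureBootKeySource=` is specified, the input type depends on the source" now refers to an option that is only defined several entries later.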