Don't insist on pre-signed EFI binaries when ShimBootloader == signed

The whole point of shim is that you can use a presigned shim with
locally signed EFI binaries if the local key is enrolled in MOK, so
don't insist on presigned EFI binaries when a signed shim is requested.

Instead the new "signed" variants of the Bootloader= option can be used
to still force installation of presigned EFI binaries.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index afcca6d2845224e891fec451464f4726ed8a8832..181aed6ad31edebbc5cf64628aaa20bd1f7dfc50 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1858,7 +1858,6 @@ def install_type1(
         if (
             want_efi(context.config)
             and context.config.secure_boot
-            and context.config.shim_bootloader != ShimBootloader.signed
             and not context.config.bootloader.is_signed()
             and KernelType.identify(context.config, kimg) == KernelType.pe
         ):
@@ -1995,7 +1994,7 @@ def install_uki(
     with umask(~0o700):
         boot_binary.parent.mkdir(parents=True, exist_ok=True)
 
-    if context.config.shim_bootloader == ShimBootloader.signed or context.config.bootloader.is_signed():
+    if context.config.bootloader.is_signed():
         for p in (context.root / "usr/lib/modules" / kver).glob("*.efi"):
             log_step(f"Installing prebuilt UKI at {p} to {boot_binary}")
             shutil.copy2(p, boot_binary)

diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
index 1fffa05a911b193e1b0b43b6a47583efcac92c89..d5af3925f707024a13e02516604adee47a9b3671 100644 (file)
--- a/mkosi/bootloader.py
+++ b/mkosi/bootloader.py
@@ -74,7 +74,7 @@ def want_grub_efi(context: Context) -> bool:
     if not (arch := context.config.architecture.to_grub()):
         return False
 
-    if context.config.shim_bootloader != ShimBootloader.signed and not context.config.bootloader.is_signed():
+    if not context.config.bootloader.is_signed():
         have = find_grub_directory(context, target=f"{arch}-efi") is not None
         if not have and context.config.bootable == ConfigFeature.enabled:
             die("An EFI bootable image with grub was requested but grub for EFI is not installed")
@@ -322,7 +322,7 @@ def install_grub(context: Context) -> None:
         with umask(~0o700):
             output.parent.mkdir(parents=True, exist_ok=True)
 
-        if context.config.shim_bootloader == ShimBootloader.signed or context.config.bootloader.is_signed():
+        if context.config.bootloader.is_signed():
             if not (signed := find_signed_grub_image(context)):
                 if context.config.bootable == ConfigFeature.enabled:
                     die("Couldn't find a signed grub EFI binary installed in the image")
@@ -643,7 +643,7 @@ def install_systemd_boot(context: Context) -> None:
         return
 
     directory = context.root / "usr/lib/systemd/boot/efi"
-    signed = context.config.shim_bootloader == ShimBootloader.signed or context.config.bootloader.is_signed()
+    signed = context.config.bootloader.is_signed()
     if not directory.glob("*.efi.signed" if signed else "*.efi"):
         if context.config.bootable == ConfigFeature.enabled:
             die(