partitions: Sequence[Partition],
profiles: Sequence[Path],
cmdline: list[str],
-) -> None:
+) -> dict[str, Any]:
boot_binary = context.root / finalize_uki_path(
context, finalize_bootloader_entry_format(context, kver, token, partitions)
)
+ pcrs: dict[str, Any] = {}
+
# Make sure the parent directory where we'll be writing the UKI exists.
with umask(~0o700):
boot_binary.parent.mkdir(parents=True, exist_ok=True)
if context.config.bootable == ConfigFeature.enabled:
die(f"Couldn't find a signed UKI binary installed at /usr/lib/modules/{kver} in the image")
- return
+ return pcrs
else:
microcodes = finalize_microcode(context)
if context.config.kernel_modules_initrd:
initrds += [build_kernel_modules_initrd(context, kver)]
- build_uki(
+ pcrs = build_uki(
context,
systemd_stub_binary(context),
kver,
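Review bot: The new `dict[str, Any]` return of install_uki is undocumented, and the empty `pcrs` initialised at `pcrs: dict[str, Any] = {}` is what comes back both from the early `return pcrs` in the missing-signed-UKI branch and when `pcrs = build_uki(` yields nothing, so a caller cannot tell "no UKI was installed" from "UKI built but no PCR data produced". Add a docstring under the signature, e.g. `"""Install the UKI for kver and return the value produced by build_uki() (presumably the PCR signature data); an empty dict means no UKI was built here."""`. Stating the empty-dict meaning matters because the caller visible further down picks the first UKI's data by truthiness (`pcrs = pcrs or install_uki(...)`) and writes it out as the split pcrs artifact. install_uki's `def` line and the remainder of its body lie outside this hunk.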
f.write("fi\n")
+ return pcrs
+
def systemd_addon_stub_binary(context: Context) -> Path:
arch = context.config.architecture.to_efi()
token = find_entry_token(context)
cmdline = finalize_cmdline(context, partitions, finalize_roothash(partitions))
profiles = build_uki_profiles(context, cmdline) if want_uki(context) else []
+ # The first processed UKI is the one that will be used as split artifact, so take pcrs from
+ # it and ignore the rest
+ # TODO: we should probably support signing pcrs for all built UKIs
+ pcrs: dict[str, Any] = {}
for kver, kimg in gen_kernel_images(context):
if want_uki(context):
- install_uki(context, kver, kimg, token, partitions, profiles, cmdline)
+ pcrs = pcrs or install_uki(context, kver, kimg, token, partitions, profiles, cmdline)
if not want_uki(context) or want_grub_bios(context, partitions):
install_type1(context, kver, kimg, token, partitions, cmdline)
if context.config.bootloader.is_uki():
break
+ if ArtifactOutput.pcrs in context.config.split_artifacts and pcrs:
+ (context.staging / context.config.output_split_pcrs).write_text(json.dumps(pcrs))
+
def make_uki(
context: Context,