From: Emanuele Giuseppe Esposito
Date: Wed, 27 Sep 2023 08:28:45 +0000 (-0400)
Subject: ukify: override default option value with config file
X-Git-Tag: v255-rc1~118^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1277575408493eb67e04be6f3f8187d67933e7ff;p=thirdparty%2Fsystemd.git
ukify: override default option value with config file
If an option like SecureBootCertificateDir is given, it should override the default '/etc/pki/pesign'. Until now the config file option were always ignored if they had a default. So from now on, every ConfigItem with a config_key and default field should also give config_push = ConfigItem.config_set.
---
diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
index 7c25aace81d..b12c09d4bf9 100755
--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@@ -266,6 +266,7 @@ def test_parse_sections(): def test_config_priority(tmp_path): config = tmp_path / 'config1.conf' + # config: use pesign and give certdir + certname config.write_text(textwrap.dedent( f''' [UKI]
@@ -282,10 +283,8 @@ def test_config_priority(tmp_path): Stub = some/path4 PCRBanks = sha512,sha1 SigningEngine = engine1 - SignTool = pesign - SecureBootPrivateKey = some/path5 - SecureBootCertificate = some/path6 - SecureBootCertificateDir = some/path7 + SecureBootSigningTool = pesign + SecureBootCertificateDir = some/path5 SecureBootCertificateName = some/name1 SignKernel = no
@@ -295,6 +294,7 @@ def test_config_priority(tmp_path): Phases = {':'.join(ukify.KNOWN_PHASES)} ''')) + # args: use sbsign and give key + cert, should override pesign opts = ukify.parse_args( ['build', '--linux=/ARG1',
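Review bot: After the config change in the `@@ -282` hunk, the signing tool is the only Secure Boot option that test_config_priority still supplies from both the config file and the command line, so precedence is no longer checked for the key, certificate, certificate directory or certificate name. The config block drops `SecureBootPrivateKey` and `SecureBootCertificate`, and the `@@ -311` and `@@ -343` hunks drop `--secureboot-certificate-dir` and `--secureboot-certificate-name` from the arguments and mark those assertions as coming from the config. The case where both sources name a certificate directory is the one whose outcome depends on the new `ConfigItem.config_set`, and it decides which certificate database a pesign run signs from. I would add a separate test that passes `'--secureboot-certificate-dir=SBPATH'` alongside `SecureBootCertificateDir = some/path5` and asserts the intended winner, for example `assert opts.sb_certdir == 'SBPATH'` if the command line is meant to take priority. The test function starts before these hunks and continues after them.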
@@ -311,11 +311,9 @@ def test_config_priority(tmp_path): '--pcr-public-key=PKEY2', '--pcr-banks=SHA1,SHA256', '--signing-engine=ENGINE', - '--signtool=pesign', + '--signtool=sbsign', '--secureboot-private-key=SBKEY', '--secureboot-certificate=SBCERT', - '--secureboot-certificate-dir=SBPATH', - '--secureboot-certificate-name=SBNAME', '--sign-kernel', '--no-sign-kernel', '--tools=TOOLZ///',
@@ -345,11 +343,11 @@ def test_config_priority(tmp_path): pathlib.Path('some/path8')] assert opts.pcr_banks == ['SHA1', 'SHA256'] assert opts.signing_engine == 'ENGINE' - assert opts.signtool == 'pesign' - assert opts.sb_key == 'SBKEY' - assert opts.sb_cert == 'SBCERT' - assert opts.sb_certdir == 'SBPATH' - assert opts.sb_cert_name == 'SBNAME' + assert opts.signtool == 'sbsign' # from args + assert opts.sb_key == 'SBKEY' # from args + assert opts.sb_cert == 'SBCERT' # from args + assert opts.sb_certdir == 'some/path5' # from config + assert opts.sb_cert_name == 'some/name1' # from config assert opts.sign_kernel is False assert opts.tools == [pathlib.Path('TOOLZ/')] assert opts.output == pathlib.Path('OUTPUT')
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index 40550e8c541..1ed8aadccad 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -1036,6 +1036,19 @@ class ConfigItem: if getattr(namespace, dest) is None: setattr(namespace, dest, value) + @staticmethod + def config_set( + namespace: argparse.Namespace, + group: Optional[str], + dest: str, + value: Any, + ) -> None: + "Set namespace. to value only if it was None" + + assert not group + + setattr(namespace, dest, value) + @staticmethod def config_set_group( namespace: argparse.Namespace,
@@ -1300,6 +1313,7 @@ CONFIG_ITEMS = [ default = '/etc/pki/pesign', help = 'required by --signtool=pesign. Path to nss certificate database directory for PE signing. Default is /etc/pki/pesign', config_key = 'UKI/SecureBootCertificateDir', + config_push = ConfigItem.config_set ), ConfigItem( '--secureboot-certificate-name',
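Review bot: The docstring of the new `config_set` says the value is set "only if it was None", but the body runs `setattr(namespace, dest, value)` with no check, so the text describes the helper above it rather than this one; `"Set namespace attribute dest to value, replacing any earlier value"` would match the code. Because the write is unconditional, a namespace that already holds a value parsed from the command line would be overwritten by the config file; whether that happens depends on when config_push is called, which is outside this hunk. For `--secureboot-certificate-dir` that would mean a signing run reading a different certificate database than the one the operator passed explicitly. If command-line values are meant to win, the code needs a way to tell an argparse default from an explicit argument, for example by leaving the argparse default unset and filling in `/etc/pki/pesign` only after the config file has been merged.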
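Review bot: Nothing visible enforces the rule from the commit message, that every ConfigItem with both `default` and `config_key` must also pass `config_push = ConfigItem.config_set`; it is applied by hand here and in the `@@ -1314` hunk, so a later option with a default could again ignore its config key without any error. A small test that walks `ukify.CONFIG_ITEMS` and fails for an entry that has a default and a config key but still uses the fill-only-if-unset helper would keep this from regressing; the attribute names are assumed to match the keyword arguments shown. As a style point, the added line in both hunks lacks the trailing comma the surrounding keyword arguments carry: `config_push = ConfigItem.config_set,`. The CONFIG_ITEMS list starts before and ends after both hunks.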
@@ -1314,6 +1328,7 @@ CONFIG_ITEMS = [ default = 365 * 10, help = "period of validity (in days) for a certificate created by 'genkey'", config_key = 'UKI/SecureBootCertificateValidity', + config_push = ConfigItem.config_set ), ConfigItem(