From: Daan De Meyer Date: Sat, 6 May 2023 11:31:22 +0000 (+0200) Subject: Make key generation generic X-Git-Tag: v15~177^2~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c2b1aa94f7b0f511d1c730b66ce85c57d33dc9a;p=thirdparty%2Fmkosi.git Make key generation generic Let's put generated keys in mkosi.key and mkosi.crt, and remove the secure boot nomenclature from the key generation options. This allows us to reuse the keys for other signing operations as well.
---
diff --git a/.gitignore b/.gitignore
index 9824131b0..c6983c40e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,6 @@
 /mkosi.nspawn
 /mkosi.rootpw
 /mkosi.conf
-/mkosi.secure-boot.key
-/mkosi.secure-boot.crt
+/mkosi.key
+/mkosi.crt
 __pycache__
diff --git a/mkosi.md b/mkosi.md
index 919d1f399..520276ca6 100644
--- a/mkosi.md
+++ b/mkosi.md
@@ -990,16 +990,15 @@ Those settings cannot be configured in the configuration files.
 : Show brief usage information.
-`--secure-boot-common-name=`
+`--genkey-common-name=`
-: Common name to be used when generating SecureBoot keys via mkosi's `genkey`
- command. Defaults to `mkosi of %u`, where `%u` expands to the username of the
- user invoking mkosi.
+: Common name to be used when generating keys via mkosi's `genkey` command. Defaults to `mkosi of %u`, where
+ `%u` expands to the username of the user invoking mkosi.
-`--secure-boot-valid-days=`
+`--genkey-valid-days=`
-: Number of days that the keys should remain valid when generating SecureBoot
- keys via mkosi's `genkey` command. Defaults to two years (730 days).
+: Number of days that the keys should remain valid when generating keys via mkosi's `genkey` command.
+ Defaults to two years (730 days).
 `--auto-bump=`, `-B`
@@ -1169,11 +1168,8 @@ local directory:
 file does not exist and encryption is requested, the user is queried instead.
-* The **`mkosi.secure-boot.crt`** and **`mkosi.secure-boot.key`**
- files contain an X.509 certificate and PEM private key to use when
- UEFI SecureBoot support is enabled. All EFI binaries included in the
- image's ESP are signed with this key, as a late step in the build
- process.
+* The **`mkosi.crt`** and **`mkosi.key`** files contain an X.509 certificate and PEM private key to use when
+ signing is required (UEFI SecureBoot, verity, ...).
 * The **`mkosi.output/`** directory will be used for all build artifacts, if the image output path is not configured (i.e. no
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 2a8b640c2..032ca1054 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2122,24 +2122,23 @@ def run_serve(config: MkosiConfig) -> None:
 httpd.serve_forever()
-def generate_secure_boot_key(args: MkosiArgs) -> None:
- """Generate secure boot keys using openssl"""
+def generate_key_cert_pair(args: MkosiArgs) -> None:
+ """Generate a private key and accompanying X509 certificate using openssl"""
 keylength = 2048
- expiration_date = datetime.date.today() + datetime.timedelta(int(args.secure_boot_valid_days))
- cn = expand_specifier(args.secure_boot_common_name)
+ expiration_date = datetime.date.today() + datetime.timedelta(int(args.genkey_valid_days))
+ cn = expand_specifier(args.genkey_common_name)
- for f in ("mkosi.secure-boot.key", "mkosi.secure-boot.crt"):
+ for f in ("mkosi.key", "mkosi.crt"):
 if Path(f).exists() and not args.force:
 die(f"{f} already exists",
- hint=("To generate new secure boot keys, "
- "first remove mkosi.secure-boot.key and mkosi.secure-boot.crt"))
+ hint=("To generate new keys, first remove mkosi.key and mkosi.crt"))
- log_step(f"Generating secure boot keys rsa:{keylength} for CN {cn!r}.")
+ log_step(f"Generating keys rsa:{keylength} for CN {cn!r}.")
 logging.info(
 dedent(
 f"""
- The keys will expire in {args.secure_boot_valid_days} days ({expiration_date:%A %d. %B %Y}).
+ The keys will expire in {args.genkey_valid_days} days ({expiration_date:%A %d. %B %Y}).
 Remember to roll them over to new ones before then.
 """
 )
@@ -2150,9 +2149,9 @@ def generate_secure_boot_key(args: MkosiArgs) -> None:
 "-new",
 "-x509",
 "-newkey", f"rsa:{keylength}",
- "-keyout", "mkosi.secure-boot.key",
- "-out", "mkosi.secure-boot.crt",
- "-days", str(args.secure_boot_valid_days),
+ "-keyout", "mkosi.key",
+ "-out", "mkosi.crt",
+ "-days", str(args.genkey_valid_days),
 "-subj", f"/CN={cn}/",
 "-nodes",
 ]
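Review bot: The existence check on `mkosi.key`/`mkosi.crt` is the only protection the generated private key gets; the key is written with `-nodes` (second hunk) and OpenSSL does not restrict the mode of its `-keyout` file, so mkosi.key is created with whatever the umask allows, which matters more now that the commit makes this pair the shared default for other signing operations. After the openssl invocation that presumably follows the cmd list outside this hunk, consider `Path("mkosi.key").chmod(0o600)`. The docstring could also say where the pair is consumed, e.g. `"""Generate mkosi.key/mkosi.crt, the default private key and X.509 certificate picked up by the secure_boot_key/secure_boot_certificate settings."""`. The function body continues past the hunk.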
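Review bot: The `-subj` argument interpolates the expanded common name verbatim into `f"/CN={cn}/"`; openssl treats `/` inside `-subj` as the RDN separator (and `\` as its escape), so a `--genkey-common-name` template or a `%u` expansion containing `/` silently produces a different subject instead of being rejected. Escape before building the argument, e.g. `"-subj", "/CN=" + cn.replace("\\", r"\\").replace("/", r"\/") + "/",`. The list is consumed by code outside the hunk.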
@@ -2195,7 +2194,7 @@ def run_verb(args: MkosiArgs, presets: Sequence[MkosiConfig]) -> None:
 check_root()
 if args.verb == Verb.genkey:
- return generate_secure_boot_key(args)
+ return generate_key_cert_pair(args)
 if args.verb == Verb.bump:
 return bump_image_version()
diff --git a/mkosi/config.py b/mkosi/config.py
index 5fa4cb8af..a4549e7ff 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -536,8 +536,8 @@ class MkosiArgs:
 debug: bool
 debug_shell: bool
 pager: bool
- secure_boot_valid_days: str
- secure_boot_common_name: str
+ genkey_valid_days: str
+ genkey_common_name: str
 auto_bump: bool
 presets: list[str]
@@ -830,13 +830,13 @@ class MkosiConfigParser:
 dest="secure_boot_key",
 section="Output",
 parse=config_make_path_parser(required=False),
- paths=("mkosi.secure-boot.key",),
+ paths=("mkosi.key",),
 ),
 MkosiConfigSetting(
 dest="secure_boot_certificate",
 section="Output",
 parse=config_make_path_parser(required=False),
- paths=("mkosi.secure-boot.crt",),
+ paths=("mkosi.crt",),
 ),
 MkosiConfigSetting(
 dest="sign_expected_pcr",
@@ -1319,16 +1319,16 @@ class MkosiConfigParser:
 help="Enable paging for long output",
 )
 parser.add_argument(
- "--secure-boot-valid-days",
+ "--genkey-valid-days",
 metavar="DAYS",
- help="Number of days UEFI SecureBoot keys should be valid when generating keys",
+ help="Number of days keys should be valid when generating keys",
 action=action,
 default="730",
 )
 parser.add_argument(
- "--secure-boot-common-name",
+ "--genkey-common-name",
 metavar="CN",
- help="Template for the UEFI SecureBoot CN when generating keys",
+ help="Template for the CN when generating keys",
 action=action,
 default="mkosi of %u",
 )
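Review bot: `--genkey-valid-days` (last hunk of this file) is still accepted as a free-form string (`default="730"`, no `type=`), so a non-numeric value is only caught later as an uncaught ValueError from `int(args.genkey_valid_days)` in generate_key_cert_pair, and a zero or negative count is handed to openssl `-days` unchanged, which would presumably yield a certificate that is already expired or never valid. If the custom `action` and the settings machinery accept it, `type=int` here with `default=730` (and `genkey_valid_days: int` in the `MkosiArgs` hunk above) would reject bad input at parse time; otherwise add a positive-integer check with `die()` in generate_key_cert_pair. The enclosing parser setup starts and ends outside the hunk.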
@@ -2129,11 +2129,11 @@ def load_config(args: argparse.Namespace) -> MkosiConfig:
 if args.secure_boot and args.verb != Verb.genkey:
 if args.secure_boot_key is None:
 die("UEFI SecureBoot enabled, but couldn't find private key.",
- hint="Consider placing it in mkosi.secure-boot.key")
+ hint="Consider placing it in mkosi.key")
 if args.secure_boot_certificate is None:
 die("UEFI SecureBoot enabled, but couldn't find certificate.",
- hint="Consider placing it in mkosi.secure-boot.crt")
+ hint="Consider placing it in mkosi.crt")
 if args.sign_expected_pcr is True and not shutil.which("systemd-measure"):
 die("Couldn't find systemd-measure needed for the --sign-expected-pcr option.")