From: Daan De Meyer
Date: Sat, 6 May 2023 12:06:28 +0000 (+0200)
Subject: Introduce separate settings for configuring the verity key/certificate
X-Git-Tag: v15~177^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c9cd6619e8f2c21c298b507d2aa103646269e46;p=thirdparty%2Fmkosi.git

Introduce separate settings for configuring the verity key/certificate

These also default to mkosi.key and mkosi.crt but give the option to use different files if required.
---
diff --git a/mkosi.md b/mkosi.md
index a950ed7d3..dbb6ab692 100644
--- a/mkosi.md
+++ b/mkosi.md
@@ -884,6 +884,16 @@ a boolean argument: either "1", "yes", or "true" to enable, or "0",
 : Path to the X.509 file containing the certificate for the signed UEFI kernel image, if `SecureBoot=` is used.
+`VerityKey=`, `--verity-key=`
+
+: Path to the PEM file containing the secret key for signing the verity signature, if a verity signature
+ partition is added with systemd-repart.
+
+`VerityCertificate=`, `--verity-certificate=`
+
+: Path to the X.509 file containing the certificate for signing the verity signature, if a verity signature
+ partition is added with systemd-repart.
+
 `SignExpectedPCR=`, `--sign-expected-pcr`
 : Measure the components of the unified kernel image (UKI) using
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 36eb204cc..ebecd31da 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1287,8 +1287,10 @@ def print_summary(args: MkosiArgs, config: MkosiConfig) -> None:
 {bold("VALIDATION")}:
 UEFI SecureBoot: {yes_no(config.secure_boot)}
- SecureBoot Sign Key: {none_to_none(config.secure_boot_key)}
+ SecureBoot Signing Key: {none_to_none(config.secure_boot_key)}
 SecureBoot Certificate: {none_to_none(config.secure_boot_certificate)}
+ Verity Signing Key: {none_to_none(config.verity_key)}
+ Verity Certificate: {none_to_none(config.verity_certificate)}
 Checksum: {yes_no(config.checksum)}
 Sign: {yes_no(config.sign)}
 GPG Key: ({"default" if config.key is None else config.key})
@@ -1486,10 +1488,10 @@ def invoke_repart(state: MkosiState, skip: Sequence[str] = [], split: bool = Fal
 cmdline += ["--empty=create"]
 if state.config.passphrase:
 cmdline += ["--key-file", state.config.passphrase]
- if state.config.secure_boot_key:
- cmdline += ["--private-key", state.config.secure_boot_key]
- if state.config.secure_boot_certificate:
- cmdline += ["--certificate", state.config.secure_boot_certificate]
+ if state.config.verity_key:
+ cmdline += ["--private-key", state.config.verity_key]
+ if state.config.verity_certificate:
+ cmdline += ["--certificate", state.config.verity_certificate]
 if skip:
 cmdline += ["--defer-partitions", ",".join(skip)]
 if split and state.config.split_artifacts:
diff --git a/mkosi/config.py b/mkosi/config.py
index de2f0b55d..a62a794a0 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -576,6 +576,8 @@ class MkosiConfig:
 secure_boot: bool
 secure_boot_key: Optional[Path]
 secure_boot_certificate: Optional[Path]
+ verity_key: Optional[Path]
+ verity_certificate: Optional[Path]
 sign_expected_pcr: bool
 compress_output: Compression
 image_version: Optional[str]
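Review bot: In the invoke_repart hunk, `--private-key` and `--certificate` are still emitted under two independent `if` checks, so a configuration that sets `VerityKey=` without `VerityCertificate=` (or the reverse) is passed through to systemd-repart as-is. With the settings hunk in config.py giving both the same auto-discovered defaults as the Secure Boot files, the half-configured case also arises whenever only one of `mkosi.key`/`mkosi.crt` exists in the build directory. If repart requires both for a signed verity partition, the failure only surfaces inside repart; a finalization check that the two are set together, with an error naming both settings, would fail earlier and more clearly. Whether that check belongs in config loading rather than here is outside this hunk, and invoke_repart's body continues beyond it.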
@@ -1062,6 +1064,18 @@ class MkosiConfigParser:
 parse=config_make_path_parser(),
 paths=("mkosi.crt",),
 ),
+ MkosiConfigSetting(
+ dest="verity_key",
+ section="Validation",
+ parse=config_make_path_parser(),
+ paths=("mkosi.key",),
+ ),
+ MkosiConfigSetting(
+ dest="verity_certificate",
+ section="Validation",
+ parse=config_make_path_parser(),
+ paths=("mkosi.crt",),
+ ),
 MkosiConfigSetting(
 dest="sign_expected_pcr",
 section="Validation",
@@ -1740,6 +1754,18 @@ class MkosiConfigParser:
 help="UEFI SecureBoot certificate in X509 format",
 action=action,
 )
+ group.add_argument(
+ "--verity-key",
+ metavar="PATH",
+ help="Private key for signing verity signature in PEM format",
+ action=action,
+ )
+ group.add_argument(
+ "--verity-certificate",
+ metavar="PATH",
+ help="Certificate for signing verity signature in X509 format",
+ action=action,
+ )
 group.add_argument(
 "--sign-expected-pcr",
 metavar="FEATURE",
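Review bot: The `--verity-key` and `--verity-certificate` help strings in the second hunk do not say that, per the `paths=("mkosi.key",)` / `paths=("mkosi.crt",)` entries in the first hunk, the same files the Secure Boot settings pick up appear to be used automatically when present, so a user reading `--help` cannot tell that the verity signature is signed with the Secure Boot key unless they override it. Since the commit's stated purpose is to let the two key pairs differ, the help is the natural place to say so: `help="Private key for signing verity signature in PEM format (defaults to mkosi.key if present)"` and `help="Certificate for signing verity signature in X509 format (defaults to mkosi.crt if present)"`. The wording should also agree with mkosi.md, which calls the key a "secret key" while the help says "private key".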