From: Daan De Meyer
Date: Tue, 9 May 2023 15:01:28 +0000 (+0200)
Subject: Fix --sign-expected-pcr
X-Git-Tag: v15~172
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e0b20f62d7ea3f64f56c309f5da1bca3728c87e;p=thirdparty%2Fmkosi.git

Fix --sign-expected-pcr

Fall out from the introduction of ConfigFeature
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index e0089a5aa..7c6b4b4d6 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -846,7 +846,11 @@ def install_unified_kernel(state: MkosiState, roothash: Optional[str]) -> None:
 "--secureboot-certificate", state.config.secure_boot_certificate,
 ]
 
- if state.config.sign_expected_pcr:
+ sign_expected_pcr = (state.config.sign_expected_pcr == ConfigFeature.enabled or
+ (state.config.sign_expected_pcr == ConfigFeature.auto and
+ shutil.which("systemd-measure") is not None))
+
+ if sign_expected_pcr:
 cmd += [
 "--pcr-private-key", state.config.secure_boot_key,
 "--pcr-banks", "sha1,sha256",
diff --git a/mkosi/config.py b/mkosi/config.py
index ebd4871ce..d3531a1a9 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -579,7 +579,7 @@ class MkosiConfig:
 secure_boot_certificate: Optional[Path]
 verity_key: Optional[Path]
 verity_certificate: Optional[Path]
- sign_expected_pcr: bool
+ sign_expected_pcr: ConfigFeature
 compress_output: Compression
 image_version: Optional[str]
 image_id: Optional[str]
@@ -2201,12 +2201,6 @@ def load_config(args: argparse.Namespace) -> MkosiConfig:
 die("UEFI SecureBoot enabled, but couldn't find certificate.",
 hint="Consider placing it in mkosi.crt")
 
- if args.sign_expected_pcr is True and not shutil.which("systemd-measure"):
- die("Couldn't find systemd-measure needed for the --sign-expected-pcr option.")
-
- if args.sign_expected_pcr is None:
- args.sign_expected_pcr = bool(shutil.which("systemd-measure"))
-
 if args.repo_dirs and not (
 is_dnf_distribution(args.distribution)
 or is_apt_distribution(args.distribution)
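Review bot: In the `auto` branch of the new `sign_expected_pcr` expression, whether the image carries a signed PCR policy is decided silently by whether `systemd-measure` happens to be on the build host's PATH, so the same configuration can produce images with different TPM-binding properties and nothing in the build output says which one was built. A log line when `auto` resolves to off would make that visible, and a comment above the expression such as `# auto: sign expected PCRs only when systemd-measure is installed; otherwise the unified kernel image is built without a signed PCR policy` would document it. The same `shutil.which("systemd-measure")` lookup is repeated in the last `load_config` hunk of mkosi/config.py; resolving the feature once and reusing the result would keep validation and build from disagreeing. `install_unified_kernel` starts and ends outside this hunk.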
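Review bot: The `sign_expected_pcr` field is now tri-state, and if `ConfigFeature` is a plain `Enum` (its definition is not shown) every member, including the one meaning off, is truthy, which is presumably the failure the mkosi/__init__.py hunk repairs. Any other `if config.sign_expected_pcr:` test left in the tree would turn PCR signing on regardless of the setting, so it is worth grepping for remaining truth tests of this field. A short comment on the field, e.g. `# tri-state; compare against ConfigFeature members, never truth-test`, would keep that from recurring. The `MkosiConfig` class body continues outside the hunk.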
@@ -2239,5 +2233,8 @@ def load_config(args: argparse.Namespace) -> MkosiConfig: if (args.build_script is not None or args.base_trees) and GenericVersion(platform.release()) < GenericVersion("5.11") and os.geteuid() != 0: die("This unprivileged build configuration requires at least Linux v5.11") + if args.sign_expected_pcr == ConfigFeature.enabled and not shutil.which("systemd-measure"): + die("Couldn't find systemd-measure needed for the --sign-expected-pcr option.") + return MkosiConfig.from_namespace(args)
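Review bot: The new guard before `return MkosiConfig.from_namespace(args)` validates only that the tool exists, not the key the signing step will use: the mkosi/__init__.py hunk passes `state.config.secure_boot_key` as `--pcr-private-key`, and nothing visible here rejects `ConfigFeature.enabled` when that key is unset. If no earlier check in `load_config` already covers it, a companion guard such as `if args.sign_expected_pcr == ConfigFeature.enabled and args.secure_boot_key is None: die(...)` (assuming the namespace attribute mirrors the config field name) would fail at configuration time rather than during the build. `load_config` starts outside this hunk.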