From: Cornelius Hoffmann
Date: Wed, 13 Dec 2023 00:22:17 +0000 (+0100)
Subject: Add SecureBootAutoEnroll= option
X-Git-Tag: v20~72
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67e437012b6d8c6f7db54d22c917ffc3fa72bf62;p=thirdparty%2Fmkosi.git
Add SecureBootAutoEnroll= option
Closes https://github.com/systemd/mkosi/issues/2169
---
diff --git a/NEWS.md b/NEWS.md
index d9f487eee..f287e1f1b 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -48,6 +48,8 @@
 - A passwordless root account may now be created by specifying `hashed:`
 - On `arm64` we now add an autologin dropin for `ttyAMA0` if autologin is enabled.
+- Added `SecureBootAutoEnroll=` to control automatic enrollment of secureboot
+ keys separately from signing `systemd-boot` and generated UKIs.
 ## v19
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 46cfc6ce7..5f7f4d567 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -807,7 +807,7 @@ def install_systemd_boot(state: MkosiState) -> None:
 state.root / shim_second_stage_binary(state),
 )
- if state.config.secure_boot:
+ if state.config.secure_boot and state.config.secure_boot_auto_enroll:
 assert state.config.secure_boot_key
 assert state.config.secure_boot_certificate
diff --git a/mkosi/config.py b/mkosi/config.py
index cbbb07b3e..79323ba6e 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -969,6 +969,7 @@ class MkosiConfig:
 ssh: bool
 secure_boot: bool
+ secure_boot_auto_enroll: bool
 secure_boot_key: Optional[Path]
 secure_boot_certificate: Optional[Path]
 secure_boot_sign_tool: SecureBootSignTool
@@ -1874,6 +1875,14 @@ SETTINGS = (
 parse=config_parse_boolean,
 help="Sign the resulting kernel/initrd image for UEFI SecureBoot",
 ),
+ MkosiConfigSetting(
+ dest="secure_boot_auto_enroll",
+ metavar="BOOL",
+ section="Validation",
+ parse=config_parse_boolean,
+ default=True,
+ help="Automatically enroll the secureboot signing key on first boot",
+ ),
 MkosiConfigSetting(
 dest="secure_boot_key",
 metavar="PATH",
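Review bot: The new condition `if state.config.secure_boot and state.config.secure_boot_auto_enroll:` in install_systemd_boot has no comment saying why enrollment is nested under signing rather than being an independent switch, so a reader has to go to NEWS.md to learn that the option only opts out of the enrollment half. A one-line why-comment above it would do, e.g. `# Auto-enrollment is only set up when signing is on; SecureBootAutoEnroll= lets a signed image skip the enrollment part.` The two `assert state.config.secure_boot_key` / `assert state.config.secure_boot_certificate` lines beneath it are configuration checks that `python -O` strips; that is pre-existing, but this hunk narrows when they run, so an explicit exception would be the safer way to refuse a signing-enabled build without key material. install_systemd_boot begins and continues outside the hunk.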
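Review bot: The help string of the new setting, `help="Automatically enroll the secureboot signing key on first boot"`, names the private signing key as the thing being enrolled, which invites the reading that `SecureBootKey=` material is placed in the image; the project's own manual text in this commit speaks of "the secure boot keys" and the config carries a separate `secure_boot_certificate`, so the wording should follow that and not point at the private key. The help text also omits the dependency that mkosi.md states ("if `SecureBoot=` is used"), which matters because the option is `default=True` and silently does nothing otherwise. Suggest `help="Automatically enroll the SecureBoot keys on first boot (only has an effect together with SecureBoot=)"`.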
@@ -3089,6 +3098,7 @@ def summary(config: MkosiConfig) -> str:
 {bold("VALIDATION")}:
 UEFI SecureBoot: {yes_no(config.secure_boot)}
+ UEFI SecureBoot AutoEnroll: {yes_no(config.secure_boot_auto_enroll)}
 SecureBoot Signing Key: {none_to_none(config.secure_boot_key)}
 SecureBoot Certificate: {none_to_none(config.secure_boot_certificate)}
 SecureBoot Sign Tool: {config.secure_boot_sign_tool}
diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md
index e0018f489..b9dcdab75 100644
--- a/mkosi/resources/mkosi.md
+++ b/mkosi/resources/mkosi.md
@@ -1171,17 +1171,21 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
 `SecureBoot=`, `--secure-boot`
 : Sign systemd-boot (if it is not signed yet) and any generated
- unified kernel images for UEFI SecureBoot. Also set up automatic
- enrollment of the secure boot keys in virtual machines as documented
- in the systemd-boot
- [man page](https://www.freedesktop.org/software/systemd/man/systemd-boot.html).
+ unified kernel images for UEFI SecureBoot.
+
+`SecureBootAutoEnroll=`, `--secure-boot-auto-enroll=`
+
+: Set up automatic enrollment of the secure boot keys in virtual machines as
+ documented in the systemd-boot
+ [man page](https://www.freedesktop.org/software/systemd/man/systemd-boot.html)
+ if `SecureBoot=` is used.
 Note that systemd-boot will only do automatic secure boot key enrollment in virtual machines starting from systemd v253. To do auto enrollment on systemd v252 or on bare metal machines, write a systemd-boot configuration file to `/efi/loader/loader.conf` using an extra tree with `secure-boot-enroll force` or `secure-boot-enroll manual` in it. Auto enrollment is not supported on
- systemd versions older than v252.
+ systemd versions older than v252. Defaults to `yes`.
 `SecureBootKey=`, `--secure-boot-key=`
diff --git a/tests/test_json.py b/tests/test_json.py
index 8e30eb1a1..660d0a97d 100644
--- a/tests/test_json.py
+++ b/tests/test_json.py
@@ -247,6 +247,7 @@ def test_config() -> None:
 ],
 "SectorSize": null,
 "SecureBoot": true,
+ "SecureBootAutoEnroll": true,
 "SecureBootCertificate": null,
 "SecureBootKey": "/path/to/keyfile",
 "SecureBootSignTool": "pesign",
@@ -376,6 +377,7 @@ def test_config() -> None:
 runtime_trees = [ConfigTree(Path("/foo/bar"), Path("/baz")), ConfigTree(Path("/bar/baz"), Path("/qux"))],
 sector_size = None,
 secure_boot = True,
+ secure_boot_auto_enroll = True,
 secure_boot_certificate = None,
 secure_boot_key = Path("/path/to/keyfile"),
 secure_boot_sign_tool = SecureBootSignTool.pesign,
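Review bot: Both hunks add the new setting to the round-trip fixture with the value that is also its default (`"SecureBootAutoEnroll": true,` in the JSON and `secure_boot_auto_enroll = True,` in the expected config), so a parser that ignored the key and fell back to `default=True` would still pass this test. Using the non-default value, `"SecureBootAutoEnroll": false,` at the first hunk and `secure_boot_auto_enroll = False,` at the second (@@ -376), would make the test actually exercise the setting. test_config starts before the first hunk and the fixture is cut at both edges of each hunk.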