From: Joerg Behrmann Date: Thu, 22 Sep 2022 08:37:05 +0000 (+0200) Subject: guard cryptography imports X-Git-Tag: v14~20^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79cd8109e01f25b39f612ef590f2c3e70b311676;p=thirdparty%2Fmkosi.git guard cryptography imports --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index b97b546ca..d7c64c941 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -3757,10 +3757,13 @@ def make_verity_sig( assert root_hash is not None - from cryptography import x509 - from cryptography.hazmat.primitives import hashes, serialization - from cryptography.hazmat.primitives.asymmetric import ec, rsa - from cryptography.hazmat.primitives.serialization import pkcs7 + try: + from cryptography import x509 + from cryptography.hazmat.primitives import hashes, serialization + from cryptography.hazmat.primitives.asymmetric import ec, rsa + from cryptography.hazmat.primitives.serialization import pkcs7 + except ImportError: + die("Verity support needs the cryptography module. Please install it.") with complete_step("Signing verity root hash…"): 
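Review bot: The `except ImportError:` handler added in make_verity_sig discards the original exception. A cryptography install that is present but cannot provide one of the four imports (for example a release without `serialization.pkcs7`) is therefore reported as if the module were absent. Binding the exception and including it in the message keeps the real cause visible: `except ImportError as e:` with `die(f"Verity support needs the cryptography module: {e}")`. Aborting is the right failure mode for a signing step. The function body starts and ends outside the hunk.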
@@ -3987,38 +3990,42 @@ def install_unified_kernel( # systemd-measure binary around, then also include a # signature of expected PCR 11 values in the kernel image if state.config.secure_boot: - if shutil.which('systemd-measure'): - with complete_step("Generating PCR 11 signature…"): - from cryptography import x509 - from cryptography.hazmat.primitives import serialization - - # Extract the public key from the SecureBoot certificate - cert = x509.load_pem_x509_certificate(state.config.secure_boot_certificate.read_bytes()) - pcrpkey = state.workspace / "pcrpkey.pem" - pcrpkey.write_bytes(cert.public_key().public_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PublicFormat.SubjectPublicKeyInfo)) - - cmd_measure: Sequence[PathString] = [ - "systemd-measure", - "sign", - f"--linux={state.root / kimg}", - f"--osrel={osrelease}", - f"--cmdline={cmdline}", - f"--initrd={initrd}", - f"--pcrpkey={pcrpkey}", - f"--private-key={state.config.secure_boot_key}", - f"--public-key={pcrpkey}", - "--bank=sha1", - "--bank=sha256", - ] - - c = run(cmd_measure, stdout=subprocess.PIPE) - - pcrsig = state.workspace / "pcrsig.json" - pcrsig.write_bytes(c.stdout) - else: - MkosiPrinter.info("Couldn't find systemd-measure binary, not embedding PCR signature in unified kernel image.") + try: + from cryptography import x509 + from cryptography.hazmat.primitives import serialization + + if shutil.which('systemd-measure'): + with complete_step("Generating PCR 11 signature…"): + + # Extract the public key from the SecureBoot certificate + cert = x509.load_pem_x509_certificate(state.config.secure_boot_certificate.read_bytes()) + pcrpkey = state.workspace / "pcrpkey.pem" + pcrpkey.write_bytes(cert.public_key().public_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PublicFormat.SubjectPublicKeyInfo)) + + cmd_measure = [ + "systemd-measure", + "sign", + f"--linux={state.root / kimg}", + f"--osrel={osrelease}", + f"--cmdline={cmdline}", + f"--initrd={initrd}", 
+ f"--pcrpkey={pcrpkey}", + f"--private-key={state.config.secure_boot_key}", + f"--public-key={pcrpkey}", + "--bank=sha1", + "--bank=sha256", + ] + + c = run(cmd_measure, stdout=subprocess.PIPE) + + pcrsig = state.workspace / "pcrsig.json" + pcrsig.write_bytes(c.stdout) + else: + MkosiPrinter.info("Couldn't find systemd-measure binary, not embedding PCR signature in unified kernel image.") + except ImportError: + MkosiPrinter.info("Couldn't import the cryptography Python module, not embedding PCR signature in unified kernel image.") cmd: List[PathString] = [ "objcopy",
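Review bot: The new `try:` in install_unified_kernel wraps the whole PCR signing step rather than just the two imports. An ImportError raised anywhere inside it, for instance while loading the certificate or serialising the public key, is reported as a missing module and the build continues without a PCR signature. Restricting the `try` to the imports and moving the rest into an `else:` branch stops the handler from masking unrelated failures. Separately, with secure_boot enabled the missing module produces only an info-level message, while make_verity_sig in the same commit aborts on the same condition; a warning or an abort would make the unsigned image harder to miss. The function body starts and ends outside the hunk.

```python
if state.config.secure_boot:
    try:
        from cryptography import x509
        from cryptography.hazmat.primitives import serialization
    except ImportError:
        MkosiPrinter.info("Couldn't import the cryptography Python module, not embedding PCR signature in unified kernel image.")
    else:
        if shutil.which('systemd-measure'):
            # … unchanged: extract public key, run systemd-measure sign, write pcrsig.json …
        else:
            # … unchanged: info message about the missing systemd-measure binary …
```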