From: Daan De Meyer
Date: Mon, 23 Dec 2024 09:19:56 +0000 (+0100)
Subject: Drop support for pesign secure boot signtool
X-Git-Tag: v25~94
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e406bb2146b13fa161821f70990a5ef45ff34b0;p=thirdparty%2Fmkosi.git

Drop support for pesign secure boot signtool

sbsigntools is packaged in EPEL now and in the future we're looking to standardize solely on systemd-sbsign so let's already drop support for pesign which was only really useful on CentOS Stream because it didn't have sbsigntools which it does have now.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index e91000190..da8a4fa29 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -28,7 +28,6 @@ from typing import Optional, Union, cast
 
 from mkosi.archive import can_extract_tar, extract_tar, make_cpio, make_tar
 from mkosi.bootloader import (
-    certificate_common_name,
     efi_boot_binary,
     extract_pe_section,
     gen_kernel_images,
@@ -36,7 +35,6 @@ from mkosi.bootloader import (
     install_grub,
     install_shim,
     install_systemd_boot,
-    pesign_prepare,
     prepare_grub_config,
     python_binary,
     run_systemd_sign_tool,
@@ -1506,51 +1504,42 @@ def run_ukify( assert context.config.secure_boot_key assert context.config.secure_boot_certificate - if context.config.secure_boot_sign_tool != SecureBootSignTool.pesign: - cmd += [ - "--signtool", ( - "sbsign" - if context.config.secure_boot_sign_tool == SecureBootSignTool.sbsign - or not context.config.find_binary("systemd-sbsign", "/usr/lib/systemd/systemd-sbsign") - else "systemd-sbsign" - ), - ] # fmt: skip + cmd += [ + "--signtool", ( + "sbsign" + if context.config.secure_boot_sign_tool == SecureBootSignTool.sbsign + or not context.config.find_binary("systemd-sbsign", "/usr/lib/systemd/systemd-sbsign") + else "systemd-sbsign" + ), + ] # fmt: skip - if ( - context.config.secure_boot_key_source.type != KeySourceType.file - or context.config.secure_boot_certificate_source.type != CertificateSourceType.file - ): - opt += ["--bind", "/run", "/run"] + if ( + context.config.secure_boot_key_source.type != KeySourceType.file + or context.config.secure_boot_certificate_source.type != CertificateSourceType.file + ): + opt += ["--bind", "/run", "/run"] - if context.config.secure_boot_key_source.type == KeySourceType.engine: - cmd += ["--signing-engine", context.config.secure_boot_key_source.source] - elif context.config.secure_boot_key_source.type == KeySourceType.provider: - cmd += ["--signing-provider", context.config.secure_boot_key_source.source] + if context.config.secure_boot_key_source.type == KeySourceType.engine: + cmd += ["--signing-engine", context.config.secure_boot_key_source.source] + elif context.config.secure_boot_key_source.type == KeySourceType.provider: + cmd += ["--signing-provider", context.config.secure_boot_key_source.source] - if context.config.secure_boot_key.exists(): - cmd += ["--secureboot-private-key", workdir(context.config.secure_boot_key)] - opt += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)] - else: - cmd += ["--secureboot-private-key", context.config.secure_boot_key] + if 
context.config.secure_boot_key.exists(): + cmd += ["--secureboot-private-key", workdir(context.config.secure_boot_key)] + opt += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)] + else: + cmd += ["--secureboot-private-key", context.config.secure_boot_key] - if context.config.secure_boot_certificate_source.type == CertificateSourceType.provider: - cmd += ["--certificate-provider", context.config.secure_boot_certificate_source.source] + if context.config.secure_boot_certificate_source.type == CertificateSourceType.provider: + cmd += ["--certificate-provider", context.config.secure_boot_certificate_source.source] - if context.config.secure_boot_certificate.exists(): - cmd += ["--secureboot-certificate", workdir(context.config.secure_boot_certificate)] - opt += [ - "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501 - ] # fmt: skip - else: - cmd += ["--secureboot-certificate", context.config.secure_boot_certificate] - else: - pesign_prepare(context) - cmd += [ - "--signtool", "pesign", - "--secureboot-certificate-dir", workdir(context.workspace / "pesign"), - "--secureboot-certificate-name", certificate_common_name(context, context.config.secure_boot_certificate), # noqa: E501 + if context.config.secure_boot_certificate.exists(): + cmd += ["--secureboot-certificate", workdir(context.config.secure_boot_certificate)] + opt += [ + "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501 ] # fmt: skip - opt += ["--ro-bind", context.workspace / "pesign", workdir(context.workspace / "pesign")] + else: + cmd += ["--secureboot-certificate", context.config.secure_boot_certificate] run( cmd, diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py index 163837ca1..c6a53252b 100644 --- a/mkosi/bootloader.py +++ b/mkosi/bootloader.py 
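Review bot: In the now-unconditional `--signtool` selection, an explicit `SecureBootSignTool=systemd-sbsign` is silently downgraded to `sbsign` whenever `find_binary("systemd-sbsign", ...)` comes back empty, because the expression only tests for the `sbsign` enum value before taking the fallback; the operator's choice of signing tool is overridden without any message. The engine/provider key and certificate sources appended a few lines later are then handed to whichever tool ukify ends up running, so a build may be signed by a tool that was never asked for. A guard before the append, e.g. `if context.config.secure_boot_sign_tool == SecureBootSignTool.systemd_sbsign and not context.config.find_binary("systemd-sbsign", "/usr/lib/systemd/systemd-sbsign"): die("systemd-sbsign is required when SecureBootSignTool=systemd-sbsign")`, would match the explicit `die()` that `sign_efi_binary` raises when no usable tool is present. The selection logic itself predates this commit and was only dedented here; `run_ukify` starts and ends outside the hunk.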
@@ -408,33 +408,6 @@ def shim_second_stage_binary(context: Context) -> Path: return Path(f"efi/EFI/BOOT/grub{arch}.EFI") -def certificate_common_name(context: Context, certificate: Path) -> str: - output = run( - [ - "openssl", - "x509", - "-noout", - "-subject", - "-nameopt", "multiline", - "-in", workdir(certificate), - ], - stdout=subprocess.PIPE, - sandbox=context.sandbox(options=["--ro-bind", certificate, workdir(certificate)]), - ).stdout # fmt: skip - - for line in output.splitlines(): - if not line.strip().startswith("commonName"): - continue - - _, sep, value = line.partition("=") - if not sep: - die("Missing '=' delimiter in openssl output") - - return value.strip() - - die(f"Certificate {certificate} is missing Common Name") - - def run_systemd_sign_tool( config: Config, *, 
@@ -499,60 +472,6 @@ def run_systemd_sign_tool( ) -def pesign_prepare(context: Context) -> None: - assert context.config.secure_boot_key - assert context.config.secure_boot_certificate - - if (context.workspace / "pesign").exists(): - return - - (context.workspace / "pesign").mkdir() - - # pesign takes a certificate directory and a certificate common name as input arguments, so we have - # to transform our input key and cert into that format. Adapted from - # https://www.mankier.com/1/pesign#Examples-Signing_with_the_certificate_and_private_key_in_individual_files - with open(context.workspace / "secure-boot.p12", "wb") as f: - run( - [ - "openssl", - "pkcs12", - "-export", - # Arcane incantation to create a pkcs12 certificate without a password. - "-keypbe", "NONE", - "-certpbe", "NONE", - "-nomaciter", - "-passout", "pass:", - "-inkey", workdir(context.config.secure_boot_key), - "-in", workdir(context.config.secure_boot_certificate), - ], - stdout=f, - sandbox=context.sandbox( - options=[ - "--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key), - "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501 - ], - ), - ) # fmt: skip - - (context.workspace / "pesign").mkdir(exist_ok=True) - - run( - [ - "pk12util", - "-K", "", - "-W", "", - "-i", workdir(context.workspace / "secure-boot.p12"), - "-d", workdir(context.workspace / "pesign"), - ], - sandbox=context.sandbox( - options=[ - "--ro-bind", context.workspace / "secure-boot.p12", workdir(context.workspace / "secure-boot.p12"), # noqa: E501 - "--ro-bind", context.workspace / "pesign", workdir(context.workspace / "pesign"), - ], - ), - ) # fmt: skip - - def sign_efi_binary(context: Context, input: Path, output: Path) -> Path: assert context.config.secure_boot_key assert context.config.secure_boot_certificate 
@@ -618,41 +537,8 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path: devices=context.config.secure_boot_key_source.type != KeySourceType.file, ), ) - elif ( - context.config.secure_boot_sign_tool == SecureBootSignTool.pesign - or context.config.secure_boot_sign_tool == SecureBootSignTool.auto - and context.config.find_binary("pesign") is not None - ): - if context.config.secure_boot_certificate_source.type != CertificateSourceType.file: - die("Secure boot certificate source must be 'file' when using pesign as the signing tool") - - pesign_prepare(context) - run( - [ - "pesign", - "--certdir", workdir(context.workspace / "pesign"), - "--certificate", certificate_common_name(context, context.config.secure_boot_certificate), - "--sign", - "--force", - "--in", workdir(input), - "--out", workdir(output), - ], - stdin=( - sys.stdin - if context.config.secure_boot_key_source.type != KeySourceType.file - else subprocess.DEVNULL - ), - env=context.config.environment, - sandbox=context.sandbox( - options=[ - "--ro-bind", context.workspace / "pesign", workdir(context.workspace / "pesign"), - "--ro-bind", input, workdir(input), - "--bind", output.parent, workdir(output), - ] - ), - ) # fmt: skip else: - die("One of sbsign or pesign is required to use SecureBoot=") + die("One of systemd-sbsign or sbsign is required to use SecureBoot=") return output diff --git a/mkosi/config.py b/mkosi/config.py index 5fa2507c1..782f79205 100644 --- a/mkosi/config.py +++ b/mkosi/config.py @@ -173,7 +173,6 @@ class QemuVsockCID(enum.IntEnum): class SecureBootSignTool(StrEnum): auto = enum.auto() sbsign = enum.auto() - pesign = enum.auto() systemd_sbsign = enum.auto() diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md index 79f199f7b..c896fa5a2 100644 --- a/mkosi/resources/man/mkosi.1.md +++ b/mkosi/resources/man/mkosi.1.md 
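Review bot: Dropping `pesign` from the `SecureBootSignTool` StrEnum turns `SecureBootSignTool=pesign` in existing mkosi.conf files (a value the man page documented until this commit) into a generic invalid-enum parse failure rather than a message that explains the removal, and the hunk offers no migration path. Unless the config parser already maps unknown values to a hint (not visible here), consider keeping the name as an explicit rejection for one release, e.g. where this setting is parsed: `if value == "pesign": die("SecureBootSignTool=pesign is no longer supported, use systemd-sbsign or sbsign")`. A NEWS or changelog entry noting the removal would help too, if the project keeps one; none is touched in this diff.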
@@ -1138,8 +1138,8 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, UEFI kernel image, if `SecureBoot=` is used. `SecureBootSignTool=`, `--secure-boot-sign-tool` -: Tool to use to sign secure boot PE binaries. Takes one of `systemd-sbsign`, `sbsign`, `pesign` or `auto`. - Defaults to `auto`. If set to `auto`, either `systemd-sbsign`, `sbsign` or `pesign` are used if +: Tool to use to sign secure boot PE binaries. Takes one of `systemd-sbsign`, `sbsign` or `auto`. + Defaults to `auto`. If set to `auto`, either `systemd-sbsign` or `sbsign` are used if available, with `systemd-sbsign` being preferred. `Verity=`, `--verity=` @@ -1288,7 +1288,6 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, | `pkcs11-provider` | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | | `sed` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | `pacman` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | - | `pesign` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | `policycoreutils` | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | `qemu` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | `sbsigntools` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | diff --git a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-arch.conf b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-arch.conf index 216ab78df..7d3555c84 100644 --- a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-arch.conf +++ b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-arch.conf @@ -21,7 +21,6 @@ Packages= libseccomp openssh pacman - pesign pipewire pipewire-audio pkcs11-provider diff --git a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-azure-centos-fedora/mkosi.conf.d/10-uefi.conf b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-azure-centos-fedora/mkosi.conf.d/10-uefi.conf index bac4324ca..dc50f8d0b 100644 --- a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-azure-centos-fedora/mkosi.conf.d/10-uefi.conf +++ b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-azure-centos-fedora/mkosi.conf.d/10-uefi.conf @@ -7,4 +7,3 @@ HostArchitecture=|arm64 [Content] Packages= edk2-ovmf - pesign 
diff --git a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-kali-ubuntu/mkosi.conf b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-kali-ubuntu/mkosi.conf index a02a4e954..d9acff430 100644 --- a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-kali-ubuntu/mkosi.conf +++ b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-kali-ubuntu/mkosi.conf @@ -31,7 +31,6 @@ Packages= openssh-client ovmf pacman-package-manager - pesign policycoreutils python3-cryptography python3-pefile diff --git a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-opensuse.conf b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-opensuse.conf index 7187d0cd4..fd3f7aa32 100644 --- a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-opensuse.conf +++ b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-opensuse.conf @@ -21,7 +21,6 @@ Packages= openssh-clients ovmf patterns-base-minimal_base - pesign pkcs11-provider policycoreutils python3-cryptography diff --git a/tests/test_json.py b/tests/test_json.py index ece55d45d..108b01b27 100644 --- a/tests/test_json.py +++ b/tests/test_json.py @@ -312,7 +312,7 @@ def test_config() -> None: "Source": "", "Type": "file" }, - "SecureBootSignTool": "pesign", + "SecureBootSignTool": "systemd-sbsign", "Seed": "7496d7d8-7f08-4a2b-96c6-ec8c43791b60", "ShimBootloader": "none", "Sign": false, @@ -538,7 +538,7 @@ def test_config() -> None: secure_boot_certificate_source=CertificateSource(type=CertificateSourceType.file), secure_boot_key=Path("/path/to/keyfile"), secure_boot_key_source=KeySource(type=KeySourceType.file), - secure_boot_sign_tool=SecureBootSignTool.pesign, + secure_boot_sign_tool=SecureBootSignTool.systemd_sbsign, seed=uuid.UUID("7496d7d8-7f08-4a2b-96c6-ec8c43791b60"), selinux_relabel=ConfigFeature.disabled, shim_bootloader=ShimBootloader.none,