From: Malte Poll Date: Thu, 25 May 2023 09:53:47 +0000 (+0200) Subject: ukify: always sign kernel inside of uki if secure boot is enabled X-Git-Tag: v15~147 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85d8342e974e5537529ea959b4e405fa330467b9;p=thirdparty%2Fmkosi.git ukify: always sign kernel inside of uki if secure boot is enabled This overrides the auto detection of ukify and always signs the kernel before embedding it in the uki (even if the kernel is already signed). Rationale: When building Fedora 37 images, the Fedora provided kernel is signed with an expired key (id 2574709492). I would like to add an additional signature with my own signing key to enable kexec and other features that require a correctly signed kernel image. Co-authored-by: Otto Bittner --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index b1ee0a44d..a0157a26c 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -857,6 +857,7 @@ def install_unified_kernel(state: MkosiState, roothash: Optional[str]) -> None: cmd += [ "--secureboot-private-key", state.config.secure_boot_key, "--secureboot-certificate", state.config.secure_boot_certificate, + "--sign-kernel", ] sign_expected_pcr = (state.config.sign_expected_pcr == ConfigFeature.enabled or
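Review bot: "--sign-kernel" is appended unconditionally inside the branch that already passes "--secureboot-private-key" and "--secureboot-certificate", so every secure-boot build now re-signs the embedded kernel with the mkosi key and there is no way to keep ukify's own auto-detection for kernels that are already signed by a trusted key; consider gating the flag behind a config option (or at least documenting the new behaviour alongside the existing secure boot settings, since this hunk changes only mkosi/__init__.py and no documentation). The flag is also passed to whatever ukify is installed on the build host, so a version that does not know "--sign-kernel" will fail the whole UKI step; a minimum-version note would help users hitting that.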