From: Daan De Meyer Date: Thu, 31 Oct 2024 11:36:09 +0000 (+0100) Subject: Bind /run when an engine might be used instead of only /run/pcscd X-Git-Tag: v25~194^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=889a7f353263c486b947fc8b23f567a0088d3fac;p=thirdparty%2Fmkosi.git Bind /run when an engine might be used instead of only /run/pcscd It's not guaranteed that the engine will be the pkcs#11 one so let's bind the entirety of /run in case another daemon might be used with a socket elsewhere in /run.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 435910aab..bae8baa49 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1534,7 +1534,7 @@ def run_ukify(
 ] # fmt: skip
 if context.config.secure_boot_key_source.type == KeySourceType.engine:
 cmd += ["--signing-engine", context.config.secure_boot_key_source.source]
-opt += ["--bind-try", "/run/pcscd", "/run/pcscd"]
+opt += ["--bind", "/run", "/run"]
 if context.config.secure_boot_key.exists():
 cmd += ["--secureboot-private-key", workdir(context.config.secure_boot_key)]
 opt += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
@@ -1609,7 +1609,7 @@ def build_uki(
 ] # fmt: skip
 options += [
 "--ro-bind", context.config.sign_expected_pcr_certificate, workdir(context.config.sign_expected_pcr_certificate), # noqa: E501
-"--bind-try", "/run/pcscd", "/run/pcscd",
+"--bind", "/run", "/run",
 ] # fmt: skip
 
 if context.config.sign_expected_pcr_key.exists():
@@ -3074,7 +3074,7 @@ def make_image(
 
 if context.config.verity_key_source.type != KeySourceType.file:
 cmdline += ["--private-key-source", str(context.config.verity_key_source)]
-opts += ["--bind-try", "/run/pcscd", "/run/pcscd"]
+opts += ["--bind", "/run", "/run"]
 if context.config.verity_key.exists():
 cmdline += ["--private-key", workdir(context.config.verity_key)]
 opts += ["--ro-bind", context.config.verity_key, workdir(context.config.verity_key)]
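Review bot: The new `opt += ["--bind", "/run", "/run"]` in run_ukify hands the external signing tool a read-write view of the whole of `/run` — every runtime socket and state directory on the host, not just the daemon the configured engine talks to — which is a much wider sandbox hole than the previous `/run/pcscd` bind; if only the socket path differs per engine, a narrower fix would be to make the directory to bind part of the key-source configuration (a constructed example: `--bind` of a user-supplied socket directory) and keep the wholesale `/run` bind as the fallback, or at least use `--ro-bind` where the engine's daemon can be reached without write access (whether a read-only bind suffices for the engine's socket is not visible here). Whatever is kept, the widening deserves a why-comment at the site, e.g. `# The engine may reach its daemon through any socket under /run, so bind all of it rather than only /run/pcscd.`, since the reasoning lives only in the commit message. `--bind` (unlike the replaced `--bind-try`) fails when the source path is absent, which is fine for `/run` on a normal host but is a behaviour change worth a note in the same comment for builds run inside minimal containers. The identical line recurs in build_uki and make_image in this file and in sign_efi_binary and install_systemd_boot in mkosi/bootloader.py; a single shared constant for the three-element list would keep the five sites from drifting apart. Each enclosing function starts before and ends after its hunk.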
diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
index f347c352c..ff2ed0d1f 100644
--- a/mkosi/bootloader.py
+++ b/mkosi/bootloader.py
@@ -518,7 +518,7 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
 ] # fmt: skip
 if context.config.secure_boot_key_source.type == KeySourceType.engine:
 cmd += ["--engine", context.config.secure_boot_key_source.source]
-options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
+options += ["--bind", "/run", "/run"]
 if context.config.secure_boot_key.exists():
 cmd += ["--key", workdir(context.config.secure_boot_key)]
 options += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
@@ -753,7 +753,7 @@ def install_systemd_boot(context: Context) -> None:
 ] # fmt: skip
 if context.config.secure_boot_key_source.type == KeySourceType.engine:
 cmd += ["--engine", context.config.secure_boot_key_source.source]
-options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
+options += ["--bind", "/run", "/run"]
 if context.config.secure_boot_key.exists():
 cmd += ["--key", workdir(context.config.secure_boot_key)]
 options += [