From: Daan De Meyer
Date: Wed, 20 Dec 2023 08:57:42 +0000 (+0100)
Subject: Pass in credentials via kernel command line as well
X-Git-Tag: v20~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ea7fe98fd92ed76bf14fb0c08a05861f78222d1;p=thirdparty%2Fmkosi.git
Pass in credentials via kernel command line as well
If we can't do smbios or fw_cfg, let's fall back to kernel command line if possible.
---
diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index 69aab36f4..aba76f629 100644
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -613,17 +613,6 @@ def run_qemu(args: MkosiArgs, config: MkosiConfig, qemu_device_fds: Mapping[Qemu
 # without uidmap to avoid having to mount over /etc/passwd.
 stack.enter_context(mount_passwd())
 
- for k, v in config.credentials.items():
- payload = base64.b64encode(v.encode()).decode()
- if config.architecture.supports_smbios(firmware):
- cmdline += ["-smbios", f"type=11,value=io.systemd.credential.binary:{k}={payload}"]
- elif config.architecture.supports_fw_cfg():
- f = stack.enter_context(tempfile.NamedTemporaryFile(prefix="mkosi-fw-cfg", mode="w"))
- f.write(v)
- f.flush()
- os.fchown(f.fileno(), INVOKING_USER.uid, INVOKING_USER.gid)
- cmdline += ["-fw_cfg", f"name=opt/io.systemd.credentials/{k},file={f.name}"]
-
 if firmware == QemuFirmware.uefi:
 ovmf_vars = stack.enter_context(tempfile.NamedTemporaryFile(prefix="mkosi-ovmf-vars"))
 shutil.copy2(config.qemu_firmware_variables or find_ovmf_vars(config), Path(ovmf_vars.name))
@@ -680,6 +669,19 @@ def run_qemu(args: MkosiArgs, config: MkosiConfig, qemu_device_fds: Mapping[Qemu
 else:
 kcl = config.kernel_command_line_extra
 
+ for k, v in config.credentials.items():
+ payload = base64.b64encode(v.encode()).decode()
+ if config.architecture.supports_smbios(firmware):
+ cmdline += ["-smbios", f"type=11,value=io.systemd.credential.binary:{k}={payload}"]
+ elif config.architecture.supports_fw_cfg():
+ f = stack.enter_context(tempfile.NamedTemporaryFile(prefix="mkosi-fw-cfg", mode="w"))
+ f.write(v)
+ f.flush()
+ os.fchown(f.fileno(), INVOKING_USER.uid, INVOKING_USER.gid)
+ cmdline += ["-fw_cfg", f"name=opt/io.systemd.credentials/{k},file={f.name}"]
+ elif kernel:
+ kcl += [f"systemd.set_credential_binary={k}:{payload}"]
+
 if kernel:
 cmdline += ["-kernel", kernel]
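Review bot: The new `elif kernel:` fallback puts each credential on the kernel command line, which any unprivileged process in the guest can read through `/proc/cmdline`. systemd's documentation for `systemd.set_credential_binary=` says this path is not suitable for sensitive data for that reason. I would say so at the branch, e.g. `# Readable via /proc/cmdline by unprivileged guest processes; not confidential.`, and consider logging a warning that names `k` (never the payload) whenever this fallback is taken. The loop also has no final `else`, so when none of the three transports applies the credential is dropped without any message; kernel command lines are length-limited as well, so a large payload is presumably at risk of truncation. run_qemu's body starts and ends outside the hunk.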