From: Luca Boccassi Date: Sat, 10 Feb 2024 19:28:29 +0000 (+0000) Subject: verity: add support for signing with an hardware token X-Git-Tag: v21~12^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c89ea056c611ef0e07bc9587644e697be3b5f20f;p=thirdparty%2Fmkosi.git verity: add support for signing with an hardware token Needs sd-repart v256 with --signing-engine parameter Co-authored-by: Daan De Meyer
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index ebaf49906..55dc15d68 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2811,7 +2811,10 @@ def make_image(
 options += ["--ro-bind", context.config.passphrase, context.config.passphrase]
 if context.config.verity_key:
 cmdline += ["--private-key", context.config.verity_key]
- options += ["--ro-bind", context.config.verity_key, context.config.verity_key]
+ if context.config.verity_key_source.type != KeySource.Type.file:
+ cmdline += ["--private-key-source", str(context.config.verity_key_source)]
+ if context.config.verity_key.exists():
+ options += ["--ro-bind", context.config.verity_key, context.config.verity_key]
 if context.config.verity_certificate:
 cmdline += ["--certificate", context.config.verity_certificate]
 options += ["--ro-bind", context.config.verity_certificate, context.config.verity_certificate]
@@ -2837,7 +2840,13 @@ def make_image(
 cmdline,
 stdout=subprocess.PIPE,
 env=context.config.environment,
- sandbox=context.sandbox(devices=not context.config.repart_offline, options=options),
+ sandbox=context.sandbox(
+ devices=(
+ not context.config.repart_offline or
+ context.config.verity_key_source.type != KeySource.Type.file
+ ),
+ options=options,
+ ),
 ).stdout
 )
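Review bot: The `--ro-bind` for the key is now decided by `context.config.verity_key.exists()`, so whether a host path is mounted into the sandbox depends on what happens to exist at that path rather than on the configured key source. With the default file source a missing key is silently skipped here and presumably only fails later inside systemd-repart, and with a non-file source a stray file matching the key identifier would be bound in. If keys from a non-file source are never files, gate it explicitly with `if context.config.verity_key_source.type == KeySource.Type.file:`; if they can be, add a comment such as `# a non-file source may still reference a key file; bind it only when it exists`. The same lines recur in the `make_extension_image` hunk at `-2989`, and the nesting of the two new `if` statements cannot be read from this page because indentation was lost. The commit message names `--signing-engine` while the code passes `--private-key-source`, which is worth reconciling.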
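Review bot: `devices=` is now true for every non-file key source, which widens the sandbox for the whole systemd-repart run even when `repart_offline` is set, and nothing in the hunk records why. A comment above the call would state the intent, for example `# token-backed signing needs host device access even when repart runs offline`, and if `context.sandbox` offers a narrower way to expose only what the token needs, that would be preferable to enabling devices wholesale. The identical expression appears in the `make_extension_image` hunk at `-3008`; computing it once in a helper or local variable would keep the two call sites from drifting apart.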
@@ -2989,7 +2998,10 @@ def make_extension_image(context: Context, output: Path) -> None:
 options += ["--ro-bind", context.config.passphrase, context.config.passphrase]
 if context.config.verity_key:
 cmdline += ["--private-key", context.config.verity_key]
- options += ["--ro-bind", context.config.verity_key, context.config.verity_key]
+ if context.config.verity_key_source.type != KeySource.Type.file:
+ cmdline += ["--private-key-source", str(context.config.verity_key_source)]
+ if context.config.verity_key.exists():
+ options += ["--ro-bind", context.config.verity_key, context.config.verity_key]
 if context.config.verity_certificate:
 cmdline += ["--certificate", context.config.verity_certificate]
 options += ["--ro-bind", context.config.verity_certificate, context.config.verity_certificate]
@@ -3008,7 +3020,13 @@ def make_extension_image(context: Context, output: Path) -> None:
 run(
 cmdline + ["--definitions", r],
 env=env,
- sandbox=context.sandbox(devices=not context.config.repart_offline, options=options),
+ sandbox=context.sandbox(
+ devices=(
+ not context.config.repart_offline or
+ context.config.verity_key_source.type != KeySource.Type.file
+ ),
+ options=options,
+ ),
 )
diff --git a/mkosi/config.py b/mkosi/config.py
index 119516172..ccf88130d 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -1327,6 +1327,7 @@ class Config:
 secure_boot_certificate: Optional[Path]
 secure_boot_sign_tool: SecureBootSignTool
 verity_key: Optional[Path]
+ verity_key_source: KeySource
 verity_certificate: Optional[Path]
 sign_expected_pcr: ConfigFeature
 passphrase: Optional[Path]
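Review bot: In the `class Config` hunk at `-1327`, `verity_key` stays annotated as `Optional[Path]` although, with the new `verity_key_source` next to it, the value may presumably be a token key identifier rather than a filesystem path. A field comment would make that dual meaning visible to readers of the class, for example `# filesystem path, or a key identifier when verity_key_source is not "file"`. It is also worth confirming that storing such an identifier in a `Path` does not normalise it before it reaches `--private-key`. The class body continues outside the hunk.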
@@ -2376,11 +2377,19 @@ SETTINGS = ( ), ConfigSetting( dest="verity_key", - metavar="PATH", + metavar="KEY", section="Validation", - parse=config_make_path_parser(secret=True), + parse=config_parse_key, paths=("mkosi.key",), - help="Private key for signing verity signature in PEM format", + help="Private key for signing verity signature", + ), + ConfigSetting( + dest="verity_key_source", + section="Validation", + metavar="SOURCE[:ENGINE]", + parse=config_parse_key_source, + default=KeySource(type=KeySource.Type.file), + help="The source to use to retrieve the verity signing key", ), ConfigSetting( dest="verity_certificate", @@ -3649,6 +3658,7 @@ def summary(config: Config) -> str: SecureBoot Certificate: {none_to_none(config.secure_boot_certificate)} SecureBoot Sign Tool: {config.secure_boot_sign_tool} Verity Signing Key: {none_to_none(config.verity_key)} + Verity Signing Key Source: {config.verity_key_source} Verity Certificate: {none_to_none(config.verity_certificate)} Sign Expected PCRs: {config.sign_expected_pcr} Passphrase: {none_to_none(config.passphrase)} diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md index f8eb980db..52aba1b98 100644 --- a/mkosi/resources/mkosi.md +++ b/mkosi/resources/mkosi.md @@ -1358,7 +1358,13 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, `VerityKey=`, `--verity-key=` : Path to the PEM file containing the secret key for signing the verity signature, if a verity signature - partition is added with systemd-repart. + partition is added with systemd-repart. When `VerityKeySource=` is specified, the input type depends on + the source. + +`VerityKeySource=`, `--verity-key-source=` + +: Source of `VerityKey=`, to support OpenSSL engines. E.g.: + `--verity-key-source=engine:pkcs11` `VerityCertificate=`, `--verity-certificate=` diff --git a/tests/test_json.py b/tests/test_json.py index 12c1a01cc..b1939f5f3 100644 --- a/tests/test_json.py +++ b/tests/test_json.py 
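Review bot: In the `SETTINGS` hunk at `-2376`, `verity_key` drops `config_make_path_parser(secret=True)` in favour of `config_parse_key`, whose body is not part of this diff, so it is not visible here whether the handling that `secret=True` selected still applies when the value is a key file. If it does not, a private key file would be accepted with less scrutiny than before; please confirm, or keep the path parser for the file case. The new `verity_key_source` help text could also name the accepted forms, e.g. `help="Source of the verity signing key: file (default) or engine:NAME"`, since the metavar `SOURCE[:ENGINE]` alone does not say what SOURCE may be.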
@@ -306,6 +306,10 @@ def test_config() -> None:
 "UseSubvolumes": "auto",
 "VerityCertificate": "/path/to/cert",
 "VerityKey": null,
+ "VerityKeySource": {
+ "source": "",
+ "type": "file"
+ },
 "WithDocs": true,
 "WithNetwork": false,
 "WithRecommends": true,
@@ -441,6 +445,7 @@ def test_config() -> None:
 use_subvolumes = ConfigFeature.auto,
 verity_certificate = Path("/path/to/cert"),
 verity_key = None,
+ verity_key_source = KeySource(type=KeySource.Type.file),
 with_docs = True,
 with_network = False,
 with_recommends = True,
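Review bot: Both test hunks pin only the default source (`"type": "file"` with an empty `"source"` at `-306`, and `KeySource(type=KeySource.Type.file)` at `-441`), so the new non-file path is not exercised anywhere in this commit. A second case that round-trips `engine:pkcs11`, the form given in mkosi.md, would cover the `"source"` field and the `str()` conversion whose result ends up on the systemd-repart command line. `test_config` starts and ends outside both hunks.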