From: Daan De Meyer
Date: Wed, 6 Nov 2024 16:38:10 +0000 (+0100)
Subject: Introduce systemd-sbsign to do secure boot signing (#35021)
X-Git-Tag: v257-rc1~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5011dd2394d736be6dfce8bcc12bba4537a9e33;p=thirdparty%2Fsystemd.git

Introduce systemd-sbsign to do secure boot signing (#35021)

Currently in mkosi and ukify we use sbsigntools to do secure boot signing. This has multiple issues:

- sbsigntools is practically unmaintained, sbvarsign is completely broken with the latest gnu-efi when built without -fshort-wchar, and upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers API.
- sbsigntools doesn't allow us to cache hardware token pins in the kernel keyring like we do nowadays when we sign stuff ourselves in systemd-repart or systemd-measure.

There are alternative tools like sbctl and pesign, but these do not support caching hardware token pins in the kernel keyring either.

To get around the issues with sbsigntools, let's introduce our own tool, systemd-sbsign, to do secure boot signing. This allows us to take advantage of our own openssl infra so that hardware token pins are cached in the kernel keyring as expected, and we get openssl provider support as well.

---

e5011dd2394d736be6dfce8bcc12bba4537a9e33