From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sat, 2 Mar 2024 10:38:45 +0000 (+0100)
Subject: Only enable sha256 PCR bank for swtpm
X-Git-Tag: v21~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fcbcfe81148dc376874829b9e7dfec8a586eb66b;p=thirdparty%2Fmkosi.git

Only enable sha256 PCR bank for swtpm

Mimicks the same change in systemd-vmspawn
(https://github.com/systemd/systemd/commit/519bad6c2c23d3c2dc9558878becb485f3ae9057)
---

diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index be22721d4..4339c554f 100644
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -34,7 +34,7 @@ from mkosi.config import (
     systemd_tool_version,
     want_selinux_relabel,
 )
-from mkosi.log import die
+from mkosi.log import ARG_DEBUG, die
 from mkosi.partition import finalize_root, find_partitions
 from mkosi.run import AsyncioThread, find_binary, fork_and_wait, run, spawn
 from mkosi.tree import copy_tree, rmtree
@@ -286,6 +286,11 @@ def find_ovmf_vars(config: Config) -> Path:
 @contextlib.contextmanager
 def start_swtpm(config: Config) -> Iterator[Path]:
     with tempfile.TemporaryDirectory(prefix="mkosi-swtpm") as state:
+        # swtpm_setup is noisy and doesn't have a --quiet option so we pipe it's stdout to /dev/null.
+        run(["swtpm_setup", "--tpm-state", state, "--tpm2", "--pcr-banks", "sha256", "--config", "/dev/null"],
+            sandbox=config.sandbox(options=["--bind", state, state]),
+            stdout=None if ARG_DEBUG.get() else subprocess.DEVNULL)
+
         cmdline = ["swtpm", "socket", "--tpm2", "--tpmstate", f"dir={state}"]
 
         # We create the socket ourselves and pass the fd to swtpm to avoid race conditions where we start qemu before
diff --git a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-centos-fedora/mkosi.conf
index dd78d62c2..c7502c201 100644
--- a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-centos-fedora/mkosi.conf
+++ b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-centos-fedora/mkosi.conf
@@ -23,6 +23,7 @@ Packages=
         qemu-kvm-core
         shadow-utils
         squashfs-tools
+        swtpm-tools
         systemd-container
         systemd-udev
         ubu-keyring
diff --git a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu.conf
index eb5e98ee7..1f1b7f23f 100644
--- a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu.conf
+++ b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu.conf
@@ -29,6 +29,7 @@ Packages=
         qemu-system
         sbsigntool
         squashfs-tools
+        swtpm-tools
         systemd-boot
         systemd-container
         systemd-coredump