From: Joerg Behrmann
Date: Thu, 22 Sep 2022 15:44:28 +0000 (+0200)
Subject: make measuring an option
X-Git-Tag: v14~20^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1200%2Fhead;p=thirdparty%2Fmkosi.git

make measuring an option
---
diff --git a/mkosi.md b/mkosi.md
index 85eb7c9ca..99f8599a1 100644
--- a/mkosi.md
+++ b/mkosi.md
@@ -559,6 +559,18 @@ a boolean argument: either "1", "yes", or "true" to enable, or "0",
   provisions described in the [Discoverable Partitions
   Specification](https://systemd.io/DISCOVERABLE_PARTITIONS).
 
+  This option requires the [`cryptography`](https://cryptography.io/)
+  module.
+
+`Measure=`, `--measure`
+
+: Measure the components of the unified kernel image (UKI) using
+  `systemd-measure` and embed the PCR signature into the unified kernel
+  image.
+
+  This option requires the [`cryptography`](https://cryptography.io/)
+  module.
+
 `CompressFs=`, `--compress-fs=`
 
 : Enable or disable internal compression in the file system. Only
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index d7c64c941..eb6e6535b 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3989,43 +3989,42 @@ def install_unified_kernel(
         # If a SecureBoot key is configured, and we have the
         # systemd-measure binary around, then also include a
         # signature of expected PCR 11 values in the kernel image
-        if state.config.secure_boot:
+        if state.config.secure_boot and state.config.measure:
             try:
                 from cryptography import x509
                 from cryptography.hazmat.primitives import serialization
-
-                if shutil.which('systemd-measure'):
-                    with complete_step("Generating PCR 11 signature…"):
-
-                        # Extract the public key from the SecureBoot certificate
-                        cert = x509.load_pem_x509_certificate(state.config.secure_boot_certificate.read_bytes())
-                        pcrpkey = state.workspace / "pcrpkey.pem"
-                        pcrpkey.write_bytes(cert.public_key().public_bytes(
-                            encoding=serialization.Encoding.PEM,
-                            format=serialization.PublicFormat.SubjectPublicKeyInfo))
-
-                        cmd_measure = [
-                            "systemd-measure",
-                            "sign",
-                            f"--linux={state.root / kimg}",
-                            f"--osrel={osrelease}",
-                            f"--cmdline={cmdline}",
-                            f"--initrd={initrd}",
-                            f"--pcrpkey={pcrpkey}",
-                            f"--private-key={state.config.secure_boot_key}",
-                            f"--public-key={pcrpkey}",
-                            "--bank=sha1",
-                            "--bank=sha256",
-                        ]
-
-                        c = run(cmd_measure, stdout=subprocess.PIPE)
-
-                        pcrsig = state.workspace / "pcrsig.json"
-                        pcrsig.write_bytes(c.stdout)
-                else:
-                    MkosiPrinter.info("Couldn't find systemd-measure binary, not embedding PCR signature in unified kernel image.")
             except ImportError:
-                MkosiPrinter.info("Couldn't import the cryptography Python module, not embedding PCR signature in unified kernel image.")
+                die("Couldn't import the cryptography Python module. This is needed for the --measure option.")
+
+            if not shutil.which('systemd-measure'):
+                die("Couldn't find systemd-measure binary. It is needed for the --measure option.")
+
+            with complete_step("Generating PCR 11 signature…"):
+                # Extract the public key from the SecureBoot certificate
+                cert = x509.load_pem_x509_certificate(state.config.secure_boot_certificate.read_bytes())
+                pcrpkey = state.workspace / "pcrpkey.pem"
+                pcrpkey.write_bytes(cert.public_key().public_bytes(
+                    encoding=serialization.Encoding.PEM,
+                    format=serialization.PublicFormat.SubjectPublicKeyInfo))
+
+                cmd_measure = [
+                    "systemd-measure",
+                    "sign",
+                    f"--linux={state.root / kimg}",
+                    f"--osrel={osrelease}",
+                    f"--cmdline={cmdline}",
+                    f"--initrd={initrd}",
+                    f"--pcrpkey={pcrpkey}",
+                    f"--private-key={state.config.secure_boot_key}",
+                    f"--public-key={pcrpkey}",
+                    "--bank=sha1",
+                    "--bank=sha256",
+                ]
+
+                c = run(cmd_measure, stdout=subprocess.PIPE)
+
+                pcrsig = state.workspace / "pcrsig.json"
+                pcrsig.write_bytes(c.stdout)
 
         cmd: List[PathString] = [
             "objcopy",
@@ -5208,6 +5207,11 @@ def create_parser() -> ArgumentParserMkosi:
             action=VerityAction,
             help="Add integrity partition, and optionally sign it (implies --read-only)",
         )
+        group.add_argument(
+            "--measure",
+            action=BooleanAction,
+            help="Measure the components of the unified kernel image (UKI) and embed the PCR signature into the UKI",
+        )
         group.add_argument(
             "--compress",
             type=parse_compression,
diff --git a/mkosi/backend.py b/mkosi/backend.py
index ab1b504ad..8ce6262a8 100644
--- a/mkosi/backend.py
+++ b/mkosi/backend.py
@@ -485,6 +485,7 @@ class MkosiConfig:
     read_only: bool
     encrypt: Optional[str]
     verity: Union[bool, str]
+    measure: bool
     compress: Union[None, str, bool]
     compress_fs: Union[None, str, bool]
     compress_output: Union[None, str, bool]
diff --git a/tests/test_config_parser.py b/tests/test_config_parser.py
index 74ed847b7..3aa976ea3 100644
--- a/tests/test_config_parser.py
+++ b/tests/test_config_parser.py
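Review bot: With `--measure` set but `--secure-boot` unset, the new condition `if state.config.secure_boot and state.config.measure:` skips the whole block without a word, although the rest of the hunk now treats every other missing prerequisite of `--measure` as fatal via `die()`. Since the PCR signature is produced with the SecureBoot key and certificate, that mismatch deserves the same treatment, e.g. `if state.config.measure and not state.config.secure_boot: die("--measure requires --secure-boot, since the PCR signature is made with the SecureBoot key.")` ahead of this condition (or in config validation, which lies outside the hunk). The context comment above the condition, "and we have the systemd-measure binary around, then also include", is now stale because the binary is required rather than optional; I'd reword it to `# If --measure is set, sign the expected PCR 11 values with the SecureBoot key and embed the signature in the kernel image; missing prerequisites are fatal.` install_unified_kernel begins before this hunk, so I cannot see whether measure is validated earlier in the function.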
@@ -128,6 +128,7 @@ class MkosiConfig:
         "bios_size": None,
         "verb": Verb.build,
         "verity": False,
+        "measure": False,
         "with_docs": False,
         "with_network": False,
         "with_tests": True,