From: Luca Boccassi Date: Sat, 15 Feb 2025 00:58:41 +0000 (+0000) Subject: Create split pcrs file also when going through install_uki X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3513%2Fhead;p=thirdparty%2Fmkosi.git Create split pcrs file also when going through install_uki This happens when building ParticleOS Follow-up for 393b16cf8410c40695b776e709a4b8029c860c0c --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index e1f19bee2..0828c87cd 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -2090,11 +2090,13 @@ def install_uki( partitions: Sequence[Partition], profiles: Sequence[Path], cmdline: list[str], -) -> None: +) -> dict[str, Any]: boot_binary = context.root / finalize_uki_path( context, finalize_bootloader_entry_format(context, kver, token, partitions) ) + pcrs: dict[str, Any] = {} + # Make sure the parent directory where we'll be writing the UKI exists. with umask(~0o700): boot_binary.parent.mkdir(parents=True, exist_ok=True) @@ -2108,7 +2110,7 @@ def install_uki( if context.config.bootable == ConfigFeature.enabled: die(f"Couldn't find a signed UKI binary installed at /usr/lib/modules/{kver} in the image") - return + return pcrs else: microcodes = finalize_microcode(context) @@ -2116,7 +2118,7 @@ def install_uki( if context.config.kernel_modules_initrd: initrds += [build_kernel_modules_initrd(context, kver)] - build_uki( + pcrs = build_uki( context, systemd_stub_binary(context), kver, @@ -2149,6 +2151,8 @@ def install_uki( f.write("fi\n") + return pcrs + def systemd_addon_stub_binary(context: Context) -> Path: arch = context.config.architecture.to_efi() 
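Review bot: `install_uki` now returns `dict[str, Any]`, but nothing documents what the dict holds or when it is empty. The early `return pcrs` in the second hunk (@@ -2108) hands back `{}`, and as far as the visible lines show, only the `build_uki` branch in the third hunk ever fills it. A caller therefore cannot tell "no PCR data was produced" from "this path never produces any", so a requested split pcrs file is presumably skipped without a message when a pre-built signed UKI is used. I would add a docstring such as `"""Install the UKI for kver; return the PCR data reported by build_uki(), or {} if no UKI was built here."""`. The signature of install_uki starts above the first hunk.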
@@ -2230,16 +2234,23 @@ def install_kernel(context: Context, partitions: Sequence[Partition]) -> None: token = find_entry_token(context) cmdline = finalize_cmdline(context, partitions, finalize_roothash(partitions)) profiles = build_uki_profiles(context, cmdline) if want_uki(context) else [] + # The first processed UKI is the one that will be used as split artifact, so take pcrs from + # it and ignore the rest + # TODO: we should probably support signing pcrs for all built UKIs + pcrs: dict[str, Any] = {} for kver, kimg in gen_kernel_images(context): if want_uki(context): - install_uki(context, kver, kimg, token, partitions, profiles, cmdline) + pcrs = pcrs or install_uki(context, kver, kimg, token, partitions, profiles, cmdline) if not want_uki(context) or want_grub_bios(context, partitions): install_type1(context, kver, kimg, token, partitions, cmdline) if context.config.bootloader.is_uki(): break + if ArtifactOutput.pcrs in context.config.split_artifacts and pcrs: + (context.staging / context.config.output_split_pcrs).write_text(json.dumps(pcrs)) + def make_uki( context: Context,
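Review bot: `pcrs = pcrs or install_uki(...)` inside the `for kver, kimg` loop short-circuits, so once one call has returned a non-empty dict, `install_uki` is never called again and every later kernel version gets no UKI installed. Call it unconditionally and keep only the first result: `uki_pcrs = install_uki(context, kver, kimg, token, partitions, profiles, cmdline)` followed by `pcrs = pcrs or uki_pcrs`. The skip only occurs when PCR data is actually produced, which is presumably the signed measured-boot configuration, so builds without PCR signing will not show it. install_kernel begins above the hunk.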