From b20749d65c0e03fcd7ada23ebe463584b9a07edf Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Sun, 3 Nov 2024 18:08:07 +0100
Subject: [PATCH] Add support for openssl providers as key sources

---
 mkosi/bootloader.py | 2 +-
 mkosi/config.py | 1 +
 mkosi/resources/man/mkosi.1.md | 17 +++++------------
 3 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
index 89f105470..4665bf881 100644
--- a/mkosi/bootloader.py
+++ b/mkosi/bootloader.py
@@ -703,7 +703,7 @@ def install_systemd_boot(context: Context) -> None:
 options += [
 "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501
 ] # fmt: skip
- if context.config.secure_boot_key_source.type == KeySourceType.engine:
+ if context.config.secure_boot_key_source.type != KeySourceType.file:
 cmd += ["--private-key-source", str(context.config.secure_boot_key_source)]
 options += ["--bind", "/run", "/run"]
 if context.config.secure_boot_key.exists():
diff --git a/mkosi/config.py b/mkosi/config.py
index af4d3846c..8653bf9a0 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -1302,6 +1302,7 @@ def file_run_or_read(file: Path) -> str:
 class KeySourceType(StrEnum):
 file = enum.auto()
 engine = enum.auto()
+ provider = enum.auto()
 
 
 @dataclasses.dataclass(frozen=True)
diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md
index d89c6af31..9625ed22e 100644
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
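Review bot: The relaxed condition `if context.config.secure_boot_key_source.type != KeySourceType.file:` in the bootloader.py hunk now forwards `provider:` sources for the secure boot key and binds the host `/run` into the sandbox for them, while the mkosi.1.md hunk in this same patch states that providers are currently only supported for the verity key; one of the two should give. If the tool behind `cmd` cannot consume a provider source on this path yet, the check should stay explicit, `if context.config.secure_boot_key_source.type in (KeySourceType.engine, KeySourceType.provider):`, which also keeps the `/run` bind from silently applying to any key source type added later. Which tool `cmd` invokes is not visible here, and install_systemd_boot begins and ends outside the hunk.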
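Review bot: The new `provider` member in the config.py hunk carries no comment distinguishing it from `engine`, and the parser that maps a `provider:` prefix onto `KeySourceType` is outside the hunk, so whether it resolves members by name or from an explicit list cannot be told from here; if it is the latter, it needs the new member as well. A one-line comment would help readers of the enum, e.g. `provider = enum.auto()  # OpenSSL provider, given as "provider:<name>"`. The class body ends within the hunk; only the decorator of the next class follows.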
@@ -1135,10 +1135,6 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
 `SignExpectedPcr=` is also used. When `SecureBootKeySource=` is specified, the input type depends on the source.
-`SecureBootKeySource=`, `--secure-boot-key-source=`
-: Source of `SecureBootKey=`, to support OpenSSL engines. E.g.:
- `--secure-boot-key-source=engine:pkcs11`
-
 `SecureBootCertificate=`, `--secure-boot-certificate=`
 : Path to the X.509 file containing the certificate for the signed UEFI kernel image, if `SecureBoot=` is used.
@@ -1169,10 +1165,6 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
 partition is added with systemd-repart. When `VerityKeySource=` is specified, the input type depends on the source.
-`VerityKeySource=`, `--verity-key-source=`
-: Source of `VerityKey=`, to support OpenSSL engines. E.g.:
- `--verity-key-source=engine:pkcs11`
-
 `VerityCertificate=`, `--verity-certificate=`
 : Path to the X.509 file containing the certificate for signing the verity signature, if a verity signature partition is added with systemd-repart.
@@ -1190,13 +1182,14 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
 When `SignExpectedPcrKeySource=` is specified, the input type depends on the source.
-`SignExpectedPcrKeySource=`, `--sign-expected-key-source=`
-: Source of `VerityKey=`, to support OpenSSL engines. E.g.:
- `--verity-key-source=engine:pkcs11`
-
 `SignExpectedPcrCertificate=`, `--sign-expected-pcr-certificate=`
 : Path to the X.509 file containing the certificate for signing the expected PCR signatures.
 
+`SecureBootKeySource=`, `--secure-boot-key-source=`, `VerityKeySource=`, `--verity-key-source=`, `SignExpectedPcrKeySource=`, `--sign-expected-key-source=`
+: The source of the corresponding private key `SecureBootKey=`, to support OpenSSL engines and providers,
+ e.g. `--secure-boot-key-source=engine:pkcs11` or `--secure-boot-key-source=provider:pkcs11`. Note that
+ providers are currently only supported for the verity key.
+
 `Passphrase=`, `--passphrase`
 : Specify the path to a file containing the passphrase to use for LUKS encryption. It should contain the passphrase literally, and not end in
--
2.47.2