From 39277e041c0d51e53c3706755783c3baa9979a57 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 22 Jan 2025 17:07:09 +0100
Subject: [PATCH] Don't insist on pre-signed EFI binaries when ShimBootloader == signed

The whole point of shim is that you can use a presigned shim with locally signed EFI binaries if the local key is enrolled in MOK, so don't insist on presigned EFI binaries when a signed shim is requested. Instead the new "signed" variants of the Bootloader= option can be used to still force installation of presigned EFI binaries.
---
 mkosi/__init__.py | 3 +--
 mkosi/bootloader.py | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index afcca6d28..181aed6ad 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1858,7 +1858,6 @@ def install_type1(
     if (
         want_efi(context.config)
         and context.config.secure_boot
-        and context.config.shim_bootloader != ShimBootloader.signed
         and not context.config.bootloader.is_signed()
         and KernelType.identify(context.config, kimg) == KernelType.pe
     ):
@@ -1995,7 +1994,7 @@ def install_uki(
     with umask(~0o700):
         boot_binary.parent.mkdir(parents=True, exist_ok=True)
 
-    if context.config.shim_bootloader == ShimBootloader.signed or context.config.bootloader.is_signed():
+    if context.config.bootloader.is_signed():
         for p in (context.root / "usr/lib/modules" / kver).glob("*.efi"):
             log_step(f"Installing prebuilt UKI at {p} to {boot_binary}")
             shutil.copy2(p, boot_binary)
diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
index 1fffa05a9..d5af3925f 100644
--- a/mkosi/bootloader.py
+++ b/mkosi/bootloader.py
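Review bot: The new condition in the install_type1 hunk means a PE kernel is now signed locally whenever SecureBoot= is on and the Bootloader= variant is unsigned, even with ShimBootloader=signed, which per the commit message only boots if the local key is enrolled in MOK; that expectation is worth stating at the condition, e.g. `# ShimBootloader=signed no longer implies presigned binaries: with an unsigned Bootloader= variant the kernel is signed locally and the local key must be enrolled in MOK.` The same applies to the install_uki hunk, where the prebuilt-UKI copy is now skipped unless the bootloader itself is a signed variant, so a short comment there pointing at the signed Bootloader= variants would help readers of an older config. Both enclosing functions start and end outside the hunks.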
@@ -74,7 +74,7 @@ def want_grub_efi(context: Context) -> bool:
     if not (arch := context.config.architecture.to_grub()):
         return False
 
-    if context.config.shim_bootloader != ShimBootloader.signed and not context.config.bootloader.is_signed():
+    if not context.config.bootloader.is_signed():
         have = find_grub_directory(context, target=f"{arch}-efi") is not None
         if not have and context.config.bootable == ConfigFeature.enabled:
             die("An EFI bootable image with grub was requested but grub for EFI is not installed")
@@ -322,7 +322,7 @@ def install_grub(context: Context) -> None:
     with umask(~0o700):
         output.parent.mkdir(parents=True, exist_ok=True)
 
-    if context.config.shim_bootloader == ShimBootloader.signed or context.config.bootloader.is_signed():
+    if context.config.bootloader.is_signed():
         if not (signed := find_signed_grub_image(context)):
             if context.config.bootable == ConfigFeature.enabled:
                 die("Couldn't find a signed grub EFI binary installed in the image")
@@ -643,7 +643,7 @@ def install_systemd_boot(context: Context) -> None:
         return
 
     directory = context.root / "usr/lib/systemd/boot/efi"
-    signed = context.config.shim_bootloader == ShimBootloader.signed or context.config.bootloader.is_signed()
+    signed = context.config.bootloader.is_signed()
     if not directory.glob("*.efi.signed" if signed else "*.efi"):
         if context.config.bootable == ConfigFeature.enabled:
             die(
--
2.47.2
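Review bot: In the install_systemd_boot hunk the new `signed` value never influences the guard right below it, because `directory.glob(...)` returns a generator, which is truthy even when it yields nothing, so `if not directory.glob(...)` is always false and the missing-binary `die(...)` cannot fire; the check should consume the iterator, `if not any(directory.glob("*.efi.signed" if signed else "*.efi")):`. This is pre-existing, but since the commit changes what `signed` selects, fixing it here makes a build that requests a signed bootloader without any `*.efi.signed` present stop at this check instead of continuing past it. The want_grub_efi and install_grub hunks use explicit `is not None` and walrus checks and are not affected. install_systemd_boot starts and ends outside the hunk.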