From 1f604962a97ac9e977770bbc9865a6d87eb5fe2d Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Mon, 3 Feb 2025 17:22:30 +0100
Subject: [PATCH] Add "defer" setting for Verity

This defers the creation of the verity-sig partition which is useful when doing offline signing.
---
 mkosi/__init__.py | 9 +++++++++
 mkosi/config.py | 1 +
 mkosi/resources/man/mkosi.1.md | 13 +++++++------
 mkosi/resources/man/mkosi.news.7.md | 4 ++++
 4 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index e5e1234af..1f2125adb 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3353,6 +3353,13 @@ def make_disk(
 
     definitions = [defaults]
 
+    if context.config.verity == Verity.defer:
+        skip = [
+            *skip,
+            f"root-{context.config.architecture}-verity-sig",
+            f"usr-{context.config.architecture}-verity-sig",
+        ]
+
     return make_image(
         context,
         msg=msg,
@@ -3555,6 +3562,8 @@ def make_extension_or_portable_image(context: Context, output: Path) -> None:
         ]
     if context.config.verity == Verity.hash:
         cmdline += [f"--exclude-partitions={','.join(verity)}"]
+    elif context.config.verity == Verity.defer:
+        cmdline += [f"--defer-partitions={','.join(verity)}"]
 
     with complete_step(f"Building {context.config.output_format} extension image"):
         j = json.loads(
diff --git a/mkosi/config.py b/mkosi/config.py
index c1cab71d3..5bab619fb 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -367,6 +367,7 @@ class Verity(StrEnum):
     disabled = enum.auto()
     hash = enum.auto()
     signed = enum.auto()
+    defer = enum.auto()
     auto = enum.auto()
 
 
diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md
index b879696a7..0c6beca73 100644
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
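Review bot: The deferral in make_disk is expressed through the `skip` list, while the extension path two hunks down spells out `--defer-partitions=`; please confirm that make_image turns `skip` into `--defer-partitions=` and not `--exclude-partitions=`, because the news entry promises that space for the verity-sig partition is still allocated for disk images and the name `skip` reads as exclusion. If it does map to deferral, a one-line comment would spare the next reader the same detour: `# "skip" maps to --defer-partitions=: the verity-sig slot is reserved but left unpopulated for offline signing`. The two entries are hard-coded to the `root-` and `usr-` default definitions, so a verity-sig partition produced by user-supplied repart definitions would presumably not be deferred — worth either handling or stating in the man page. make_disk starts and ends outside this hunk.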
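Review bot: The new `elif` hands `--defer-partitions=` to systemd-repart unconditionally, with nothing in the hunk guarding against a systemd-repart build that does not know the option, so on an older host the failure would surface as an opaque repart usage error rather than a clear mkosi message; if mkosi already probes the repart version for other options, gating `defer` the same way, or at least documenting the minimum repart version next to the `defer` value, would help. In `defer` mode the produced image presumably ships its verity hash with an empty signature slot — the intended state for offline signing, but easy to confuse with the `hash` case one line above — so a short comment on the branch would help: `# defer: reserve the verity-sig partition but leave it empty; the roothash is signed out of band`. make_extension_or_portable_image starts and ends outside this hunk.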
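Review bot: The new `defer` member carries no explanation, and unlike `signed` or `hash` its meaning (partition present in the table but unpopulated, with signing done out of band) is not guessable from the name; a comment on the member, `# reserve the verity-sig partition but do not populate it (offline signing)`, would tie the man-page text to the code. Any code that treats the members of Verity as an exhaustive set — a boolean `yes`/`no` mapping or an `if`/`elif` chain over the values — now has an unhandled case that silently falls through; the chains visible in the __init__.py hunks only compare against `hash` and `defer`, so any remaining sites are outside this patch and worth a grep. The class Verity continues outside this hunk.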
@@ -1141,17 +1141,18 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, `Verity=`, `--verity=` : Whether to enforce or disable verity for extension images. Takes one of - `signed`, `hash`, `auto` or a boolean value. If set to `signed`, + `signed`, `hash`, `defer`, `auto` or a boolean value. If set to `signed`, a verity key and certificate must be present and the build will fail if we don't detect any verity partitions in the disk image produced by **systemd-repart**. If disabled, verity partitions will be excluded from the extension images produced by **systemd-repart**. If set to `hash`, **mkosi** configures **systemd-repart** to create a verity hash - partition, but no signature partition. If set to `auto` and a verity key - and certificate are present, **mkosi** will pass them to **systemd-repart** and - expects the generated disk image to contain verity partitions, but the build - won't fail if no verity partitions are found in the disk image produced by - **systemd-repart**. + partition, but no signature partition. If set to `defer`, space for the verity + sig partition will be allocated but it will not be populated yet. If set to + `auto` and a verity key and certificate are present, **mkosi** will pass them + to **systemd-repart** and expects the generated disk image to contain verity + partitions, but the build won't fail if no verity partitions are found in the + disk image produced by **systemd-repart**. Note that explicitly disabling verity signature and/or hash is not yet implemented for the `disk` output and only works for extension images at the diff --git a/mkosi/resources/man/mkosi.news.7.md b/mkosi/resources/man/mkosi.news.7.md index 3bc8df74a..a9b6276c2 100644 --- a/mkosi/resources/man/mkosi.news.7.md +++ b/mkosi/resources/man/mkosi.news.7.md 
@@ -9,6 +9,10 @@ - Teach `--verity` a new `hash` value, which skips the verity signature partition for extension / portable images. To align the possible values, `yes` is renamed to `signed`. +- Teach `--verity` a new `defer` value, which defers creation of the + verity signature partition for disk, extension and portable images (but + still allocates space for it). This is useful to implement offline + signing of the verity roothash. ## v25 -- 2.47.2