<term><varname>SecureBootSigningTool=<replaceable>SIGNER</replaceable></varname></term>
<term><option>--signtool=<replaceable>SIGNER</replaceable></option></term>
- <listitem><para>Whether to use <literal>sbsign</literal> or <literal>pesign</literal>.
- Depending on this choice, different parameters are required in order to sign an image.
- Defaults to <literal>sbsign</literal>.</para>
+ <listitem><para>Whether to use <literal>sbsign</literal>, <literal>pesign</literal>, or
+ <literal>systemd-sbsign</literal>. Depending on this choice, different parameters are required in
+ order to sign an image. Defaults to <literal>sbsign</literal>.</para>
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
</varlistentry>
return 'No signature table present' in info
+class SystemdSbSign(SignTool):
+ @staticmethod
+ def sign(input_f: str, output_f: str, opts: UkifyConfig) -> None:
+ assert opts.sb_key is not None
+ assert opts.sb_cert is not None
+
+ tool = find_tool(
+ 'systemd-sbsign',
+ '/usr/lib/systemd/systemd-sbsign',
+ opts=opts,
+ msg='systemd-sbsign, required for signing, is not installed',
+ )
+ cmd = [
+ tool,
+ "sign",
+ '--private-key', opts.sb_key,
+ '--certificate', opts.sb_cert,
+ *(
+ ['--private-key-source', f'engine:{opts.signing_engine}']
+ if opts.signing_engine is not None
+ else []
+ ),
+ input_f,
+ '--output', output_f,
+ ] # fmt: skip
+
+ print('+', shell_join(cmd))
+ subprocess.check_call(cmd)
+
+ @staticmethod
+ def verify(opts: UkifyConfig) -> bool:
+ raise NotImplementedError('systemd-sbsign cannot yet verify if existing PE binaries are signed')
+
+
def parse_banks(s: str) -> list[str]:
banks = re.split(r',|\s+', s)
# TODO: do some sanity checking here
setattr(namespace, 'signtool', SbSign)
elif values == 'pesign':
setattr(namespace, 'signtool', PeSign)
+ elif values == 'systemd-sbsign':
+ setattr(namespace, 'signtool', SystemdSbSign)
else:
raise ValueError(f"Unknown signtool '{values}' (this is unreachable)")
),
ConfigItem(
'--signtool',
- choices=('sbsign', 'pesign'),
+ choices=('sbsign', 'pesign', 'systemd-sbsign'),
action=SignToolAction,
dest='signtool',
help=(
ConfigItem(
'--secureboot-private-key',
dest='sb_key',
- help='required by --signtool=sbsign. Path to key file or engine-specific designation for SB signing',
+ help='required by --signtool=sbsign|systemd-sbsign. Path to key file or engine-specific designation for SB signing', # noqa: E501
config_key='UKI/SecureBootPrivateKey',
),
ConfigItem(
)
elif bool(opts.sb_key) and bool(opts.sb_cert):
# both param given, infer sbsign and in case it was given, ensure signtool=sbsign
- if opts.signtool and opts.signtool != SbSign:
+ if opts.signtool and opts.signtool not in (SbSign, SystemdSbSign):
raise ValueError(
f'Cannot provide --signtool={opts.signtool} with --secureboot-private-key= and --secureboot-certificate=' # noqa: E501
)
- opts.signtool = SbSign
+ if not opts.signtool:
+ opts.signtool = SbSign
elif bool(opts.sb_cert_name):
# sb_cert_name given, infer pesign and in case it was given, ensure signtool=pesign
if opts.signtool and opts.signtool != PeSign:
projects / thirdparty / systemd.git / commitdiff
