mkosi: Sign expected PCRs

This is now possible without a TMP device so let's start signing
PCRs when building images with mkosi.

diff --git a/mkosi.conf.d/10-systemd.conf b/mkosi.conf.d/10-systemd.conf
index 640214c8a353626651bb06eab405ab600a6012b5..09e8c5c3f16654326eb5d523cdfb4300bff8bcd6 100644 (file)
--- a/mkosi.conf.d/10-systemd.conf
+++ b/mkosi.conf.d/10-systemd.conf
@@ -11,11 +11,6 @@ OutputDirectory=mkosi.output
 BuildDirectory=mkosi.builddir
 CacheDirectory=mkosi.cache
 
-[Validation]
-SecureBoot=yes
-# Disabled until systemd-measure can operate without a TPM device.
-SignExpectedPcr=no
-
 [Host]
 QemuMem=2G
 ExtraSearchPaths=build/

diff --git a/mkosi.presets/20-final/mkosi.conf b/mkosi.presets/20-final/mkosi.conf
index ec0a90feffb1f19117f17f312df46ce1f9761330..bb158eb05911a956e9316a7b41d29dc0e0c3ea94 100644 (file)
--- a/mkosi.presets/20-final/mkosi.conf
+++ b/mkosi.presets/20-final/mkosi.conf
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Content]
+Autologin=yes
 BaseTrees=../../mkosi.output/base
 ExtraTrees=../../src:/root/src
 Initrds=../../mkosi.output/initrd
@@ -35,4 +36,5 @@ Packages=
         zsh
 
 [Validation]
-Autologin=yes
+SecureBoot=yes
+SignExpectedPcr=yes