From: Daan De Meyer
Date: Tue, 5 Nov 2024 12:44:18 +0000 (+0100)
Subject: ukify: Add support for systemd-sbsign
X-Git-Tag: v257-rc1~5^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d835c4476b84eb31f0b433ee31edb6b0cd4fd694;p=thirdparty%2Fsystemd.git
ukify: Add support for systemd-sbsign
---
diff --git a/man/ukify.xml b/man/ukify.xml
index c78a12ada02..ffc406f6cef 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -440,9 +440,9 @@ SecureBootSigningTool=SIGNER
- Whether to use sbsign or pesign.
- Depending on this choice, different parameters are required in order to sign an image.
- Defaults to sbsign.
+ Whether to use sbsign, pesign, or
+ systemd-sbsign. Depending on this choice, different parameters are required in
+ order to sign an image. Defaults to sbsign.
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index 02220dd983b..60f64dc817f 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -526,6 +526,40 @@ class SbSign(SignTool):
return 'No signature table present' in info
+class SystemdSbSign(SignTool):
+ @staticmethod
+ def sign(input_f: str, output_f: str, opts: UkifyConfig) -> None:
+ assert opts.sb_key is not None
+ assert opts.sb_cert is not None
+
+ tool = find_tool(
+ 'systemd-sbsign',
+ '/usr/lib/systemd/systemd-sbsign',
+ opts=opts,
+ msg='systemd-sbsign, required for signing, is not installed',
+ )
+ cmd = [
+ tool,
+ "sign",
+ '--private-key', opts.sb_key,
+ '--certificate', opts.sb_cert,
+ *(
+ ['--private-key-source', f'engine:{opts.signing_engine}']
+ if opts.signing_engine is not None
+ else []
+ ),
+ input_f,
+ '--output', output_f,
+ ] # fmt: skip
+
+ print('+', shell_join(cmd))
+ subprocess.check_call(cmd)
+
+ @staticmethod
+ def verify(opts: UkifyConfig) -> bool:
+ raise NotImplementedError('systemd-sbsign cannot yet verify if existing PE binaries are signed')
+
+
def parse_banks(s: str) -> list[str]:
banks = re.split(r',|\s+', s)
# TODO: do some sanity checking here
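Review bot: `SystemdSbSign.verify()` unconditionally raises `NotImplementedError`, so any caller that consults `opts.signtool.verify(opts)` to decide whether an input is already signed (those callers are outside this hunk) will turn `--signtool=systemd-sbsign` into a traceback instead of a diagnostic unless it guards this case; if such auto-detection exists, it should be skipped for this tool or the user pointed at the explicit choice, e.g. `raise ValueError('systemd-sbsign cannot yet verify if existing PE binaries are signed; pass --sign-kernel or --no-sign-kernel explicitly')`. Two style points in the new class: `"sign"` is the only double-quoted literal in the hunk while every neighbouring literal uses single quotes, so `'sign',` would be consistent, and the class carries no docstring — a one-liner such as `"""Sign PE binaries with systemd-sbsign; verifying existing signatures is not implemented yet."""` would state the limitation up front rather than only inside the exception message.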
@@ -1477,6 +1511,8 @@ class SignToolAction(argparse.Action):
setattr(namespace, 'signtool', SbSign)
elif values == 'pesign':
setattr(namespace, 'signtool', PeSign)
+ elif values == 'systemd-sbsign':
+ setattr(namespace, 'signtool', SystemdSbSign)
else:
raise ValueError(f"Unknown signtool '{values}' (this is unreachable)")
@@ -1624,7 +1660,7 @@ CONFIG_ITEMS = [
),
ConfigItem(
'--signtool',
- choices=('sbsign', 'pesign'),
+ choices=('sbsign', 'pesign', 'systemd-sbsign'),
action=SignToolAction,
dest='signtool',
help=(
@@ -1637,7 +1673,7 @@ CONFIG_ITEMS = [
ConfigItem(
'--secureboot-private-key',
dest='sb_key',
- help='required by --signtool=sbsign. Path to key file or engine-specific designation for SB signing',
+ help='required by --signtool=sbsign|systemd-sbsign. Path to key file or engine-specific designation for SB signing', # noqa: E501
config_key='UKI/SecureBootPrivateKey',
),
ConfigItem(
@@ -1940,11 +1976,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
)
elif bool(opts.sb_key) and bool(opts.sb_cert):
# both param given, infer sbsign and in case it was given, ensure signtool=sbsign
- if opts.signtool and opts.signtool != SbSign:
+ if opts.signtool and opts.signtool not in (SbSign, SystemdSbSign):
raise ValueError(
f'Cannot provide --signtool={opts.signtool} with --secureboot-private-key= and --secureboot-certificate=' # noqa: E501
)
- opts.signtool = SbSign
+ if not opts.signtool:
+ opts.signtool = SbSign
elif bool(opts.sb_cert_name):
# sb_cert_name given, infer pesign and in case it was given, ensure signtool=pesign
if opts.signtool and opts.signtool != PeSign:
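Review bot: The `--secureboot-private-key` help is updated to `--signtool=sbsign|systemd-sbsign`, but the companion `ConfigItem(` that begins on the last line of the `@@ -1637` hunk is not touched by this diff, so the `--secureboot-certificate` help presumably still names only `sbsign` even though `SystemdSbSign.sign` asserts `opts.sb_cert` as well; the same `sbsign|systemd-sbsign` wording belongs there, and on `--signing-engine` if its help makes the same claim. The man page change touches only the `SecureBootSigningTool=` entry, so the private-key and certificate entries in man/ukify.xml should be checked for the same stale wording.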
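Review bot: In the `@@ -1940` hunk the context comment `# both param given, infer sbsign and in case it was given, ensure signtool=sbsign` no longer describes the check below it, which now also accepts `SystemdSbSign`; it should read `# both params given: infer sbsign, or if a signtool was given, ensure it is sbsign or systemd-sbsign`. With the key/cert pair present and no `--signtool`, the new code still defaults to `SbSign`, which is a sensible compatibility choice, but it means a host that only has systemd-sbsign installed presumably fails later with the sbsign-not-installed message rather than using the tool it has; a one-line comment stating that sbsign stays the default on purpose would save the next reader from "fixing" it. `finalize_options` continues both before and after this hunk.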