From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Tue, 30 May 2023 12:09:44 +0000 (+0200)
Subject: mkosi: Sign expected PCRs
X-Git-Tag: v254-rc1~301^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ee6eedab821c3ad9491efa062ade49f2f550d7f7;p=thirdparty%2Fsystemd.git

mkosi: Sign expected PCRs

This is now possible without a TMP device so let's start signing
PCRs when building images with mkosi.
---

diff --git a/mkosi.conf.d/10-systemd.conf b/mkosi.conf.d/10-systemd.conf
index 640214c8a35..09e8c5c3f16 100644
--- a/mkosi.conf.d/10-systemd.conf
+++ b/mkosi.conf.d/10-systemd.conf
@@ -11,11 +11,6 @@ OutputDirectory=mkosi.output
 BuildDirectory=mkosi.builddir
 CacheDirectory=mkosi.cache
 
-[Validation]
-SecureBoot=yes
-# Disabled until systemd-measure can operate without a TPM device.
-SignExpectedPcr=no
-
 [Host]
 QemuMem=2G
 ExtraSearchPaths=build/
diff --git a/mkosi.presets/20-final/mkosi.conf b/mkosi.presets/20-final/mkosi.conf
index ec0a90feffb..bb158eb0591 100644
--- a/mkosi.presets/20-final/mkosi.conf
+++ b/mkosi.presets/20-final/mkosi.conf
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Content]
+Autologin=yes
 BaseTrees=../../mkosi.output/base
 ExtraTrees=../../src:/root/src
 Initrds=../../mkosi.output/initrd
@@ -35,4 +36,5 @@ Packages=
         zsh
 
 [Validation]
-Autologin=yes
+SecureBoot=yes
+SignExpectedPcr=yes