From: Zbigniew Jędrzejewski-Szmek
Date: Wed, 6 Dec 2023 10:41:56 +0000 (+0100)
Subject: ukify: raise error if genkey is called with no output arguments
X-Git-Tag: v256-rc1~1593^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f3d50fb2c6890c0036614786fb97f46eb561432e;p=thirdparty%2Fsystemd.git
ukify: raise error if genkey is called with no output arguments
The idea is that genkey is called with either --secureboot-private-key= + --secureboot-certificate=, and then it writes those, or with --pcr-private-key + optionally --pcr-public-key and then it writes those, or both. But when called with no arguments whatsover, it did nothing. There is no implicit value for any of those parameters as input (unlike in mkosi), so we also don't want to have implicit values when used as output. But we shouldn't return success if no work was done, this is quite confusing.
---
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index d04b6dfac06..b33c8cf744c 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -932,6 +932,8 @@ def generate_priv_pub_key_pair(keylength : int = 2048) -> tuple[bytes]:
def generate_keys(opts):
+ work = False
+
# This will generate keys and certificates and write them to the paths that
# are specified as input paths.
if opts.sb_key or opts.sb_cert:
@@ -947,6 +949,8 @@ def generate_keys(opts):
print(f'Writing SecureBoot certificate to {opts.sb_cert}')
opts.sb_cert.write_bytes(cert_pem)
+ work = True
+
for priv_key, pub_key, _ in key_path_groups(opts):
priv_key_pem, pub_key_pem = generate_priv_pub_key_pair()
@@ -957,6 +961,11 @@ def generate_keys(opts):
print(f'Writing public key for PCR signing to {pub_key}')
pub_key.write_bytes(pub_key_pem)
+ work = True
+
+ if not work:
+ raise ValueError('genkey: --secureboot-private-key=/--secureboot-certificate= or --pcr-private-key/--pcr-public-key must be specified')
+
def inspect_section(opts, section):
name = section.Name.rstrip(b"\x00").decode()
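Review bot: The message in the new `raise ValueError(...)` at the end of the third hunk is ambiguous about how the PCR options pair up: `--pcr-private-key/--pcr-public-key` reads as if both are required, whereas the commit description says the public key is optional, and the PCR flags are spelled without the trailing `=` that the SecureBoot flags carry. I would make the text state the accepted combinations explicitly, e.g. `raise ValueError('genkey: either --secureboot-private-key= and --secureboot-certificate=, or --pcr-private-key (optionally with --pcr-public-key), must be specified')`, after checking the exact option spellings against the argument parser, which is not in these hunks. Because this is a `ValueError` raised from a subcommand, whether the user gets a clean usage message or a traceback depends on the caller, which is also outside the hunks; a one-line comment above the check, `# Refuse to exit successfully when no output path was given: nothing was written.`, would record why the flag exists. The body of generate_keys between and after these hunks is not visible here.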