git.ipfire.org Git - thirdparty/systemd.git/commit

author	Daan De Meyer <daan.j.demeyer@gmail.com>
	Mon, 4 Nov 2024 23:36:32 +0000 (00:36 +0100)
committer	Daan De Meyer <daan.j.demeyer@gmail.com>
	Wed, 6 Nov 2024 13:00:49 +0000 (14:00 +0100)
commit	5f163921e9ff6d735798db259c47543822f81b5c
tree	c47a09a971a18c1ffac1bfb3e235556a4ece4b6b	tree \| snapshot
parent	0bf70b1984dbef2df289a99976165cb3c90a0781	commit \| diff

Introduce systemd-sbsign to do secure boot signing

Currently in mkosi and ukify we use sbsigntools to do secure boot
signing. This has multiple issues:

- sbsigntools is practically unmaintained, sbvarsign is completely
broken with the latest gnu-efi when built without -fshort-wchar and
upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers
API.
- sbsigntools doesn't allow us to cache hardware token pins in the
kernel keyring like we do nowadays when we sign stuff ourselves in
systemd-repart or systemd-measure

There are alternative tools like sbctl and pesign but these do not
support caching hardware token pins in the kernel keyring either.

To get around the issues with sbsigntools, let's introduce our own
tool systemd-sbsign to do secure boot signing. This allows us to
take advantage of our own openssl infra so that hardware token pins
are cached in the kernel keyring as expected and we get openssl
provider support as well.

man/systemd-sbsign.xml	[new file with mode: 0644]	blob
src/boot/authenticode.h	[new file with mode: 0644]	blob
src/boot/meson.build		diff \| blob \| blame \| history
src/boot/sbsign.c	[new file with mode: 0644]	blob
src/shared/openssl-util.h		diff \| blob \| blame \| history
src/shared/pe-binary.c		diff \| blob \| blame \| history
src/shared/pe-binary.h		diff \| blob \| blame \| history
test/units/TEST-74-AUX-UTILS.sbsign.sh	[new file with mode: 0755]	blob