From: Daan De Meyer
Date: Sun, 3 Nov 2024 17:08:07 +0000 (+0100)
Subject: Add support for openssl providers as key sources
X-Git-Tag: v25~186^2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=refs%2Fpull%2F3166%2Fhead;p=thirdparty%2Fmkosi.git
Add support for openssl providers as key sources
---
diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
index 89f105470..4665bf881 100644
--- a/mkosi/bootloader.py
+++ b/mkosi/bootloader.py
@@ -703,7 +703,7 @@ def install_systemd_boot(context: Context) -> None:
 options += [
 "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501
 ] # fmt: skip
- if context.config.secure_boot_key_source.type == KeySourceType.engine:
+ if context.config.secure_boot_key_source.type != KeySourceType.file:
 cmd += ["--private-key-source", str(context.config.secure_boot_key_source)]
 options += ["--bind", "/run", "/run"]
 if context.config.secure_boot_key.exists():
diff --git a/mkosi/config.py b/mkosi/config.py
index af4d3846c..8653bf9a0 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -1302,6 +1302,7 @@ def file_run_or_read(file: Path) -> str:
 class KeySourceType(StrEnum):
 file = enum.auto()
 engine = enum.auto()
+ provider = enum.auto()
 
 
 @dataclasses.dataclass(frozen=True)
diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md
index d89c6af31..9625ed22e 100644
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
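Review bot: The relaxed condition `!= KeySourceType.file` on the changed line now forwards `provider:` sources to the secure-boot signing command as well, yet the man-page text added in this same commit states that providers are currently only supported for the verity key, so the code and the documentation disagree. Either keep this path restricted to `KeySourceType.engine` and fail early with a clear message when a provider source is configured for secure boot, or drop that sentence from the man page if the tool behind `cmd` does accept provider sources (the command being built is not visible in this hunk, so I cannot tell which is intended). Since the branch also binds the host's `/run` into the sandbox, a one-line comment would make the intent explicit: `# Any non-file source (engine or provider) is handed to the signing tool verbatim; /run is bound so its backend is reachable.` install_systemd_boot starts and continues outside this hunk.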
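Review bot: The new `provider` member is added to `KeySourceType` without any documentation, and because call sites compare members directly (the bootloader hunk in this commit previously tested `== KeySourceType.engine`), any such comparison that remains elsewhere would now silently treat a provider source like a plain file instead of rejecting it. Suggest a short comment on each member: `# file: private key is a path on disk`, `# engine: OpenSSL engine, e.g. engine:pkcs11`, `# provider: OpenSSL provider, e.g. provider:pkcs11 (per the man page, only supported for the verity key so far)`. The parsing of the `provider:` prefix into this enum is not visible on this page, so I am assuming it is handled alongside `engine:` in the KeySource parser.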
@@ -1135,10 +1135,6 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, `SignExpectedPcr=` is also used. When `SecureBootKeySource=` is specified, the input type depends on the source. -`SecureBootKeySource=`, `--secure-boot-key-source=` -: Source of `SecureBootKey=`, to support OpenSSL engines. E.g.: - `--secure-boot-key-source=engine:pkcs11` - `SecureBootCertificate=`, `--secure-boot-certificate=` : Path to the X.509 file containing the certificate for the signed UEFI kernel image, if `SecureBoot=` is used. @@ -1169,10 +1165,6 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, partition is added with systemd-repart. When `VerityKeySource=` is specified, the input type depends on the source. -`VerityKeySource=`, `--verity-key-source=` -: Source of `VerityKey=`, to support OpenSSL engines. E.g.: - `--verity-key-source=engine:pkcs11` - `VerityCertificate=`, `--verity-certificate=` : Path to the X.509 file containing the certificate for signing the verity signature, if a verity signature partition is added with systemd-repart. 
@@ -1190,13 +1182,14 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, When `SignExpectedPcrKeySource=` is specified, the input type depends on the source. -`SignExpectedPcrKeySource=`, `--sign-expected-key-source=` -: Source of `VerityKey=`, to support OpenSSL engines. E.g.: - `--verity-key-source=engine:pkcs11` - `SignExpectedPcrCertificate=`, `--sign-expected-pcr-certificate=` : Path to the X.509 file containing the certificate for signing the expected PCR signatures. +`SecureBootKeySource=`, `--secure-boot-key-source=`, `VerityKeySource=`, `--verity-key-source=`, `SignExpectedPcrKeySource=`, `--sign-expected-key-source=` +: The source of the corresponding private key `SecureBootKey=`, to support OpenSSL engines and providers, + e.g. `--secure-boot-key-source=engine:pkcs11` or `--secure-boot-key-source=provider:pkcs11`. Note that + providers are currently only supported for the verity key. + `Passphrase=`, `--passphrase` : Specify the path to a file containing the passphrase to use for LUKS encryption. It should contain the passphrase literally, and not end in