From a628fe24bbe170bdc7693d96b914ff11cacb6b02 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sun, 11 Feb 2024 00:33:24 +0000
Subject: [PATCH] measure: add support for signing PCR sections with engine/provider
---
 mkosi/__init__.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 55dc15d68..b36401355 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1929,7 +1929,16 @@ def build_uki(
 "--pcr-private-key", context.config.secure_boot_key,
 "--pcr-banks", "sha1,sha256",
 ]
- options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
+ if context.config.secure_boot_key.exists():
+ options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
+ if context.config.secure_boot_key_source.type == KeySource.Type.engine:
+ cmd += [
+ "--signing-engine", context.config.secure_boot_key_source.source,
+ "--pcr-public-key", context.config.secure_boot_certificate,
+ ]
+ options += [
+ "--ro-bind", context.config.secure_boot_certificate, context.config.secure_boot_certificate,
+ ]
 cmd += ["build", "--linux", kimg]
 options += ["--ro-bind", kimg, kimg]
 
-- 
2.47.2
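Review bot: The bind-mount of `context.config.secure_boot_key` in `build_uki` is now gated on `.exists()` rather than on the key source type, so a file-backed key whose path is wrong is silently left out of the sandbox and the error only shows up later, when the signing tool cannot open it. In the engine case the value is presumably a key identifier rather than a path, and `exists()` then tests whatever that string happens to resolve to relative to the working directory. Deciding on the source type keeps the two cases explicit, e.g. `if context.config.secure_boot_key_source.type != KeySource.Type.engine:` in front of the `--ro-bind`, with an early error when the key file is missing. The commit subject also mentions providers, but only `KeySource.Type.engine` is handled in this hunk; the rest of `build_uki` is outside the hunk, so that may be covered elsewhere.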