mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
ukify: Add support for systemd-sbsign
This commit is contained in:
parent
8cbd9d8328
commit
d835c4476b
@ -440,9 +440,9 @@
|
||||
<term><varname>SecureBootSigningTool=<replaceable>SIGNER</replaceable></varname></term>
|
||||
<term><option>--signtool=<replaceable>SIGNER</replaceable></option></term>
|
||||
|
||||
<listitem><para>Whether to use <literal>sbsign</literal> or <literal>pesign</literal>.
|
||||
Depending on this choice, different parameters are required in order to sign an image.
|
||||
Defaults to <literal>sbsign</literal>.</para>
|
||||
<listitem><para>Whether to use <literal>sbsign</literal>, <literal>pesign</literal>, or
|
||||
<literal>systemd-sbsign</literal>. Depending on this choice, different parameters are required in
|
||||
order to sign an image. Defaults to <literal>sbsign</literal>.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
|
||||
</varlistentry>
|
||||
|
@ -526,6 +526,40 @@ class SbSign(SignTool):
|
||||
return 'No signature table present' in info
|
||||
|
||||
|
||||
class SystemdSbSign(SignTool):
|
||||
@staticmethod
|
||||
def sign(input_f: str, output_f: str, opts: UkifyConfig) -> None:
|
||||
assert opts.sb_key is not None
|
||||
assert opts.sb_cert is not None
|
||||
|
||||
tool = find_tool(
|
||||
'systemd-sbsign',
|
||||
'/usr/lib/systemd/systemd-sbsign',
|
||||
opts=opts,
|
||||
msg='systemd-sbsign, required for signing, is not installed',
|
||||
)
|
||||
cmd = [
|
||||
tool,
|
||||
"sign",
|
||||
'--private-key', opts.sb_key,
|
||||
'--certificate', opts.sb_cert,
|
||||
*(
|
||||
['--private-key-source', f'engine:{opts.signing_engine}']
|
||||
if opts.signing_engine is not None
|
||||
else []
|
||||
),
|
||||
input_f,
|
||||
'--output', output_f,
|
||||
] # fmt: skip
|
||||
|
||||
print('+', shell_join(cmd))
|
||||
subprocess.check_call(cmd)
|
||||
|
||||
@staticmethod
|
||||
def verify(opts: UkifyConfig) -> bool:
|
||||
raise NotImplementedError('systemd-sbsign cannot yet verify if existing PE binaries are signed')
|
||||
|
||||
|
||||
def parse_banks(s: str) -> list[str]:
|
||||
banks = re.split(r',|\s+', s)
|
||||
# TODO: do some sanity checking here
|
||||
@ -1477,6 +1511,8 @@ class SignToolAction(argparse.Action):
|
||||
setattr(namespace, 'signtool', SbSign)
|
||||
elif values == 'pesign':
|
||||
setattr(namespace, 'signtool', PeSign)
|
||||
elif values == 'systemd-sbsign':
|
||||
setattr(namespace, 'signtool', SystemdSbSign)
|
||||
else:
|
||||
raise ValueError(f"Unknown signtool '{values}' (this is unreachable)")
|
||||
|
||||
@ -1624,7 +1660,7 @@ CONFIG_ITEMS = [
|
||||
),
|
||||
ConfigItem(
|
||||
'--signtool',
|
||||
choices=('sbsign', 'pesign'),
|
||||
choices=('sbsign', 'pesign', 'systemd-sbsign'),
|
||||
action=SignToolAction,
|
||||
dest='signtool',
|
||||
help=(
|
||||
@ -1637,7 +1673,7 @@ CONFIG_ITEMS = [
|
||||
ConfigItem(
|
||||
'--secureboot-private-key',
|
||||
dest='sb_key',
|
||||
help='required by --signtool=sbsign. Path to key file or engine-specific designation for SB signing',
|
||||
help='required by --signtool=sbsign|systemd-sbsign. Path to key file or engine-specific designation for SB signing', # noqa: E501
|
||||
config_key='UKI/SecureBootPrivateKey',
|
||||
),
|
||||
ConfigItem(
|
||||
@ -1940,11 +1976,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
|
||||
)
|
||||
elif bool(opts.sb_key) and bool(opts.sb_cert):
|
||||
# both param given, infer sbsign and in case it was given, ensure signtool=sbsign
|
||||
if opts.signtool and opts.signtool != SbSign:
|
||||
if opts.signtool and opts.signtool not in (SbSign, SystemdSbSign):
|
||||
raise ValueError(
|
||||
f'Cannot provide --signtool={opts.signtool} with --secureboot-private-key= and --secureboot-certificate=' # noqa: E501
|
||||
)
|
||||
opts.signtool = SbSign
|
||||
if not opts.signtool:
|
||||
opts.signtool = SbSign
|
||||
elif bool(opts.sb_cert_name):
|
||||
# sb_cert_name given, infer pesign and in case it was given, ensure signtool=pesign
|
||||
if opts.signtool and opts.signtool != PeSign:
|
||||
|
Loading…
Reference in New Issue
Block a user