
ukify: Add support for systemd-sbsign

This commit is contained in:
Daan De Meyer 2024-11-05 13:44:18 +01:00
parent 8cbd9d8328
commit d835c4476b
2 changed files with 44 additions and 7 deletions


@ -440,9 +440,9 @@
<term><varname>SecureBootSigningTool=<replaceable>SIGNER</replaceable></varname></term>
<term><option>--signtool=<replaceable>SIGNER</replaceable></option></term>
<listitem><para>Whether to use <literal>sbsign</literal> or <literal>pesign</literal>.
Depending on this choice, different parameters are required in order to sign an image.
Defaults to <literal>sbsign</literal>.</para>
<listitem><para>Whether to use <literal>sbsign</literal>, <literal>pesign</literal>, or
<literal>systemd-sbsign</literal>. Depending on this choice, different parameters are required in
order to sign an image. Defaults to <literal>sbsign</literal>.</para>
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
</varlistentry>


@ -526,6 +526,40 @@ class SbSign(SignTool):
return 'No signature table present' in info
class SystemdSbSign(SignTool):
@staticmethod
def sign(input_f: str, output_f: str, opts: UkifyConfig) -> None:
assert opts.sb_key is not None
assert opts.sb_cert is not None
tool = find_tool(
'systemd-sbsign',
'/usr/lib/systemd/systemd-sbsign',
opts=opts,
msg='systemd-sbsign, required for signing, is not installed',
)
cmd = [
tool,
"sign",
'--private-key', opts.sb_key,
'--certificate', opts.sb_cert,
*(
['--private-key-source', f'engine:{opts.signing_engine}']
if opts.signing_engine is not None
else []
),
input_f,
'--output', output_f,
] # fmt: skip
print('+', shell_join(cmd))
subprocess.check_call(cmd)
@staticmethod
def verify(opts: UkifyConfig) -> bool:
raise NotImplementedError('systemd-sbsign cannot yet verify if existing PE binaries are signed')
def parse_banks(s: str) -> list[str]:
banks = re.split(r',|\s+', s)
# TODO: do some sanity checking here
@ -1477,6 +1511,8 @@ class SignToolAction(argparse.Action):
setattr(namespace, 'signtool', SbSign)
elif values == 'pesign':
setattr(namespace, 'signtool', PeSign)
elif values == 'systemd-sbsign':
setattr(namespace, 'signtool', SystemdSbSign)
else:
raise ValueError(f"Unknown signtool '{values}' (this is unreachable)")
@ -1624,7 +1660,7 @@ CONFIG_ITEMS = [
),
ConfigItem(
'--signtool',
choices=('sbsign', 'pesign'),
choices=('sbsign', 'pesign', 'systemd-sbsign'),
action=SignToolAction,
dest='signtool',
help=(
@ -1637,7 +1673,7 @@ CONFIG_ITEMS = [
ConfigItem(
'--secureboot-private-key',
dest='sb_key',
help='required by --signtool=sbsign. Path to key file or engine-specific designation for SB signing',
help='required by --signtool=sbsign|systemd-sbsign. Path to key file or engine-specific designation for SB signing', # noqa: E501
config_key='UKI/SecureBootPrivateKey',
),
ConfigItem(
@ -1940,11 +1976,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
)
elif bool(opts.sb_key) and bool(opts.sb_cert):
# both param given, infer sbsign and in case it was given, ensure signtool=sbsign
if opts.signtool and opts.signtool != SbSign:
if opts.signtool and opts.signtool not in (SbSign, SystemdSbSign):
raise ValueError(
f'Cannot provide --signtool={opts.signtool} with --secureboot-private-key= and --secureboot-certificate=' # noqa: E501
)
opts.signtool = SbSign
if not opts.signtool:
opts.signtool = SbSign
elif bool(opts.sb_cert_name):
# sb_cert_name given, infer pesign and in case it was given, ensure signtool=pesign
if opts.signtool and opts.signtool != PeSign:
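Review bot: `SystemdSbSign.verify` in the first hunk of this file raises NotImplementedError instead of returning a bool like `SbSign.verify`, so any code path that calls `opts.signtool.verify(opts)` (the caller is not in this diff) will end in a traceback rather than a user-facing message once `--signtool=systemd-sbsign` is selected. If that path is reachable, consider raising `ValueError('systemd-sbsign cannot yet verify if existing PE binaries are signed')` in the style of the other validation errors in `finalize_options`, or stating the limitation in the `--signtool` help text so users know verification is unsupported with this tool. The comment in the last hunk, `# both param given, infer sbsign and in case it was given, ensure signtool=sbsign`, is now stale because the check below it also accepts `SystemdSbSign`; suggest `# both params given: default to sbsign, but allow an explicit sbsign or systemd-sbsign`. Minor style: `"sign"` in the cmd list uses double quotes while every neighbouring literal is single-quoted.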