Add support for bootctl secure boot auto enrollment

Matching PR for systemd/systemd#34948
systemd · Nov 1, 2024 · 8387c4b · 8387c4b
1 parent 5c7db36
commit 8387c4b
Showing 1 changed file with 39 additions and 4 deletions.
diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
@@ -18,6 +18,7 @@
     OutputFormat,
     SecureBootSignTool,
     ShimBootloader,
+    systemd_tool_version,
 )
 from mkosi.context import Context
 from mkosi.distributions import Distribution
@@ -680,11 +681,45 @@ def install_systemd_boot(context: Context) -> None:
                 output = directory / f"{input}.signed"
                 sign_efi_binary(context, input, output)
 
+    cmd = ["bootctl", "install", "--root=/buildroot", "--all-architectures", "--no-variables"]
+    options: list[PathString] = ["--bind", context.root, "/buildroot"]
+
+    bootctlver = systemd_tool_version("bootctl", sandbox=context.sandbox)
+
+    if context.config.secure_boot and context.config.secure_boot_auto_enroll and bootctlver >= 257:
+        assert context.config.secure_boot_certificate
+        assert context.config.secure_boot_key
+
+        cmd += [
+            "--secure-boot-auto-enroll=yes",
+            "--certificate", workdir(context.config.secure_boot_certificate),
+        ]  # fmt: skip
+        options += [
+            "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate),  # noqa: E501
+        ]  # fmt: skip
+        if context.config.secure_boot_key_source.type == KeySourceType.engine:
+            cmd += ["--private-key-source", str(context.config.secure_boot_key_source)]
+            options += ["--bind", "/run", "/run"]
+        if context.config.secure_boot_key.exists():
+            cmd += ["--private-key", workdir(context.config.secure_boot_key)]
+            options += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
+        else:
+            cmd += ["--private-key", context.config.secure_boot_key]
+
     with complete_step("Installing systemd-boot…"):
         run(
-            ["bootctl", "install", "--root=/buildroot", "--all-architectures", "--no-variables"],
-            env={"SYSTEMD_ESP_PATH": "/efi", "SYSTEMD_XBOOTLDR_PATH": "/boot"},
-            sandbox=context.sandbox(binary="bootctl", options=["--bind", context.root, "/buildroot"]),
+            cmd,
+            stdin=(
+                sys.stdin
+                if context.config.secure_boot_key_source.type != KeySourceType.file
+                else subprocess.DEVNULL
+            ),
+            env=context.config.environment | {"SYSTEMD_ESP_PATH": "/efi", "SYSTEMD_XBOOTLDR_PATH": "/boot"},
+            sandbox=context.sandbox(
+                binary="bootctl",
+                options=options,
+                devices=context.config.secure_boot_key_source.type != KeySourceType.file,
+            ),
         )
         # TODO: Use --random-seed=no when we can depend on systemd 256.
         Path(context.root / "efi/loader/random-seed").unlink(missing_ok=True)
@@ -695,7 +730,7 @@ def install_systemd_boot(context: Context) -> None:
                 context.root / shim_second_stage_binary(context),
             )
 
-    if context.config.secure_boot and context.config.secure_boot_auto_enroll:
+    if context.config.secure_boot and context.config.secure_boot_auto_enroll and bootctlver < 257:
         assert context.config.secure_boot_key
         assert context.config.secure_boot_certificate