From 8387c4bd4f15383e40e3371016ca0b99c602c4e4 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Fri, 1 Nov 2024 20:00:55 +0100
Subject: [PATCH] Add support for bootctl secure boot auto enrollment

Matching PR for https://github.com/systemd/systemd/pull/34948
---
 mkosi/bootloader.py | 43 +++++++++++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 4 deletions(-)

diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
index c1c6dc16f..539ecaa21 100644
--- a/mkosi/bootloader.py
+++ b/mkosi/bootloader.py
@@ -18,6 +18,7 @@
 OutputFormat,
 SecureBootSignTool,
 ShimBootloader,
+ systemd_tool_version,
 )
 from mkosi.context import Context
 from mkosi.distributions import Distribution
@@ -680,11 +681,45 @@ def install_systemd_boot(context: Context) -> None:
 output = directory / f"{input}.signed"
 sign_efi_binary(context, input, output)
 
+ cmd = ["bootctl", "install", "--root=/buildroot", "--all-architectures", "--no-variables"]
+ options: list[PathString] = ["--bind", context.root, "/buildroot"]
+
+ bootctlver = systemd_tool_version("bootctl", sandbox=context.sandbox)
+
+ if context.config.secure_boot and context.config.secure_boot_auto_enroll and bootctlver >= 257:
+ assert context.config.secure_boot_certificate
+ assert context.config.secure_boot_key
+
+ cmd += [
+ "--secure-boot-auto-enroll=yes",
+ "--certificate", workdir(context.config.secure_boot_certificate),
+ ] # fmt: skip
+ options += [
+ "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501
+ ] # fmt: skip
+ if context.config.secure_boot_key_source.type == KeySourceType.engine:
+ cmd += ["--private-key-source", str(context.config.secure_boot_key_source)]
+ options += ["--bind", "/run", "/run"]
+ if context.config.secure_boot_key.exists():
+ cmd += ["--private-key", workdir(context.config.secure_boot_key)]
+ options += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
+ else:
+ cmd += ["--private-key", context.config.secure_boot_key]
+
 with complete_step("Installing systemd-boot…"):
 run(
- ["bootctl", "install", "--root=/buildroot", "--all-architectures", "--no-variables"],
- env={"SYSTEMD_ESP_PATH": "/efi", "SYSTEMD_XBOOTLDR_PATH": "/boot"},
- sandbox=context.sandbox(binary="bootctl", options=["--bind", context.root, "/buildroot"]),
+ cmd,
+ stdin=(
+ sys.stdin
+ if context.config.secure_boot_key_source.type != KeySourceType.file
+ else subprocess.DEVNULL
+ ),
+ env=context.config.environment | {"SYSTEMD_ESP_PATH": "/efi", "SYSTEMD_XBOOTLDR_PATH": "/boot"},
+ sandbox=context.sandbox(
+ binary="bootctl",
+ options=options,
+ devices=context.config.secure_boot_key_source.type != KeySourceType.file,
+ ),
 )
 # TODO: Use --random-seed=no when we can depend on systemd 256.
 Path(context.root / "efi/loader/random-seed").unlink(missing_ok=True)
@@ -695,7 +730,7 @@ def install_systemd_boot(context: Context) -> None:
 context.root / shim_second_stage_binary(context),
 )
 
- if context.config.secure_boot and context.config.secure_boot_auto_enroll:
+ if context.config.secure_boot and context.config.secure_boot_auto_enroll and bootctlver < 257:
 assert context.config.secure_boot_key
 assert context.config.secure_boot_certificate
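Review bot: The three key-source-dependent sandbox relaxations in the `>= 257` branch — the read-write `"--bind", "/run", "/run"` for engine sources, `devices=context.config.secure_boot_key_source.type != KeySourceType.file`, and `stdin=sys.stdin` for non-file sources — carry no comment saying what they are for, and together they let bootctl reach far more of the host than the `--bind context.root /buildroot` it had before. A note above the engine branch such as `# NOTE: engine/provider-backed keys get the host's /run, device nodes and an interactive stdin (presumably for the engine's daemon socket and PIN prompts - confirm); file-backed keys stay fully sandboxed` would let a reader check that each widening is still required, and if only one socket under /run is needed, binding that path alone would keep the sandbox tighter. Separately, `if context.config.secure_boot_key.exists():` doubles as the file-vs-engine switch: a file-type key whose path is missing falls into the `else` branch and reaches bootctl as a bare path, so the error surfaces from bootctl rather than from mkosi; branching on `context.config.secure_boot_key_source.type` or asserting existence for file sources would make the intent explicit. The matching `bootctlver < 257` check in the following hunk keeps the legacy enrollment path, so the two thresholds must move together. install_systemd_boot begins before this hunk and continues after it.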