Merge pull request #3166 from DaanDeMeyer/provider

Add support for openssl providers as key sources
systemd · Nov 4, 2024 · af20716 · af20716
2 parents 4755841 + b20749d
commit af20716
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 17 deletions.
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
@@ -4596,7 +4596,7 @@ def run_verb(args: Args, images: Sequence[Config], *, resources: Path) -> None:
 
         return
 
-    assert args.verb.needs_build()
+    assert args.verb == Verb.sandbox or args.verb.needs_build()
 
     if (
         tools

diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
@@ -703,7 +703,7 @@ def install_systemd_boot(context: Context) -> None:
         options += [
             "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate),  # noqa: E501
         ]  # fmt: skip
-        if context.config.secure_boot_key_source.type == KeySourceType.engine:
+        if context.config.secure_boot_key_source.type != KeySourceType.file:
             cmd += ["--private-key-source", str(context.config.secure_boot_key_source)]
             options += ["--bind", "/run", "/run"]
         if context.config.secure_boot_key.exists():

diff --git a/mkosi/config.py b/mkosi/config.py
@@ -104,7 +104,6 @@ def needs_build(self) -> bool:
             Verb.serve,
             Verb.burn,
             Verb.sysupdate,
-            Verb.sandbox,
         )
 
     def needs_config(self) -> bool:
@@ -1303,6 +1302,7 @@ def file_run_or_read(file: Path) -> str:
 class KeySourceType(StrEnum):
     file = enum.auto()
     engine = enum.auto()
+    provider = enum.auto()
 
 
 @dataclasses.dataclass(frozen=True)
@@ -3924,7 +3924,10 @@ def parse_new_includes(self) -> None:
             self.includes.add((st.st_dev, st.st_ino))
 
             if any(p == Path(c) for c in BUILTIN_CONFIGS):
-                _, [config] = parse_config(["--directory", "", "--include", os.fspath(path)])
+                _, [config] = parse_config(
+                    ["--directory", "", "--include", os.fspath(path)],
+                    only_sections=self.only_sections,
+                )
                 make_executable(
                     *config.configure_scripts,
                     *config.clean_scripts,
@@ -4213,7 +4216,10 @@ def parse_config_one(self, path: Path, parse_profiles: bool = False, parse_local
 
 
 def parse_config(
-    argv: Sequence[str] = (), *, resources: Path = Path("/")
+    argv: Sequence[str] = (),
+    *,
+    resources: Path = Path("/"),
+    only_sections: Sequence[str] = (),
 ) -> tuple[Args, tuple[Config, ...]]:
     argv = list(argv)
 
@@ -4291,6 +4297,7 @@ def parse_config(
 
         context.only_sections = ("Include", "Host")
     else:
+        context.only_sections = tuple(only_sections)
         prev = None
 
     context.parse_new_includes()

diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md
@@ -1135,10 +1135,6 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
     `SignExpectedPcr=` is also used. When `SecureBootKeySource=` is specified,
     the input type depends on the source.
 
-`SecureBootKeySource=`, `--secure-boot-key-source=`
-:   Source of `SecureBootKey=`, to support OpenSSL engines. E.g.:
-    `--secure-boot-key-source=engine:pkcs11`
-
 `SecureBootCertificate=`, `--secure-boot-certificate=`
 :   Path to the X.509 file containing the certificate for the signed
     UEFI kernel image, if `SecureBoot=` is used.
@@ -1169,10 +1165,6 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
     partition is added with systemd-repart. When `VerityKeySource=` is specified, the input type depends on
     the source.
 
-`VerityKeySource=`, `--verity-key-source=`
-:   Source of `VerityKey=`, to support OpenSSL engines. E.g.:
-    `--verity-key-source=engine:pkcs11`
-
 `VerityCertificate=`, `--verity-certificate=`
 :   Path to the X.509 file containing the certificate for signing the verity signature, if a verity signature
     partition is added with systemd-repart.
@@ -1190,13 +1182,14 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
     When `SignExpectedPcrKeySource=` is specified, the input type depends on
     the source.
 
-`SignExpectedPcrKeySource=`, `--sign-expected-key-source=`
-:   Source of `VerityKey=`, to support OpenSSL engines. E.g.:
-    `--verity-key-source=engine:pkcs11`
-
 `SignExpectedPcrCertificate=`, `--sign-expected-pcr-certificate=`
 :   Path to the X.509 file containing the certificate for signing the expected PCR signatures.
 
+`SecureBootKeySource=`, `--secure-boot-key-source=`, `VerityKeySource=`, `--verity-key-source=`, `SignExpectedPcrKeySource=`, `--sign-expected-key-source=`
+:   The source of the corresponding private key `SecureBootKey=`, to support OpenSSL engines and providers,
+    e.g. `--secure-boot-key-source=engine:pkcs11` or `--secure-boot-key-source=provider:pkcs11`. Note that
+    providers are currently only supported for the verity key.
+
 `Passphrase=`, `--passphrase`
 :   Specify the path to a file containing the passphrase to use for LUKS
     encryption. It should contain the passphrase literally, and not end in