From 3cc8c6f5e9363813eb2c8f2160ffe0e529a8f40c Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Sun, 3 Nov 2024 20:18:39 +0100 Subject: [PATCH 1/3] Remove sandbox verb from needs_build() It's not a clear cut case whether the sandbox needs a build or not. The needs_build() method was originally intended for verbs that need a full image build but the sandbox build only needs the tools tree. Also, the tools tree is only built if ToolsTree=default and not if set explicitly. More practically, we don't want the JSON history from .mkosi-private to be used when using mkosi sandbox, and that's the only usage of the needs_build() method, so to fix that problem let's remove the sandbox verb from needs_build(). --- mkosi/__init__.py | 2 +- mkosi/config.py | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/mkosi/__init__.py b/mkosi/__init__.py index dfc59d27d..afcc21b00 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -4596,7 +4596,7 @@ def run_verb(args: Args, images: Sequence[Config], *, resources: Path) -> None: return - assert args.verb.needs_build() + assert args.verb == Verb.sandbox or args.verb.needs_build() if ( tools diff --git a/mkosi/config.py b/mkosi/config.py index 75bdb1401..0d09ce2da 100644 --- a/mkosi/config.py +++ b/mkosi/config.py @@ -104,7 +104,6 @@ def needs_build(self) -> bool: Verb.serve, Verb.burn, Verb.sysupdate, - Verb.sandbox, ) def needs_config(self) -> bool: From 400c8125cf75b891842a2860881c3fbee422e6c9 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Sun, 3 Nov 2024 20:31:01 +0100 Subject: [PATCH 2/3] Make sure we only parse [Include] and [Host] from builtin configs as well When we're reusing the history, we were still parsing all sections from builtin configs instead of only the [Include] and [Host] sections. --- mkosi/config.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/mkosi/config.py b/mkosi/config.py index 0d09ce2da..af4d3846c 100644 --- a/mkosi/config.py +++ b/mkosi/config.py 
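Review bot: The relaxed assertion in run_verb gives no hint of why `Verb.sandbox` is exempt from `needs_build()`; the reasoning lives only in the commit message, so a one-line comment above it would keep the invariant readable, e.g. `# sandbox is deliberately not in needs_build(): it only needs the tools tree, not a full image build`. Because `assert` is stripped under `python -O`, the line documents an expectation rather than enforcing it, and the comment should say so if later code in the function relies on it. run_verb's body starts and continues outside the hunk.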
@@ -3923,7 +3923,10 @@ def parse_new_includes(self) -> None: self.includes.add((st.st_dev, st.st_ino)) if any(p == Path(c) for c in BUILTIN_CONFIGS): - _, [config] = parse_config(["--directory", "", "--include", os.fspath(path)]) + _, [config] = parse_config( + ["--directory", "", "--include", os.fspath(path)], + only_sections=self.only_sections, + ) make_executable( *config.configure_scripts, *config.clean_scripts, @@ -4212,7 +4215,10 @@ def parse_config_one(self, path: Path, parse_profiles: bool = False, parse_local def parse_config( - argv: Sequence[str] = (), *, resources: Path = Path("/") + argv: Sequence[str] = (), + *, + resources: Path = Path("/"), + only_sections: Sequence[str] = (), ) -> tuple[Args, tuple[Config, ...]]: argv = list(argv) @@ -4290,6 +4296,7 @@ def parse_config( context.only_sections = ("Include", "Host") else: + context.only_sections = tuple(only_sections) prev = None context.parse_new_includes() From b20749d65c0e03fcd7ada23ebe463584b9a07edf Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Sun, 3 Nov 2024 18:08:07 +0100 Subject: [PATCH 3/3] Add support for openssl providers as key sources --- mkosi/bootloader.py | 2 +- mkosi/config.py | 1 + mkosi/resources/man/mkosi.1.md | 17 +++++------------ 3 files changed, 7 insertions(+), 13 deletions(-) diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py index 89f105470..4665bf881 100644 --- a/mkosi/bootloader.py +++ b/mkosi/bootloader.py @@ -703,7 +703,7 @@ def install_systemd_boot(context: Context) -> None: options += [ "--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501 ] # fmt: skip - if context.config.secure_boot_key_source.type == KeySourceType.engine: + if context.config.secure_boot_key_source.type != KeySourceType.file: cmd += ["--private-key-source", str(context.config.secure_boot_key_source)] options += ["--bind", "/run", "/run"] if context.config.secure_boot_key.exists(): 
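Review bot: The new keyword-only `only_sections` parameter of parse_config is undocumented, and both of its special cases are only discoverable by reading the body: the empty default `()` means every section is parsed, and the argument is silently ignored when the branch above (history reuse, per the commit message) assigns `("Include", "Host")` itself. A comment on the signature such as `# only_sections: restrict parsing to these sections; () parses all; ignored when image history is reused` would make the contract explicit for the recursive call in parse_new_includes, which now forwards `self.only_sections`. The same applies to the `context.only_sections = tuple(only_sections)` hunk. parse_config continues outside the hunk.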
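Review bot: Changing the condition to `!= KeySourceType.file` in install_systemd_boot routes the new `provider` source through the engine path, so `--private-key-source provider:...` is passed to the signing command and `/run` is bind-mounted into the sandbox for it, while the man page text added in this series states that providers are currently only supported for the verity key; one of the two should be reconciled, either by keeping `== KeySourceType.engine` here or by dropping that sentence from the documentation. The `/run` bind is the security-relevant part: it is apparently writable (the certificate above uses a separate `--ro-bind`) and exposes every host runtime socket to the signing step rather than only the one the engine or provider needs, so a comment naming which socket it is there for (presumably a token daemon, to be confirmed) would let a later reviewer narrow it. If other signing paths compare against `KeySourceType.engine` explicitly, they will not pick up the new enum value and should be checked. install_systemd_boot's body continues outside the hunk.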
diff --git a/mkosi/config.py b/mkosi/config.py index af4d3846c..8653bf9a0 100644 --- a/mkosi/config.py +++ b/mkosi/config.py @@ -1302,6 +1302,7 @@ def file_run_or_read(file: Path) -> str: class KeySourceType(StrEnum): file = enum.auto() engine = enum.auto() + provider = enum.auto() @dataclasses.dataclass(frozen=True) diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md index d89c6af31..9625ed22e 100644 --- a/mkosi/resources/man/mkosi.1.md +++ b/mkosi/resources/man/mkosi.1.md @@ -1135,10 +1135,6 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, `SignExpectedPcr=` is also used. When `SecureBootKeySource=` is specified, the input type depends on the source. -`SecureBootKeySource=`, `--secure-boot-key-source=` -: Source of `SecureBootKey=`, to support OpenSSL engines. E.g.: - `--secure-boot-key-source=engine:pkcs11` - `SecureBootCertificate=`, `--secure-boot-certificate=` : Path to the X.509 file containing the certificate for the signed UEFI kernel image, if `SecureBoot=` is used. @@ -1169,10 +1165,6 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, partition is added with systemd-repart. When `VerityKeySource=` is specified, the input type depends on the source. -`VerityKeySource=`, `--verity-key-source=` -: Source of `VerityKey=`, to support OpenSSL engines. E.g.: - `--verity-key-source=engine:pkcs11` - `VerityCertificate=`, `--verity-certificate=` : Path to the X.509 file containing the certificate for signing the verity signature, if a verity signature partition is added with systemd-repart. 
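Review bot: The new `provider` member of KeySourceType has no comment, and because the class is a `StrEnum` using `enum.auto()` its string value is the member name, which is what the `provider:pkcs11` syntax documented elsewhere in this series must match; a short comment would tie the two together, e.g. `# OpenSSL provider, configured as provider:<name> (see *KeySource= in the man page)`. The parser that maps the config string onto this enum is not in the diff, so whether it accepts the new value is not verifiable here.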
@@ -1190,13 +1182,14 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, When `SignExpectedPcrKeySource=` is specified, the input type depends on the source. -`SignExpectedPcrKeySource=`, `--sign-expected-key-source=` -: Source of `VerityKey=`, to support OpenSSL engines. E.g.: - `--verity-key-source=engine:pkcs11` - `SignExpectedPcrCertificate=`, `--sign-expected-pcr-certificate=` : Path to the X.509 file containing the certificate for signing the expected PCR signatures. +`SecureBootKeySource=`, `--secure-boot-key-source=`, `VerityKeySource=`, `--verity-key-source=`, `SignExpectedPcrKeySource=`, `--sign-expected-key-source=` +: The source of the corresponding private key `SecureBootKey=`, to support OpenSSL engines and providers, + e.g. `--secure-boot-key-source=engine:pkcs11` or `--secure-boot-key-source=provider:pkcs11`. Note that + providers are currently only supported for the verity key. + `Passphrase=`, `--passphrase` : Specify the path to a file containing the passphrase to use for LUKS encryption. It should contain the passphrase literally, and not end in