Merge pull request #3063 from DaanDeMeyer/engine
Fix signing with engine
DaanDeMeyer authored Sep 23, 2024
2 parents 803f5f8 + d1b125d commit 5eab779
Showing 2 changed files with 6 additions and 0 deletions.
4 changes: 4 additions & 0 deletions mkosi/__init__.py
Expand Up @@ -1497,6 +1497,7 @@ def build_uki(
] # fmt: skip
if context.config.secure_boot_key_source.type == KeySourceType.engine:
cmd += ["--signing-engine", context.config.secure_boot_key_source.source]
options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
if context.config.secure_boot_key.exists():
options += ["--ro-bind", context.config.secure_boot_key, context.config.secure_boot_key]
else:
Expand Down Expand Up @@ -1526,6 +1527,7 @@ def build_uki(
] # fmt: skip
options += [
"--ro-bind", context.config.secure_boot_certificate, context.config.secure_boot_certificate, # noqa
"--bind-try", "/run/pcscd", "/run/pcscd",
] # fmt: skip

cmd += ["build", "--linux", kimg]
Expand Down Expand Up @@ -2296,6 +2298,7 @@ def check_tools(config: Config, verb: Verb) -> None:
check_systemd_tool(
config,
"systemd-measure",
"/usr/lib/systemd/systemd-measure",
version="256",
reason="sign PCR hashes with OpenSSL engine",
)
Expand Down Expand Up @@ -2788,6 +2791,7 @@ def make_image(
if context.config.verity_key:
if context.config.verity_key_source.type != KeySourceType.file:
cmdline += ["--private-key-source", str(context.config.verity_key_source)]
options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
if context.config.verity_key.exists():
cmdline += ["--private-key", workdir(context.config.verity_key)]
options += ["--ro-bind", context.config.verity_key, workdir(context.config.verity_key)]
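Review bot: In build_uki, the second hunk appends `"--bind-try", "/run/pcscd", "/run/pcscd"` to the same `options` list as the certificate bind with no key-source check visible around it, whereas the first hunk and the make_image hunk add it only for a non-file key source. If that branch also runs for file-based keys, the signing sandbox receives a writable bind of the host's PC/SC daemon directory that it has no use for. Guarding it like the first hunk, `if context.config.secure_boot_key_source.type == KeySourceType.engine: options += ["--bind-try", "/run/pcscd", "/run/pcscd"]`, would limit the exposure to the case that needs it. The enclosing condition lies outside the hunk, so this should be confirmed against the full function.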
2 changes: 2 additions & 0 deletions mkosi/bootloader.py
Expand Up @@ -516,6 +516,7 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
] # fmt: skip
if context.config.secure_boot_key_source.type == KeySourceType.engine:
cmd += ["--engine", context.config.secure_boot_key_source.source]
options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
if context.config.secure_boot_key.exists():
cmd += ["--key", workdir(context.config.secure_boot_key)]
options += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
Expand Down Expand Up @@ -750,6 +751,7 @@ def install_systemd_boot(context: Context) -> None:
] # fmt: skip
if context.config.secure_boot_key_source.type == KeySourceType.engine:
cmd += ["--engine", context.config.secure_boot_key_source.source]
options += ["--bind-try", "/run/pcscd", "/run/pcscd"]
if context.config.secure_boot_key.exists():
cmd += ["--key", workdir(context.config.secure_boot_key)]
options += [
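Review bot: The literal `"--bind-try", "/run/pcscd", "/run/pcscd"` is written out by hand in both sign_efi_binary and install_systemd_boot here, and four more times in mkosi/__init__.py, with no comment saying why the sandbox needs it. A single shared definition, for example `PCSCD_BIND = ["--bind-try", "/run/pcscd", "/run/pcscd"]` (the name is only a suggestion), with a comment such as `# pcscd socket directory, so an OpenSSL engine can reach a smartcard-backed key`, would make every place that exposes the host smart card daemon to a sandboxed tool findable in one search. If `--bind-try` tolerates a missing path, as its name suggests, the comment could also say that a host without pcscd running will fail later inside the signing tool rather than at this point. Both function bodies continue outside the hunks.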
