You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
68 lines
3.3 KiB
68 lines
3.3 KiB
1 month ago
|
From de81c5b27d15ffc61a2c586f8b9a6a7943c061c7 Mon Sep 17 00:00:00 2001
|
||
|
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
||
|
Date: Tue, 5 Mar 2024 20:22:19 +0100
|
||
|
Subject: [PATCH] mkosi: use pesign for signing UKI addons
|
||
|
|
||
|
In C9S/RHEL9 we don't ship sbsign, so we have to use pesign instead.
|
||
|
Unfortunately, ukify doesn't support singing with pesign, so we have to
|
||
|
do that manually.
|
||
|
|
||
|
Related: RHEL-27512
|
||
|
RHEL-only
|
||
|
---
|
||
|
.../system/mkosi.conf.d/10-centos/mkosi.conf | 3 +++
|
||
|
.../usr/lib/systemd/mkosi-check-and-shutdown.sh | 2 +-
|
||
|
mkosi.images/system/mkosi.postinst.chroot | 13 ++++++++++---
|
||
|
3 files changed, 14 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
|
||
|
index 146e03a895..c79ced5130 100644
|
||
|
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
|
||
|
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
|
||
|
@@ -6,3 +6,6 @@ Distribution=centos
|
||
|
[Content]
|
||
|
Packages=
|
||
|
kernel-modules # For squashfs support
|
||
|
+ nss-tools
|
||
|
+ openssl
|
||
|
+ pesign
|
||
|
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
|
||
|
index 4011ab930b..f32128ead2 100755
|
||
|
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
|
||
|
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
|
||
|
@@ -10,7 +10,7 @@ if ! systemd-detect-virt --container; then
|
||
|
cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
|
||
|
cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
|
||
|
|
||
|
- if command -v sbsign &>/dev/null; then
|
||
|
+ if command -v pesign &>/dev/null; then
|
||
|
cat /proc/cmdline
|
||
|
grep -q this_should_be_here /proc/cmdline
|
||
|
(! grep -q this_should_not_be_here /proc/cmdline)
|
||
|
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
|
||
|
index 330fa3b73e..8d2c3d6a37 100755
|
||
|
--- a/mkosi.images/system/mkosi.postinst.chroot
|
||
|
+++ b/mkosi.images/system/mkosi.postinst.chroot
|
||
|
@@ -101,11 +101,18 @@ cat >/usr/lib/tmpfiles.d/testuser.conf <<EOF
|
||
|
q /home/testuser 0700 4711 4711
|
||
|
EOF
|
||
|
|
||
|
-# sbsign is not available on CentOS Stream
|
||
|
-if command -v sbsign &>/dev/null; then
|
||
|
+# RHEL 9 only: we don't ship sbsigntools in RHEL 9 so we have to use pesign
|
||
|
+# instead. Unfortunately, ATTOW ukify doesn't support signing with pesign, so we
|
||
|
+# have to do it manually :(
|
||
|
+if command -v pesign &>/dev/null; then
|
||
|
# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
|
||
|
addons_dir=/efi/loader/addons
|
||
|
mkdir -p "$addons_dir"
|
||
|
- ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
|
||
|
+ ukify build --cmdline this_should_be_here -o "good.addon.efi"
|
||
|
ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
|
||
|
+
|
||
|
+ openssl pkcs12 -name "mkosi" -passin "pass:" -passout "pass:" -export -out mkosi.p12 -inkey mkosi.key -in mkosi.crt
|
||
|
+ pk12util -W "" -i mkosi.p12 -d /etc/pki/pesign
|
||
|
+ pesign -v -s -c "mkosi" -i "good.addon.efi" -o "$addons_dir/good.addon.efi"
|
||
|
+ pesign -S -i"$addons_dir/good.addon.efi"
|
||
|
fi
|