rpms/systemd
7
0
Fork 0
Code Issues Pull Requests Releases Activity
981555c9c2
systemd/0798-mkosi-use-pesign-for-signing-UKI-addons.patch
Jan Macku 75aa201631 systemd-252-37 
Resolves: RHEL-13159,RHEL-20322,RHEL-27512,RHEL-30372,RHEL-31070,RHEL-31219,RHEL-33890,RHEL-35703,RHEL-38864,RHEL-40878,RHEL-6589
2024-06-13 16:16:12 +02:00

68 lines
3.3 KiB
Diff
Raw Blame History

From de81c5b27d15ffc61a2c586f8b9a6a7943c061c7 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 5 Mar 2024 20:22:19 +0100
Subject: [PATCH] mkosi: use pesign for signing UKI addons
In C9S/RHEL9 we don't ship sbsign, so we have to use pesign instead.
Unfortunately, ukify doesn't support singing with pesign, so we have to
do that manually.
Related: RHEL-27512
RHEL-only
---
.../system/mkosi.conf.d/10-centos/mkosi.conf | 3 +++
.../usr/lib/systemd/mkosi-check-and-shutdown.sh | 2 +-
mkosi.images/system/mkosi.postinst.chroot | 13 ++++++++++---
3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
index 146e03a895..c79ced5130 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -6,3 +6,6 @@ Distribution=centos
[Content]
Packages=
kernel-modules # For squashfs support
+ nss-tools
+ openssl
+ pesign
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
index 4011ab930b..f32128ead2 100755
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -10,7 +10,7 @@ if ! systemd-detect-virt --container; then
cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
- if command -v sbsign &>/dev/null; then
+ if command -v pesign &>/dev/null; then
cat /proc/cmdline
grep -q this_should_be_here /proc/cmdline
(! grep -q this_should_not_be_here /proc/cmdline)
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index 330fa3b73e..8d2c3d6a37 100755
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -101,11 +101,18 @@ cat >/usr/lib/tmpfiles.d/testuser.conf <<EOF
q /home/testuser 0700 4711 4711
EOF
-# sbsign is not available on CentOS Stream
-if command -v sbsign &>/dev/null; then
+# RHEL 9 only: we don't ship sbsigntools in RHEL 9 so we have to use pesign
+# instead. Unfortunately, ATTOW ukify doesn't support signing with pesign, so we
+# have to do it manually :(
+if command -v pesign &>/dev/null; then
# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
addons_dir=/efi/loader/addons
mkdir -p "$addons_dir"
- ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+ ukify build --cmdline this_should_be_here -o "good.addon.efi"
ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+
+ openssl pkcs12 -name "mkosi" -passin "pass:" -passout "pass:" -export -out mkosi.p12 -inkey mkosi.key -in mkosi.crt
+ pk12util -W "" -i mkosi.p12 -d /etc/pki/pesign
+ pesign -v -s -c "mkosi" -i "good.addon.efi" -o "$addons_dir/good.addon.efi"
+ pesign -S -i"$addons_dir/good.addon.efi"
fi
Reference in New Issue View Git Blame Copy Permalink