mkosi: Sign expected PCRs

This is now possible without a TMP device so let's start signing PCRs when building images with mkosi.
author: Daan De Meyer <daan.j.demeyer@gmail.com> 2023-05-30 14:09:44 +0200
committer: Daan De Meyer <daan.j.demeyer@gmail.com> 2023-06-02 15:43:28 +0200
commit: ee6eedab821c3ad9491efa062ade49f2f550d7f7 (patch)
tree: ff309c95d5e314006e2cd0d1b58811676167a873
parent: mkosi: Remove file blacklisting erofs module in opensuse initrd (diff)
download: systemd-ee6eedab821c3ad9491efa062ade49f2f550d7f7.tar.xz
systemd-ee6eedab821c3ad9491efa062ade49f2f550d7f7.zip
2 files changed, 3 insertions, 6 deletions
diff --git a/mkosi.conf.d/10-systemd.conf b/mkosi.conf.d/10-systemd.conf
index 640214c8a3..09e8c5c3f1 100644
--- a/mkosi.conf.d/10-systemd.conf
+++ b/mkosi.conf.d/10-systemd.conf
@@ -11,11 +11,6 @@ OutputDirectory=mkosi.output
 BuildDirectory=mkosi.builddir
 CacheDirectory=mkosi.cache
 
-[Validation]
-SecureBoot=yes
-# Disabled until systemd-measure can operate without a TPM device.
-SignExpectedPcr=no
-
 [Host]
 QemuMem=2G
 ExtraSearchPaths=build/
diff --git a/mkosi.presets/20-final/mkosi.conf b/mkosi.presets/20-final/mkosi.conf
index ec0a90feff..bb158eb059 100644
--- a/mkosi.presets/20-final/mkosi.conf
+++ b/mkosi.presets/20-final/mkosi.conf
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Content]
+Autologin=yes
 BaseTrees=../../mkosi.output/base
 ExtraTrees=../../src:/root/src
 Initrds=../../mkosi.output/initrd
@@ -35,4 +36,5 @@ Packages=
         zsh
 
 [Validation]
-Autologin=yes
+SecureBoot=yes
+SignExpectedPcr=yes
author	Daan De Meyer <daan.j.demeyer@gmail.com>	2023-05-30 14:09:44 +0200
committer	Daan De Meyer <daan.j.demeyer@gmail.com>	2023-06-02 15:43:28 +0200
commit	ee6eedab821c3ad9491efa062ade49f2f550d7f7 (patch)
tree	ff309c95d5e314006e2cd0d1b58811676167a873
parent	mkosi: Remove file blacklisting erofs module in opensuse initrd (diff)
download	systemd-ee6eedab821c3ad9491efa062ade49f2f550d7f7.tar.xz systemd-ee6eedab821c3ad9491efa062ade49f2f550d7f7.zip