author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2023-05-08 16:06:41 +0200 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2023-05-13 10:49:17 +0200 |
commit | 47e5e12866af14112452aeb8bc43a66191c6fbc1 (patch) | |
tree | f1f38524a56a3e7a5a3957ed638ba493bbb48650 /mkosi.conf.d/10-systemd.conf | |
parent | mkosi: Store /etc under /usr/share/factory/mkosi (diff) | |
mkosi: Package a erofs usr partition with signed verity

Let's start moving towards a more involved partitioning setup to
test our stuff more when using mkosi.

The root partition is generated on boot with systemd-repart.

CentOS supports neither erofs nor btrfs so we use squashfs and xfs
instead.

We also enable SecureBoot= locally for additional coverage. This
and the use of verity means users need to run `mkosi genkey` once
to generate the keys necessary to do secure boot and verity.
Diffstat (limited to 'mkosi.conf.d/10-systemd.conf')
-rw-r--r-- | mkosi.conf.d/10-systemd.conf | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/mkosi.conf.d/10-systemd.conf b/mkosi.conf.d/10-systemd.conf index 41a8c2e856..ec0f690d4e 100644 --- a/mkosi.conf.d/10-systemd.conf +++ b/mkosi.conf.d/10-systemd.conf @@ -11,6 +11,11 @@ OutputDirectory=mkosi.output BuildDirectory=mkosi.builddir CacheDirectory=mkosi.cache +[Validation] +SecureBoot=yes +# Disabled until systemd-measure can operate without a TPM device. +SignExpectedPcr=no + [Host] QemuMem=2G ExtraSearchPaths=build/ @@ -29,3 +34,5 @@ KernelCommandLineExtra=systemd.crash_shell ip=enp0s1:any # Make sure sulogin works even with a locked root account. SYSTEMD_SULOGIN_FORCE=1 + # Make sure /sysroot is mounted rw in the initrd. + rw |
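Review bot: In the first hunk, `SecureBoot=yes` under the new `[Validation]` section carries no comment about the key requirement, while the commit message says users must run `mkosi genkey` once before secure boot and verity signing can work. Someone who reads only the config will not learn that from this file. Consider a one-line comment above `SecureBoot=yes` pointing at `mkosi genkey`, in the same way the `SignExpectedPcr=no` line already explains why it is disabled. It would also help if that existing comment named the condition to watch for (systemd-measure working without a TPM device) in a form that can be searched for later, so the setting is not left at `no` indefinitely.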
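Review bot: In the second hunk, the comment above the added `rw` kernel command line entry states the effect ("Make sure /sysroot is mounted rw in the initrd.") but not the reason it is needed. Since this commit moves to a signed verity `/usr` with a root partition generated on boot, a reader will want to know which part of that setup depends on a writable `/sysroot` and whether `rw` can be dropped again later. Suggest extending the comment with the reason, for example by naming the step that fails when `/sysroot` is mounted read-only.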