authorLuca Boccassi <bluca@debian.org>2023-05-11 11:45:59 +0200
committerGitHub <noreply@github.com>2023-05-11 11:45:59 +0200
commitfcb4ba6c141a09db40b0a9f79331714eae7ccb91 (patch)
tree4962371f3184e7284b6f807f5857e1681987745e /src/ukify/test
parentMerge pull request #27596 from yuwata/drop-pure (diff)
parentsrc/ukify/test/test_ukify: fix skipped tests (diff)
Merge pull request #27539 from esposem/ukify_pesign
ukify: support pesign as alternative to sbsign
Diffstat (limited to 'src/ukify/test')
-rwxr-xr-xsrc/ukify/test/test_ukify.py57
1 files changed, 54 insertions, 3 deletions
diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
index 6853205958..692b7a384b 100755
--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@@ -221,12 +221,15 @@ def test_config_priority(tmp_path):
DeviceTree = some/path2
Splash = some/path3
Uname = 1.2.3
- EFIArch=arm
+ EFIArch = arm
Stub = some/path4
PCRBanks = sha512,sha1
SigningEngine = engine1
+ SignTool = pesign
SecureBootPrivateKey = some/path5
SecureBootCertificate = some/path6
+ SecureBootCertificateDir = some/path7
+ SecureBootCertificateName = some/name1
SignKernel = no
[PCRSignature:NAME]
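Review bot: The new `SignTool = pesign` line in the config file uses the same value that the command line passes later in this test (`--signtool=pesign`, second hunk), so the added `assert opts.signtool == 'pesign'` in the third hunk cannot tell whether the command line actually took priority over the file. The neighbouring certificate options use different values on each side (`some/path7` vs `SBPATH`, `some/name1` vs `SBNAME`) and do exercise the override. Assuming `sbsign` is an accepted value for this option, the config line could read `SignTool = sbsign` so that the choice of signing tool is covered by the priority check as well. test_config_priority starts and ends outside this hunk.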
@@ -248,8 +251,11 @@ def test_config_priority(tmp_path):
'--pcr-public-key=PKEY2',
'--pcr-banks=SHA1,SHA256',
'--signing-engine=ENGINE',
+ '--signtool=pesign',
'--secureboot-private-key=SBKEY',
'--secureboot-certificate=SBCERT',
+ '--secureboot-certificate-dir=SBPATH',
+ '--secureboot-certificate-name=SBNAME',
'--sign-kernel',
'--no-sign-kernel',
'--tools=TOOLZ///',
@@ -279,8 +285,11 @@ def test_config_priority(tmp_path):
pathlib.Path('some/path8')]
assert opts.pcr_banks == ['SHA1', 'SHA256']
assert opts.signing_engine == 'ENGINE'
+ assert opts.signtool == 'pesign'
assert opts.sb_key == 'SBKEY'
assert opts.sb_cert == 'SBCERT'
+ assert opts.sb_certdir == 'SBPATH'
+ assert opts.sb_cert_name == 'SBNAME'
assert opts.sign_kernel is False
assert opts.tools == [pathlib.Path('TOOLZ/')]
assert opts.output == pathlib.Path('OUTPUT')
@@ -314,7 +323,7 @@ def kernel_initrd():
for item in items:
try:
linux = f"{item['root']}{item['linux']}"
- initrd = f"{item['root']}{item['initrd'][0]}"
+ initrd = f"{item['root']}{item['initrd'][0].split(' ')[0]}"
except (KeyError, IndexError):
continue
return [linux, initrd]
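Review bot: The added `.split(' ')[0]` on the first initrd entry has no comment saying why the entry may contain a space, and it would silently shorten an initrd path that itself contains one. Presumably the entry can carry extra space-separated tokens after the path; if so, a comment such as `# the initrd entry may have extra space-separated tokens after the path; keep only the path` would record that for the next reader. kernel_initrd begins outside this hunk.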
@@ -410,7 +419,7 @@ def test_uname_scraping(kernel_initrd):
uname = ukify.Uname.scrape(kernel_initrd[0])
assert re.match(r'\d+\.\d+\.\d+', uname)
-def test_efi_signing(kernel_initrd, tmpdir):
+def test_efi_signing_sbsign(kernel_initrd, tmpdir):
if kernel_initrd is None:
pytest.skip('linux+initrd not found')
if not shutil.which('sbsign'):
@@ -447,6 +456,48 @@ def test_efi_signing(kernel_initrd, tmpdir):
assert 'Signature verification OK' in dump
+def test_efi_signing_pesign(kernel_initrd, tmpdir):
+ if kernel_initrd is None:
+ pytest.skip('linux+initrd not found')
+ if not shutil.which('pesign'):
+ pytest.skip('pesign not found')
+
+ nss_db = f'{tmpdir}/nss_db'
+ name = 'Test_Secureboot'
+ author = 'systemd'
+
+ subprocess.check_call(['mkdir', '-p', nss_db])
+ cmd = f'certutil -N --empty-password -d {nss_db}'.split(' ')
+ subprocess.check_call(cmd)
+ cmd = f'efikeygen -d {nss_db} -S -k -c CN={author} -n {name}'.split(' ')
+ subprocess.check_call(cmd)
+
+ output = f'{tmpdir}/signed.efi'
+ opts = ukify.parse_args([
+ *kernel_initrd,
+ f'--output={output}',
+ '--uname=1.2.3',
+ '--signtool=pesign',
+ '--cmdline=ARG1 ARG2 ARG3',
+ f'--secureboot-certificate-name={name}',
+ f'--secureboot-certificate-dir={nss_db}',
+ ])
+
+ try:
+ ukify.check_inputs(opts)
+ except OSError as e:
+ pytest.skip(str(e))
+
+ ukify.make_uki(opts)
+
+ # let's check that sbverify likes the resulting file
+ dump = subprocess.check_output([
+ 'pesign', '-S',
+ '-i', output,
+ ], text=True)
+
+ assert f"The signer's common name is {author}" in dump
+
def test_pcr_signing(kernel_initrd, tmpdir):
if kernel_initrd is None:
pytest.skip('linux+initrd not found')
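Review bot: The last assertion in test_efi_signing_pesign only searches the output of `pesign -S -i output` for the signer's common name, which as far as I can tell lists the signatures on the file rather than validating them, so the test can pass without proving that the UKI verifies against the certificate generated in `nss_db`; the sbsign test above asserts 'Signature verification OK' by comparison. The comment over that call still names sbverify and could read `# check that pesign reports our test certificate as the signer`. The test also skips only when `pesign` is missing, while `certutil` and `efikeygen` are run through `check_call` and would fail the test if absent: `if not shutil.which('certutil') or not shutil.which('efikeygen'): pytest.skip('certutil or efikeygen not found')`. Passing those two commands as argument lists instead of `f'...'.split(' ')` would also keep a `tmpdir` containing a space from being split into separate arguments.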