-rw-r--r--man/ukify.xml8
-rwxr-xr-xsrc/ukify/ukify.py15
2 files changed, 21 insertions, 2 deletions
diff --git a/man/ukify.xml b/man/ukify.xml
index 33d9d26d2d..06ae550530 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -330,6 +330,14 @@
</varlistentry>
<varlistentry>
+ <term><varname>SecureBootCertificateValidity=<replaceable>DAYS</replaceable></varname></term>
+ <term><option>--secureboot-certificate-validity=<replaceable>DAYS</replaceable></option></term>
+
+ <listitem><para>Period of validity (in days) for a certificate created by
+ <command>genkey</command>. Defaults to 3650, i.e. 10 years.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>SigningEngine=<replaceable>ENGINE</replaceable></varname></term>
<term><option>--signing-engine=<replaceable>ENGINE</replaceable></option></term>
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index 4fc3ce2e19..3db2bac384 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -759,8 +759,8 @@ def temporary_umask(mask: int):
def generate_key_cert_pair(
common_name: str,
+ valid_days: int,
keylength: int = 2048,
- valid_days: int = 365 * 10, # TODO: can we drop the expiration date?
) -> tuple[bytes]:
from cryptography import x509
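Review bot: Inserting `valid_days` as a required positional parameter ahead of `keylength` changes the positional meaning of the second argument, so any existing call of the form `generate_key_cert_pair(cn, 4096)` would now silently be interpreted as a 4096-day validity with the default key length instead of a 4096-bit key. Both parameters are configuration knobs rather than natural positionals, so I would make them keyword-only: `common_name: str, *, valid_days: int, keylength: int = 2048,` — the only caller visible in this diff already passes keywords. The function also has no guard for `valid_days <= 0`; a non-positive value yields a certificate whose not-after precedes its not-before, so a one-line `if valid_days <= 0: raise ValueError('valid_days must be positive')` at the top of the body would fail early with a clear message. The body of generate_key_cert_pair continues outside the hunk, so I cannot confirm where the value is consumed.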
@@ -835,7 +835,10 @@ def generate_keys(opts):
if opts.sb_key or opts.sb_cert:
fqdn = socket.getfqdn()
cn = f'SecureBoot signing key on host {fqdn}'
- key_pem, cert_pem = generate_key_cert_pair(common_name=cn)
+ key_pem, cert_pem = generate_key_cert_pair(
+ common_name=cn,
+ valid_days=opts.sb_cert_validity,
+ )
print(f'Writing SecureBoot private key to {opts.sb_key}')
with temporary_umask(0o077):
opts.sb_key.write_bytes(key_pem)
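Review bot: `opts.sb_cert_validity` is forwarded unchecked, and the ConfigItem that defines it in the third hunk declares no `type`, so a value given on the command line or in the config file may reach this call as a string rather than an int, depending on how ConfigItem treats untyped options (its definition is not visible here). I would add `type = int,` to that ConfigItem, or coerce at this call site with `valid_days=int(opts.sb_cert_validity)`, so the failure mode is a parse error rather than a TypeError from deep inside certificate construction. A non-positive validity should also be rejected before the key is generated, e.g. `if opts.sb_cert_validity <= 0: raise ValueError('--secureboot-certificate-validity must be positive')`, since nothing else in this path would catch it. generate_keys begins and ends outside the hunk.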
@@ -1153,6 +1156,14 @@ uki.addon,1,UKI Addon,uki.addon,1,https://www.freedesktop.org/software/systemd/m
help = 'required by --signtool=pesign. pesign needs a certificate nickname of nss certificate database entry to use for PE signing',
config_key = 'UKI/SecureBootCertificateName',
),
+ ConfigItem(
+ '--secureboot-certificate-validity',
+ metavar = 'DAYS',
+ dest = 'sb_cert_validity',
+ default = 365 * 10,
+ help = "period of validity (in days) for a certificate created by 'genkey'",
+ config_key = 'UKI/SecureBootCertificateValidity',
+ ),
ConfigItem(
'--sign-kernel',