| Commit message | Author | Age | Files | Lines |
Currently in mkosi and ukify we use sbsigntools to do secure boot
signing. This has multiple issues:
- sbsigntools is practically unmaintained, sbvarsign is completely
broken with the latest gnu-efi when built without -fshort-wchar and
upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers
API.
- sbsigntools doesn't allow us to cache hardware token pins in the
kernel keyring like we do nowadays when we sign stuff ourselves in
systemd-repart or systemd-measure.
There are alternative tools like sbctl and pesign but these do not
support caching hardware token pins in the kernel keyring either.
To get around the issues with sbsigntools, let's introduce our own
tool systemd-sbsign to do secure boot signing. This allows us to
take advantage of our own openssl infra so that hardware token pins
are cached in the kernel keyring as expected and we get openssl
provider support as well.
Let's move these to shared so we can reuse pe_hash() in the upcoming
systemd-sbsign.
This splits out the core part into a new function
pe_section_table_find().
pe_header_find_section() takes a PeHeader as input, while
pe_section_table_find() just takes the section table and its size.
This renames pe_read_section_data() to pe_read_section_data_by_name()
and makes pe_read_section_data() a bit more low-level: it takes a header
table entry directly, instead of searching it first by name.
PE EFI add-on
.osrel is also optional, but sd-boot and bootctl require it.
So, let's keep the .osrel section at least for now.
Fixes #32774.
If it's not a UEFI binary, then it's not a UKI.