| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The API introduced in https://github.com/systemd/systemd/pull/34295
is less than ideal:
- It doesn't consider signing at all (ukify can't sign separately yet)
- Measurement is completely broken (all profile sections are marked to
not be measured)
- It focuses on a very niche use case of extending existing UKIs and makes
the more common use case of building a UKI with several profiles included
much harder than needed.
Let's instead rework the API to focus on the primary use case of building
a UKI with multiple profiles added to it immediately. We require the profiles
to be built upfront as separate PE binaries with UKI. There's no need to sign
or measure these, they're solely vehicles for profile sections. This saves us
from having to complicate the command line and config parsing to support defining
multiple profiles.
To add the profiles when building a UKI, we introduce the new --add-profile
switch which takes a path to a PE binary describing a profile. The required
sections are read from each PE binary, measured and added as a profile.
The integration test is disabled until the new API is merged and exposed in
mkosi so that building a UKI with profiles can be left to mkosi and the integration
test will only test the switching between profiles and not the building of UKIs
with profiles.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
sections to later extend"
This reverts commit b6570095ce889b07242d36cd05fa1d1899d0bc6c.
|
| |
|
|
| |
This reverts commit bc3e2c5a5774ae7b212817d04e04abccf30088ae.
|
| |
|
|
|
|
| |
Now that we properly leave sufficient space for inline execution of
the .linux section, let's remove the special casing of the .linux
section as it doesn't need to be the last section anymore now.
|
| |
|
|
|
|
|
|
|
| |
The SizeOfImage is bigger than the image itself so that space is
guaranteed to be available for in place execution of the linux image. Let's
make sure we take this into account and use SizeOfImage as the section's virtual
size instead of the size of the image itself.
Fixes #34578
|
| | |
|
| |
|
|
|
| |
This prints a python data structure which we shouldn't do during
normal operation.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
later extend
This options is pretty simple, it allows specifying an UKI whose
sections to import first, and place at the beginning of the new UKI.
This is useful for generating multi-profile UKIs piecemeal: generate the
base UKI first, then append a profile, and another one and another one.
The sections imported this way are not included in any PCR signature,
the assumption is that that already happened before in the imported UKI.
|
| |
|
|
|
|
| |
This just allows including .profile sections, but doesn't try to be
smart about it. This alone won't help you much to create valid
multi-profile UKIs.
|
| |
|
|
|
|
|
|
|
| |
Follow up for 8b3b01c4b7e0fde39b4be354990ee68f5e612c52
We switch to PROJECT_VERSION instead of PROJECT_VERSION_FULL where
we report our version and which is likely being parsed to avoid
breaking compat. If we didn't, the output would change from systemd
255 to systemd 255.1 which could break various tools.
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously, the order was quite chaotic, even sometimes interleaved with
entirely unrelated switches. Let's clean this up and use the same order
as in the spec.
This doesn't change anything real, but I think it's a worthy clean-up in
particular as this order is documented as the PCR measurement order of
these sections, hence there's actually a bit of relevance to always
communicate the same order everywhere.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Let's follow our usual ordering.
Follow-up for a05fa30f88e522101c8412deecd7f598e2254b20.
|
| |
|
|
|
| |
This commit teaches ukify how to build a .ucode section into UKIs. This
section is functionally an initrd, intended for microcode updates.
|
| |
|
|
|
|
|
|
|
|
| |
This was lost on refactor, and only addons had a default uki
line in the .sbat. Add it back, and differentiate between the
default for UKIs vs the default for addons, so that they can
be revoked separately. These are only defaults and users are
encouraged to provide their own.
Follow-up for a8b645dec8e6abf4c9ba0c93a6a0088953a2155e
|
| |
|
|
| |
Follow-up for 419b25ddcac39cf967555c7a2eaa274fbf1ad03c
|
| | |
|
| |
|
|
|
|
| |
Generic EFI zboot added since kernel 6.1
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/firmware/efi/libstub/Makefile.zboot?h=v6.1
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/firmware/efi/libstub/zboot-header.S?h=v6.1
|
| |
|
|
|
| |
GIT_VERSION isn't actually available so use VERSION_TAG instead which
is available.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's make sure that versions generated by meson-vcs-tag.sh always
sort higher than official and stable releases. We achieve this by
immediately updating the meson version in meson.build after a new
release. To make sure this version always sorts lower than future
rcs, we suffix it with "~devel" which will sort lower than "~rcX".
The new release workflow is to update the version in meson.build
for each rc and the official release and to also update the version
number after a new release to the next development version.
The full version is exposed as PROJECT_VERSION_FULL and used where
it makes sense over PROJECT_VERSION.
We also switch to reading the version from a meson.version file in
the repo instead of hardcoding it in meson.build. This makes it
easier to access both inside and outside of the project.
The meson-vcs-tag.sh script is rewritten to query the version from
meson.version instead of passing it in via the command line. This
makes it easier to use outside of systemd since users don't have to
query the version themselves first.
|
| |
|
|
|
| |
https://www.kernel.org/ links to https://docs.kernel.org/ for the documentation.
These URLs are shorter and nicer looking.
|
| |
|
|
|
| |
For compat with older Python versions, since datetime.UTC is an alias
introduced in Python 3.11.
|
| |\
| |
| | |
Use exec() to import ukify
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The idea is that genkey is called with either
--secureboot-private-key= + --secureboot-certificate=, and then it
writes those, or with --pcr-private-key + optionally --pcr-public-key
and then it writes those, or both. But when called with no arguments
whatsover, it did nothing.
There is no implicit value for any of those parameters as input (unlike in
mkosi), so we also don't want to have implicit values when used as output.
But we shouldn't return success if no work was done, this is quite confusing.
|
| | |
| |
| |
| | |
As requested in review.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Before:
$ python src/ukify/ukify.py genkey --secureboot-private-key=sb2.key --secureboot-certificate=sb2.cert --secureboot-certificate-validity=111
Traceback (most recent call last):
File "/home/zbyszek/src/systemd-work/src/ukify/ukify.py", line 1660, in <module>
main()
File "/home/zbyszek/src/systemd-work/src/ukify/ukify.py", line 1652, in main
generate_keys(opts)
File "/home/zbyszek/src/systemd-work/src/ukify/ukify.py", line 943, in generate_keys
key_pem, cert_pem = generate_key_cert_pair(
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/zbyszek/src/systemd-work/src/ukify/ukify.py", line 891, in generate_key_cert_pair
now + ONE_DAY * valid_days
~~~~~~~~^~~~~~~~~~~~
TypeError: can't multiply sequence by non-int of type 'datetime.timedelta'
Now:
$ python src/ukify/ukify.py genkey --secureboot-private-key=sb2.key --secureboot-certificate=sb2.cert --secureboot-certificate-validity=111
Writing SecureBoot private key to sb2.key
Writing SecureBoot certificate to sb2.cert
The new code is also clearer.
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for
removal in a future version. Use timezone-aware objects to
represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
The difference between the two is that .now(datetime.UTC) returns an object with
a timezone attached, "the numbers" are the same.
>>> datetime.datetime.utcnow(), datetime.datetime.now(datetime.UTC)
(datetime.datetime(2023, 12, 1, 9, 37, 53, 891669),
datetime.datetime(2023, 12, 1, 9, 37, 53, 891688, tzinfo=datetime.timezone.utc))
This value is fed to cryptography's x509.CertificateBuilder object, so as long
as it can accept a datetime object with tzinfo, the result should be identical.
|
| |
|
|
|
|
|
|
| |
Fixup for e87dec82bec6eff015b368b3c746810d684fc6af:
I misunderstood the format. It's actually CBOR, i.e. some binary format.
When trying to show show text we would first check if it's valid UTF-8,
so we would handle this gracefully, i.e. emit a warning and not print
the contents.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
There are draft proposals to embed SBOM metadata in the .sbom section of PE
binaries [1], in the coSWID XML format. Some details of how this is actually
implemented might change, but it seems very likely that both section name and
it being text will stay. Let's show the section as text to make such binaries
easier to inspect. ([1] recommends using 'objcopy -j .sbom' which isn't
particularly readable.) Once there's more standarization of the actual
format, we can add pretty-printing and/or syntax highlighting.
[1] https://uefi.org/blog/firmware-sbom-proposal
[2] https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The details of formatting are copied from mkosi. This results in the following:
usage:
ukify build [--linux=LINUX] [--initrd=INITRD] [options…]
ukify genkey [options…]
ukify inspect FILE… [options…]
Build and sign Unified Kernel Images
options:
--version show program's version number and exit
...
I put "[options…]" at the end, because that's what one would generally do
with long options like "--cmdline" and others.
|
| | |
|
| |\
| |
| | |
ukify: automatically infer --signtool from the parameters given
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
If an option like SecureBootCertificateDir is given, it should override
the default '/etc/pki/pesign'. Until now the config file option were
always ignored if they had a default.
So from now on, every ConfigItem with a config_key and default field
should also give config_push = ConfigItem.config_set.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
--signtool is actually useless: it can be inferred depending on if
--secureboot-certificate-name (pesign) is given, or
--secureboot-private-key and --secureboot-certificate (sbsign) is given.
Leave the option just for backwards compatibility.
|
| | |
| |
| |
| | |
Fixup for df4a46733a609f1673de0bebb38e89fffd70c16c.
|
| |/
|
|
|
|
| |
* Explicitly import attributes rsa and serialization from cryptography.hazmat
Signed-off-by: Valentin Lefebvre <valentin.lefebvre@suse.com>
|
| | |
|
| |
|
|
|
| |
If the user does not specify a config file to use, ukify will try looking for one at {/run,/etc,/usr/local/lib,/usr/lib}/systemd/ukify.conf in order and then use the first one found. Also made sure the --config input is a pathlib.Path by specifying its type in its CONFIG_ITEMS entry.
Big cheers to Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> for helping!
|
| |
|
|
|
| |
Inspired by https://github.com/systemd/systemd/pull/28997.
Noticed by Alvin Alvarado <alvin@striczkof.io>.
|
| |
|
|
|
|
|
| |
ignore_padding= was only added in a recent version of pefile. Let's
set length= to the virtual size instead which is what ignore_padding
does behind the scenes so we're compatible with older versions of
pefile.
|
| |
|
|
| |
Also, drop the respective disable directives from existing files.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Handle the case when all the arguments are passed in through a
configuration file:
$ cat ukify.conf
[UKI]
Linux = /boot/vmlinuz-linux
Initrd = /boot/initramfs-linux.img
Before:
$ src/ukify/ukify.py --config ukify.conf build
Traceback (most recent call last):
File "/root/systemd/src/ukify/ukify.py", line 1604, in <module>
main()
File "/root/systemd/src/ukify/ukify.py", line 1590, in main
opts = parse_args()
^^^^^^^^^^^^
File "/root/systemd/src/ukify/ukify.py", line 1584, in parse_args
apply_config(opts)
File "/root/systemd/src/ukify/ukify.py", line 1431, in apply_config
item.apply_config(namespace, section_name, group, key, value)
File "/root/systemd/src/ukify/ukify.py", line 1123, in apply_config
self.config_push(namespace, group, dest, value)
File "/root/systemd/src/ukify/ukify.py", line 1019, in config_list_prepend
setattr(namespace, dest, value + old)
~~~~~~^~~~~
TypeError: can only concatenate list (not "NoneType") to list
After:
$ src/ukify/ukify.py --config ukify.conf build
Kernel version not specified, starting autodetection 😖.
Found uname version: 6.4.7-arch1-3
Wrote unsigned vmlinuz-linux.unsigned.efi
Resolves: #28688
|
| |
|
|
|
|
|
|
| |
We were running systemd-measure before adding the sbat section,
let's fix that.
Also make sure we only pass --linux to systemd-measure once instead
of twice.
|
| |
|
|
| |
Follow-up for df4a46733a609f1673de0bebb38e89fffd70c16c.
|
