path: root/src/ukify/ukify.py
Commit message [Author; Age; Files; Lines]
* ukify: Switch to JSON HWID description format (#35208) [Zbigniew Jędrzejewski-Szmek; 5 days; 1; -65/+19]
|\
| |     Fixes #35176
| * ukify: Switch to JSON HWID description format [anonymix007; 10 days; 1; -65/+19]
| |
* | ukify: Fix typing error [Daan De Meyer; 7 days; 1; -1/+1]
|/
* ukify: fix parsing of SignTool configuration option [Zbigniew Jędrzejewski-Szmek; 13 days; 1; -31/+24]
|     This partially reverts 02eabaffe98c9a3b5dec1c4837968a4d3e2ff7db.
|
|     As noted in https://github.com/systemd/systemd/pull/35211:
|     > The configuration parsing simply stores the string as-is, rather than
|     > creating the appropriate object
|
|     One way to fix the issue would be to store the "appropriate object",
|     i.e. actually the class. But that makes the code very verbose, with the
|     conversion being done in two places. And that still doesn't fix the issue,
|     because we need to map the class objects back to the original name in
|     error messages. So instead, store the setting as a string and only map it
|     to the class much later. This makes the code simpler and fixes the error
|     messages too.
|
|     Resolves https://github.com/systemd/systemd/pull/35193
* ukify: Use new .hwids PE section format [anonymix007; 2024-11-15; 1; -5/+17]
|
* ukify: Support building UKIs with a .hwids section [anonymix007; 2024-11-14; 1; -2/+125]
|     This section contains a predefined set of HWIDs and the corresponding
|     compatibles to be used in dtb matching
* ukify: Support building UKIs with .dtbauto sections [anonymix007; 2024-11-14; 1; -49/+82]
|
* Introduce systemd-keyutil to do various key/certificate operations (#35095) [Lennart Poettering; 2024-11-11; 1; -6/+6]
|\
| |     Let's gather generic key/certificate operations in a new tool
| |     systemd-keyutil instead of spreading them across various special
| |     purpose tools.
| |
| |     Fixes #35087
| * Introduce systemd-keyutil to do various key/certificate operations [Daan De Meyer; 2024-11-08; 1; -6/+6]
| |     Let's gather generic key/certificate operations in a new tool
| |     systemd-keyutil instead of spreading them across various special
| |     purpose tools.
| |
| |     Fixes #35087
* | ukify: Fix broken assert when building a signed addon [Valentin David; 2024-11-09; 1; -2/+1]
|/
|     An assert always expected a kernel when signature key was present in
|     command line. That prevented building signed addons.
|
|     Fixes #35041
* ukify: Introduce --certificate-provider= option [Daan De Meyer; 2024-11-07; 1; -38/+52]
|     This translates to --certificate-source=provider:<provider> for signing
|     tools invoked by ukify.
* ukify: Add --signing-provider= option [Daan De Meyer; 2024-11-06; 1; -7/+29]
|
* ukify: Add support for systemd-sbsign [Daan De Meyer; 2024-11-06; 1; -4/+41]
|
* ukify: fix typo [Yu Watanabe; 2024-10-16; 1; -1/+1]
|     Follow-up for 02eabaffe98c9a3b5dec1c4837968a4d3e2ff7db.
* ukify: Add more mypy options [Jörg Behrmann; 2024-10-14; 1; -2/+3]
|     This achieves parity with the mypy config used in mkosi.
|
|     The import of builtins is needed because otherwise type is attempted to
|     be resolved to the variable in the scope.
* ukify: Add UkifyConfig [Jörg Behrmann; 2024-10-14; 1; -36/+86]
|     Using a dataclass instead of an argparse namespace to pass around the
|     parsed options allows to track the types properly.
* ukify: Add a unified interface for signing tools [Jörg Behrmann; 2024-10-14; 1; -95/+104]
|
* ukify: Fix type of UKI.executable [Jörg Behrmann; 2024-10-14; 1; -1/+1]
|
* ukify: Require both key and cert be set in generate_keys [Jörg Behrmann; 2024-10-12; 1; -1/+1]
|     If either is None the write in this branch of the code will fail.
* ukify: Add missing typing for iterator [Jörg Behrmann; 2024-10-12; 1; -1/+1]
|
* ukify: fix return value type of resolve_at_path() [Yu Watanabe; 2024-10-10; 1; -1/+1]
|     Follow-up for eca003de2f3a708c44946d36af6517cbcf3392ff.
* ukify: Read .profile from path starting with @ [Daan De Meyer; 2024-10-09; 1; -0/+2]
|
* ukify: Introduce resolve_at_path() [Daan De Meyer; 2024-10-09; 1; -6/+13]
|
* ukify: Fix off by one error [Daan De Meyer; 2024-10-09; 1; -1/+1]
|     We weren't measuring the profile section itself.
* ukify: Factor out sbat into constants [Jörg Behrmann; 2024-10-09; 1; -10/+13]
|
* ukify: Ensure that find_tool always returns a tool or throws an error [Jörg Behrmann; 2024-10-09; 1; -19/+5]
|     This also makes the error message configurable, so that find_sbsign and
|     find_pesign can be inlined again.
* ukify: Move summary option handling out of finalize_options [Jörg Behrmann; 2024-10-09; 1; -6/+4]
|     This way finalize_options will not call sys.exit by itself.
* ukify: Type-annotate ukify [Jörg Behrmann; 2024-10-09; 1; -79/+117]
|
* ukify: Make it lint clean [Jörg Behrmann; 2024-10-09; 1; -11/+20]
|
* ukify: Use OSError instead of IOError [Jörg Behrmann; 2024-10-09; 1; -1/+1]
|     The latter was deprecated for the former and is only an alias for it.
* ukify: Use non-deprecated import for Sequence [Jörg Behrmann; 2024-10-09; 1; -1/+1]
|
* ukify: Sort imports [Jörg Behrmann; 2024-10-09; 1; -4/+4]
|
* ukify: Import Path directly [Jörg Behrmann; 2024-10-09; 1; -41/+41]
|
* ukify: Format with ruff [Jörg Behrmann; 2024-10-09; 1; -330/+388]
|
* ukify: Rework multi-profile UKIs [Daan De Meyer; 2024-10-04; 1; -19/+103]
|     The API introduced in https://github.com/systemd/systemd/pull/34295
|     is less than ideal:
|     - It doesn't consider signing at all (ukify can't sign separately yet)
|     - Measurement is completely broken (all profile sections are marked to
|       not be measured)
|     - It focuses on a very niche use case of extending existing UKIs and
|       makes the more common use case of building a UKI with several profiles
|       included much harder than needed.
|
|     Let's instead rework the API to focus on the primary use case of
|     building a UKI with multiple profiles added to it immediately.
|
|     We require the profiles to be built upfront as separate PE binaries
|     with UKI. There's no need to sign or measure these, they're solely
|     vehicles for profile sections. This saves us from having to complicate
|     the command line and config parsing to support defining multiple
|     profiles.
|
|     To add the profiles when building a UKI, we introduce the new
|     --add-profile switch which takes a path to a PE binary describing a
|     profile. The required sections are read from each PE binary, measured
|     and added as a profile.
|
|     The integration test is disabled until the new API is merged and
|     exposed in mkosi so that building a UKI with profiles can be left to
|     mkosi and the integration test will only test the switching between
|     profiles and not the building of UKIs with profiles.
* ukify: Fix Profile config setting [Daan De Meyer; 2024-10-03; 1; -3/+3]
|
* ukify: Introduce pe_strip_section_name() [Daan De Meyer; 2024-10-03; 1; -3/+7]
|
* Revert "ukify: add new --extend= switch for importing an existing UKI's sections to later extend" [Daan De Meyer; 2024-10-03; 1; -65/+17]
|     This reverts commit b6570095ce889b07242d36cd05fa1d1899d0bc6c.
* Revert "ukify: introduce new --measure-base= switch" [Daan De Meyer; 2024-10-03; 1; -65/+6]
|     This reverts commit bc3e2c5a5774ae7b212817d04e04abccf30088ae.
* ukify: Remove special casing for .linux section [Daan De Meyer; 2024-09-30; 1; -21/+11]
|     Now that we properly leave sufficient space for inline execution of
|     the .linux section, let's remove the special casing of the .linux
|     section as it doesn't need to be the last section anymore now.
* ukify: Use SizeOfImage from linux image as virtual size of .linux section [Daan De Meyer; 2024-09-30; 1; -2/+12]
|     The SizeOfImage is bigger than the image itself so that space is
|     guaranteed to be available for in place execution of the linux image.
|     Let's make sure we take this into account and use SizeOfImage as the
|     section's virtual size instead of the size of the image itself.
|
|     Fixes #34578
* ukify: Drop unused size() method [Daan De Meyer; 2024-09-30; 1; -3/+0]
|
* ukify: Remove debug log [Daan De Meyer; 2024-09-17; 1; -3/+0]
|     This prints a python data structure which we shouldn't do during
|     normal operation.
* ukify: introduce new --measure-base= switch [Lennart Poettering; 2024-09-06; 1; -8/+72]
|
* ukify: add new --extend= switch for importing an existing UKI's sections to later extend [Lennart Poettering; 2024-09-06; 1; -17/+65]
|     This option is pretty simple, it allows specifying an UKI whose
|     sections to import first, and place at the beginning of the new UKI.
|
|     This is useful for generating multi-profile UKIs piecemeal: generate
|     the base UKI first, then append a profile, and another one and another
|     one.
|
|     The sections imported this way are not included in any PCR signature,
|     the assumption is that that already happened before in the imported UKI.
* ukify: add basic .profile support [Lennart Poettering; 2024-09-06; 1; -0/+9]
|     This just allows including .profile sections, but doesn't try to be
|     smart about it. This alone won't help you much to create valid
|     multi-profile UKIs.
* meson: Fix various versions [Daan De Meyer; 2024-07-04; 1; -1/+1]
|     Follow up for 8b3b01c4b7e0fde39b4be354990ee68f5e612c52
|
|     We switch to PROJECT_VERSION instead of PROJECT_VERSION_FULL where we
|     report our version and which is likely being parsed to avoid breaking
|     compat. If we didn't, the output would change from systemd 255 to
|     systemd 255.1 which could break various tools.
* ukify: bring order of EFI sections in man + --help into same order as spec [Lennart Poettering; 2024-07-03; 1; -44/+47]
|     Previously, the order was quite chaotic, even sometimes interleaved
|     with entirely unrelated switches. Let's clean this up and use the same
|     order as in the spec.
|
|     This doesn't change anything real, but I think it's a worthy clean-up
|     in particular as this order is documented as the PCR measurement order
|     of these sections, hence there's actually a bit of relevance to always
|     communicate the same order everywhere.
* ukify: suffix switches that take parameters with = in log output [Lennart Poettering; 2024-07-03; 1; -1/+1]
|
* treewide: fix a few typos in NEWS, docs, comments, and log messages [Dmitry V. Levin; 2024-04-27; 1; -1/+1]
|