Commit message | Author | Age | Files | Lines
later extend
This option is pretty simple: it allows specifying a UKI whose
sections to import first, and place at the beginning of the new UKI.
This is useful for generating multi-profile UKIs piecemeal: generate the
base UKI first, then append a profile, and another one and another one.
The sections imported this way are not included in any PCR signature,
the assumption is that that already happened before in the imported UKI.
This just allows including .profile sections, but doesn't try to be
smart about it. This alone won't help you much to create valid
multi-profile UKIs.
Follow-up for 987f4bce938e790622a4b4b89d37daa7adfdc141.
Copied directly from a1d6dbb1c94685d7972f63ed2762fe4ba0251287.
On Fedora, with crypto policy TEST-FEDORA41, sha1 is not allowed:
$ SYSTEMD_LOG_LEVEL=debug build/systemd-measure sign \
    --linux=/lib/modules/6.9.7-200.fc40.x86_64/vmlinuz \
    --osrel=/tmp/tmp.osrelbl2sr77f \
    --cmdline=/tmp/tmp.cmdlineouc7hqtj \
    --uname=/tmp/tmp.unamecbjgesty \
    --pcrpkey=/tmp/tmpufiadu8l \
    --initrd=/boot/3a9d668b4db749398a4a5e78a03bffa5/6.9.7-200.fc40.x86_64/initrd \
    --sbat=/tmp/tmp.sbataz9arpy0 \
    --private-key=/tmp/tmppyf0gx6w \
    --public-key=/tmp/tmpufiadu8l \
    --bank=sha1
Measuring boot phases: enter-initrd, enter-initrd:leave-initrd, enter-initrd:leave-initrd:sysinit, enter-initrd:leave-initrd:sysinit:ready
Loaded 'libtss2-esys.so.0' via dlopen()
Loaded 'libtss2-rc.so.0' via dlopen()
Loaded 'libtss2-mu.so.0' via dlopen()
PolicyPCR calculated digest: cec1a2ccb188ddd171a2be7bfa6b31cb9148776647354eb1069e0f891ed2dbe7
Failed to initialize signature context: error:03000098:digital envelope routines::invalid digest
Failed to sign PCR policy: Input/output error
They might not be readable to the unprivileged user running the tests
and it shouldn't really matter what is used. OTOH, we need a real kernel
because we look at the header.
Follow-up for 8b3b01c4b7e0fde39b4be354990ee68f5e612c52
We switch to PROJECT_VERSION instead of PROJECT_VERSION_FULL where
we report our version and which is likely being parsed to avoid
breaking compat. If we didn't, the output would change from systemd
255 to systemd 255.1 which could break various tools.
Previously, the order was quite chaotic, even sometimes interleaved with
entirely unrelated switches. Let's clean this up and use the same order
as in the spec.
This doesn't change anything real, but I think it's a worthy clean-up in
particular as this order is documented as the PCR measurement order of
these sections, hence there's actually a bit of relevance to always
communicate the same order everywhere.
Let's follow our usual ordering.
Follow-up for a05fa30f88e522101c8412deecd7f598e2254b20.
This commit teaches ukify how to build a .ucode section into UKIs. This
section is functionally an initrd, intended for microcode updates.
This was lost on refactor, and only addons had a default uki
line in the .sbat. Add it back, and differentiate between the
default for UKIs vs the default for addons, so that they can
be revoked separately. These are only defaults and users are
encouraged to provide their own.
Follow-up for a8b645dec8e6abf4c9ba0c93a6a0088953a2155e
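As an added illustration (not systemd or ukify code) of why the UKI and addon defaults need distinct component names: the script below assembles a .sbat section from the SBAT header plus a per-artifact default entry and evaluates it against an SbatLevel-style revocation policy (component name, minimum accepted generation), so raising the required generation for `uki` leaves addons untouched and vice versa. The two default entry strings are assumptions written in SBAT's CSV format, the policies are constructed, and the fail-closed treatment of a missing `sbat` entry is this example's own choice; the real defaults ukify ships are not reproduced on this page.

```python
"""Added example, not code from ukify or systemd: build a .sbat section and
evaluate it against an SBAT revocation policy (SbatLevel-style list of
minimum component generations)."""
from __future__ import annotations

import csv
import io

# Every .sbat section starts with the SBAT format entry itself.
SBAT_HEADER = "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"

# Assumed per-artifact defaults (illustrative, not copied from the project).
# A distinct component_name for UKIs and for addons is what lets a policy
# revoke one without the other.
DEFAULT_UKI_ENTRY = "uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/"
DEFAULT_ADDON_ENTRY = "uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html"

# component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
SBAT_FIELDS = 6


def build_sbat(kind: str, user_entries: list[str] | None = None) -> str:
    """Return the text of a .sbat section for kind 'uki' or 'addon'.

    The generic default only identifies the artifact type; distributors are
    expected to add their own line(s) via user_entries so that their build can
    be revoked independently of the generic default."""
    if kind == "uki":
        default = DEFAULT_UKI_ENTRY
    elif kind == "addon":
        default = DEFAULT_ADDON_ENTRY
    else:
        raise ValueError(f"unknown artifact kind {kind!r}")
    lines = [SBAT_HEADER, default, *(user_entries or [])]
    return "\n".join(lines) + "\n"


def parse_sbat(text: str) -> dict[str, int]:
    """Parse .sbat CSV into {component_name: component_generation}.

    Malformed lines raise instead of being skipped: a truncated or corrupted
    SBAT section must not silently turn into 'no constraints'."""
    generations: dict[str, int] = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line (e.g. trailing newline)
        if len(row) != SBAT_FIELDS:
            raise ValueError(f"sbat line {lineno}: expected {SBAT_FIELDS} fields, got {len(row)}")
        name, gen = row[0], row[1]
        if not gen.isdigit():
            raise ValueError(f"sbat line {lineno}: generation {gen!r} is not a number")
        if name in generations:
            raise ValueError(f"sbat line {lineno}: duplicate component {name!r}")
        generations[name] = int(gen)
    return generations


def revoked_components(sbat_text: str, policy: dict[str, int]) -> list[str]:
    """Return the components the policy revokes; empty means the binary is allowed.

    policy maps component_name -> minimum accepted generation. A component the
    policy does not mention is unconstrained. A section without the mandatory
    'sbat' entry is reported as revoked outright (fail closed; this example's
    own choice)."""
    generations = parse_sbat(sbat_text)
    if "sbat" not in generations:
        return ["sbat"]
    return [name for name, gen in generations.items()
            if name in policy and gen < policy[name]]


if __name__ == "__main__":
    # Constructed vendor entry and policy for the demonstration.
    uki = build_sbat("uki", ["example.uki,1,Example Vendor,example-uki,2024.1,https://example.invalid/uki"])
    addon = build_sbat("addon")
    policy = {"sbat": 1, "uki": 2}  # bump the generic UKI default, leave addons alone
    print(uki, end="")
    print("uki revoked by:", revoked_components(uki, policy))
    print("addon revoked by:", revoked_components(addon, policy))
```

Run it to see the generic `uki` entry tripping the policy while the addon, which only carries `uki-addon`, passes; swapping the policy to `{"uki-addon": 2}` inverts the result.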
Follow-up for 419b25ddcac39cf967555c7a2eaa274fbf1ad03c
Generic EFI zboot has been available since kernel 6.1:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/firmware/efi/libstub/Makefile.zboot?h=v6.1
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/firmware/efi/libstub/zboot-header.S?h=v6.1
GIT_VERSION isn't actually available so use VERSION_TAG instead which
is available.
I have a large initrd (built with mkosi-initrd) and the test-ukify takes 30 s.
Let's use the usual approach of skipping the slowest tests.
(pytest has marks, and it would be nicer to mark tests with pytest.mark.slow,
and then use "-m 'not slow'" in the meson test invocation. But markers must be
pre-registered, otherwise pytest emits a warning. There are a few ways to
register markers, but they all require "project configuration", but because of
how we invoke pytest, this is hard to do. So let's just use an environment
variable.)
Let's make sure that versions generated by meson-vcs-tag.sh always
sort higher than official and stable releases. We achieve this by
immediately updating the meson version in meson.build after a new
release. To make sure this version always sorts lower than future
rcs, we suffix it with "~devel" which will sort lower than "~rcX".
The new release workflow is to update the version in meson.build
for each rc and the official release and to also update the version
number after a new release to the next development version.
The full version is exposed as PROJECT_VERSION_FULL and used where
it makes sense over PROJECT_VERSION.
We also switch to reading the version from a meson.version file in
the repo instead of hardcoding it in meson.build. This makes it
easier to access both inside and outside of the project.
The meson-vcs-tag.sh script is rewritten to query the version from
meson.version instead of passing it in via the command line. This
makes it easier to use outside of systemd since users don't have to
query the version themselves first.
To get rid of the "invalid escape sequence" warning:
=============================== warnings summary ===============================
../src/ukify/test/test_ukify.py:876
../src/ukify/test/test_ukify.py:876: SyntaxWarning: invalid escape sequence '\s'
assert re.search('Issuer: CN\s?=\s?SecureBoot signing key on host', out)
https://www.kernel.org/ links to https://docs.kernel.org/ for the documentation.
These URLs are shorter and nicer looking.
For compat with older Python versions, since datetime.UTC is an alias
introduced in Python 3.11.
Which dropped some whitespace in the output:
$ openssl version
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
$ openssl x509 -in cert.pem -text -noout | grep Issuer
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
$ openssl version
OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
$ openssl x509 -in cert.pem -text -noout | grep Issuer
Issuer: C = XX, L = Default City, O = Default Company Ltd
Making test-ukify unhappy:
> assert 'Issuer: CN = SecureBoot signing key on host' in out
E AssertionError: assert 'Issuer: CN = SecureBoot signing key on host' in '<...snip...>Issuer: CN=SecureBoot signing key on host archlinux2\n...'
Use exec() to import ukify
With a sufficiently large initrd, the tests take 25 s on my laptop.
Normally, they'd be quicker, but since we use what we find on the
system, we don't control this. Let's raise the timeout to reduce the
chances of a spurious failure.
pytest intentionally keeps around a limited number of the previous test
temporary directories [1]. This is generally OK, but in our tests that generate
initrds, we create a few very large files (both the initrd and kernel in a few
copies), which quickly adds up. I had a particularly large initrd (because of
some mkosi-initrd shenanigans), and I ended up with dozens of gigabytes of
temporary files from the tests. Let's just nuke the dirs where we write
kernel data.
[1] https://github.com/pytest-dev/pytest/issues/543
Quoting https://docs.pytest.org/en/stable/how-to/tmp_path.html#the-default-base-temporary-directory:
> The tmpdir and tmpdir_factory fixtures are similar to tmp_path and
> tmp_path_factory, but use/return legacy py.path.local objects rather than
> standard pathlib.Path objects.
>
> These days, it is preferred to use tmp_path and tmp_path_factory.
The idea is that genkey is called with either
--secureboot-private-key= + --secureboot-certificate=, and then it
writes those, or with --pcr-private-key + optionally --pcr-public-key
and then it writes those, or both. But when called with no arguments
whatsoever, it did nothing.
There is no implicit value for any of those parameters as input (unlike in
mkosi), so we also don't want to have implicit values when used as output.
But we shouldn't return success if no work was done, this is quite confusing.
As requested in review.
Follow-up for bf35f9c83541785726dce41e54496a07f4841621.
Before:
$ python src/ukify/ukify.py genkey --secureboot-private-key=sb2.key --secureboot-certificate=sb2.cert --secureboot-certificate-validity=111
Traceback (most recent call last):
File "/home/zbyszek/src/systemd-work/src/ukify/ukify.py", line 1660, in <module>
main()
File "/home/zbyszek/src/systemd-work/src/ukify/ukify.py", line 1652, in main
generate_keys(opts)
File "/home/zbyszek/src/systemd-work/src/ukify/ukify.py", line 943, in generate_keys
key_pem, cert_pem = generate_key_cert_pair(
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/zbyszek/src/systemd-work/src/ukify/ukify.py", line 891, in generate_key_cert_pair
now + ONE_DAY * valid_days
~~~~~~~~^~~~~~~~~~~~
TypeError: can't multiply sequence by non-int of type 'datetime.timedelta'
Now:
$ python src/ukify/ukify.py genkey --secureboot-private-key=sb2.key --secureboot-certificate=sb2.cert --secureboot-certificate-validity=111
Writing SecureBoot private key to sb2.key
Writing SecureBoot certificate to sb2.cert
The new code is also clearer.
The regexp only worked if the sections were small enough for the size to
start with "0". I have an initrd that is 0x1078ec7e bytes, so the tests
would spuriously fail.
DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for
removal in a future version. Use timezone-aware objects to
represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
The difference between the two is that .now(datetime.UTC) returns an object with
a timezone attached, "the numbers" are the same.
>>> datetime.datetime.utcnow(), datetime.datetime.now(datetime.UTC)
(datetime.datetime(2023, 12, 1, 9, 37, 53, 891669),
datetime.datetime(2023, 12, 1, 9, 37, 53, 891688, tzinfo=datetime.timezone.utc))
This value is fed to cryptography's x509.CertificateBuilder object, so as long
as it can accept a datetime object with tzinfo, the result should be identical.
Fixup for e87dec82bec6eff015b368b3c746810d684fc6af:
I misunderstood the format. It's actually CBOR, i.e. some binary format.
When trying to show text we would first check if it's valid UTF-8,
so we would handle this gracefully, i.e. emit a warning and not print
the contents.
There are draft proposals to embed SBOM metadata in the .sbom section of PE
binaries [1], in the coSWID XML format. Some details of how this is actually
implemented might change, but it seems very likely that both section name and
it being text will stay. Let's show the section as text to make such binaries
easier to inspect. ([1] recommends using 'objcopy -j .sbom' which isn't
particularly readable.) Once there's more standardization of the actual
format, we can add pretty-printing and/or syntax highlighting.
[1] https://uefi.org/blog/firmware-sbom-proposal
[2] https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html
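The two messages above (the .sbom display, and its fixup noting that the section is actually CBOR) describe a rule worth seeing in code: walk the PE section table, and print a section's contents only if the bytes are valid UTF-8 text, otherwise warn and skip it. What follows is an added example, not ukify's own implementation. The in-memory PE image, the os-release and command-line contents, and the CBOR-looking .sbom payload are constructed here for the demonstration; the parser itself bounds-checks every offset it reads, since an inspect tool is routinely pointed at untrusted files.

```python
"""Added example, not ukify code: a bounds-checked PE section reader with the
"show a section only if it is text" rule, exercised on a constructed image."""
from __future__ import annotations

import struct

FILE_ALIGN = 0x200               # file alignment used by the constructed image
COFF_HEADER = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums, Characteristics
SECTION_HEADER_LEN = struct.calcsize(SECTION_HEADER)  # 40

# Constructed section payloads for the demonstration.
SAMPLE_OSREL = b'NAME="Example OS"\nID=example\nVERSION_ID=1\n'
SAMPLE_CMDLINE = b"console=ttyS0 quiet\n"
# Binary stand-in for a CBOR .sbom: a CBOR map byte followed by bytes 0xff/0xfe,
# which never occur in valid UTF-8.
SAMPLE_SBOM = b"\xa2\x67sha256\xff\xfe\x00\x01"
SAMPLE_SECTIONS = [(b".osrel", SAMPLE_OSREL), (b".cmdline", SAMPLE_CMDLINE), (b".sbom", SAMPLE_SBOM)]


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_test_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Build a minimal PE32+ image with the given (name, payload) sections.
    Only the headers the parser needs are meaningful; it is not bootable."""
    e_lfanew = 0x40
    opt_size = 240  # PE32+ optional header size; zeroed except for the magic
    header_len = e_lfanew + 4 + struct.calcsize(COFF_HEADER) + opt_size + SECTION_HEADER_LEN * len(sections)
    data_start = _align(header_len, FILE_ALIGN)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack(COFF_HEADER, 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    table, blobs = b"", b""
    raw_ptr, vaddr = data_start, 0x1000
    for name, payload in sections:
        raw_size = _align(len(payload), FILE_ALIGN)
        # 0x40000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
        table += struct.pack(SECTION_HEADER, name, len(payload), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        blobs += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += _align(max(len(payload), 1), 0x1000)
    return (dos + coff + opt + table).ljust(data_start, b"\0") + blobs


def parse_pe_sections(data: bytes) -> dict[str, bytes]:
    """Return {section_name: payload} in file order, raising ValueError on any
    header that points outside the file instead of reading garbage."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff_len = struct.calcsize(COFF_HEADER)
    if e_lfanew + 4 + coff_len > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    table = e_lfanew + 4 + coff_len + opt_size
    if table + SECTION_HEADER_LEN * nsections > len(data):
        raise ValueError("section table extends past end of file")
    sections: dict[str, bytes] = {}
    for k in range(nsections):
        name, vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HEADER, data, table + k * SECTION_HEADER_LEN)
        if raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name!r} points past end of file")
        # SizeOfRawData is padded to the file alignment; VirtualSize, when set,
        # is the real payload length.
        size = min(vsize, raw_size) if vsize else raw_size
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + size]
    return sections


def section_as_text(payload: bytes) -> str | None:
    """Return the payload as text if it is valid UTF-8 with no NUL or other
    control characters (tab, newline and CR allowed), else None so the caller
    can warn instead of dumping binary such as CBOR to the terminal."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if any(ord(ch) < 0x20 and ch not in "\t\n\r" for ch in text):
        return None
    return text


def inspect(data: bytes) -> list[tuple[str, int, str | None]]:
    """Summarize sections as (name, size, text-or-None) in file order."""
    return [(name, len(payload), section_as_text(payload)) for name, payload in parse_pe_sections(data).items()]


if __name__ == "__main__":
    for name, size, text in inspect(build_test_pe(SAMPLE_SECTIONS)):
        print(f"{name:<9} size=0x{size:x}")
        if text is None:
            print("  warning: section is not text, not printing contents")
        else:
            print("  " + text.rstrip("\n").replace("\n", "\n  "))
```

Running it prints .osrel and .cmdline verbatim and only a warning for .sbom. The VirtualSize/SizeOfRawData handling matters in practice: without it a text section would carry its alignment padding of NUL bytes and fail the control-character check.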
The details of formatting are copied from mkosi. This results in the following:
usage:
ukify build [--linux=LINUX] [--initrd=INITRD] [options…]
ukify genkey [options…]
ukify inspect FILE… [options…]
Build and sign Unified Kernel Images
options:
--version show program's version number and exit
...
I put "[options…]" at the end, because that's what one would generally do
with long options like "--cmdline" and others.
ukify: automatically infer --signtool from the parameters given
If an option like SecureBootCertificateDir is given, it should override
the default '/etc/pki/pesign'. Until now the config file options were
always ignored if they had a default.
So from now on, every ConfigItem with a config_key and default field
should also give config_push = ConfigItem.config_set.
--signtool is actually useless: it can be inferred depending on whether
--secureboot-certificate-name (pesign) is given, or
--secureboot-private-key and --secureboot-certificate (sbsign) is given.
Leave the option just for backwards compatibility.
Fixup for df4a46733a609f1673de0bebb38e89fffd70c16c.
* Explicitly import attributes rsa and serialization from cryptography.hazmat
Signed-off-by: Valentin Lefebvre <valentin.lefebvre@suse.com>
If the user does not specify a config file to use, ukify will try looking for one at {/run,/etc,/usr/local/lib,/usr/lib}/systemd/ukify.conf in order and then use the first one found. Also made sure the --config input is a pathlib.Path by specifying its type in its CONFIG_ITEMS entry.
Big cheers to Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> for helping!
Inspired by https://github.com/systemd/systemd/pull/28997.
Noticed by Alvin Alvarado <alvin@striczkof.io>.