From ee6eedab821c3ad9491efa062ade49f2f550d7f7 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Tue, 30 May 2023 14:09:44 +0200
Subject: mkosi: Sign expected PCRs

This is now possible without a TMP device so let's start signing
PCRs when building images with mkosi.
---
 mkosi.conf.d/10-systemd.conf      | 5 -----
 mkosi.presets/20-final/mkosi.conf | 4 +++-
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/mkosi.conf.d/10-systemd.conf b/mkosi.conf.d/10-systemd.conf
index 640214c8a3..09e8c5c3f1 100644
--- a/mkosi.conf.d/10-systemd.conf
+++ b/mkosi.conf.d/10-systemd.conf
@@ -11,11 +11,6 @@ OutputDirectory=mkosi.output
 BuildDirectory=mkosi.builddir
 CacheDirectory=mkosi.cache
 
-[Validation]
-SecureBoot=yes
-# Disabled until systemd-measure can operate without a TPM device.
-SignExpectedPcr=no
-
 [Host]
 QemuMem=2G
 ExtraSearchPaths=build/
diff --git a/mkosi.presets/20-final/mkosi.conf b/mkosi.presets/20-final/mkosi.conf
index ec0a90feff..bb158eb059 100644
--- a/mkosi.presets/20-final/mkosi.conf
+++ b/mkosi.presets/20-final/mkosi.conf
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Content]
+Autologin=yes
 BaseTrees=../../mkosi.output/base
 ExtraTrees=../../src:/root/src
 Initrds=../../mkosi.output/initrd
@@ -35,4 +36,5 @@ Packages=
         zsh
 
 [Validation]
-Autologin=yes
+SecureBoot=yes
+SignExpectedPcr=yes
-- 
cgit v1.2.3