mkosi: use pesign for signing UKI addons

In C9S/RHEL9 we don't ship sbsign, so we have to use pesign instead. Unfortunately, ukify doesn't support singing with pesign, so we have to do that manually. Related: RHEL-1086 RHEL-only
redhat-plumbers · Mar 5, 2024 · 9152fc5 · 9152fc5
1 parent 2f29641
commit 9152fc5
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 4 deletions.
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf
@@ -6,3 +6,6 @@ Distribution=centos
 [Content]
 Packages=
         kernel-modules # For squashfs support
+        nss-tools
+        openssl
+        pesign
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -10,7 +10,7 @@ if ! systemd-detect-virt --container; then
     cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
     cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
 
-    if command -v sbsign &>/dev/null; then
+    if command -v pesign &>/dev/null; then
         cat /proc/cmdline
         grep -q this_should_be_here /proc/cmdline
         (! grep -q this_should_not_be_here /proc/cmdline)

diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
@@ -101,11 +101,18 @@ cat >/usr/lib/tmpfiles.d/testuser.conf <<EOF
 q	/home/testuser	0700	4711	4711
 EOF
 
-# sbsign is not available on CentOS Stream
-if command -v sbsign &>/dev/null; then
+# RHEL 9 only: we don't ship sbsigntools in RHEL 9 so we have to use pesign
+# instead. Unfortunately, ATTOW ukify doesn't support signing with pesign, so we
+# have to do it manually :(
+if command -v pesign &>/dev/null; then
     # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
     addons_dir=/efi/loader/addons
     mkdir -p "$addons_dir"
-    ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+    ukify build --cmdline this_should_be_here -o "good.addon.efi"
     ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+
+    openssl pkcs12 -name "mkosi" -passin "pass:" -passout "pass:" -export -out mkosi.p12 -inkey mkosi.key -in mkosi.crt
+    pk12util -W "" -i mkosi.p12 -d /etc/pki/pesign
+    pesign -v -s -c "mkosi" -i "good.addon.efi" -o "$addons_dir/good.addon.efi"
+    pesign -S -i"$addons_dir/good.addon.efi"
 fi