From 094011d1502867ba2dfea8cc0c338fea41366820 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Sun, 6 Apr 2025 21:37:33 +0200
Subject: [PATCH 1/2] Merge factory reset profiles

Let's have a single factory reset profile instead of two. To keep all functionality, we only keep the tpm2 clear profile.
---
 mkosi.uki-profiles/90-factory-reset.conf | 10 +++++-----
 .../91-factory-reset-with-tpm-clear.conf | 14 --------------
 2 files changed, 5 insertions(+), 19 deletions(-)
 delete mode 100644 mkosi.uki-profiles/91-factory-reset-with-tpm-clear.conf

diff --git a/mkosi.uki-profiles/90-factory-reset.conf b/mkosi.uki-profiles/90-factory-reset.conf
index 7b314e76..73c46a2d 100644
--- a/mkosi.uki-profiles/90-factory-reset.conf
+++ b/mkosi.uki-profiles/90-factory-reset.conf
@@ -3,12 +3,12 @@
 [UKIProfile]
 Profile=
  ID=factory-reset
- TITLE=Reset System to Factory Defaults [CAUTION!]
+ TITLE=Reset System to Factory Defaults + TPM2 Clear [CAUTION!]
 
 Cmdline=
- systemd.factory_reset=1
- rw
+ rd.systemd.unit=factory-reset.target
+ ro
  audit=0
- systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted:swap=encrypted+unused+absent:home=unprotected:=ignore
+ systemd.image_policy=-
 
-SignExpectedPcr=yes
+SignExpectedPcr=no
diff --git a/mkosi.uki-profiles/91-factory-reset-with-tpm-clear.conf b/mkosi.uki-profiles/91-factory-reset-with-tpm-clear.conf
deleted file mode 100644
index e74c0fd0..00000000
--- a/mkosi.uki-profiles/91-factory-reset-with-tpm-clear.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[UKIProfile]
-Profile=
- ID=factory-reset-tpm2-clear
- TITLE=Reset System to Factory Defaults + TPM2 Clear [CAUTION!]
-
-Cmdline=
- rd.systemd.unit=factory-reset.target
- ro
- audit=0
- systemd.image_policy=-
-
-SignExpectedPcr=no
From 7a162f4ff942d871141ef989ba43fac7c1219801 Mon Sep 17 00:00:00 2001
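Review bot: The new `systemd.image_policy=-` and `SignExpectedPcr=no` lines (together with the switch from `systemd.factory_reset=1`/`rw` to `rd.systemd.unit=factory-reset.target`/`ro`) carry no explanation in the file, and now that this is the only factory-reset profile a later maintainer could plausibly "restore" the signed PCR policy and strict image policy, re-enabling TPM-bound unlock from an entry whose purpose is to wipe the system and clear the TPM. The TPM clear itself is not visible in this hunk — presumably it is pulled in by factory-reset.target in the initrd — and I read `-` as the deny-all image policy; both are worth confirming against the target unit and systemd.image-policy(7) before relying on them. I would add above `Cmdline=`: `# Stays in the initrd (rd.systemd.unit=) and mounts nothing (image_policy=-); the PCR policy is left` / `# unsigned on purpose so TPM-bound secrets cannot be unlocked from this profile. Keep in sync with` / `# factory-reset.target.` Note also that "keep all functionality" in the message is slightly optimistic: the previous non-TPM-clearing reset path (a full boot with `systemd.factory_reset=1` under a signed policy) is gone, which is fine if intended but deserves a sentence.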
From: Daan De Meyer
Date: Sun, 6 Apr 2025 21:38:35 +0200
Subject: [PATCH 2/2] Drop the emergency UKI profile

The UEFI firmware on my laptop (American Megatrends Inc) enforces a limit of 25 PE sections on any loaded UEFI binary. Unti we figure out a better way to deal with this limit, drop the emergency profile to get the number of PE sections under 25 again.
---
 mkosi.uki-profiles/95-emergency.conf | 14 --------------
 1 file changed, 14 deletions(-)
 delete mode 100644 mkosi.uki-profiles/95-emergency.conf

diff --git a/mkosi.uki-profiles/95-emergency.conf b/mkosi.uki-profiles/95-emergency.conf
deleted file mode 100644
index cc736fc8..00000000
--- a/mkosi.uki-profiles/95-emergency.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-[UKIProfile]
-Profile=
- ID=emergency
- TITLE=Boot into Emergency Mode
-
-Cmdline=
- systemd.unit=emergency.target
- rw
- audit=0
- systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted:swap=encrypted+unused+absent:home=unprotected:=ignore
-
-SignExpectedPcr=yes