Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package uki-tool for openSUSE:Factory checked in at 2025-01-05 15:30:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/uki-tool (Old) and /work/SRC/openSUSE:Factory/.uki-tool.new.1881 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "uki-tool" Sun Jan 5 15:30:34 2025 rev:5 rq:1234742 version:1.4.1+0.g2720d37 Changes: -------- --- /work/SRC/openSUSE:Factory/uki-tool/uki-tool.changes 2024-12-17 19:25:58.151933087 +0100 +++ /work/SRC/openSUSE:Factory/.uki-tool.new.1881/uki-tool.changes 2025-01-05 15:30:50.932756722 +0100 @@ -1,0 +2,6 @@ +Thu Jan 2 17:33:49 UTC 2025 - Valentin Lefebvre <[email protected]> + +- Generate and use PCR keys only if it is required + [+ create-pcrkeys-arg.patch] + +------------------------------------------------------------------- New: ---- create-pcrkeys-arg.patch BETA DEBUG BEGIN: New:- Generate and use PCR keys only if it is required [+ create-pcrkeys-arg.patch] BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ uki-tool.spec ++++++ --- /var/tmp/diff_new_pack.AAGBRZ/_old 2025-01-05 15:30:52.224809866 +0100 +++ /var/tmp/diff_new_pack.AAGBRZ/_new 2025-01-05 15:30:52.232810195 +0100 @@ -1,7 +1,7 @@ # # spec file for package uki-tool # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,6 +26,8 @@ License: MIT URL: https://github.com/keentux/unified-kernel-image-tool.git Source: %{archive_name}-%{version}.tar.xz +#PATCH-FIXED-UPSTREAM +Patch: create-pcrkeys-arg.patch BuildArch: noarch BuildRequires: ShellCheck BuildRequires: bash-sh @@ -58,7 +60,7 @@ This package contains the documentation for the uki-tool. %prep -%autosetup -n %{archive_name}-%{version} +%autosetup -p1 -n %{archive_name}-%{version} %build sh ./build.sh ++++++ create-pcrkeys-arg.patch ++++++ >From f9d93e463e8a15062ac015702c7fd85499dc7080 Mon Sep 17 00:00:00 2001 
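Review bot: The `#PATCH-FIXED-UPSTREAM` comment added above the new `Patch:` line is not one of the openSUSE patch-tag keywords (`PATCH-FIX-UPSTREAM`, `PATCH-FEATURE-UPSTREAM`, …) and names neither the patch nor where it came from, so a later maintainer cannot tell from the spec whether it can be dropped on the next version bump. Since the patch adds a new `--pcrkeys` option rather than fixing a defect, a tag such as `# PATCH-FEATURE-UPSTREAM create-pcrkeys-arg.patch -- upstream commit f9d93e463e8a15062ac015702c7fd85499dc7080, generate PCR keys only on request` would describe it accurately and keep the spec consistent with the usual tag grammar.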
From: vlefebvre <[email protected]> Date: Thu, 2 Jan 2025 18:30:17 +0100 Subject: [PATCH] create: pcrkeys arg * create: PCR keys will be generated and used only if asked. * new arg: --pcrkeys Signed-off-by: vlefebvre <[email protected]> --- CHANGELOG.md | 3 ++ README.md | 9 +++-- src/commands/create.sh | 82 ++++++++++++++++++++++++++---------------- 3 files changed, 61 insertions(+), 33 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d7a4b37..9cb4959 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,9 @@ All notable changes to this project will be documented in this file. ### Changed +- create: PCR keys will be generated and used only if asked + - new arg: --pcrkeys + ### Fixed ## [1.4.1] - 2024-12-16 diff --git a/README.md b/README.md index 9ee42e7..665a5cb 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ > * **Author**: Valentin LEFEBVRE <[email protected]> > * **Created at**: 2023-05-04 -> * **Updated at**: 2024-12-16 +> * **Updated at**: 2025-01-02 > * **Description**:Utilities to help with UKI and static initrd projects. > * **version**: 1.4.1 > * **Topics** @@ -77,7 +77,7 @@ Generate PCR keys and use them to create an UKI. USAGE: uki-tool create [OPTIONS] OPTIONS: -k|--kerver: Kernel Version - [default: $(uname -r)] + [default: 6.11.8-1-default] -i|--initrd: Path to the initrd [default: /usr/share/initrd/initrd-dracut-generic-kerver.unsigned] -n|--name: Name to the UKI to generate @@ -86,6 +86,9 @@ OPTIONS: [Default: rw rhgb] -o|--output: Output dir where to generate the UKI. [Default: $PWD] + --pcrkeys : Generate and use PCR keys for the generated UKI + Keys will be stored in ./<ukiname>.keys/ + (see ukify genkey for more info) help: Print this helper INFO: @@ -93,7 +96,7 @@ INFO: 'ukify' EXAMPLE: - uki-tool create -k 6.7.6-1-default -n uki-0.1.0.efi -o /usr/lib/modules/6.7.6-1-default/ + uki-tool create -k 6.11.8-1-default -n uki-0.1.0.efi -o /usr/lib/modules/6.11.8-1-default/ ``` ### c) extension 
diff --git a/src/commands/create.sh b/src/commands/create.sh index 44eb72b..1e20a95 100644 --- a/src/commands/create.sh +++ b/src/commands/create.sh @@ -23,6 +23,7 @@ CREATE_DEFAULT_UKI_NAME="uki" CREATE_DEFAULT_CMDLINE="rw rhgb" +CREATE_GENKEYS="n" ####################################################################### # PRIVATE FUNCTIONS # @@ -49,6 +50,9 @@ kerver.unsigned] [Default: $CREATE_DEFAULT_CMDLINE] -o|--output: Output dir where to generate the UKI. [Default: $PWD] + --pcrkeys : Generate and use PCR keys for the generated UKI + Keys will be stored in ./<ukiname>.keys/ + (see ukify genkey for more info) help: Print this helper INFO: @@ -79,7 +83,12 @@ _create_generate_pcr_keys() { err=1 fi output_dir="$1" - if [ $err -eq 0 ]; then + if test -f "$output_dir"/pcr-initrd.key.pem \ + -o -f "$output_dir"/pcr-initrd.pub.pem \ + -o -f "$output_dir"/pcr-system.key.pem \ + -o -f "$output_dir"/pcr-system.pub.pem; then + echo_info "PCR keys has already been created. Cancel." + elif [ $err -eq 0 ]; then if $UKIFY genkey \ --pcr-private-key="$output_dir"/pcr-initrd.key.pem \ --pcr-public-key="$output_dir"/pcr-initrd.pub.pem \ 
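Review bot: The existence check added before `elif [ $err -eq 0 ]` treats the key set as complete as soon as any one of the four files exists, so a partial set (for example only `pcr-initrd.key.pem` left behind by an earlier failure) prints "already been created" and skips generation, after which `_create_generate_uki` hands the missing `.pem` paths to `ukify build`; whether the function then still returns 0 depends on its tail, which is below the hunk. All four files are needed, so the guard should require all of them, e.g. `if [ -f "$output_dir"/pcr-initrd.key.pem ] && [ -f "$output_dir"/pcr-initrd.pub.pem ] && [ -f "$output_dir"/pcr-system.key.pem ] && [ -f "$output_dir"/pcr-system.pub.pem ]; then`, and a mixed state should be reported with `echo_error` rather than silently reused. This form also avoids `test … -o …`, which POSIX marks obsolescent and ShellCheck flags (SC2166) — relevant given the spec's `BuildRequires: ShellCheck`. The message itself could read `PCR keys have already been created, reusing them.` since the function carries on with the existing keys.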
@@ -112,37 +121,43 @@ _create_generate_pcr_keys() { # 0 in succes, >0 otherwise ### _create_generate_uki() { + output_dir="$1" + pcrkeys_dir="$2" + kerver="$3" + name="$4" + cmdline="$5" + initrd_p="$6" err=0 if [ $# -lt 6 ]; then echo_error "Missing arguments" err=1 - elif [ ! -d "$1" ]; then - echo_error "No dir at $1" - err=1 - elif [ ! -d "$2" ]; then - echo_error "No dir at $2" + elif [ ! -d "${output_dir}" ]; then + echo_error "No dir at ${output_dir}" err=1 fi if [ $err -ne 1 ]; then - if $UKIFY build \ - --initrd="$6" \ - --linux="${COMMON_KERNEL_MODULESDIR}/$3/$KER_NAME" \ - --uname="$3" \ - --pcr-private-key="$2/pcr-initrd.key.pem" \ - --pcr-public-key="$2/pcr-initrd.pub.pem" \ - --phases='enter-initrd' \ - --pcr-private-key="$2/pcr-system.key.pem" \ - --pcr-public-key="$2/pcr-system.pub.pem" \ - --pcrpkey="$2/pcr-system.pub.pem" \ - --phases='enter-initrd:leave-initrd + set -- --initrd="${initrd_p}" + set -- "$@" --linux="${COMMON_KERNEL_MODULESDIR}/${kerver}/${KER_NAME}" + set -- "$@" --uname="${kerver}" + set -- "$@" --output="${output_dir}/${name}" + set -- "$@" --cmdline="${cmdline}" + if test "${CREATE_GENKEYS}" = "y" -a -d "${pcrkeys_dir}"; then + set -- "$@" --pcr-private-key="${pcrkeys_dir}/pcr-initrd.key.pem" + set -- "$@" --pcr-public-key="${pcrkeys_dir}/pcr-initrd.pub.pem" + set -- "$@" --phases='enter-initrd' + set -- "$@" --pcr-private-key="${pcrkeys_dir}/pcr-system.key.pem" + set -- "$@" --pcr-public-key="${pcrkeys_dir}/pcr-system.pub.pem" + set -- "$@" --pcrpkey="${pcrkeys_dir}/pcr-system.pub.pem" + set -- "$@" --phases='enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit - enter-initrd:leave-initrd:sysinit:ready' \ - --pcr-banks=sha256 \ - --cmdline="$5" \ - --output="$1/$4"; then - echo_info "UKI generated: $1/$4" + enter-initrd:leave-initrd:sysinit:ready' + set -- "$@" --pcr-banks=sha256 + fi + if $UKIFY build "$@"; then + echo_info "UKI generated: ${output_dir}/${name}" else - echo_error "$UKIFY failed to create the UKI at 
$1/$4" + echo_error "$UKIFY failed to create the UKI at ${output_dir}/\ +${name}" err=1 fi fi @@ -186,7 +201,7 @@ create_exec() { printf "Execute command create\n" # Get arguments args=$(getopt -a -n extension -o k:i:n:c:o:\ - --long kerver:,initrd:,name:,cmdline:,output: -- "$@") + --long kerver:,initrd:,name:,cmdline:,output:,pcrkeys -- "$@") eval set --"$args" while : do @@ -196,6 +211,7 @@ create_exec() { -n | --name) name="$2" ; shift 2 ;; -c | --cmdline) cmdline="$2" ; shift 2 ;; -o | --output) output="$2" ; shift 2 ;; + --pcrkeys) CREATE_GENKEYS="y" ; shift 1 ;; --) shift ; break ;; *) echo_warning "Unexpected option: $1"; _create_usage ;; esac @@ -215,12 +231,18 @@ create_exec() { if [ ! ${output+x} ]; then output="$PWD" fi + keys_dir="" + if [ "${CREATE_GENKEYS}" = "y" ]; then + keys_dir="./${name}.keys" + mkdir -p "$keys_dir" + if _create_generate_pcr_keys "$keys_dir"; then + echo_info "PCR keys generated in: $keys_dir/" + else + echo_error "Failed to generate PCR keys" + return 1 + fi + fi # Generate UKI - tmp_dir="$(mktemp -d)" - if _create_generate_pcr_keys "$tmp_dir"; then - _create_generate_uki "$output" "$tmp_dir" "$kerver" "$name" "$cmdline" \ + _create_generate_uki "$output" "$keys_dir" "$kerver" "$name" "$cmdline" \ "$initrd_path" - fi - # Clean - rm -rf "$tmp_dir" } -- 2.47.0
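Review bot: When `--pcrkeys` was requested but `${pcrkeys_dir}` does not exist, the new `if test "${CREATE_GENKEYS}" = "y" -a -d "${pcrkeys_dir}"` guard simply drops every `--pcr-*`, `--pcrpkey` and `--phases` argument, so `ukify build` produces an unsigned UKI and the function reports "UKI generated" — the removed `elif [ ! -d "$2" ]` branch used to make this an error. A missing key directory when keys were asked for should stay a failure: add to the validation chain `elif [ "${CREATE_GENKEYS}" = "y" ] && [ ! -d "${pcrkeys_dir}" ]; then` / `echo_error "No PCR keys dir at ${pcrkeys_dir}"` / `err=1` and reduce the later guard to `if [ "${CREATE_GENKEYS}" = "y" ]; then`. That also removes the `test … -a …` form, which POSIX marks obsolescent and ShellCheck warns about (SC2166). The function's closing `return` lies below the hunk.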
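Review bot: In the `create_exec` hunk at `@@ -215,12 +231,18 @@`, `mkdir -p "$keys_dir"` creates the directory that will hold the private PCR signing keys with the caller's umask, whereas the replaced `mktemp -d` gave a mode-0700 directory that was removed afterwards; with a common 022 umask the key directory is world-readable and persists in the working directory. Its exit status is also unchecked, so a failed `mkdir` only surfaces later as a generic "Failed to generate PCR keys". Tightening both in place: `if ! mkdir -p "$keys_dir" || ! chmod 700 "$keys_dir"; then` / `echo_error "Cannot create key dir $keys_dir"; return 1` / `fi`. Whether `ukify genkey` itself restricts the mode of the `.key.pem` files is not visible here, so the directory mode is the defence this script controls.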
