system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-21 02:05:05 +00:00
Code Issues Actions 9 Packages Projects Releases Wiki Activity

ukify: make the certficate validity configurable

Browse source 
Requested in 4cc743319a (r1228592001)
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2023-06-14 12:38:37 +02:00
parent a3f758b310
commit 814e4d7a67
2 changed files with 21 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
man/ukify.xml
View file

@ -329,6 +329,14 @@
This option is required by <varname>SecureBootSigningTool=pesign</varname>/<option>--signtool=pesign</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SecureBootCertificateValidity=<replaceable>DAYS</replaceable></varname></term>
<term><option>--secureboot-certificate-validity=<replaceable>DAYS</replaceable></option></term>
<listitem><para>Period of validity (in days) for a certificate created by
<command>genkey</command>. Defaults to 3650, i.e. 10 years.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SigningEngine=<replaceable>ENGINE</replaceable></varname></term>
<term><option>--signing-engine=<replaceable>ENGINE</replaceable></option></term>

15
src/ukify/ukify.py
View file

@ -759,8 +759,8 @@ def temporary_umask(mask: int):
def generate_key_cert_pair(
common_name: str,
valid_days: int,
keylength: int = 2048,
valid_days: int = 365 * 10, # TODO: can we drop the expiration date?
) -> tuple[bytes]:
from cryptography import x509
@ -835,7 +835,10 @@ def generate_keys(opts):
if opts.sb_key or opts.sb_cert:
fqdn = socket.getfqdn()
cn = f'SecureBoot signing key on host {fqdn}'
key_pem, cert_pem = generate_key_cert_pair(common_name=cn)
key_pem, cert_pem = generate_key_cert_pair(
common_name=cn,
valid_days=opts.sb_cert_validity,
)
print(f'Writing SecureBoot private key to {opts.sb_key}')
with temporary_umask(0o077):
opts.sb_key.write_bytes(key_pem)
@ -1153,6 +1156,14 @@ uki.addon,1,UKI Addon,uki.addon,1,https://www.freedesktop.org/software/systemd/m
help = 'required by --signtool=pesign. pesign needs a certificate nickname of nss certificate database entry to use for PE signing',
config_key = 'UKI/SecureBootCertificateName',
),
ConfigItem(
'--secureboot-certificate-validity',
metavar = 'DAYS',
dest = 'sb_cert_validity',
default = 365 * 10,
help = "period of validity (in days) for a certificate created by 'genkey'",
config_key = 'UKI/SecureBootCertificateValidity',
),
ConfigItem(
'--sign-kernel',