mkosi-obs: Replace usage of pesign/efitools with systemd-sbsign #3568
Let's consolidate on systemd-sbsign across mkosi to do everything related to secure boot signing.
Requires systemd/systemd#36574
It's fine to use these new tools elsewhere, but I do not want them in the OBS scripts. Everything else in OBS uses pesign, including package builds, so I want to use the same thing, to guarantee it works. pesign has also been battle-tested on real hardware for 10 years, while this new stuff hasn't. I imagine it will take a few years of actual usage before it becomes compatible with all the firmwares and hardware out there.
I mean, shouldn't we have both at least as an option? Assuming that it doesn't work in all cases, then if we don't dogfood it, it won't.
Sure, it's fine to use these other tools elsewhere, in the CI, for local builds, etc etc
This is a bit ridiculous; as long as we generate identical output to the other tools, of course we'll be compatible. I'll add integration tests in systemd that ensure we generate the same output.
You cannot verify that you have the same output, because you don't have access to the same input - the certificate. And yes that matters. Hardware quirks matter too, as you found out the hard way with the padding bug in the stub. What the spec says and what happens in real life often diverge.
Cool, I'll just modify this PR to have it call both systemd-sbsign and the existing tool and verify the output is identical for both tools and fail the build if it isn't. Then you can be happy knowing we're using your supposedly stable better tools and I can be happy knowing systemd-sbsign is dogfooded, and if the comparison ever fails we'll automatically get a bug report so we can fix whatever is different in systemd-sbsign. And eventually we'll just drop the other tools.