mkosi: Sign expected PCRs

This is now possible without a TMP device so let's start signing PCRs when building images with mkosi.
2026-04-14 00:14:32 +09:00 · 2023-05-30 14:09:44 +02:00
parent e577318ddb
commit ee6eedab82
2 changed files with 3 additions and 6 deletions
--- a/mkosi.conf.d/10-systemd.conf
+++ b/mkosi.conf.d/10-systemd.conf
@@ -11,11 +11,6 @@ OutputDirectory=mkosi.output
 BuildDirectory=mkosi.builddir
 CacheDirectory=mkosi.cache

-[Validation]
-SecureBoot=yes
-# Disabled until systemd-measure can operate without a TPM device.
-SignExpectedPcr=no
-
 [Host]
 QemuMem=2G
 ExtraSearchPaths=build/
--- a/mkosi.presets/20-final/mkosi.conf
+++ b/mkosi.presets/20-final/mkosi.conf
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later

 [Content]
+Autologin=yes
 BaseTrees=../../mkosi.output/base
 ExtraTrees=../../src:/root/src
 Initrds=../../mkosi.output/initrd
@@ -35,4 +36,5 @@ Packages=
        zsh

 [Validation]
-Autologin=yes
+SecureBoot=yes
+SignExpectedPcr=yes