4 store_verity_type
= "@NIX_STORE_VERITY@" # replaced at import by Nix
7 def extract_uki_cmdline_params(ukify_json
: dict) -> dict[str, str]:
9 Return a dict of the parameters in the .cmdline section of the UKI
10 Exits early if "usrhash" is not included.
12 cmdline
= ukify_json
.get(".cmdline", {}).get("text")
14 print("Failed to get cmdline from ukify output")
17 for param
in cmdline
.split():
18 key
, val
= param
.partition("=")[::2]
21 if "usrhash" not in params
:
23 f
"UKI cmdline does not contain a usrhash:\n{cmdline}"
30 def hashes_match(partition
: dict[str, str], expected
: str) -> bool:
32 Checks if the value of the "roothash" key in the passed partition object matches `expected`.
34 if partition
.get("roothash") != expected
:
35 pretty_part
= json
.dumps(partition
, indent
=2)
37 f
"hash mismatch, expected to find roothash {expected} in:\n{pretty_part}"
45 partitions
: list[dict], uki_params
: dict[str, str]
48 Checks if the usrhash from `uki_params` has a matching roothash
49 for the corresponding partition in `partitions`.
51 for part
in partitions
:
52 if part
.get("type") == store_verity_type
:
53 expected
= uki_params
["usrhash"]
54 return hashes_match(part
, expected
)
60 ukify_json
= json
.load(sys
.stdin
)
61 repart_json_output
= sys
.argv
[1]
63 with
open(repart_json_output
, "r") as r
:
64 repart_json
= json
.load(r
)
66 uki_params
= extract_uki_cmdline_params(ukify_json
)
68 if check_partitions(repart_json
, uki_params
):
69 print("UKI and repart verity hashes match")
71 print("Compatibility check for UKI and image failed!")
72 print(f
"UKI cmdline parameters:\n{uki_params}")
73 print(f
"repart config: {repart_json_output}")
77 if __name__
== "__main__":
