From 5ab22a771555645c0f0a66cddb719914abfb586a Mon Sep 17 00:00:00 2001
From: Noel Georgi
Date: Fri, 10 Jan 2025 22:51:07 +0530
Subject: [PATCH] chore: uki code restructure

UKI code re-structure, no-op.
Signed-off-by: Noel Georgi
---
 Dockerfile | 4 +-
 cmd/talosctl/cmd/mgmt/gen/secureboot.go | 2 +-
 internal/app/init/main.go | 9 +--
 .../v1alpha1/v1alpha1_sequencer_tasks.go | 9 +--
 internal/pkg/encryption/keys/tpm2.go | 6 +-
 internal/pkg/mount/switchroot/switchroot.go | 9 +--
 .../certs/db/MicCorUEFCA2011_2011-06-27.der | Bin
 .../db/microsoft option rom uefi ca 2023.der | Bin
 .../certs/db/microsoft uefi ca 2023.der | Bin
 .../certs/kek/MicCorKEKCA2011_2011-06-24.der | Bin
 .../microsoft corporation kek 2k ca 2023.der | Bin
 .../{ => uki}/secureboot/database/database.go | 2 +-
 .../measure/internal/pcr/bank_data.go | 11 ++--
 .../measure/internal/pcr/bank_data_test.go | 14 ++---
 .../secureboot/measure/internal/pcr/extend.go | 0
 .../measure/internal/pcr/extend_test.go | 2 +-
 .../secureboot/measure/internal/pcr/sign.go | 0
 .../measure/internal/pcr/sign_test.go | 2 +-
 .../measure/internal/pcr/testdata/a | 0
 .../measure/internal/pcr/testdata/b | 0
 .../measure/internal/pcr/testdata/c | 0
 .../{ => uki}/secureboot/measure/measure.go | 10 ++--
 .../secureboot/measure/measure_test.go | 10 ++--
 .../measure/testdata/pcr-signing-key.pem | 0
 .../pkg/{ => uki}/secureboot/pesign/pesign.go | 0
 .../secureboot/pesign/pesign_test.go | 2 +-
 .../pesign/testdata/systemd-bootx64.efi | Bin
 .../pkg/{ => uki}/secureboot/secureboot.go | 50 +----------------
 .../pkg/{ => uki}/secureboot/tpm2/keys.go | 0
 internal/pkg/{ => uki}/secureboot/tpm2/pcr.go | 11 ++--
 .../pkg/{ => uki}/secureboot/tpm2/pcr_test.go | 2 +-
 .../pkg/{ => uki}/secureboot/tpm2/policy.go | 0
 .../{ => uki}/secureboot/tpm2/policy_test.go | 2 +-
 .../pkg/{ => uki}/secureboot/tpm2/seal.go | 6 +-
 .../{ => uki}/secureboot/tpm2/signature.go | 0
 .../tpm2/testdata/pcr-signing-crt.pem | 0
 .../pkg/{ => uki}/secureboot/tpm2/tpm2.go | 0
 .../pkg/{ => uki}/secureboot/tpm2/unseal.go | 7 ++-
 .../pkg/{ => uki}/secureboot/uki/assemble.go | 0
 .../pkg/{ => uki}/secureboot/uki/generate.go | 24 ++++----
 .../pkg/{ => uki}/secureboot/uki/kernel.go | 0
 .../{ => uki}/secureboot/uki/kernel_test.go | 2 +-
 internal/pkg/{ => uki}/secureboot/uki/sbat.go | 4 +-
 .../pkg/{ => uki}/secureboot/uki/sbat_test.go | 2 +-
 .../{ => uki}/secureboot/uki/testdata/kernel | Bin
 internal/pkg/{ => uki}/secureboot/uki/uki.go | 8 +--
 internal/pkg/uki/uki.go | 53 ++++++++++++++++++
 pkg/imager/imager.go | 2 +-
 pkg/imager/out.go | 4 +-
 pkg/imager/profile/input.go | 4 +-
 pkg/imager/profile/internal/signer/aws/pcr.go | 2 +-
 .../profile/internal/signer/aws/secureboot.go | 2 +-
 .../profile/internal/signer/azure/pcr.go | 2 +-
 .../internal/signer/azure/secureboot.go | 2 +-
 .../profile/internal/signer/file/pcr.go | 2 +-
 .../internal/signer/file/secureboot.go | 2 +-
 56 files changed, 149 insertions(+), 136 deletions(-)
 rename internal/pkg/{ => uki}/secureboot/database/certs/db/MicCorUEFCA2011_2011-06-27.der (100%)
 rename internal/pkg/{ => uki}/secureboot/database/certs/db/microsoft option rom uefi ca 2023.der (100%)
 rename internal/pkg/{ => uki}/secureboot/database/certs/db/microsoft uefi ca 2023.der (100%)
 rename internal/pkg/{ => uki}/secureboot/database/certs/kek/MicCorKEKCA2011_2011-06-24.der (100%)
 rename internal/pkg/{ => uki}/secureboot/database/certs/kek/microsoft corporation kek 2k ca 2023.der (100%)
 rename internal/pkg/{ => uki}/secureboot/database/database.go (98%)
 rename internal/pkg/{ => uki}/secureboot/measure/internal/pcr/bank_data.go (85%)
 rename internal/pkg/{ => uki}/secureboot/measure/internal/pcr/bank_data_test.go (84%)
 rename internal/pkg/{ => uki}/secureboot/measure/internal/pcr/extend.go (100%)
 rename internal/pkg/{ => uki}/secureboot/measure/internal/pcr/extend_test.go (92%)
 rename internal/pkg/{ => uki}/secureboot/measure/internal/pcr/sign.go (100%)
 rename internal/pkg/{ => uki}/secureboot/measure/internal/pcr/sign_test.go (95%)
 rename internal/pkg/{ => uki}/secureboot/measure/internal/pcr/testdata/a (100%)
 rename internal/pkg/{ => uki}/secureboot/measure/internal/pcr/testdata/b (100%)
 rename internal/pkg/{ => uki}/secureboot/measure/internal/pcr/testdata/c (100%)
 rename internal/pkg/{ => uki}/secureboot/measure/measure.go (79%)
 rename internal/pkg/{ => uki}/secureboot/measure/measure_test.go (95%)
 rename internal/pkg/{ => uki}/secureboot/measure/testdata/pcr-signing-key.pem (100%)
 rename internal/pkg/{ => uki}/secureboot/pesign/pesign.go (100%)
 rename internal/pkg/{ => uki}/secureboot/pesign/pesign_test.go (95%)
 rename internal/pkg/{ => uki}/secureboot/pesign/testdata/systemd-bootx64.efi (100%)
 rename internal/pkg/{ => uki}/secureboot/secureboot.go (63%)
 rename internal/pkg/{ => uki}/secureboot/tpm2/keys.go (100%)
 rename internal/pkg/{ => uki}/secureboot/tpm2/pcr.go (92%)
 rename internal/pkg/{ => uki}/secureboot/tpm2/pcr_test.go (92%)
 rename internal/pkg/{ => uki}/secureboot/tpm2/policy.go (100%)
 rename internal/pkg/{ => uki}/secureboot/tpm2/policy_test.go (95%)
 rename internal/pkg/{ => uki}/secureboot/tpm2/seal.go (94%)
 rename internal/pkg/{ => uki}/secureboot/tpm2/signature.go (100%)
 rename internal/pkg/{ => uki}/secureboot/tpm2/testdata/pcr-signing-crt.pem (100%)
 rename internal/pkg/{ => uki}/secureboot/tpm2/tpm2.go (100%)
 rename internal/pkg/{ => uki}/secureboot/tpm2/unseal.go (97%)
 rename internal/pkg/{ => uki}/secureboot/uki/assemble.go (100%)
 rename internal/pkg/{ => uki}/secureboot/uki/generate.go (91%)
 rename internal/pkg/{ => uki}/secureboot/uki/kernel.go (100%)
 rename internal/pkg/{ => uki}/secureboot/uki/kernel_test.go (88%)
 rename internal/pkg/{ => uki}/secureboot/uki/sbat.go (87%)
 rename internal/pkg/{ => uki}/secureboot/uki/sbat_test.go (91%)
 rename internal/pkg/{ => uki}/secureboot/uki/testdata/kernel (100%)
 rename internal/pkg/{ => uki}/secureboot/uki/uki.go (95%)
 create mode 100644 internal/pkg/uki/uki.go

diff --git a/Dockerfile b/Dockerfile
index 2e377a47ce..fbf5846e8b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -438,8 +438,8 @@ COPY --from=ipxe-generate / /pkg/provision/providers/vm/internal/ipxe/data/ipxe/
 COPY --from=selinux-generate / /internal/pkg/selinux/
 COPY --from=embed-abbrev / /
 COPY --from=pkg-ca-certificates /etc/ssl/certs/ca-certificates /internal/app/machined/pkg/controllers/secrets/data/
-COPY --from=microsoft-key-keys / /internal/pkg/secureboot/database/certs/
-COPY --from=microsoft-db-keys / /internal/pkg/secureboot/database/certs/
+COPY --from=microsoft-key-keys / /internal/pkg/uki/secureboot/database/certs/
+COPY --from=microsoft-db-keys / /internal/pkg/uki/secureboot/database/certs/
 
 # The base target provides a container that can be used to build all Talos
 # assets.
diff --git a/cmd/talosctl/cmd/mgmt/gen/secureboot.go b/cmd/talosctl/cmd/mgmt/gen/secureboot.go
index f26652b232..6d2b081b7b 100644
--- a/cmd/talosctl/cmd/mgmt/gen/secureboot.go
+++ b/cmd/talosctl/cmd/mgmt/gen/secureboot.go
@@ -18,7 +18,7 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/siderolabs/talos/cmd/talosctl/pkg/mgmt/helpers"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/database"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/database"
 	"github.com/siderolabs/talos/pkg/imager/profile"
 	"github.com/siderolabs/talos/pkg/machinery/config/generate/secrets"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
diff --git a/internal/app/init/main.go b/internal/app/init/main.go
index c60f8ee27b..8b447d1a67 100644
--- a/internal/app/init/main.go
+++ b/internal/app/init/main.go
@@ -24,8 +24,9 @@ import (
 	"github.com/siderolabs/talos/internal/pkg/mount/switchroot"
 	"github.com/siderolabs/talos/internal/pkg/mount/v2"
 	"github.com/siderolabs/talos/internal/pkg/rng"
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/extensions"
 	"github.com/siderolabs/talos/pkg/machinery/version"
@@ -60,8 +61,8 @@ func run() error {
 	}
 
 	// extend PCR 11 with enter-initrd
-	if err := tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.EnterInitrd)); err != nil {
-		return fmt.Errorf("failed to extend PCR %d with enter-initrd: %v", secureboot.UKIPCR, err)
+	if err := tpm2.PCRExtend(uki.PCR, []byte(secureboot.EnterInitrd)); err != nil {
+		return fmt.Errorf("failed to extend PCR %d with enter-initrd: %v", uki.PCR, err)
 	}
 
 	log.Printf("booting Talos %s", version.Tag)
diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
index b84cb07325..229f84a4f3 100644
--- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -56,9 +56,10 @@ import (
 	"github.com/siderolabs/talos/internal/pkg/mount"
 	mountv2 "github.com/siderolabs/talos/internal/pkg/mount/v2"
 	"github.com/siderolabs/talos/internal/pkg/partition"
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
 	"github.com/siderolabs/talos/internal/pkg/selinux"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 	"github.com/siderolabs/talos/internal/pkg/zboot"
 	"github.com/siderolabs/talos/pkg/conditions"
 	"github.com/siderolabs/talos/pkg/images"
@@ -328,7 +329,7 @@ func WriteUdevRules(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 // StartMachined represents the task to start machined.
 func StartMachined(_ runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
-		if err := tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.EnterMachined)); err != nil {
+		if err := tpm2.PCRExtend(uki.PCR, []byte(secureboot.EnterMachined)); err != nil {
 			return err
 		}
 
@@ -412,7 +413,7 @@ func StartUdevd(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 // ExtendPCRStartAll represents the task to extend the PCR with the StartTheWorld PCR phase.
 func ExtendPCRStartAll(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
-		return tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.StartTheWorld))
+		return tpm2.PCRExtend(uki.PCR, []byte(secureboot.StartTheWorld))
 	}, "extendPCRStartAll"
 }
 
diff --git a/internal/pkg/encryption/keys/tpm2.go b/internal/pkg/encryption/keys/tpm2.go
index e0c5af7deb..facd84c157 100644
--- a/internal/pkg/encryption/keys/tpm2.go
+++ b/internal/pkg/encryption/keys/tpm2.go
@@ -16,8 +16,8 @@ import (
 	"github.com/siderolabs/go-blockdevice/v2/encryption/luks"
 	"github.com/siderolabs/go-blockdevice/v2/encryption/token"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 // TPMToken is the userdata stored in the partition token metadata.
@@ -74,7 +74,7 @@ func (h *TPMKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Toke
 		KeySlots:          []int{h.slot},
 		SealedBlobPrivate: resp.SealedBlobPrivate,
 		SealedBlobPublic:  resp.SealedBlobPublic,
-		PCRs:              []int{secureboot.UKIPCR},
+		PCRs:              []int{uki.PCR},
 		Alg:               "sha256",
 		PolicyHash:        resp.PolicyDigest,
 		KeyName:           resp.KeyName,
diff --git a/internal/pkg/mount/switchroot/switchroot.go b/internal/pkg/mount/switchroot/switchroot.go
index 1cef339ffb..0423c183d4 100644
--- a/internal/pkg/mount/switchroot/switchroot.go
+++ b/internal/pkg/mount/switchroot/switchroot.go
@@ -16,9 +16,10 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/siderolabs/talos/internal/pkg/mount/v2"
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
 	"github.com/siderolabs/talos/internal/pkg/selinux"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
@@ -78,8 +79,8 @@ func Switch(prefix string, mountpoints mount.Points) (err error) {
 	}
 
 	// extend PCR 11 with leave-initrd
-	if err = tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.LeaveInitrd)); err != nil {
-		return fmt.Errorf("failed to extend PCR %d with leave-initrd: %v", secureboot.UKIPCR, err)
+	if err = tpm2.PCRExtend(uki.PCR, []byte(secureboot.LeaveInitrd)); err != nil {
+		return fmt.Errorf("failed to extend PCR %d with leave-initrd: %v", uki.PCR, err)
 	}
 
 	// Note that /sbin/init is machined. We call it init since this is the
diff --git a/internal/pkg/secureboot/database/certs/db/MicCorUEFCA2011_2011-06-27.der b/internal/pkg/uki/secureboot/database/certs/db/MicCorUEFCA2011_2011-06-27.der
similarity index 100%
rename from internal/pkg/secureboot/database/certs/db/MicCorUEFCA2011_2011-06-27.der
rename to internal/pkg/uki/secureboot/database/certs/db/MicCorUEFCA2011_2011-06-27.der
diff --git a/internal/pkg/secureboot/database/certs/db/microsoft option rom uefi ca 2023.der b/internal/pkg/uki/secureboot/database/certs/db/microsoft option rom uefi ca 2023.der
similarity index 100%
rename from internal/pkg/secureboot/database/certs/db/microsoft option rom uefi ca 2023.der
rename to internal/pkg/uki/secureboot/database/certs/db/microsoft option rom uefi ca 2023.der
diff --git a/internal/pkg/secureboot/database/certs/db/microsoft uefi ca 2023.der b/internal/pkg/uki/secureboot/database/certs/db/microsoft uefi ca 2023.der
similarity index 100%
rename from internal/pkg/secureboot/database/certs/db/microsoft uefi ca 2023.der
rename to internal/pkg/uki/secureboot/database/certs/db/microsoft uefi ca 2023.der
diff --git a/internal/pkg/secureboot/database/certs/kek/MicCorKEKCA2011_2011-06-24.der b/internal/pkg/uki/secureboot/database/certs/kek/MicCorKEKCA2011_2011-06-24.der
similarity index 100%
rename from internal/pkg/secureboot/database/certs/kek/MicCorKEKCA2011_2011-06-24.der
rename to internal/pkg/uki/secureboot/database/certs/kek/MicCorKEKCA2011_2011-06-24.der
diff --git a/internal/pkg/secureboot/database/certs/kek/microsoft corporation kek 2k ca 2023.der b/internal/pkg/uki/secureboot/database/certs/kek/microsoft corporation kek 2k ca 2023.der
similarity index 100%
rename from internal/pkg/secureboot/database/certs/kek/microsoft corporation kek 2k ca 2023.der
rename to internal/pkg/uki/secureboot/database/certs/kek/microsoft corporation kek 2k ca 2023.der
diff --git a/internal/pkg/secureboot/database/database.go b/internal/pkg/uki/secureboot/database/database.go
similarity index 98%
rename from internal/pkg/secureboot/database/database.go
rename to internal/pkg/uki/secureboot/database/database.go
index 4b536282e4..0f9c76c60f 100644
--- a/internal/pkg/secureboot/database/database.go
+++ b/internal/pkg/uki/secureboot/database/database.go
@@ -17,7 +17,7 @@ import (
 	"github.com/foxboron/go-uefi/efivar"
 	"github.com/google/uuid"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/pesign"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
diff --git a/internal/pkg/secureboot/measure/internal/pcr/bank_data.go b/internal/pkg/uki/secureboot/measure/internal/pcr/bank_data.go
similarity index 85%
rename from internal/pkg/secureboot/measure/internal/pcr/bank_data.go
rename to internal/pkg/uki/secureboot/measure/internal/pcr/bank_data.go
index cc4f5b2293..6391fc2e69 100644
--- a/internal/pkg/secureboot/measure/internal/pcr/bank_data.go
+++ b/internal/pkg/uki/secureboot/measure/internal/pcr/bank_data.go
@@ -15,8 +15,9 @@ import (
 
 	"github.com/google/go-tpm/tpm2"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
+	tpm2internal "github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 // RSAKey is the input for the CalculateBankData function.
@@ -30,7 +31,7 @@ type RSAKey interface {
 // This mimics the process happening happening in the TPM when the UKI is being loaded.
 //
 //nolint:gocyclo
-func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureboot.Section]string, rsaKey RSAKey) ([]tpm2internal.BankData, error) {
+func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[uki.Section]string, rsaKey RSAKey) ([]tpm2internal.BankData, error) {
 	// get fingerprint of public key
 	pubKeyFingerprint := sha256.Sum256(x509.MarshalPKCS1PublicKey(rsaKey.PublicRSAKey()))
 
@@ -39,7 +40,7 @@ func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureb
 		return nil, err
 	}
 
-	pcrSelector, err := tpm2internal.CreateSelector([]int{secureboot.UKIPCR})
+	pcrSelector, err := tpm2internal.CreateSelector([]int{uki.PCR})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create PCR selection: %v", err)
 	}
@@ -55,7 +56,7 @@ func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureb
 
 	hashData := NewDigest(hashAlg)
 
-	for _, section := range secureboot.OrderedSections() {
+	for _, section := range uki.OrderedSections() {
 		if file := sectionData[section]; file != "" {
 			hashData.Extend(append([]byte(section), 0))
 
diff --git a/internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go b/internal/pkg/uki/secureboot/measure/internal/pcr/bank_data_test.go
similarity index 84%
rename from internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go
rename to internal/pkg/uki/secureboot/measure/internal/pcr/bank_data_test.go
index 814cb17bea..69b6238275 100644
--- a/internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go
+++ b/internal/pkg/uki/secureboot/measure/internal/pcr/bank_data_test.go
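Review bot: `CalculateBankData` accepts a `pcrNumber` parameter but the PCR policy selector in this hunk is built from the package constant, `pcrSelector, err := tpm2internal.CreateSelector([]int{uki.PCR})`, so the caller's argument does not affect which PCR the policy digest is bound to; the test in bank_data_test.go passes `15` and still gets a PCR 11 selector. If the parameter is meant to choose the measured PCR the line should read `tpm2internal.CreateSelector([]int{pcrNumber})`, and if PCR 11 is fixed by the UKI convention the parameter is misleading and should either be dropped or rejected when it differs from `uki.PCR`. This is pre-existing rather than introduced by the rename, and the rest of the function body, including whatever else consumes `pcrNumber`, lies outside the hunk.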
@@ -14,9 +14,9 @@ import (
 	"github.com/google/go-tpm/tpm2"
 	"github.com/stretchr/testify/require"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
-	tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure/internal/pcr"
+	tpm2internal "github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 type keyWrapper struct {
@@ -40,10 +40,10 @@ func TestCalculateBankData(t *testing.T) {
 	require.NoError(t, err)
 
 	bankData, err := pcr.CalculateBankData(15, tpm2.TPMAlgSHA256,
-		map[secureboot.Section]string{
-			secureboot.Initrd: "testdata/a",
-			secureboot.Linux:  "testdata/b",
-			secureboot.DTB:    "testdata/c",
+		map[uki.Section]string{
+			uki.Initrd: "testdata/a",
+			uki.Linux:  "testdata/b",
+			uki.DTB:    "testdata/c",
 		}, keyWrapper{key})
 	require.NoError(t, err)
 
diff --git a/internal/pkg/secureboot/measure/internal/pcr/extend.go b/internal/pkg/uki/secureboot/measure/internal/pcr/extend.go
similarity index 100%
rename from internal/pkg/secureboot/measure/internal/pcr/extend.go
rename to internal/pkg/uki/secureboot/measure/internal/pcr/extend.go
diff --git a/internal/pkg/secureboot/measure/internal/pcr/extend_test.go b/internal/pkg/uki/secureboot/measure/internal/pcr/extend_test.go
similarity index 92%
rename from internal/pkg/secureboot/measure/internal/pcr/extend_test.go
rename to internal/pkg/uki/secureboot/measure/internal/pcr/extend_test.go
index 3c061164d6..9a86c4eab3 100644
--- a/internal/pkg/secureboot/measure/internal/pcr/extend_test.go
+++ b/internal/pkg/uki/secureboot/measure/internal/pcr/extend_test.go
@@ -10,7 +10,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure/internal/pcr"
 )
 
 func TestExtend(t *testing.T) {
diff --git a/internal/pkg/secureboot/measure/internal/pcr/sign.go b/internal/pkg/uki/secureboot/measure/internal/pcr/sign.go
similarity index 100%
rename from internal/pkg/secureboot/measure/internal/pcr/sign.go
rename to internal/pkg/uki/secureboot/measure/internal/pcr/sign.go
diff --git a/internal/pkg/secureboot/measure/internal/pcr/sign_test.go b/internal/pkg/uki/secureboot/measure/internal/pcr/sign_test.go
similarity index 95%
rename from internal/pkg/secureboot/measure/internal/pcr/sign_test.go
rename to internal/pkg/uki/secureboot/measure/internal/pcr/sign_test.go
index 4e29c5bf13..0c56fc46ba 100644
--- a/internal/pkg/secureboot/measure/internal/pcr/sign_test.go
+++ b/internal/pkg/uki/secureboot/measure/internal/pcr/sign_test.go
@@ -14,7 +14,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure/internal/pcr"
 )
 
 func TestSign(t *testing.T) {
diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/a b/internal/pkg/uki/secureboot/measure/internal/pcr/testdata/a
similarity index 100%
rename from internal/pkg/secureboot/measure/internal/pcr/testdata/a
rename to internal/pkg/uki/secureboot/measure/internal/pcr/testdata/a
diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/b b/internal/pkg/uki/secureboot/measure/internal/pcr/testdata/b
similarity index 100%
rename from internal/pkg/secureboot/measure/internal/pcr/testdata/b
rename to internal/pkg/uki/secureboot/measure/internal/pcr/testdata/b
diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/c b/internal/pkg/uki/secureboot/measure/internal/pcr/testdata/c
similarity index 100%
rename from internal/pkg/secureboot/measure/internal/pcr/testdata/c
rename to internal/pkg/uki/secureboot/measure/internal/pcr/testdata/c
diff --git a/internal/pkg/secureboot/measure/measure.go b/internal/pkg/uki/secureboot/measure/measure.go
similarity index 79%
rename from internal/pkg/secureboot/measure/measure.go
rename to internal/pkg/uki/secureboot/measure/measure.go
index abb3f0a3de..0b226cdcc1 100644
--- a/internal/pkg/secureboot/measure/measure.go
+++ b/internal/pkg/uki/secureboot/measure/measure.go
@@ -13,13 +13,13 @@ import (
 
 	"github.com/google/go-tpm/tpm2"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
-	tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure/internal/pcr"
+	tpm2internal "github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 // SectionsData holds a map of Section to file path to the corresponding section.
-type SectionsData map[secureboot.Section]string
+type SectionsData map[uki.Section]string
 
 // RSAKey is the input for the CalculateBankData function.
 type RSAKey interface {
@@ -48,7 +48,7 @@ func GenerateSignedPCR(sectionsData SectionsData, rsaKey RSAKey) (*tpm2internal.
 			bankDataSetter: &data.SHA512,
 		},
 	} {
-		bankData, err := pcr.CalculateBankData(secureboot.UKIPCR, algo.alg, sectionsData, rsaKey)
+		bankData, err := pcr.CalculateBankData(uki.PCR, algo.alg, sectionsData, rsaKey)
 		if err != nil {
 			return nil, err
 		}
diff --git a/internal/pkg/secureboot/measure/measure_test.go b/internal/pkg/uki/secureboot/measure/measure_test.go
similarity index 95%
rename from internal/pkg/secureboot/measure/measure_test.go
rename to internal/pkg/uki/secureboot/measure/measure_test.go
index 102625a6ec..dff74f8afe 100644
--- a/internal/pkg/secureboot/measure/measure_test.go
+++ b/internal/pkg/uki/secureboot/measure/measure_test.go
@@ -19,8 +19,8 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure"
 )
 
 const (
@@ -70,7 +70,7 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) {
 	sectionsData := measure.SectionsData{}
 
 	// create temporary files with the ordered section name and data as the section name
-	for _, section := range secureboot.OrderedSections() {
+	for _, section := range uki.OrderedSections() {
 		sectionFile := filepath.Join(tmpDir, string(section))
 
 		if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil {
@@ -101,10 +101,10 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) {
 func getSignatureUsingSDMeasure(t *testing.T) string {
 	tmpDir := t.TempDir()
 
-	sdMeasureArgs := make([]string, len(secureboot.OrderedSections()))
+	sdMeasureArgs := make([]string, len(uki.OrderedSections()))
 
 	// create temporary files with the ordered section name and data as the section name
-	for i, section := range secureboot.OrderedSections() {
+	for i, section := range uki.OrderedSections() {
 		sectionFile := filepath.Join(tmpDir, string(section))
 
 		if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil {
diff --git a/internal/pkg/secureboot/measure/testdata/pcr-signing-key.pem b/internal/pkg/uki/secureboot/measure/testdata/pcr-signing-key.pem
similarity index 100%
rename from internal/pkg/secureboot/measure/testdata/pcr-signing-key.pem
rename to internal/pkg/uki/secureboot/measure/testdata/pcr-signing-key.pem
diff --git a/internal/pkg/secureboot/pesign/pesign.go b/internal/pkg/uki/secureboot/pesign/pesign.go
similarity index 100%
rename from internal/pkg/secureboot/pesign/pesign.go
rename to internal/pkg/uki/secureboot/pesign/pesign.go
diff --git a/internal/pkg/secureboot/pesign/pesign_test.go b/internal/pkg/uki/secureboot/pesign/pesign_test.go
similarity index 95%
rename from internal/pkg/secureboot/pesign/pesign_test.go
rename to internal/pkg/uki/secureboot/pesign/pesign_test.go
index ce9f311c01..256a9ad674 100644
--- a/internal/pkg/secureboot/pesign/pesign_test.go
+++ b/internal/pkg/uki/secureboot/pesign/pesign_test.go
@@ -15,7 +15,7 @@ import (
 	"github.com/siderolabs/crypto/x509"
 	"github.com/stretchr/testify/require"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/pesign"
 	"github.com/siderolabs/talos/pkg/machinery/config/generate/secrets"
 )
 
diff --git a/internal/pkg/secureboot/pesign/testdata/systemd-bootx64.efi b/internal/pkg/uki/secureboot/pesign/testdata/systemd-bootx64.efi
similarity index 100%
rename from internal/pkg/secureboot/pesign/testdata/systemd-bootx64.efi
rename to internal/pkg/uki/secureboot/pesign/testdata/systemd-bootx64.efi
diff --git a/internal/pkg/secureboot/secureboot.go b/internal/pkg/uki/secureboot/secureboot.go
similarity index 63%
rename from internal/pkg/secureboot/secureboot.go
rename to internal/pkg/uki/secureboot/secureboot.go
index 27721fd347..7974592022 100644
--- a/internal/pkg/secureboot/secureboot.go
+++ b/internal/pkg/uki/secureboot/secureboot.go
@@ -5,50 +5,6 @@
 // Package secureboot contains base definitions for the Secure Boot process.
 package secureboot
 
-// Section is a name of a PE file section (UEFI binary).
-type Section string
-
-// List of well-known section names.
-const (
-	Linux   Section = ".linux"
-	OSRel   Section = ".osrel"
-	CMDLine Section = ".cmdline"
-	Initrd  Section = ".initrd"
-	Ucode   Section = ".ucode"
-	Splash  Section = ".splash"
-	DTB     Section = ".dtb"
-	Uname   Section = ".uname"
-	SBAT    Section = ".sbat"
-	PCRSig  Section = ".pcrsig"
-	PCRPKey Section = ".pcrpkey"
-	Profile Section = ".profile"
-	DTBAuto Section = ".dtbauto"
-	HWIDS   Section = ".hwids"
-)
-
-// OrderedSections returns the sections that are measured into PCR.
-//
-// Derived from https://github.com/systemd/systemd/blob/v257.1/src/fundamental/uki.h#L6
-// .pcrsig section is omitted here since that's what we are calulating here.
-func OrderedSections() []Section {
-	// DO NOT REARRANGE
-	return []Section{
-		Linux,
-		OSRel,
-		CMDLine,
-		Initrd,
-		Ucode,
-		Splash,
-		DTB,
-		Uname,
-		SBAT,
-		PCRPKey,
-		Profile,
-		DTBAuto,
-		HWIDS,
-	}
-}
-
 // Phase is the phase value extended to the PCR.
 type Phase string
 
@@ -97,9 +53,7 @@ func OrderedPhases() []PhaseInfo {
 }
 
 const (
-	// UKIPCR is the PCR number where sections except `.pcrsig` are measured.
-	UKIPCR = 11
-	// SecureBootStatePCR is the PCR number where the secure boot state and the signature are measured.
+	// BootStatePCR is the PCR number where the secure boot state and the signature are measured.
 	// PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated.
-	SecureBootStatePCR = 7
+	BootStatePCR = 7
 )
diff --git a/internal/pkg/secureboot/tpm2/keys.go b/internal/pkg/uki/secureboot/tpm2/keys.go
similarity index 100%
rename from internal/pkg/secureboot/tpm2/keys.go
rename to internal/pkg/uki/secureboot/tpm2/keys.go
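Review bot: The rename `SecureBootStatePCR` → `BootStatePCR` in the second hunk drops the qualifier that made the constant self-describing, while its own doc comment still says "secure boot state" and PCR 7 is specifically the UEFI Secure Boot policy register, so the sealing and unsealing call sites in seal.go and unseal.go now read less precisely than before; keeping `SecureBootStatePCR = 7`, or at least leading the comment with `// BootStatePCR (PCR 7) is the UEFI Secure Boot policy PCR: ...`, would preserve that. The `UKIPCR` constant and its doc line ("the PCR number where sections except `.pcrsig` are measured") are removed here and presumably reappear as `uki.PCR` in the new internal/pkg/uki/uki.go, which is outside this chunk — worth confirming that doc line survived the move, since PCR 11 now lives in a different package from the phase strings that are extended into it, and a cross-reference such as `// See uki.PCR for the PCR the UKI sections and phases are measured into.` next to `BootStatePCR` would help readers. If the `OrderedSections` doc comment moved verbatim, the typo `calulating` should become `calculating` in its new home.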
diff --git a/internal/pkg/secureboot/tpm2/pcr.go b/internal/pkg/uki/secureboot/tpm2/pcr.go
similarity index 92%
rename from internal/pkg/secureboot/tpm2/pcr.go
rename to internal/pkg/uki/secureboot/tpm2/pcr.go
index e0f21a4ccf..866ef0c95a 100644
--- a/internal/pkg/secureboot/tpm2/pcr.go
+++ b/internal/pkg/uki/secureboot/tpm2/pcr.go
@@ -16,8 +16,9 @@ import (
 	"github.com/google/go-tpm/tpm2"
 	"github.com/google/go-tpm/tpm2/transport"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
 	"github.com/siderolabs/talos/internal/pkg/tpm"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
 )
 
 // CreateSelector converts PCR numbers into a bitmask.
@@ -129,21 +130,21 @@ func PolicyPCRDigest(t transport.TPM, policyHandle tpm2.TPMHandle, pcrSelection
 
 //nolint:gocyclo
 func validatePCRBanks(t transport.TPM) error {
-	pcrValue, err := ReadPCR(t, secureboot.UKIPCR)
+	pcrValue, err := ReadPCR(t, uki.PCR)
 	if err != nil {
 		return fmt.Errorf("failed to read PCR: %w", err)
 	}
 
-	if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.UKIPCR); err != nil {
+	if err = validatePCRNotZeroAndNotFilled(pcrValue, uki.PCR); err != nil {
 		return err
 	}
 
-	pcrValue, err = ReadPCR(t, secureboot.SecureBootStatePCR)
+	pcrValue, err = ReadPCR(t, secureboot.BootStatePCR)
 	if err != nil {
 		return fmt.Errorf("failed to read PCR: %w", err)
 	}
 
-	if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.SecureBootStatePCR); err != nil {
+	if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.BootStatePCR); err != nil {
 		return err
 	}
 
diff --git a/internal/pkg/secureboot/tpm2/pcr_test.go b/internal/pkg/uki/secureboot/tpm2/pcr_test.go
similarity index 92%
rename from internal/pkg/secureboot/tpm2/pcr_test.go
rename to internal/pkg/uki/secureboot/tpm2/pcr_test.go
index f94d8e70d2..05b5f77d69 100644
--- a/internal/pkg/secureboot/tpm2/pcr_test.go
+++ b/internal/pkg/uki/secureboot/tpm2/pcr_test.go
@@ -10,7 +10,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	tpm2internal "github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 func TestGetSelection(t *testing.T) {
diff --git a/internal/pkg/secureboot/tpm2/policy.go b/internal/pkg/uki/secureboot/tpm2/policy.go
similarity index 100%
rename from internal/pkg/secureboot/tpm2/policy.go
rename to internal/pkg/uki/secureboot/tpm2/policy.go
diff --git a/internal/pkg/secureboot/tpm2/policy_test.go b/internal/pkg/uki/secureboot/tpm2/policy_test.go
similarity index 95%
rename from internal/pkg/secureboot/tpm2/policy_test.go
rename to internal/pkg/uki/secureboot/tpm2/policy_test.go
index 15264ccd0b..f00ac24800 100644
--- a/internal/pkg/secureboot/tpm2/policy_test.go
+++ b/internal/pkg/uki/secureboot/tpm2/policy_test.go
@@ -11,7 +11,7 @@ import (
 	"github.com/google/go-tpm/tpm2"
 	"github.com/stretchr/testify/require"
 
-	tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	tpm2internal "github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 func TestCalculatePolicy(t *testing.T) {
diff --git a/internal/pkg/secureboot/tpm2/seal.go b/internal/pkg/uki/secureboot/tpm2/seal.go
similarity index 94%
rename from internal/pkg/secureboot/tpm2/seal.go
rename to internal/pkg/uki/secureboot/tpm2/seal.go
index 86828458bb..a848afa0a0 100644
--- a/internal/pkg/secureboot/tpm2/seal.go
+++ b/internal/pkg/uki/secureboot/tpm2/seal.go
@@ -11,8 +11,8 @@ import (
 	"github.com/google/go-tpm/tpm2"
 	"github.com/google/go-tpm/tpm2/transport"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
 	"github.com/siderolabs/talos/internal/pkg/tpm"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
@@ -112,7 +112,7 @@ func Seal(key []byte) (*SealedResponse, error) {
 }
 
 func calculateSealingPolicyDigest(t transport.TPM) ([]byte, error) {
-	pcrSelector, err := CreateSelector([]int{secureboot.SecureBootStatePCR})
+	pcrSelector, err := CreateSelector([]int{secureboot.BootStatePCR})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create PCR selection: %v", err)
 	}
@@ -126,7 +126,7 @@ func calculateSealingPolicyDigest(t transport.TPM) ([]byte, error) {
 		},
 	}
 
-	pcrValue, err := ReadPCR(t, secureboot.SecureBootStatePCR)
+	pcrValue, err := ReadPCR(t, secureboot.BootStatePCR)
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/pkg/secureboot/tpm2/signature.go b/internal/pkg/uki/secureboot/tpm2/signature.go
similarity index 100%
rename from internal/pkg/secureboot/tpm2/signature.go
rename to internal/pkg/uki/secureboot/tpm2/signature.go
diff --git a/internal/pkg/secureboot/tpm2/testdata/pcr-signing-crt.pem b/internal/pkg/uki/secureboot/tpm2/testdata/pcr-signing-crt.pem
similarity index 100%
rename from internal/pkg/secureboot/tpm2/testdata/pcr-signing-crt.pem
rename to internal/pkg/uki/secureboot/tpm2/testdata/pcr-signing-crt.pem
diff --git a/internal/pkg/secureboot/tpm2/tpm2.go b/internal/pkg/uki/secureboot/tpm2/tpm2.go
similarity index 100%
rename from internal/pkg/secureboot/tpm2/tpm2.go
rename to internal/pkg/uki/secureboot/tpm2/tpm2.go
diff --git a/internal/pkg/secureboot/tpm2/unseal.go b/internal/pkg/uki/secureboot/tpm2/unseal.go
similarity index 97%
rename from internal/pkg/secureboot/tpm2/unseal.go
rename to internal/pkg/uki/secureboot/tpm2/unseal.go
index 8a8c1562b1..77300f7169 100644
--- a/internal/pkg/secureboot/tpm2/unseal.go
+++ b/internal/pkg/uki/secureboot/tpm2/unseal.go
@@ -16,8 +16,9 @@ import (
 
 	"github.com/google/go-tpm/tpm2"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
 	"github.com/siderolabs/talos/internal/pkg/tpm"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
@@ -136,7 +137,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) {
 		}
 	}()
 
-	pcrSelector, err := CreateSelector([]int{secureboot.UKIPCR})
+	pcrSelector, err := CreateSelector([]int{uki.PCR})
 	if err != nil {
 		return nil, err
 	}
@@ -225,7 +226,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) {
 		return nil, fmt.Errorf("failed to execute policy authorize: %w", err)
 	}
 
-	secureBootStatePCRSelector, err := CreateSelector([]int{secureboot.SecureBootStatePCR})
+	secureBootStatePCRSelector, err := CreateSelector([]int{secureboot.BootStatePCR})
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/pkg/secureboot/uki/assemble.go b/internal/pkg/uki/secureboot/uki/assemble.go
similarity index 100%
rename from internal/pkg/secureboot/uki/assemble.go
rename to internal/pkg/uki/secureboot/uki/assemble.go
diff --git a/internal/pkg/secureboot/uki/generate.go b/internal/pkg/uki/secureboot/uki/generate.go
similarity index 91%
rename from internal/pkg/secureboot/uki/generate.go
rename to internal/pkg/uki/secureboot/uki/generate.go
index 1ea5851567..770f36bd41 100644
--- a/internal/pkg/secureboot/uki/generate.go
+++ b/internal/pkg/uki/secureboot/uki/generate.go
@@ -14,8 +14,8 @@ import (
 	talosx509 "github.com/siderolabs/crypto/x509"
 	"github.com/siderolabs/gen/xslices"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/version"
 	"github.com/siderolabs/talos/pkg/splash"
@@ -35,7 +35,7 @@ func (builder *Builder) generateOSRel() error {
 
 	builder.sections = append(builder.sections,
 		section{
-			Name:    secureboot.OSRel,
+			Name:    uki.OSRel,
 			Path:    path,
 			Measure: true,
 			Append:  true,
@@ -54,7 +54,7 @@ func (builder *Builder) generateCmdline() error {
 
 	builder.sections = append(builder.sections,
 		section{
-			Name:    secureboot.CMDLine,
+			Name:    uki.CMDLine,
 			Path:    path,
 			Measure: true,
 			Append:  true,
@@ -67,7 +67,7 @@ func (builder *Builder) generateCmdline() error {
 func (builder *Builder) generateInitrd() error {
 	builder.sections = append(builder.sections,
 		section{
-			Name:    secureboot.Initrd,
+			Name:    uki.Initrd,
 			Path:    builder.InitrdPath,
 			Measure: true,
 			Append:  true,
@@ -86,7 +86,7 @@ func (builder *Builder) generateSplash() error {
 
 	builder.sections = append(builder.sections,
 		section{
-			Name:    secureboot.Splash,
+			Name:    uki.Splash,
 			Path:    path,
 			Measure: true,
 			Append:  true,
@@ -122,7 +122,7 @@ func (builder *Builder) generateUname() error {
 
 	builder.sections = append(builder.sections,
 		section{
-			Name:    secureboot.Uname,
+			Name:    uki.Uname,
 			Path:    path,
 			Measure: true,
 			Append:  true,
@@ -146,7 +146,7 @@ func (builder *Builder) generateSBAT() error {
 
 	builder.sections = append(builder.sections,
 		section{
-			Name:    secureboot.SBAT,
+			Name:    uki.SBAT,
 			Path:    path,
 			Measure: true,
 		},
@@ -174,7 +174,7 @@ func (builder *Builder) generatePCRPublicKey() error {
 
 	builder.sections = append(builder.sections,
 		section{
-			Name:    secureboot.PCRPKey,
+			Name:    uki.PCRPKey,
 			Path:    path,
 			Append:  true,
 			Measure: true,
@@ -197,7 +197,7 @@ func (builder *Builder) generateKernel() error {
 
 	builder.sections = append(builder.sections,
 		section{
-			Name:    secureboot.Linux,
+			Name:    uki.Linux,
 			Path:    path,
 			Append:  true,
 			Measure: true,
@@ -214,7 +214,7 @@ func (builder *Builder) generatePCRSig() error {
 				return s.Measure
 			},
 		),
-		func(s section) (secureboot.Section, string) {
+		func(s section) (uki.Section, string) {
 			return s.Name, s.Path
 		})
 
@@ -236,7 +236,7 @@ func (builder *Builder) generatePCRSig() error {
 
 	builder.sections = append(builder.sections,
 		section{
-			Name:   secureboot.PCRSig,
+			Name:   uki.PCRSig,
 			Path:   path,
 			Append: true,
 		},
diff --git a/internal/pkg/secureboot/uki/kernel.go b/internal/pkg/uki/secureboot/uki/kernel.go
similarity index 100%
rename from internal/pkg/secureboot/uki/kernel.go
rename to internal/pkg/uki/secureboot/uki/kernel.go
diff --git a/internal/pkg/secureboot/uki/kernel_test.go b/internal/pkg/uki/secureboot/uki/kernel_test.go
similarity index 88%
rename from internal/pkg/secureboot/uki/kernel_test.go
rename to internal/pkg/uki/secureboot/uki/kernel_test.go
index 7fb4edfef2..3554ab0432 100644
--- a/internal/pkg/secureboot/uki/kernel_test.go
+++ b/internal/pkg/uki/secureboot/uki/kernel_test.go
@@ -10,7 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/uki"
 )
 
 func TestKernelVersion(t *testing.T) {
diff --git a/internal/pkg/secureboot/uki/sbat.go b/internal/pkg/uki/secureboot/uki/sbat.go
similarity index 87%
rename from internal/pkg/secureboot/uki/sbat.go
rename to internal/pkg/uki/secureboot/uki/sbat.go
index 75fa5a4e1d..840878994d 100644
--- a/internal/pkg/secureboot/uki/sbat.go
+++ b/internal/pkg/uki/secureboot/uki/sbat.go
@@ -8,7 +8,7 @@ import (
 	"debug/pe"
 	"errors"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/uki"
 )
 
 // GetSBAT returns the SBAT section from the PE file.
@@ -21,7 +21,7 @@ func GetSBAT(path string) ([]byte, error) {
 	defer pefile.Close() //nolint:errcheck
 
 	for _, section := range pefile.Sections {
-		if section.Name == string(secureboot.SBAT) {
+		if section.Name == string(uki.SBAT) {
 			data, err := section.Data()
 			if err != nil {
 				return nil, err
diff --git a/internal/pkg/secureboot/uki/sbat_test.go b/internal/pkg/uki/secureboot/uki/sbat_test.go
similarity index 91%
rename from internal/pkg/secureboot/uki/sbat_test.go
rename to internal/pkg/uki/secureboot/uki/sbat_test.go
index 13f7f8023c..f7044ba7d2 100644
--- a/internal/pkg/secureboot/uki/sbat_test.go
+++ b/internal/pkg/uki/secureboot/uki/sbat_test.go
@@ -9,7 +9,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/uki"
 )
 
 func TestGetSBAT(t *testing.T) {
diff --git a/internal/pkg/secureboot/uki/testdata/kernel b/internal/pkg/uki/secureboot/uki/testdata/kernel
similarity index 100%
rename from internal/pkg/secureboot/uki/testdata/kernel
rename to internal/pkg/uki/secureboot/uki/testdata/kernel
diff --git a/internal/pkg/secureboot/uki/uki.go b/internal/pkg/uki/secureboot/uki/uki.go
similarity index 95%
rename from internal/pkg/secureboot/uki/uki.go
rename to internal/pkg/uki/secureboot/uki/uki.go
index f762c24be8..f0aa0e0be3 100644
--- a/internal/pkg/secureboot/uki/uki.go
+++ b/internal/pkg/uki/secureboot/uki/uki.go
@@ -10,16 +10,16 @@ import (
 	"log"
 	"os"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/pesign"
 	"github.com/siderolabs/talos/pkg/imager/utils"
 )
 
 // section is a UKI file section.
 type section struct {
 	// Section name.
-	Name secureboot.Section
+	Name uki.Section
 	// Path to the contents of the section.
 	Path string
 	// Should the section be measured to the TPM?
diff --git a/internal/pkg/uki/uki.go b/internal/pkg/uki/uki.go
new file mode 100644
index 0000000000..42ead20f94
--- /dev/null
+++ b/internal/pkg/uki/uki.go
@@ -0,0 +1,53 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package uki defines the UKI sections.
+package uki
+
+// PCR is the PCR number where sections except `.pcrsig` are measured.
+const PCR = 11
+
+// Section is a name of a PE file section (UEFI binary).
+type Section string
+
+// List of well-known section names.
+const (
+	Linux   Section = ".linux"
+	OSRel   Section = ".osrel"
+	CMDLine Section = ".cmdline"
+	Initrd  Section = ".initrd"
+	Ucode   Section = ".ucode"
+	Splash  Section = ".splash"
+	DTB     Section = ".dtb"
+	Uname   Section = ".uname"
+	SBAT    Section = ".sbat"
+	PCRSig  Section = ".pcrsig"
+	PCRPKey Section = ".pcrpkey"
+	Profile Section = ".profile"
+	DTBAuto Section = ".dtbauto"
+	HWIDS   Section = ".hwids"
+)
+
+// OrderedSections returns the sections that are measured into PCR.
+//
+// Derived from https://github.com/systemd/systemd/blob/v257.1/src/fundamental/uki.h#L6
+// .pcrsig section is omitted here since that's what we are calulating here.
+func OrderedSections() []Section {
+	// DO NOT REARRANGE
+	return []Section{
+		Linux,
+		OSRel,
+		CMDLine,
+		Initrd,
+		Ucode,
+		Splash,
+		DTB,
+		Uname,
+		SBAT,
+		PCRPKey,
+		Profile,
+		DTBAuto,
+		HWIDS,
+	}
+}
diff --git a/pkg/imager/imager.go b/pkg/imager/imager.go
index 75f7a136df..3926acdf93 100644
--- a/pkg/imager/imager.go
+++ b/pkg/imager/imager.go
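Review bot: The `// DO NOT REARRANGE` comment inside OrderedSections states the rule without the reason, and the doc comment above it misspells `calulating`; both are worth fixing in this new file because this order is what every `.pcrsig` signature and every secret sealed against uki.PCR (see the unseal.go hunk) is implicitly bound to. Suggest `// DO NOT REARRANGE: this is the systemd-stub measurement order into PCR 11; changing it changes the expected PCR value and invalidates existing .pcrsig signatures and TPM-sealed data.` together with the spelling fix `calculating`. The comment on `PCR` could likewise say who consumes it, e.g. `// PCR is the PCR number (11, the systemd-stub UKI PCR) into which all sections except .pcrsig are measured.` Returning a fresh slice from OrderedSections is the right choice, since callers cannot mutate a shared package-level order.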
@@ -20,7 +20,7 @@ import (
 	talosruntime "github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/board"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/uki"
 	"github.com/siderolabs/talos/pkg/imager/extensions"
 	"github.com/siderolabs/talos/pkg/imager/overlay/executor"
 	"github.com/siderolabs/talos/pkg/imager/profile"
diff --git a/pkg/imager/out.go b/pkg/imager/out.go
index 5b837ec058..8927c0e718 100644
--- a/pkg/imager/out.go
+++ b/pkg/imager/out.go
@@ -30,8 +30,8 @@ import (
 
 	"github.com/siderolabs/talos/cmd/installer/pkg/install"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/bootloader/options"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/database"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/database"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/pesign"
 	"github.com/siderolabs/talos/pkg/imager/filemap"
 	"github.com/siderolabs/talos/pkg/imager/iso"
 	"github.com/siderolabs/talos/pkg/imager/ova"
diff --git a/pkg/imager/profile/input.go b/pkg/imager/profile/input.go
index 137f7f46b5..70ef550928 100644
--- a/pkg/imager/profile/input.go
+++ b/pkg/imager/profile/input.go
@@ -21,8 +21,8 @@ import (
 	"github.com/siderolabs/gen/value"
 	"golang.org/x/sync/errgroup"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/pesign"
 	"github.com/siderolabs/talos/pkg/archiver"
 	"github.com/siderolabs/talos/pkg/imager/profile/internal/signer/aws"
 	"github.com/siderolabs/talos/pkg/imager/profile/internal/signer/azure"
diff --git a/pkg/imager/profile/internal/signer/aws/pcr.go b/pkg/imager/profile/internal/signer/aws/pcr.go
index 2735bc030c..7a6734f28d 100644
--- a/pkg/imager/profile/internal/signer/aws/pcr.go
+++ b/pkg/imager/profile/internal/signer/aws/pcr.go
@@ -16,7 +16,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/kms"
 	"github.com/aws/aws-sdk-go-v2/service/kms/types"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure"
 )
 
 // KeySigner implements measure.RSAKey interface.
diff --git a/pkg/imager/profile/internal/signer/aws/secureboot.go b/pkg/imager/profile/internal/signer/aws/secureboot.go
index 8c17d48d08..4d866949a7 100644
--- a/pkg/imager/profile/internal/signer/aws/secureboot.go
+++ b/pkg/imager/profile/internal/signer/aws/secureboot.go
@@ -12,7 +12,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/pesign"
 )
 
 // SecureBootSigner implements pesign.CertificateSigner interface.
diff --git a/pkg/imager/profile/internal/signer/azure/pcr.go b/pkg/imager/profile/internal/signer/azure/pcr.go
index 28c0a868cf..82ef487d56 100644
--- a/pkg/imager/profile/internal/signer/azure/pcr.go
+++ b/pkg/imager/profile/internal/signer/azure/pcr.go
@@ -16,7 +16,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
 	"github.com/siderolabs/go-pointer"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure"
 )
 
 // KeySigner implements measure.RSAKey interface.
diff --git a/pkg/imager/profile/internal/signer/azure/secureboot.go b/pkg/imager/profile/internal/signer/azure/secureboot.go
index 701169672a..5155deab76 100644
--- a/pkg/imager/profile/internal/signer/azure/secureboot.go
+++ b/pkg/imager/profile/internal/signer/azure/secureboot.go
@@ -13,7 +13,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates"
 	"github.com/siderolabs/go-pointer"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/pesign"
 )
 
 // SecureBootSigner implements pesign.CertificateSigner interface.
diff --git a/pkg/imager/profile/internal/signer/file/pcr.go b/pkg/imager/profile/internal/signer/file/pcr.go
index 8a8b58bd63..73fd9fc349 100644
--- a/pkg/imager/profile/internal/signer/file/pcr.go
+++ b/pkg/imager/profile/internal/signer/file/pcr.go
@@ -15,7 +15,7 @@ import (
 	"io"
 	"os"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure"
 )
 
 // PCRSigner implements measure.RSAKey interface.
diff --git a/pkg/imager/profile/internal/signer/file/secureboot.go b/pkg/imager/profile/internal/signer/file/secureboot.go
index 322d223563..df74a684a2 100644
--- a/pkg/imager/profile/internal/signer/file/secureboot.go
+++ b/pkg/imager/profile/internal/signer/file/secureboot.go
@@ -13,7 +13,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/pesign"
 )
 
 // SecureBootSigner implements pesign.CertificateSigner interface.