chore: uki code restructure

Dockerfile

@@ -438,8 +438,8 @@ COPY --from=ipxe-generate / /pkg/provision/providers/vm/internal/ipxe/data/ipxe/
 COPY --from=selinux-generate / /internal/pkg/selinux/
 COPY --from=embed-abbrev / /
 COPY --from=pkg-ca-certificates /etc/ssl/certs/ca-certificates /internal/app/machined/pkg/controllers/secrets/data/
-COPY --from=microsoft-key-keys / /internal/pkg/secureboot/database/certs/
-COPY --from=microsoft-db-keys / /internal/pkg/secureboot/database/certs/
+COPY --from=microsoft-key-keys / /internal/pkg/uki/secureboot/database/certs/
+COPY --from=microsoft-db-keys / /internal/pkg/uki/secureboot/database/certs/
 
 # The base target provides a container that can be used to build all Talos
 # assets.

cmd/talosctl/cmd/mgmt/gen/secureboot.go

@@ -18,7 +18,7 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/siderolabs/talos/cmd/talosctl/pkg/mgmt/helpers"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/database"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/database"
 	"github.com/siderolabs/talos/pkg/imager/profile"
 	"github.com/siderolabs/talos/pkg/machinery/config/generate/secrets"
 	"github.com/siderolabs/talos/pkg/machinery/constants"

internal/app/init/main.go

@@ -24,8 +24,9 @@ import (
 	"github.com/siderolabs/talos/internal/pkg/mount/switchroot"
 	"github.com/siderolabs/talos/internal/pkg/mount/v2"
 	"github.com/siderolabs/talos/internal/pkg/rng"
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/extensions"
 	"github.com/siderolabs/talos/pkg/machinery/version"
@@ -60,8 +61,8 @@ func run() error {
 	}
 
 	// extend PCR 11 with enter-initrd
-	if err := tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.EnterInitrd)); err != nil {
-		return fmt.Errorf("failed to extend PCR %d with enter-initrd: %v", secureboot.UKIPCR, err)
+	if err := tpm2.PCRExtend(uki.PCR, []byte(secureboot.EnterInitrd)); err != nil {
+		return fmt.Errorf("failed to extend PCR %d with enter-initrd: %v", uki.PCR, err)
 	}
 
 	log.Printf("booting Talos %s", version.Tag)

internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go

@@ -56,9 +56,10 @@ import (
 	"github.com/siderolabs/talos/internal/pkg/mount"
 	mountv2 "github.com/siderolabs/talos/internal/pkg/mount/v2"
 	"github.com/siderolabs/talos/internal/pkg/partition"
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
 	"github.com/siderolabs/talos/internal/pkg/selinux"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 	"github.com/siderolabs/talos/internal/pkg/zboot"
 	"github.com/siderolabs/talos/pkg/conditions"
 	"github.com/siderolabs/talos/pkg/images"
@@ -328,7 +329,7 @@ func WriteUdevRules(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 // StartMachined represents the task to start machined.
 func StartMachined(_ runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
-		if err := tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.EnterMachined)); err != nil {
+		if err := tpm2.PCRExtend(uki.PCR, []byte(secureboot.EnterMachined)); err != nil {
 			return err
 		}
 
@@ -412,7 +413,7 @@ func StartUdevd(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 // ExtendPCRStartAll represents the task to extend the PCR with the StartTheWorld PCR phase.
 func ExtendPCRStartAll(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
-		return tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.StartTheWorld))
+		return tpm2.PCRExtend(uki.PCR, []byte(secureboot.StartTheWorld))
 	}, "extendPCRStartAll"
 }
 

internal/pkg/encryption/keys/tpm2.go

@@ -16,8 +16,8 @@ import (
 	"github.com/siderolabs/go-blockdevice/v2/encryption/luks"
 	"github.com/siderolabs/go-blockdevice/v2/encryption/token"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 // TPMToken is the userdata stored in the partition token metadata.
@@ -74,7 +74,7 @@ func (h *TPMKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Toke
 			KeySlots:          []int{h.slot},
 			SealedBlobPrivate: resp.SealedBlobPrivate,
 			SealedBlobPublic:  resp.SealedBlobPublic,
-			PCRs:              []int{secureboot.UKIPCR},
+			PCRs:              []int{uki.PCR},
 			Alg:               "sha256",
 			PolicyHash:        resp.PolicyDigest,
 			KeyName:           resp.KeyName,

internal/pkg/mount/switchroot/switchroot.go

@@ -16,9 +16,10 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/siderolabs/talos/internal/pkg/mount/v2"
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
 	"github.com/siderolabs/talos/internal/pkg/selinux"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
@@ -78,8 +79,8 @@ func Switch(prefix string, mountpoints mount.Points) (err error) {
 	}
 
 	// extend PCR 11 with leave-initrd
-	if err = tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.LeaveInitrd)); err != nil {
-		return fmt.Errorf("failed to extend PCR %d with leave-initrd: %v", secureboot.UKIPCR, err)
+	if err = tpm2.PCRExtend(uki.PCR, []byte(secureboot.LeaveInitrd)); err != nil {
+		return fmt.Errorf("failed to extend PCR %d with leave-initrd: %v", uki.PCR, err)
 	}
 
 	// Note that /sbin/init is machined. We call it init since this is the

internal/pkg/secureboot/database/database.go → internal/pkg/uki/secureboot/database/database.go

@@ -17,7 +17,7 @@ import (
 	"github.com/foxboron/go-uefi/efivar"
 	"github.com/google/uuid"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/pesign"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 

internal/pkg/secureboot/measure/internal/pcr/bank_data.go → internal/pkg/uki/secureboot/measure/internal/pcr/bank_data.go

@@ -15,8 +15,9 @@ import (
 
 	"github.com/google/go-tpm/tpm2"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
+	tpm2internal "github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 // RSAKey is the input for the CalculateBankData function.
@@ -30,7 +31,7 @@ type RSAKey interface {
 // This mimics the process happening happening in the TPM when the UKI is being loaded.
 //
 //nolint:gocyclo
-func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureboot.Section]string, rsaKey RSAKey) ([]tpm2internal.BankData, error) {
+func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[uki.Section]string, rsaKey RSAKey) ([]tpm2internal.BankData, error) {
 	// get fingerprint of public key
 	pubKeyFingerprint := sha256.Sum256(x509.MarshalPKCS1PublicKey(rsaKey.PublicRSAKey()))
 
@@ -39,7 +40,7 @@ func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureb
 		return nil, err
 	}
 
-	pcrSelector, err := tpm2internal.CreateSelector([]int{secureboot.UKIPCR})
+	pcrSelector, err := tpm2internal.CreateSelector([]int{uki.PCR})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create PCR selection: %v", err)
 	}
@@ -55,7 +56,7 @@ func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureb
 
 	hashData := NewDigest(hashAlg)
 
-	for _, section := range secureboot.OrderedSections() {
+	for _, section := range uki.OrderedSections() {
 		if file := sectionData[section]; file != "" {
 			hashData.Extend(append([]byte(section), 0))
 

internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go → internal/pkg/uki/secureboot/measure/internal/pcr/bank_data_test.go

@@ -14,9 +14,9 @@ import (
 	"github.com/google/go-tpm/tpm2"
 	"github.com/stretchr/testify/require"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
-	tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure/internal/pcr"
+	tpm2internal "github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 type keyWrapper struct {
@@ -40,10 +40,10 @@ func TestCalculateBankData(t *testing.T) {
 	require.NoError(t, err)
 
 	bankData, err := pcr.CalculateBankData(15, tpm2.TPMAlgSHA256,
-		map[secureboot.Section]string{
-			secureboot.Initrd: "testdata/a",
-			secureboot.Linux:  "testdata/b",
-			secureboot.DTB:    "testdata/c",
+		map[uki.Section]string{
+			uki.Initrd: "testdata/a",
+			uki.Linux:  "testdata/b",
+			uki.DTB:    "testdata/c",
 		},
 		keyWrapper{key})
 	require.NoError(t, err)

internal/pkg/secureboot/measure/internal/pcr/extend_test.go → internal/pkg/uki/secureboot/measure/internal/pcr/extend_test.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure/internal/pcr"
 )
 
 func TestExtend(t *testing.T) {

internal/pkg/secureboot/measure/internal/pcr/sign_test.go → internal/pkg/uki/secureboot/measure/internal/pcr/sign_test.go

@@ -14,7 +14,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure/internal/pcr"
 )
 
 func TestSign(t *testing.T) {

internal/pkg/secureboot/measure/measure.go → internal/pkg/uki/secureboot/measure/measure.go

@@ -13,13 +13,13 @@ import (
 
 	"github.com/google/go-tpm/tpm2"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
-	tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure/internal/pcr"
+	tpm2internal "github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 // SectionsData holds a map of Section to file path to the corresponding section.
-type SectionsData map[secureboot.Section]string
+type SectionsData map[uki.Section]string
 
 // RSAKey is the input for the CalculateBankData function.
 type RSAKey interface {
@@ -48,7 +48,7 @@ func GenerateSignedPCR(sectionsData SectionsData, rsaKey RSAKey) (*tpm2internal.
 			bankDataSetter: &data.SHA512,
 		},
 	} {
-		bankData, err := pcr.CalculateBankData(secureboot.UKIPCR, algo.alg, sectionsData, rsaKey)
+		bankData, err := pcr.CalculateBankData(uki.PCR, algo.alg, sectionsData, rsaKey)
 		if err != nil {
 			return nil, err
 		}

internal/pkg/secureboot/measure/measure_test.go → internal/pkg/uki/secureboot/measure/measure_test.go

@@ -19,8 +19,8 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
-	"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/measure"
 )
 
 const (
@@ -70,7 +70,7 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) {
 	sectionsData := measure.SectionsData{}
 
 	// create temporary files with the ordered section name and data as the section name
-	for _, section := range secureboot.OrderedSections() {
+	for _, section := range uki.OrderedSections() {
 		sectionFile := filepath.Join(tmpDir, string(section))
 
 		if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil {
@@ -101,10 +101,10 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) {
 func getSignatureUsingSDMeasure(t *testing.T) string {
 	tmpDir := t.TempDir()
 
-	sdMeasureArgs := make([]string, len(secureboot.OrderedSections()))
+	sdMeasureArgs := make([]string, len(uki.OrderedSections()))
 
 	// create temporary files with the ordered section name and data as the section name
-	for i, section := range secureboot.OrderedSections() {
+	for i, section := range uki.OrderedSections() {
 		sectionFile := filepath.Join(tmpDir, string(section))
 
 		if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil {

internal/pkg/secureboot/pesign/pesign_test.go → internal/pkg/uki/secureboot/pesign/pesign_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/siderolabs/crypto/x509"
 	"github.com/stretchr/testify/require"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot/pesign"
 	"github.com/siderolabs/talos/pkg/machinery/config/generate/secrets"
 )
 

internal/pkg/secureboot/secureboot.go → internal/pkg/uki/secureboot/secureboot.go

@@ -5,50 +5,6 @@
 // Package secureboot contains base definitions for the Secure Boot process.
 package secureboot
 
-// Section is a name of a PE file section (UEFI binary).
-type Section string
-
-// List of well-known section names.
-const (
-	Linux   Section = ".linux"
-	OSRel   Section = ".osrel"
-	CMDLine Section = ".cmdline"
-	Initrd  Section = ".initrd"
-	Ucode   Section = ".ucode"
-	Splash  Section = ".splash"
-	DTB     Section = ".dtb"
-	Uname   Section = ".uname"
-	SBAT    Section = ".sbat"
-	PCRSig  Section = ".pcrsig"
-	PCRPKey Section = ".pcrpkey"
-	Profile Section = ".profile"
-	DTBAuto Section = ".dtbauto"
-	HWIDS   Section = ".hwids"
-)
-
-// OrderedSections returns the sections that are measured into PCR.
-//
-// Derived from https://github.com/systemd/systemd/blob/v257.1/src/fundamental/uki.h#L6
-// .pcrsig section is omitted here since that's what we are calulating here.
-func OrderedSections() []Section {
-	// DO NOT REARRANGE
-	return []Section{
-		Linux,
-		OSRel,
-		CMDLine,
-		Initrd,
-		Ucode,
-		Splash,
-		DTB,
-		Uname,
-		SBAT,
-		PCRPKey,
-		Profile,
-		DTBAuto,
-		HWIDS,
-	}
-}
-
 // Phase is the phase value extended to the PCR.
 type Phase string
 
@@ -97,9 +53,7 @@ func OrderedPhases() []PhaseInfo {
 }
 
 const (
-	// UKIPCR is the PCR number where sections except `.pcrsig` are measured.
-	UKIPCR = 11
-	// SecureBootStatePCR is the PCR number where the secure boot state and the signature are measured.
+	// BootStatePCR is the PCR number where the secure boot state and the signature are measured.
 	// PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated.
-	SecureBootStatePCR = 7
+	BootStatePCR = 7
 )

internal/pkg/secureboot/tpm2/pcr.go → internal/pkg/uki/secureboot/tpm2/pcr.go

@@ -16,8 +16,9 @@ import (
 	"github.com/google/go-tpm/tpm2"
 	"github.com/google/go-tpm/tpm2/transport"
 
-	"github.com/siderolabs/talos/internal/pkg/secureboot"
 	"github.com/siderolabs/talos/internal/pkg/tpm"
+	"github.com/siderolabs/talos/internal/pkg/uki"
+	"github.com/siderolabs/talos/internal/pkg/uki/secureboot"
 )
 
 // CreateSelector converts PCR  numbers into a bitmask.
@@ -129,21 +130,21 @@ func PolicyPCRDigest(t transport.TPM, policyHandle tpm2.TPMHandle, pcrSelection
 
 //nolint:gocyclo
 func validatePCRBanks(t transport.TPM) error {
-	pcrValue, err := ReadPCR(t, secureboot.UKIPCR)
+	pcrValue, err := ReadPCR(t, uki.PCR)
 	if err != nil {
 		return fmt.Errorf("failed to read PCR: %w", err)
 	}
 
-	if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.UKIPCR); err != nil {
+	if err = validatePCRNotZeroAndNotFilled(pcrValue, uki.PCR); err != nil {
 		return err
 	}
 
-	pcrValue, err = ReadPCR(t, secureboot.SecureBootStatePCR)
+	pcrValue, err = ReadPCR(t, secureboot.BootStatePCR)
 	if err != nil {
 		return fmt.Errorf("failed to read PCR: %w", err)
 	}
 
-	if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.SecureBootStatePCR); err != nil {
+	if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.BootStatePCR); err != nil {
 		return err
 	}
 

internal/pkg/secureboot/tpm2/pcr_test.go → internal/pkg/uki/secureboot/tpm2/pcr_test.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	tpm2internal "github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 func TestGetSelection(t *testing.T) {

internal/pkg/secureboot/tpm2/policy_test.go → internal/pkg/uki/secureboot/tpm2/policy_test.go

@@ -11,7 +11,7 @@ import (
 	"github.com/google/go-tpm/tpm2"
 	"github.com/stretchr/testify/require"
 
-	tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
+	tpm2internal "github.com/siderolabs/talos/internal/pkg/uki/secureboot/tpm2"
 )
 
 func TestCalculatePolicy(t *testing.T) {