Skip to content

Commit

Permalink
chore: uki code restructure
Browse files Browse the repository at this point in the history
UKI code re-structure, no-op.

Signed-off-by: Noel Georgi <[email protected]>
  • Loading branch information
frezbo committed Jan 13, 2025
1 parent faa1490 commit 36ed072
Show file tree
Hide file tree
Showing 41 changed files with 129 additions and 128 deletions.
4 changes: 2 additions & 2 deletions internal/app/init/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,8 +60,8 @@ func run() error {
}

// extend PCR 11 with enter-initrd
if err := tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.EnterInitrd)); err != nil {
return fmt.Errorf("failed to extend PCR %d with enter-initrd: %v", secureboot.UKIPCR, err)
if err := tpm2.PCRExtend(constants.UKIPCR, []byte(secureboot.EnterInitrd)); err != nil {
return fmt.Errorf("failed to extend PCR %d with enter-initrd: %v", constants.UKIPCR, err)
}

log.Printf("booting Talos %s", version.Tag)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -328,7 +328,7 @@ func WriteUdevRules(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
// StartMachined represents the task to start machined.
func StartMachined(_ runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string) {
return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
if err := tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.EnterMachined)); err != nil {
if err := tpm2.PCRExtend(constants.UKIPCR, []byte(secureboot.EnterMachined)); err != nil {
return err
}

Expand Down Expand Up @@ -412,7 +412,7 @@ func StartUdevd(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
// ExtendPCRStartAll represents the task to extend the PCR with the StartTheWorld PCR phase.
func ExtendPCRStartAll(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
return tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.StartTheWorld))
return tpm2.PCRExtend(constants.UKIPCR, []byte(secureboot.StartTheWorld))
}, "extendPCRStartAll"
}

Expand Down
4 changes: 2 additions & 2 deletions internal/pkg/encryption/keys/tpm2.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@ import (
"github.com/siderolabs/go-blockdevice/v2/encryption/luks"
"github.com/siderolabs/go-blockdevice/v2/encryption/token"

"github.com/siderolabs/talos/internal/pkg/secureboot"
"github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
"github.com/siderolabs/talos/pkg/machinery/constants"
)

// TPMToken is the userdata stored in the partition token metadata.
Expand Down Expand Up @@ -74,7 +74,7 @@ func (h *TPMKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Toke
KeySlots: []int{h.slot},
SealedBlobPrivate: resp.SealedBlobPrivate,
SealedBlobPublic: resp.SealedBlobPublic,
PCRs: []int{secureboot.UKIPCR},
PCRs: []int{constants.UKIPCR},
Alg: "sha256",
PolicyHash: resp.PolicyDigest,
KeyName: resp.KeyName,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import (

"github.com/siderolabs/talos/internal/pkg/secureboot"
tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
"github.com/siderolabs/talos/pkg/machinery/constants"
)

// RSAKey is the input for the CalculateBankData function.
Expand All @@ -30,7 +31,7 @@ type RSAKey interface {
// This mimics the process happening happening in the TPM when the UKI is being loaded.
//
//nolint:gocyclo
func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureboot.Section]string, rsaKey RSAKey) ([]tpm2internal.BankData, error) {
func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[string]string, rsaKey RSAKey) ([]tpm2internal.BankData, error) {
// get fingerprint of public key
pubKeyFingerprint := sha256.Sum256(x509.MarshalPKCS1PublicKey(rsaKey.PublicRSAKey()))

Expand All @@ -39,7 +40,7 @@ func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureb
return nil, err
}

pcrSelector, err := tpm2internal.CreateSelector([]int{secureboot.UKIPCR})
pcrSelector, err := tpm2internal.CreateSelector([]int{constants.UKIPCR})
if err != nil {
return nil, fmt.Errorf("failed to create PCR selection: %v", err)
}
Expand All @@ -55,7 +56,7 @@ func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureb

hashData := NewDigest(hashAlg)

for _, section := range secureboot.OrderedSections() {
for _, section := range OrderedSections() {
if file := sectionData[section]; file != "" {
hashData.Extend(append([]byte(section), 0))

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,7 @@ import (
"github.com/google/go-tpm/tpm2"
"github.com/stretchr/testify/require"

"github.com/siderolabs/talos/internal/pkg/secureboot"
"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
"github.com/siderolabs/talos/internal/pkg/measure/internal/pcr"
tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
)

Expand All @@ -40,10 +39,10 @@ func TestCalculateBankData(t *testing.T) {
require.NoError(t, err)

bankData, err := pcr.CalculateBankData(15, tpm2.TPMAlgSHA256,
map[secureboot.Section]string{
secureboot.Initrd: "testdata/a",
secureboot.Linux: "testdata/b",
secureboot.DTB: "testdata/c",
map[string]string{
".initrd": "testdata/a",
".linux": "testdata/b",
".dtb": "testdata/c",
},
keyWrapper{key})
require.NoError(t, err)
Expand Down
File renamed without changes.
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import (

"github.com/stretchr/testify/assert"

"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
"github.com/siderolabs/talos/internal/pkg/measure/internal/pcr"
)

func TestExtend(t *testing.T) {
Expand Down
28 changes: 28 additions & 0 deletions internal/pkg/measure/internal/pcr/sections.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

package pcr

// OrderedSections returns the sections that are measured into PCR.
//
// Derived from https://github.com/systemd/systemd/blob/v257.1/src/fundamental/uki.h#L6
// .pcrsig section is omitted here since that's what we are calulating here.
func OrderedSections() []string {
// DO NOT REARRANGE
return []string{
".linux",
".osrel",
".cmdline",
".initrd",
".ucode",
".splash",
".dtb",
".uname",
".sbat",
".pcrpkey",
".profile",
".dtbauto",
".hwids",
}
}
File renamed without changes.
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ import (

"github.com/stretchr/testify/require"

"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
"github.com/siderolabs/talos/internal/pkg/measure/internal/pcr"
)

func TestSign(t *testing.T) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,13 @@ import (

"github.com/google/go-tpm/tpm2"

"github.com/siderolabs/talos/internal/pkg/secureboot"
"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
"github.com/siderolabs/talos/internal/pkg/measure/internal/pcr"
tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
"github.com/siderolabs/talos/pkg/machinery/constants"
)

// SectionsData holds a map of Section to file path to the corresponding section.
type SectionsData map[secureboot.Section]string
type SectionsData map[string]string

// RSAKey is the input for the CalculateBankData function.
type RSAKey interface {
Expand Down Expand Up @@ -48,7 +48,7 @@ func GenerateSignedPCR(sectionsData SectionsData, rsaKey RSAKey) (*tpm2internal.
bankDataSetter: &data.SHA512,
},
} {
bankData, err := pcr.CalculateBankData(secureboot.UKIPCR, algo.alg, sectionsData, rsaKey)
bankData, err := pcr.CalculateBankData(constants.UKIPCR, algo.alg, sectionsData, rsaKey)
if err != nil {
return nil, err
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,8 @@ import (

"github.com/stretchr/testify/assert"

"github.com/siderolabs/talos/internal/pkg/secureboot"
"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
"github.com/siderolabs/talos/internal/pkg/measure"
"github.com/siderolabs/talos/internal/pkg/measure/internal/pcr"
)

const (
Expand Down Expand Up @@ -70,8 +70,8 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) {
sectionsData := measure.SectionsData{}

// create temporary files with the ordered section name and data as the section name
for _, section := range secureboot.OrderedSections() {
sectionFile := filepath.Join(tmpDir, string(section))
for _, section := range pcr.OrderedSections() {
sectionFile := filepath.Join(tmpDir, section)

if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -101,17 +101,17 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) {
func getSignatureUsingSDMeasure(t *testing.T) string {
tmpDir := t.TempDir()

sdMeasureArgs := make([]string, len(secureboot.OrderedSections()))
sdMeasureArgs := make([]string, len(pcr.OrderedSections()))

// create temporary files with the ordered section name and data as the section name
for i, section := range secureboot.OrderedSections() {
sectionFile := filepath.Join(tmpDir, string(section))
for i, section := range pcr.OrderedSections() {
sectionFile := filepath.Join(tmpDir, section)

if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil {
t.Error(err)
}

sdMeasureArgs[i] = fmt.Sprintf("--%s=%s", strings.TrimPrefix(string(section), "."), sectionFile)
sdMeasureArgs[i] = fmt.Sprintf("--%s=%s", strings.TrimPrefix(section, "."), sectionFile)
}

var (
Expand Down
4 changes: 2 additions & 2 deletions internal/pkg/mount/switchroot/switchroot.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,8 +78,8 @@ func Switch(prefix string, mountpoints mount.Points) (err error) {
}

// extend PCR 11 with leave-initrd
if err = tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.LeaveInitrd)); err != nil {
return fmt.Errorf("failed to extend PCR %d with leave-initrd: %v", secureboot.UKIPCR, err)
if err = tpm2.PCRExtend(constants.UKIPCR, []byte(secureboot.LeaveInitrd)); err != nil {
return fmt.Errorf("failed to extend PCR %d with leave-initrd: %v", constants.UKIPCR, err)
}

// Note that /sbin/init is machined. We call it init since this is the
Expand Down
52 changes: 0 additions & 52 deletions internal/pkg/secureboot/secureboot.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,50 +5,6 @@
// Package secureboot contains base definitions for the Secure Boot process.
package secureboot

// Section is a name of a PE file section (UEFI binary).
type Section string

// List of well-known section names.
const (
Linux Section = ".linux"
OSRel Section = ".osrel"
CMDLine Section = ".cmdline"
Initrd Section = ".initrd"
Ucode Section = ".ucode"
Splash Section = ".splash"
DTB Section = ".dtb"
Uname Section = ".uname"
SBAT Section = ".sbat"
PCRSig Section = ".pcrsig"
PCRPKey Section = ".pcrpkey"
Profile Section = ".profile"
DTBAuto Section = ".dtbauto"
HWIDS Section = ".hwids"
)

// OrderedSections returns the sections that are measured into PCR.
//
// Derived from https://github.com/systemd/systemd/blob/v257.1/src/fundamental/uki.h#L6
// .pcrsig section is omitted here since that's what we are calulating here.
func OrderedSections() []Section {
// DO NOT REARRANGE
return []Section{
Linux,
OSRel,
CMDLine,
Initrd,
Ucode,
Splash,
DTB,
Uname,
SBAT,
PCRPKey,
Profile,
DTBAuto,
HWIDS,
}
}

// Phase is the phase value extended to the PCR.
type Phase string

Expand Down Expand Up @@ -95,11 +51,3 @@ func OrderedPhases() []PhaseInfo {
},
}
}

const (
// UKIPCR is the PCR number where sections except `.pcrsig` are measured.
UKIPCR = 11
// SecureBootStatePCR is the PCR number where the secure boot state and the signature are measured.
// PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated.
SecureBootStatePCR = 7
)
10 changes: 5 additions & 5 deletions internal/pkg/secureboot/tpm2/pcr.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@ import (
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpm2/transport"

"github.com/siderolabs/talos/internal/pkg/secureboot"
"github.com/siderolabs/talos/internal/pkg/tpm"
"github.com/siderolabs/talos/pkg/machinery/constants"
)

// CreateSelector converts PCR numbers into a bitmask.
Expand Down Expand Up @@ -129,21 +129,21 @@ func PolicyPCRDigest(t transport.TPM, policyHandle tpm2.TPMHandle, pcrSelection

//nolint:gocyclo
func validatePCRBanks(t transport.TPM) error {
pcrValue, err := ReadPCR(t, secureboot.UKIPCR)
pcrValue, err := ReadPCR(t, constants.UKIPCR)
if err != nil {
return fmt.Errorf("failed to read PCR: %w", err)
}

if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.UKIPCR); err != nil {
if err = validatePCRNotZeroAndNotFilled(pcrValue, constants.UKIPCR); err != nil {
return err
}

pcrValue, err = ReadPCR(t, secureboot.SecureBootStatePCR)
pcrValue, err = ReadPCR(t, SecureBootStatePCR)
if err != nil {
return fmt.Errorf("failed to read PCR: %w", err)
}

if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.SecureBootStatePCR); err != nil {
if err = validatePCRNotZeroAndNotFilled(pcrValue, SecureBootStatePCR); err != nil {
return err
}

Expand Down
5 changes: 2 additions & 3 deletions internal/pkg/secureboot/tpm2/seal.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ import (
"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpm2/transport"

"github.com/siderolabs/talos/internal/pkg/secureboot"
"github.com/siderolabs/talos/internal/pkg/tpm"
"github.com/siderolabs/talos/pkg/machinery/constants"
)
Expand Down Expand Up @@ -112,7 +111,7 @@ func Seal(key []byte) (*SealedResponse, error) {
}

func calculateSealingPolicyDigest(t transport.TPM) ([]byte, error) {
pcrSelector, err := CreateSelector([]int{secureboot.SecureBootStatePCR})
pcrSelector, err := CreateSelector([]int{SecureBootStatePCR})
if err != nil {
return nil, fmt.Errorf("failed to create PCR selection: %v", err)
}
Expand All @@ -126,7 +125,7 @@ func calculateSealingPolicyDigest(t transport.TPM) ([]byte, error) {
},
}

pcrValue, err := ReadPCR(t, secureboot.SecureBootStatePCR)
pcrValue, err := ReadPCR(t, SecureBootStatePCR)
if err != nil {
return nil, err
}
Expand Down
6 changes: 6 additions & 0 deletions internal/pkg/secureboot/tpm2/tpm2.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,12 @@
// Package tpm2 provides TPM2.0 related functionality helpers.
package tpm2

const (
// SecureBootStatePCR is the PCR number where the secure boot state and the signature are measured.
// PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated.
SecureBootStatePCR = 7
)

// SealedResponse is the response from the TPM2.0 Seal operation.
type SealedResponse struct {
SealedBlobPrivate []byte
Expand Down
5 changes: 2 additions & 3 deletions internal/pkg/secureboot/tpm2/unseal.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@ import (

"github.com/google/go-tpm/tpm2"

"github.com/siderolabs/talos/internal/pkg/secureboot"
"github.com/siderolabs/talos/internal/pkg/tpm"
"github.com/siderolabs/talos/pkg/machinery/constants"
)
Expand Down Expand Up @@ -136,7 +135,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) {
}
}()

pcrSelector, err := CreateSelector([]int{secureboot.UKIPCR})
pcrSelector, err := CreateSelector([]int{constants.UKIPCR})
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -225,7 +224,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) {
return nil, fmt.Errorf("failed to execute policy authorize: %w", err)
}

secureBootStatePCRSelector, err := CreateSelector([]int{secureboot.SecureBootStatePCR})
secureBootStatePCRSelector, err := CreateSelector([]int{SecureBootStatePCR})
if err != nil {
return nil, err
}
Expand Down
Loading

0 comments on commit 36ed072

Please sign in to comment.