From 9b957df64680a97a16575db67d4af27cfc0ef7d2 Mon Sep 17 00:00:00 2001 From: Noel Georgi Date: Mon, 13 Jan 2025 22:27:56 +0530 Subject: [PATCH] chore: uki code restructure UKI code re-structure, no-op. Signed-off-by: Noel Georgi --- hack/release.toml | 1 + internal/app/init/main.go | 4 +- .../v1alpha1/v1alpha1_sequencer_tasks.go | 4 +- internal/pkg/encryption/keys/tpm2.go | 4 +- .../measure/internal/pcr/bank_data.go | 7 ++- .../measure/internal/pcr/bank_data_test.go | 11 ++-- .../measure/internal/pcr/extend.go | 0 .../measure/internal/pcr/extend_test.go | 2 +- internal/pkg/measure/internal/pcr/sections.go | 28 ++++++++++ .../measure/internal/pcr/sign.go | 0 .../measure/internal/pcr/sign_test.go | 2 +- .../measure/internal/pcr/testdata/a | 0 .../measure/internal/pcr/testdata/b | 0 .../measure/internal/pcr/testdata/c | 0 .../pkg/{secureboot => }/measure/measure.go | 8 +-- .../{secureboot => }/measure/measure_test.go | 16 +++--- .../measure/testdata/pcr-signing-key.pem | 0 internal/pkg/mount/switchroot/switchroot.go | 4 +- internal/pkg/secureboot/secureboot.go | 52 ------------------ internal/pkg/secureboot/tpm2/pcr.go | 10 ++-- internal/pkg/secureboot/tpm2/seal.go | 5 +- internal/pkg/secureboot/tpm2/tpm2.go | 6 ++ internal/pkg/secureboot/tpm2/unseal.go | 5 +- internal/pkg/{secureboot => }/uki/assemble.go | 2 +- internal/pkg/{secureboot => }/uki/generate.go | 23 ++++---- .../uki/internal/pe/native.go | 5 +- .../uki/internal/pe/objcopy.go | 0 .../{secureboot => }/uki/internal/pe/pe.go | 6 +- .../uki/internal/pe/pe_test.go | 2 +- .../internal/pe/testdata/sd-stub-amd64.efi | Bin internal/pkg/{secureboot => }/uki/kernel.go | 0 .../pkg/{secureboot => }/uki/kernel_test.go | 2 +- internal/pkg/{secureboot => }/uki/sbat.go | 4 +- .../pkg/{secureboot => }/uki/sbat_test.go | 4 +- .../pkg/{secureboot => }/uki/testdata/kernel | Bin internal/pkg/{secureboot => }/uki/uki.go | 30 +++++++++- pkg/imager/imager.go | 2 +- pkg/imager/profile/input.go | 2 +- pkg/imager/profile/internal/signer/aws/pcr.go | 2 +- .../profile/internal/signer/azure/pcr.go | 2 +- .../profile/internal/signer/file/pcr.go | 2 +- pkg/machinery/constants/constants.go | 3 + 42 files changed, 131 insertions(+), 129 deletions(-) rename internal/pkg/{secureboot => }/measure/internal/pcr/bank_data.go (90%) rename internal/pkg/{secureboot => }/measure/internal/pcr/bank_data_test.go (87%) rename internal/pkg/{secureboot => }/measure/internal/pcr/extend.go (100%) rename internal/pkg/{secureboot => }/measure/internal/pcr/extend_test.go (92%) create mode 100644 internal/pkg/measure/internal/pcr/sections.go rename internal/pkg/{secureboot => }/measure/internal/pcr/sign.go (100%) rename internal/pkg/{secureboot => }/measure/internal/pcr/sign_test.go (95%) rename internal/pkg/{secureboot => }/measure/internal/pcr/testdata/a (100%) rename internal/pkg/{secureboot => }/measure/internal/pcr/testdata/b (100%) rename internal/pkg/{secureboot => }/measure/internal/pcr/testdata/c (100%) rename internal/pkg/{secureboot => }/measure/measure.go (84%) rename internal/pkg/{secureboot => }/measure/measure_test.go (92%) rename internal/pkg/{secureboot => }/measure/testdata/pcr-signing-key.pem (100%) rename internal/pkg/{secureboot => }/uki/assemble.go (87%) rename internal/pkg/{secureboot => }/uki/generate.go (91%) rename internal/pkg/{secureboot => }/uki/internal/pe/native.go (97%) rename internal/pkg/{secureboot => }/uki/internal/pe/objcopy.go (100%) rename internal/pkg/{secureboot => }/uki/internal/pe/pe.go (87%) rename internal/pkg/{secureboot => }/uki/internal/pe/pe_test.go (97%) rename internal/pkg/{secureboot => }/uki/internal/pe/testdata/sd-stub-amd64.efi (100%) rename internal/pkg/{secureboot => }/uki/kernel.go (100%) rename internal/pkg/{secureboot => }/uki/kernel_test.go (89%) rename internal/pkg/{secureboot => }/uki/sbat.go (86%) rename internal/pkg/{secureboot => }/uki/sbat_test.go (84%) rename internal/pkg/{secureboot => }/uki/testdata/kernel (100%) rename internal/pkg/{secureboot => }/uki/uki.go (84%) diff --git a/hack/release.toml b/hack/release.toml index 6e98264789..db995dc380 100644 --- a/hack/release.toml +++ b/hack/release.toml @@ -73,6 +73,7 @@ cluster: ``` Usage of `authorization-mode` CLI argument will not support this form of customization. +""" [make_deps] diff --git a/internal/app/init/main.go b/internal/app/init/main.go index c60f8ee27b..da7c890bb4 100644 --- a/internal/app/init/main.go +++ b/internal/app/init/main.go @@ -60,8 +60,8 @@ func run() error { } // extend PCR 11 with enter-initrd - if err := tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.EnterInitrd)); err != nil { - return fmt.Errorf("failed to extend PCR %d with enter-initrd: %v", secureboot.UKIPCR, err) + if err := tpm2.PCRExtend(constants.UKIPCR, []byte(secureboot.EnterInitrd)); err != nil { + return fmt.Errorf("failed to extend PCR %d with enter-initrd: %v", constants.UKIPCR, err) } log.Printf("booting Talos %s", version.Tag) diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go index 55d54e7cd4..b6fe937421 100644 --- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go +++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go @@ -328,7 +328,7 @@ func WriteUdevRules(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { // StartMachined represents the task to start machined. func StartMachined(_ runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string) { return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error { - if err := tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.EnterMachined)); err != nil { + if err := tpm2.PCRExtend(constants.UKIPCR, []byte(secureboot.EnterMachined)); err != nil { return err } @@ -423,7 +423,7 @@ func StartUdevd(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { // ExtendPCRStartAll represents the task to extend the PCR with the StartTheWorld PCR phase. func ExtendPCRStartAll(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) { - return tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.StartTheWorld)) + return tpm2.PCRExtend(constants.UKIPCR, []byte(secureboot.StartTheWorld)) }, "extendPCRStartAll" } diff --git a/internal/pkg/encryption/keys/tpm2.go b/internal/pkg/encryption/keys/tpm2.go index e0c5af7deb..6d7efe2718 100644 --- a/internal/pkg/encryption/keys/tpm2.go +++ b/internal/pkg/encryption/keys/tpm2.go @@ -16,8 +16,8 @@ import ( "github.com/siderolabs/go-blockdevice/v2/encryption/luks" "github.com/siderolabs/go-blockdevice/v2/encryption/token" - "github.com/siderolabs/talos/internal/pkg/secureboot" "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2" + "github.com/siderolabs/talos/pkg/machinery/constants" ) // TPMToken is the userdata stored in the partition token metadata. @@ -74,7 +74,7 @@ func (h *TPMKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Toke KeySlots: []int{h.slot}, SealedBlobPrivate: resp.SealedBlobPrivate, SealedBlobPublic: resp.SealedBlobPublic, - PCRs: []int{secureboot.UKIPCR}, + PCRs: []int{constants.UKIPCR}, Alg: "sha256", PolicyHash: resp.PolicyDigest, KeyName: resp.KeyName, diff --git a/internal/pkg/secureboot/measure/internal/pcr/bank_data.go b/internal/pkg/measure/internal/pcr/bank_data.go similarity index 90% rename from internal/pkg/secureboot/measure/internal/pcr/bank_data.go rename to internal/pkg/measure/internal/pcr/bank_data.go index cc4f5b2293..d69510ee8a 100644 --- a/internal/pkg/secureboot/measure/internal/pcr/bank_data.go +++ b/internal/pkg/measure/internal/pcr/bank_data.go @@ -17,6 +17,7 @@ import ( "github.com/siderolabs/talos/internal/pkg/secureboot" tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2" + "github.com/siderolabs/talos/pkg/machinery/constants" ) // RSAKey is the input for the CalculateBankData function. @@ -30,7 +31,7 @@ type RSAKey interface { // This mimics the process happening happening in the TPM when the UKI is being loaded. // //nolint:gocyclo -func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureboot.Section]string, rsaKey RSAKey) ([]tpm2internal.BankData, error) { +func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[string]string, rsaKey RSAKey) ([]tpm2internal.BankData, error) { // get fingerprint of public key pubKeyFingerprint := sha256.Sum256(x509.MarshalPKCS1PublicKey(rsaKey.PublicRSAKey())) @@ -39,7 +40,7 @@ func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureb return nil, err } - pcrSelector, err := tpm2internal.CreateSelector([]int{secureboot.UKIPCR}) + pcrSelector, err := tpm2internal.CreateSelector([]int{constants.UKIPCR}) if err != nil { return nil, fmt.Errorf("failed to create PCR selection: %v", err) } @@ -55,7 +56,7 @@ func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureb hashData := NewDigest(hashAlg) - for _, section := range secureboot.OrderedSections() { + for _, section := range OrderedSections() { if file := sectionData[section]; file != "" { hashData.Extend(append([]byte(section), 0)) diff --git a/internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go b/internal/pkg/measure/internal/pcr/bank_data_test.go similarity index 87% rename from internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go rename to internal/pkg/measure/internal/pcr/bank_data_test.go index 814cb17bea..739a21295a 100644 --- a/internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go +++ b/internal/pkg/measure/internal/pcr/bank_data_test.go @@ -14,8 +14,7 @@ import ( "github.com/google/go-tpm/tpm2" "github.com/stretchr/testify/require" - "github.com/siderolabs/talos/internal/pkg/secureboot" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr" + "github.com/siderolabs/talos/internal/pkg/measure/internal/pcr" tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2" ) @@ -40,10 +39,10 @@ func TestCalculateBankData(t *testing.T) { require.NoError(t, err) bankData, err := pcr.CalculateBankData(15, tpm2.TPMAlgSHA256, - map[secureboot.Section]string{ - secureboot.Initrd: "testdata/a", - secureboot.Linux: "testdata/b", - secureboot.DTB: "testdata/c", + map[string]string{ + ".initrd": "testdata/a", + ".linux": "testdata/b", + ".dtb": "testdata/c", }, keyWrapper{key}) require.NoError(t, err) diff --git a/internal/pkg/secureboot/measure/internal/pcr/extend.go b/internal/pkg/measure/internal/pcr/extend.go similarity index 100% rename from internal/pkg/secureboot/measure/internal/pcr/extend.go rename to internal/pkg/measure/internal/pcr/extend.go diff --git a/internal/pkg/secureboot/measure/internal/pcr/extend_test.go b/internal/pkg/measure/internal/pcr/extend_test.go similarity index 92% rename from internal/pkg/secureboot/measure/internal/pcr/extend_test.go rename to internal/pkg/measure/internal/pcr/extend_test.go index 3c061164d6..36f21440c3 100644 --- a/internal/pkg/secureboot/measure/internal/pcr/extend_test.go +++ b/internal/pkg/measure/internal/pcr/extend_test.go @@ -10,7 +10,7 @@ import ( "github.com/stretchr/testify/assert" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr" + "github.com/siderolabs/talos/internal/pkg/measure/internal/pcr" ) func TestExtend(t *testing.T) { diff --git a/internal/pkg/measure/internal/pcr/sections.go b/internal/pkg/measure/internal/pcr/sections.go new file mode 100644 index 0000000000..66723f03f0 --- /dev/null +++ b/internal/pkg/measure/internal/pcr/sections.go @@ -0,0 +1,28 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package pcr + +// OrderedSections returns the sections that are measured into PCR. +// +// Derived from https://github.com/systemd/systemd/blob/v257.1/src/fundamental/uki.h#L6 +// .pcrsig section is omitted here since that's what we are calulating here. +func OrderedSections() []string { + // DO NOT REARRANGE + return []string{ + ".linux", + ".osrel", + ".cmdline", + ".initrd", + ".ucode", + ".splash", + ".dtb", + ".uname", + ".sbat", + ".pcrpkey", + ".profile", + ".dtbauto", + ".hwids", + } +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/sign.go b/internal/pkg/measure/internal/pcr/sign.go similarity index 100% rename from internal/pkg/secureboot/measure/internal/pcr/sign.go rename to internal/pkg/measure/internal/pcr/sign.go diff --git a/internal/pkg/secureboot/measure/internal/pcr/sign_test.go b/internal/pkg/measure/internal/pcr/sign_test.go similarity index 95% rename from internal/pkg/secureboot/measure/internal/pcr/sign_test.go rename to internal/pkg/measure/internal/pcr/sign_test.go index 4e29c5bf13..807064af23 100644 --- a/internal/pkg/secureboot/measure/internal/pcr/sign_test.go +++ b/internal/pkg/measure/internal/pcr/sign_test.go @@ -14,7 +14,7 @@ import ( "github.com/stretchr/testify/require" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr" + "github.com/siderolabs/talos/internal/pkg/measure/internal/pcr" ) func TestSign(t *testing.T) { diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/a b/internal/pkg/measure/internal/pcr/testdata/a similarity index 100% rename from internal/pkg/secureboot/measure/internal/pcr/testdata/a rename to internal/pkg/measure/internal/pcr/testdata/a diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/b b/internal/pkg/measure/internal/pcr/testdata/b similarity index 100% rename from internal/pkg/secureboot/measure/internal/pcr/testdata/b rename to internal/pkg/measure/internal/pcr/testdata/b diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/c b/internal/pkg/measure/internal/pcr/testdata/c similarity index 100% rename from internal/pkg/secureboot/measure/internal/pcr/testdata/c rename to internal/pkg/measure/internal/pcr/testdata/c diff --git a/internal/pkg/secureboot/measure/measure.go b/internal/pkg/measure/measure.go similarity index 84% rename from internal/pkg/secureboot/measure/measure.go rename to internal/pkg/measure/measure.go index abb3f0a3de..eee8821e95 100644 --- a/internal/pkg/secureboot/measure/measure.go +++ b/internal/pkg/measure/measure.go @@ -13,13 +13,13 @@ import ( "github.com/google/go-tpm/tpm2" - "github.com/siderolabs/talos/internal/pkg/secureboot" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr" + "github.com/siderolabs/talos/internal/pkg/measure/internal/pcr" tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2" + "github.com/siderolabs/talos/pkg/machinery/constants" ) // SectionsData holds a map of Section to file path to the corresponding section. -type SectionsData map[secureboot.Section]string +type SectionsData map[string]string // RSAKey is the input for the CalculateBankData function. type RSAKey interface { @@ -48,7 +48,7 @@ func GenerateSignedPCR(sectionsData SectionsData, rsaKey RSAKey) (*tpm2internal. bankDataSetter: &data.SHA512, }, } { - bankData, err := pcr.CalculateBankData(secureboot.UKIPCR, algo.alg, sectionsData, rsaKey) + bankData, err := pcr.CalculateBankData(constants.UKIPCR, algo.alg, sectionsData, rsaKey) if err != nil { return nil, err } diff --git a/internal/pkg/secureboot/measure/measure_test.go b/internal/pkg/measure/measure_test.go similarity index 92% rename from internal/pkg/secureboot/measure/measure_test.go rename to internal/pkg/measure/measure_test.go index 102625a6ec..c8d74b03d3 100644 --- a/internal/pkg/secureboot/measure/measure_test.go +++ b/internal/pkg/measure/measure_test.go @@ -19,8 +19,8 @@ import ( "github.com/stretchr/testify/assert" - "github.com/siderolabs/talos/internal/pkg/secureboot" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure" + "github.com/siderolabs/talos/internal/pkg/measure" + "github.com/siderolabs/talos/internal/pkg/measure/internal/pcr" ) const ( @@ -70,8 +70,8 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) { sectionsData := measure.SectionsData{} // create temporary files with the ordered section name and data as the section name - for _, section := range secureboot.OrderedSections() { - sectionFile := filepath.Join(tmpDir, string(section)) + for _, section := range pcr.OrderedSections() { + sectionFile := filepath.Join(tmpDir, section) if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil { t.Fatal(err) @@ -101,17 +101,17 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) { func getSignatureUsingSDMeasure(t *testing.T) string { tmpDir := t.TempDir() - sdMeasureArgs := make([]string, len(secureboot.OrderedSections())) + sdMeasureArgs := make([]string, len(pcr.OrderedSections())) // create temporary files with the ordered section name and data as the section name - for i, section := range secureboot.OrderedSections() { - sectionFile := filepath.Join(tmpDir, string(section)) + for i, section := range pcr.OrderedSections() { + sectionFile := filepath.Join(tmpDir, section) if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil { t.Error(err) } - sdMeasureArgs[i] = fmt.Sprintf("--%s=%s", strings.TrimPrefix(string(section), "."), sectionFile) + sdMeasureArgs[i] = fmt.Sprintf("--%s=%s", strings.TrimPrefix(section, "."), sectionFile) } var ( diff --git a/internal/pkg/secureboot/measure/testdata/pcr-signing-key.pem b/internal/pkg/measure/testdata/pcr-signing-key.pem similarity index 100% rename from internal/pkg/secureboot/measure/testdata/pcr-signing-key.pem rename to internal/pkg/measure/testdata/pcr-signing-key.pem diff --git a/internal/pkg/mount/switchroot/switchroot.go b/internal/pkg/mount/switchroot/switchroot.go index 1cef339ffb..a96729cf92 100644 --- a/internal/pkg/mount/switchroot/switchroot.go +++ b/internal/pkg/mount/switchroot/switchroot.go @@ -78,8 +78,8 @@ func Switch(prefix string, mountpoints mount.Points) (err error) { } // extend PCR 11 with leave-initrd - if err = tpm2.PCRExtend(secureboot.UKIPCR, []byte(secureboot.LeaveInitrd)); err != nil { - return fmt.Errorf("failed to extend PCR %d with leave-initrd: %v", secureboot.UKIPCR, err) + if err = tpm2.PCRExtend(constants.UKIPCR, []byte(secureboot.LeaveInitrd)); err != nil { + return fmt.Errorf("failed to extend PCR %d with leave-initrd: %v", constants.UKIPCR, err) } // Note that /sbin/init is machined. We call it init since this is the diff --git a/internal/pkg/secureboot/secureboot.go b/internal/pkg/secureboot/secureboot.go index 27721fd347..eb6f815730 100644 --- a/internal/pkg/secureboot/secureboot.go +++ b/internal/pkg/secureboot/secureboot.go @@ -5,50 +5,6 @@ // Package secureboot contains base definitions for the Secure Boot process. package secureboot -// Section is a name of a PE file section (UEFI binary). -type Section string - -// List of well-known section names. -const ( - Linux Section = ".linux" - OSRel Section = ".osrel" - CMDLine Section = ".cmdline" - Initrd Section = ".initrd" - Ucode Section = ".ucode" - Splash Section = ".splash" - DTB Section = ".dtb" - Uname Section = ".uname" - SBAT Section = ".sbat" - PCRSig Section = ".pcrsig" - PCRPKey Section = ".pcrpkey" - Profile Section = ".profile" - DTBAuto Section = ".dtbauto" - HWIDS Section = ".hwids" -) - -// OrderedSections returns the sections that are measured into PCR. -// -// Derived from https://github.com/systemd/systemd/blob/v257.1/src/fundamental/uki.h#L6 -// .pcrsig section is omitted here since that's what we are calulating here. -func OrderedSections() []Section { - // DO NOT REARRANGE - return []Section{ - Linux, - OSRel, - CMDLine, - Initrd, - Ucode, - Splash, - DTB, - Uname, - SBAT, - PCRPKey, - Profile, - DTBAuto, - HWIDS, - } -} - // Phase is the phase value extended to the PCR. type Phase string @@ -95,11 +51,3 @@ func OrderedPhases() []PhaseInfo { }, } } - -const ( - // UKIPCR is the PCR number where sections except `.pcrsig` are measured. - UKIPCR = 11 - // SecureBootStatePCR is the PCR number where the secure boot state and the signature are measured. - // PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated. - SecureBootStatePCR = 7 -) diff --git a/internal/pkg/secureboot/tpm2/pcr.go b/internal/pkg/secureboot/tpm2/pcr.go index e0f21a4ccf..e63e816791 100644 --- a/internal/pkg/secureboot/tpm2/pcr.go +++ b/internal/pkg/secureboot/tpm2/pcr.go @@ -16,8 +16,8 @@ import ( "github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpm2/transport" - "github.com/siderolabs/talos/internal/pkg/secureboot" "github.com/siderolabs/talos/internal/pkg/tpm" + "github.com/siderolabs/talos/pkg/machinery/constants" ) // CreateSelector converts PCR numbers into a bitmask. @@ -129,21 +129,21 @@ func PolicyPCRDigest(t transport.TPM, policyHandle tpm2.TPMHandle, pcrSelection //nolint:gocyclo func validatePCRBanks(t transport.TPM) error { - pcrValue, err := ReadPCR(t, secureboot.UKIPCR) + pcrValue, err := ReadPCR(t, constants.UKIPCR) if err != nil { return fmt.Errorf("failed to read PCR: %w", err) } - if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.UKIPCR); err != nil { + if err = validatePCRNotZeroAndNotFilled(pcrValue, constants.UKIPCR); err != nil { return err } - pcrValue, err = ReadPCR(t, secureboot.SecureBootStatePCR) + pcrValue, err = ReadPCR(t, SecureBootStatePCR) if err != nil { return fmt.Errorf("failed to read PCR: %w", err) } - if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.SecureBootStatePCR); err != nil { + if err = validatePCRNotZeroAndNotFilled(pcrValue, SecureBootStatePCR); err != nil { return err } diff --git a/internal/pkg/secureboot/tpm2/seal.go b/internal/pkg/secureboot/tpm2/seal.go index 86828458bb..45bf28edc6 100644 --- a/internal/pkg/secureboot/tpm2/seal.go +++ b/internal/pkg/secureboot/tpm2/seal.go @@ -11,7 +11,6 @@ import ( "github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpm2/transport" - "github.com/siderolabs/talos/internal/pkg/secureboot" "github.com/siderolabs/talos/internal/pkg/tpm" "github.com/siderolabs/talos/pkg/machinery/constants" ) @@ -112,7 +111,7 @@ func Seal(key []byte) (*SealedResponse, error) { } func calculateSealingPolicyDigest(t transport.TPM) ([]byte, error) { - pcrSelector, err := CreateSelector([]int{secureboot.SecureBootStatePCR}) + pcrSelector, err := CreateSelector([]int{SecureBootStatePCR}) if err != nil { return nil, fmt.Errorf("failed to create PCR selection: %v", err) } @@ -126,7 +125,7 @@ func calculateSealingPolicyDigest(t transport.TPM) ([]byte, error) { }, } - pcrValue, err := ReadPCR(t, secureboot.SecureBootStatePCR) + pcrValue, err := ReadPCR(t, SecureBootStatePCR) if err != nil { return nil, err } diff --git a/internal/pkg/secureboot/tpm2/tpm2.go b/internal/pkg/secureboot/tpm2/tpm2.go index 89d1d71657..7e42d72e96 100644 --- a/internal/pkg/secureboot/tpm2/tpm2.go +++ b/internal/pkg/secureboot/tpm2/tpm2.go @@ -5,6 +5,12 @@ // Package tpm2 provides TPM2.0 related functionality helpers. package tpm2 +const ( + // SecureBootStatePCR is the PCR number where the secure boot state and the signature are measured. + // PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated. + SecureBootStatePCR = 7 +) + // SealedResponse is the response from the TPM2.0 Seal operation. type SealedResponse struct { SealedBlobPrivate []byte diff --git a/internal/pkg/secureboot/tpm2/unseal.go b/internal/pkg/secureboot/tpm2/unseal.go index 8a8c1562b1..52d533b585 100644 --- a/internal/pkg/secureboot/tpm2/unseal.go +++ b/internal/pkg/secureboot/tpm2/unseal.go @@ -16,7 +16,6 @@ import ( "github.com/google/go-tpm/tpm2" - "github.com/siderolabs/talos/internal/pkg/secureboot" "github.com/siderolabs/talos/internal/pkg/tpm" "github.com/siderolabs/talos/pkg/machinery/constants" ) @@ -136,7 +135,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) { } }() - pcrSelector, err := CreateSelector([]int{secureboot.UKIPCR}) + pcrSelector, err := CreateSelector([]int{constants.UKIPCR}) if err != nil { return nil, err } @@ -225,7 +224,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) { return nil, fmt.Errorf("failed to execute policy authorize: %w", err) } - secureBootStatePCRSelector, err := CreateSelector([]int{secureboot.SecureBootStatePCR}) + secureBootStatePCRSelector, err := CreateSelector([]int{SecureBootStatePCR}) if err != nil { return nil, err } diff --git a/internal/pkg/secureboot/uki/assemble.go b/internal/pkg/uki/assemble.go similarity index 87% rename from internal/pkg/secureboot/uki/assemble.go rename to internal/pkg/uki/assemble.go index 27876772f9..8638e14c1a 100644 --- a/internal/pkg/secureboot/uki/assemble.go +++ b/internal/pkg/uki/assemble.go @@ -7,7 +7,7 @@ package uki import ( "path/filepath" - "github.com/siderolabs/talos/internal/pkg/secureboot/uki/internal/pe" + "github.com/siderolabs/talos/internal/pkg/uki/internal/pe" ) // assemble the UKI file out of sections. diff --git a/internal/pkg/secureboot/uki/generate.go b/internal/pkg/uki/generate.go similarity index 91% rename from internal/pkg/secureboot/uki/generate.go rename to internal/pkg/uki/generate.go index 1ea5851567..6dba9297d2 100644 --- a/internal/pkg/secureboot/uki/generate.go +++ b/internal/pkg/uki/generate.go @@ -14,8 +14,7 @@ import ( talosx509 "github.com/siderolabs/crypto/x509" "github.com/siderolabs/gen/xslices" - "github.com/siderolabs/talos/internal/pkg/secureboot" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure" + "github.com/siderolabs/talos/internal/pkg/measure" "github.com/siderolabs/talos/pkg/machinery/constants" "github.com/siderolabs/talos/pkg/machinery/version" "github.com/siderolabs/talos/pkg/splash" @@ -35,7 +34,7 @@ func (builder *Builder) generateOSRel() error { builder.sections = append(builder.sections, section{ - Name: secureboot.OSRel, + Name: SectionOSRel.String(), Path: path, Measure: true, Append: true, @@ -54,7 +53,7 @@ func (builder *Builder) generateCmdline() error { builder.sections = append(builder.sections, section{ - Name: secureboot.CMDLine, + Name: SectionCmdline.String(), Path: path, Measure: true, Append: true, @@ -67,7 +66,7 @@ func (builder *Builder) generateCmdline() error { func (builder *Builder) generateInitrd() error { builder.sections = append(builder.sections, section{ - Name: secureboot.Initrd, + Name: SectionInitrd.String(), Path: builder.InitrdPath, Measure: true, Append: true, @@ -86,7 +85,7 @@ func (builder *Builder) generateSplash() error { builder.sections = append(builder.sections, section{ - Name: secureboot.Splash, + Name: SectionSplash.String(), Path: path, Measure: true, Append: true, @@ -122,7 +121,7 @@ func (builder *Builder) generateUname() error { builder.sections = append(builder.sections, section{ - Name: secureboot.Uname, + Name: SectionUname.String(), Path: path, Measure: true, Append: true, @@ -146,7 +145,7 @@ func (builder *Builder) generateSBAT() error { builder.sections = append(builder.sections, section{ - Name: secureboot.SBAT, + Name: SectionSBAT.String(), Path: path, Measure: true, }, @@ -174,7 +173,7 @@ func (builder *Builder) generatePCRPublicKey() error { builder.sections = append(builder.sections, section{ - Name: secureboot.PCRPKey, + Name: SectionPCRPKey.String(), Path: path, Append: true, Measure: true, @@ -197,7 +196,7 @@ func (builder *Builder) generateKernel() error { builder.sections = append(builder.sections, section{ - Name: secureboot.Linux, + Name: SectionLinux.String(), Path: path, Append: true, Measure: true, @@ -214,7 +213,7 @@ func (builder *Builder) generatePCRSig() error { return s.Measure }, ), - func(s section) (secureboot.Section, string) { + func(s section) (string, string) { return s.Name, s.Path }) @@ -236,7 +235,7 @@ func (builder *Builder) generatePCRSig() error { builder.sections = append(builder.sections, section{ - Name: secureboot.PCRSig, + Name: SectionPCRSig.String(), Path: path, Append: true, }, diff --git a/internal/pkg/secureboot/uki/internal/pe/native.go b/internal/pkg/uki/internal/pe/native.go similarity index 97% rename from internal/pkg/secureboot/uki/internal/pe/native.go rename to internal/pkg/uki/internal/pe/native.go index 9a12b8a147..e4820de0a4 100644 --- a/internal/pkg/secureboot/uki/internal/pe/native.go +++ b/internal/pkg/uki/internal/pe/native.go @@ -16,7 +16,6 @@ import ( "github.com/siderolabs/gen/xslices" - "github.com/siderolabs/talos/internal/pkg/secureboot" "github.com/siderolabs/talos/pkg/imager/utils" ) @@ -136,7 +135,7 @@ func AssembleNative(srcPath, dstPath string, sections []Section) error { newSections = append(newSections, &pe.Section{ SectionHeader: pe.SectionHeader{ - Name: string(sections[i].Name), + Name: sections[i].Name, VirtualSize: uint32(sections[i].virtualSize), VirtualAddress: uint32(sections[i].virtualAddress), Size: uint32((sections[i].virtualSize + fileAlignment) &^ fileAlignment), @@ -213,7 +212,7 @@ func AssembleNative(srcPath, dstPath string, sections []Section) error { var sectionData io.ReadCloser for _, section := range sections { - if section.Append && section.Name == secureboot.Section(name) { + if section.Append && section.Name == name { sectionData, err = os.Open(section.Path) if err != nil { return fmt.Errorf("failed to open section data: %w", err) diff --git a/internal/pkg/secureboot/uki/internal/pe/objcopy.go b/internal/pkg/uki/internal/pe/objcopy.go similarity index 100% rename from internal/pkg/secureboot/uki/internal/pe/objcopy.go rename to internal/pkg/uki/internal/pe/objcopy.go diff --git a/internal/pkg/secureboot/uki/internal/pe/pe.go b/internal/pkg/uki/internal/pe/pe.go similarity index 87% rename from internal/pkg/secureboot/uki/internal/pe/pe.go rename to internal/pkg/uki/internal/pe/pe.go index 5d9e4ba124..e5fc8ac274 100644 --- a/internal/pkg/secureboot/uki/internal/pe/pe.go +++ b/internal/pkg/uki/internal/pe/pe.go @@ -5,14 +5,10 @@ // Package pe handles appending sections to PE files. package pe -import ( - "github.com/siderolabs/talos/internal/pkg/secureboot" -) - // Section is a UKI file section. type Section struct { // Section name. - Name secureboot.Section + Name string // Path to the contents of the section. Path string // Should the section be measured to the TPM? diff --git a/internal/pkg/secureboot/uki/internal/pe/pe_test.go b/internal/pkg/uki/internal/pe/pe_test.go similarity index 97% rename from internal/pkg/secureboot/uki/internal/pe/pe_test.go rename to internal/pkg/uki/internal/pe/pe_test.go index 8d2ede41c9..c4fb828fde 100644 --- a/internal/pkg/secureboot/uki/internal/pe/pe_test.go +++ b/internal/pkg/uki/internal/pe/pe_test.go @@ -15,7 +15,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/siderolabs/talos/internal/pkg/secureboot/uki/internal/pe" + "github.com/siderolabs/talos/internal/pkg/uki/internal/pe" ) func TestAssembleNative(t *testing.T) { diff --git a/internal/pkg/secureboot/uki/internal/pe/testdata/sd-stub-amd64.efi b/internal/pkg/uki/internal/pe/testdata/sd-stub-amd64.efi similarity index 100% rename from internal/pkg/secureboot/uki/internal/pe/testdata/sd-stub-amd64.efi rename to internal/pkg/uki/internal/pe/testdata/sd-stub-amd64.efi diff --git a/internal/pkg/secureboot/uki/kernel.go b/internal/pkg/uki/kernel.go similarity index 100% rename from internal/pkg/secureboot/uki/kernel.go rename to internal/pkg/uki/kernel.go diff --git a/internal/pkg/secureboot/uki/kernel_test.go b/internal/pkg/uki/kernel_test.go similarity index 89% rename from internal/pkg/secureboot/uki/kernel_test.go rename to internal/pkg/uki/kernel_test.go index 7fb4edfef2..aa996e0899 100644 --- a/internal/pkg/secureboot/uki/kernel_test.go +++ b/internal/pkg/uki/kernel_test.go @@ -10,7 +10,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/siderolabs/talos/internal/pkg/secureboot/uki" + "github.com/siderolabs/talos/internal/pkg/uki" ) func TestKernelVersion(t *testing.T) { diff --git a/internal/pkg/secureboot/uki/sbat.go b/internal/pkg/uki/sbat.go similarity index 86% rename from internal/pkg/secureboot/uki/sbat.go rename to internal/pkg/uki/sbat.go index 75fa5a4e1d..dd68448ede 100644 --- a/internal/pkg/secureboot/uki/sbat.go +++ b/internal/pkg/uki/sbat.go @@ -7,8 +7,6 @@ package uki import ( "debug/pe" "errors" - - "github.com/siderolabs/talos/internal/pkg/secureboot" ) // GetSBAT returns the SBAT section from the PE file. @@ -21,7 +19,7 @@ func GetSBAT(path string) ([]byte, error) { defer pefile.Close() //nolint:errcheck for _, section := range pefile.Sections { - if section.Name == string(secureboot.SBAT) { + if section.Name == string(SectionSBAT) { data, err := section.Data() if err != nil { return nil, err diff --git a/internal/pkg/secureboot/uki/sbat_test.go b/internal/pkg/uki/sbat_test.go similarity index 84% rename from internal/pkg/secureboot/uki/sbat_test.go rename to internal/pkg/uki/sbat_test.go index 13f7f8023c..2738fe4f3f 100644 --- a/internal/pkg/secureboot/uki/sbat_test.go +++ b/internal/pkg/uki/sbat_test.go @@ -9,13 +9,13 @@ import ( "github.com/stretchr/testify/require" - "github.com/siderolabs/talos/internal/pkg/secureboot/uki" + "github.com/siderolabs/talos/internal/pkg/uki" ) func TestGetSBAT(t *testing.T) { t.Parallel() - data, err := uki.GetSBAT("../pesign/testdata/systemd-bootx64.efi") + data, err := uki.GetSBAT("internal/pe/testdata/sd-stub-amd64.efi") require.NoError(t, err) require.Equal(t, diff --git a/internal/pkg/secureboot/uki/testdata/kernel b/internal/pkg/uki/testdata/kernel similarity index 100% rename from internal/pkg/secureboot/uki/testdata/kernel rename to internal/pkg/uki/testdata/kernel diff --git a/internal/pkg/secureboot/uki/uki.go b/internal/pkg/uki/uki.go similarity index 84% rename from internal/pkg/secureboot/uki/uki.go rename to internal/pkg/uki/uki.go index a493102e92..1a6c29a2ce 100644 --- a/internal/pkg/secureboot/uki/uki.go +++ b/internal/pkg/uki/uki.go @@ -10,12 +10,38 @@ import ( "log" "os" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure" + "github.com/siderolabs/talos/internal/pkg/measure" "github.com/siderolabs/talos/internal/pkg/secureboot/pesign" - "github.com/siderolabs/talos/internal/pkg/secureboot/uki/internal/pe" + "github.com/siderolabs/talos/internal/pkg/uki/internal/pe" "github.com/siderolabs/talos/pkg/imager/utils" ) +// Section is a name of a PE file section (UEFI binary). +type Section string + +// List of well-known section names. +const ( + SectionLinux Section = ".linux" + SectionOSRel Section = ".osrel" + SectionCmdline Section = ".cmdline" + SectionInitrd Section = ".initrd" + SectionUcode Section = ".ucode" + SectionSplash Section = ".splash" + SectionDTB Section = ".dtb" + SectionUname Section = ".uname" + SectionSBAT Section = ".sbat" + SectionPCRSig Section = ".pcrsig" + SectionPCRPKey Section = ".pcrpkey" + SectionProfile Section = ".profile" + SectionDTBAuto Section = ".dtbauto" + SectionHWIDS Section = ".hwids" +) + +// String returns the string representation of the section. +func (s Section) String() string { + return string(s) +} + type section = pe.Section // Builder is a UKI file builder. diff --git a/pkg/imager/imager.go b/pkg/imager/imager.go index 75f7a136df..c4cfdf5c13 100644 --- a/pkg/imager/imager.go +++ b/pkg/imager/imager.go @@ -20,7 +20,7 @@ import ( talosruntime "github.com/siderolabs/talos/internal/app/machined/pkg/runtime" "github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/board" "github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform" - "github.com/siderolabs/talos/internal/pkg/secureboot/uki" + "github.com/siderolabs/talos/internal/pkg/uki" "github.com/siderolabs/talos/pkg/imager/extensions" "github.com/siderolabs/talos/pkg/imager/overlay/executor" "github.com/siderolabs/talos/pkg/imager/profile" diff --git a/pkg/imager/profile/input.go b/pkg/imager/profile/input.go index 137f7f46b5..744e6694cc 100644 --- a/pkg/imager/profile/input.go +++ b/pkg/imager/profile/input.go @@ -21,7 +21,7 @@ import ( "github.com/siderolabs/gen/value" "golang.org/x/sync/errgroup" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure" + "github.com/siderolabs/talos/internal/pkg/measure" "github.com/siderolabs/talos/internal/pkg/secureboot/pesign" "github.com/siderolabs/talos/pkg/archiver" "github.com/siderolabs/talos/pkg/imager/profile/internal/signer/aws" diff --git a/pkg/imager/profile/internal/signer/aws/pcr.go b/pkg/imager/profile/internal/signer/aws/pcr.go index 2735bc030c..51657b9c44 100644 --- a/pkg/imager/profile/internal/signer/aws/pcr.go +++ b/pkg/imager/profile/internal/signer/aws/pcr.go @@ -16,7 +16,7 @@ import ( "github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/kms/types" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure" + "github.com/siderolabs/talos/internal/pkg/measure" ) // KeySigner implements measure.RSAKey interface. diff --git a/pkg/imager/profile/internal/signer/azure/pcr.go b/pkg/imager/profile/internal/signer/azure/pcr.go index 28c0a868cf..f35a40dee1 100644 --- a/pkg/imager/profile/internal/signer/azure/pcr.go +++ b/pkg/imager/profile/internal/signer/azure/pcr.go @@ -16,7 +16,7 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys" "github.com/siderolabs/go-pointer" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure" + "github.com/siderolabs/talos/internal/pkg/measure" ) // KeySigner implements measure.RSAKey interface. diff --git a/pkg/imager/profile/internal/signer/file/pcr.go b/pkg/imager/profile/internal/signer/file/pcr.go index 8a8b58bd63..d326a5d703 100644 --- a/pkg/imager/profile/internal/signer/file/pcr.go +++ b/pkg/imager/profile/internal/signer/file/pcr.go @@ -15,7 +15,7 @@ import ( "io" "os" - "github.com/siderolabs/talos/internal/pkg/secureboot/measure" + "github.com/siderolabs/talos/internal/pkg/measure" ) // PCRSigner implements measure.RSAKey interface. diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go index 24cb42032e..14dd527582 100644 --- a/pkg/machinery/constants/constants.go +++ b/pkg/machinery/constants/constants.go @@ -701,6 +701,9 @@ const ( // https://www.mankier.com/7/systemd-stub#Initrd_Resources PCRPublicKey = SDStubDynamicInitrdPath + "/" + "tpm2-pcr-public-key.pem" + // UKIPCR is the PCR number where systemd-stub measures the UKI. + UKIPCR = 11 + // DefaultCertificateValidityDuration is the default duration for a certificate. DefaultCertificateValidityDuration = x509.DefaultCertificateValidityDuration