// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

// Package database generates the SecureBoot auto-enrollment database.
package database
import (
	"crypto/sha256"
	"fmt"

	"github.com/foxboron/go-uefi/efi"
	"github.com/foxboron/go-uefi/efi/signature"
	"github.com/foxboron/go-uefi/efi/util"
	"github.com/google/uuid"

	"github.com/aenix-io/talm/internal/pkg/secureboot/pesign"
	"github.com/siderolabs/talos/pkg/machinery/constants"
)
// Entry is a UEFI database entry: one signed Secure Boot variable payload
// together with the asset name it is stored under.
//
// Generate produces one Entry per variable (db, KEK, PK), using the asset
// name constants from the machinery constants package as Name.
type Entry struct {
	// Name is the asset name the signed payload is stored under.
	Name string
	// Contents is the serialized, signed EFI variable payload.
	Contents []byte
}
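// Generate generates a UEFI database to enroll the signing certificate.
//
// The enrolled certificate is placed in a single EFI signature list (ESL),
// and that same list is then signed by signer once for each of the three
// Secure Boot variables: db (signature database), KEK (key exchange key) and
// PK (platform key). The returned entries are in db, KEK, PK order and are
// keyed by the corresponding asset name constants.
//
// The signature owner GUID is derived deterministically from the certificate
// bytes (a name-based UUID over SHA-256 in the X.500 namespace), so running
// Generate twice with the same certificate yields the same GUID.
//
// An error is returned if the ESL cannot be built or any of the three
// variable payloads cannot be signed; errors are wrapped with the step that
// failed so callers can tell which variable was affected.
//
// ref: https://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/
func Generate(enrolledCertificate []byte, signer pesign.CertificateSigner) ([]Entry, error) {
	// Derive the owner GUID from the enrolled certificate. The local is named
	// certUUID rather than uuid so it does not shadow the imported package.
	// The trailing argument is the version nibble written into the UUID;
	// changing it would change every derived GUID.
	certUUID := uuid.NewHash(sha256.New(), uuid.NameSpaceX500, enrolledCertificate, 4)

	efiGUID := util.StringToGUID(certUUID.String())

	// Build the ESL holding the X.509 certificate under the derived owner GUID.
	db := signature.NewSignatureDatabase()
	if err := db.Append(signature.CERT_X509_GUID, *efiGUID, enrolledCertificate); err != nil {
		return nil, fmt.Errorf("appending certificate to signature list: %w", err)
	}

	// signVariable signs the ESL as the payload of the named EFI variable.
	// The variable name is an input to the signing call, so each of db, KEK
	// and PK gets its own signed payload rather than sharing one.
	signVariable := func(name string) ([]byte, error) {
		signed, err := efi.SignEFIVariable(signer.Signer(), signer.Certificate(), name, db.Bytes())
		if err != nil {
			return nil, fmt.Errorf("signing %s variable: %w", name, err)
		}

		return signed, nil
	}

	signedDB, err := signVariable("db")
	if err != nil {
		return nil, err
	}

	signedKEK, err := signVariable("KEK")
	if err != nil {
		return nil, err
	}

	signedPK, err := signVariable("PK")
	if err != nil {
		return nil, err
	}

	return []Entry{
		{Name: constants.SignatureKeyAsset, Contents: signedDB},
		{Name: constants.KeyExchangeKeyAsset, Contents: signedKEK},
		{Name: constants.PlatformKeyAsset, Contents: signedPK},
	}, nil
}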