talm

1
// This Source Code Form is subject to the terms of the Mozilla Public
2
// License, v. 2.0. If a copy of the MPL was not distributed with this
3
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
4

5
// Package measure contains Go implementation of 'systemd-measure' command.
6
//
7
// This implements TPM PCR emulation, UKI signature measurement, signing the measured values.
8
package measure
9

10
import (
11
	"crypto"
12
	"crypto/rsa"
13

14
	"github.com/google/go-tpm/tpm2"
15

16
	"github.com/aenix-io/talm/internal/pkg/secureboot"
17
	"github.com/aenix-io/talm/internal/pkg/secureboot/measure/internal/pcr"
18
	tpm2internal "github.com/aenix-io/talm/internal/pkg/secureboot/tpm2"
19
)
20

21
// SectionsData holds a map of Section to file path to the corresponding section.
22
type SectionsData map[secureboot.Section]string
23

24
// RSAKey is the input for the CalculateBankData function.
25
type RSAKey interface {
26
	crypto.Signer
27
	PublicRSAKey() *rsa.PublicKey
28
}
29

30
// GenerateSignedPCR generates the PCR signed data for a given set of UKI file sections.
31
func GenerateSignedPCR(sectionsData SectionsData, rsaKey RSAKey) (*tpm2internal.PCRData, error) {
32
	data := &tpm2internal.PCRData{}
33

34
	for _, algo := range []struct {
35
		alg            tpm2.TPMAlgID
36
		bankDataSetter *[]tpm2internal.BankData
37
	}{
38
		{
39
			alg:            tpm2.TPMAlgSHA256,
40
			bankDataSetter: &data.SHA256,
41
		},
42
		{
43
			alg:            tpm2.TPMAlgSHA384,
44
			bankDataSetter: &data.SHA384,
45
		},
46
		{
47
			alg:            tpm2.TPMAlgSHA512,
48
			bankDataSetter: &data.SHA512,
49
		},
50
	} {
51
		bankData, err := pcr.CalculateBankData(secureboot.UKIPCR, algo.alg, sectionsData, rsaKey)
52
		if err != nil {
53
			return nil, err
54
		}
55

56
		*algo.bankDataSetter = bankData
57
	}
58

59
	return data, nil
60
}
61