1// This Source Code Form is subject to the terms of the Mozilla Public
2// License, v. 2.0. If a copy of the MPL was not distributed with this
3// file, You can obtain one at http://mozilla.org/MPL/2.0/.
4
5package uki6
7import (8"crypto/x509"9"encoding/json"10"encoding/pem"11"os"12"path/filepath"13
14talosx509 "github.com/siderolabs/crypto/x509"15"github.com/siderolabs/gen/xslices"16
17"github.com/aenix-io/talm/internal/pkg/secureboot"18"github.com/aenix-io/talm/internal/pkg/secureboot/measure"19"github.com/siderolabs/talos/pkg/machinery/constants"20"github.com/siderolabs/talos/pkg/machinery/version"21"github.com/siderolabs/talos/pkg/splash"22)
23
// generateOSRel renders the os-release text for builder.Version into the
// scratch directory and registers it as the OSRel section.
//
// Measure puts the file into the set that generatePCRSig signs; Append marks
// it for inclusion in the assembled image (assembly happens elsewhere).
func (builder *Builder) generateOSRel() error {
	contents, err := version.OSReleaseFor(version.Name, builder.Version)
	if err != nil {
		return err
	}

	osRelPath := filepath.Join(builder.scratchDir, "os-release")

	// Scratch inputs are owner-only (0o600): they feed the measured image.
	if writeErr := os.WriteFile(osRelPath, contents, 0o600); writeErr != nil {
		return writeErr
	}

	builder.sections = append(builder.sections, section{
		Name:    secureboot.OSRel,
		Path:    osRelPath,
		Measure: true,
		Append:  true,
	})

	return nil
}
47
// generateCmdline writes builder.Cmdline verbatim to the scratch directory and
// registers it as the CMDLine section.
//
// The kernel command line is measured (Measure: true), so it is covered by the
// PCR signature produced in generatePCRSig; changing it invalidates that
// signature rather than silently altering boot parameters.
func (builder *Builder) generateCmdline() error {
	cmdlinePath := filepath.Join(builder.scratchDir, "cmdline")

	writeErr := os.WriteFile(cmdlinePath, []byte(builder.Cmdline), 0o600)
	if writeErr != nil {
		return writeErr
	}

	builder.sections = append(builder.sections, section{
		Name:    secureboot.CMDLine,
		Path:    cmdlinePath,
		Measure: true,
		Append:  true,
	})

	return nil
}
66
// generateInitrd registers builder.InitrdPath as the Initrd section.
//
// Unlike the other generators nothing is copied into the scratch directory:
// the initrd is referenced in place. It is measured, so its contents are
// bound by the PCR signature; no separate PE signature is applied to it here
// (the kernel gets one in generateKernel).
func (builder *Builder) generateInitrd() error {
	initrdSection := section{
		Name:    secureboot.Initrd,
		Path:    builder.InitrdPath,
		Measure: true,
		Append:  true,
	}

	builder.sections = append(builder.sections, initrdSection)

	return nil
}
79
// generateSplash writes the embedded boot image to the scratch directory and
// registers it as the Splash section (measured and appended like the other
// payload sections).
func (builder *Builder) generateSplash() error {
	splashPath := filepath.Join(builder.scratchDir, "splash.bmp")

	if writeErr := os.WriteFile(splashPath, splash.GetBootImage(), 0o600); writeErr != nil {
		return writeErr
	}

	builder.sections = append(builder.sections, section{
		Name:    secureboot.Splash,
		Path:    splashPath,
		Measure: true,
		Append:  true,
	})

	return nil
}
98
// generateUname registers the Uname section carrying the kernel release
// string, when that string can be determined.
//
// When builder.Version equals the running Talos tag the kernel version is
// taken from constants.DefaultKernelVersion; otherwise it is extracted from
// the kernel image via DiscoverKernelVersion. Discovery is best-effort: its
// error is intentionally dropped and an empty result skips the section.
//
// NOTE(review): skipping means the measured section set differs between
// builds that could and could not discover the version; that is deliberate
// here, but anyone pinning expected PCR values should be aware of it.
func (builder *Builder) generateUname() error {
	var release string

	switch {
	case builder.Version == version.Tag:
		// Same Talos version as this binary: the bundled kernel version applies.
		release = constants.DefaultKernelVersion
	default:
		// Foreign version: probe the kernel image, tolerating failure.
		release, _ = DiscoverKernelVersion(builder.KernelPath) //nolint:errcheck
	}

	if release == "" {
		// Nothing reliable to record; the uname section is simply omitted.
		return nil
	}

	unamePath := filepath.Join(builder.scratchDir, "uname")

	if writeErr := os.WriteFile(unamePath, []byte(release), 0o600); writeErr != nil {
		return writeErr
	}

	builder.sections = append(builder.sections, section{
		Name:    secureboot.Uname,
		Path:    unamePath,
		Measure: true,
		Append:  true,
	})

	return nil
}
134
// generateSBAT extracts the SBAT data from the systemd stub at
// builder.SdStubPath, stores it in the scratch directory and registers it as
// the SBAT section.
//
// The section is measured but NOT appended: the data is taken from the stub
// itself, so it is presumably already present in the final image and only
// needs to participate in the PCR signature — confirm against the assembly
// code if the stub is ever replaced.
func (builder *Builder) generateSBAT() error {
	sbatData, err := GetSBAT(builder.SdStubPath)
	if err != nil {
		return err
	}

	sbatPath := filepath.Join(builder.scratchDir, "sbat")

	if writeErr := os.WriteFile(sbatPath, sbatData, 0o600); writeErr != nil {
		return writeErr
	}

	builder.sections = append(builder.sections, section{
		Name:    secureboot.SBAT,
		Path:    sbatPath,
		Measure: true,
	})

	return nil
}
157
// generatePCRPublicKey serialises the PCR signing public key as PEM into the
// scratch directory and registers it as the PCRPKey section, so the image
// carries the key that verifies the signature written by generatePCRSig.
//
// NOTE(review): the DER bytes are a PKIX SubjectPublicKeyInfo
// (x509.MarshalPKIXPublicKey), while the PEM label comes from
// talosx509.PEMTypeRSAPublic. If that constant expands to "RSA PUBLIC KEY",
// the label conventionally denotes a PKCS#1 RSAPublicKey and OpenSSL-based
// readers may refuse the block; Talos' own reader evidently accepts it, so
// this is left unchanged — verify before relying on third-party tooling.
func (builder *Builder) generatePCRPublicKey() error {
	derBytes, err := x509.MarshalPKIXPublicKey(builder.PCRSigner.PublicRSAKey())
	if err != nil {
		return err
	}

	pemBlock := pem.Block{
		Type:  talosx509.PEMTypeRSAPublic,
		Bytes: derBytes,
	}

	keyPath := filepath.Join(builder.scratchDir, "pcr-public.pem")

	if writeErr := os.WriteFile(keyPath, pem.EncodeToMemory(&pemBlock), 0o600); writeErr != nil {
		return writeErr
	}

	builder.sections = append(builder.sections, section{
		Name:    secureboot.PCRPKey,
		Path:    keyPath,
		Measure: true,
		Append:  true,
	})

	return nil
}
186
// generateKernel produces a PE-signed copy of builder.KernelPath in the scratch
// directory (via builder.peSigner) and registers that signed copy as the Linux
// section. The signed output, not the original, is what gets measured and
// appended.
func (builder *Builder) generateKernel() error {
	signedKernelPath := filepath.Join(builder.scratchDir, "kernel")

	if signErr := builder.peSigner.Sign(builder.KernelPath, signedKernelPath); signErr != nil {
		return signErr
	}

	builder.sections = append(builder.sections, section{
		Name:    secureboot.Linux,
		Path:    signedKernelPath,
		Measure: true,
		Append:  true,
	})

	return nil
}
205
// generatePCRSig signs the PCR values derived from every section registered
// with Measure set, writes the JSON-encoded signature to the scratch directory
// and registers it as the PCRSig section.
//
// The signature section itself is appended but not measured: it cannot be part
// of the data it attests. This must run after all measured sections have been
// registered, or they are silently left out of the signed set.
//
// NOTE(review): sections are keyed by Name; if one name were registered twice
// the later path would win without error — presumably impossible with the
// current generators, but worth keeping in mind when adding new ones.
func (builder *Builder) generatePCRSig() error {
	measured := xslices.Filter(builder.sections, func(s section) bool {
		return s.Measure
	})

	sectionPaths := make(map[secureboot.Section]string, len(measured))
	for _, s := range measured {
		sectionPaths[s.Name] = s.Path
	}

	signedPCR, err := measure.GenerateSignedPCR(sectionPaths, builder.PCRSigner)
	if err != nil {
		return err
	}

	encoded, err := json.Marshal(signedPCR)
	if err != nil {
		return err
	}

	sigPath := filepath.Join(builder.scratchDir, "pcrpsig")

	if writeErr := os.WriteFile(sigPath, encoded, 0o600); writeErr != nil {
		return writeErr
	}

	builder.sections = append(builder.sections, section{
		Name:   secureboot.PCRSig,
		Path:   sigPath,
		Append: true,
	})

	return nil
}
243