// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

package uki

import (
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"

	talosx509 "github.com/siderolabs/crypto/x509"
	"github.com/siderolabs/gen/xslices"

	"github.com/aenix-io/talm/internal/pkg/secureboot"
	"github.com/aenix-io/talm/internal/pkg/secureboot/measure"
	"github.com/siderolabs/talos/pkg/machinery/constants"
	"github.com/siderolabs/talos/pkg/machinery/version"
	"github.com/siderolabs/talos/pkg/splash"
)

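// generateOSRel renders the os-release contents for builder.Version into the
// scratch directory and registers the file as the .osrel section.
//
// Measure marks the section for the PCR signature assembled in generatePCRSig;
// Append presumably marks it for inclusion in the output image (the section
// writer lives outside this file).
//
// Errors from rendering or writing the file are returned with context.
func (builder *Builder) generateOSRel() error {
	osRelease, err := version.OSReleaseFor(version.Name, builder.Version)
	if err != nil {
		return fmt.Errorf("rendering os-release: %w", err)
	}

	path := filepath.Join(builder.scratchDir, "os-release")

	// 0o600: scratch files are private to the build process.
	if err = os.WriteFile(path, osRelease, 0o600); err != nil {
		return fmt.Errorf("writing os-release section: %w", err)
	}

	builder.sections = append(builder.sections,
		section{
			Name:    secureboot.OSRel,
			Path:    path,
			Measure: true,
			Append:  true,
		},
	)

	return nil
}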

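// generateCmdline writes builder.Cmdline verbatim into the scratch directory
// and registers the file as the .cmdline section.
//
// Measure marks the section for the PCR signature assembled in generatePCRSig,
// so a change to the kernel command line changes the signed measurement.
// Append presumably marks it for inclusion in the output image (the section
// writer lives outside this file).
//
// A write failure is returned with context.
func (builder *Builder) generateCmdline() error {
	path := filepath.Join(builder.scratchDir, "cmdline")

	// 0o600: scratch files are private to the build process.
	if err := os.WriteFile(path, []byte(builder.Cmdline), 0o600); err != nil {
		return fmt.Errorf("writing cmdline section: %w", err)
	}

	builder.sections = append(builder.sections,
		section{
			Name:    secureboot.CMDLine,
			Path:    path,
			Measure: true,
			Append:  true,
		},
	)

	return nil
}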

// generateInitrd registers the initrd supplied on the builder as the .initrd
// section. Nothing is copied into the scratch directory: the section points
// straight at builder.InitrdPath.
//
// Measure marks the section for the PCR signature assembled in generatePCRSig;
// Append presumably marks it for inclusion in the output image (the section
// writer lives outside this file).
//
// Always returns nil.
func (builder *Builder) generateInitrd() error {
	initrd := section{
		Name:    secureboot.Initrd,
		Path:    builder.InitrdPath,
		Measure: true,
		Append:  true,
	}

	builder.sections = append(builder.sections, initrd)

	return nil
}
79

80
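// generateSplash writes the embedded boot image (splash.GetBootImage) into the
// scratch directory and registers the file as the .splash section.
//
// Measure marks the section for the PCR signature assembled in generatePCRSig;
// Append presumably marks it for inclusion in the output image (the section
// writer lives outside this file).
//
// A write failure is returned with context.
func (builder *Builder) generateSplash() error {
	path := filepath.Join(builder.scratchDir, "splash.bmp")

	// 0o600: scratch files are private to the build process.
	if err := os.WriteFile(path, splash.GetBootImage(), 0o600); err != nil {
		return fmt.Errorf("writing splash section: %w", err)
	}

	builder.sections = append(builder.sections,
		section{
			Name:    secureboot.Splash,
			Path:    path,
			Measure: true,
			Append:  true,
		},
	)

	return nil
}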
98

99
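// generateUname records the kernel release string as the .uname section.
//
// The version comes from constants.DefaultKernelVersion when builder.Version
// matches version.Tag, and is otherwise discovered from the kernel image at
// builder.KernelPath. If neither source yields a version, the section is
// skipped and nil is returned: discovery is best-effort by design and must
// not fail the build.
//
// Measure marks the section for the PCR signature assembled in generatePCRSig;
// Append presumably marks it for inclusion in the output image (the section
// writer lives outside this file).
//
// A write failure is returned with context.
func (builder *Builder) generateUname() error {
	// it is not always possible to get the kernel version from the kernel image, so we
	// do a bit of pre-checks
	var kernelVersion string

	if builder.Version == version.Tag {
		// if building from the same version of Talos, use default kernel version
		kernelVersion = constants.DefaultKernelVersion
	} else {
		// otherwise, try to get the kernel version from the kernel image;
		// the error is dropped on purpose — an unreadable version only means
		// the uname section is omitted below.
		kernelVersion, _ = DiscoverKernelVersion(builder.KernelPath) //nolint:errcheck
	}

	if kernelVersion == "" {
		// we haven't got the kernel version, skip the uname section
		return nil
	}

	path := filepath.Join(builder.scratchDir, "uname")

	// 0o600: scratch files are private to the build process.
	if err := os.WriteFile(path, []byte(kernelVersion), 0o600); err != nil {
		return fmt.Errorf("writing uname section: %w", err)
	}

	builder.sections = append(builder.sections,
		section{
			Name:    secureboot.Uname,
			Path:    path,
			Measure: true,
			Append:  true,
		},
	)

	return nil
}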
134

135
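// generateSBAT extracts the SBAT data from the systemd-boot stub at
// builder.SdStubPath, writes it into the scratch directory and registers the
// file as the .sbat section.
//
// Measure marks the section for the PCR signature assembled in generatePCRSig.
// Unlike the other sections this one is not flagged Append — presumably because
// the stub already carries its own SBAT section; confirm against the section
// writer, which lives outside this file.
//
// Extraction and write failures are returned with context.
func (builder *Builder) generateSBAT() error {
	sbat, err := GetSBAT(builder.SdStubPath)
	if err != nil {
		return fmt.Errorf("extracting SBAT from stub: %w", err)
	}

	path := filepath.Join(builder.scratchDir, "sbat")

	// 0o600: scratch files are private to the build process.
	if err = os.WriteFile(path, sbat, 0o600); err != nil {
		return fmt.Errorf("writing sbat section: %w", err)
	}

	builder.sections = append(builder.sections,
		section{
			Name:    secureboot.SBAT,
			Path:    path,
			Measure: true,
		},
	)

	return nil
}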
157

158
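// generatePCRPublicKey PEM-encodes the public half of the PCR signing key
// (builder.PCRSigner.PublicRSAKey) in PKIX form, writes it into the scratch
// directory and registers the file as the .pcrpkey section.
//
// Measure marks the section for the PCR signature assembled in generatePCRSig,
// so the key that verifies the signature is itself part of what is measured.
// Append presumably marks it for inclusion in the output image (the section
// writer lives outside this file).
//
// Marshaling and write failures are returned with context.
func (builder *Builder) generatePCRPublicKey() error {
	publicKeyBytes, err := x509.MarshalPKIXPublicKey(builder.PCRSigner.PublicRSAKey())
	if err != nil {
		return fmt.Errorf("marshaling PCR signing public key: %w", err)
	}

	// Only the public key is written; the private half never leaves the signer.
	publicKeyPEM := pem.EncodeToMemory(&pem.Block{
		Type:  talosx509.PEMTypeRSAPublic,
		Bytes: publicKeyBytes,
	})

	path := filepath.Join(builder.scratchDir, "pcr-public.pem")

	// 0o600: scratch files are private to the build process.
	if err = os.WriteFile(path, publicKeyPEM, 0o600); err != nil {
		return fmt.Errorf("writing pcr-public.pem section: %w", err)
	}

	builder.sections = append(builder.sections,
		section{
			Name:    secureboot.PCRPKey,
			Path:    path,
			Append:  true,
			Measure: true,
		},
	)

	return nil
}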
186

187
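// generateKernel signs the kernel at builder.KernelPath with builder.peSigner,
// writing the signed copy into the scratch directory, and registers that copy
// as the .linux section.
//
// The section path is the signed output, not the original kernel, so the
// measurement taken in generatePCRSig covers the signed binary. Append
// presumably marks it for inclusion in the output image (the section writer
// lives outside this file).
//
// A signing failure is returned with context.
func (builder *Builder) generateKernel() error {
	path := filepath.Join(builder.scratchDir, "kernel")

	if err := builder.peSigner.Sign(builder.KernelPath, path); err != nil {
		return fmt.Errorf("signing kernel: %w", err)
	}

	builder.sections = append(builder.sections,
		section{
			Name:    secureboot.Linux,
			Path:    path,
			Append:  true,
			Measure: true,
		},
	)

	return nil
}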
205

206
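// generatePCRSig computes the signed PCR measurements over every section
// registered so far with Measure set, serialises the result as JSON into the
// scratch directory and registers the file as the .pcrsig section.
//
// The signature section is deliberately not marked Measure: it cannot be part
// of the data it signs. It must run after every measured section has been
// added, since only sections already present in builder.sections are included.
// Append presumably marks it for inclusion in the output image (the section
// writer lives outside this file).
//
// Signing, encoding and write failures are returned with context.
func (builder *Builder) generatePCRSig() error {
	// Map section name -> file path for the measured sections only; sections
	// without Measure (e.g. the signature itself) are left out.
	sectionsData := xslices.ToMap(
		xslices.Filter(builder.sections,
			func(s section) bool {
				return s.Measure
			},
		),
		func(s section) (secureboot.Section, string) {
			return s.Name, s.Path
		})

	pcrData, err := measure.GenerateSignedPCR(sectionsData, builder.PCRSigner)
	if err != nil {
		return fmt.Errorf("signing PCR measurements: %w", err)
	}

	pcrSignatureData, err := json.Marshal(pcrData)
	if err != nil {
		return fmt.Errorf("encoding PCR signature: %w", err)
	}

	path := filepath.Join(builder.scratchDir, "pcrpsig")

	// 0o600: scratch files are private to the build process.
	if err = os.WriteFile(path, pcrSignatureData, 0o600); err != nil {
		return fmt.Errorf("writing pcrpsig section: %w", err)
	}

	builder.sections = append(builder.sections,
		section{
			Name:   secureboot.PCRSig,
			Path:   path,
			Append: true,
		},
	)

	return nil
}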