trust

package
v0.0.13 Latest

Warning: This package is not in the latest version of its module.
Published: Sep 1, 2023 License: Apache-2.0 Imports: 47 Imported by: 0

Documentation

Index

Constants

const DBX = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

Using DBX data from current ovmf_vars.fd in bootkit. Revisit if ovmf or dbx changes. We need to eventually manage dbx.

const DBXGuid = "a3a8baa01d04a848bc87c36d121b5e3d"

const MiB, GiB = uint64(1024 * 1024), uint64(1024 * 1024 * 1024)

const PBFMountpoint = "/factory/pbf"

const PBFPartitionName = "pbf"

PBF - Plaintext Block Factory

const RootfsPCRFile = "/pcr7.bin"

const SBAT = "sbat,1,2021030218\012"

const SBFMapperName = "secureBootFlash"

const SBFPartitionName = "sbf"

SBF - Secure Block Factory

const ShimLockGUID = "605dab50-e046-4300-abb6-3dd810dd8b23"

const ShimVendordbGUID = "00000000-0000-0000-0000-000000000000"

const SignDataDir = "/pcr7data"

const TPM_PCRS_DEF = "sha256:7"

const TpmLayoutVersion int = 3

Variables

var BootkitVersion string

var PBFPartitionTypeID = [16]byte{
	0x9f, 0xe1, 0xa3, 0x01, 0xea, 0x9f, 0x47, 0xed, 0x92, 0xc2, 0xe7, 0x56, 0x39, 0xff, 0x56, 0x01}

PBFPartitionTypeID is 01A3E19F-9FEA-ED47-92C2-E75639FF5601

var SBFPartitionTypeID = [16]byte{
	0x9f, 0xe1, 0xa3, 0x01, 0xea, 0x9f, 0x47, 0xed, 0x92, 0xc2, 0xe7, 0x56, 0x39, 0xff, 0x56, 0x02}

SBFPartitionTypeID is 01A3E19F-9FEA-ED47-92C2-E75639FF5602

var Version string

Functions

func ChooseSignData

func ChooseSignData() (string, string, error)

ChooseSignData assumes that someone has placed the pcr7data under SignDataDir (/pcr7data). It finds the pcr7 data for the running host+shim+kernel.

Returns:

  1. the signdata directory name for this host's pcr7 value
  2. the type of key this was signed by (e.g. "production")

func ComputePCR7 added in v0.0.7

func ComputePCR7(keysetName string) ([]byte, []byte, []byte, error)

func CopyFile

func CopyFile(src, dest string) error

func CopyFiles

func CopyFiles(src, dest string) error

If src == /tmp/a and dest == /tmp/b, and /tmp/a/x exists, then make sure we have /tmp/b/x. Because gorecurcopy.CopyDirectory() fails if $dest does not exist, create it first.

func EnsureDir

func EnsureDir(dir string) error

func GenLuksPolicy added in v0.0.7

func GenLuksPolicy(prodPcr7 []byte, policyVersion string) ([]byte, error)

GenLuksPolicy creates a TPM EA policy digest using the PCR7 value measured while booting with the uki-production key. This policy is used to access the LUKS secret in the TPM. It returns the generated TPM EA policy digest.

func GenPasswdPolicy added in v0.0.7

func GenPasswdPolicy(tpmPcr7 []byte) ([]byte, error)

GenPasswdPolicy creates a TPM EA policy digest using the PCR7 value measured while booting with the uki-tpm key. This policy is used to access the TPM password in the TPM. It returns the generated TPM EA policy digest.
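How a PCR7 value turns into an EA policy digest, as an added example that is not this package's code: it computes a single TPM2_PolicyPCR step over the sha256:7 selection named by TPM_PCRS_DEF, following the TPM 2.0 policy digest formula. The helper names are hypothetical, the PCR7 input is constructed, and GenLuksPolicy and GenPasswdPolicy may chain further policy commands (for instance tied to policyVersion) that this page does not show.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const tpmCCPolicyPCR = 0x0000017F // TPM_CC_PolicyPCR command code
const tpmAlgSHA256 = 0x000B       // TPM_ALG_SHA256

// pcrSelection marshals a TPML_PCR_SELECTION with one SHA-256 bank entry (PCRs 0..23).
func pcrSelection(pcrs ...int) []byte {
	sel := make([]byte, 3) // sizeofSelect = 3, one bit per PCR
	for _, p := range pcrs {
		sel[p/8] |= 1 << (p % 8)
	}
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint32(1)) // one selection in the list
	binary.Write(&b, binary.BigEndian, uint16(tpmAlgSHA256))
	b.WriteByte(byte(len(sel)))
	b.Write(sel)
	return b.Bytes()
}

// policyPCRDigest (hypothetical) returns H(zeroDigest || CC || selection || H(pcr7)).
func policyPCRDigest(pcr7 []byte) ([]byte, error) {
	if len(pcr7) != sha256.Size {
		return nil, fmt.Errorf("pcr7 must be %d bytes, got %d", sha256.Size, len(pcr7))
	}
	pcrDigest := sha256.Sum256(pcr7) // digest over the selected PCR values
	h := sha256.New()
	h.Write(make([]byte, sha256.Size)) // a fresh policy session starts at all zeros
	binary.Write(h, binary.BigEndian, uint32(tpmCCPolicyPCR))
	h.Write(pcrSelection(7))
	h.Write(pcrDigest[:])
	return h.Sum(nil), nil
}

func main() {
	pcr7 := bytes.Repeat([]byte{0xAB}, sha256.Size) // constructed sample, not a real PCR7
	d, err := policyPCRDigest(pcr7)
	if err != nil {
		panic(err)
	}
	fmt.Printf("PolicyPCR(sha256:7) digest: %x\n", d)
}
```

Because the digest depends only on the expected PCR7 value, it can be computed offline for a given keyset; a boot chain that measures anything else into PCR7 yields a session digest that no longer matches the stored policy.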

func GetCommandErrorRC

func GetCommandErrorRC(err error) int

func GetCommandErrorRCDefault

func GetCommandErrorRCDefault(err error, rcError int) int

func GetRootlessMapOptions added in v0.0.7

func GetRootlessMapOptions() (layer.MapOptions, error)

func HWRNGPoolSize

func HWRNGPoolSize() (int, error)

func HWRNGRead

func HWRNGRead(size int) ([]byte, error)

func HWRNGSeed

func HWRNGSeed() error

func MountTmpfs

func MountTmpfs(dest, size string) error

func NewCpio added in v0.0.11

func NewCpio(cpio, path string) error

Just create a cpio file. @path will be the top level directory or the file in the new cpio file index.

func NewTpm2

func NewTpm2() (*tpm2V3Context, error)

func PathExists

func PathExists(d string) bool

func ReplaceManifestCert added in v0.0.7

func ReplaceManifestCert(dir, keysetPath string) (string, error)

Given a tempdir with bootkit artifacts, update it for our keyset. In initrd, add newcert as /manifestCA.pem. Build a new kernel.efi and return that filename. Note that the filename will always be ${dir}/newkernel.efi, but whatever.

func Run

func Run(args ...string) (string, error)

Run: run a command. Return the output and an error if any.

func RunCommand

func RunCommand(args ...string) error

func RunCommandWithOutputErrorRc

func RunCommandWithOutputErrorRc(args ...string) ([]byte, []byte, int)

func RunCommandWithRc

func RunCommandWithRc(args ...string) ([]byte, int)

func RunWithStdall

func RunWithStdall(stdinString string, args ...string) (string, string, error)

Run the command @args, passing @stdinString on standard input. Return the stdout, stderr, and any error returned.

func SetupBootkit added in v0.0.7

func SetupBootkit(keysetName, bootkitVersion string) error

func Sign

func Sign(sourcePath, signedPath, keyPath string) error

Sign signs a file. It signs the contents of @sourcePath using the key at @keyPath, storing the result in the file called @signedPath.

func SignEFI

func SignEFI(sourcePath, signedPath, keyPath, certPath string) error

SignEFI signs an EFI binary. It signs the contents of @sourcePath using the key at @keyPath and the cert at @certPath, storing the result in the file called @signedPath.

func Tpm2Clear

func Tpm2Clear() error

func Tpm2NVIndexLength

func Tpm2NVIndexLength(nvindex NVIndex) (int, error)

func Tpm2Read

func Tpm2Read(nvindex NVIndex, size int) (string, error)

func UnpackLayer added in v0.0.7

func UnpackLayer(ociDir string, oci casext.Engine, tag string, dest string) error

func UpdateShim added in v0.0.7

func UpdateShim(inShim, newShim, keysetPath string) error

func UserDataDir added in v0.0.7

func UserDataDir() (string, error)

UserDataDir returns the user's data directory

func VerifyCert

func VerifyCert(parsedCert *x509.Certificate, caPath string) error

VerifyCert checks that the product cert was signed by the global puzzleos cert. This version can be used by outside callers, like atomix extract-soci. Note that this version does not verify product pid.

func VerifyEFI

func VerifyEFI(certPath, signedPath string) (bool, error)

VerifyEFI verifies the signature of an EFI binary. It verifies the signature on the EFI binary at @signedPath with the cert at @certPath.

func VerifyManifest

func VerifyManifest(contents []byte, sigPath, certPath, caPath string) error

VerifyManifest checks that @contents is signed by

Types

type DiskPart

type DiskPart struct {
	Disk disko.Disk
	PNum uint
}

type EAPolicyVersion

type EAPolicyVersion int
const PolicyVersion EAPolicyVersion = 1

func (EAPolicyVersion) String

func (v EAPolicyVersion) String() string

type KeyType

type KeyType string

type NVIndex

type NVIndex int
const (
	// This is the password for TPM administration.
	TPM2IndexPassword NVIndex = 0x1500001
	// Version of 'TPM layout'.  Any time a nvindex is added,
	// removed, or changed, bump this version.
	TPM2IndexTPMVersion NVIndex = 0x1500002
	// This is the EA policy version.  Policies to read
	// LUKS nvindex are depending on the version.
	TPM2IndexEAVersion NVIndex = 0x1500020
	// These are the provisioned certificate and key.
	TPM2IndexCert NVIndex = 0x1500021
	TPM2IndexKey  NVIndex = 0x1500022
	// The LUKS password for the sbs
	TPM2IndexSBSKey NVIndex = 0x1500030
	// The LUKS password for OS filesystems
	TPM2IndexOSKey NVIndex = 0x1500040
)

func (NVIndex) String

func (i NVIndex) String() string

type TrialPolicy

type TrialPolicy bool
const (
	PolicySession TrialPolicy = false
	TrialSession              = true
)

type Truststore

type Truststore interface {
	Provision(certPath, keyPath string) error
	InitrdSetup() error
	PreInstall() error
}
