Documentation ¶
Index ¶
- Constants
- Variables
- func ChooseSignData() (string, string, error)
- func ComputePCR7(keysetName string) ([]byte, []byte, []byte, error)
- func CopyFile(src, dest string) error
- func CopyFiles(src, dest string) error
- func EnsureDir(dir string) error
- func GenLuksPolicy(prodPcr7 []byte, policyVersion string) ([]byte, error)
- func GenPasswdPolicy(tpmPcr7 []byte) ([]byte, error)
- func GetCommandErrorRC(err error) int
- func GetCommandErrorRCDefault(err error, rcError int) int
- func GetRootlessMapOptions() (layer.MapOptions, error)
- func HWRNGPoolSize() (int, error)
- func HWRNGRead(size int) ([]byte, error)
- func HWRNGSeed() error
- func MountTmpfs(dest, size string) error
- func NewCpio(cpio, path string) error
- func NewTpm2() (*tpm2V3Context, error)
- func PathExists(d string) bool
- func ReplaceManifestCert(dir, keysetPath string) (string, error)
- func Run(args ...string) (string, error)
- func RunCommand(args ...string) error
- func RunCommandWithOutputErrorRc(args ...string) ([]byte, []byte, int)
- func RunCommandWithRc(args ...string) ([]byte, int)
- func RunWithStdall(stdinString string, args ...string) (string, string, error)
- func SetupBootkit(keysetName, bootkitVersion string) error
- func Sign(sourcePath, signedPath, keyPath string) error
- func SignEFI(sourcePath, signedPath, keyPath, certPath string) error
- func Tpm2Clear() error
- func Tpm2NVIndexLength(nvindex NVIndex) (int, error)
- func Tpm2Read(nvindex NVIndex, size int) (string, error)
- func UnpackLayer(ociDir string, oci casext.Engine, tag string, dest string) error
- func UpdateShim(inShim, newShim, keysetPath string) error
- func UserDataDir() (string, error)
- func VerifyCert(parsedCert *x509.Certificate, caPath string) error
- func VerifyEFI(certPath, signedPath string) (bool, error)
- func VerifyManifest(contents []byte, sigPath, certPath, caPath string) error
- type DiskPart
- type EAPolicyVersion
- type KeyType
- type NVIndex
- type TrialPolicy
- type Truststore
Constants ¶
const DBX = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
Using DBX data from current ovmf_vars.fd in bootkit. Revisit if ovmf or dbx changes. We need to eventually manage dbx.
const DBXGuid = "a3a8baa01d04a848bc87c36d121b5e3d"
const MiB, GiB = uint64(1024 * 1024), uint64(1024 * 1024 * 1024)
const PBFMountpoint = "/factory/pbf"
const PBFPartitionName = "pbf"
PBF - Plaintext Block Factory
const RootfsPCRFile = "/pcr7.bin"
const SBAT = "sbat,1,2021030218\012"
const SBFMapperName = "secureBootFlash"
const SBFPartitionName = "sbf"
SBF - Secure Block Factory
const ShimLockGUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
const ShimVendordbGUID = "00000000-0000-0000-0000-000000000000"
const SignDataDir = "/pcr7data"
const TPM_PCRS_DEF = "sha256:7"
const TpmLayoutVersion int = 3
Variables ¶
var BootkitVersion string
var PBFPartitionTypeID = [16]byte{
0x9f, 0xe1, 0xa3, 0x01, 0xea, 0x9f, 0x47, 0xed, 0x92, 0xc2, 0xe7, 0x56, 0x39, 0xff, 0x56, 0x01}
PBFPartitionTypeID - 01A3E19F-9FEA-ED47-92C2-E75639FF5601
var SBFPartitionTypeID = [16]byte{
0x9f, 0xe1, 0xa3, 0x01, 0xea, 0x9f, 0x47, 0xed, 0x92, 0xc2, 0xe7, 0x56, 0x39, 0xff, 0x56, 0x02}
SBFPartitionTypeID is 01A3E19F-9FEA-ED47-92C2-E75639FF5602
var Version string
Functions ¶
func ChooseSignData ¶
ChooseSignData: assumes that someone has placed the pcr7data
under SignDataDir (/pcr7data). Finds the pcr7 data for the running host+shim+kernel.
Returns:
- the signdata directory name for this host's pcr7 value
- the type of key this was signed by (e.g. "production")
func ComputePCR7 ¶ added in v0.0.7
func CopyFiles ¶
if src == /tmp/a and dst == /tmp/b, and /tmp/a/x exists, then make sure we have /tmp/b/x. The way gorecurcopy.CopyDirectory() works, if $dest does not exists, it will fail, so create it first.
func GenLuksPolicy ¶ added in v0.0.7
GenLuksPolicy creates a tpm ea policy digest using the pcr7 value while booting with uki-production key. This policy is used to access the luks secret in the TPM. It returns the TPM EA Policy Digest that is generated.
func GenPasswdPolicy ¶ added in v0.0.7
GenPasswdPolicy creates a tpm ea policy digest using the pcr7 value while booting with uki-tpm key. This policy is used to access the tpm password in the TPM. It returns the TPM EA Policy Digest that is generated.
func GetCommandErrorRC ¶
func GetRootlessMapOptions ¶ added in v0.0.7
func GetRootlessMapOptions() (layer.MapOptions, error)
func HWRNGPoolSize ¶
func MountTmpfs ¶
func NewCpio ¶ added in v0.0.11
Just create a cpio file. @path will be the top level directory or the file in the new cpio file index.
func PathExists ¶
func ReplaceManifestCert ¶ added in v0.0.7
Given a tempdir with bootkit artifacts, update it for our keyset. In initrd, add newcert as /manifestCA.pem. Build a new kernel.efi and return that filename. Note that the filename will always be ${dir}/newkernel.efi, but whatever.
func RunCommand ¶
func RunCommandWithRc ¶
func RunWithStdall ¶
Run the command @args, passing @stdinString on standard input. Return the stdout, stderr, and any error returned.
func SetupBootkit ¶ added in v0.0.7
func Sign ¶
Sign signs a file Sign the contents of @sourcePath using the key at @keyPath, storing the result in the file called @signedpath
func SignEFI ¶
SignEFI signs an efi binary Sign the contents of @sourcePath using the key at @keyPath and the cert at @certPath storing the result in the file called @signedPath
func Tpm2NVIndexLength ¶
func UnpackLayer ¶ added in v0.0.7
func UpdateShim ¶ added in v0.0.7
func UserDataDir ¶ added in v0.0.7
UserDataDir returns the user's data directory
func VerifyCert ¶
func VerifyCert(parsedCert *x509.Certificate, caPath string) error
VerifyCert checks that the product cert was signed by the global puzzleos cert. This version can be used by outside callers, like atomix extract-soci. Note that this version does not verify product pid.
func VerifyEFI ¶
Verfiy signature of an efi binary Verify the signature on the efi binary at signedPath with the cert at certPath
func VerifyManifest ¶
VerifyManifest checks that @contents is signed by
Types ¶
type EAPolicyVersion ¶
type EAPolicyVersion int
const PolicyVersion EAPolicyVersion = 1
func (EAPolicyVersion) String ¶
func (v EAPolicyVersion) String() string
type NVIndex ¶
type NVIndex int
const ( // This is the password for TPM administration. TPM2IndexPassword NVIndex = 0x1500001 // Version of 'TPM layout'. Any time a nvindex is added, // removed, or changed, bump this version. TPM2IndexTPMVersion NVIndex = 0x1500002 // This is the EA policy version. Policies to read // LUKS nvindex are depending on the version. TPM2IndexEAVersion NVIndex = 0x1500020 // These are the provisioned certificate and key. TPM2IndexCert NVIndex = 0x1500021 TPM2IndexKey NVIndex = 0x1500022 // The LUKS password for the sbs TPM2IndexSBSKey NVIndex = 0x1500030 // The LUKS password for OS filesystems TPM2IndexOSKey NVIndex = 0x1500040 )
type TrialPolicy ¶
type TrialPolicy bool
const ( PolicySession TrialPolicy = false TrialSession = true )