Package secureboot verifies and manages Secure Boot chains.
Types
type ChainResult
type ChainResult struct {
SecureBootEnabled bool `json:"secureBootEnabled"`
SetupMode bool `json:"setupMode"`
Components []ComponentStatus `json:"components"`
// PreconditionsMet is true when Secure Boot is enabled, setup mode is off,
// and all expected boot-chain files exist on disk. It does NOT verify
// cryptographic signatures.
PreconditionsMet bool `json:"preconditionsMet"`
}
ChainResult holds the verification result for a Secure Boot chain.
type ChainVerifier
type ChainVerifier struct {
// contains filtered or unexported fields
}
ChainVerifier validates the Secure Boot chain using EFI variables.
func NewChainVerifier
func NewChainVerifier(vars *efi.EFIVarReader) *ChainVerifier
NewChainVerifier creates a chain verifier with the given EFI variable reader.
func (*ChainVerifier) Verify
func (cv *ChainVerifier) Verify() (*ChainResult, error)
Verify checks the Secure Boot chain against the EFI variables and returns a ChainResult. Note that the result's PreconditionsMet field reports only that Secure Boot is enabled, setup mode is off, and the expected files exist; it does not establish that any component's signature is valid (see ChainResult).
type ComponentStatus
type ComponentStatus struct {
Name string `json:"name"`
Signed bool `json:"signed"`
Trusted bool `json:"trusted"`
SignerCN string `json:"signerCN,omitempty"`
Error string `json:"error,omitempty"`
}
ComponentStatus represents the verification status of a Secure Boot component.
type MOKEnroller
type MOKEnroller struct {
// contains filtered or unexported fields
}
MOKEnroller handles Machine Owner Key enrollment.
func NewMOKEnroller
func NewMOKEnroller(certPath, password string) *MOKEnroller
NewMOKEnroller creates a MOK enroller with the certificate path and one-time password.
func (*MOKEnroller) Enroll
func (m *MOKEnroller) Enroll(ctx context.Context) error
Enroll queues the MOK certificate for enrollment at the next reboot using mokutil.
func (*MOKEnroller) IsEnrolled
func (m *MOKEnroller) IsEnrolled(ctx context.Context) (bool, error)
IsEnrolled reports whether the MOK certificate is pending enrollment or already enrolled. It runs mokutil --test-key, which validates the key directly against the MOK list rather than inferring the state from other sources.