use std::fs;
use std::io::Write;
use std::os::unix::fs::MetadataExt;
use std::os::unix::prelude::OpenOptionsExt;
use std::path::{Path, PathBuf};
use std::process::Command;
use anyhow::{Context, Result};
use goblin::pe::PE;
use crate::utils;
use tempfile::TempDir;
/// Build the lanzaboote image by embedding boot metadata into the PE stub.
///
/// Six sections are appended after the stub's existing sections, in this
/// order: `.osrel`, `.cmdline`, `.initrdp`, `.kernelp`, `.initrdh`,
/// `.kernelh`. The path sections hold the ESP-relative, backslash-separated
/// locations of the kernel and initrd; the hash sections hold the raw blake3
/// digest bytes of those two files.
///
/// `kernel_path` and `initrd_path` must already be present below `esp` when
/// this is called, because both files are read here to compute their hashes.
/// The digests therefore describe whatever bytes are on disk at call time.
// NOTE(review): nothing here re-checks the files after hashing; presumably the
// caller copies them from a trusted store immediately beforehand — confirm.
///
/// # Errors
/// Fails if any intermediate file cannot be written, a size or hash cannot be
/// read, the stub cannot be parsed, or `objcopy` fails.
///
/// # Panics
/// Panics (via `esp_relative_path_string`) if `kernel_path` or `initrd_path`
/// is not located below `esp` or is not valid UTF-8.
pub fn lanzaboote_image(
    target_dir: &TempDir,
    lanzaboote_stub: &Path,
    os_release: &Path,
    kernel_cmdline: &[String],
    kernel_path: &Path,
    initrd_path: &Path,
    esp: &Path,
) -> Result<PathBuf> {
    // objcopy can only embed files, so every value that is not already a file
    // is first written into `target_dir`.
    let cmdline_file = write_to_tmp(target_dir, "kernel-cmdline", kernel_cmdline.join(" "))?;

    let kernel_esp_path = esp_relative_path_string(esp, kernel_path);
    let kernel_esp_path_file = write_to_tmp(target_dir, "kernel-esp-path", kernel_esp_path)?;
    let kernel_digest = file_hash(kernel_path)?;
    let kernel_digest_file = write_to_tmp(target_dir, "kernel-hash", kernel_digest.as_bytes())?;

    let initrd_esp_path = esp_relative_path_string(esp, initrd_path);
    let initrd_esp_path_file = write_to_tmp(target_dir, "initrd-esp-path", initrd_esp_path)?;
    let initrd_digest = file_hash(initrd_path)?;
    let initrd_digest_file = write_to_tmp(target_dir, "initrd-hash", initrd_digest.as_bytes())?;

    // Sections are laid out back to back: each one starts where the previous
    // one ends, with no padding added between them.
    let osrel_start = stub_offset(lanzaboote_stub)?;
    let cmdline_start = osrel_start + file_size(os_release)?;
    let initrd_path_start = cmdline_start + file_size(&cmdline_file)?;
    let kernel_path_start = initrd_path_start + file_size(&initrd_esp_path_file)?;
    let initrd_digest_start = kernel_path_start + file_size(&kernel_esp_path_file)?;
    let kernel_digest_start = initrd_digest_start + file_size(&initrd_digest_file)?;

    // The order here must match the order in which the offsets were summed.
    let sections = Vec::from([
        s(".osrel", os_release, osrel_start),
        s(".cmdline", cmdline_file, cmdline_start),
        s(".initrdp", initrd_esp_path_file, initrd_path_start),
        s(".kernelp", kernel_esp_path_file, kernel_path_start),
        s(".initrdh", initrd_digest_file, initrd_digest_start),
        s(".kernelh", kernel_digest_file, kernel_digest_start),
    ]);

    wrap_in_pe(target_dir, "lanzaboote-stub.efi", lanzaboote_stub, sections)
}
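/// Compute the blake3 hash of a file.
///
/// The whole file is read into memory before it is hashed.
///
/// # Errors
/// Returns an error naming `file` if it cannot be read, so a failed hash of
/// the kernel can be told apart from a failed hash of the initrd.
fn file_hash(file: &Path) -> Result<blake3::Hash> {
    let contents = fs::read(file)
        .with_context(|| format!("Failed to read file for hashing: {}", file.display()))?;
    Ok(blake3::hash(&contents))
}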
/// Attach `sections` to the PE binary `stub` using `objcopy`.
///
/// The result is written to `output_filename` inside `target_dir`; the path
/// of that new file is returned.
///
/// # Errors
/// Fails if the output file cannot be created, `objcopy` cannot be started,
/// or `objcopy` exits unsuccessfully.
fn wrap_in_pe(
    target_dir: &TempDir,
    output_filename: &str,
    stub: &Path,
    sections: Vec<Section>,
) -> Result<PathBuf> {
    let image_path = target_dir.path().join(output_filename);

    // Pre-create the output file with owner-only permissions. The mode is only
    // applied when the file is newly created; an already existing file keeps
    // whatever permissions it has. The handle is dropped right away.
    fs::OpenOptions::new()
        .create(true)
        .write(true)
        .mode(0o600)
        .open(&image_path)
        .context("Failed to generate named temp file")?;

    // objcopy invocation: all section options first, then input and output.
    let mut args = Vec::new();
    for section in &sections {
        args.extend(section.to_objcopy());
    }
    args.push(utils::path_to_string(stub));
    args.push(utils::path_to_string(&image_path));

    // `objcopy` is looked up through PATH and receives the arguments as
    // separate argv entries (no shell is involved).
    // NOTE(review): the output of this tool ends up in the boot image, so the
    // PATH of the calling process has to be trusted — confirm how it is set.
    let exit_status = Command::new("objcopy")
        .args(&args)
        .status()
        .context("Failed to run objcopy command")?;

    if exit_status.success() {
        Ok(image_path)
    } else {
        Err(anyhow::anyhow!(
            "Failed to wrap in pe with args `{:?}`",
            &args
        ))
    }
}
/// One section to be added to the PE binary.
struct Section {
    /// Section name as passed to objcopy (for example `.osrel`).
    name: &'static str,
    /// File whose contents become the section body.
    file_path: PathBuf,
    /// Address handed to objcopy's `--change-section-vma` for this section.
    offset: u64,
}

impl Section {
    /// Render this section as the four objcopy arguments that add it and set
    /// its VMA: `--add-section NAME=FILE --change-section-vma NAME=0xOFFSET`.
    fn to_objcopy(&self) -> Vec<String> {
        let add_section_value = format!("{}={}", self.name, utils::path_to_string(&self.file_path));
        let change_vma_value = format!("{}={:#x}", self.name, self.offset);

        let mut objcopy_args = Vec::with_capacity(4);
        objcopy_args.push("--add-section".to_string());
        objcopy_args.push(add_section_value);
        objcopy_args.push("--change-section-vma".to_string());
        objcopy_args.push(change_vma_value);
        objcopy_args
    }
}
/// Shorthand constructor for a [`Section`]; copies `file_path` into an owned
/// `PathBuf`.
fn s(name: &'static str, file_path: impl AsRef<Path>, offset: u64) -> Section {
    let file_path = file_path.as_ref().to_path_buf();
    Section {
        name,
        file_path,
        offset,
    }
}
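/// Write a `u8` slice to a file named `filename` inside `secure_temp`.
///
/// The file is created with mode `0o600` if it does not exist yet; the mode
/// is not applied to a file that already exists. Any previous content is
/// discarded, so the file holds exactly `contents` afterwards.
///
/// `filename` is joined onto the directory path as is; every caller in this
/// file passes a fixed literal name.
///
/// # Errors
/// Fails if the file cannot be created or written.
fn write_to_tmp(
    secure_temp: &TempDir,
    filename: &str,
    contents: impl AsRef<[u8]>,
) -> Result<PathBuf> {
    let path = secure_temp.path().join(filename);

    let mut tmpfile = fs::OpenOptions::new()
        .create(true)
        .write(true)
        // Without truncation, reusing a name with shorter content would leave
        // stale trailing bytes that then get embedded into the image.
        .truncate(true)
        .mode(0o600)
        .open(&path)
        .context("Failed to create tempfile")?;

    tmpfile
        .write_all(contents.as_ref())
        .context("Failed to write to tempfile")?;

    Ok(path)
}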
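/// Express `path` relative to the ESP root, in the backslash-separated form
/// with a leading `\` (for example `\EFI\nixos\kernel.efi`).
///
/// The prefix is removed lexically: symlinks are not resolved, and any `..`
/// component after the prefix is passed through unchanged.
///
/// # Panics
/// Panics if `path` does not start with `esp`, or if the relative part is not
/// valid UTF-8.
fn esp_relative_path_string(esp: &Path, path: &Path) -> String {
    let relative_path = path
        .strip_prefix(esp)
        .expect("Failed to make path relative to esp");

    let relative_path_string = relative_path
        .to_str()
        // The original message contained a literal `{}` that was never filled
        // in; format the offending path into it.
        .unwrap_or_else(|| {
            panic!(
                "Failed to convert path '{}' to a relative string path",
                relative_path.display()
            )
        })
        .replace('/', "\\");

    format!("\\{}", relative_path_string)
}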
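/// Compute the address right after the last section of the PE binary at
/// `binary`, i.e. where the first additional section can be placed.
///
/// # Errors
/// Fails if the file cannot be read or parsed, if it has no sections, or if
/// the resulting address does not fit into a `u64`.
///
/// # Panics
/// Panics (via `image_base`) if the binary has no optional header.
fn stub_offset(binary: &Path) -> Result<u64> {
    let pe_binary = fs::read(binary).context("Failed to read PE binary file")?;
    let pe = PE::parse(&pe_binary).context("Failed to parse PE binary file")?;

    let image_base = image_base(&pe);

    // NOTE(review): this takes the last entry of the section table and assumes
    // it is the section with the highest virtual address — confirm for the stub.
    let last_section = pe
        .sections
        .last()
        .context("Failed to calculate offset: PE binary has no sections")?;

    // Widen before adding: the header fields come from the parsed file, and
    // adding them at their original width could overflow.
    let end_of_last_section =
        u64::from(last_section.virtual_size) + u64::from(last_section.virtual_address);

    // The Virtual Memory Address (VMA) is relative to the image base, so the
    // image base has to be added to get the actual (but still virtual) address.
    end_of_last_section
        .checked_add(image_base)
        .context("Failed to calculate offset: section end plus image base overflows")
}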
/// Read the image base from the optional header of a parsed PE binary.
///
/// # Panics
/// Panics if the binary has no optional header.
fn image_base(pe: &PE) -> u64 {
    let optional_header = pe
        .header
        .optional_header
        .expect("Failed to find optional header, you're fucked");
    optional_header.windows_fields.image_base
}
/// Return the size in bytes of the file at `path`.
///
/// The file is opened and the size is taken from the metadata of the open
/// handle.
///
/// # Errors
/// Fails if the file cannot be opened or its metadata cannot be read.
fn file_size(path: impl AsRef<Path>) -> Result<u64> {
    let handle = fs::File::open(path)?;
    let metadata = handle.metadata()?;
    Ok(metadata.size())
}