lanzaboote/rust/lanzatool/src/install.rs

use std::fs;
use std::os::unix::prelude::PermissionsExt;
use std::path::{Path, PathBuf};
use std::process::Command;

use anyhow::{Context, Result};
use nix::unistd::sync;
use tempfile::tempdir;

use crate::esp::EspPaths;
use crate::generation::Generation;
use crate::pe;
use crate::signature::KeyPair;

pub struct Installer {
    lanzaboote_stub: PathBuf,
    key_pair: KeyPair,
    esp: PathBuf,
    generations: Vec<PathBuf>,
}

impl Installer {
    pub fn new(
        lanzaboote_stub: PathBuf,
        key_pair: KeyPair,
        esp: PathBuf,
        generations: Vec<PathBuf>,
    ) -> Self {
        Self {
            lanzaboote_stub,
            key_pair,
            esp,
            generations,
        }
    }

    pub fn install(&self) -> Result<()> {
        for toplevel in &self.generations {
            let generation_result = Generation::from_toplevel(toplevel).with_context(|| {
                format!("Failed to build generation from toplevel: {toplevel:?}")
            });

            let generation = match generation_result {
                Ok(generation) => generation,
                Err(e) => {
                    println!("Malformed generation: {:?}", e);
                    continue;
                }
            };
            
            println!("Installing generation {generation}");

            self.install_generation(&generation)
                .context("Failed to install generation")?;

            for (name, bootspec) in &generation.spec.bootspec.specialisation {
                let specialised_generation = generation.specialise(name, bootspec)?;

                println!("Installing specialisation: {name} of generation: {generation}");

                self.install_generation(&specialised_generation)
                    .context("Failed to install specialisation")?;
            }
        }

        Ok(())
    }

    fn install_generation(&self, generation: &Generation) -> Result<()> {
        let bootspec = &generation.spec.bootspec;
        let secureboot_extensions = &generation.spec.extensions;

        let esp_paths = EspPaths::new(&self.esp, generation)?;

        let kernel_cmdline =
            assemble_kernel_cmdline(&bootspec.init, bootspec.kernel_params.clone());

        // prepare a secure temporary directory
        // permission bits are not set, because when files below
        // are opened, they are opened with 600 mode bits.
        // hence, they cannot be read except by the current user
        // which is assumed to be root in most cases.
        // TODO(Raito): prove to niksnur this is actually acceptable.
        let secure_temp_dir = tempdir()?;

        println!("Appending secrets to initrd...");

        let initrd_location = secure_temp_dir.path().join("initrd");
        copy(
            bootspec
                .initrd
                .as_ref()
                .context("Lanzaboote does not support missing initrd yet")?,
            &initrd_location,
        )?;
        if let Some(initrd_secrets_script) = &bootspec.initrd_secrets {
            append_initrd_secrets(initrd_secrets_script, &initrd_location)?;
        }

        let systemd_boot = bootspec
            .toplevel
            .0
            .join("systemd/lib/systemd/boot/efi/systemd-bootx64.efi");

        [
            (&systemd_boot, &esp_paths.efi_fallback),
            (&systemd_boot, &esp_paths.systemd_boot),
            (&bootspec.kernel, &esp_paths.kernel),
        ]
        .into_iter()
        .try_for_each(|(from, to)| install_signed(&self.key_pair, from, to))?;

        // The initrd doesn't need to be signed. Lanzaboote has its
        // hash embedded and will refuse loading it when the hash
        // mismatches.
        install(&initrd_location, &esp_paths.initrd).context("Failed to install initrd to ESP")?;

        let lanzaboote_image = pe::lanzaboote_image(
            &secure_temp_dir,
            &self.lanzaboote_stub,
            &secureboot_extensions.os_release,
            &kernel_cmdline,
            &esp_paths.kernel,
            &esp_paths.initrd,
            &esp_paths.esp,
        )
        .context("Failed to assemble stub")?;

        install_signed(
            &self.key_pair,
            &lanzaboote_image,
            &esp_paths.lanzaboote_image,
        )
        .context("Failed to install lanzaboote")?;

        // Sync files to persistent storage. This may improve the
        // chance of a consistent boot directory in case the system
        // crashes.
        sync();

        println!(
            "Successfully installed lanzaboote to '{}'",
            esp_paths.esp.display()
        );

        Ok(())
    }
}

/// Install a PE file. The PE gets signed in the process.
///
/// The file is only signed and copied if it doesn't exist at the destination
fn install_signed(key_pair: &KeyPair, from: &Path, to: &Path) -> Result<()> {
    if to.exists() {
        println!("{} already exists, skipping...", to.display());
    } else {
        println!("Signing and installing {}...", to.display());
        ensure_parent_dir(to);
        key_pair
            .sign_and_copy(from, to)
            .with_context(|| format!("Failed to copy and sign file from {:?} to {:?}", from, to))?;
    }

    Ok(())
}

/// Install an arbitrary file
///
/// The file is only copied if it doesn't exist at the destination
fn install(from: &Path, to: &Path) -> Result<()> {
    if to.exists() {
        println!("{} already exists, skipping...", to.display());
    } else {
        println!("Installing {}...", to.display());
        ensure_parent_dir(to);
        copy(from, to)?;
    }

    Ok(())
}

pub fn append_initrd_secrets(
    append_initrd_secrets_path: &Path,
    initrd_path: &PathBuf,
) -> Result<()> {
    let status = Command::new(append_initrd_secrets_path)
        .args(vec![initrd_path])
        .status()
        .context("Failed to append initrd secrets")?;
    if !status.success() {
        return Err(anyhow::anyhow!(
            "Failed to append initrd secrets with args `{:?}`",
            vec![append_initrd_secrets_path, initrd_path]
        ));
    }

    Ok(())
}

fn assemble_kernel_cmdline(init: &Path, kernel_params: Vec<String>) -> Vec<String> {
    let init_string = String::from(
        init.to_str()
            .expect("Failed to convert init path to string"),
    );
    let mut kernel_cmdline: Vec<String> = vec![format!("init={}", init_string)];
    kernel_cmdline.extend(kernel_params);
    kernel_cmdline
}

fn copy(from: &Path, to: &Path) -> Result<()> {
    ensure_parent_dir(to);
    fs::copy(from, to)
        .with_context(|| format!("Failed to copy from {} to {}", from.display(), to.display()))?;

    // Set permission of all files copied to 0o755
    let mut perms = fs::metadata(to)
        .with_context(|| format!("File {} doesn't have metadata", to.display()))?
        .permissions();
    perms.set_mode(0o755);
    fs::set_permissions(to, perms)
        .with_context(|| format!("Failed to set permissions to: {}", to.display()))?;

    Ok(())
}

// Ensures the parent directory of an arbitrary path exists
fn ensure_parent_dir(path: &Path) {
    if let Some(parent) = path.parent() {
        fs::create_dir_all(parent).ok();
    }
}
lanzatool.install: init 2022-11-23 09:26:26 -05:00			`use std::fs;`
lanzatool: set permissons for all files in esp to 755 2022-11-25 11:47:24 -05:00			`use std::os::unix::prelude::PermissionsExt;`
lanzatool: improve signer code 2022-11-25 07:07:04 -05:00			`use std::path::{Path, PathBuf};`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`use std::process::Command;`
lanzatool.install: init 2022-11-23 09:26:26 -05:00
lanzatool: improve error handling 2022-11-24 07:33:01 -05:00			`use anyhow::{Context, Result};`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`use nix::unistd::sync;`
			`use tempfile::tempdir;`
lanzatool.install: init 2022-11-23 09:26:26 -05:00
			`use crate::esp::EspPaths;`
nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-17 18:31:09 -05:00			`use crate::generation::Generation;`
lanzatool: init wrapping initrd 2022-11-23 14:40:01 -05:00			`use crate::pe;`
lanzatool: appease clippy 2022-11-26 17:19:08 -05:00			`use crate::signature::KeyPair;`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`pub struct Installer {`
			`lanzaboote_stub: PathBuf,`
lanzatool: appease clippy 2022-11-26 17:19:08 -05:00			`key_pair: KeyPair,`
lanzatool: bootspec from generation The bootspec is now read from each generation so that more than one entry can be generated when calling install 2022-11-26 16:23:00 -05:00			`esp: PathBuf,`
lanzatool: add support for generations and correct naming of kernels a… (#12) * lanzatool: add support for generations and correct naming of kerels and initrds * test: use convert_to_esp(extract_bspec_attr(⋅)) for unsigned tests * lanzatool: ryan is a B class engineer Co-authored-by: nikstur@outlook.com 2022-11-25 21:14:21 -05:00			`generations: Vec<PathBuf>,`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`}`

			`impl Installer {`
			`pub fn new(`
			`lanzaboote_stub: PathBuf,`
lanzatool: appease clippy 2022-11-26 17:19:08 -05:00			`key_pair: KeyPair,`
lanzatool: bootspec from generation The bootspec is now read from each generation so that more than one entry can be generated when calling install 2022-11-26 16:23:00 -05:00			`esp: PathBuf,`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`generations: Vec<PathBuf>,`
			`) -> Self {`
			`Self {`
			`lanzaboote_stub,`
lanzatool: appease clippy 2022-11-26 17:19:08 -05:00			`key_pair,`
lanzatool: bootspec from generation The bootspec is now read from each generation so that more than one entry can be generated when calling install 2022-11-26 16:23:00 -05:00			`esp,`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`generations,`
			`}`
feature: support initrd secrets 2022-11-25 19:50:51 -05:00			`}`
lanzatool: perform secure assembling for lanzaboote_image and PE wrapping 2022-11-25 19:24:33 -05:00
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`pub fn install(&self) -> Result<()> {`
			`for toplevel in &self.generations {`
lanzatool: ignore malformed generations 2022-12-25 20:36:24 -05:00			`let generation_result = Generation::from_toplevel(toplevel).with_context(\|\| {`
lanzatool: bootspec from generation The bootspec is now read from each generation so that more than one entry can be generated when calling install 2022-11-26 16:23:00 -05:00			`format!("Failed to build generation from toplevel: {toplevel:?}")`
lanzatool: ignore malformed generations 2022-12-25 20:36:24 -05:00			`});`
lanzatool: improve signer code 2022-11-25 07:07:04 -05:00
lanzatool: ignore malformed generations 2022-12-25 20:36:24 -05:00			`let generation = match generation_result {`
			`Ok(generation) => generation,`
			`Err(e) => {`
			`println!("Malformed generation: {:?}", e);`
			`continue;`
			`}`
			`};`

lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`println!("Installing generation {generation}");`
lanzatool: improve signer code 2022-11-25 07:07:04 -05:00
lanzatool: enable specialisation 2022-11-27 05:19:02 -05:00			`self.install_generation(&generation)`
			`.context("Failed to install generation")?;`

nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-17 18:31:09 -05:00			`for (name, bootspec) in &generation.spec.bootspec.specialisation {`
			`let specialised_generation = generation.specialise(name, bootspec)?;`
lanzatool: enable specialisation 2022-11-27 05:19:02 -05:00
			`println!("Installing specialisation: {name} of generation: {generation}");`

			`self.install_generation(&specialised_generation)`
			`.context("Failed to install specialisation")?;`
			`}`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`}`
lanzatool: improve signer code 2022-11-25 07:07:04 -05:00
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`Ok(())`
lanzatool: improve signer code 2022-11-25 07:07:04 -05:00			`}`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00
nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-17 18:31:09 -05:00			`fn install_generation(&self, generation: &Generation) -> Result<()> {`
			`let bootspec = &generation.spec.bootspec;`
			`let secureboot_extensions = &generation.spec.extensions;`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00
lanzatool: enable specialisation 2022-11-27 05:19:02 -05:00			`let esp_paths = EspPaths::new(&self.esp, generation)?;`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00
lanzatool: bootspec from generation The bootspec is now read from each generation so that more than one entry can be generated when calling install 2022-11-26 16:23:00 -05:00			`let kernel_cmdline =`
			`assemble_kernel_cmdline(&bootspec.init, bootspec.kernel_params.clone());`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00
			`// prepare a secure temporary directory`
			`// permission bits are not set, because when files below`
			`// are opened, they are opened with 600 mode bits.`
			`// hence, they cannot be read except by the current user`
			`// which is assumed to be root in most cases.`
			`// TODO(Raito): prove to niksnur this is actually acceptable.`
			`let secure_temp_dir = tempdir()?;`

lanzatool: skip existing files in esp 2022-12-03 07:16:46 -05:00			`println!("Appending secrets to initrd...");`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00
			`let initrd_location = secure_temp_dir.path().join("initrd");`
nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-17 18:31:09 -05:00			`copy(`
			`bootspec`
			`.initrd`
			`.as_ref()`
			`.context("Lanzaboote does not support missing initrd yet")?,`
			`&initrd_location,`
			`)?;`
lanzatool: bootspec from generation The bootspec is now read from each generation so that more than one entry can be generated when calling install 2022-11-26 16:23:00 -05:00			`if let Some(initrd_secrets_script) = &bootspec.initrd_secrets {`
lanzatool: appease clippy 2022-11-26 17:19:08 -05:00			`append_initrd_secrets(initrd_secrets_script, &initrd_location)?;`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`}`

lanzatool: bootspec from generation The bootspec is now read from each generation so that more than one entry can be generated when calling install 2022-11-26 16:23:00 -05:00			`let systemd_boot = bootspec`
nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-17 18:31:09 -05:00			`.toplevel`
			`.0`
lanzatool: bootspec from generation The bootspec is now read from each generation so that more than one entry can be generated when calling install 2022-11-26 16:23:00 -05:00			`.join("systemd/lib/systemd/boot/efi/systemd-bootx64.efi");`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00
lanzatool: embed kernel and initrd hashes 2022-11-27 20:23:43 -05:00			`[`
lanzatool: sign and copy in one step) 2022-11-26 09:32:43 -05:00			`(&systemd_boot, &esp_paths.efi_fallback),`
			`(&systemd_boot, &esp_paths.systemd_boot),`
lanzatool: bootspec from generation The bootspec is now read from each generation so that more than one entry can be generated when calling install 2022-11-26 16:23:00 -05:00			`(&bootspec.kernel, &esp_paths.kernel),`
lanzatool: embed kernel and initrd hashes 2022-11-27 20:23:43 -05:00			`]`
			`.into_iter()`
			`.try_for_each(\|(from, to)\| install_signed(&self.key_pair, from, to))?;`

lanzatool, lanzaboote: don't wrap initrd as PE ... because we check its integrity using the embedded blake3 hash. So there is no need for the LoadImage hack anymore. 2022-11-27 20:39:36 -05:00			`// The initrd doesn't need to be signed. Lanzaboote has its`
lanzatool: skip existing files in esp 2022-12-03 07:16:46 -05:00			`// hash embedded and will refuse loading it when the hash`
lanzatool, lanzaboote: don't wrap initrd as PE ... because we check its integrity using the embedded blake3 hash. So there is no need for the LoadImage hack anymore. 2022-11-27 20:39:36 -05:00			`// mismatches.`
lanzatool: skip existing files in esp 2022-12-03 07:16:46 -05:00			`install(&initrd_location, &esp_paths.initrd).context("Failed to install initrd to ESP")?;`
lanzatool, lanzaboote: don't wrap initrd as PE ... because we check its integrity using the embedded blake3 hash. So there is no need for the LoadImage hack anymore. 2022-11-27 20:39:36 -05:00
lanzatool: embed kernel and initrd hashes 2022-11-27 20:23:43 -05:00			`let lanzaboote_image = pe::lanzaboote_image(`
			`&secure_temp_dir,`
			`&self.lanzaboote_stub,`
nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-17 18:31:09 -05:00			`&secureboot_extensions.os_release,`
lanzatool: embed kernel and initrd hashes 2022-11-27 20:23:43 -05:00			`&kernel_cmdline,`
			`&esp_paths.kernel,`
			`&esp_paths.initrd,`
			`&esp_paths.esp,`
			`)`
			`.context("Failed to assemble stub")?;`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00
lanzatool: embed kernel and initrd hashes 2022-11-27 20:23:43 -05:00			`install_signed(`
			`&self.key_pair,`
			`&lanzaboote_image,`
			`&esp_paths.lanzaboote_image,`
			`)`
			`.context("Failed to install lanzaboote")?;`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00
lanzatool: embed kernel and initrd hashes 2022-11-27 20:23:43 -05:00			`// Sync files to persistent storage. This may improve the`
			`// chance of a consistent boot directory in case the system`
			`// crashes.`
			`sync();`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00
			`println!(`
			`"Successfully installed lanzaboote to '{}'",`
			`esp_paths.esp.display()`
			`);`

			`Ok(())`
			`}`
lanzatool: improve error handling 2022-11-24 07:33:01 -05:00			`}`
lanzatool.install: init 2022-11-23 09:26:26 -05:00
lanzatool: embed kernel and initrd hashes 2022-11-27 20:23:43 -05:00			`/// Install a PE file. The PE gets signed in the process.`
lanzatool: skip existing files in esp 2022-12-03 07:16:46 -05:00			`///`
			`/// The file is only signed and copied if it doesn't exist at the destination`
lanzatool: embed kernel and initrd hashes 2022-11-27 20:23:43 -05:00			`fn install_signed(key_pair: &KeyPair, from: &Path, to: &Path) -> Result<()> {`
lanzatool: skip existing files in esp 2022-12-03 07:16:46 -05:00			`if to.exists() {`
			`println!("{} already exists, skipping...", to.display());`
			`} else {`
			`println!("Signing and installing {}...", to.display());`
			`ensure_parent_dir(to);`
			`key_pair`
			`.sign_and_copy(from, to)`
			`.with_context(\|\| format!("Failed to copy and sign file from {:?} to {:?}", from, to))?;`
			`}`
lanzatool: embed kernel and initrd hashes 2022-11-27 20:23:43 -05:00
lanzatool: skip existing files in esp 2022-12-03 07:16:46 -05:00			`Ok(())`
			`}`

			`/// Install an arbitrary file`
			`///`
			`/// The file is only copied if it doesn't exist at the destination`
			`fn install(from: &Path, to: &Path) -> Result<()> {`
			`if to.exists() {`
			`println!("{} already exists, skipping...", to.display());`
			`} else {`
			`println!("Installing {}...", to.display());`
			`ensure_parent_dir(to);`
			`copy(from, to)?;`
			`}`
lanzatool: embed kernel and initrd hashes 2022-11-27 20:23:43 -05:00
			`Ok(())`
			`}`

lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`pub fn append_initrd_secrets(`
			`append_initrd_secrets_path: &Path,`
			`initrd_path: &PathBuf,`
			`) -> Result<()> {`
feature: support initrd secrets 2022-11-25 19:50:51 -05:00			`let status = Command::new(append_initrd_secrets_path)`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`.args(vec![initrd_path])`
feature: support initrd secrets 2022-11-25 19:50:51 -05:00			`.status()`
			`.context("Failed to append initrd secrets")?;`
			`if !status.success() {`
lanzatool: make it more typedriven 2022-11-26 08:55:15 -05:00			`return Err(anyhow::anyhow!(`
			"Failed to append initrd secrets with args `{:?}`",
			`vec![append_initrd_secrets_path, initrd_path]`
lanzatool: appease clippy 2022-11-26 17:19:08 -05:00			`));`
feature: support initrd secrets 2022-11-25 19:50:51 -05:00			`}`

			`Ok(())`
			`}`

lanzatool: bootspec from generation The bootspec is now read from each generation so that more than one entry can be generated when calling install 2022-11-26 16:23:00 -05:00			`fn assemble_kernel_cmdline(init: &Path, kernel_params: Vec<String>) -> Vec<String> {`
			`let init_string = String::from(`
			`init.to_str()`
			`.expect("Failed to convert init path to string"),`
			`);`
lanzatool: improve signer code 2022-11-25 07:07:04 -05:00			`let mut kernel_cmdline: Vec<String> = vec![format!("init={}", init_string)];`
			`kernel_cmdline.extend(kernel_params);`
			`kernel_cmdline`
			`}`

lanzatool: improve error handling 2022-11-24 07:33:01 -05:00			`fn copy(from: &Path, to: &Path) -> Result<()> {`
lanzatool: sign and copy in one step) 2022-11-26 09:32:43 -05:00			`ensure_parent_dir(to);`
lanzatool: improve error handling 2022-11-24 07:33:01 -05:00			`fs::copy(from, to)`
			`.with_context(\|\| format!("Failed to copy from {} to {}", from.display(), to.display()))?;`
lanzatool: set permissons for all files in esp to 755 2022-11-25 11:47:24 -05:00
			`// Set permission of all files copied to 0o755`
			`let mut perms = fs::metadata(to)`
			`.with_context(\|\| format!("File {} doesn't have metadata", to.display()))?`
			`.permissions();`
			`perms.set_mode(0o755);`
			`fs::set_permissions(to, perms)`
			`.with_context(\|\| format!("Failed to set permissions to: {}", to.display()))?;`

lanzatool.install: init 2022-11-23 09:26:26 -05:00			`Ok(())`
			`}`
lanzatool: sign and copy in one step) 2022-11-26 09:32:43 -05:00
			`// Ensures the parent directory of an arbitrary path exists`
			`fn ensure_parent_dir(path: &Path) {`
			`if let Some(parent) = path.parent() {`
			`fs::create_dir_all(parent).ok();`
			`}`
			`}`