nixos: add a lanzaboote module
- Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys
This commit is contained in:
Raito Bezarius
parent
c53477fbf5
commit
ccdd02bf1c
24
flake.lock
24
flake.lock
|
|
@ -35,11 +35,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1669001258,
|
||||
"narHash": "sha256-fi0hCUCalMwd+RUi6zUBzNb0ShowaJk+o+p8qtF/Iv4=",
|
||||
"lastModified": 1669207345,
|
||||
"narHash": "sha256-KwfRW0f70Y19EkbB6D9wy7AoYqCYPuIL/2taiJPvuxg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c6e5939c8fa2ab2230baf1378a34746e8db1aed7",
|
||||
"rev": "3ea5616c21dd186129f90a86c66352359a45cb07",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -49,11 +49,11 @@
|
|||
},
|
||||
"nixpkgs-test": {
|
||||
"locked": {
|
||||
"lastModified": 1669200924,
|
||||
"narHash": "sha256-NUPT9VMQHnFRqqd/ILcfMSbOvPTLbVBXGO7SWj0N7Dg=",
|
||||
"lastModified": 1669288333,
|
||||
"narHash": "sha256-PMP3JiUBIYu40gmWAIw+DG2UVsx7m5exGaGxdSQE3ew=",
|
||||
"owner": "RaitoBezarius",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "542f657a93ae903e07d6274de413142c4b99d6ed",
|
||||
"rev": "308e09c57da1df2abeccc236431a2675a2b38555",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -65,11 +65,11 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1669001258,
|
||||
"narHash": "sha256-fi0hCUCalMwd+RUi6zUBzNb0ShowaJk+o+p8qtF/Iv4=",
|
||||
"lastModified": 1669207345,
|
||||
"narHash": "sha256-KwfRW0f70Y19EkbB6D9wy7AoYqCYPuIL/2taiJPvuxg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c6e5939c8fa2ab2230baf1378a34746e8db1aed7",
|
||||
"rev": "3ea5616c21dd186129f90a86c66352359a45cb07",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -109,11 +109,11 @@
|
|||
"nixpkgs": "nixpkgs_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1668998422,
|
||||
"narHash": "sha256-G/BklIplCHZEeDIabaaxqgITdIXtMolRGlwxn9jG2/Q=",
|
||||
"lastModified": 1669257187,
|
||||
"narHash": "sha256-NURtNyepbHLrJs2kwsQ9u2SUKhuGU1T9mPkXasG9hpk=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "68ab029c93f8f8eed4cf3ce9a89a9fd4504b2d6e",
|
||||
"rev": "018df6d3f900fc53d567045bd86208f5c00d8956",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
|||
31
flake.nix
31
flake.nix
|
|
@ -90,8 +90,10 @@
|
|||
# tell lanzatool where to find our UEFI binaries.
|
||||
makeWrapper ${lanzatoolBin}/bin/lanzatool $out/bin/lanzatool \
|
||||
--set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped ]} \
|
||||
--set RUST_BACKTRACE full \
|
||||
--set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi \
|
||||
--set LANZABOOTE_INITRD_STUB ${initrd-stub}/bin/initrd-stub.efi
|
||||
--set LANZABOOTE_INITRD_STUB ${initrd-stub}/bin/initrd-stub.efi \
|
||||
--set SBSIGNTOOL "${pkgs.sbsigntool}/bin/sbsign"
|
||||
'';
|
||||
|
||||
# A script that takes an initrd and turns it into a PE image.
|
||||
|
|
@ -129,7 +131,8 @@
|
|||
'';
|
||||
in {
|
||||
overlays.default = final: prev: {
|
||||
inherit lanzaboote lanzatool;
|
||||
inherit lanzaboote;
|
||||
lanzatool = lanzatoolBin;
|
||||
};
|
||||
|
||||
nixosModules.lanzaboote = import ./nix/lanzaboote.nix;
|
||||
|
|
@ -146,6 +149,10 @@
|
|||
lanzatool
|
||||
pkgs.openssl
|
||||
wrapInitrd
|
||||
(pkgs.sbctl.override {
|
||||
databasePath = "pki";
|
||||
})
|
||||
pkgs.sbsigntool
|
||||
];
|
||||
|
||||
inputsFrom = [
|
||||
|
|
@ -165,10 +172,26 @@
|
|||
imports = [ self.nixosModules.lanzaboote ];
|
||||
nixpkgs.overlays = [ self.overlays.default ];
|
||||
|
||||
boot.lanzaboote.enable = true;
|
||||
virtualisation = {
|
||||
useBootLoader = true;
|
||||
useEFIBoot = true;
|
||||
# useSecureBoot = true;
|
||||
};
|
||||
|
||||
boot.loader.efi = {
|
||||
enable = true;
|
||||
canTouchEfiVariables = true;
|
||||
};
|
||||
boot.lanzaboote = {
|
||||
enable = true;
|
||||
enrollKeys = true;
|
||||
pkiBundle = ./pki/keys;
|
||||
package = lanzatool;
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
start_all()
|
||||
machine.start()
|
||||
machine.shutdown()
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
{ lib, config, ... }:
|
||||
{ lib, config, pkgs, ... }:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.boot.lanzaboote;
|
||||
|
|
@ -6,12 +6,36 @@ in
|
|||
{
|
||||
options.boot.lanzaboote = {
|
||||
enable = mkEnableOption "Enable the LANZABOOTE";
|
||||
enrollKeys = mkEnableOption "Automatic enrollment of the keys";
|
||||
pkiBundle = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = "PKI bundle containg db, PK, KEK";
|
||||
};
|
||||
publicKeyFile = mkOption {
|
||||
type = types.path;
|
||||
default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.pem" else null;
|
||||
description = "Public key to sign your boot files";
|
||||
};
|
||||
privateKeyFile = mkOption {
|
||||
type = types.path;
|
||||
default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.key" else null;
|
||||
description = "Private key to sign your boot files";
|
||||
};
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.lanzatool;
|
||||
description = "Lanzatool package";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
boot.loader.external = {
|
||||
enable = true;
|
||||
installHook = "${pkgs.lanzatool}/bin/lanzatool install";
|
||||
passBootspec = true;
|
||||
installHook = if cfg.pkiBundle != null
|
||||
then "${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--autoenroll"} --pki-bundle ${cfg.pkiBundle}"
|
||||
else "${cfg.package}/bin/lanzatool install --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile}";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,52 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDadlSw2a35+y4k
|
||||
oQHp2Un/DUM6e/hIT37jIchplGzlVAPQMGJ2IPW+b9OAn/dRc7D5/w57fYvB02d9
|
||||
J+0K0jc5Po3WMaYnptVtJ03ks/qmlgQm52uZszSeIBiPIdUNQaPxrOPAckR6z6hN
|
||||
gnvB2V3ornI6cpWSZ6LR7cJoNWcPTaVDqWq0mC5XstKt17rnQkkLGfx/4qIb/eUA
|
||||
QXVJx+UJ7zyAN58hAy+Altz41Mn9DMf40B3O3sQJosbXOsiSojUkD5GMQKT0NG0o
|
||||
YRHnGVwZvCHZRRMlw8zMj/lA+tuU4+lBjPIdFhwFu9iBXNSLcJRvvLVF1W0idvYR
|
||||
S+GNce/3PAvkjU+a1LWpfTs0UNyfFoBxry8JbJACNJt8EVY6io2EsoY5upppJWIw
|
||||
x+LsRmx+g+67cVZ5OZuuoI3EXhduBbPxQ3VutygpwrBV7uMABE1Y529CLnbS13yy
|
||||
QR+8k1hUjmJaEyH/Yrqr62P/m4cXqVjvVwXbRVPiVl7DOBUGkwPptzuwHWGUThUB
|
||||
jisQNTx88FGfcDFiJ7iBDIIUbW2YGs4X+baD4mrJrCkfIqrm3hLkQFxuXqA69t67
|
||||
0s+O2LQpiMuXSX2TDxow5RI5U+dV7YiK1aCRSPYd1nTuKJ6kiGwfwlWxidchESSO
|
||||
qzK/1ZbegE8RW/9+Eur8oKTuTewnkwIDAQABAoICAQCKJZgKuay1zuvwB8zw9xI+
|
||||
8kEYI7ru5y5jLULR2SU/o/BBX8dz0gX0pjyGMyIvZMx+Wpbq6opNSIVB9NSGKkb3
|
||||
sSH6WC0tF+gQ/XDZdiLD40u+2ksFx/g3Ii7FnGxg1Kh6tIzVbqz1SImychgWjoE/
|
||||
GclsQndpPJYO0J5GTbbdS4l9jw3GJBHyLUfi3O/5O8Z6+bTdnhBLSTPeBIbJ4Flq
|
||||
/dkxb3r2YlBQrZYQ2Gbe2Y0/P0QKRH6NZVz+T9L0PxUBt8KfgWWOc/SvOysaC8Rd
|
||||
FcYF4hNopzfECCtjtv7SWYlwhVO5pviTe6U+sNhLUSbcveWXwo4f5EBY0bZRPsKy
|
||||
VmsEkW9if/+nthYPsonVfWoiBl5mn+06+zPn8NMWVhlLRMLTYDnYyz22eGqjvS3m
|
||||
FPSroNK/A2D2lNSfuORJ4fAHhYoB9K8F5wBPFRrndlXn5tHiofYaKywSQPgymOGN
|
||||
YCtzXPAnYvEsiIlD0HDBEI6F/6aRNlEgjPreGOInuiQD1o81yv/N4o4JFtsD3T8Y
|
||||
LEngIdAzn2D9qEHsg0H4qoUJum6Z9Gw2IZYEH+CRM56jp50QrrYnLD++eGF8wPsP
|
||||
PNgU1I/gNq/JbH5fYGMX1QAMopbDMnib4uPKG/wxUTEUFkVV7rtCFhKGg9WnGdjn
|
||||
y2IDWEIowGwLsp8ARrNS2QKCAQEA3ABLBY4BkWLbfIGIjseLTDPvSxB4UErrIIJ3
|
||||
qpxHdp3ORr66BIqQ117g26TuCQL0iAiiNgK1WLqohOpSvlaEh2UTXux4Poh02Hiy
|
||||
p7t/BdAXU/Zz937p767fa319Sn4UG8Lf4p6BNu4mgVAgZ0yelwpkgHmNtJqcnywn
|
||||
JtYBhPNgr7VSHQ12iiQw+lEgw+D7pV7FmIi33E0Te52YSBOPBRYqOWMJXI2e4nHH
|
||||
wqSP99xx0SQ6WAnx9Uvj7RrpEHexYTOSkjqaAl5eS1ATnuCtgs1dNWryw7SgLjnG
|
||||
tt+UfBPBAfwy7Bfs0hSdCrw/14paE5dRrkwqIV4SJr+WagQvDwKCAQEA/jWS2AQw
|
||||
WQXZ+DbtMGcyP45XwNRqkBxtLeNXzP7H1ixZ+r/CD0oh6tqjK+2QyCD31ufE2tmb
|
||||
TltgBiJuMt5kELtj87vVtZ4ER2YCXEMB3EpONDDG7Tb6T589LiMno09YKeApRcKH
|
||||
XLM0R3ffKzTMl0j5KTtlOXzfdVDSV2ef5vI8hyUJpqBZbBPHmLyeyTi7MfF1X3MD
|
||||
jqEoHVnx7kxBNRzUwW4E+9i9qdwSjlfPPD/HbKbNrYHbp9UVL7CTdTQ4tBdhj46A
|
||||
mqETKzHWWcSXgNcG8MT+DhZXV+SX80eNI7YAdHK+3UpHG/2jJmOK7EChSFd3kI9K
|
||||
UOJArJ5OfyP/PQKCAQEAkmavhfbGHFXI8cXRdhJcJE27RByls+jnJy8rKyHsfIbv
|
||||
Kizp5PPBB1FgGUpcDSsmRxBXwdFzlKRCWJEGlxtD/kXI6jY6noJ4H0XSvcQL93ZO
|
||||
z9UFvwF588JPc1yC7/uOrhq0mj4YhtFcVllX9uYJ80E7ODOrlS/+Yf4j37gyMqMz
|
||||
CDqFdkfrRmpnHWy3fSJO0/GJVMRGdhfkizKIkA5T8nKZjq7VH/4uaUqGQIT6OVs9
|
||||
covFN6kGltH1z2dFCWxdYe3L7/uHWWQrI7saE3Q4gv7etBmDi7C7l4djMXb/fMI4
|
||||
gnWt/Wa+dd650tcLNQgggUEFXhPZRXMwaRC9q7c1CQKCAQBYivqByTu51kLspN0K
|
||||
zfb/kinYnWQcm/ofUJ9lZJzgaYRRxXbncm/L6KmLBG04d9s7fHDhtYfVzBfvKxDt
|
||||
IO8DsPGIlLVEVCyzXcGWtzQvsaX5ob+4Ij0ffJyHtHD6/gj8VPqrNK2HSVf9SLBv
|
||||
0S0tyJoYlXqVgnwm1abeENbuTxNsEyeAZTugXGdaOOCpv9vb8nlqbJohlNpvFsQg
|
||||
t2jDAi7MzPBpdD3jqya/c7BYEPL6UkMzmxaSJ7MAcGV8HltdxwMRSJZcxZvyoKJD
|
||||
lCkdFEhzlnnTGE8F6zZN428ysBMKfGkklNmd00N/fI6H6Z8Dnoujy3UcJSJXvbAj
|
||||
srsVAoIBABWmstJYCh294LL2q9Io746NkWsgAcXPK9Klg5+Tgl3UQkH4FejZ07rO
|
||||
mchehpzwZ0hbSb++IJP+5DVGpxdIJ6N36742bANNLt3SSXTpj21X0uFpF9cD5GMt
|
||||
pZd/4PjrL2Jfj4Hl8di+v0u9WUd5+++CLoMNm+CYUF85eLJtQxGTR0qJZMSPUBBW
|
||||
WaNyfguwx0WNJ0UadoWU+tXsOm1eVS5TTepOOU7kkqos5n0+VAnHgzsPOtwLRrrF
|
||||
8XJ8gBBU7M5LY1uoEwSjtkll9uAsfffsBMt+FKM4sHHV75Sxg2AYLwGy3eUZfNAQ
|
||||
k+GbSvCxlZqSnyXYt1dMWTcDQXDN1H8=
|
||||
-----END PRIVATE KEY-----
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFCTCCAvGgAwIBAgIRALFOG3w2ptEQcQqzvAg6PzwwDQYJKoZIhvcNAQELBQAw
|
||||
NjEZMBcGA1UEBhMQS2V5IEV4Y2hhbmdlIEtleTEZMBcGA1UEAxMQS2V5IEV4Y2hh
|
||||
bmdlIEtleTAeFw0yMjExMjMxMjU2NTNaFw0yNzExMjMxMjU2NTNaMDYxGTAXBgNV
|
||||
BAYTEEtleSBFeGNoYW5nZSBLZXkxGTAXBgNVBAMTEEtleSBFeGNoYW5nZSBLZXkw
|
||||
ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDadlSw2a35+y4koQHp2Un/
|
||||
DUM6e/hIT37jIchplGzlVAPQMGJ2IPW+b9OAn/dRc7D5/w57fYvB02d9J+0K0jc5
|
||||
Po3WMaYnptVtJ03ks/qmlgQm52uZszSeIBiPIdUNQaPxrOPAckR6z6hNgnvB2V3o
|
||||
rnI6cpWSZ6LR7cJoNWcPTaVDqWq0mC5XstKt17rnQkkLGfx/4qIb/eUAQXVJx+UJ
|
||||
7zyAN58hAy+Altz41Mn9DMf40B3O3sQJosbXOsiSojUkD5GMQKT0NG0oYRHnGVwZ
|
||||
vCHZRRMlw8zMj/lA+tuU4+lBjPIdFhwFu9iBXNSLcJRvvLVF1W0idvYRS+GNce/3
|
||||
PAvkjU+a1LWpfTs0UNyfFoBxry8JbJACNJt8EVY6io2EsoY5upppJWIwx+LsRmx+
|
||||
g+67cVZ5OZuuoI3EXhduBbPxQ3VutygpwrBV7uMABE1Y529CLnbS13yyQR+8k1hU
|
||||
jmJaEyH/Yrqr62P/m4cXqVjvVwXbRVPiVl7DOBUGkwPptzuwHWGUThUBjisQNTx8
|
||||
8FGfcDFiJ7iBDIIUbW2YGs4X+baD4mrJrCkfIqrm3hLkQFxuXqA69t670s+O2LQp
|
||||
iMuXSX2TDxow5RI5U+dV7YiK1aCRSPYd1nTuKJ6kiGwfwlWxidchESSOqzK/1Zbe
|
||||
gE8RW/9+Eur8oKTuTewnkwIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZI
|
||||
hvcNAQELBQADggIBACYvqkZYAIPnFZ5hwZDYfZeBJ99uIv+yft7DR7l4g3scBheg
|
||||
eZTn7SKIKAqRnJXuvdOANb40eLyzEuU59bzBCIonp7BsKSoNPWJvfZu5EjdybaWv
|
||||
owUmBKfmQcnM9LSkKnr6qsvj0PBw9m69l8d4sWz4eRGlQc7mY2Fgsik4swmjkj9J
|
||||
iHN5xhvKFtpPdJJcCVwjjCvRiYZfibRgI74YK+NRD1CYIIf8bh9uROzgjnXUTa4s
|
||||
38GxrwhEF2v5dOyEjohuLdD/yO5e6m424JWytEFB4dldpgH0DNVcsOe7Xj6I6I1c
|
||||
oh+WCgwWqoAXTBNdPMYHWZybQXqhBBIVVtRddzo1ViLsaaDxmaijNKac6JsutNQN
|
||||
f0Zm/uw67lLMfMUtf/jwU9SCWgWSF4S66pohmGfONbGytjk8Str9p+lN0B+rL7IE
|
||||
xM5i9883HpZkFJ1LXvyfz/qJ5KrFOTixgXE/P5+iH7/4PyiAXlCbXpDbwd/ycEGm
|
||||
W5DVThwPtvaXB7g1/WMXgLIlH0/p2yBYqtEAUDpKpFq11uu/D6DctzvzgamTsvND
|
||||
CCDGNK58N6Cfp2IjjzM1sjpJQSDKJvQWnb+bt0MO5zqqi8L7ejEbeSF3imS3JfzY
|
||||
RqA7XR+T8SwdiPqMxR5mXL0Mfk2z95G6znH8DOf2CGxc3X/MLfAW0jvUaPZa
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -0,0 +1,52 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDI6Sqb8P5wucXp
|
||||
LkUKXGkA8liEUeMvlHf9HRBuAp/WumQvLMFYgt2JT+D9za9qr999NdN8r6YXI93e
|
||||
3W4cavcdtIGmcTdE5ACTij7G0KxCZk1C22dfX8pa7iNjuXzOBq0m9XQoLoSsgl/r
|
||||
DHQP4wMC8sUiNqZT9OtRVumXnApvpZO2yVh8xG294nV4mGAAjCPaeYgdYTCPtrtU
|
||||
VWp98/w6luX58QUEId7WU1r9G8aDqlkOG6sLg0+5AQqbKU2V4hzmisyEaSFdPqzx
|
||||
8x4fR02NJIvAIE5Sn0+xfQjC1n9XIhldiXytSiEjtV/fG+c5q3sLIgYzEgEtxP9N
|
||||
357SXApcBPXZB7fjOYveXT36mDPurg7M/86qt0z+Lc7ZlgCpHgkqtl2vSgjP6J4I
|
||||
KTGCPKDDv1cD2mE7bWV7Q/FvBrozEht6n/hflU1HG1sa1D79l3Ap6BfbCbC/PI4g
|
||||
PSny1lvtv0MmOvEhaKn5b+D0RnjzqUjL4LRfdwtWxEDnbyWakRpBedBjK2pw1nzd
|
||||
9XTBg6yM7xZTDJ1kHeNshba4h9bLLRpqgiDfbg3p8z/G8l+S1MG/iX0rSNeo5yHo
|
||||
AFrLdApwoRoKKsVQeIg8AlT5o2VVW1epdlzXONLDiGYFCn1S3ZgDobrx3B0+LyIR
|
||||
c4I4FIelFcMCwZLWNSvd1+QHKxPvtQIDAQABAoICAQCr522Qzkw3EY04bmGecuFZ
|
||||
cQKx/QrhbCyagyLKri4rYYJVJvssC5UYZyOAplxAcclM7iBNoFEBnau6hEYxxIg6
|
||||
f3crfdWneVrQ4snB/UxW6AeVe/tgDKss0HOxYUVbVzUSj5RaySq2HDuL9zTbXwb1
|
||||
n9ly48W/MmGiUDZAhcAcNVVFYdP3tW6cuUZ/8Ai8jywiRDhlwwH1BYoVp5wdtwSK
|
||||
8RBHoqUDGyP6yImi5gAeKkRWoO/iQvGUv0Je7qE27KiDziEd7oIgsX7y6m1MoArI
|
||||
CIwW0M2TPkLG/8/ePf/pAwEnGnt2HmZqkkc8tDhNDN+T8AHT8sTVb6hu7jaLkTs+
|
||||
aZ5iw8uUBLPTPNMX5Oz0SW/Pijxsh2+9kKCjf/5CIs6BqhcUXZlfdRm/bFGfAq1N
|
||||
ivhyP//U2yt+MHhZoTMj5vYBeIw7Ee5bMBmicFOb2wMVZINOXaU1p+gG9CqWxPS4
|
||||
din+YwIX4tpESjRK7LX+969wikEqo8cLfelW6lmH3Bh80YgfcJb7D3lKp7B/sqND
|
||||
BliHMRC1461XMTT+4iWHzJ6UjP1twD8ebL3vxsBOfgKWEuMz6AcAYIrYyTuq8b4j
|
||||
MuPcgL18BFFlt+qB+x7991VzOGWrW2TgP/D52rT9Px37x3WA0RDiuCROKfpWtsfQ
|
||||
r73mN24FWu8vqqO2teSWQQKCAQEA9aKnIzQx2OVu5v30KbkLW+DgRBYNKsfjKEcL
|
||||
jJgoIIhUaatjr/Tot2NJVDLXV+yUyfByFWO/hGNwNMHnLEnl7NkE2gvnU3bD+PzJ
|
||||
pWGJPgdi9IBdnoqG5brBngQUrtgV75UFVLPFffsIC5B4mMuPRjhGp5xvvbiTNrgD
|
||||
hQ2Bh3fQKWBkcz7ijHkcOTXvn5RbqKIZSsHR9pC5JRPpLOWXTQzHz5YmUDaxsPFB
|
||||
XIOL7tXRrXlS0YSzdYVqxkuiUEWU06URXu3fmTM/rPvmwKBpEwOimaK0fvCagQB1
|
||||
XDUZzfkeHFnIhNpsX9WADuXi7lqoPQZa8ZBjKwzHtB4iRQpBRQKCAQEA0WNmZuz1
|
||||
86wXk58vkcxJW8si0X90RkgGtXaMH9o3VB9jaSYPe5LRjhwfnJ9Ba2gVTN9EJLce
|
||||
lzD+7fBHHVb/+kJjvNS6ME9L1R/GQGjKp1gTTJNfX9tNSMeWUU+349T9VFweh6vs
|
||||
HMhNd6/aGSZVVipoxfwpWiWl8UPJMe+692rXkWp2Q3OOlp55hXJ9BEC05R+gvSkS
|
||||
Z7vosXt2DEQowgsxO6pvWgjzg+BudFFXOTAhRsKLVFqq8KBeQV3AdIdtkYAYgj1Y
|
||||
KnKgyve5Ngbo3b6XqAs6/roxTCm71oRW043FxZSMIuAZpkCSzpVA0uSSDout0/+i
|
||||
MLf8OSaRUGUDsQKCAQA6dFap/gXOw+q8dbrhIvQdDUrRaR4BDEh2kVGiR6Nk+ox8
|
||||
CRlUCkhHPA17SA4PEnHmDJ5ZkL9G1hMhuvM0ivF4h7yr1yFZr227lwy1mpx6cm+O
|
||||
F+4viG/Jw8PHwtjZMvslZKU8HvvkmxSzC9JnKioSX9oQkR3WXFJMN0Y/J5OnlU+o
|
||||
SRQeiNyI6VlaFAfORhP58XlrXOyGbLJirHZVBN4Yq+3w7J55gEqQ/Ri812E5mRCo
|
||||
47JdweKjGPjr75vU1nowU5vqp1kKsDN7CwdC1+mpaLgNL7ccbk2WXXGQW+KkLaCI
|
||||
xqT9WK1psPkkkniKmHBo9VY3HlE7MXNk3bbyDxqxAoIBACeboupDVr8SRZ9yFECD
|
||||
ITlQ8rQoZOlKhKJc22LHF4I9McPZJEKe4i78mOo6odhcZvMUpMJBNXMqHH8L3Zfq
|
||||
Nh+z4UP+BX5P8atOCGV0rSj8myH4Gql6RWNIBeI5rzJUvtrvVgMZ/V7wcN78D8iE
|
||||
HM5g1VLmQThBOOOri+p7S6WzuzVRqy9VM5rAPYKFxqpARze0ROajV0zyGbFBBnKJ
|
||||
jiAul9COi+O/H7lJgftUy6gQt6q38D0zrXQ5EbtRra8dUxeb4Ib6bawR5OKf+5QB
|
||||
uJkBjZSHE1DODbc3icWpYPdBsTCPyfZq588wFdUoHIwIGqzPtUEN8TNACmERL5nC
|
||||
kfECggEAQ8Y/NxDGju89NcgjPaeoZ9caxMmpXl9+77IESFfWeeUP+cLXhyvf3X23
|
||||
KjYlfF9Ok7ZLh/r04FxA/W0e2+Gyjlvyk6sE3opgizk9wV7XwwDH5v2C0F9jABrZ
|
||||
EkxuVjqR1utj3/WuWkpVl9GNprcX5GzGtDjlRNy/ZSX7u5kB7uwFircdvlqzF6Jp
|
||||
9nqsizR29dYj7QSPKyiBcqZaoxolNQkOh8aXNso6HDIXyFr0/tGnZh8IC0o/LZdC
|
||||
Ksv281tFsACnU7eOPIkCbsuetiag7BDvRIOXXmTaMt9/VI4X94x3uPgzXA+NsCAL
|
||||
7Ftk0PrOk+MsXS+8K9hR2j8Bx2Y18w==
|
||||
-----END PRIVATE KEY-----
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIE+TCCAuGgAwIBAgIRAOuskmCCGswzOJ0Cwzibjg8wDQYJKoZIhvcNAQELBQAw
|
||||
LjEVMBMGA1UEBhMMUGxhdGZvcm0gS2V5MRUwEwYDVQQDEwxQbGF0Zm9ybSBLZXkw
|
||||
HhcNMjIxMTIzMTI1NjUxWhcNMjcxMTIzMTI1NjUxWjAuMRUwEwYDVQQGEwxQbGF0
|
||||
Zm9ybSBLZXkxFTATBgNVBAMTDFBsYXRmb3JtIEtleTCCAiIwDQYJKoZIhvcNAQEB
|
||||
BQADggIPADCCAgoCggIBAMjpKpvw/nC5xekuRQpcaQDyWIRR4y+Ud/0dEG4Cn9a6
|
||||
ZC8swViC3YlP4P3Nr2qv330103yvphcj3d7dbhxq9x20gaZxN0TkAJOKPsbQrEJm
|
||||
TULbZ19fylruI2O5fM4GrSb1dCguhKyCX+sMdA/jAwLyxSI2plP061FW6ZecCm+l
|
||||
k7bJWHzEbb3idXiYYACMI9p5iB1hMI+2u1RVan3z/DqW5fnxBQQh3tZTWv0bxoOq
|
||||
WQ4bqwuDT7kBCpspTZXiHOaKzIRpIV0+rPHzHh9HTY0ki8AgTlKfT7F9CMLWf1ci
|
||||
GV2JfK1KISO1X98b5zmrewsiBjMSAS3E/03fntJcClwE9dkHt+M5i95dPfqYM+6u
|
||||
Dsz/zqq3TP4tztmWAKkeCSq2Xa9KCM/onggpMYI8oMO/VwPaYTttZXtD8W8GujMS
|
||||
G3qf+F+VTUcbWxrUPv2XcCnoF9sJsL88jiA9KfLWW+2/QyY68SFoqflv4PRGePOp
|
||||
SMvgtF93C1bEQOdvJZqRGkF50GMranDWfN31dMGDrIzvFlMMnWQd42yFtriH1sst
|
||||
GmqCIN9uDenzP8byX5LUwb+JfStI16jnIegAWst0CnChGgoqxVB4iDwCVPmjZVVb
|
||||
V6l2XNc40sOIZgUKfVLdmAOhuvHcHT4vIhFzgjgUh6UVwwLBktY1K93X5AcrE++1
|
||||
AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEATfQK
|
||||
DfqXHnd/n4bdoLqAnXb6hvqKmjtDLBPVWp8Jzj6Ew6y2FULLUYkH3DEx0kfedQjO
|
||||
kD4h3LoYuHoqkcQ0dNI8RZ1v2oTBljadOTdZyjvtQJvBTtHzSTyrDl+e4CpME0zf
|
||||
Y8/7tXoXvhxxOiU0CcHeBlVJBdUmgmbGIb4CYlHFLv9L3CKc4RY1r9tIynLXtMWB
|
||||
FLNT8CE71BtF65pQkNpyPpTzLYyaDpvX8hy95gov7O+5jxl6MRCbL/h/BMBEBRbm
|
||||
qq20gYwpElPJ9TlNi0ynsAVG1K1miI89ejdHywLTt72q0VL0MOHpKFmAGKvuBVIA
|
||||
9RFD6tjMIA0P86gbDS+EgFJShuO/SAPftpuLAo/ZxF6lToPllox9wn3V9EWCMh94
|
||||
W/GfHI+PmxE+kEOnRgW1qMl1a+s8d7w3FwKqr4LaNIw4jX/Kmdjii5BGoVBYDt8X
|
||||
5jUliJBr5Fc2J7GfQFt03FpRp+h9d+Fra0ftRM7V4moCEMTHpR30xbxbt67Mgayi
|
||||
SY9UU0WSopaqTh4ye4gj8NbhNVJ8IQlgJhYwzfvrMuaIOoDL1OoTY/ruqYYert8Y
|
||||
BVi8EjEvVKTGfLEnuKBK+irrU9YuGmJjw2D6GQ4aJV7DN5dTZZmTvAhK5kevhFQF
|
||||
jN+7vSSp9LYMiJ+y5sL/sToVe5oaP3Wv04mu7CM=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -0,0 +1,52 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCuLZZ9CwqagpEH
|
||||
iqjdXXa8X31h/oTTcAN63uNE0Vk1Kd5aMEzEzhrpJH1acqj6cfGMsRLsVi+a9MU8
|
||||
cXzKZhjs9rUufypMwClSBZ5H9S11mJDF0vO2WBT+6pbeU/gH/XJc44CFbY5ISQJx
|
||||
f4JiQ86pKrGPjFq0SspqcEl/Cveexb5LjSK3qIR21m+j+Av+7ILWARFhgCzjteZy
|
||||
KHhmU+HBp6eNDHM/+sWgJwHwTDhtKgP2yMVZZa5ISHHNwYUoUYZlS/F2R18XEtdX
|
||||
OIVJswLXTSq4ZdpdwNwLHSW7lbDfagDDGdfvQZEE/9Kus/XKDom/vGgO/dFihRfm
|
||||
21Q0YK+oGjCtdjKhmt1JChX9aQspR8SzWj7cTxVNdYNSCtM+Ozk8Uyfd4x9Md4Nb
|
||||
spXPM0bPCm5q8tj0sBENwhJ6Cgw+MoraN334Yd6ccklC+3hzRQj4FcugVGrx5vQy
|
||||
jH8gdNIgBn+bvakkhs38uH3E1zK7drG1v92HzlyyrX9DslE8eU2WWr3KhlNdASxi
|
||||
taRt7r3Z9drX/ChlF6McfAv9DVrUEilZHSLao7yjT8dVIKSx2djbbXxgtEz+L6aY
|
||||
aY99PZvgO/yLUvFKLuXZ7J33BOionstownfpmRxL6QtdxeTuniKzkyol7uIenrco
|
||||
eqmF/sKhRvHsPMrydqFYcOD5GcNNcwIDAQABAoICAEvsNTfGU1XsaflmmJr9fZ84
|
||||
5HeNsSpVHj813s0FkCQbXv/jI+N5j8Nmk3mUl1Grz0WrffskylV6MmtZcLLs9Bp+
|
||||
o5Vj+vU/ogNNzaPCHJGw8hI5FOC73lMLwL2izm/1Kx+QT1pZ2fZqVLVShmv88J1O
|
||||
rd1LqdIC896XmYHWLv+3ZG6cU7DItQz0Be/sVJZHU/SivIfKjkan6I6EU48PK031
|
||||
nZRfA/G0huZ7el3ba5EyCk5NT7DbILADXA/7NebQOov3IYaUL7/oB5POYFMyw59D
|
||||
1MZSJ3BMe94gU21EH7gTBcgFgNmas/MA7D4Y1Z/A3IyGPLmkK9wM9dE8c6TtLEOb
|
||||
JdOe5tQeuFQPzSxcqPeIUsvFQqTh/dtOhTi8UdHcBEljxNkqrp3HJalEeRJF+sbB
|
||||
TxKIypniG2fQMyfvivvbTjtRkJbKhjnQtIbtxFrLfQbwMzCaqlxkT4xJMAf3FXvK
|
||||
KAdq+YSd2JZ+rJcFG5H/V7LIuAyHY/dMCIkTFjoPQla1JSEZwKDcp7Mr3c01QG7T
|
||||
j4UT+E7DVD+Ec4a6KK8wKoQYOjK6yFrxgyrmhWgwtkk0ayn+mm25CwHbaxEJ+qI1
|
||||
fSs0N2dnAkFtZAdU8AxK9r536RX8oBGktPW7okyRQbksCyNncfxKTBKbQ25QKgZC
|
||||
A2/FxFa1A4Fkin+Rl2sZAoIBAQDVF1pKyVjQT9Ko6so0Cosf2qmYKI0rCU6eKVpw
|
||||
hulknUcDwln4yOQuR8sv688dyAMBS3eoufAogXY/Fnw2JuUQnmtqeM8kZjf0Bku7
|
||||
DR2TwMOgdLrwlVyqEyHhOc54s5ZVf0PJZYvwJJLqw7AIRtNgYnjoBlQBhlIwNqCo
|
||||
X8YTnuZZbcDDyP1YEVH9rBBs4JzSOeuf6fbUZqJJouYqsuSkf5WwZPsZEsYy80fk
|
||||
Py0S2tEvK6aFBPq7TBjZlX91RTOW+US5i499dgg5P9JeN7NaEL5CEFvutFXI8nyj
|
||||
8o1MjRe0wuPiDMrC2G+93UHLfr8bBVpJ3QlCMQyNPS87kmvfAoIBAQDRQEzPNmR1
|
||||
hd14YGuVqnz4I1q0tD5OPUoWLMysPiu5lPuORHvz8jJuJATq6va1u8ODPKvCzY/D
|
||||
54D35RgNKzm6rblxLPt5KXUk4vc7KAnjt+VWEm7L1ysqL62TjBGtSCxxQrcmpULM
|
||||
QgyxQ8aYkwkaB/5VbVJBhzb9PGdS0tAvmxSOeVIv2p4OYd7skJd6YC6TtKHzFBl5
|
||||
JdnoQS7HfYbgj0xNpuodw5OPCAGSLBZz3Ls05MQGwQ1TYxD3UehNPSjdwwsVSsbe
|
||||
MWrF965evKH45caAA6KDLn1YhYqRuM91SLLI/edmg/FO1RkUEEc3BFfshBvvQRGC
|
||||
j+iYu4a6eJDtAoIBAF5YMIncC45vSP2wtkXERUSdM2lCyv266SvtczVPBhad68sm
|
||||
SV900lILR1K4PMMawvnXx+rUKBhG+WuFMQlovxJUkYpaYpvjBfLstqria633MqXg
|
||||
CMRr3NMQFXf6eAfIu06vQfvxEbwI9WMrsMx5TyzlbFKOOrNSHSFrjkX94VzehW4i
|
||||
wa3tVv2e7YY6oCsUZ1pMep4aoEX6CvA/R1iwS7rpIgUvMF0xir8UJ0hPEE3Aw8z2
|
||||
rotGYRx73KS5I+1v7h9xzZO4zpblo051i1ZbovTFZPcq9wkAntqRQc30ncq+zTgi
|
||||
8XIr57nMyexuAatvOn1kKU16p5a+0KfX5wmhElECggEBAJcWLl+Pjoms1nSMaiHu
|
||||
r70bCetgGXy0lEHepwnW+gtNnzTiDf3d6rvMFiDo9qnRoSGpNPu7IQr6pQxYxjz7
|
||||
8PrxZOxq5khdvs+bcZetGTbrGRREyuszuV8EffgDMuBDNJOy8DtfKBQDvNZhcYvI
|
||||
3tGE5AcaoEHgN7wxWQlcXiWBfB5DSyxyVZ1c3XFCFZ2uxPKxgh3ZbWskAWrJZdV0
|
||||
tWZ/EUEgO/qxtGGaDkhUvQF7Z1CRvViDG/QRm7Z31ZuvhUpaAi6lh2H3nHjElYqh
|
||||
+PGWNvVHqpe9gZPhGGSPZHvyueSWL/a9Xgblpu3tsv3ujO2hlenyuYnkDrX48RbC
|
||||
5yECggEBAJVglEc0odkzt5uYcxorFWw0r+gnMS/iyX9zJyLMCvZ4+/NLmAGQ6Qbs
|
||||
yJK9ryzS1obexq/+7SrTa/iHIBQLvM9eaCSJaAC+w6jRJQC4VRDwtO5c8e8ek3gF
|
||||
7DzQisGsIqhxrlZLEv8YyPaf9SgAMaLuM0w8xXD54jgcbLZlfNmdHyYHIcM0ZDPK
|
||||
+4QhtV2YE1MKEIplMhXdxmCpeHqBMEfX5MYUUZb09Ffl7hRzCZc30NWpLnZ73iNq
|
||||
+px6CR5rq1lnfLu+bIZvVeDBtWM0/vIeFZDKceEa1hkOIS8Z5hzA52OFP7pZKt+O
|
||||
3cEKjh9NywA7eLWDxRxEf/vq3vdWeFY=
|
||||
-----END PRIVATE KEY-----
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIE+TCCAuGgAwIBAgIRAPmrvtqrYB4tl9V5HFxxLYowDQYJKoZIhvcNAQELBQAw
|
||||
LjEVMBMGA1UEBhMMRGF0YWJhc2UgS2V5MRUwEwYDVQQDEwxEYXRhYmFzZSBLZXkw
|
||||
HhcNMjIxMTIzMTI1NjU1WhcNMjcxMTIzMTI1NjU1WjAuMRUwEwYDVQQGEwxEYXRh
|
||||
YmFzZSBLZXkxFTATBgNVBAMTDERhdGFiYXNlIEtleTCCAiIwDQYJKoZIhvcNAQEB
|
||||
BQADggIPADCCAgoCggIBAK4tln0LCpqCkQeKqN1ddrxffWH+hNNwA3re40TRWTUp
|
||||
3lowTMTOGukkfVpyqPpx8YyxEuxWL5r0xTxxfMpmGOz2tS5/KkzAKVIFnkf1LXWY
|
||||
kMXS87ZYFP7qlt5T+Af9clzjgIVtjkhJAnF/gmJDzqkqsY+MWrRKympwSX8K957F
|
||||
vkuNIreohHbWb6P4C/7sgtYBEWGALOO15nIoeGZT4cGnp40Mcz/6xaAnAfBMOG0q
|
||||
A/bIxVllrkhIcc3BhShRhmVL8XZHXxcS11c4hUmzAtdNKrhl2l3A3AsdJbuVsN9q
|
||||
AMMZ1+9BkQT/0q6z9coOib+8aA790WKFF+bbVDRgr6gaMK12MqGa3UkKFf1pCylH
|
||||
xLNaPtxPFU11g1IK0z47OTxTJ93jH0x3g1uylc8zRs8Kbmry2PSwEQ3CEnoKDD4y
|
||||
ito3ffhh3pxySUL7eHNFCPgVy6BUavHm9DKMfyB00iAGf5u9qSSGzfy4fcTXMrt2
|
||||
sbW/3YfOXLKtf0OyUTx5TZZavcqGU10BLGK1pG3uvdn12tf8KGUXoxx8C/0NWtQS
|
||||
KVkdItqjvKNPx1UgpLHZ2NttfGC0TP4vpphpj309m+A7/ItS8Uou5dnsnfcE6Kie
|
||||
y2jCd+mZHEvpC13F5O6eIrOTKiXu4h6etyh6qYX+wqFG8ew8yvJ2oVhw4PkZw01z
|
||||
AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAbh22
|
||||
GBG/orDJrOClvt8qABL60ojnilLh4J5BwGDwBcXE/wETvXb+o3GsjTqqHdXYCQx0
|
||||
e3SpR/xQCfKzuaE4ysaszKFcNbhaezLmo/pzD2v0UA6Jr56re/jkYMtLQL4+LAUP
|
||||
kCH66vc6qETQwtAzV3CYQ5TirwLLD6z3luPhm2FzyXTU9eydbsRp7FuSKq8mVXKP
|
||||
cskrVJSjWD7fOsy/sZq3S+xmA3w1C8XRAgz+xlfIQkuu0mAa3jJ3JGjDyu1lAZ6N
|
||||
oUc897npQ2tpYyGRQ/zOmKSE9oUlcEqXLPk2nDgenhG0oAdM/jJ54rnuR2x3zhBx
|
||||
gyPEvWVzjzX8E//9Kc6VocisnI/tckibUPHlMJFHFBXiU8m6vO28cCRl4tRsH/K9
|
||||
jOnm+ztraiXI7mqBfTchR7Ga0EmnWFf38y3/YkrbVYbjK6o/+/T72Sje0MfCAvTl
|
||||
KLOtvaQWQm36KP/2PH3DZ/k/v8+U76oeUBoI/DDH8E4rR1cUORvUYH8MZyPIKM4e
|
||||
GN3+/zjr5gw70iLC/p8C+8rCzxwoernIMcFlL+SaeybnzXvH3VqO/XAFA/lxMu4V
|
||||
K7Gzrtr5n+FiSTXytdIu18o6Av65XN5hzwQvVeWIx/E5Jry/JlSQgho8CnqLK8g5
|
||||
USdRgvRJN7xJM3szP93f7aNgIYSys2cCxtZxunU=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -70,6 +70,7 @@ fn install(
|
|||
) -> Result<()> {
|
||||
let lanzaboote_stub = std::env::var("LANZABOOTE_STUB")?;
|
||||
let initrd_stub = std::env::var("LANZABOOTE_INITRD_STUB")?;
|
||||
let sbsigntool = std::env::var("SBSIGNTOOL")?;
|
||||
|
||||
install::install(
|
||||
public_key,
|
||||
|
|
@ -77,7 +78,8 @@ fn install(
|
|||
pki_bundle,
|
||||
auto_enroll,
|
||||
bootspec,
|
||||
Path::new(&sbsigntool),
|
||||
Path::new(&lanzaboote_stub),
|
||||
Path::new(&initrd_stub),
|
||||
Path::new(&initrd_stub)
|
||||
)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,6 @@
|
|||
use std::fs;
|
||||
use std::str::from_utf8;
|
||||
|
||||
use std::path::Path;
|
||||
|
||||
use anyhow::{Context, Result};
|
||||
|
|
@ -7,12 +9,15 @@ use crate::bootspec::Bootspec;
|
|||
use crate::esp::EspPaths;
|
||||
use crate::pe;
|
||||
|
||||
use crate::signer::Signer;
|
||||
|
||||
pub fn install(
|
||||
_public_key: &Path,
|
||||
_private_key: &Path,
|
||||
public_key: &Path,
|
||||
private_key: &Path,
|
||||
_pki_bundle: &Path,
|
||||
_auto_enroll: bool,
|
||||
bootspec: &Path,
|
||||
sbsigntool: &Path,
|
||||
lanzaboote_stub: &Path,
|
||||
initrd_stub: &Path,
|
||||
) -> Result<()> {
|
||||
|
|
@ -23,6 +28,7 @@ pub fn install(
|
|||
.context("Failed to parse bootspec json")?;
|
||||
|
||||
let esp_paths = EspPaths::new(&bootspec_doc.extension.esp);
|
||||
let signer = Signer::new(&sbsigntool, &public_key, &private_key);
|
||||
|
||||
println!("Assembling lanzaboote image...");
|
||||
let mut kernel_cmdline: Vec<String> = vec![bootspec_doc
|
||||
|
|
@ -38,6 +44,7 @@ pub fn install(
|
|||
&kernel_cmdline,
|
||||
&esp_paths.kernel,
|
||||
&esp_paths.initrd,
|
||||
&esp_paths.esp
|
||||
)
|
||||
.context("Failed to assemble stub")?;
|
||||
|
||||
|
|
@ -54,17 +61,28 @@ pub fn install(
|
|||
.join("lib/systemd/boot/efi/systemd-bootx64.efi");
|
||||
|
||||
let files_to_copy = [
|
||||
(bootspec_doc.kernel, esp_paths.kernel),
|
||||
(wrapped_initrd, esp_paths.initrd),
|
||||
(lanzaboote_image, esp_paths.lanzaboote_image),
|
||||
(systemd_boot.clone(), esp_paths.efi_fallback),
|
||||
(systemd_boot, esp_paths.systemd_boot),
|
||||
(bootspec_doc.kernel, &esp_paths.kernel),
|
||||
(wrapped_initrd, &esp_paths.initrd),
|
||||
(lanzaboote_image, &esp_paths.lanzaboote_image),
|
||||
(systemd_boot.clone(), &esp_paths.efi_fallback),
|
||||
(systemd_boot, &esp_paths.systemd_boot),
|
||||
];
|
||||
|
||||
for (source, target) in files_to_copy {
|
||||
copy(&source, &target)?;
|
||||
}
|
||||
|
||||
// Sign:
|
||||
// - systemd-boot & fallback EFI
|
||||
// - stub
|
||||
// - kernel
|
||||
// - initrd
|
||||
signer.sign_file(&esp_paths.efi_fallback)?;
|
||||
signer.sign_file(&esp_paths.systemd_boot)?;
|
||||
signer.sign_file(&esp_paths.lanzaboote_image)?;
|
||||
signer.sign_file(&esp_paths.kernel)?;
|
||||
signer.sign_file(&esp_paths.initrd)?;
|
||||
|
||||
println!(
|
||||
"Succesfully installed lanzaboote to '{}'",
|
||||
esp_paths.esp.display()
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ mod cli;
|
|||
mod esp;
|
||||
mod install;
|
||||
mod pe;
|
||||
mod signer;
|
||||
|
||||
use anyhow::Result;
|
||||
use clap::Parser;
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ pub fn assemble_image(
|
|||
kernel_cmdline: &[String],
|
||||
kernel_path: &Path,
|
||||
initrd_path: &Path,
|
||||
esp_mountpoint: &Path
|
||||
) -> Result<PathBuf> {
|
||||
// objcopy copies files into the PE binary. That's why we have to write the contents
|
||||
// of some bootspec properties to disk
|
||||
|
|
@ -20,8 +21,8 @@ pub fn assemble_image(
|
|||
let initrd_path_file = Path::new("/tmp/initrd_path");
|
||||
|
||||
fs::write(kernel_cmdline_file, kernel_cmdline.join(" "))?;
|
||||
fs::write(kernel_path_file, efi_relative_path_string(kernel_path))?;
|
||||
fs::write(initrd_path_file, efi_relative_path_string(initrd_path))?;
|
||||
fs::write(kernel_path_file, efi_relative_path_string(esp_mountpoint, kernel_path))?;
|
||||
fs::write(initrd_path_file, efi_relative_path_string(esp_mountpoint, initrd_path))?;
|
||||
|
||||
let os_release_offs = stub_offset(lanzaboote_stub)?;
|
||||
|
||||
|
|
@ -63,9 +64,9 @@ pub fn assemble_image(
|
|||
Ok(lanzaboote_image)
|
||||
}
|
||||
|
||||
fn efi_relative_path_string(path: &Path) -> String {
|
||||
fn efi_relative_path_string(esp_mountpoint: &Path, path: &Path) -> String {
|
||||
let relative_path = path
|
||||
.strip_prefix("esp")
|
||||
.strip_prefix(esp_mountpoint)
|
||||
.expect("Failed to make path relative to esp")
|
||||
.to_owned();
|
||||
let relative_path_string = relative_path
|
||||
|
|
|
|||
|
|
@ -0,0 +1,44 @@
|
|||
use anyhow::Result;
|
||||
|
||||
use std::process::Command;
|
||||
use std::path::{Path, PathBuf};
|
||||
|
||||
pub struct Signer<'a> {
|
||||
pub sbsigntool: PathBuf,
|
||||
pub private_key: &'a Path,
|
||||
pub public_key: &'a Path
|
||||
}
|
||||
|
||||
impl<'a> Signer<'a> {
|
||||
pub fn new(signer: &Path, public_key: &'a Path, private_key: &'a Path) -> Self {
|
||||
Self {
|
||||
sbsigntool: signer.to_path_buf(),
|
||||
public_key: public_key,
|
||||
private_key: private_key
|
||||
}
|
||||
}
|
||||
|
||||
pub fn sign_file(&self, filepath: &Path) -> Result<()> {
|
||||
let args = vec![
|
||||
String::from("--key"),
|
||||
String::from(self.private_key.to_str().unwrap()),
|
||||
String::from("--cert"),
|
||||
String::from(self.public_key.to_str().unwrap()),
|
||||
String::from(filepath.to_str().unwrap())
|
||||
];
|
||||
|
||||
let status = Command::new(&self.sbsigntool)
|
||||
.args(&args)
|
||||
.status()?;
|
||||
|
||||
if !status.success() {
|
||||
return Err(anyhow::anyhow!(
|
||||
"Failed success run `{}` with args `{:?}`",
|
||||
&self.sbsigntool.display(),
|
||||
&args
|
||||
).into());
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue