diff --git a/flake.nix b/flake.nix
index 6a8217c..6175eda 100644
--- a/flake.nix
+++ b/flake.nix
@@ -89,11 +89,10 @@
 # Clean PATH to only contain what we need to do objcopy. Also
 # tell lanzatool where to find our UEFI binaries.
 makeWrapper ${lanzatoolBin}/bin/lanzatool $out/bin/lanzatool \
- --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped ]} \
+ --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \
 --set RUST_BACKTRACE full \
 --set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi \
 --set LANZABOOTE_INITRD_STUB ${initrd-stub}/bin/initrd-stub.efi \
- --set SBSIGNTOOL "${pkgs.sbsigntool}/bin/sbsign"
 '';
 # A script that takes an initrd and turns it into a PE image.
diff --git a/rust/lanzatool/src/cli.rs b/rust/lanzatool/src/cli.rs
index 6176383..3dcd471 100644
--- a/rust/lanzatool/src/cli.rs
+++ b/rust/lanzatool/src/cli.rs
@@ -70,7 +70,6 @@ fn install(
 ) -> Result<()> {
 let lanzaboote_stub = std::env::var("LANZABOOTE_STUB")?;
 let initrd_stub = std::env::var("LANZABOOTE_INITRD_STUB")?;
- let sbsigntool = std::env::var("SBSIGNTOOL")?;
 install::install(
 public_key,
@@ -78,8 +77,7 @@ fn install(
 pki_bundle,
 auto_enroll,
 bootspec,
- Path::new(&sbsigntool),
 Path::new(&lanzaboote_stub),
- Path::new(&initrd_stub)
+ Path::new(&initrd_stub),
 )
 }
diff --git a/rust/lanzatool/src/install.rs b/rust/lanzatool/src/install.rs
index e56c7d5..6ab7338 100644
--- a/rust/lanzatool/src/install.rs
+++ b/rust/lanzatool/src/install.rs
@@ -1,13 +1,11 @@
 use std::fs;
-
-use std::path::Path;
+use std::path::{Path, PathBuf};
 use anyhow::{Context, Result};
 use crate::bootspec::Bootspec;
 use crate::esp::EspPaths;
 use crate::pe;
-
 use crate::signer::Signer;
 pub fn install(
@@ -16,7 +14,6 @@ pub fn install(
 _pki_bundle: &Path,
 _auto_enroll: bool,
 bootspec: &Path,
- sbsigntool: &Path,
 lanzaboote_stub: &Path,
 initrd_stub: &Path,
 ) -> Result<()> {
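Review bot: In the flake.nix hunk the context comment above `makeWrapper` still says PATH is cleaned only for objcopy, but after this change the same PATH also decides which `sbsign` binary lanzatool runs. I would update its first line to `# Clean PATH to only contain what we need for objcopy and sbsign. Also`, so that a later edit which widens PATH is recognised as changing which program is handed the signing key path. The dependency sits on the Rust side in signer.rs, where `Command::new("sbsign")` replaces the absolute `SBSIGNTOOL` path.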
@@ -27,16 +24,10 @@ pub fn install(
 .context("Failed to parse bootspec json")?;
 let esp_paths = EspPaths::new(&bootspec_doc.extension.esp);
- let signer = Signer::new(&sbsigntool, &public_key, &private_key);
 println!("Assembling lanzaboote image...");
- let init_string = bootspec_doc
- .init
- .into_os_string()
- .into_string()
- .expect("Failed to convert init to string");
- let mut kernel_cmdline: Vec = vec![format!("init={}", init_string)];
- kernel_cmdline.extend(bootspec_doc.kernel_params);
+
+ let kernel_cmdline = assemble_kernel_cmdline(bootspec_doc.init, bootspec_doc.kernel_params);
 let lanzaboote_image = pe::assemble_image(
 lanzaboote_stub,
@@ -72,24 +63,42 @@ pub fn install(
 copy(&source, &target)?;
 }
- // Sign:
- // - systemd-boot & fallback EFI
- // - stub
- // - kernel
- // - initrd
- signer.sign_file(&esp_paths.efi_fallback)?;
- signer.sign_file(&esp_paths.systemd_boot)?;
- signer.sign_file(&esp_paths.lanzaboote_image)?;
- signer.sign_file(&esp_paths.kernel)?;
- signer.sign_file(&esp_paths.initrd)?;
+ println!("Signing files...");
+
+ let signer = Signer::new(&public_key, &private_key);
+
+ let files_to_sign = [
+ &esp_paths.efi_fallback,
+ &esp_paths.systemd_boot,
+ &esp_paths.lanzaboote_image,
+ &esp_paths.kernel,
+ &esp_paths.initrd,
+ ];
+
+ for file in files_to_sign {
+ signer
+ .sign_file(&file)
+ .with_context(|| format!("Failed to sign file {}", &file.display()))?;
+ }
 println!(
 "Succesfully installed lanzaboote to '{}'",
 esp_paths.esp.display()
 );
+
 Ok(())
 }
+fn assemble_kernel_cmdline(init: PathBuf, kernel_params: Vec) -> Vec {
+ let init_string = init
+ .into_os_string()
+ .into_string()
+ .expect("Failed to convert init path to string");
+ let mut kernel_cmdline: Vec = vec![format!("init={}", init_string)];
+ kernel_cmdline.extend(kernel_params);
+ kernel_cmdline
+}
+
 fn copy(from: &Path, to: &Path) -> Result<()> {
 match to.parent() {
 Some(parent) => fs::create_dir_all(parent).unwrap_or(()),
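Review bot: The new `for file in files_to_sign` loop signs each file at its final location after the copy step (the signer passes the same path as input and as `--output`), so an error part-way through returns from `install` with earlier files signed and later ones not. The added `with_context` names the failing file, which helps, but the partial state is not recorded anywhere. A comment above the loop such as `// Signing happens in place on the ESP: a failure here leaves a mix of signed and unsigned files.` would document it, presuming `esp_paths` points at the live ESP. `install` starts before this hunk and its copy loop is only partly visible here.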
diff --git a/rust/lanzatool/src/signer.rs b/rust/lanzatool/src/signer.rs
index d47b85c..767bc3b 100644
--- a/rust/lanzatool/src/signer.rs
+++ b/rust/lanzatool/src/signer.rs
@@ -1,20 +1,18 @@
 use anyhow::Result;
-use std::process::Command;
 use std::path::{Path, PathBuf};
+use std::process::Command;
-pub struct Signer<'a> {
- pub sbsigntool: PathBuf,
- pub private_key: &'a Path,
- pub public_key: &'a Path
+pub struct Signer {
+ pub private_key: PathBuf,
+ pub public_key: PathBuf,
 }
-impl<'a> Signer<'a> {
- pub fn new(signer: &Path, public_key: &'a Path, private_key: &'a Path) -> Self {
+impl Signer {
+ pub fn new(public_key: &Path, private_key: &Path) -> Self {
 Self {
- sbsigntool: signer.to_path_buf(),
- public_key,
- private_key
+ public_key: public_key.into(),
+ private_key: private_key.into(),
 }
 }
@@ -26,19 +24,15 @@ impl<'a> Signer<'a> {
 String::from(self.public_key.to_str().unwrap()),
 String::from(filepath.to_str().unwrap()),
 String::from("--output"),
- String::from(filepath.to_str().unwrap())
+ String::from(filepath.to_str().unwrap()),
 ];
- let status = Command::new(&self.sbsigntool)
- .args(&args)
- .status()?;
+ let status = Command::new("sbsign").args(&args).status()?;
 if !status.success() {
- return Err(anyhow::anyhow!(
- "Failed success run `{}` with args `{:?}`",
- &self.sbsigntool.display(),
- &args
- ).into());
+ return Err(
+ anyhow::anyhow!("Failed to sign with sbsign with args `{:?}`", &args).into(),
+ );
 }
 Ok(())
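Review bot: `Signer::new(public_key, private_key)` takes two `&Path` arguments in the opposite order to the field declarations (`private_key`, then `public_key`), so a swapped call type-checks and would only surface when sbsign rejects the inputs. A doc comment on `new`, e.g. `/// Takes the public key path first, then the private key path.`, would make the order explicit. Now that the paths are owned, both fields could also drop `pub` if nothing outside signer.rs reads them, which I cannot tell from this hunk.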
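Review bot: `Command::new("sbsign")` resolves the signing tool through PATH, so whenever the binary runs without the Nix wrapper the first `sbsign` on the caller's PATH is the program that receives the private key path. If relying on the wrapper is intended, say so at the call, e.g. `// sbsign is looked up via PATH; the Nix wrapper restricts PATH to the pinned store paths.` The `?` on `.status()` also reports a missing binary as a bare I/O error, and `.status().map_err(|e| anyhow::anyhow!("Failed to run sbsign: {}", e))?` would name the program without needing a new import. The enclosing `sign_file` begins above this hunk and closes below it.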