lanzatool: improve signer code

flake.nix

@@ -89,11 +89,10 @@
         # Clean PATH to only contain what we need to do objcopy. Also
         # tell lanzatool where to find our UEFI binaries.
         makeWrapper ${lanzatoolBin}/bin/lanzatool $out/bin/lanzatool \
-          --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped ]} \
+          --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \
           --set RUST_BACKTRACE full \
           --set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi \
           --set LANZABOOTE_INITRD_STUB ${initrd-stub}/bin/initrd-stub.efi \
-          --set SBSIGNTOOL "${pkgs.sbsigntool}/bin/sbsign"
       '';
 
       # A script that takes an initrd and turns it into a PE image.

rust/lanzatool/src/cli.rs

@@ -70,7 +70,6 @@ fn install(
 ) -> Result<()> {
     let lanzaboote_stub = std::env::var("LANZABOOTE_STUB")?;
     let initrd_stub = std::env::var("LANZABOOTE_INITRD_STUB")?;
-    let sbsigntool = std::env::var("SBSIGNTOOL")?;
 
     install::install(
         public_key,
@@ -78,8 +77,7 @@ fn install(
         pki_bundle,
         auto_enroll,
         bootspec,
-        Path::new(&sbsigntool),
         Path::new(&lanzaboote_stub),
-        Path::new(&initrd_stub)
+        Path::new(&initrd_stub),
     )
 }

rust/lanzatool/src/install.rs

@@ -1,13 +1,11 @@
 use std::fs;
-
+use std::path::{Path, PathBuf};
-use std::path::Path;
 
 use anyhow::{Context, Result};
 
 use crate::bootspec::Bootspec;
 use crate::esp::EspPaths;
 use crate::pe;
-
 use crate::signer::Signer;
 
 pub fn install(
@@ -16,7 +14,6 @@ pub fn install(
     _pki_bundle: &Path,
     _auto_enroll: bool,
     bootspec: &Path,
-    sbsigntool: &Path,
     lanzaboote_stub: &Path,
     initrd_stub: &Path,
 ) -> Result<()> {
@@ -27,16 +24,10 @@ pub fn install(
             .context("Failed to parse bootspec json")?;
 
     let esp_paths = EspPaths::new(&bootspec_doc.extension.esp);
-    let signer = Signer::new(&sbsigntool, &public_key, &private_key);
 
     println!("Assembling lanzaboote image...");
-    let init_string = bootspec_doc
+
-        .init
+    let kernel_cmdline = assemble_kernel_cmdline(bootspec_doc.init, bootspec_doc.kernel_params);
-        .into_os_string()
-        .into_string()
-        .expect("Failed to convert init to string");
-    let mut kernel_cmdline: Vec<String> = vec![format!("init={}", init_string)];
-    kernel_cmdline.extend(bootspec_doc.kernel_params);
 
     let lanzaboote_image = pe::assemble_image(
         lanzaboote_stub,
@@ -72,24 +63,42 @@ pub fn install(
         copy(&source, &target)?;
     }
 
-    // Sign:
+    println!("Signing files...");
-    //  - systemd-boot & fallback EFI
+
-    //  - stub
+    let signer = Signer::new(&public_key, &private_key);
-    //  - kernel
+
-    //  - initrd
+    let files_to_sign = [
-    signer.sign_file(&esp_paths.efi_fallback)?;
+        &esp_paths.efi_fallback,
-    signer.sign_file(&esp_paths.systemd_boot)?;
+        &esp_paths.systemd_boot,
-    signer.sign_file(&esp_paths.lanzaboote_image)?;
+        &esp_paths.lanzaboote_image,
-    signer.sign_file(&esp_paths.kernel)?;
+        &esp_paths.kernel,
-    signer.sign_file(&esp_paths.initrd)?;
+        &esp_paths.initrd,
+    ];
+
+    for file in files_to_sign {
+        signer
+            .sign_file(&file)
+            .with_context(|| format!("Failed to sign file {}", &file.display()))?;
+    }
 
     println!(
         "Succesfully installed lanzaboote to '{}'",
         esp_paths.esp.display()
     );
+
     Ok(())
 }
 
+fn assemble_kernel_cmdline(init: PathBuf, kernel_params: Vec<String>) -> Vec<String> {
+    let init_string = init
+        .into_os_string()
+        .into_string()
+        .expect("Failed to convert init path to string");
+    let mut kernel_cmdline: Vec<String> = vec![format!("init={}", init_string)];
+    kernel_cmdline.extend(kernel_params);
+    kernel_cmdline
+}
+
 fn copy(from: &Path, to: &Path) -> Result<()> {
     match to.parent() {
         Some(parent) => fs::create_dir_all(parent).unwrap_or(()),

rust/lanzatool/src/signer.rs

@@ -1,20 +1,18 @@
 use anyhow::Result;
 
-use std::process::Command;
 use std::path::{Path, PathBuf};
+use std::process::Command;
 
-pub struct Signer<'a> {
+pub struct Signer {
-    pub sbsigntool: PathBuf,
+    pub private_key: PathBuf,
-    pub private_key: &'a Path,
+    pub public_key: PathBuf,
-    pub public_key: &'a Path
 }
 
-impl<'a> Signer<'a> {
+impl Signer {
-    pub fn new(signer: &Path, public_key: &'a Path, private_key: &'a Path) -> Self {
+    pub fn new(public_key: &Path, private_key: &Path) -> Self {
         Self {
-            sbsigntool: signer.to_path_buf(),
+            public_key: public_key.into(),
-            public_key,
+            private_key: private_key.into(),
-            private_key
         }
     }
 
@@ -26,19 +24,15 @@ impl<'a> Signer<'a> {
             String::from(self.public_key.to_str().unwrap()),
             String::from(filepath.to_str().unwrap()),
             String::from("--output"),
-            String::from(filepath.to_str().unwrap())
+            String::from(filepath.to_str().unwrap()),
         ];
 
-        let status = Command::new(&self.sbsigntool)
+        let status = Command::new("sbsign").args(&args).status()?;
-            .args(&args)
-            .status()?;
 
         if !status.success() {
-            return Err(anyhow::anyhow!(
+            return Err(
-                    "Failed success run `{}` with args `{:?}`",
+                anyhow::anyhow!("Failed to sign with  sbsign with args `{:?}`", &args).into(),
-                    &self.sbsigntool.display(),
+            );
-                    &args
-            ).into());
         }
 
         Ok(())