lanzatool: improve signer code

2022-11-25 13:07:04 +01:00 · 2022-11-25 13:07:04 +01:00 · cd2ef6181d
parent a99646bb01
commit cd2ef6181d
4 changed files with 46 additions and 46 deletions
--- a/flake.nix
+++ b/flake.nix
@ -89,11 +89,10 @@
        # Clean PATH to only contain what we need to do objcopy. Also
        # tell lanzatool where to find our UEFI binaries.
        makeWrapper ${lanzatoolBin}/bin/lanzatool $out/bin/lanzatool \
-          --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped ]} \
+          --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \
          --set RUST_BACKTRACE full \
          --set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi \
          --set LANZABOOTE_INITRD_STUB ${initrd-stub}/bin/initrd-stub.efi \
-          --set SBSIGNTOOL "${pkgs.sbsigntool}/bin/sbsign"
      '';

      # A script that takes an initrd and turns it into a PE image.
--- a/rust/lanzatool/src/cli.rs
+++ b/rust/lanzatool/src/cli.rs
@ -70,7 +70,6 @@ fn install(
 ) -> Result<()> {
    let lanzaboote_stub = std::env::var("LANZABOOTE_STUB")?;
    let initrd_stub = std::env::var("LANZABOOTE_INITRD_STUB")?;
-    let sbsigntool = std::env::var("SBSIGNTOOL")?;

    install::install(
        public_key,
@ -78,8 +77,7 @@ fn install(
        pki_bundle,
        auto_enroll,
        bootspec,
-        Path::new(&sbsigntool),
        Path::new(&lanzaboote_stub),
-        Path::new(&initrd_stub)
+        Path::new(&initrd_stub),
    )
 }
--- a/rust/lanzatool/src/install.rs
+++ b/rust/lanzatool/src/install.rs
@ -1,13 +1,11 @@
 use std::fs;
-
-use std::path::Path;
+use std::path::{Path, PathBuf};

 use anyhow::{Context, Result};

 use crate::bootspec::Bootspec;
 use crate::esp::EspPaths;
 use crate::pe;
-
 use crate::signer::Signer;

 pub fn install(
@ -16,7 +14,6 @@ pub fn install(
    _pki_bundle: &Path,
    _auto_enroll: bool,
    bootspec: &Path,
-    sbsigntool: &Path,
    lanzaboote_stub: &Path,
    initrd_stub: &Path,
 ) -> Result<()> {
@ -27,16 +24,10 @@ pub fn install(
            .context("Failed to parse bootspec json")?;

    let esp_paths = EspPaths::new(&bootspec_doc.extension.esp);
-    let signer = Signer::new(&sbsigntool, &public_key, &private_key);

    println!("Assembling lanzaboote image...");
-    let init_string = bootspec_doc
-        .init
-        .into_os_string()
-        .into_string()
-        .expect("Failed to convert init to string");
-    let mut kernel_cmdline: Vec<String> = vec![format!("init={}", init_string)];
-    kernel_cmdline.extend(bootspec_doc.kernel_params);
+
+    let kernel_cmdline = assemble_kernel_cmdline(bootspec_doc.init, bootspec_doc.kernel_params);

    let lanzaboote_image = pe::assemble_image(
        lanzaboote_stub,
@ -72,24 +63,42 @@ pub fn install(
        copy(&source, &target)?;
    }

-    // Sign:
-    //  - systemd-boot & fallback EFI
-    //  - stub
-    //  - kernel
-    //  - initrd
-    signer.sign_file(&esp_paths.efi_fallback)?;
-    signer.sign_file(&esp_paths.systemd_boot)?;
-    signer.sign_file(&esp_paths.lanzaboote_image)?;
-    signer.sign_file(&esp_paths.kernel)?;
-    signer.sign_file(&esp_paths.initrd)?;
+    println!("Signing files...");
+
+    let signer = Signer::new(&public_key, &private_key);
+
+    let files_to_sign = [
+        &esp_paths.efi_fallback,
+        &esp_paths.systemd_boot,
+        &esp_paths.lanzaboote_image,
+        &esp_paths.kernel,
+        &esp_paths.initrd,
+    ];
+
+    for file in files_to_sign {
+        signer
+            .sign_file(&file)
+            .with_context(|| format!("Failed to sign file {}", &file.display()))?;
+    }

    println!(
        "Succesfully installed lanzaboote to '{}'",
        esp_paths.esp.display()
    );
+
    Ok(())
 }

+fn assemble_kernel_cmdline(init: PathBuf, kernel_params: Vec<String>) -> Vec<String> {
+    let init_string = init
+        .into_os_string()
+        .into_string()
+        .expect("Failed to convert init path to string");
+    let mut kernel_cmdline: Vec<String> = vec![format!("init={}", init_string)];
+    kernel_cmdline.extend(kernel_params);
+    kernel_cmdline
+}
+
 fn copy(from: &Path, to: &Path) -> Result<()> {
    match to.parent() {
        Some(parent) => fs::create_dir_all(parent).unwrap_or(()),
--- a/rust/lanzatool/src/signer.rs
+++ b/rust/lanzatool/src/signer.rs
@ -1,20 +1,18 @@
 use anyhow::Result;

-use std::process::Command;
 use std::path::{Path, PathBuf};
+use std::process::Command;

-pub struct Signer<'a> {
-    pub sbsigntool: PathBuf,
-    pub private_key: &'a Path,
-    pub public_key: &'a Path
+pub struct Signer {
+    pub private_key: PathBuf,
+    pub public_key: PathBuf,
 }

-impl<'a> Signer<'a> {
-    pub fn new(signer: &Path, public_key: &'a Path, private_key: &'a Path) -> Self {
+impl Signer {
+    pub fn new(public_key: &Path, private_key: &Path) -> Self {
        Self {
-            sbsigntool: signer.to_path_buf(),
-            public_key,
-            private_key
+            public_key: public_key.into(),
+            private_key: private_key.into(),
        }
    }

@ -26,19 +24,15 @@ impl<'a> Signer<'a> {
            String::from(self.public_key.to_str().unwrap()),
            String::from(filepath.to_str().unwrap()),
            String::from("--output"),
-            String::from(filepath.to_str().unwrap())
+            String::from(filepath.to_str().unwrap()),
        ];

-        let status = Command::new(&self.sbsigntool)
-            .args(&args)
-            .status()?;
+        let status = Command::new("sbsign").args(&args).status()?;

        if !status.success() {
-            return Err(anyhow::anyhow!(
-                    "Failed success run `{}` with args `{:?}`",
-                    &self.sbsigntool.display(),
-                    &args
-            ).into());
+            return Err(
+                anyhow::anyhow!("Failed to sign with  sbsign with args `{:?}`", &args).into(),
+            );
        }

        Ok(())