From eda254b6cd5de31e9edc5b68a4cc01120fcc77e0 Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Fri, 25 Nov 2022 17:59:15 +0100 Subject: [PATCH] nixpkgs: integrate the whole thing (#7) * nixos: add a lanzaboote module * nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys * nixos: actually enable sb * nixos: disable it and adapt it * lanzatool: fix init * nixos: secureboot reached * nixos: enrollment is optional Co-authored-by: nikstur@outlook.com --- flake.lock | 35 ++++++++++++++++------ flake.nix | 56 +++++++++++++++++++++++++++++++++-- nix/lanzaboote.nix | 50 +++++++++++++++++++++++++++++++ pki/GUID | 1 + pki/keys/KEK/KEK.key | 52 ++++++++++++++++++++++++++++++++ pki/keys/KEK/KEK.pem | 29 ++++++++++++++++++ pki/keys/PK/PK.key | 52 ++++++++++++++++++++++++++++++++ pki/keys/PK/PK.pem | 29 ++++++++++++++++++ pki/keys/db/db.key | 52 ++++++++++++++++++++++++++++++++ pki/keys/db/db.pem | 29 ++++++++++++++++++ rust/lanzatool/src/cli.rs | 4 ++- rust/lanzatool/src/install.rs | 36 ++++++++++++++++------ rust/lanzatool/src/main.rs | 1 + rust/lanzatool/src/pe.rs | 9 +++--- rust/lanzatool/src/signer.rs | 46 ++++++++++++++++++++++++++++ 15 files changed, 456 insertions(+), 25 deletions(-) create mode 100644 nix/lanzaboote.nix create mode 100644 pki/GUID create mode 100644 pki/keys/KEK/KEK.key create mode 100644 pki/keys/KEK/KEK.pem create mode 100644 pki/keys/PK/PK.key create mode 100644 pki/keys/PK/PK.pem create mode 100644 pki/keys/db/db.key create mode 100644 pki/keys/db/db.pem create mode 100644 rust/lanzatool/src/signer.rs diff --git a/flake.lock b/flake.lock index 665aedc..cddde5e 100644 --- a/flake.lock +++ b/flake.lock @@ -35,11 +35,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1669001258, - "narHash": "sha256-fi0hCUCalMwd+RUi6zUBzNb0ShowaJk+o+p8qtF/Iv4=", + "lastModified": 1669207345, + "narHash": "sha256-KwfRW0f70Y19EkbB6D9wy7AoYqCYPuIL/2taiJPvuxg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c6e5939c8fa2ab2230baf1378a34746e8db1aed7", + "rev": "3ea5616c21dd186129f90a86c66352359a45cb07", "type": "github" }, "original": { @@ -47,13 +47,29 @@ "type": "indirect" } }, + "nixpkgs-test": { + "locked": { + "lastModified": 1669288333, + "narHash": "sha256-PMP3JiUBIYu40gmWAIw+DG2UVsx7m5exGaGxdSQE3ew=", + "owner": "RaitoBezarius", + "repo": "nixpkgs", + "rev": "308e09c57da1df2abeccc236431a2675a2b38555", + "type": "github" + }, + "original": { + "owner": "RaitoBezarius", + "ref": "experimental-secureboot", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { - "lastModified": 1669001258, - "narHash": "sha256-fi0hCUCalMwd+RUi6zUBzNb0ShowaJk+o+p8qtF/Iv4=", + "lastModified": 1669207345, + "narHash": "sha256-KwfRW0f70Y19EkbB6D9wy7AoYqCYPuIL/2taiJPvuxg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c6e5939c8fa2ab2230baf1378a34746e8db1aed7", + "rev": "3ea5616c21dd186129f90a86c66352359a45cb07", "type": "github" }, "original": { @@ -83,6 +99,7 @@ "inputs": { "naersk": "naersk", "nixpkgs": "nixpkgs_2", + "nixpkgs-test": "nixpkgs-test", "rust-overlay": "rust-overlay" } }, @@ -92,11 +109,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1668998422, - "narHash": "sha256-G/BklIplCHZEeDIabaaxqgITdIXtMolRGlwxn9jG2/Q=", + "lastModified": 1669257187, + "narHash": "sha256-NURtNyepbHLrJs2kwsQ9u2SUKhuGU1T9mPkXasG9hpk=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "68ab029c93f8f8eed4cf3ce9a89a9fd4504b2d6e", + "rev": "018df6d3f900fc53d567045bd86208f5c00d8956", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index e2aa5fb..6a8217c 100644 --- a/flake.nix +++ b/flake.nix @@ -3,11 +3,12 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/experimental-secureboot"; rust-overlay.url = "github:oxalica/rust-overlay"; naersk.url = "github:nix-community/naersk"; }; - outputs = { self, nixpkgs, rust-overlay, naersk }: + outputs = { self, nixpkgs, nixpkgs-test, rust-overlay, naersk }: let pkgs = import nixpkgs { system = "x86_64-linux"; @@ -89,8 +90,10 @@ # tell lanzatool where to find our UEFI binaries. makeWrapper ${lanzatoolBin}/bin/lanzatool $out/bin/lanzatool \ --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped ]} \ + --set RUST_BACKTRACE full \ --set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi \ - --set LANZABOOTE_INITRD_STUB ${initrd-stub}/bin/initrd-stub.efi + --set LANZABOOTE_INITRD_STUB ${initrd-stub}/bin/initrd-stub.efi \ + --set SBSIGNTOOL "${pkgs.sbsigntool}/bin/sbsign" ''; # A script that takes an initrd and turns it into a PE image. @@ -127,6 +130,13 @@ add-sections ${lanzaboote}/bin/lanzaboote.efi ${osrel} ${cmdline} $out/bin/lanzaboote.efi ''; in { + overlays.default = final: prev: { + inherit lanzaboote; + lanzatool = lanzatoolBin; + }; + + nixosModules.lanzaboote = import ./nix/lanzaboote.nix; + packages.x86_64-linux = { inherit qemuUefi uefi-run initrd-stub lanzaboote lanzaboote-uki lanzatool wrapInitrd; default = lanzaboote-uki; @@ -139,6 +149,13 @@ lanzatool pkgs.openssl wrapInitrd + (pkgs.sbctl.override { + databasePath = "pki"; + }) + pkgs.sbsigntool + pkgs.efitools + pkgs.python39Packages.ovmfvartool + pkgs.qemu ]; inputsFrom = [ @@ -146,5 +163,40 @@ lanzaboote ]; }; + + checks.x86_64-linux = { + lanzaboote-boot = + let test = import ("${nixpkgs-test}/nixos/lib/testing-python.nix") { system = "x86_64-linux"; }; + in + test.makeTest + { + name = "stub-boot"; + nodes.machine = { ... }: { + imports = [ self.nixosModules.lanzaboote ]; + nixpkgs.overlays = [ self.overlays.default ]; + + virtualisation = { + useBootLoader = true; + useEFIBoot = true; + useSecureBoot = true; + }; + + boot.loader.efi = { + enable = true; + canTouchEfiVariables = true; + }; + boot.lanzaboote = { + enable = true; + enrollKeys = true; + pkiBundle = ./pki; + package = lanzatool; + }; + }; + testScript = '' + machine.start() + print(machine.succeed("bootctl status")) + ''; + }; + }; }; } diff --git a/nix/lanzaboote.nix b/nix/lanzaboote.nix new file mode 100644 index 0000000..2149bd9 --- /dev/null +++ b/nix/lanzaboote.nix @@ -0,0 +1,50 @@ +{ lib, config, pkgs, ... }: +with lib; +let + cfg = config.boot.lanzaboote; + sbctlWithPki = pkgs.sbctl.override { + databasePath = "/tmp/pki"; + }; +in +{ + options.boot.lanzaboote = { + enable = mkEnableOption "Enable the LANZABOOTE"; + enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl"; + pkiBundle = mkOption { + type = types.nullOr types.path; + default = null; + description = "PKI bundle containg db, PK, KEK"; + }; + publicKeyFile = mkOption { + type = types.path; + default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.pem" else null; + description = "Public key to sign your boot files"; + }; + privateKeyFile = mkOption { + type = types.path; + default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.key" else null; + description = "Private key to sign your boot files"; + }; + package = mkOption { + type = types.package; + default = pkgs.lanzatool; + description = "Lanzatool package"; + }; + }; + + config = mkIf cfg.enable { + boot.loader.external = { + enable = true; + passBootspec = true; + installHook = "${pkgs.writeShellScriptBin "bootinstall" '' + ${optionalString cfg.enrollKeys '' + mkdir -p /tmp/pki + cp -r ${cfg.pkiBundle}/* /tmp/pki + ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine + ''} + ${cfg.package}/bin/lanzatool install --pki-bundle ${cfg.pkiBundle} --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile} "$@" + ''}/bin/bootinstall"; + # ${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--auto-enroll"} --pki-bundle ${cfg.pkiBundle} + }; + }; +} diff --git a/pki/GUID b/pki/GUID new file mode 100644 index 0000000..2a99d42 --- /dev/null +++ b/pki/GUID @@ -0,0 +1 @@ +22af0913-4926-41c2-a2be-5bc9f3dfc3e4 \ No newline at end of file diff --git a/pki/keys/KEK/KEK.key b/pki/keys/KEK/KEK.key new file mode 100644 index 0000000..05952df --- /dev/null +++ b/pki/keys/KEK/KEK.key @@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDadlSw2a35+y4k +oQHp2Un/DUM6e/hIT37jIchplGzlVAPQMGJ2IPW+b9OAn/dRc7D5/w57fYvB02d9 +J+0K0jc5Po3WMaYnptVtJ03ks/qmlgQm52uZszSeIBiPIdUNQaPxrOPAckR6z6hN +gnvB2V3ornI6cpWSZ6LR7cJoNWcPTaVDqWq0mC5XstKt17rnQkkLGfx/4qIb/eUA +QXVJx+UJ7zyAN58hAy+Altz41Mn9DMf40B3O3sQJosbXOsiSojUkD5GMQKT0NG0o +YRHnGVwZvCHZRRMlw8zMj/lA+tuU4+lBjPIdFhwFu9iBXNSLcJRvvLVF1W0idvYR +S+GNce/3PAvkjU+a1LWpfTs0UNyfFoBxry8JbJACNJt8EVY6io2EsoY5upppJWIw +x+LsRmx+g+67cVZ5OZuuoI3EXhduBbPxQ3VutygpwrBV7uMABE1Y529CLnbS13yy +QR+8k1hUjmJaEyH/Yrqr62P/m4cXqVjvVwXbRVPiVl7DOBUGkwPptzuwHWGUThUB +jisQNTx88FGfcDFiJ7iBDIIUbW2YGs4X+baD4mrJrCkfIqrm3hLkQFxuXqA69t67 +0s+O2LQpiMuXSX2TDxow5RI5U+dV7YiK1aCRSPYd1nTuKJ6kiGwfwlWxidchESSO +qzK/1ZbegE8RW/9+Eur8oKTuTewnkwIDAQABAoICAQCKJZgKuay1zuvwB8zw9xI+ +8kEYI7ru5y5jLULR2SU/o/BBX8dz0gX0pjyGMyIvZMx+Wpbq6opNSIVB9NSGKkb3 +sSH6WC0tF+gQ/XDZdiLD40u+2ksFx/g3Ii7FnGxg1Kh6tIzVbqz1SImychgWjoE/ +GclsQndpPJYO0J5GTbbdS4l9jw3GJBHyLUfi3O/5O8Z6+bTdnhBLSTPeBIbJ4Flq +/dkxb3r2YlBQrZYQ2Gbe2Y0/P0QKRH6NZVz+T9L0PxUBt8KfgWWOc/SvOysaC8Rd +FcYF4hNopzfECCtjtv7SWYlwhVO5pviTe6U+sNhLUSbcveWXwo4f5EBY0bZRPsKy +VmsEkW9if/+nthYPsonVfWoiBl5mn+06+zPn8NMWVhlLRMLTYDnYyz22eGqjvS3m +FPSroNK/A2D2lNSfuORJ4fAHhYoB9K8F5wBPFRrndlXn5tHiofYaKywSQPgymOGN +YCtzXPAnYvEsiIlD0HDBEI6F/6aRNlEgjPreGOInuiQD1o81yv/N4o4JFtsD3T8Y +LEngIdAzn2D9qEHsg0H4qoUJum6Z9Gw2IZYEH+CRM56jp50QrrYnLD++eGF8wPsP +PNgU1I/gNq/JbH5fYGMX1QAMopbDMnib4uPKG/wxUTEUFkVV7rtCFhKGg9WnGdjn +y2IDWEIowGwLsp8ARrNS2QKCAQEA3ABLBY4BkWLbfIGIjseLTDPvSxB4UErrIIJ3 +qpxHdp3ORr66BIqQ117g26TuCQL0iAiiNgK1WLqohOpSvlaEh2UTXux4Poh02Hiy +p7t/BdAXU/Zz937p767fa319Sn4UG8Lf4p6BNu4mgVAgZ0yelwpkgHmNtJqcnywn +JtYBhPNgr7VSHQ12iiQw+lEgw+D7pV7FmIi33E0Te52YSBOPBRYqOWMJXI2e4nHH +wqSP99xx0SQ6WAnx9Uvj7RrpEHexYTOSkjqaAl5eS1ATnuCtgs1dNWryw7SgLjnG +tt+UfBPBAfwy7Bfs0hSdCrw/14paE5dRrkwqIV4SJr+WagQvDwKCAQEA/jWS2AQw +WQXZ+DbtMGcyP45XwNRqkBxtLeNXzP7H1ixZ+r/CD0oh6tqjK+2QyCD31ufE2tmb +TltgBiJuMt5kELtj87vVtZ4ER2YCXEMB3EpONDDG7Tb6T589LiMno09YKeApRcKH +XLM0R3ffKzTMl0j5KTtlOXzfdVDSV2ef5vI8hyUJpqBZbBPHmLyeyTi7MfF1X3MD +jqEoHVnx7kxBNRzUwW4E+9i9qdwSjlfPPD/HbKbNrYHbp9UVL7CTdTQ4tBdhj46A +mqETKzHWWcSXgNcG8MT+DhZXV+SX80eNI7YAdHK+3UpHG/2jJmOK7EChSFd3kI9K +UOJArJ5OfyP/PQKCAQEAkmavhfbGHFXI8cXRdhJcJE27RByls+jnJy8rKyHsfIbv +Kizp5PPBB1FgGUpcDSsmRxBXwdFzlKRCWJEGlxtD/kXI6jY6noJ4H0XSvcQL93ZO +z9UFvwF588JPc1yC7/uOrhq0mj4YhtFcVllX9uYJ80E7ODOrlS/+Yf4j37gyMqMz +CDqFdkfrRmpnHWy3fSJO0/GJVMRGdhfkizKIkA5T8nKZjq7VH/4uaUqGQIT6OVs9 +covFN6kGltH1z2dFCWxdYe3L7/uHWWQrI7saE3Q4gv7etBmDi7C7l4djMXb/fMI4 +gnWt/Wa+dd650tcLNQgggUEFXhPZRXMwaRC9q7c1CQKCAQBYivqByTu51kLspN0K +zfb/kinYnWQcm/ofUJ9lZJzgaYRRxXbncm/L6KmLBG04d9s7fHDhtYfVzBfvKxDt +IO8DsPGIlLVEVCyzXcGWtzQvsaX5ob+4Ij0ffJyHtHD6/gj8VPqrNK2HSVf9SLBv +0S0tyJoYlXqVgnwm1abeENbuTxNsEyeAZTugXGdaOOCpv9vb8nlqbJohlNpvFsQg +t2jDAi7MzPBpdD3jqya/c7BYEPL6UkMzmxaSJ7MAcGV8HltdxwMRSJZcxZvyoKJD +lCkdFEhzlnnTGE8F6zZN428ysBMKfGkklNmd00N/fI6H6Z8Dnoujy3UcJSJXvbAj +srsVAoIBABWmstJYCh294LL2q9Io746NkWsgAcXPK9Klg5+Tgl3UQkH4FejZ07rO +mchehpzwZ0hbSb++IJP+5DVGpxdIJ6N36742bANNLt3SSXTpj21X0uFpF9cD5GMt +pZd/4PjrL2Jfj4Hl8di+v0u9WUd5+++CLoMNm+CYUF85eLJtQxGTR0qJZMSPUBBW +WaNyfguwx0WNJ0UadoWU+tXsOm1eVS5TTepOOU7kkqos5n0+VAnHgzsPOtwLRrrF +8XJ8gBBU7M5LY1uoEwSjtkll9uAsfffsBMt+FKM4sHHV75Sxg2AYLwGy3eUZfNAQ +k+GbSvCxlZqSnyXYt1dMWTcDQXDN1H8= +-----END PRIVATE KEY----- diff --git a/pki/keys/KEK/KEK.pem b/pki/keys/KEK/KEK.pem new file mode 100644 index 0000000..175efc3 --- /dev/null +++ b/pki/keys/KEK/KEK.pem @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFCTCCAvGgAwIBAgIRALFOG3w2ptEQcQqzvAg6PzwwDQYJKoZIhvcNAQELBQAw +NjEZMBcGA1UEBhMQS2V5IEV4Y2hhbmdlIEtleTEZMBcGA1UEAxMQS2V5IEV4Y2hh +bmdlIEtleTAeFw0yMjExMjMxMjU2NTNaFw0yNzExMjMxMjU2NTNaMDYxGTAXBgNV +BAYTEEtleSBFeGNoYW5nZSBLZXkxGTAXBgNVBAMTEEtleSBFeGNoYW5nZSBLZXkw +ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDadlSw2a35+y4koQHp2Un/ +DUM6e/hIT37jIchplGzlVAPQMGJ2IPW+b9OAn/dRc7D5/w57fYvB02d9J+0K0jc5 +Po3WMaYnptVtJ03ks/qmlgQm52uZszSeIBiPIdUNQaPxrOPAckR6z6hNgnvB2V3o +rnI6cpWSZ6LR7cJoNWcPTaVDqWq0mC5XstKt17rnQkkLGfx/4qIb/eUAQXVJx+UJ +7zyAN58hAy+Altz41Mn9DMf40B3O3sQJosbXOsiSojUkD5GMQKT0NG0oYRHnGVwZ +vCHZRRMlw8zMj/lA+tuU4+lBjPIdFhwFu9iBXNSLcJRvvLVF1W0idvYRS+GNce/3 +PAvkjU+a1LWpfTs0UNyfFoBxry8JbJACNJt8EVY6io2EsoY5upppJWIwx+LsRmx+ +g+67cVZ5OZuuoI3EXhduBbPxQ3VutygpwrBV7uMABE1Y529CLnbS13yyQR+8k1hU +jmJaEyH/Yrqr62P/m4cXqVjvVwXbRVPiVl7DOBUGkwPptzuwHWGUThUBjisQNTx8 +8FGfcDFiJ7iBDIIUbW2YGs4X+baD4mrJrCkfIqrm3hLkQFxuXqA69t670s+O2LQp +iMuXSX2TDxow5RI5U+dV7YiK1aCRSPYd1nTuKJ6kiGwfwlWxidchESSOqzK/1Zbe +gE8RW/9+Eur8oKTuTewnkwIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZI +hvcNAQELBQADggIBACYvqkZYAIPnFZ5hwZDYfZeBJ99uIv+yft7DR7l4g3scBheg +eZTn7SKIKAqRnJXuvdOANb40eLyzEuU59bzBCIonp7BsKSoNPWJvfZu5EjdybaWv +owUmBKfmQcnM9LSkKnr6qsvj0PBw9m69l8d4sWz4eRGlQc7mY2Fgsik4swmjkj9J +iHN5xhvKFtpPdJJcCVwjjCvRiYZfibRgI74YK+NRD1CYIIf8bh9uROzgjnXUTa4s +38GxrwhEF2v5dOyEjohuLdD/yO5e6m424JWytEFB4dldpgH0DNVcsOe7Xj6I6I1c +oh+WCgwWqoAXTBNdPMYHWZybQXqhBBIVVtRddzo1ViLsaaDxmaijNKac6JsutNQN +f0Zm/uw67lLMfMUtf/jwU9SCWgWSF4S66pohmGfONbGytjk8Str9p+lN0B+rL7IE +xM5i9883HpZkFJ1LXvyfz/qJ5KrFOTixgXE/P5+iH7/4PyiAXlCbXpDbwd/ycEGm +W5DVThwPtvaXB7g1/WMXgLIlH0/p2yBYqtEAUDpKpFq11uu/D6DctzvzgamTsvND +CCDGNK58N6Cfp2IjjzM1sjpJQSDKJvQWnb+bt0MO5zqqi8L7ejEbeSF3imS3JfzY +RqA7XR+T8SwdiPqMxR5mXL0Mfk2z95G6znH8DOf2CGxc3X/MLfAW0jvUaPZa +-----END CERTIFICATE----- diff --git a/pki/keys/PK/PK.key b/pki/keys/PK/PK.key new file mode 100644 index 0000000..bfd9125 --- /dev/null +++ b/pki/keys/PK/PK.key @@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDI6Sqb8P5wucXp +LkUKXGkA8liEUeMvlHf9HRBuAp/WumQvLMFYgt2JT+D9za9qr999NdN8r6YXI93e +3W4cavcdtIGmcTdE5ACTij7G0KxCZk1C22dfX8pa7iNjuXzOBq0m9XQoLoSsgl/r +DHQP4wMC8sUiNqZT9OtRVumXnApvpZO2yVh8xG294nV4mGAAjCPaeYgdYTCPtrtU +VWp98/w6luX58QUEId7WU1r9G8aDqlkOG6sLg0+5AQqbKU2V4hzmisyEaSFdPqzx +8x4fR02NJIvAIE5Sn0+xfQjC1n9XIhldiXytSiEjtV/fG+c5q3sLIgYzEgEtxP9N +357SXApcBPXZB7fjOYveXT36mDPurg7M/86qt0z+Lc7ZlgCpHgkqtl2vSgjP6J4I +KTGCPKDDv1cD2mE7bWV7Q/FvBrozEht6n/hflU1HG1sa1D79l3Ap6BfbCbC/PI4g +PSny1lvtv0MmOvEhaKn5b+D0RnjzqUjL4LRfdwtWxEDnbyWakRpBedBjK2pw1nzd +9XTBg6yM7xZTDJ1kHeNshba4h9bLLRpqgiDfbg3p8z/G8l+S1MG/iX0rSNeo5yHo +AFrLdApwoRoKKsVQeIg8AlT5o2VVW1epdlzXONLDiGYFCn1S3ZgDobrx3B0+LyIR +c4I4FIelFcMCwZLWNSvd1+QHKxPvtQIDAQABAoICAQCr522Qzkw3EY04bmGecuFZ +cQKx/QrhbCyagyLKri4rYYJVJvssC5UYZyOAplxAcclM7iBNoFEBnau6hEYxxIg6 +f3crfdWneVrQ4snB/UxW6AeVe/tgDKss0HOxYUVbVzUSj5RaySq2HDuL9zTbXwb1 +n9ly48W/MmGiUDZAhcAcNVVFYdP3tW6cuUZ/8Ai8jywiRDhlwwH1BYoVp5wdtwSK +8RBHoqUDGyP6yImi5gAeKkRWoO/iQvGUv0Je7qE27KiDziEd7oIgsX7y6m1MoArI +CIwW0M2TPkLG/8/ePf/pAwEnGnt2HmZqkkc8tDhNDN+T8AHT8sTVb6hu7jaLkTs+ +aZ5iw8uUBLPTPNMX5Oz0SW/Pijxsh2+9kKCjf/5CIs6BqhcUXZlfdRm/bFGfAq1N +ivhyP//U2yt+MHhZoTMj5vYBeIw7Ee5bMBmicFOb2wMVZINOXaU1p+gG9CqWxPS4 +din+YwIX4tpESjRK7LX+969wikEqo8cLfelW6lmH3Bh80YgfcJb7D3lKp7B/sqND +BliHMRC1461XMTT+4iWHzJ6UjP1twD8ebL3vxsBOfgKWEuMz6AcAYIrYyTuq8b4j +MuPcgL18BFFlt+qB+x7991VzOGWrW2TgP/D52rT9Px37x3WA0RDiuCROKfpWtsfQ +r73mN24FWu8vqqO2teSWQQKCAQEA9aKnIzQx2OVu5v30KbkLW+DgRBYNKsfjKEcL +jJgoIIhUaatjr/Tot2NJVDLXV+yUyfByFWO/hGNwNMHnLEnl7NkE2gvnU3bD+PzJ +pWGJPgdi9IBdnoqG5brBngQUrtgV75UFVLPFffsIC5B4mMuPRjhGp5xvvbiTNrgD +hQ2Bh3fQKWBkcz7ijHkcOTXvn5RbqKIZSsHR9pC5JRPpLOWXTQzHz5YmUDaxsPFB +XIOL7tXRrXlS0YSzdYVqxkuiUEWU06URXu3fmTM/rPvmwKBpEwOimaK0fvCagQB1 +XDUZzfkeHFnIhNpsX9WADuXi7lqoPQZa8ZBjKwzHtB4iRQpBRQKCAQEA0WNmZuz1 +86wXk58vkcxJW8si0X90RkgGtXaMH9o3VB9jaSYPe5LRjhwfnJ9Ba2gVTN9EJLce +lzD+7fBHHVb/+kJjvNS6ME9L1R/GQGjKp1gTTJNfX9tNSMeWUU+349T9VFweh6vs +HMhNd6/aGSZVVipoxfwpWiWl8UPJMe+692rXkWp2Q3OOlp55hXJ9BEC05R+gvSkS +Z7vosXt2DEQowgsxO6pvWgjzg+BudFFXOTAhRsKLVFqq8KBeQV3AdIdtkYAYgj1Y +KnKgyve5Ngbo3b6XqAs6/roxTCm71oRW043FxZSMIuAZpkCSzpVA0uSSDout0/+i +MLf8OSaRUGUDsQKCAQA6dFap/gXOw+q8dbrhIvQdDUrRaR4BDEh2kVGiR6Nk+ox8 +CRlUCkhHPA17SA4PEnHmDJ5ZkL9G1hMhuvM0ivF4h7yr1yFZr227lwy1mpx6cm+O +F+4viG/Jw8PHwtjZMvslZKU8HvvkmxSzC9JnKioSX9oQkR3WXFJMN0Y/J5OnlU+o +SRQeiNyI6VlaFAfORhP58XlrXOyGbLJirHZVBN4Yq+3w7J55gEqQ/Ri812E5mRCo +47JdweKjGPjr75vU1nowU5vqp1kKsDN7CwdC1+mpaLgNL7ccbk2WXXGQW+KkLaCI +xqT9WK1psPkkkniKmHBo9VY3HlE7MXNk3bbyDxqxAoIBACeboupDVr8SRZ9yFECD +ITlQ8rQoZOlKhKJc22LHF4I9McPZJEKe4i78mOo6odhcZvMUpMJBNXMqHH8L3Zfq +Nh+z4UP+BX5P8atOCGV0rSj8myH4Gql6RWNIBeI5rzJUvtrvVgMZ/V7wcN78D8iE +HM5g1VLmQThBOOOri+p7S6WzuzVRqy9VM5rAPYKFxqpARze0ROajV0zyGbFBBnKJ +jiAul9COi+O/H7lJgftUy6gQt6q38D0zrXQ5EbtRra8dUxeb4Ib6bawR5OKf+5QB +uJkBjZSHE1DODbc3icWpYPdBsTCPyfZq588wFdUoHIwIGqzPtUEN8TNACmERL5nC +kfECggEAQ8Y/NxDGju89NcgjPaeoZ9caxMmpXl9+77IESFfWeeUP+cLXhyvf3X23 +KjYlfF9Ok7ZLh/r04FxA/W0e2+Gyjlvyk6sE3opgizk9wV7XwwDH5v2C0F9jABrZ +EkxuVjqR1utj3/WuWkpVl9GNprcX5GzGtDjlRNy/ZSX7u5kB7uwFircdvlqzF6Jp +9nqsizR29dYj7QSPKyiBcqZaoxolNQkOh8aXNso6HDIXyFr0/tGnZh8IC0o/LZdC +Ksv281tFsACnU7eOPIkCbsuetiag7BDvRIOXXmTaMt9/VI4X94x3uPgzXA+NsCAL +7Ftk0PrOk+MsXS+8K9hR2j8Bx2Y18w== +-----END PRIVATE KEY----- diff --git a/pki/keys/PK/PK.pem b/pki/keys/PK/PK.pem new file mode 100644 index 0000000..50330b8 --- /dev/null +++ b/pki/keys/PK/PK.pem @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE+TCCAuGgAwIBAgIRAOuskmCCGswzOJ0Cwzibjg8wDQYJKoZIhvcNAQELBQAw +LjEVMBMGA1UEBhMMUGxhdGZvcm0gS2V5MRUwEwYDVQQDEwxQbGF0Zm9ybSBLZXkw +HhcNMjIxMTIzMTI1NjUxWhcNMjcxMTIzMTI1NjUxWjAuMRUwEwYDVQQGEwxQbGF0 +Zm9ybSBLZXkxFTATBgNVBAMTDFBsYXRmb3JtIEtleTCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBAMjpKpvw/nC5xekuRQpcaQDyWIRR4y+Ud/0dEG4Cn9a6 +ZC8swViC3YlP4P3Nr2qv330103yvphcj3d7dbhxq9x20gaZxN0TkAJOKPsbQrEJm +TULbZ19fylruI2O5fM4GrSb1dCguhKyCX+sMdA/jAwLyxSI2plP061FW6ZecCm+l +k7bJWHzEbb3idXiYYACMI9p5iB1hMI+2u1RVan3z/DqW5fnxBQQh3tZTWv0bxoOq +WQ4bqwuDT7kBCpspTZXiHOaKzIRpIV0+rPHzHh9HTY0ki8AgTlKfT7F9CMLWf1ci +GV2JfK1KISO1X98b5zmrewsiBjMSAS3E/03fntJcClwE9dkHt+M5i95dPfqYM+6u +Dsz/zqq3TP4tztmWAKkeCSq2Xa9KCM/onggpMYI8oMO/VwPaYTttZXtD8W8GujMS +G3qf+F+VTUcbWxrUPv2XcCnoF9sJsL88jiA9KfLWW+2/QyY68SFoqflv4PRGePOp +SMvgtF93C1bEQOdvJZqRGkF50GMranDWfN31dMGDrIzvFlMMnWQd42yFtriH1sst +GmqCIN9uDenzP8byX5LUwb+JfStI16jnIegAWst0CnChGgoqxVB4iDwCVPmjZVVb +V6l2XNc40sOIZgUKfVLdmAOhuvHcHT4vIhFzgjgUh6UVwwLBktY1K93X5AcrE++1 +AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEATfQK +DfqXHnd/n4bdoLqAnXb6hvqKmjtDLBPVWp8Jzj6Ew6y2FULLUYkH3DEx0kfedQjO +kD4h3LoYuHoqkcQ0dNI8RZ1v2oTBljadOTdZyjvtQJvBTtHzSTyrDl+e4CpME0zf +Y8/7tXoXvhxxOiU0CcHeBlVJBdUmgmbGIb4CYlHFLv9L3CKc4RY1r9tIynLXtMWB +FLNT8CE71BtF65pQkNpyPpTzLYyaDpvX8hy95gov7O+5jxl6MRCbL/h/BMBEBRbm +qq20gYwpElPJ9TlNi0ynsAVG1K1miI89ejdHywLTt72q0VL0MOHpKFmAGKvuBVIA +9RFD6tjMIA0P86gbDS+EgFJShuO/SAPftpuLAo/ZxF6lToPllox9wn3V9EWCMh94 +W/GfHI+PmxE+kEOnRgW1qMl1a+s8d7w3FwKqr4LaNIw4jX/Kmdjii5BGoVBYDt8X +5jUliJBr5Fc2J7GfQFt03FpRp+h9d+Fra0ftRM7V4moCEMTHpR30xbxbt67Mgayi +SY9UU0WSopaqTh4ye4gj8NbhNVJ8IQlgJhYwzfvrMuaIOoDL1OoTY/ruqYYert8Y +BVi8EjEvVKTGfLEnuKBK+irrU9YuGmJjw2D6GQ4aJV7DN5dTZZmTvAhK5kevhFQF +jN+7vSSp9LYMiJ+y5sL/sToVe5oaP3Wv04mu7CM= +-----END CERTIFICATE----- diff --git a/pki/keys/db/db.key b/pki/keys/db/db.key new file mode 100644 index 0000000..c2a5ab4 --- /dev/null +++ b/pki/keys/db/db.key @@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCuLZZ9CwqagpEH +iqjdXXa8X31h/oTTcAN63uNE0Vk1Kd5aMEzEzhrpJH1acqj6cfGMsRLsVi+a9MU8 +cXzKZhjs9rUufypMwClSBZ5H9S11mJDF0vO2WBT+6pbeU/gH/XJc44CFbY5ISQJx +f4JiQ86pKrGPjFq0SspqcEl/Cveexb5LjSK3qIR21m+j+Av+7ILWARFhgCzjteZy +KHhmU+HBp6eNDHM/+sWgJwHwTDhtKgP2yMVZZa5ISHHNwYUoUYZlS/F2R18XEtdX +OIVJswLXTSq4ZdpdwNwLHSW7lbDfagDDGdfvQZEE/9Kus/XKDom/vGgO/dFihRfm +21Q0YK+oGjCtdjKhmt1JChX9aQspR8SzWj7cTxVNdYNSCtM+Ozk8Uyfd4x9Md4Nb +spXPM0bPCm5q8tj0sBENwhJ6Cgw+MoraN334Yd6ccklC+3hzRQj4FcugVGrx5vQy +jH8gdNIgBn+bvakkhs38uH3E1zK7drG1v92HzlyyrX9DslE8eU2WWr3KhlNdASxi +taRt7r3Z9drX/ChlF6McfAv9DVrUEilZHSLao7yjT8dVIKSx2djbbXxgtEz+L6aY +aY99PZvgO/yLUvFKLuXZ7J33BOionstownfpmRxL6QtdxeTuniKzkyol7uIenrco +eqmF/sKhRvHsPMrydqFYcOD5GcNNcwIDAQABAoICAEvsNTfGU1XsaflmmJr9fZ84 +5HeNsSpVHj813s0FkCQbXv/jI+N5j8Nmk3mUl1Grz0WrffskylV6MmtZcLLs9Bp+ +o5Vj+vU/ogNNzaPCHJGw8hI5FOC73lMLwL2izm/1Kx+QT1pZ2fZqVLVShmv88J1O +rd1LqdIC896XmYHWLv+3ZG6cU7DItQz0Be/sVJZHU/SivIfKjkan6I6EU48PK031 +nZRfA/G0huZ7el3ba5EyCk5NT7DbILADXA/7NebQOov3IYaUL7/oB5POYFMyw59D +1MZSJ3BMe94gU21EH7gTBcgFgNmas/MA7D4Y1Z/A3IyGPLmkK9wM9dE8c6TtLEOb +JdOe5tQeuFQPzSxcqPeIUsvFQqTh/dtOhTi8UdHcBEljxNkqrp3HJalEeRJF+sbB +TxKIypniG2fQMyfvivvbTjtRkJbKhjnQtIbtxFrLfQbwMzCaqlxkT4xJMAf3FXvK +KAdq+YSd2JZ+rJcFG5H/V7LIuAyHY/dMCIkTFjoPQla1JSEZwKDcp7Mr3c01QG7T +j4UT+E7DVD+Ec4a6KK8wKoQYOjK6yFrxgyrmhWgwtkk0ayn+mm25CwHbaxEJ+qI1 +fSs0N2dnAkFtZAdU8AxK9r536RX8oBGktPW7okyRQbksCyNncfxKTBKbQ25QKgZC +A2/FxFa1A4Fkin+Rl2sZAoIBAQDVF1pKyVjQT9Ko6so0Cosf2qmYKI0rCU6eKVpw +hulknUcDwln4yOQuR8sv688dyAMBS3eoufAogXY/Fnw2JuUQnmtqeM8kZjf0Bku7 +DR2TwMOgdLrwlVyqEyHhOc54s5ZVf0PJZYvwJJLqw7AIRtNgYnjoBlQBhlIwNqCo +X8YTnuZZbcDDyP1YEVH9rBBs4JzSOeuf6fbUZqJJouYqsuSkf5WwZPsZEsYy80fk +Py0S2tEvK6aFBPq7TBjZlX91RTOW+US5i499dgg5P9JeN7NaEL5CEFvutFXI8nyj +8o1MjRe0wuPiDMrC2G+93UHLfr8bBVpJ3QlCMQyNPS87kmvfAoIBAQDRQEzPNmR1 +hd14YGuVqnz4I1q0tD5OPUoWLMysPiu5lPuORHvz8jJuJATq6va1u8ODPKvCzY/D +54D35RgNKzm6rblxLPt5KXUk4vc7KAnjt+VWEm7L1ysqL62TjBGtSCxxQrcmpULM +QgyxQ8aYkwkaB/5VbVJBhzb9PGdS0tAvmxSOeVIv2p4OYd7skJd6YC6TtKHzFBl5 +JdnoQS7HfYbgj0xNpuodw5OPCAGSLBZz3Ls05MQGwQ1TYxD3UehNPSjdwwsVSsbe +MWrF965evKH45caAA6KDLn1YhYqRuM91SLLI/edmg/FO1RkUEEc3BFfshBvvQRGC +j+iYu4a6eJDtAoIBAF5YMIncC45vSP2wtkXERUSdM2lCyv266SvtczVPBhad68sm +SV900lILR1K4PMMawvnXx+rUKBhG+WuFMQlovxJUkYpaYpvjBfLstqria633MqXg +CMRr3NMQFXf6eAfIu06vQfvxEbwI9WMrsMx5TyzlbFKOOrNSHSFrjkX94VzehW4i +wa3tVv2e7YY6oCsUZ1pMep4aoEX6CvA/R1iwS7rpIgUvMF0xir8UJ0hPEE3Aw8z2 +rotGYRx73KS5I+1v7h9xzZO4zpblo051i1ZbovTFZPcq9wkAntqRQc30ncq+zTgi +8XIr57nMyexuAatvOn1kKU16p5a+0KfX5wmhElECggEBAJcWLl+Pjoms1nSMaiHu +r70bCetgGXy0lEHepwnW+gtNnzTiDf3d6rvMFiDo9qnRoSGpNPu7IQr6pQxYxjz7 +8PrxZOxq5khdvs+bcZetGTbrGRREyuszuV8EffgDMuBDNJOy8DtfKBQDvNZhcYvI +3tGE5AcaoEHgN7wxWQlcXiWBfB5DSyxyVZ1c3XFCFZ2uxPKxgh3ZbWskAWrJZdV0 +tWZ/EUEgO/qxtGGaDkhUvQF7Z1CRvViDG/QRm7Z31ZuvhUpaAi6lh2H3nHjElYqh ++PGWNvVHqpe9gZPhGGSPZHvyueSWL/a9Xgblpu3tsv3ujO2hlenyuYnkDrX48RbC +5yECggEBAJVglEc0odkzt5uYcxorFWw0r+gnMS/iyX9zJyLMCvZ4+/NLmAGQ6Qbs +yJK9ryzS1obexq/+7SrTa/iHIBQLvM9eaCSJaAC+w6jRJQC4VRDwtO5c8e8ek3gF +7DzQisGsIqhxrlZLEv8YyPaf9SgAMaLuM0w8xXD54jgcbLZlfNmdHyYHIcM0ZDPK ++4QhtV2YE1MKEIplMhXdxmCpeHqBMEfX5MYUUZb09Ffl7hRzCZc30NWpLnZ73iNq ++px6CR5rq1lnfLu+bIZvVeDBtWM0/vIeFZDKceEa1hkOIS8Z5hzA52OFP7pZKt+O +3cEKjh9NywA7eLWDxRxEf/vq3vdWeFY= +-----END PRIVATE KEY----- diff --git a/pki/keys/db/db.pem b/pki/keys/db/db.pem new file mode 100644 index 0000000..d383ba0 --- /dev/null +++ b/pki/keys/db/db.pem @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE+TCCAuGgAwIBAgIRAPmrvtqrYB4tl9V5HFxxLYowDQYJKoZIhvcNAQELBQAw +LjEVMBMGA1UEBhMMRGF0YWJhc2UgS2V5MRUwEwYDVQQDEwxEYXRhYmFzZSBLZXkw +HhcNMjIxMTIzMTI1NjU1WhcNMjcxMTIzMTI1NjU1WjAuMRUwEwYDVQQGEwxEYXRh +YmFzZSBLZXkxFTATBgNVBAMTDERhdGFiYXNlIEtleTCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBAK4tln0LCpqCkQeKqN1ddrxffWH+hNNwA3re40TRWTUp +3lowTMTOGukkfVpyqPpx8YyxEuxWL5r0xTxxfMpmGOz2tS5/KkzAKVIFnkf1LXWY +kMXS87ZYFP7qlt5T+Af9clzjgIVtjkhJAnF/gmJDzqkqsY+MWrRKympwSX8K957F +vkuNIreohHbWb6P4C/7sgtYBEWGALOO15nIoeGZT4cGnp40Mcz/6xaAnAfBMOG0q +A/bIxVllrkhIcc3BhShRhmVL8XZHXxcS11c4hUmzAtdNKrhl2l3A3AsdJbuVsN9q +AMMZ1+9BkQT/0q6z9coOib+8aA790WKFF+bbVDRgr6gaMK12MqGa3UkKFf1pCylH +xLNaPtxPFU11g1IK0z47OTxTJ93jH0x3g1uylc8zRs8Kbmry2PSwEQ3CEnoKDD4y +ito3ffhh3pxySUL7eHNFCPgVy6BUavHm9DKMfyB00iAGf5u9qSSGzfy4fcTXMrt2 +sbW/3YfOXLKtf0OyUTx5TZZavcqGU10BLGK1pG3uvdn12tf8KGUXoxx8C/0NWtQS +KVkdItqjvKNPx1UgpLHZ2NttfGC0TP4vpphpj309m+A7/ItS8Uou5dnsnfcE6Kie +y2jCd+mZHEvpC13F5O6eIrOTKiXu4h6etyh6qYX+wqFG8ew8yvJ2oVhw4PkZw01z +AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAbh22 +GBG/orDJrOClvt8qABL60ojnilLh4J5BwGDwBcXE/wETvXb+o3GsjTqqHdXYCQx0 +e3SpR/xQCfKzuaE4ysaszKFcNbhaezLmo/pzD2v0UA6Jr56re/jkYMtLQL4+LAUP +kCH66vc6qETQwtAzV3CYQ5TirwLLD6z3luPhm2FzyXTU9eydbsRp7FuSKq8mVXKP +cskrVJSjWD7fOsy/sZq3S+xmA3w1C8XRAgz+xlfIQkuu0mAa3jJ3JGjDyu1lAZ6N +oUc897npQ2tpYyGRQ/zOmKSE9oUlcEqXLPk2nDgenhG0oAdM/jJ54rnuR2x3zhBx +gyPEvWVzjzX8E//9Kc6VocisnI/tckibUPHlMJFHFBXiU8m6vO28cCRl4tRsH/K9 +jOnm+ztraiXI7mqBfTchR7Ga0EmnWFf38y3/YkrbVYbjK6o/+/T72Sje0MfCAvTl +KLOtvaQWQm36KP/2PH3DZ/k/v8+U76oeUBoI/DDH8E4rR1cUORvUYH8MZyPIKM4e +GN3+/zjr5gw70iLC/p8C+8rCzxwoernIMcFlL+SaeybnzXvH3VqO/XAFA/lxMu4V +K7Gzrtr5n+FiSTXytdIu18o6Av65XN5hzwQvVeWIx/E5Jry/JlSQgho8CnqLK8g5 +USdRgvRJN7xJM3szP93f7aNgIYSys2cCxtZxunU= +-----END CERTIFICATE----- diff --git a/rust/lanzatool/src/cli.rs b/rust/lanzatool/src/cli.rs index 3dcd471..6176383 100644 --- a/rust/lanzatool/src/cli.rs +++ b/rust/lanzatool/src/cli.rs @@ -70,6 +70,7 @@ fn install( ) -> Result<()> { let lanzaboote_stub = std::env::var("LANZABOOTE_STUB")?; let initrd_stub = std::env::var("LANZABOOTE_INITRD_STUB")?; + let sbsigntool = std::env::var("SBSIGNTOOL")?; install::install( public_key, @@ -77,7 +78,8 @@ fn install( pki_bundle, auto_enroll, bootspec, + Path::new(&sbsigntool), Path::new(&lanzaboote_stub), - Path::new(&initrd_stub), + Path::new(&initrd_stub) ) } diff --git a/rust/lanzatool/src/install.rs b/rust/lanzatool/src/install.rs index cf0cd1f..e56c7d5 100644 --- a/rust/lanzatool/src/install.rs +++ b/rust/lanzatool/src/install.rs @@ -1,4 +1,5 @@ use std::fs; + use std::path::Path; use anyhow::{Context, Result}; @@ -7,12 +8,15 @@ use crate::bootspec::Bootspec; use crate::esp::EspPaths; use crate::pe; +use crate::signer::Signer; + pub fn install( - _public_key: &Path, - _private_key: &Path, + public_key: &Path, + private_key: &Path, _pki_bundle: &Path, _auto_enroll: bool, bootspec: &Path, + sbsigntool: &Path, lanzaboote_stub: &Path, initrd_stub: &Path, ) -> Result<()> { @@ -23,13 +27,15 @@ pub fn install( .context("Failed to parse bootspec json")?; let esp_paths = EspPaths::new(&bootspec_doc.extension.esp); + let signer = Signer::new(&sbsigntool, &public_key, &private_key); println!("Assembling lanzaboote image..."); - let mut kernel_cmdline: Vec = vec![bootspec_doc + let init_string = bootspec_doc .init .into_os_string() .into_string() - .expect("Failed to convert init to string")]; + .expect("Failed to convert init to string"); + let mut kernel_cmdline: Vec = vec![format!("init={}", init_string)]; kernel_cmdline.extend(bootspec_doc.kernel_params); let lanzaboote_image = pe::assemble_image( @@ -38,6 +44,7 @@ pub fn install( &kernel_cmdline, &esp_paths.kernel, &esp_paths.initrd, + &esp_paths.esp, ) .context("Failed to assemble stub")?; @@ -54,17 +61,28 @@ pub fn install( .join("lib/systemd/boot/efi/systemd-bootx64.efi"); let files_to_copy = [ - (bootspec_doc.kernel, esp_paths.kernel), - (wrapped_initrd, esp_paths.initrd), - (lanzaboote_image, esp_paths.lanzaboote_image), - (systemd_boot.clone(), esp_paths.efi_fallback), - (systemd_boot, esp_paths.systemd_boot), + (bootspec_doc.kernel, &esp_paths.kernel), + (wrapped_initrd, &esp_paths.initrd), + (lanzaboote_image, &esp_paths.lanzaboote_image), + (systemd_boot.clone(), &esp_paths.efi_fallback), + (systemd_boot, &esp_paths.systemd_boot), ]; for (source, target) in files_to_copy { copy(&source, &target)?; } + // Sign: + // - systemd-boot & fallback EFI + // - stub + // - kernel + // - initrd + signer.sign_file(&esp_paths.efi_fallback)?; + signer.sign_file(&esp_paths.systemd_boot)?; + signer.sign_file(&esp_paths.lanzaboote_image)?; + signer.sign_file(&esp_paths.kernel)?; + signer.sign_file(&esp_paths.initrd)?; + println!( "Succesfully installed lanzaboote to '{}'", esp_paths.esp.display() diff --git a/rust/lanzatool/src/main.rs b/rust/lanzatool/src/main.rs index b75dad1..d5af7c0 100644 --- a/rust/lanzatool/src/main.rs +++ b/rust/lanzatool/src/main.rs @@ -3,6 +3,7 @@ mod cli; mod esp; mod install; mod pe; +mod signer; use anyhow::Result; use clap::Parser; diff --git a/rust/lanzatool/src/pe.rs b/rust/lanzatool/src/pe.rs index 6ae8479..79312d6 100644 --- a/rust/lanzatool/src/pe.rs +++ b/rust/lanzatool/src/pe.rs @@ -12,6 +12,7 @@ pub fn assemble_image( kernel_cmdline: &[String], kernel_path: &Path, initrd_path: &Path, + esp_mountpoint: &Path ) -> Result { // objcopy copies files into the PE binary. That's why we have to write the contents // of some bootspec properties to disk @@ -20,8 +21,8 @@ pub fn assemble_image( let initrd_path_file = Path::new("/tmp/initrd_path"); fs::write(kernel_cmdline_file, kernel_cmdline.join(" "))?; - fs::write(kernel_path_file, efi_relative_path_string(kernel_path))?; - fs::write(initrd_path_file, efi_relative_path_string(initrd_path))?; + fs::write(kernel_path_file, efi_relative_path_string(esp_mountpoint, kernel_path))?; + fs::write(initrd_path_file, efi_relative_path_string(esp_mountpoint, initrd_path))?; let os_release_offs = stub_offset(lanzaboote_stub)?; @@ -63,9 +64,9 @@ pub fn assemble_image( Ok(lanzaboote_image) } -fn efi_relative_path_string(path: &Path) -> String { +fn efi_relative_path_string(esp_mountpoint: &Path, path: &Path) -> String { let relative_path = path - .strip_prefix("esp") + .strip_prefix(esp_mountpoint) .expect("Failed to make path relative to esp") .to_owned(); let relative_path_string = relative_path diff --git a/rust/lanzatool/src/signer.rs b/rust/lanzatool/src/signer.rs new file mode 100644 index 0000000..d47b85c --- /dev/null +++ b/rust/lanzatool/src/signer.rs @@ -0,0 +1,46 @@ +use anyhow::Result; + +use std::process::Command; +use std::path::{Path, PathBuf}; + +pub struct Signer<'a> { + pub sbsigntool: PathBuf, + pub private_key: &'a Path, + pub public_key: &'a Path +} + +impl<'a> Signer<'a> { + pub fn new(signer: &Path, public_key: &'a Path, private_key: &'a Path) -> Self { + Self { + sbsigntool: signer.to_path_buf(), + public_key, + private_key + } + } + + pub fn sign_file(&self, filepath: &Path) -> Result<()> { + let args = vec![ + String::from("--key"), + String::from(self.private_key.to_str().unwrap()), + String::from("--cert"), + String::from(self.public_key.to_str().unwrap()), + String::from(filepath.to_str().unwrap()), + String::from("--output"), + String::from(filepath.to_str().unwrap()) + ]; + + let status = Command::new(&self.sbsigntool) + .args(&args) + .status()?; + + if !status.success() { + return Err(anyhow::anyhow!( + "Failed success run `{}` with args `{:?}`", + &self.sbsigntool.display(), + &args + ).into()); + } + + Ok(()) + } +}