diff --git a/Dockerfile b/Dockerfile index 336f6730b..254f2be00 100644 --- a/Dockerfile +++ b/Dockerfile @@ -712,15 +712,11 @@ COPY --from=rootfs / / LABEL org.opencontainers.image.source https://github.com/siderolabs/talos ENTRYPOINT ["/sbin/init"] -FROM --platform=${BUILDPLATFORM} tools AS ukify-tools -# base has the talos source with the non-abrev version of TAG -COPY --from=base /src/pkg /go/src/github.com/pkg -COPY ./hack/ukify /go/src/github.com/siderolabs/ukify -RUN --mount=type=cache,target=/.cache \ - cd /go/src/github.com/siderolabs/ukify \ - && go test ./... \ - && go build -o ukify . \ - && mv ukify /toolchain/go/bin/ +FROM base AS ukify-tools +WORKDIR /src/cmd/ukify +ARG GO_BUILDFLAGS +ARG GO_LDFLAGS +RUN --mount=type=cache,target=/.cache go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /toolchain/bin/ukify FROM base AS gen-uki-certs ARG TARGETOS @@ -742,7 +738,7 @@ COPY _out/uki-certs _out/uki-certs RUN ukify FROM scratch AS uki-amd64 -COPY --from=uki-build-amd64 /build/_out/systemd-bootx64.efi.signed /systemd-boot.efi.signed +COPY --from=uki-build-amd64 /build/_out/systemd-boot.efi.signed /systemd-boot.efi.signed COPY --from=uki-build-amd64 /build/_out/vmlinuz.efi.signed /vmlinuz.efi.signed COPY --from=uki-build-amd64 /build/_out/uki-certs/PK.auth /PK.auth COPY --from=uki-build-amd64 /build/_out/uki-certs/KEK.auth /KEK.auth @@ -761,7 +757,7 @@ RUN ukify \ -initrd _out/initramfs-arm64.xz FROM scratch AS uki-arm64 -COPY --from=uki-build-arm64 /build/_out/systemd-bootaa64.efi.signed /systemd-boot.efi.signed +COPY --from=uki-build-arm64 /build/_out/systemd-boot.efi.signed /systemd-boot.efi.signed COPY --from=uki-build-arm64 /build/_out/vmlinuz.efi.signed /vmlinuz.efi.signed COPY --from=uki-build-amd64 /build/_out/uki-certs/PK.auth /PK.auth COPY --from=uki-build-amd64 /build/_out/uki-certs/KEK.auth /KEK.auth @@ -1121,10 +1117,9 @@ COPY ./hack/docgen ./hack/docgen COPY ./hack/gotagsrewrite ./hack/gotagsrewrite COPY ./hack/module-sig-verify ./hack/module-sig-verify COPY ./hack/structprotogen ./hack/structprotogen -COPY ./hack/ukify ./hack/ukify # fail always to get the output back RUN --mount=type=cache,target=/.cache <>>> ${project}:" && \ (cd "${project}" && go list -u -m -json all | go-mod-outdated -update -direct) done diff --git a/cmd/talosctl/cmd/mgmt/gen/secureboot.go b/cmd/talosctl/cmd/mgmt/gen/secureboot.go index 4fdf039a3..ef8b5b42a 100644 --- a/cmd/talosctl/cmd/mgmt/gen/secureboot.go +++ b/cmd/talosctl/cmd/mgmt/gen/secureboot.go @@ -43,22 +43,18 @@ var genSecurebootUKICmd = &cobra.Command{ Long: ``, Args: cobra.NoArgs, RunE: func(cmd *cobra.Command, args []string) error { - return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "uki", genSecurebootUKICmdFlags.commonName, 4096) + return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "uki", genSecurebootUKICmdFlags.commonName, 4096, true) }, } -var genSecurebootPCRCmdFlags struct { - commonName string -} - // genSecurebootPCRCmd represents the `gen secureboot pcr` command. var genSecurebootPCRCmd = &cobra.Command{ Use: "pcr", - Short: "Generates a certificate which is used to sign TPM PCR values", + Short: "Generates a key which is used to sign TPM PCR values", Long: ``, Args: cobra.NoArgs, RunE: func(cmd *cobra.Command, args []string) error { - return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "pcr", genSecurebootPCRCmdFlags.commonName, 2048) + return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "pcr", "dummy", 2048, false) }, } @@ -99,7 +95,7 @@ func checkedWrite(path string, data []byte, perm fs.FileMode) error { //nolint:u return os.WriteFile(path, data, perm) } -func generateSigningCerts(path, prefix, commonName string, rsaBits int) error { +func generateSigningCerts(path, prefix, commonName string, rsaBits int, outputCert bool) error { currentTime := time.Now() opts := []x509.Option{ @@ -116,24 +112,32 @@ func generateSigningCerts(path, prefix, commonName string, rsaBits int) error { return err } - if err = checkedWrite(filepath.Join(path, prefix+"-signing-cert.pem"), signingKey.CrtPEM, 0o600); err != nil { - return err + if outputCert { + if err = checkedWrite(filepath.Join(path, prefix+"-signing-cert.pem"), signingKey.CrtPEM, 0o600); err != nil { + return err + } } if err = checkedWrite(filepath.Join(path, prefix+"-signing-key.pem"), signingKey.KeyPEM, 0o600); err != nil { return err } - pemKey := x509.PEMEncodedKey{ - Key: signingKey.KeyPEM, + if !outputCert { + pemKey := x509.PEMEncodedKey{ + Key: signingKey.KeyPEM, + } + + privKey, err := pemKey.GetRSAKey() + if err != nil { + return err + } + + if err = checkedWrite(filepath.Join(path, prefix+"-signing-public-key.pem"), privKey.PublicKeyPEM, 0o600); err != nil { + return err + } } - privKey, err := pemKey.GetRSAKey() - if err != nil { - return err - } - - return checkedWrite(filepath.Join(path, prefix+"-signing-public-key.pem"), privKey.PublicKeyPEM, 0o600) + return nil } // generateSecureBootDatabase generates a UEFI database to enroll the signing certificate. @@ -216,7 +220,6 @@ func init() { genSecurebootUKICmd.Flags().StringVar(&genSecurebootUKICmdFlags.commonName, "common-name", "Test UKI Signing Key", "common name for the certificate") genSecurebootCmd.AddCommand(genSecurebootUKICmd) - genSecurebootPCRCmd.Flags().StringVar(&genSecurebootPCRCmdFlags.commonName, "common-name", "Test PCR Signing Key", "common name for the certificate") genSecurebootCmd.AddCommand(genSecurebootPCRCmd) genSecurebootDatabaseCmd.Flags().StringVar( diff --git a/cmd/ukify/main.go b/cmd/ukify/main.go new file mode 100644 index 000000000..efeafef81 --- /dev/null +++ b/cmd/ukify/main.go @@ -0,0 +1,64 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Package main provides the ukfiy implementation. +package main + +import ( + "flag" + "fmt" + "log" + + "github.com/siderolabs/go-procfs/procfs" + + "github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform" + "github.com/siderolabs/talos/internal/pkg/secureboot/uki" + "github.com/siderolabs/talos/pkg/machinery/constants" + kernelpkg "github.com/siderolabs/talos/pkg/machinery/kernel" +) + +// NOTE: this is temporary implementation, it will be moved to the imager +// in the next round of refactoring. + +func run() error { + metal, err := platform.NewPlatform("metal") + if err != nil { + return fmt.Errorf("failed to create platform: %w", err) + } + + defaultCmdline := procfs.NewCmdline("") + defaultCmdline.Append(constants.KernelParamPlatform, "metal") + + if err := defaultCmdline.AppendAll(kernelpkg.DefaultArgs); err != nil { + return err + } + + if err := defaultCmdline.AppendAll(metal.KernelArgs().Strings()); err != nil { + return err + } + + var builder uki.Builder + + flag.StringVar(&builder.SdStubPath, "sd-stub", "_out/linuxx64.efi.stub", "path to sd-stub") + flag.StringVar(&builder.SdBootPath, "sd-boot", "_out/systemd-bootx64.efi", "path to sd-boot") + flag.StringVar(&builder.KernelPath, "kernel", "_out/vmlinuz-amd64", "path to kernel image") + flag.StringVar(&builder.InitrdPath, "initrd", "_out/initramfs-amd64.xz", "path to initrd image") + flag.StringVar(&builder.Cmdline, "cmdline", defaultCmdline.String(), "kernel cmdline") + flag.StringVar(&builder.SigningKeyPath, "signing-key-path", "_out/uki-certs/uki-signing-key.pem", "path to signing key") + flag.StringVar(&builder.SigningCertPath, "signing-cert-path", "_out/uki-certs/uki-signing-cert.pem", "path to signing cert") + flag.StringVar(&builder.PCRSigningKeyPath, "pcr-signing-key-path", "_out/uki-certs/pcr-signing-key.pem", "path to PCR signing key") + flag.StringVar(&builder.PCRPublicKeyPath, "pcr-public-key-path", "_out/uki-certs/pcr-signing-public-key.pem", "path to PCR public key") + + flag.StringVar(&builder.OutUKIPath, "output", "_out/vmlinuz.efi.signed", "output path") + flag.StringVar(&builder.OutSdBootPath, "sdboot-output", "_out/systemd-boot.efi.signed", "output path") + flag.Parse() + + return builder.Build() +} + +func main() { + if err := run(); err != nil { + log.Fatal(err) + } +} diff --git a/go.mod b/go.mod index 20acde17a..2100de0d4 100644 --- a/go.mod +++ b/go.mod @@ -76,6 +76,7 @@ require ( github.com/mdlayher/netlink v1.7.2 github.com/mdlayher/netx v0.0.0-20230430222610-7e21880baee8 github.com/nberlee/go-netstat v0.1.2 + github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0-rc4 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 github.com/packethost/packngo v0.30.0 @@ -89,7 +90,7 @@ require ( github.com/ryanuber/go-glob v1.0.0 github.com/safchain/ethtool v0.3.0 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.18 - github.com/siderolabs/crypto v0.4.0 + github.com/siderolabs/crypto v0.4.1 github.com/siderolabs/discovery-api v0.1.3 github.com/siderolabs/discovery-client v0.1.5 github.com/siderolabs/gen v0.4.5 @@ -241,7 +242,6 @@ require ( github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/nsf/termbox-go v0.0.0-20190121233118-02980233997d // indirect - github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/runc v1.1.5 // indirect github.com/opencontainers/selinux v1.11.0 // indirect github.com/pelletier/go-toml/v2 v2.0.6 // indirect diff --git a/go.sum b/go.sum index 6aebcbe4d..4f307b5d7 100644 --- a/go.sum +++ b/go.sum @@ -1143,8 +1143,8 @@ github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sethgrid/pester v1.2.0 h1:adC9RS29rRUef3rIKWPOuP1Jm3/MmB6ke+OhE5giENI= github.com/sethgrid/pester v1.2.0/go.mod h1:hEUINb4RqvDxtoCaU0BNT/HV4ig5kfgOasrf1xcvr0A= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/siderolabs/crypto v0.4.0 h1:o1KIR1KyevUcY9nbJlSyQAj7+p+rveGGF8LjAAFMtjc= -github.com/siderolabs/crypto v0.4.0/go.mod h1:itZpBsJ9i0aH8jiHAuSlKCal7hni7X1aDYo6vGVl5LY= +github.com/siderolabs/crypto v0.4.1 h1:PP84WSDDyCCbjYKePcc0IaMSPXDndz8V3cQ9hMRSvpA= +github.com/siderolabs/crypto v0.4.1/go.mod h1:nJmvkqWy1Hngbzw3eg2TdtJ/ZYHHofQK1NbmmYywW8k= github.com/siderolabs/discovery-api v0.1.3 h1:37ue+0w2A7Q2FrhyuDbfdhL4VPvDTpCzUYGvibhMwv0= github.com/siderolabs/discovery-api v0.1.3/go.mod h1:fC6DOJwYQy2QsMCLLTvoScKmBCMNza+VwK2/RHLsoHU= github.com/siderolabs/discovery-client v0.1.5 h1:CyaOOynanZdB29v46lyEOaNfPoBnKjjEBwdYbyCZEh4= diff --git a/go.work b/go.work index 0b2fb749f..2acb29f8c 100644 --- a/go.work +++ b/go.work @@ -7,6 +7,5 @@ use ( ./hack/gotagsrewrite ./hack/module-sig-verify ./hack/structprotogen - ./hack/ukify ./pkg/machinery ) diff --git a/hack/ukify/go.mod b/hack/ukify/go.mod deleted file mode 100644 index 246ea30d5..000000000 --- a/hack/ukify/go.mod +++ /dev/null @@ -1,31 +0,0 @@ -module github.com/siderolabs/ukify - -go 1.20 - -replace github.com/siderolabs/talos/pkg/machinery => ../../pkg/machinery - -require ( - github.com/foxboron/go-uefi v0.0.0-20230218004016-d1bb9a12f92c - github.com/google/go-tpm v0.9.0 - github.com/saferwall/pe v1.4.4 - github.com/siderolabs/crypto v0.4.0 - github.com/siderolabs/go-procfs v0.1.1 - github.com/siderolabs/talos v1.4.5 - github.com/siderolabs/talos/pkg/machinery v1.5.0-alpha.0 -) - -require ( - github.com/containerd/go-cni v1.1.9 // indirect - github.com/containernetworking/cni v1.1.2 // indirect - github.com/edsrzf/mmap-go v1.1.0 // indirect - github.com/golang/protobuf v1.5.3 // indirect - github.com/pkg/errors v0.9.1 // indirect - github.com/spf13/afero v1.9.3 // indirect - go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect - golang.org/x/net v0.10.0 // indirect - golang.org/x/sys v0.9.0 // indirect - golang.org/x/text v0.9.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 // indirect - google.golang.org/grpc v1.56.1 // indirect - google.golang.org/protobuf v1.30.0 // indirect -) diff --git a/hack/ukify/go.sum b/hack/ukify/go.sum deleted file mode 100644 index f4506e269..000000000 --- a/hack/ukify/go.sum +++ /dev/null @@ -1,524 +0,0 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= -cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= -cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/containerd/go-cni v1.1.9 h1:ORi7P1dYzCwVM6XPN4n3CbkuOx/NZ2DOqy+SHRdo9rU= -github.com/containerd/go-cni v1.1.9/go.mod h1:XYrZJ1d5W6E2VOvjffL3IZq0Dz6bsVlERHbekNK90PM= -github.com/containernetworking/cni v1.1.2 h1:wtRGZVv7olUHMOqouPpn3cXJWpJgM6+EUl31EQbXALQ= -github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/edsrzf/mmap-go v1.1.0 h1:6EUwBLQ/Mcr1EYLE4Tn1VdW1A4ckqCQWZBw8Hr0kjpQ= -github.com/edsrzf/mmap-go v1.1.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q= -github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/foxboron/go-uefi v0.0.0-20230218004016-d1bb9a12f92c h1:6DovecV+FAekIm7XGpB4J3x+cpk1onzGitYNALBNgpM= -github.com/foxboron/go-uefi v0.0.0-20230218004016-d1bb9a12f92c/go.mod h1:VdozURTQHi5Rs54l+4Szi3yIJQDMfXXYrRLAjKKowWI= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk= -github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= -github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= -github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= -github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= -github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/saferwall/pe v1.4.4 h1:Ml++7/2/Z1iKwV4zCsd1nIqTEAdUQKAetwbbcCarhOg= -github.com/saferwall/pe v1.4.4/go.mod h1:SNzv3cdgk8SBI0UwHfyTcdjawfdnN+nbydnEL7GZ25s= -github.com/siderolabs/crypto v0.4.0 h1:o1KIR1KyevUcY9nbJlSyQAj7+p+rveGGF8LjAAFMtjc= -github.com/siderolabs/crypto v0.4.0/go.mod h1:itZpBsJ9i0aH8jiHAuSlKCal7hni7X1aDYo6vGVl5LY= -github.com/siderolabs/go-procfs v0.1.1 h1:GkKjnDfFkupcuLN0w6A/Oy58/8FPAHcmlgiHIaw6M+g= -github.com/siderolabs/go-procfs v0.1.1/go.mod h1:byGwc3MfF65wg1mz8t3qQ1zlrYhMngEYh1eDzaFAYq0= -github.com/siderolabs/talos v1.4.5 h1:zFOZwZ6a2wOnLPyWYWXQggnfkAB8syJQzOia7Tg0FMg= -github.com/siderolabs/talos v1.4.5/go.mod h1:v3RBzw5NlopKUgeRBeRMGWSowQDiOJck63JEb67U/NY= -github.com/spf13/afero v1.9.3 h1:41FoI0fD7OR7mGcKE/aOiLkGreyf8ifIOQmJANWogMk= -github.com/spf13/afero v1.9.3/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak= -go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= -golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= -golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= -golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s= -golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= -google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= -google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= -google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= -google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 h1:DEH99RbiLZhMxrpEJCZ0A+wdTe0EOgou/poSLx9vWf4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= -google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= -google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.56.1 h1:z0dNfjIl0VpaZ9iSVjA6daGatAYwPGstTjt5vkRMFkQ= -google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= -google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= -rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/hack/ukify/main.go b/hack/ukify/main.go deleted file mode 100644 index 703f8a453..000000000 --- a/hack/ukify/main.go +++ /dev/null @@ -1,398 +0,0 @@ -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -// ukify is a tool to generate UKI bundles from kernel/initramfs... -package main - -import ( - "bytes" - "encoding/json" - "flag" - "fmt" - "html/template" - "log" - "os" - "os/exec" - "path/filepath" - "strings" - - _ "embed" - - "github.com/foxboron/go-uefi/efi" - "github.com/saferwall/pe" - "github.com/siderolabs/crypto/x509" - "github.com/siderolabs/go-procfs/procfs" - - "github.com/siderolabs/ukify/constants" - "github.com/siderolabs/ukify/measure" - - talosconstants "github.com/siderolabs/talos/pkg/machinery/constants" - kernelpkg "github.com/siderolabs/talos/pkg/machinery/kernel" - "github.com/siderolabs/talos/pkg/version" -) - -//go:embed assets/sidero.bmp -var splashBMP []byte - -var ( - sdStub string - sdBoot string - kernel string - initrd string - cmdline string - signingKey string - signingCert string - pcrSigningKey string - pcrPublicKey string - pcrSigningCert string - output string -) - -func sign(input string) (string, error) { - out := input + ".signed" - - if err := os.RemoveAll(out); err != nil { - return "", err - } - - pem, err := x509.NewCertificateAndKeyFromFiles(signingCert, signingKey) - if err != nil { - return "", err - } - cert, err := pem.GetCert() - if err != nil { - return "", err - } - key, err := pem.GetRSAKey() - if err != nil { - return "", err - } - - unsigned, err := os.ReadFile(input) - if err != nil { - return "", err - } - - signed, err := efi.SignEFIExecutable(key, cert, unsigned) - if err != nil { - return "", err - } - - err = os.WriteFile(out, signed, 0o600) - - return out, err -} - -type section struct { - name constants.Section - file string - measure bool - append bool - size uint64 - vma uint64 -} - -func buildUKI(source, output string, sections []section) error { - peFile, err := pe.New(source, &pe.Options{Fast: true}) - if err != nil { - return err - } - - defer peFile.Close() //nolint: errcheck - - if err = peFile.Parse(); err != nil { - return err - } - - // find the first VMA address - lastSection := peFile.Sections[len(peFile.Sections)-1] - - // align the VMA to 512 bytes - // https://github.com/saferwall/pe/blob/main/helper.go#L22-L26 - const alignment = 0x1ff - - header, ok := peFile.NtHeader.OptionalHeader.(pe.ImageOptionalHeader64) - if !ok { - return fmt.Errorf("failed to get optional header") - } - - baseVMA := header.ImageBase + uint64(lastSection.Header.VirtualAddress) + uint64(lastSection.Header.VirtualSize) - baseVMA = (baseVMA + alignment) &^ alignment - - // calculate sections size and VMA - for i := range sections { - if !sections[i].append { - continue - } - - st, err := os.Stat(sections[i].file) - if err != nil { - return err - } - - sections[i].size = uint64(st.Size()) - sections[i].vma = baseVMA - - baseVMA += sections[i].size - baseVMA = (baseVMA + alignment) &^ alignment - } - - // create the output file - args := []string{} - - for _, section := range sections { - if !section.append { - continue - } - - args = append(args, "--add-section", fmt.Sprintf("%s=%s", section.name, section.file), "--change-section-vma", fmt.Sprintf("%s=0x%x", section.name, section.vma)) - } - - args = append(args, source, output) - - cmd := exec.Command("objcopy", args...) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - - return cmd.Run() -} - -func Measure(tempDir, signingKey string, sections []section) ([]section, error) { - sectionsData := measure.SectionsData{} - - for _, section := range sections { - if !section.measure { - continue - } - - sectionsData[section.name] = section.file - } - - pcrpsigFile := filepath.Join(tempDir, "pcrpsig") - - pcrData, err := measure.GenerateSignedPCR(sectionsData, signingKey) - if err != nil { - return nil, err - } - - pcrSignatureData, err := json.Marshal(&pcrData) - if err != nil { - return nil, err - } - - if err = os.WriteFile(pcrpsigFile, pcrSignatureData, 0o644); err != nil { - return nil, err - } - - sections = append(sections, section{ - name: constants.PCRSig, - file: pcrpsigFile, - measure: false, - append: true, - }) - - return sections, nil -} - -func run() error { - defaultCmdline := procfs.NewCmdline("") - defaultCmdline.Append(talosconstants.KernelParamPlatform, "metal") - - if err := defaultCmdline.AppendAll(kernelpkg.DefaultArgs); err != nil { - return err - } - - defaultCmdline.Append("console", "ttyS0") - defaultCmdline.Append("console", "tty0") - - flag.StringVar(&sdStub, "sd-stub", "_out/linuxx64.efi.stub", "path to sd-stub") - flag.StringVar(&sdBoot, "sd-boot", "_out/systemd-bootx64.efi", "path to sd-boot") - flag.StringVar(&output, "output", "_out/vmlinuz.efi", "output path") - flag.StringVar(&kernel, "kernel", "_out/vmlinuz-amd64", "path to kernel image") - flag.StringVar(&initrd, "initrd", "_out/initramfs-amd64.xz", "path to initrd image") - flag.StringVar(&cmdline, "cmdline", defaultCmdline.String(), "kernel cmdline") - flag.StringVar(&signingKey, "signing-key-path", "_out/uki-certs/uki-signing-key.pem", "path to signing key") - flag.StringVar(&signingCert, "signing-cert-path", "_out/uki-certs/uki-signing-cert.pem", "path to signing cert") - flag.StringVar(&pcrSigningKey, "pcr-signing-key-path", "_out/uki-certs/pcr-signing-key.pem", "path to PCR signing key") - flag.StringVar(&pcrPublicKey, "pcr-public-key-path", "_out/uki-certs/pcr-signing-public-key.pem", "path to PCR public key") - flag.StringVar(&pcrSigningCert, "prc-signing-cert-path", "_out/uki-certs/pcr-signing-cert.pem", "path to PCR signing cert") - flag.Parse() - - _, err := sign(sdBoot) - if err != nil { - return fmt.Errorf("failed to sign sd-boot: %w", err) - } - - signedKernel, err := sign(kernel) - if err != nil { - return fmt.Errorf("failed to sign kernel: %w", err) - } - - tempDir, err := os.MkdirTemp("", "ukify") - if err != nil { - return err - } - - defer func() { - if err = os.RemoveAll(tempDir); err != nil { - log.Printf("failed to remove temp dir: %v", err) - } - }() - - cmdlineFile := filepath.Join(tempDir, "cmdline") - - if err = os.WriteFile(cmdlineFile, []byte(cmdline), 0o644); err != nil { - return err - } - - unameFile := filepath.Join(tempDir, "uname") - - if err = os.WriteFile(unameFile, []byte(talosconstants.DefaultKernelVersion), 0o644); err != nil { - return err - } - - osReleaseFile := filepath.Join(tempDir, "os-release") - - var buf bytes.Buffer - - tmpl, err := template.New("").Parse(talosconstants.OSReleaseTemplate) - if err != nil { - return err - } - - if err = tmpl.Execute(&buf, struct { - Name string - ID string - Version string - }{ - Name: version.Name, - ID: strings.ToLower(version.Name), - Version: version.Tag, - }); err != nil { - return err - } - - if err = os.WriteFile(osReleaseFile, buf.Bytes(), 0o644); err != nil { - return err - } - - splashFile := filepath.Join(tempDir, "splash.bmp") - - if err = os.WriteFile(splashFile, splashBMP, 0o644); err != nil { - return err - } - - sbat, closeFunc, err := parseSBATFromStub() - if err != nil { - return err - } - - defer closeFunc() //nolint:errcheck - - sbatFile := filepath.Join(tempDir, "sbat") - - if err = os.WriteFile(sbatFile, sbat, 0o644); err != nil { - return err - } - - sections := []section{ - { - name: constants.OSRel, - file: osReleaseFile, - measure: true, - append: true, - }, - { - name: constants.CMDLine, - file: cmdlineFile, - measure: true, - append: true, - }, - { - name: constants.Initrd, - file: initrd, - measure: true, - append: true, - }, - { - name: constants.Splash, - file: splashFile, - measure: true, - append: true, - }, - { - name: constants.Uname, - file: unameFile, - measure: true, - append: true, - }, - { - name: constants.SBAT, - file: sbatFile, - measure: true, - }, - { - name: constants.PCRPKey, - file: pcrPublicKey, - measure: true, - append: true, - }, - } - - // kernel is added last to account for decompression - sections = append(sections, - section{ - name: constants.Linux, - file: signedKernel, - measure: true, - append: true, - }, - ) - - // systemd-measure - if sections, err = Measure(tempDir, pcrSigningKey, sections); err != nil { - return err - } - - if err = os.RemoveAll(output); err != nil { - return err - } - - if err := buildUKI(sdStub, output, sections); err != nil { - return err - } - - _, err = sign(output) - - return err -} - -func parseSBATFromStub() ([]byte, func() error, error) { - pefile, err := pe.New(sdStub, &pe.Options{Fast: true}) - if err != nil { - return nil, pefile.Close, err - } - - if err := pefile.Parse(); err != nil { - return nil, pefile.Close, err - } - - var sbatData []byte - - for _, section := range pefile.Sections { - if section.String() == string(constants.SBAT) { - sbatData = section.Data(section.Header.VirtualAddress, section.Header.VirtualSize, pefile) - - break - } - } - - return sbatData, pefile.Close, nil -} - -func main() { - if err := run(); err != nil { - log.Fatal(err) - } -} diff --git a/hack/ukify/measure/extend/extend.go b/hack/ukify/measure/extend/extend.go deleted file mode 100644 index 3658ea815..000000000 --- a/hack/ukify/measure/extend/extend.go +++ /dev/null @@ -1,41 +0,0 @@ -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -package extend - -import ( - "bytes" - "crypto" -) - -type digest struct { - alg crypto.Hash - hash []byte -} - -func New(alg crypto.Hash) *digest { - return &digest{ - alg: alg, - hash: bytes.Repeat([]byte{0x00}, alg.Size()), - } -} - -func (d *digest) Hash() []byte { - return d.hash -} - -func (d *digest) Extend(data []byte) { - // create hash of incoming data - hash := d.alg.New() - hash.Write(data) - hashSum := hash.Sum(nil) - - // extend hash with previous data and hashed incoming data - newHash := d.alg.New() - newHash.Write(d.hash) - newHash.Write(hashSum) - - // set sum as new hash - d.hash = newHash.Sum(nil) -} diff --git a/hack/ukify/measure/measure.go b/hack/ukify/measure/measure.go deleted file mode 100644 index 4873fca0e..000000000 --- a/hack/ukify/measure/measure.go +++ /dev/null @@ -1,226 +0,0 @@ -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -package measure - -import ( - "bytes" - "crypto" - "crypto/rsa" - "crypto/sha256" - "crypto/x509" - "encoding/base64" - "encoding/binary" - "encoding/hex" - "encoding/pem" - "fmt" - "os" - - "github.com/google/go-tpm/tpm2" - "github.com/google/go-tpm/tpmutil" - - "github.com/siderolabs/ukify/constants" - "github.com/siderolabs/ukify/measure/extend" -) - -type PCRData struct { - SHA1 []bankData `json:"sha1,omitempty"` - SHA256 []bankData `json:"sha256,omitempty"` - SHA384 []bankData `json:"sha384,omitempty"` - SHA512 []bankData `json:"sha512,omitempty"` -} - -type bankData struct { - // list of PCR banks - PCRS []int `json:"pcrs"` - // Public key of the TPM - PKFP string `json:"pkfp"` - // Policy digest - POL string `json:"pol"` - // Signature of the policy digest in base64 - SIG string `json:"sig"` -} - -// signatureData returns the hashed signature digest and base64 encoded signature -type signatureData struct { - Digest string - SignatureBase64 string -} - -// SectionData holds a map of Section to file path to the corresponding section -type SectionsData map[constants.Section]string - -func calculatePCRBankData(pcr int, alg tpm2.TPMAlgID, sectionData SectionsData, privateKeyFile string) ([]bankData, error) { - rsaKey, err := parseRSAKey(privateKeyFile) - if err != nil { - return nil, err - } - - // get fingerprint of public key - pubKeyFingerprint := sha256.Sum256(x509.MarshalPKCS1PublicKey(&rsaKey.PublicKey)) - - hashAlg, err := alg.Hash() - if err != nil { - return nil, err - } - - pcrSelector, err := createPCRSelection([]int{constants.UKIPCR}) - if err != nil { - return nil, fmt.Errorf("failed to create PCR selection: %v", err) - } - - pcrSelection := tpm2.TPMLPCRSelection{ - PCRSelections: []tpm2.TPMSPCRSelection{ - { - Hash: alg, - PCRSelect: pcrSelector, - }, - }, - } - - hashData := extend.New(hashAlg) - - for _, section := range constants.OrderedSections() { - if file, ok := sectionData[section]; ok && file != "" { - hashData.Extend(append([]byte(section), 0)) - - sectionData, err := os.ReadFile(file) - if err != nil { - return nil, err - } - - hashData.Extend(sectionData) - } - } - - banks := make([]bankData, 0) - - for _, phaseInfo := range constants.OrderedPhases() { - // extend always, but only calculate signature if requested - hashData.Extend([]byte(phaseInfo.Phase)) - - if !phaseInfo.CalculateSignature { - continue - } - - hash := hashData.Hash() - - policyPCR := calculatePolicyPCR(hash, pcrSelection) - - sigData, err := calculateSignature(policyPCR, hashAlg, rsaKey) - if err != nil { - return nil, err - } - - banks = append(banks, bankData{ - PCRS: []int{pcr}, - PKFP: hex.EncodeToString(pubKeyFingerprint[:]), - SIG: sigData.SignatureBase64, - POL: sigData.Digest, - }) - } - - return banks, nil -} - -func calculatePolicyPCR(pcrValue []byte, pcrSelection tpm2.TPMLPCRSelection) []byte { - initial := bytes.Repeat([]byte{0x00}, sha256.Size) - pcrHash := sha256.Sum256(pcrValue) - - policyPCRCommandValue := make([]byte, 4) - binary.BigEndian.PutUint32(policyPCRCommandValue, uint32(tpm2.TPMCCPolicyPCR)) - - pcrSelectionMarshalled := tpm2.Marshal(pcrSelection) - - commandWithPCRSelectionMarshalled := append(policyPCRCommandValue, pcrSelectionMarshalled...) - - toHash := append(initial[:], append(commandWithPCRSelectionMarshalled, pcrHash[:]...)...) - - hashed := sha256.Sum256(toHash) - - return hashed[:] -} - -func parseRSAKey(key string) (*rsa.PrivateKey, error) { - keyData, err := os.ReadFile(key) - if err != nil { - return nil, err - } - - // convert private key to rsa.PrivateKey - rsaPrivateKeyBlock, _ := pem.Decode(keyData) - if rsaPrivateKeyBlock == nil { - return nil, err - } - - rsaKey, err := x509.ParsePKCS1PrivateKey(rsaPrivateKeyBlock.Bytes) - if err != nil { - return nil, fmt.Errorf("parse private key failed: %v", err) - } - - return rsaKey, nil -} - -func calculateSignature(digest []byte, hash crypto.Hash, rsaKey *rsa.PrivateKey) (*signatureData, error) { - digestToHash := hash.New() - digestToHash.Write(digest) - digestHashed := digestToHash.Sum(nil) - - // sign policy digest - signedData, err := rsaKey.Sign(nil, digestHashed[:], hash) - if err != nil { - return nil, fmt.Errorf("signing failed: %v", err) - } - - return &signatureData{ - Digest: hex.EncodeToString(digest), - SignatureBase64: base64.StdEncoding.EncodeToString(signedData), - }, nil -} - -func GenerateSignedPCR(sectionsData SectionsData, rsaKey string) (*PCRData, error) { - sha1BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.TPMAlgSHA1, sectionsData, rsaKey) - if err != nil { - return nil, err - } - - sha256BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.TPMAlgSHA256, sectionsData, rsaKey) - if err != nil { - return nil, err - } - - sha384BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.TPMAlgSHA384, sectionsData, rsaKey) - if err != nil { - return nil, err - } - - sha512BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.TPMAlgSHA512, sectionsData, rsaKey) - if err != nil { - return nil, err - } - - return &PCRData{ - SHA1: sha1BankData, - SHA256: sha256BankData, - SHA384: sha384BankData, - SHA512: sha512BankData, - }, nil -} - -func createPCRSelection(s []int) ([]byte, error) { - const sizeOfPCRSelect = 3 - - PCRs := make(tpmutil.RawBytes, sizeOfPCRSelect) - - for _, n := range s { - if n >= 8*sizeOfPCRSelect { - return nil, fmt.Errorf("PCR index %d is out of range (exceeds maximum value %d)", n, 8*sizeOfPCRSelect-1) - } - byteNum := n / 8 - bytePos := byte(1 << (n % 8)) - PCRs[byteNum] |= bytePos - } - - return PCRs, nil -} diff --git a/internal/app/init/main.go b/internal/app/init/main.go index 9eb77a2ad..fc67e73d8 100644 --- a/internal/app/init/main.go +++ b/internal/app/init/main.go @@ -25,6 +25,7 @@ import ( "github.com/siderolabs/talos/internal/pkg/mount" "github.com/siderolabs/talos/internal/pkg/mount/switchroot" "github.com/siderolabs/talos/internal/pkg/rng" + "github.com/siderolabs/talos/internal/pkg/secureboot" "github.com/siderolabs/talos/internal/pkg/tpm2" "github.com/siderolabs/talos/pkg/machinery/constants" "github.com/siderolabs/talos/pkg/machinery/extensions" @@ -60,7 +61,7 @@ func run() (err error) { } // extend PCR 11 with enter-initrd - if err = tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(tpm2.EnterInitrd)); err != nil { + if err = tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(secureboot.EnterInitrd)); err != nil { return fmt.Errorf("failed to extend PCR %d with enter-initrd: %v", constants.UKIMeasuredPCR, err) } diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go index d571124e8..e91c0eb49 100644 --- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go +++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go @@ -19,7 +19,6 @@ import ( "path/filepath" "strings" "syscall" - "text/template" "time" "github.com/containerd/cgroups" @@ -62,6 +61,7 @@ import ( "github.com/siderolabs/talos/internal/pkg/meta" "github.com/siderolabs/talos/internal/pkg/mount" "github.com/siderolabs/talos/internal/pkg/partition" + "github.com/siderolabs/talos/internal/pkg/secureboot" "github.com/siderolabs/talos/internal/pkg/tpm2" "github.com/siderolabs/talos/pkg/conditions" "github.com/siderolabs/talos/pkg/images" @@ -380,43 +380,12 @@ func OSRelease() (err error) { return err } - var ( - v string - tmpl *template.Template - ) - - switch version.Tag { - case "none": - v = version.SHA - default: - v = version.Tag - } - - data := struct { - Name string - ID string - Version string - }{ - Name: version.Name, - ID: strings.ToLower(version.Name), - Version: v, - } - - tmpl, err = template.New("").Parse(constants.OSReleaseTemplate) + contents, err := version.OSRelease() if err != nil { return err } - var buf []byte - - writer := bytes.NewBuffer(buf) - - err = tmpl.Execute(writer, data) - if err != nil { - return err - } - - return os.WriteFile(filepath.Join(constants.SystemEtcPath, "os-release"), writer.Bytes(), 0o644) + return os.WriteFile(filepath.Join(constants.SystemEtcPath, "os-release"), contents, 0o644) } // createBindMount creates a common way to create a writable source file with a @@ -863,7 +832,7 @@ func WriteUdevRules(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { // StartMachined represents the task to start machined. func StartMachined(_ runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string) { return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error { - if err := tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(tpm2.EnterMachined)); err != nil { + if err := tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(secureboot.EnterMachined)); err != nil { return err } @@ -920,7 +889,7 @@ func StartUdevd(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { // ExtendPCRStartAll represents the task to extend the PCR with the StartTheWorld PCR phase. func ExtendPCRStartAll(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) { - return tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(tpm2.StartTheWorld)) + return tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(secureboot.StartTheWorld)) }, "extendPCRStartAll" } diff --git a/internal/pkg/mount/switchroot/switchroot.go b/internal/pkg/mount/switchroot/switchroot.go index 4cf3e49da..c4f9bf839 100644 --- a/internal/pkg/mount/switchroot/switchroot.go +++ b/internal/pkg/mount/switchroot/switchroot.go @@ -14,6 +14,7 @@ import ( "golang.org/x/sys/unix" "github.com/siderolabs/talos/internal/pkg/mount" + "github.com/siderolabs/talos/internal/pkg/secureboot" "github.com/siderolabs/talos/internal/pkg/tpm2" "github.com/siderolabs/talos/pkg/machinery/constants" ) @@ -68,7 +69,7 @@ func Switch(prefix string, mountpoints *mount.Points) (err error) { } // extend PCR 11 with leave-initrd - if err = tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(tpm2.LeaveInitrd)); err != nil { + if err = tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(secureboot.LeaveInitrd)); err != nil { return fmt.Errorf("failed to extend PCR %d with leave-initrd: %v", constants.UKIMeasuredPCR, err) } diff --git a/internal/pkg/secureboot/measure/internal/pcr/bank_data.go b/internal/pkg/secureboot/measure/internal/pcr/bank_data.go new file mode 100644 index 000000000..0b9ddcdc5 --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/bank_data.go @@ -0,0 +1,90 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package pcr + +import ( + "crypto/rsa" + "crypto/sha256" + "crypto/x509" + "encoding/hex" + "fmt" + "os" + + "github.com/google/go-tpm/tpm2" + + "github.com/siderolabs/talos/internal/pkg/secureboot" + talostpm2 "github.com/siderolabs/talos/internal/pkg/tpm2" +) + +// CalculateBankData calculates the PCR bank data for a given set of UKI file sections. +// +// This mimics the process happening happening in the TPM when the UKI is being loaded. +func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureboot.Section]string, rsaKey *rsa.PrivateKey) ([]talostpm2.BankData, error) { + // get fingerprint of public key + pubKeyFingerprint := sha256.Sum256(x509.MarshalPKCS1PublicKey(&rsaKey.PublicKey)) + + hashAlg, err := alg.Hash() + if err != nil { + return nil, err + } + + pcrSelector, err := CreateSelector([]int{secureboot.UKIPCR}) + if err != nil { + return nil, fmt.Errorf("failed to create PCR selection: %v", err) + } + + pcrSelection := tpm2.TPMLPCRSelection{ + PCRSelections: []tpm2.TPMSPCRSelection{ + { + Hash: alg, + PCRSelect: pcrSelector, + }, + }, + } + + hashData := NewDigest(hashAlg) + + for _, section := range secureboot.OrderedSections() { + if file := sectionData[section]; file != "" { + hashData.Extend(append([]byte(section), 0)) + + sectionData, err := os.ReadFile(file) + if err != nil { + return nil, err + } + + hashData.Extend(sectionData) + } + } + + banks := make([]talostpm2.BankData, 0) + + for _, phaseInfo := range secureboot.OrderedPhases() { + // extend always, but only calculate signature if requested + hashData.Extend([]byte(phaseInfo.Phase)) + + if !phaseInfo.CalculateSignature { + continue + } + + hash := hashData.Hash() + + policyPCR := CalculatePolicy(hash, pcrSelection) + + sigData, err := Sign(policyPCR, hashAlg, rsaKey) + if err != nil { + return nil, err + } + + banks = append(banks, talostpm2.BankData{ + PCRs: []int{pcrNumber}, + PKFP: hex.EncodeToString(pubKeyFingerprint[:]), + Sig: sigData.SignatureBase64, + Pol: sigData.Digest, + }) + } + + return banks, nil +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go b/internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go new file mode 100644 index 000000000..15cab198b --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go @@ -0,0 +1,51 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package pcr_test + +import ( + "crypto/x509" + "encoding/pem" + "os" + "testing" + + "github.com/google/go-tpm/tpm2" + "github.com/stretchr/testify/require" + + "github.com/siderolabs/talos/internal/pkg/secureboot" + "github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr" + talostpm2 "github.com/siderolabs/talos/internal/pkg/tpm2" +) + +func TestCalculateBankData(t *testing.T) { + t.Parallel() + + pemKey, err := os.ReadFile("../../testdata/pcr-signing-key.pem") + require.NoError(t, err) + + block, _ := pem.Decode(pemKey) + require.NotNil(t, block) + + key, err := x509.ParsePKCS1PrivateKey(block.Bytes) + require.NoError(t, err) + + bankData, err := pcr.CalculateBankData(15, tpm2.TPMAlgSHA256, + map[secureboot.Section]string{ + secureboot.Initrd: "testdata/a", + secureboot.Linux: "testdata/b", + secureboot.DTB: "testdata/c", + }, + key) + require.NoError(t, err) + + require.Equal(t, + []talostpm2.BankData{ + { + PCRs: []int{15}, + PKFP: "58f58f625bd8a8b6681e4b40688cf99b26419b6b2c5f6e14a2c7c67a3b0b1620", + Pol: "a1c9d366451c82969238eb82a5282f84b6a3d499e540430ecf792083155225dd", + Sig: "bO4F/T6bio7jLJFpi4GsJHjZDj+H5Pq4stjKA5WhkzBNCmE1gQECeOALUfNJ1RW/HKhwSp7KhGFqqnjyg/eXR3c0pVuYUKuAjZz9NMXS4dAQlSLxtNWMmlX3XDst/UKfxB6Z+m2KluJpF3KeAw03tP9lru6nfzaickOs1UL83IO5QgLkCHpUcSloZcya0xS9ETCNBd5gm8K+c9gc7+CmpFLTo1uTxbBK0Mea+3fn7GAZROHPMBLosvTM5D9vplsWIXXAXSaHr/sj5bxOIR+orCQZOdYY+/8ra4oFVXzHc9kkPP3A6mWzoADKryWWIVKPx/DGLi0ExT2fpCNdUoMOacvD+dqDqjVBhcOwoAZkNqve/W/poqaLlKyFTqlmGmv+08WavtShYmCURa4Mn3UFf49BTVkktxoQ+jTMroyit1uK/ppMSjaPwQp2Dd1pRCY4hcFfLwqryy1zRMT/XmZ2e91MYe40Pr9Tom2ZH0YAigDosBPuP6RHt7IypFIgary3louW1dqNLXW8p38Y91nYDKBWI9x0tVn5ufqtk5wkHnExTjUYkTWU98+p5J7urDIhLuX1mSi57Ekq02f+lVLMs85SHfmMfzZl7l7Xi4npYbW+5xHKiAxLnaXVJCHdW0xiAD0VTLer5Oe5nf7FrjSzS39rXoryKfcHFOIxRT1XQOA=", //nolint:lll + }, + }, bankData) +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/extend.go b/internal/pkg/secureboot/measure/internal/pcr/extend.go new file mode 100644 index 000000000..75ee2c7fa --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/extend.go @@ -0,0 +1,49 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package pcr + +import ( + "crypto" +) + +// Digest implements the PCR extension algorithm. +// +// Each time `Extend` is called, the hash of the previous data is +// prepended to the hash of new data and hashed together. +// +// The initial hash value is all zeroes. +type Digest struct { + alg crypto.Hash + hash []byte +} + +// NewDigest creates a new Digest with the speified hash algorithm. +func NewDigest(alg crypto.Hash) *Digest { + return &Digest{ + alg: alg, + hash: make([]byte, alg.Size()), + } +} + +// Hash returns the current hash value. +func (d *Digest) Hash() []byte { + return d.hash +} + +// Extend extends the current hash with the specified data. +func (d *Digest) Extend(data []byte) { + // create hash of incoming data + hash := d.alg.New() + hash.Write(data) + hashSum := hash.Sum(nil) + + // extend hash with previous data and hashed incoming data + hash.Reset() + hash.Write(d.hash) + hash.Write(hashSum) + + // set sum as new hash + d.hash = hash.Sum(nil) +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/extend_test.go b/internal/pkg/secureboot/measure/internal/pcr/extend_test.go new file mode 100644 index 000000000..3c061164d --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/extend_test.go @@ -0,0 +1,36 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package pcr_test + +import ( + "crypto" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr" +) + +func TestExtend(t *testing.T) { + t.Parallel() + + hash := pcr.NewDigest(crypto.SHA256) + + assert.Equal(t, make([]byte, 32), hash.Hash()) + + hash.Extend([]byte("foo")) + + assert.Equal(t, + []byte{0x42, 0x48, 0x16, 0xd0, 0x20, 0xcf, 0x3d, 0x79, 0x3a, 0xc0, 0x21, 0xda, 0x47, 0x37, 0x9b, 0xdf, 0x60, 0x80, 0x80, 0xa8, 0x3e, 0xb9, 0x36, 0x4a, 0x7f, 0xbe, 0xb, 0xdf, 0xa8, 0x71, 0x11, 0xd7}, + hash.Hash(), + ) + + hash.Extend([]byte("bar")) + + assert.Equal(t, + []byte{0x63, 0x5c, 0x18, 0xb1, 0x5e, 0xf5, 0xc5, 0xd6, 0xc0, 0x20, 0xe7, 0x23, 0x39, 0xdd, 0xef, 0xd8, 0xb0, 0x5c, 0x4c, 0x4a, 0x44, 0xb3, 0x4e, 0xff, 0x8c, 0xef, 0x22, 0x6f, 0x89, 0x2, 0x77, 0x2}, + hash.Hash(), + ) +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/pcr.go b/internal/pkg/secureboot/measure/internal/pcr/pcr.go new file mode 100644 index 000000000..998ac5e74 --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/pcr.go @@ -0,0 +1,25 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Package pcr contains code that handles PCR operations. +package pcr + +import "fmt" + +// CreateSelector converts PCR numbers into a bitmask. +func CreateSelector(pcrs []int) ([]byte, error) { + const sizeOfPCRSelect = 3 + + mask := make([]byte, sizeOfPCRSelect) + + for _, n := range pcrs { + if n >= 8*sizeOfPCRSelect { + return nil, fmt.Errorf("PCR index %d is out of range (exceeds maximum value %d)", n, 8*sizeOfPCRSelect-1) + } + + mask[n>>3] |= 1 << (n & 0x7) + } + + return mask, nil +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/pcr_test.go b/internal/pkg/secureboot/measure/internal/pcr/pcr_test.go new file mode 100644 index 000000000..3331294ca --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/pcr_test.go @@ -0,0 +1,49 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package pcr_test + +import ( + "testing" + + "github.com/stretchr/testify/require" + + "github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr" +) + +func TestGetSelection(t *testing.T) { + t.Parallel() + + for _, tt := range []struct { + name string + pcrs []int + expected []byte + }{ + { + name: "empty", + expected: []byte{0, 0, 0}, + }, + { + name: "1, 3, 5", + pcrs: []int{1, 3, 5}, + expected: []byte{42, 0, 0}, + }, + { + name: "21, 22, 23", + pcrs: []int{21, 22, 23}, + expected: []byte{0, 0, 0xe0}, + }, + } { + tt := tt + + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + actual, err := pcr.CreateSelector(tt.pcrs) + require.NoError(t, err) + + require.Equal(t, tt.expected, actual) + }) + } +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/policy.go b/internal/pkg/secureboot/measure/internal/pcr/policy.go new file mode 100644 index 000000000..65c433805 --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/policy.go @@ -0,0 +1,31 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package pcr + +import ( + "crypto/sha256" + "encoding/binary" + + "github.com/google/go-tpm/tpm2" +) + +// CalculatePolicy calculates the policy hash for a given PCR value and PCR selection. +func CalculatePolicy(pcrValue []byte, pcrSelection tpm2.TPMLPCRSelection) []byte { + initial := make([]byte, sha256.Size) + pcrHash := sha256.Sum256(pcrValue) + + policyPCRCommandValue := make([]byte, 4) + binary.BigEndian.PutUint32(policyPCRCommandValue, uint32(tpm2.TPMCCPolicyPCR)) + + pcrSelectionMarshalled := tpm2.Marshal(pcrSelection) + + hasher := sha256.New() + hasher.Write(initial) + hasher.Write(policyPCRCommandValue) + hasher.Write(pcrSelectionMarshalled) + hasher.Write(pcrHash[:]) + + return hasher.Sum(nil) +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/policy_test.go b/internal/pkg/secureboot/measure/internal/pcr/policy_test.go new file mode 100644 index 000000000..349b7c89a --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/policy_test.go @@ -0,0 +1,31 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package pcr_test + +import ( + "testing" + + "github.com/google/go-tpm/tpm2" + "github.com/stretchr/testify/require" + + "github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr" +) + +func TestCalculatePolicy(t *testing.T) { + t.Parallel() + + policy := pcr.CalculatePolicy([]byte{1, 3, 5}, tpm2.TPMLPCRSelection{ + PCRSelections: []tpm2.TPMSPCRSelection{ + { + Hash: tpm2.TPMAlgSHA256, + PCRSelect: []byte{10, 11, 12}, + }, + }, + }) + require.Equal(t, + []byte{0x84, 0xd6, 0x51, 0x47, 0xb0, 0x53, 0x94, 0xd0, 0xfa, 0xc4, 0x5e, 0x36, 0x0, 0x20, 0x3e, 0x3a, 0x11, 0x1, 0x27, 0xfb, 0xe2, 0x6f, 0xc1, 0xe3, 0x3, 0x3, 0x10, 0x21, 0x33, 0xf9, 0x15, 0xe3}, + policy, + ) +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/sign.go b/internal/pkg/secureboot/measure/internal/pcr/sign.go new file mode 100644 index 000000000..75ad45e0f --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/sign.go @@ -0,0 +1,37 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Package pcr contains code that handles PCR operations. +package pcr + +import ( + "crypto" + "encoding/base64" + "encoding/hex" + "fmt" +) + +// Signature returns the hashed signature digest and base64 encoded signature. +type Signature struct { + Digest string + SignatureBase64 string +} + +// Sign the digest using specified hash and key. +func Sign(digest []byte, hash crypto.Hash, key crypto.Signer) (*Signature, error) { + digestToHash := hash.New() + digestToHash.Write(digest) + digestHashed := digestToHash.Sum(nil) + + // sign policy digest + signedData, err := key.Sign(nil, digestHashed, hash) + if err != nil { + return nil, fmt.Errorf("signing failed: %v", err) + } + + return &Signature{ + Digest: hex.EncodeToString(digest), + SignatureBase64: base64.StdEncoding.EncodeToString(signedData), + }, nil +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/sign_test.go b/internal/pkg/secureboot/measure/internal/pcr/sign_test.go new file mode 100644 index 000000000..4e29c5bf1 --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/sign_test.go @@ -0,0 +1,45 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package pcr_test + +import ( + "crypto" + "crypto/x509" + "encoding/hex" + "encoding/pem" + "os" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr" +) + +func TestSign(t *testing.T) { + t.Parallel() + + pemKey, err := os.ReadFile("../../testdata/pcr-signing-key.pem") + require.NoError(t, err) + + block, _ := pem.Decode(pemKey) + require.NotNil(t, block) + + key, err := x509.ParsePKCS1PrivateKey(block.Bytes) + require.NoError(t, err) + + digest, err := hex.DecodeString("e9590019f04a00029bb5ac512c3d3dfff0ec0e66418cfb5035e22313af891d81") + require.NoError(t, err) + + signature, err := pcr.Sign(digest, crypto.SHA256, key) + require.NoError(t, err) + + require.Equal(t, + &pcr.Signature{ + Digest: "e9590019f04a00029bb5ac512c3d3dfff0ec0e66418cfb5035e22313af891d81", + SignatureBase64: "Ylam12MOrPQs2m0AsHzRYBjZwYB1B5W0N4Qq62bNjiV4KgQVpwGTnIA0Rgmdaa1bTL+9+7oZ84H1xR0Q248Yd+2P1ZU5KaSysdoi3nlvotRYUq93HQeVjSLe1WUnoZ56EovP47tPuvLqIHmjPYq3V/EVLS6fD3+mXKZr/Q7sdlUjmGtYO5H0rV39C6Oq4Pwk9WJ4oRRKWwCp4KbxOujJ2ANqJl2QdJJA4WSle8+OML+SomelSDCjwt+s+T+0ZUhCY11Els1PtKO55ySU9N67m7wMIAy7aMwF6vbqyRajFDZN8ad7huhXDpwBGBMaEX5ajm2FseUj+h0EYbAm030FwduqZ9WlTMwp9KUx6dK2uOjckKgItBQfVXFoOo8dl4Al9PDktcmuytogI7o1OdzmJAcrb8BiPLLppmNsEgKR+5+poAsSA3Z0dcREiLbvKm10m7mXHGwRg84knZGSrsbHkD9I3ngeOM3JiPLGGCp4nYjBNzKP4jiygTEgEuZ2ueV9PikwlnM5qaDdByIH+0u3LAJubzN2XyI6TGugNRzdvKRIxtl5dSwRoIptiXInN81q6pw2i27YmzvR16tCTxXFRIcHjxpq5Q4KpVohbYhh4kHiWexbqJMpUPoLVEaw+m+Kh7gMvZlud67I6ldRIjDoy/LSdnsXcjpQFkNoF0ZKhX8=", //nolint:lll + }, + signature, + ) +} diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/a b/internal/pkg/secureboot/measure/internal/pcr/testdata/a new file mode 100644 index 000000000..5d308e1d0 --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/testdata/a @@ -0,0 +1 @@ +aaaa diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/b b/internal/pkg/secureboot/measure/internal/pcr/testdata/b new file mode 100644 index 000000000..b43365601 --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/testdata/b @@ -0,0 +1 @@ +bbbb diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/c b/internal/pkg/secureboot/measure/internal/pcr/testdata/c new file mode 100644 index 000000000..28924d0f9 --- /dev/null +++ b/internal/pkg/secureboot/measure/internal/pcr/testdata/c @@ -0,0 +1 @@ +cccc diff --git a/internal/pkg/secureboot/measure/measure.go b/internal/pkg/secureboot/measure/measure.go new file mode 100644 index 000000000..eb9fa5a20 --- /dev/null +++ b/internal/pkg/secureboot/measure/measure.go @@ -0,0 +1,86 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Package measure contains Go implementation of 'systemd-measure' command. +// +// This implements TPM PCR emulation, UKI signature measurement, signing the measured values. +package measure + +import ( + "crypto/rsa" + "crypto/x509" + "encoding/pem" + "fmt" + "os" + + "github.com/google/go-tpm/tpm2" + + "github.com/siderolabs/talos/internal/pkg/secureboot" + "github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr" + talostpm2 "github.com/siderolabs/talos/internal/pkg/tpm2" +) + +// SectionsData holds a map of Section to file path to the corresponding section. +type SectionsData map[secureboot.Section]string + +func loadRSAKey(path string) (*rsa.PrivateKey, error) { + keyData, err := os.ReadFile(path) + if err != nil { + return nil, err + } + + // convert private key to rsa.PrivateKey + rsaPrivateKeyBlock, _ := pem.Decode(keyData) + if rsaPrivateKeyBlock == nil { + return nil, err + } + + rsaKey, err := x509.ParsePKCS1PrivateKey(rsaPrivateKeyBlock.Bytes) + if err != nil { + return nil, fmt.Errorf("parse private key failed: %v", err) + } + + return rsaKey, nil +} + +// GenerateSignedPCR generates the PCR signed data for a given set of UKI file sections. +func GenerateSignedPCR(sectionsData SectionsData, rsaKeyPath string) (*talostpm2.PCRData, error) { + rsaKey, err := loadRSAKey(rsaKeyPath) + if err != nil { + return nil, err + } + + data := &talostpm2.PCRData{} + + for _, algo := range []struct { + alg tpm2.TPMAlgID + bankDataSetter *[]talostpm2.BankData + }{ + { + alg: tpm2.TPMAlgSHA1, + bankDataSetter: &data.SHA1, + }, + { + alg: tpm2.TPMAlgSHA256, + bankDataSetter: &data.SHA256, + }, + { + alg: tpm2.TPMAlgSHA384, + bankDataSetter: &data.SHA384, + }, + { + alg: tpm2.TPMAlgSHA512, + bankDataSetter: &data.SHA512, + }, + } { + bankData, err := pcr.CalculateBankData(secureboot.UKIPCR, algo.alg, sectionsData, rsaKey) + if err != nil { + return nil, err + } + + *algo.bankDataSetter = bankData + } + + return data, nil +} diff --git a/hack/ukify/measure/measure_test.go b/internal/pkg/secureboot/measure/measure_test.go similarity index 72% rename from hack/ukify/measure/measure_test.go rename to internal/pkg/secureboot/measure/measure_test.go index 331a84577..d52327acb 100644 --- a/hack/ukify/measure/measure_test.go +++ b/internal/pkg/secureboot/measure/measure_test.go @@ -16,20 +16,15 @@ import ( "strings" "testing" - _ "embed" - - "github.com/siderolabs/ukify/constants" - "github.com/siderolabs/ukify/measure" + "github.com/siderolabs/talos/internal/pkg/secureboot" + "github.com/siderolabs/talos/internal/pkg/secureboot/measure" ) const ( - // ExpectedSignatureHex is output of `go test go test -v ./...` when systemd-measure binary is available + // ExpectedSignatureHex is output of `go test go test -v ./...` when systemd-measure binary is available. ExpectedSignatureHex = "e5fbb57a24951ad4c1621c7b1aa3071d0220d71cb8b498ff7f68ef431d70ee82ab12e6355259253366c839e2ec3dbb92caedb3398f5ceb6aa973666317d4a7f7" ) -//go:embed testdata/pcr-signing-key.pem -var pcrSigningKeyPEM []byte - func TestMeasureMatchesExpectedOutput(t *testing.T) { expectedSignatureHex := ExpectedSignatureHex @@ -42,7 +37,7 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) { sectionsData := measure.SectionsData{} // create temporary files with the ordered section name and data as the section name - for _, section := range constants.OrderedSections() { + for _, section := range secureboot.OrderedSections() { sectionFile := filepath.Join(tmpDir, string(section)) if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil { @@ -52,13 +47,7 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) { sectionsData[section] = sectionFile } - signingKey := filepath.Join(tmpDir, "pcr-signing-key.pem") - - if err := os.WriteFile(signingKey, pcrSigningKeyPEM, 0o644); err != nil { - t.Fatal(err) - } - - pcrData, err := measure.GenerateSignedPCR(sectionsData, signingKey) + pcrData, err := measure.GenerateSignedPCR(sectionsData, "testdata/pcr-signing-key.pem") if err != nil { t.Fatal(err) } @@ -76,17 +65,12 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) { } func getSignatureUsingSDMeasure(t *testing.T) string { - tmpDir, err := os.MkdirTemp("", "measure-testdata-gen") - if err != nil { - t.Error(err) - } + tmpDir := t.TempDir() - defer os.RemoveAll(tmpDir) - - sdMeasureArgs := make([]string, len(constants.OrderedSections())) + sdMeasureArgs := make([]string, len(secureboot.OrderedSections())) // create temporary files with the ordered section name and data as the section name - for i, section := range constants.OrderedSections() { + for i, section := range secureboot.OrderedSections() { sectionFile := filepath.Join(tmpDir, string(section)) if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil { @@ -96,12 +80,6 @@ func getSignatureUsingSDMeasure(t *testing.T) string { sdMeasureArgs[i] = fmt.Sprintf("--%s=%s", strings.TrimPrefix(string(section), "."), sectionFile) } - signingKey := filepath.Join(tmpDir, "pcr-signing-key.pem") - - if err := os.WriteFile(signingKey, pcrSigningKeyPEM, 0o644); err != nil { - t.Error(err) - } - var signature bytes.Buffer sdCmd := exec.Command( @@ -109,7 +87,7 @@ func getSignatureUsingSDMeasure(t *testing.T) string { append([]string{ "sign", "--private-key", - signingKey, + "testdata/pcr-signing-key.pem", "--phase=enter-initrd:leave-initrd:enter-machined", "--json=short", }, diff --git a/hack/ukify/measure/testdata/pcr-signing-key.pem b/internal/pkg/secureboot/measure/testdata/pcr-signing-key.pem similarity index 100% rename from hack/ukify/measure/testdata/pcr-signing-key.pem rename to internal/pkg/secureboot/measure/testdata/pcr-signing-key.pem diff --git a/internal/pkg/secureboot/pesign/pesign.go b/internal/pkg/secureboot/pesign/pesign.go new file mode 100644 index 000000000..dd9e4de18 --- /dev/null +++ b/internal/pkg/secureboot/pesign/pesign.go @@ -0,0 +1,64 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Package pesign implements the PE (portable executable) signing. +package pesign + +import ( + "crypto" + "crypto/x509" + "fmt" + "os" + + "github.com/foxboron/go-uefi/efi" + siderox509 "github.com/siderolabs/crypto/x509" +) + +// Signer sigs PE (portable executable) files. +type Signer struct { + key crypto.Signer + cert *x509.Certificate +} + +// NewSigner creates a new Signer. +func NewSigner(certFile, keyFile string) (*Signer, error) { + pem, err := siderox509.NewCertificateAndKeyFromFiles(certFile, keyFile) + if err != nil { + return nil, err + } + + cert, err := pem.GetCert() + if err != nil { + return nil, err + } + + key, err := pem.GetKey() + if err != nil { + return nil, err + } + + if signer, ok := key.(crypto.Signer); ok { + return &Signer{ + key: signer, + cert: cert, + }, nil + } + + return nil, fmt.Errorf("key is not a crypto.Signer") +} + +// Sign signs the input file and writes the output to the output file. +func (s *Signer) Sign(input, output string) error { + unsigned, err := os.ReadFile(input) + if err != nil { + return err + } + + signed, err := efi.SignEFIExecutable(s.key, s.cert, unsigned) + if err != nil { + return err + } + + return os.WriteFile(output, signed, 0o600) +} diff --git a/internal/pkg/secureboot/pesign/pesign_test.go b/internal/pkg/secureboot/pesign/pesign_test.go new file mode 100644 index 000000000..ad8ad1b96 --- /dev/null +++ b/internal/pkg/secureboot/pesign/pesign_test.go @@ -0,0 +1,52 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package pesign_test + +import ( + "os" + "path/filepath" + "testing" + "time" + + "github.com/siderolabs/crypto/x509" + "github.com/stretchr/testify/require" + + "github.com/siderolabs/talos/internal/pkg/secureboot/pesign" + "github.com/siderolabs/talos/pkg/machinery/config/generate/secrets" +) + +func TestSign(t *testing.T) { + currentTime := time.Now() + + opts := []x509.Option{ + x509.RSA(true), + x509.Bits(2048), + x509.CommonName("test-sign"), + x509.NotAfter(currentTime.Add(secrets.CAValidityTime)), + x509.NotBefore(currentTime), + x509.Organization("test-sign"), + } + + signingKey, err := x509.NewSelfSignedCertificateAuthority(opts...) + require.NoError(t, err) + + tmpDir := t.TempDir() + + require.NoError(t, os.WriteFile(filepath.Join(tmpDir, "test-sign.key"), signingKey.KeyPEM, 0o600)) + require.NoError(t, os.WriteFile(filepath.Join(tmpDir, "test-sign.crt"), signingKey.CrtPEM, 0o600)) + + signer, err := pesign.NewSigner(filepath.Join(tmpDir, "test-sign.crt"), filepath.Join(tmpDir, "test-sign.key")) + require.NoError(t, err) + + require.NoError(t, signer.Sign("testdata/systemd-bootx64.efi", filepath.Join(tmpDir, "boot.efi"))) + + unsigned, err := os.Stat("testdata/systemd-bootx64.efi") + require.NoError(t, err) + + signed, err := os.Stat(filepath.Join(tmpDir, "boot.efi")) + require.NoError(t, err) + + require.Greater(t, signed.Size(), unsigned.Size()) +} diff --git a/internal/pkg/secureboot/pesign/testdata/systemd-bootx64.efi b/internal/pkg/secureboot/pesign/testdata/systemd-bootx64.efi new file mode 100644 index 000000000..216f5963d Binary files /dev/null and b/internal/pkg/secureboot/pesign/testdata/systemd-bootx64.efi differ diff --git a/hack/ukify/constants/constants.go b/internal/pkg/secureboot/secureboot.go similarity index 73% rename from hack/ukify/constants/constants.go rename to internal/pkg/secureboot/secureboot.go index 147b5e3ca..ed6b301b4 100644 --- a/hack/ukify/constants/constants.go +++ b/internal/pkg/secureboot/secureboot.go @@ -2,10 +2,13 @@ // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at http://mozilla.org/MPL/2.0/. -package constants +// Package secureboot contains base definitions for the Secure Boot process. +package secureboot +// Section is a name of a PE file section (UEFI binary). type Section string +// List of well-known section names. const ( Linux Section = ".linux" OSRel Section = ".osrel" @@ -19,14 +22,16 @@ const ( PCRPKey Section = ".pcrpkey" ) -// derived from https://github.com/systemd/systemd/blob/main/src/fundamental/tpm-pcr.h#L23-L36 -// OrderedSections returns the sections that are measured into PCR -// .pcrsig section is omitted here since that's what we are calulating here +// OrderedSections returns the sections that are measured into PCR. +// +// Derived from https://github.com/systemd/systemd/blob/main/src/fundamental/tpm-pcr.h#L23-L36 +// .pcrsig section is omitted here since that's what we are calulating here. func OrderedSections() []Section { // DO NOT REARRANGE return []Section{Linux, OSRel, CMDLine, Initrd, Splash, DTB, Uname, SBAT, PCRPKey} } +// Phase is the phase value extended to the PCR. type Phase string const ( @@ -35,22 +40,26 @@ const ( // LeaveInitrd is the phase value extended to the PCR just before switching to machined. LeaveInitrd Phase = "leave-initrd" // EnterMachined is the phase value extended to the PCR before starting machined. - // The should be only a signed signature for the enter-machined phase. + // There should be only a signed signature for the enter-machined phase. EnterMachined Phase = "enter-machined" // StartTheWorld is the phase value extended to the PCR before starting all services. StartTheWorld Phase = "start-the-world" ) +// PhaseInfo describes which phase extensions are signed/measured. type PhaseInfo struct { Phase Phase CalculateSignature bool } -// derived from https://github.com/systemd/systemd/blob/v253/src/boot/measure.c#L295-L308 +// OrderedPhases returns the phases that are measured, in order. +// +// Derived from https://github.com/systemd/systemd/blob/v253/src/boot/measure.c#L295-L308 // ref: https://www.freedesktop.org/software/systemd/man/systemd-pcrphase.service.html#Description +// // In the case of Talos disk decryption, happens in machined, so we need to only sign EnterMachined // so that machined can only decrypt the disk if the system booted with the correct kernel/initrd/cmdline -// OrderedPhases returns the phases that are measured +// OrderedPhases returns the phases that are measured. func OrderedPhases() []PhaseInfo { // DO NOT REARRANGE return []PhaseInfo{ @@ -69,7 +78,5 @@ func OrderedPhases() []PhaseInfo { } } -const ( - // UKI sections except `.pcrsig` are measured into PCR 11 by sd-stub - UKIPCR = 11 -) +// UKIPCR is the PCR number where sections except `.pcrsig` are measured. +const UKIPCR = 11 diff --git a/internal/pkg/secureboot/uki/assemble.go b/internal/pkg/secureboot/uki/assemble.go new file mode 100644 index 000000000..24a346948 --- /dev/null +++ b/internal/pkg/secureboot/uki/assemble.go @@ -0,0 +1,77 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package uki + +import ( + "debug/pe" + "fmt" + "os" + "os/exec" + "path/filepath" +) + +// assemble the UKI file out of sections. +func (builder *Builder) assemble() error { + peFile, err := pe.Open(builder.SdStubPath) + if err != nil { + return err + } + + defer peFile.Close() //nolint: errcheck + + // find the first VMA address + lastSection := peFile.Sections[len(peFile.Sections)-1] + + // align the VMA to 512 bytes + // https://github.com/saferwall/pe/blob/main/helper.go#L22-L26 + const alignment = 0x1ff + + header, ok := peFile.OptionalHeader.(*pe.OptionalHeader64) + if !ok { + return fmt.Errorf("failed to get optional header") + } + + baseVMA := header.ImageBase + uint64(lastSection.VirtualAddress) + uint64(lastSection.VirtualSize) + baseVMA = (baseVMA + alignment) &^ alignment + + // calculate sections size and VMA + for i := range builder.sections { + if !builder.sections[i].Append { + continue + } + + st, err := os.Stat(builder.sections[i].Path) + if err != nil { + return err + } + + builder.sections[i].Size = uint64(st.Size()) + builder.sections[i].VMA = baseVMA + + baseVMA += builder.sections[i].Size + baseVMA = (baseVMA + alignment) &^ alignment + } + + // create the output file + args := []string{} + + for _, section := range builder.sections { + if !section.Append { + continue + } + + args = append(args, "--add-section", fmt.Sprintf("%s=%s", section.Name, section.Path), "--change-section-vma", fmt.Sprintf("%s=0x%x", section.Name, section.VMA)) + } + + builder.unsignedUKIPath = filepath.Join(builder.scratchDir, "unsigned.uki") + + args = append(args, builder.SdStubPath, builder.unsignedUKIPath) + + cmd := exec.Command("objcopy", args...) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + + return cmd.Run() +} diff --git a/internal/pkg/secureboot/uki/generate.go b/internal/pkg/secureboot/uki/generate.go new file mode 100644 index 000000000..5a0caa09b --- /dev/null +++ b/internal/pkg/secureboot/uki/generate.go @@ -0,0 +1,206 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package uki + +import ( + "encoding/json" + "os" + "path/filepath" + + "github.com/siderolabs/gen/slices" + + "github.com/siderolabs/talos/internal/pkg/secureboot" + "github.com/siderolabs/talos/internal/pkg/secureboot/measure" + "github.com/siderolabs/talos/pkg/machinery/constants" + "github.com/siderolabs/talos/pkg/splash" + "github.com/siderolabs/talos/pkg/version" +) + +func (builder *Builder) generateOSRel() error { + osRelease, err := version.OSRelease() + if err != nil { + return err + } + + path := filepath.Join(builder.scratchDir, "os-release") + + if err = os.WriteFile(path, osRelease, 0o600); err != nil { + return err + } + + builder.sections = append(builder.sections, + section{ + Name: secureboot.OSRel, + Path: path, + Measure: true, + Append: true, + }, + ) + + return nil +} + +func (builder *Builder) generateCmdline() error { + path := filepath.Join(builder.scratchDir, "cmdline") + + if err := os.WriteFile(path, []byte(builder.Cmdline), 0o600); err != nil { + return err + } + + builder.sections = append(builder.sections, + section{ + Name: secureboot.CMDLine, + Path: path, + Measure: true, + Append: true, + }, + ) + + return nil +} + +func (builder *Builder) generateInitrd() error { + builder.sections = append(builder.sections, + section{ + Name: secureboot.Initrd, + Path: builder.InitrdPath, + Measure: true, + Append: true, + }, + ) + + return nil +} + +func (builder *Builder) generateSplash() error { + path := filepath.Join(builder.scratchDir, "splash.bmp") + + if err := os.WriteFile(path, splash.GetBootImage(), 0o600); err != nil { + return err + } + + builder.sections = append(builder.sections, + section{ + Name: secureboot.Splash, + Path: path, + Measure: true, + Append: true, + }, + ) + + return nil +} + +func (builder *Builder) generateUname() error { + path := filepath.Join(builder.scratchDir, "uname") + + if err := os.WriteFile(path, []byte(constants.DefaultKernelVersion), 0o600); err != nil { + return err + } + + builder.sections = append(builder.sections, + section{ + Name: secureboot.Uname, + Path: path, + Measure: true, + Append: true, + }, + ) + + return nil +} + +func (builder *Builder) generateSBAT() error { + sbat, err := GetSBAT(builder.SdStubPath) + if err != nil { + return err + } + + path := filepath.Join(builder.scratchDir, "sbat") + + if err = os.WriteFile(path, sbat, 0o600); err != nil { + return err + } + + builder.sections = append(builder.sections, + section{ + Name: secureboot.SBAT, + Path: path, + Measure: true, + }, + ) + + return nil +} + +func (builder *Builder) generatePCRPublicKey() error { + builder.sections = append(builder.sections, + section{ + Name: secureboot.PCRPKey, + Path: builder.PCRPublicKeyPath, + Append: true, + Measure: true, + }, + ) + + return nil +} + +func (builder *Builder) generateKernel() error { + path := filepath.Join(builder.scratchDir, "kernel") + + if err := builder.peSigner.Sign(builder.KernelPath, path); err != nil { + return err + } + + builder.sections = append(builder.sections, + section{ + Name: secureboot.Linux, + Path: path, + Append: true, + Measure: true, + }, + ) + + return nil +} + +func (builder *Builder) generatePCRSig() error { + sectionsData := slices.ToMap( + slices.Filter(builder.sections, + func(s section) bool { + return s.Measure + }, + ), + func(s section) (secureboot.Section, string) { + return s.Name, s.Path + }) + + pcrData, err := measure.GenerateSignedPCR(sectionsData, builder.PCRSigningKeyPath) + if err != nil { + return err + } + + pcrSignatureData, err := json.Marshal(pcrData) + if err != nil { + return err + } + + path := filepath.Join(builder.scratchDir, "pcrpsig") + + if err = os.WriteFile(path, pcrSignatureData, 0o600); err != nil { + return err + } + + builder.sections = append(builder.sections, + section{ + Name: secureboot.PCRSig, + Path: path, + Append: true, + }, + ) + + return nil +} diff --git a/internal/pkg/secureboot/uki/sbat.go b/internal/pkg/secureboot/uki/sbat.go new file mode 100644 index 000000000..e526f8b2c --- /dev/null +++ b/internal/pkg/secureboot/uki/sbat.go @@ -0,0 +1,38 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package uki + +import ( + "debug/pe" + "fmt" + "log" + + "github.com/siderolabs/talos/internal/pkg/secureboot" +) + +// GetSBAT returns the SBAT section from the PE file. +func GetSBAT(path string) ([]byte, error) { + pefile, err := pe.Open(path) + if err != nil { + return nil, err + } + + defer pefile.Close() //nolint:errcheck + + for _, section := range pefile.Sections { + if section.Name == string(secureboot.SBAT) { + log.Printf("section size: %d", section.Size) + + data, err := section.Data() + if err != nil { + return nil, err + } + + return data[:section.VirtualSize], nil + } + } + + return nil, fmt.Errorf("could not find SBAT section") +} diff --git a/internal/pkg/secureboot/uki/sbat_test.go b/internal/pkg/secureboot/uki/sbat_test.go new file mode 100644 index 000000000..13f7f8023 --- /dev/null +++ b/internal/pkg/secureboot/uki/sbat_test.go @@ -0,0 +1,25 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package uki_test + +import ( + "testing" + + "github.com/stretchr/testify/require" + + "github.com/siderolabs/talos/internal/pkg/secureboot/uki" +) + +func TestGetSBAT(t *testing.T) { + t.Parallel() + + data, err := uki.GetSBAT("../pesign/testdata/systemd-bootx64.efi") + require.NoError(t, err) + + require.Equal(t, + "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\nsystemd,1,The systemd Developers,systemd,254,https://systemd.io/\nsystemd.talos,1,Talos Linux,systemd,254,https://github.com/siderolabs/tools/issues\n\x00", //nolint:lll + string(data), + ) +} diff --git a/internal/pkg/secureboot/uki/uki.go b/internal/pkg/secureboot/uki/uki.go new file mode 100644 index 000000000..27c817cda --- /dev/null +++ b/internal/pkg/secureboot/uki/uki.go @@ -0,0 +1,126 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Package uki creates the UKI file out of the sd-stub and other sections. +package uki + +import ( + "fmt" + "log" + "os" + + "github.com/siderolabs/talos/internal/pkg/secureboot" + "github.com/siderolabs/talos/internal/pkg/secureboot/pesign" +) + +// section is a UKI file section. +type section struct { + // Section name. + Name secureboot.Section + // Path to the contents of the section. + Path string + // Should the section be measured to the TPM? + Measure bool + // Should the section be appended, or is it already in the PE file. + Append bool + // Size & VMA of the section. + Size uint64 + VMA uint64 +} + +// Builder is a UKI file builder. +type Builder struct { + // Source options. + // + // Path to the sd-stub. + SdStubPath string + // Path to the sd-boot. + SdBootPath string + // Path to the kernel image. + KernelPath string + // Path to the initrd image. + InitrdPath string + // Kernel cmdline. + Cmdline string + // SecureBoot signing key path. + SigningKeyPath string + // SecureBoot signing cert path. + SigningCertPath string + // PCR signing key path. + PCRSigningKeyPath string + // PCR signing public key path. + PCRPublicKeyPath string + + // Output options: + // + // Path to the signed sd-boot. + OutSdBootPath string + // Path to the output UKI file. + OutUKIPath string + + // fields initialized during build + sections []section + scratchDir string + peSigner *pesign.Signer + unsignedUKIPath string +} + +// Build the UKI file. +// +// Build process is as follows: +// - sign the sd-boot EFI binary, and write it to the OutSdBootPath +// - build ephemeral sections (uname, os-release), and other proposed sections +// - measure sections, generate signature, and append to the list of sections +// - assemble the final UKI file starting from sd-stub and appending generated section. +func (builder *Builder) Build() error { + var err error + + builder.scratchDir, err = os.MkdirTemp("", "talos-uki") + if err != nil { + return err + } + + defer func() { + if err = os.RemoveAll(builder.scratchDir); err != nil { + log.Printf("failed to remove scratch dir: %v", err) + } + }() + + builder.peSigner, err = pesign.NewSigner(builder.SigningCertPath, builder.SigningKeyPath) + if err != nil { + return fmt.Errorf("error initilazing signer: %w", err) + } + + // sign sd-boot + if err = builder.peSigner.Sign(builder.SdBootPath, builder.OutSdBootPath); err != nil { + return fmt.Errorf("error signing sd-boot: %w", err) + } + + // generate and build list of all sections + for _, generateSection := range []func() error{ + builder.generateOSRel, + builder.generateCmdline, + builder.generateInitrd, + builder.generateSplash, + builder.generateUname, + builder.generateSBAT, + builder.generatePCRPublicKey, + // append kernel last to account for decompression + builder.generateKernel, + // measure sections last + builder.generatePCRSig, + } { + if err = generateSection(); err != nil { + return fmt.Errorf("error generating sections: %w", err) + } + } + + // assemble the final UKI file + if err = builder.assemble(); err != nil { + return fmt.Errorf("error assembling UKI: %w", err) + } + + // sign the UKI file + return builder.peSigner.Sign(builder.unsignedUKIPath, builder.OutUKIPath) +} diff --git a/internal/pkg/tpm2/constants.go b/internal/pkg/tpm2/constants.go deleted file mode 100644 index af6f958b5..000000000 --- a/internal/pkg/tpm2/constants.go +++ /dev/null @@ -1,22 +0,0 @@ -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -// Package tpm2 provides TPM2.0 related functionality helpers. -package tpm2 - -// Phase is the phase value extended to the PCR. -// TODO: once ukify is part of installer refer from here. -type Phase string - -const ( - // EnterInitrd is the phase value extended to the PCR during the initrd. - EnterInitrd Phase = "enter-initrd" - // LeaveInitrd is the phase value extended to the PCR just before switching to machined. - LeaveInitrd Phase = "leave-initrd" - // EnterMachined is the phase value extended to the PCR before starting machined. - // There should be only a signed signature for the enter-machined phase. - EnterMachined Phase = "enter-machined" - // StartTheWorld is the phase value extended to the PCR before starting all services. - StartTheWorld Phase = "start-the-world" -) diff --git a/internal/pkg/tpm2/tpm2.go b/internal/pkg/tpm2/tpm2.go index 316798e1a..2cf6aff65 100644 --- a/internal/pkg/tpm2/tpm2.go +++ b/internal/pkg/tpm2/tpm2.go @@ -28,23 +28,23 @@ import ( ) // PCRData is the data structure for PCR signature json. -// TODO: this is copied from measure, once measure/ukify is part of installer, we should refer from here. type PCRData struct { - SHA1 []bankData `json:"sha1,omitempty"` - SHA256 []bankData `json:"sha256,omitempty"` - SHA384 []bankData `json:"sha384,omitempty"` - SHA512 []bankData `json:"sha512,omitempty"` + SHA1 []BankData `json:"sha1,omitempty"` + SHA256 []BankData `json:"sha256,omitempty"` + SHA384 []BankData `json:"sha384,omitempty"` + SHA512 []BankData `json:"sha512,omitempty"` } -type bankData struct { +// BankData constains data for a specific PCR bank. +type BankData struct { // list of PCR banks - PCRS []int `json:"pcrs"` + PCRs []int `json:"pcrs"` // Public key of the TPM PKFP string `json:"pkfp"` // Policy digest - POL string `json:"pol"` + Pol string `json:"pol"` // Signature of the policy digest in base64 - SIG string `json:"sig"` + Sig string `json:"sig"` } // SealedResponse is the response from the TPM2.0 Seal operation. @@ -306,13 +306,13 @@ func Unseal(sealed SealedResponse) ([]byte, error) { // TODO: maybe we should use the highest supported algorithm of the TPM // fallback to the next one if the signature is not found for _, bank := range sigJSON.SHA256 { - digest, decodeErr := hex.DecodeString(bank.POL) + digest, decodeErr := hex.DecodeString(bank.Pol) if decodeErr != nil { return nil, decodeErr } if bytes.Equal(digest, policyGetDigestResp.PolicyDigest.Buffer) { - signature = bank.SIG + signature = bank.Sig if hex.EncodeToString(pubKeyFingerprint[:]) != bank.PKFP { return nil, fmt.Errorf("certificate fingerprint does not match") diff --git a/pkg/machinery/go.mod b/pkg/machinery/go.mod index 184ad9184..7ff78ec28 100644 --- a/pkg/machinery/go.mod +++ b/pkg/machinery/go.mod @@ -18,7 +18,7 @@ require ( github.com/mdlayher/ethtool v0.1.0 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 - github.com/siderolabs/crypto v0.4.0 + github.com/siderolabs/crypto v0.4.1 github.com/siderolabs/gen v0.4.5 github.com/siderolabs/go-api-signature v0.2.4 github.com/siderolabs/go-blockdevice v0.4.6 diff --git a/pkg/machinery/go.sum b/pkg/machinery/go.sum index 7f86138a4..186f1d313 100644 --- a/pkg/machinery/go.sum +++ b/pkg/machinery/go.sum @@ -107,8 +107,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/siderolabs/crypto v0.4.0 h1:o1KIR1KyevUcY9nbJlSyQAj7+p+rveGGF8LjAAFMtjc= -github.com/siderolabs/crypto v0.4.0/go.mod h1:itZpBsJ9i0aH8jiHAuSlKCal7hni7X1aDYo6vGVl5LY= +github.com/siderolabs/crypto v0.4.1 h1:PP84WSDDyCCbjYKePcc0IaMSPXDndz8V3cQ9hMRSvpA= +github.com/siderolabs/crypto v0.4.1/go.mod h1:nJmvkqWy1Hngbzw3eg2TdtJ/ZYHHofQK1NbmmYywW8k= github.com/siderolabs/gen v0.4.5 h1:rwXUVJlL7hYza1LrSVXfT905ZC9Rgei37jMKKs/+eP0= github.com/siderolabs/gen v0.4.5/go.mod h1:wS8tFq7sn5vqKAuyS30vJUig3tX5v6q79VG4KfUnILM= github.com/siderolabs/go-api-signature v0.2.4 h1:s+K0GtaPHql4LdZzL72QvwPMzffY+KB0mszORDK+5/w= diff --git a/hack/ukify/assets/sidero.bmp b/pkg/splash/sidero.bmp similarity index 100% rename from hack/ukify/assets/sidero.bmp rename to pkg/splash/sidero.bmp diff --git a/pkg/splash/splash.go b/pkg/splash/splash.go new file mode 100644 index 000000000..de0ffcc63 --- /dev/null +++ b/pkg/splash/splash.go @@ -0,0 +1,18 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Package splash contains boot splash images. +package splash + +import ( + _ "embed" +) + +//go:embed sidero.bmp +var sideroBMP []byte + +// GetBootImage returns boot splash image. +func GetBootImage() []byte { + return sideroBMP +} diff --git a/pkg/version/osrelease.go b/pkg/version/osrelease.go new file mode 100644 index 000000000..767ec1dcc --- /dev/null +++ b/pkg/version/osrelease.go @@ -0,0 +1,52 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package version + +import ( + "bytes" + "strings" + "text/template" + + "github.com/siderolabs/talos/pkg/machinery/constants" +) + +// OSRelease returns the contents of /etc/os-release. +func OSRelease() ([]byte, error) { + var ( + v string + tmpl *template.Template + ) + + switch Tag { + case "none": + v = SHA + default: + v = Tag + } + + data := struct { + Name string + ID string + Version string + }{ + Name: Name, + ID: strings.ToLower(Name), + Version: v, + } + + tmpl, err := template.New("").Parse(constants.OSReleaseTemplate) + if err != nil { + return nil, err + } + + var writer bytes.Buffer + + err = tmpl.Execute(&writer, data) + if err != nil { + return nil, err + } + + return writer.Bytes(), nil +} diff --git a/pkg/version/osrelease_test.go b/pkg/version/osrelease_test.go new file mode 100644 index 000000000..8b943ed05 --- /dev/null +++ b/pkg/version/osrelease_test.go @@ -0,0 +1,21 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package version_test + +import ( + "testing" + + "github.com/stretchr/testify/require" + + "github.com/siderolabs/talos/pkg/version" +) + +func TestOSRelease(t *testing.T) { + t.Parallel() + + // simply verify generation without errors + _, err := version.OSRelease() + require.NoError(t, err) +} diff --git a/pkg/version/version_test.go b/pkg/version/version_test.go deleted file mode 100644 index 5a27bec2d..000000000 --- a/pkg/version/version_test.go +++ /dev/null @@ -1,14 +0,0 @@ -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -package version_test - -import "testing" - -func TestEmpty(t *testing.T) { - // added for accurate coverage estimation - // - // please remove it once any unit-test is added - // for this package -} diff --git a/website/content/v1.5/reference/cli.md b/website/content/v1.5/reference/cli.md index 6856e78d1..f839a0b96 100644 --- a/website/content/v1.5/reference/cli.md +++ b/website/content/v1.5/reference/cli.md @@ -1552,7 +1552,7 @@ talosctl gen secureboot database [flags] ## talosctl gen secureboot pcr -Generates a certificate which is used to sign TPM PCR values +Generates a key which is used to sign TPM PCR values ``` talosctl gen secureboot pcr [flags] @@ -1561,8 +1561,7 @@ talosctl gen secureboot pcr [flags] ### Options ``` - --common-name string common name for the certificate (default "Test PCR Signing Key") - -h, --help help for pcr + -h, --help help for pcr ``` ### Options inherited from parent commands @@ -1638,7 +1637,7 @@ Generates secrets for the SecureBoot process * [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys * [talosctl gen secureboot database](#talosctl-gen-secureboot-database) - Generates a UEFI database to enroll the signing certificate -* [talosctl gen secureboot pcr](#talosctl-gen-secureboot-pcr) - Generates a certificate which is used to sign TPM PCR values +* [talosctl gen secureboot pcr](#talosctl-gen-secureboot-pcr) - Generates a key which is used to sign TPM PCR values * [talosctl gen secureboot uki](#talosctl-gen-secureboot-uki) - Generates a certificate which is used to sign boot assets (UKI) ## talosctl gen