Support different providers, not only static file paths.
Drop `pcr-signing-key-public.pem` file, as we generate it on the fly
now.
See https://github.com/siderolabs/image-factory/issues/19
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The previous flow was using TPM PCR 11 values to bound the policy which
means TPM cannot unseal when UKI changes. Now it's fixed to use PCR 7
which is bound to the SecureBoot state (SecureBoot status and
Certificates). This provides a full chain of trust bound to SecureBoot
state and signed PCR signature.
Also the code has been refactored to use PolicyCalculator from the TPM
library.
Signed-off-by: Noel Georgi <git@frezbo.dev>
This is intemediate step to move parts of the `ukify` down to the main
Talos source tree, and call it from `talosctl` binary.
The next step will be to integrate it into the imager and move `.uki`
build out of the Dockerfile.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
