Bring in parity with systemd 257 by supporting more UKI sections. The output of `sd-measure` and our measure code will be different until https://github.com/systemd/systemd/pull/35765 is fixed upstream. Fixes: #10075 Signed-off-by: Noel Georgi <git@frezbo.dev>
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
// Package secureboot contains base definitions for the Secure Boot process.
package secureboot
// Section is the name of a PE section inside a UEFI binary (UKI).
type Section string

// Well-known UKI section names.
//
// The set mirrors the section table in systemd's uki.h (see OrderedSections
// for the measured subset and its order). PCRSig is special: it is the output
// of the measurement performed by this package, not an input to it.
const (
	Linux   Section = ".linux"
	OSRel   Section = ".osrel"
	CMDLine Section = ".cmdline"
	Initrd  Section = ".initrd"
	Ucode   Section = ".ucode"
	Splash  Section = ".splash"
	DTB     Section = ".dtb"
	Uname   Section = ".uname"
	SBAT    Section = ".sbat"
	PCRSig  Section = ".pcrsig"
	PCRPKey Section = ".pcrpkey"
	Profile Section = ".profile"
	DTBAuto Section = ".dtbauto"
	HWIDS   Section = ".hwids"
)

// OrderedSections returns the UKI sections that are measured into the PCR,
// in the exact order in which they are measured.
//
// Derived from https://github.com/systemd/systemd/blob/v257.1/src/fundamental/uki.h#L6
//
// .pcrsig is omitted: it carries the signature over the PCR value that this
// list produces, so it cannot itself be part of the measured input.
func OrderedSections() []Section {
	// DO NOT REARRANGE: a PCR is an ordered hash chain, so changing the order
	// (or adding/removing an entry) changes the resulting measurement and
	// invalidates anything bound to the current value.
	measured := []Section{
		Linux, OSRel, CMDLine, Initrd, Ucode, Splash, DTB,
		Uname, SBAT, PCRPKey, Profile, DTBAuto, HWIDS,
	}

	return measured
}
// Phase is the boot phase string extended into the PCR.
type Phase string

// Boot phase values.
const (
	// EnterInitrd is extended into the PCR when the initrd starts.
	EnterInitrd Phase = "enter-initrd"
	// LeaveInitrd is extended into the PCR right before switching to machined.
	LeaveInitrd Phase = "leave-initrd"
	// EnterMachined is extended into the PCR right before machined starts.
	// It is the only phase for which a signed signature is produced (see OrderedPhases).
	EnterMachined Phase = "enter-machined"
	// StartTheWorld is extended into the PCR before all services are started.
	// It is declared here but is not part of OrderedPhases.
	StartTheWorld Phase = "start-the-world"
)

// PhaseInfo pairs a phase with whether a signature is calculated for it.
type PhaseInfo struct {
	// Phase is the phase string extended into the PCR.
	Phase Phase
	// CalculateSignature is true when a signature over the PCR value
	// expected at this phase must be produced.
	CalculateSignature bool
}

// OrderedPhases returns the measured phases in the order they are extended.
//
// Derived from https://github.com/systemd/systemd/blob/v253/src/boot/measure.c#L295-L308
// ref: https://www.freedesktop.org/software/systemd/man/systemd-pcrphase.service.html#Description
//
// In Talos, disk decryption happens in machined, so only EnterMachined is
// signed: machined can then decrypt the disk only if the system booted with
// the correct kernel/initrd/cmdline.
func OrderedPhases() []PhaseInfo {
	// DO NOT REARRANGE: phases are extended into the PCR in this order, and
	// the PCR value expected at each phase depends on every phase before it.
	phases := []PhaseInfo{
		{Phase: EnterInitrd, CalculateSignature: false},
		{Phase: LeaveInitrd, CalculateSignature: false},
		{Phase: EnterMachined, CalculateSignature: true},
	}

	return phases
}
// PCR indexes used by the measurement code.
const (
	// UKIPCR is the PCR number where the UKI sections listed by OrderedSections
	// (i.e. every section except `.pcrsig`) are measured.
	UKIPCR = 11
	// SecureBootStatePCR is the PCR number where the secure boot state and the signature are measured.
	//
	// PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates
	// (PK, KEK, db, dbx, …) are updated, so anything bound to it is invalidated by such changes.
	SecureBootStatePCR = 7
)