Documentation ¶
Index ¶
- Constants
- Variables
- func AddChecked(path string)
- func BundleIter(fn func(s *Bundle) error) error
- func CanVerifyFiles() error
- func CheckEventlogOprom(eventlog string) error
- func CheckIfKeysInitialized(output string) bool
- func CheckImmutable() error
- func CheckMSDos(r io.Reader) (bool, error)
- func CheckSbctlInstallation(path string) bool
- func ChecksumFile(file string) (string, error)
- func CombineFiles(microcode, initramfs string) (afero.File, error)
- func CopyDirectory(src, dst string) error
- func CopyFile(src, dst string) error
- func CreateBundle(bundle Bundle) error
- func CreateDirectory(path string) error
- func CreateGUID(output string) ([]byte, error)
- func CreateKey(name string) ([]byte, []byte, error)
- func CreateUUID() []byte
- func DetectTPMEventlog(sb *signature.SignatureDatabase) bool
- func Enroll(sigdb *signature.SignatureDatabase, signerKey, signerPem []byte, efivar string) error
- func EnrollCustom(customBytes []byte, efivar string) error
- func GenerateBundle(bundle *Bundle) (bool, error)
- func GetAttr(f *os.File) (int32, error)
- func GetESP() (string, error)
- func GetEfistub() (string, error)
- func GetEnrolledVendorCerts() []string
- func GetEventlogChecksums(eventlog string) (*signature.SignatureDatabase, error)
- func GetEventlogEvents(eventlog string) ([]attest.Event, error)
- func GetGUID() (uuid.UUID, error)
- func InChecked(path string) bool
- func InitializeSecureBootKeys(output string) error
- func IsImmutable(file string) error
- func ReadOrCreateFile(filePath string) ([]byte, error)
- func SaveKey(k []byte, file string) error
- func SetAttr(f *os.File, attr int32) error
- func Sign(file, output string, enroll bool) error
- func SignDatabase(sigdb *signature.SignatureDatabase, signerKey, signerPem []byte, efivar string) ([]byte, error)
- func SignFile(key, cert, file, output, checksum string) error
- func SigningEntryIter(fn func(s *SigningEntry) error) error
- func VerifyFile(cert, file string) (bool, error)
- func WriteBundleDatabase(dbpath string, bundles Bundles) error
- func WriteFileDatabase(dbpath string, files SigningEntries) error
- type Bundle
- type Bundles
- type LsblkEntry
- type LsblkRoot
- type SigningEntries
- type SigningEntry
Constants ¶
// Inode attribute flag bits mirrored from /usr/include/linux/fs.h. The
// kernel-style names are kept verbatim so they can be cross-referenced with
// the header. They are untyped constants; note that FS_RESERVED_FL
// (0x80000000) exceeds math.MaxInt32 and therefore cannot be combined with
// the int32 attribute value used by GetAttr/SetAttr without a conversion.
const (
	FS_SECRM_FL        = 0x00000001 // secure deletion
	FS_UNRM_FL         = 0x00000002 // undelete
	FS_COMPR_FL        = 0x00000004 // compress file
	FS_SYNC_FL         = 0x00000008 // synchronous updates
	FS_IMMUTABLE_FL    = 0x00000010 // immutable file (see IsImmutable / CheckImmutable)
	FS_APPEND_FL       = 0x00000020 // writes to file may only append
	FS_NODUMP_FL       = 0x00000040 // do not dump file
	FS_NOATIME_FL      = 0x00000080 // do not update atime
	FS_DIRTY_FL        = 0x00000100 // no description in the kernel header
	FS_COMPRBLK_FL     = 0x00000200 // one or more compressed clusters
	FS_NOCOMP_FL       = 0x00000400 // don't compress
	FS_ECOMPR_FL       = 0x00000800 // compression error
	FS_BTREE_FL        = 0x00001000 // btree format dir
	FS_INDEX_FL        = 0x00001000 // hash-indexed directory; shares the bit with FS_BTREE_FL, as in the header
	FS_IMAGIC_FL       = 0x00002000 // AFS directory
	FS_JOURNAL_DATA_FL = 0x00004000 // reserved for ext3
	FS_NOTAIL_FL       = 0x00008000 // file tail should not be merged
	FS_DIRSYNC_FL      = 0x00010000 // dirsync behaviour (directories only)
	FS_TOPDIR_FL       = 0x00020000 // top of directory hierarchies
	FS_EXTENT_FL       = 0x00080000 // extents
	FS_DIRECTIO_FL     = 0x00100000 // use direct i/o
	FS_NOCOW_FL        = 0x00800000 // do not cow file
	FS_PROJINHERIT_FL  = 0x20000000 // create with parents projid
	FS_RESERVED_FL     = 0x80000000 // reserved for ext2 lib
)
Variables ¶
// Locations of sbctl's on-disk state. Everything lives under DatabasePath;
// the key pair for each Secure Boot variable (PK, KEK, db) sits in its own
// subdirectory of KeysPath. PKKey, KEKKey and DBKey point at private key
// material — NOTE(review): confirm that CreateDirectory/SaveKey create these
// with permissions that keep them readable by root only.
var (
	// DatabasePath is the root directory for keys and databases.
	DatabasePath = "/usr/share/secureboot/"
	// KeysPath holds one subdirectory per Secure Boot key.
	KeysPath = filepath.Join(DatabasePath, "keys")

	// Platform Key pair.
	PKKey  = filepath.Join(KeysPath, "PK", "PK.key")
	PKCert = filepath.Join(KeysPath, "PK", "PK.pem")

	// Key Exchange Key pair.
	KEKKey  = filepath.Join(KeysPath, "KEK", "KEK.key")
	KEKCert = filepath.Join(KeysPath, "KEK", "KEK.pem")

	// Signature database (db) key pair.
	DBKey  = filepath.Join(KeysPath, "db", "db.key")
	DBCert = filepath.Join(KeysPath, "db", "db.pem")

	// DBPath is the file database written by WriteFileDatabase.
	DBPath = filepath.Join(DatabasePath, "files.db")
	// GUIDPath stores the owner GUID (see CreateGUID / GetGUID).
	GUIDPath = filepath.Join(DatabasePath, "GUID")
)
// Sentinel errors reported by the TPM event log checks. Compare with
// errors.Is so that wrapped values still match.
var (
	// ErrOprom signals that the firmware loaded an option ROM
	// (returned by CheckEventlogOprom).
	ErrOprom = errors.New("uefi has oprom")
	// ErrNoEventlog signals that no TPM event log could be found.
	ErrNoEventlog = errors.New("no eventlog found")
)
// BundleDBPath is the bundle database file (see WriteBundleDatabase /
// ReadBundleDatabase), stored next to the file database under DatabasePath.
var BundleDBPath = filepath.Join(DatabasePath, "bundles.db")
// EfivarFSFiles lists the efivarfs nodes for the PK, KEK and db Secure Boot
// variables (variable name followed by the owning vendor GUID). These are the
// files CheckImmutable inspects for the immutable attribute; efivarfs marks
// variables immutable by default, so the bit must be cleared before writing.
var EfivarFSFiles = []string{
"/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
"/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
"/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f",
}
// ErrAlreadySigned reports that the target file already carries a signature;
// presumably returned by the signing path (Sign/SignFile) — confirm at call sites.
var ErrAlreadySigned = errors.New("already signed file")
// ErrImmutable reports that a file has the immutable attribute set
// (FS_IMMUTABLE_FL), which blocks writes until it is cleared.
var ErrImmutable = errors.New("file is immutable")
// ErrNoESP is returned by GetESP when no EFI system partition can be located.
var ErrNoESP = errors.New("failed to find EFI system partition")
// ErrNotImmutable reports that a file does not have the immutable attribute
// set; the counterpart of ErrImmutable for callers that expect the bit.
var ErrNotImmutable = errors.New("file is not immutable")
// Immutable is a package-level flag that defaults to false. Its consumer is
// not visible here — NOTE(review): presumably toggled by the immutable checks;
// confirm which functions read it before relying on it.
var Immutable bool
// RSAKeySize is the modulus size in bits used when CreateKey generates a new
// Secure Boot key pair. 4096 bits is well above current minimum
// recommendations; lowering it weakens every key created afterwards.
var RSAKeySize = 4096
// SecureBootKeys enumerates the default Secure Boot keys sbctl manages, in
// the order they are created: the Platform Key, the Key Exchange Key and the
// signature database key. Key is the short name also used as the directory
// under KeysPath; Description is the human-readable label.
var SecureBootKeys = []struct {
	Key         string
	Description string
}{
	{Key: "PK", Description: "Platform Key"},
	{Key: "KEK", Description: "Key Exchange Key"},
	{Key: "db", Description: "Database Key"},
}
SecureBootKeys maps the default Secure Boot keys to their descriptions.
Functions ¶
func AddChecked ¶
func AddChecked(path string)
func BundleIter ¶
func CanVerifyFiles ¶
func CanVerifyFiles() error
Check whether the db certificate is accessible, which is required to verify files.
func CheckEventlogOprom ¶
func CheckIfKeysInitialized ¶
Check whether keys have already been initialized in the given output directory.
func CheckImmutable ¶
func CheckImmutable() error
Check whether any of the files in efivarfs have the immutable bit set.
func CheckSbctlInstallation ¶
Checks whether sbctl is set up on this computer.
func ChecksumFile ¶
func CopyDirectory ¶
CopyDirectory moves files and creates directories
func CreateBundle ¶
func CreateDirectory ¶
func CreateGUID ¶
func CreateUUID ¶
func CreateUUID() []byte
func DetectTPMEventlog ¶
func DetectTPMEventlog(sb *signature.SignatureDatabase) bool
func Enroll ¶
func Enroll(sigdb *signature.SignatureDatabase, signerKey, signerPem []byte, efivar string) error
func EnrollCustom ¶
func GenerateBundle ¶
func GetEfistub ¶
func GetEnrolledVendorCerts ¶
func GetEnrolledVendorCerts() []string
func GetEventlogChecksums ¶
func GetEventlogChecksums(eventlog string) (*signature.SignatureDatabase, error)
func InitializeSecureBootKeys ¶
Initialize the Secure Boot keys needed to set up Secure Boot. It creates the following keys:
- Platform Key (PK)
- Key Exchange Key (KEK)
- db (database)
- dbx (forbidden database)
func IsImmutable ¶
Check whether the given file has the immutable bit set.
func ReadOrCreateFile ¶
func SignDatabase ¶
func SigningEntryIter ¶
func SigningEntryIter(fn func(s *SigningEntry) error) error
func VerifyFile ¶
func WriteBundleDatabase ¶
func WriteFileDatabase ¶
func WriteFileDatabase(dbpath string, files SigningEntries) error
Types ¶
type Bundle ¶
// Bundle describes one unified kernel image to assemble: the input pieces
// and where the result is written. The JSON tags are the keys used in the
// bundle database (see WriteBundleDatabase / ReadBundleDatabase), so renaming
// a tag changes the on-disk format.
type Bundle struct {
	// Output is the destination path of the generated image.
	Output string `json:"output"`
	// IntelMicrocode and AMDMicrocode are microcode images; CombineFiles
	// takes a microcode path together with the initramfs.
	IntelMicrocode string `json:"intel_microcode"`
	AMDMicrocode   string `json:"amd_microcode"`
	// KernelImage is the kernel to embed.
	KernelImage string `json:"kernel_image"`
	// Initramfs is the initial ramdisk to embed.
	Initramfs string `json:"initramfs"`
	// Cmdline is the kernel command line (path or literal — confirm at the
	// GenerateBundle call site).
	Cmdline string `json:"cmdline"`
	// Splash is the boot splash image.
	Splash string `json:"splash"`
	// OSRelease is the os-release file to embed.
	OSRelease string `json:"os_release"`
	// EFIStub is the EFI stub loader the pieces are appended to (see GetEfistub).
	EFIStub string `json:"efi_stub"`
	// ESP is the EFI system partition the bundle targets (see GetESP).
	ESP string `json:"esp"`
}
type Bundles ¶
func ReadBundleDatabase ¶
type LsblkEntry ¶
type LsblkRoot ¶
// LsblkRoot is the top-level object of lsblk's JSON output; Blockdevices holds
// one LsblkEntry per device. Presumably decoded by GetESP to locate the EFI
// system partition — confirm at the call site.
type LsblkRoot struct {
Blockdevices []LsblkEntry `json:"blockdevices"`
}
type SigningEntries ¶
// SigningEntries is the in-memory form of the file database, keyed by a
// string (presumably the file path — confirm against ReadFileDatabase) and
// persisted with WriteFileDatabase. Being a map, iteration order is random;
// sort the keys where deterministic output matters.
type SigningEntries map[string]*SigningEntry
func ReadFileDatabase ¶
func ReadFileDatabase(dbpath string) (SigningEntries, error)
type SigningEntry ¶
Source Files ¶