Documentation
Overview
Package hsskey provides functionality for generating a key for unlocking drives based on the following procedure:
- Via BMC, read a 32-byte secret seed known as the Host Secret Seed (HSS) using the OpenBMC IPMI blob transfer protocol
- Via EEPROM, read a 32-byte secret seed from EEPROM
- Compute a password as follows: we get the deterministically computed 32-byte HKDF-SHA256 using:
  - salt: "SKM PROD_V2 ACCESS" (default)
  - hss: 32-byte HSS
  - device identity: strings formed by concatenating the assembly serial number, the _ character, and the assembly part number.
Index
- Constants
- func GenPassword(hss []byte, salt string, identifiers ...string) ([]byte, error)
- func GetAllHss(warnings io.Writer, verboseDangerous bool, eepromPattern string, ...) ([][]uint8, error)
- func GetHssFromFile(warnings io.Writer, verboseDangerous bool, filePaths []string, ...) ([][]byte, error)
- func ReadHssFromFile(filePath string, minHssPerFile int) ([][]byte, error)
- func WriteHssToFile(warnings io.Writer, verboseDangerous bool, file *os.File, hss [][]byte) error
- func WriteHssToTempFile(warnings io.Writer, verboseDangerous bool, hss [][]byte) (string, error)
Constants
const (
	DefaultPasswordSalt = "SKM PROD_V2 ACCESS"
)
Variables
This section is empty.
Functions
func GenPassword
GenPassword computes the password deterministically as the 32-byte HKDF-SHA256 of the HSS plus the device identity.
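The derivation described in the Overview and under GenPassword, written out with only the standard library as an added example (not the package's own code). It assumes the HSS is the HKDF input keying material, the salt string is the HKDF salt, and the identifiers joined with "_" are the HKDF info; hkdfSHA256 and derivePassword are hypothetical names, and the seed, serial and part number are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// hkdfSHA256 implements RFC 5869 extract-then-expand with HMAC-SHA256.
func hkdfSHA256(ikm, salt, info []byte, length int) ([]byte, error) {
	if length <= 0 || length > 255*sha256.Size {
		return nil, errors.New("hkdf: invalid output length")
	}
	ext := hmac.New(sha256.New, salt) // extract: PRK = HMAC(salt, IKM)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, t []byte
	for i := byte(1); len(okm) < length; i++ { // expand: T(i) = HMAC(PRK, T(i-1) || info || i)
		exp := hmac.New(sha256.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{i})
		t = exp.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:length], nil
}

// derivePassword is a hypothetical stand-in for GenPassword. Assumption: the
// HSS is the input keying material, the salt string is the HKDF salt, and the
// identifiers joined with "_" form the HKDF info.
func derivePassword(hss []byte, salt string, identifiers ...string) ([]byte, error) {
	if len(hss) != 32 {
		return nil, fmt.Errorf("HSS must be 32 bytes, got %d", len(hss))
	}
	return hkdfSHA256(hss, []byte(salt), []byte(strings.Join(identifiers, "_")), 32)
}

func main() {
	hss := make([]byte, 32) // constructed all-zero seed, not a real HSS
	pw, err := derivePassword(hss, "SKM PROD_V2 ACCESS", "SERIAL0001", "PART0001")
	if err != nil {
		panic(err)
	}
	fmt.Println(hex.EncodeToString(pw))
}
```

Because the device identity enters as HKDF info, the same HSS yields an unrelated password for every serial number and part number pair, so a password recovered from one drive does not unlock another.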
func GetAllHss
func GetAllHss(warnings io.Writer, verboseDangerous bool, eepromPattern string, hssFiles string) ([][]uint8, error)
GetAllHss reads all host secret seeds from IPMI or EEPROM.
- eepromPattern: A string pattern to find EEPROMs in sysfs paths. The glob string used for searching will be in the format "/sys/bus/i2c/devices/{eepromPattern}/eeprom", for example 0-005*. An empty string "" skips the attempt to read from EEPROM.
func GetHssFromFile (added in v0.12.0)
func GetHssFromFile(warnings io.Writer, verboseDangerous bool, filePaths []string, minHssPerFile int) ([][]byte, error)
GetHssFromFile reads HSS keys from the specified files. Each HSS key is 64 bytes long and has a checksum for validation. Duplicate HSS are removed.
func ReadHssFromFile (added in v0.12.0)
ReadHssFromFile reads HSS keys from the specified file. Each HSS key is 64 bytes long and has a checksum for validation.
func WriteHssToFile (added in v0.12.0)
WriteHssToFile writes a list of HSS to an open file. Each HSS key is expected to be 64 bytes long and to have a checksum for validation. HSS that fail to validate are not written to the file. The function returns an error if no HSS are written or writing can no longer continue.
Types
This section is empty.