Generate bootkit artifacts for snakeoil as well

Also, simply do nothing if not on amd64, since we don't have arm64 artifacts. Signed-off-by: Serge Hallyn <[email protected]>
project-machine · Aug 24, 2023 · f9f56e5 · f9f56e5
1 parent 5cc5a70
commit f9f56e5
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 17 deletions.
diff --git a/cmd/trust/keyset.go b/cmd/trust/keyset.go
@@ -231,11 +231,6 @@ func initkeyset(keysetName string, Org []string) error {
 		return fmt.Errorf("Failed to add the pcr7data to keyset %q: (%w)", keysetName, err)
 	}
 
-	// Now create the bootkit artifacts
-	if err = trust.SetupBootkit(keysetName); err != nil {
-		return fmt.Errorf("Failed creating bootkit artifacts for keyset %q: (%w)", keysetName, err)
-	}
-
 	return nil
 }
 
@@ -336,17 +331,26 @@ func doAddKeyset(ctx *cli.Context) error {
 		return fmt.Errorf("%s keyset already exists", keysetName)
 	}
 
-	// git clone if keyset is snakeoil
-	if keysetName == "snakeoil" {
+	switch keysetName {
+	case keysetName:
+		// git clone if keyset is snakeoil
 		_, err = git.PlainClone(keysetPath, false, &git.CloneOptions{URL: "https://github.com/project-machine/keys.git"})
-		if err != nil {
-			os.Remove(keysetPath)
-			return err
-		}
-		return nil
+
+	default:
+		// Otherwise, generate a new keyset
+		err = initkeyset(keysetName, Org)
 	}
-	// Otherwise, generate a new keyset
-	return initkeyset(keysetName, Org)
+	if err != nil {
+		os.Remove(keysetPath)
+		return errors.Wrapf(err, "Failed creating keyset %q", keysetName)
+	}
+
+	// Now create the bootkit artifacts
+	if err = trust.SetupBootkit(keysetName); err != nil {
+		return fmt.Errorf("Failed creating bootkit artifacts for keyset %q: (%w)", keysetName, err)
+	}
+
+	return nil
 }
 
 func doListKeysets(ctx *cli.Context) error {

diff --git a/pkg/trust/artifacts.go b/pkg/trust/artifacts.go
@@ -4,9 +4,11 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strconv"
 	"strings"
 
+	"github.com/apex/log"
 	efi "github.com/canonical/go-efilib"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
@@ -162,6 +164,16 @@ func UpdateShim(inShim, newShim, keysetPath string) error {
 }
 
 func SetupBootkit(keysetName string) error {
+	// TODO - we have to fix this by
+	// a. having bootkit generate arm64
+	// b. changing the bootkit layer naming to reflect arch
+	// c. using the bootkit api here instead of doing it ourselves
+	// for now, we just do nothing on arm64
+	if runtime.GOARCH != "amd64" {
+		log.Warnf("Running on %q, so not building bootkit artifacts (only amd64 supported).", runtime.GOARCH)
+		return nil
+	}
+
 	tmpdir, err := os.MkdirTemp("", "trust-bootkit")
 	if err != nil {
 		return errors.Wrapf(err, "Failed creating temporary directory")
@@ -244,17 +256,17 @@ func SetupBootkit(keysetName string) error {
 	if err != nil {
 		return errors.Wrapf(err, "failed reading uefi-pk guid")
 	}
-	pkGuid := string(pkGuidBytes)
+	pkGuid := strings.TrimSpace(string(pkGuidBytes))
 	kekGuidBytes, err := os.ReadFile(filepath.Join(keysetPath, "uefi-kek", "guid"))
 	if err != nil {
 		return errors.Wrapf(err, "failed reading uefi-kek guid")
 	}
-	kekGuid := string(kekGuidBytes)
+	kekGuid := strings.TrimSpace(string(kekGuidBytes))
 	dbGuidBytes, err := os.ReadFile(filepath.Join(keysetPath, "uefi-db", "guid"))
 	if err != nil {
 		return errors.Wrapf(err, "failed reading uefi-db guid")
 	}
-	dbGuid := string(dbGuidBytes)
+	dbGuid := strings.TrimSpace(string(dbGuidBytes))
 
 	outFile := filepath.Join(destDir, "ovmf-vars.fd")
 	cmd = []string{