diff --git a/cmd/trust/keyset.go b/cmd/trust/keyset.go
index 8a37c0e..b630b25 100644
--- a/cmd/trust/keyset.go
+++ b/cmd/trust/keyset.go
@@ -231,11 +231,6 @@ func initkeyset(keysetName string, Org []string) error {
 return fmt.Errorf("Failed to add the pcr7data to keyset %q: (%w)", keysetName, err)
 }
- // Now create the bootkit artifacts
- if err = trust.SetupBootkit(keysetName); err != nil {
- return fmt.Errorf("Failed creating bootkit artifacts for keyset %q: (%w)", keysetName, err)
- }
-
 return nil
 }
@@ -336,17 +331,26 @@ func doAddKeyset(ctx *cli.Context) error {
 return fmt.Errorf("%s keyset already exists", keysetName)
 }
- // git clone if keyset is snakeoil
- if keysetName == "snakeoil" {
+ switch keysetName {
+ case keysetName:
+ // git clone if keyset is snakeoil
 _, err = git.PlainClone(keysetPath, false, &git.CloneOptions{URL: "https://github.com/project-machine/keys.git"})
- if err != nil {
- os.Remove(keysetPath)
- return err
- }
- return nil
+
+ default:
+ // Otherwise, generate a new keyset
+ err = initkeyset(keysetName, Org)
 }
- // Otherwise, generate a new keyset
- return initkeyset(keysetName, Org)
+ if err != nil {
+ os.Remove(keysetPath)
+ return errors.Wrapf(err, "Failed creating keyset %q", keysetName)
+ }
+
+ // Now create the bootkit artifacts
+ if err = trust.SetupBootkit(keysetName); err != nil {
+ return fmt.Errorf("Failed creating bootkit artifacts for keyset %q: (%w)", keysetName, err)
+ }
+
+ return nil
 }
 func doListKeysets(ctx *cli.Context) error {
diff --git a/pkg/trust/artifacts.go b/pkg/trust/artifacts.go
index c68d460..11d01a3 100644
--- a/pkg/trust/artifacts.go
+++ b/pkg/trust/artifacts.go
@@ -4,9 +4,11 @@ import (
 "fmt"
 "os"
 "path/filepath"
+ "runtime"
 "strconv"
 "strings"
+ "github.com/apex/log"
 efi "github.com/canonical/go-efilib"
 ispec "github.com/opencontainers/image-spec/specs-go/v1"
 rspec "github.com/opencontainers/runtime-spec/specs-go"
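Review bot: `case keysetName:` compares the switch value with itself, so it matches every name and the `default` branch that calls `initkeyset` is unreachable; as written, every `keyset add <name>` clones the public snakeoil repository from GitHub instead of generating fresh keys, so a user who asked for a new keyset silently receives keys whose private halves are published. The case should read `case "snakeoil":`, which is what the removed `if keysetName == "snakeoil"` expressed. Separately, when `trust.SetupBootkit` fails the partially created keyset directory is left in place, unlike the clone/`initkeyset` failure path just above which removes it; a consistent cleanup would be `os.RemoveAll(keysetPath)` on that path too (and `os.Remove` on a populated clone directory will presumably fail for the same reason, though that predates this change). doAddKeyset starts before the hunk.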
@@ -162,6 +164,16 @@ func UpdateShim(inShim, newShim, keysetPath string) error {
 }
 func SetupBootkit(keysetName string) error {
+ // TODO - we have to fix this by
+ // a. having bootkit generate arm64
+ // b. changing the bootkit layer naming to reflect arch
+ // c. using the bootkit api here instead of doing it ourselves
+ // for now, we just do nothing on arm64
+ if runtime.GOARCH != "amd64" {
+ log.Warnf("Running on %q, so not building bootkit artifacts (only amd64 supported).", runtime.GOARCH)
+ return nil
+ }
+
 tmpdir, err := os.MkdirTemp("", "trust-bootkit")
 if err != nil {
 return errors.Wrapf(err, "Failed creating temporary directory")
@@ -244,17 +256,17 @@ func SetupBootkit(keysetName string) error {
 if err != nil {
 return errors.Wrapf(err, "failed reading uefi-pk guid")
 }
- pkGuid := string(pkGuidBytes)
+ pkGuid := strings.TrimSpace(string(pkGuidBytes))
 kekGuidBytes, err := os.ReadFile(filepath.Join(keysetPath, "uefi-kek", "guid"))
 if err != nil {
 return errors.Wrapf(err, "failed reading uefi-kek guid")
 }
- kekGuid := string(kekGuidBytes)
+ kekGuid := strings.TrimSpace(string(kekGuidBytes))
 dbGuidBytes, err := os.ReadFile(filepath.Join(keysetPath, "uefi-db", "guid"))
 if err != nil {
 return errors.Wrapf(err, "failed reading uefi-db guid")
 }
- dbGuid := string(dbGuidBytes)
+ dbGuid := strings.TrimSpace(string(dbGuidBytes))
 outFile := filepath.Join(destDir, "ovmf-vars.fd")
 cmd = []string{
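Review bot: On a non-amd64 host the new early return reports success while producing none of the bootkit artifacts, so a caller such as doAddKeyset cannot tell a complete keyset from one that is missing its artifacts; the only signal is a log line. This contract should at least be stated on the exported function, e.g. `// SetupBootkit builds the bootkit artifacts for keysetName. On architectures other than amd64 it logs a warning and returns nil without creating anything (see the TODO); callers must not assume the artifacts exist.` If any caller does need to distinguish the two outcomes, returning a sentinel error that callers check with `errors.Is` would be more honest than nil, though whether such a caller exists cannot be seen from here. The function's body continues past the hunk.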
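Review bot: TrimSpace removes stray newlines from the three `guid` files but still accepts any content, and the values appear to feed the command assembled at `cmd = []string{` just below (its arguments are outside the hunk), so a malformed or tampered guid file in the keyset directory would reach that tool unchecked. The read-then-trim sequence is also repeated three times; one helper that reads, trims and validates the 8-4-4-4-12 form removes the duplication and closes the gap. `regexp` is not among the imports shown, so the helper below needs it added (or, if the imported go-efilib package provides a GUID string parser, use that instead of a regexp). Suggested helper and call sites:
```go
// guidRe matches the canonical 8-4-4-4-12 hex GUID form; a keyset guid file must hold exactly one.
var guidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)

// readGUID returns the trimmed GUID stored in <keysetPath>/<sub>/guid, rejecting
// anything that is not a single well-formed GUID so odd file content cannot be
// passed on to the tools invoked later in SetupBootkit.
func readGUID(keysetPath, sub string) (string, error) {
	b, err := os.ReadFile(filepath.Join(keysetPath, sub, "guid"))
	if err != nil {
		return "", errors.Wrapf(err, "failed reading %s guid", sub)
	}
	g := strings.TrimSpace(string(b))
	if !guidRe.MatchString(g) {
		return "", fmt.Errorf("%s guid file does not contain a valid GUID: %q", sub, g)
	}
	return g, nil
}

// … in SetupBootkit, replacing the three read/trim blocks …
pkGuid, err := readGUID(keysetPath, "uefi-pk")
// … unchanged: error check …
kekGuid, err := readGUID(keysetPath, "uefi-kek")
// … unchanged: error check …
dbGuid, err := readGUID(keysetPath, "uefi-db")
// … unchanged: error check, outFile, cmd assembly …
```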