
Fix/gofmt and read cert cleanup #64

Merged
merged 3 commits into from
Aug 25, 2023
3 changes: 3 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -20,6 +20,9 @@ jobs:
libdevmapper-dev libacl1-dev libarchive-tools pip squashfs-tools \
sbsigntool
pip install virt-firmware
- name: lint
run: |
make gofmt
- name: build
run: |
make
Expand Down
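--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.made-gofmt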
12 changes: 11 additions & 1 deletion Makefile
Expand Up @@ -5,10 +5,20 @@ ifeq ($(MAIN_VERSION),$(filter $(MAIN_VERSION), "", no-git))
$(error "Bad value for MAIN_VERSION: '$(MAIN_VERSION)'")
endif

GO_SRC_DIRS := pkg/ cmd/
GO_SRC := $(shell find $(GO_SRC_DIRS) -name "*.go")

VERSION_LDFLAGS=-X github.com/project-machine/trust/pkg/trust.Version=$(MAIN_VERSION)
trust: cmd/trust/*.go pkg/trust/*.go pkg/printdirtree/*.go
trust: .made-gofmt $(GO_SRC)
go build -buildvcs=false -ldflags "$(VERSION_LDFLAGS)" -o trust ./cmd/trust/

.PHONY: gofmt
gofmt: .made-gofmt
.made-gofmt: $(GO_SRC)
o=$$(gofmt -l -w $(GO_SRC_DIRS) 2>&1) && [ -z "$$o" ] || \
{ echo "gofmt made changes: $$o" 1>&2; exit 1; }
@touch $@

clean:
rm -f trust

Expand Down
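Review bot: The `.made-gofmt` recipe runs `gofmt -l -w`, so a failing lint check rewrites files in the working tree as a side effect, and in the CI `lint` step that calls `make gofmt` (build.yml, earlier on this page) those rewritten files are discarded with the runner while the log only lists the file names. A check-only recipe, `o=$$(gofmt -l $(GO_SRC_DIRS) 2>&1) && [ -z "$$o" ] || \`, keeps `make gofmt` free of side effects; if the auto-fix is wanted locally, a separate target with `-w` separates the two. Printing `gofmt -d` output in the failure branch would also let CI logs show the offending formatting rather than just the paths. Note that `GO_SRC` is evaluated with `find` when the Makefile is parsed, so only files under `pkg/ cmd/` are covered — presumably intentional.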
2 changes: 1 addition & 1 deletion cmd/trust/computepcr.go
Expand Up @@ -4,8 +4,8 @@ import (
"errors"
"fmt"

"github.com/urfave/cli"
"github.com/project-machine/trust/pkg/trust"
"github.com/urfave/cli"
)

var computePCR7Cmd = cli.Command{
Expand Down
2 changes: 1 addition & 1 deletion cmd/trust/extendpcr.go
@@ -1,8 +1,8 @@
package main

import (
"github.com/urfave/cli"
"github.com/project-machine/trust/pkg/trust"
"github.com/urfave/cli"
)

var extendPCR7Cmd = cli.Command{
Expand Down
1 change: 0 additions & 1 deletion cmd/trust/main.go
Expand Up @@ -39,7 +39,6 @@ func main() {

// verify
verifyCmd,

}
app.Flags = []cli.Flag{
cli.BoolFlag{
Expand Down
4 changes: 2 additions & 2 deletions cmd/trust/policygen.go
@@ -1,11 +1,11 @@
package main

import (
"os"
"errors"
"os"

"github.com/urfave/cli"
"github.com/project-machine/trust/pkg/trust"
"github.com/urfave/cli"
)

var tpmPolicyGenCmd = cli.Command{
Expand Down
2 changes: 1 addition & 1 deletion cmd/trust/project.go
Expand Up @@ -93,7 +93,7 @@ func doListProjects(ctx *cli.Context) error {
return nil
}

dirs, err := os.ReadDir(keysetPath)
dirs, err := os.ReadDir(keysetPath)
if err != nil {
return fmt.Errorf("Failed reading keys directory %q: %w", trustDir, err)
}
Expand Down
14 changes: 7 additions & 7 deletions cmd/trust/sign.go
Expand Up @@ -9,25 +9,25 @@ import (
)

var signCmd = cli.Command{
Name: "sign",
Name: "sign",
Usage: "Create Digital Signature",
Subcommands: []cli.Command{
cli.Command{
Name: "efi",
Action: doSignEFI,
Usage: "sign an efi binary",
Name: "efi",
Action: doSignEFI,
Usage: "sign an efi binary",
ArgsUsage: "<efi-file>",
Flags: []cli.Flag{
cli.StringFlag{
Name: "key",
Name: "key",
Usage: "The private key to sign the efi binary.",
},
cli.StringFlag{
Name: "cert",
Name: "cert",
Usage: "The X509 certificate for creating signature.",
},
cli.StringFlag{
Name: "output",
Name: "output",
Usage: "PathName for the signed efi binary.",
},
},
Expand Down
8 changes: 4 additions & 4 deletions cmd/trust/sudi.go
Expand Up @@ -35,8 +35,9 @@ var sudiCmd = cli.Command{
}

// ~/.local/share/machine/trust/keys/
// keyset1/manifest/project-name/{uuid,privkey.pem,cert.pem}
// keyset1/manifest/project-name/sudi/host-serial/{uuid,privkey.pem,cert.pem}
//
// keyset1/manifest/project-name/{uuid,privkey.pem,cert.pem}
// keyset1/manifest/project-name/sudi/host-serial/{uuid,privkey.pem,cert.pem}
func doGenSudi(ctx *cli.Context) error {
args := ctx.Args()
if len(args) != 2 && len(args) != 3 {
Expand Down Expand Up @@ -90,7 +91,6 @@ func doGenSudi(ctx *cli.Context) error {
return errors.Wrapf(err, "Failed creating new SUDI directory")
}


if err := SignCert(&certTmpl, caCert, caKey, snPath); err != nil {
os.RemoveAll(snPath)
return errors.Wrapf(err, "Failed creating new SUDI keypair")
Expand Down Expand Up @@ -134,7 +134,7 @@ func doListSudi(ctx *cli.Context) error {
}

dir := filepath.Join(projPath, "sudi")
serials, err := os.ReadDir(dir)
serials, err := os.ReadDir(dir)
if err != nil {
return fmt.Errorf("Failed reading sudi directory %q: %w", dir, err)
}
Expand Down
34 changes: 13 additions & 21 deletions cmd/trust/utils.go
Expand Up @@ -6,16 +6,16 @@ import (
"crypto/sha1"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"encoding/hex"
"encoding/json"
"encoding/pem"
"fmt"
"io"
"math/big"
"os"
"path/filepath"
"time"
"strings"
"time"

"github.com/google/uuid"
"github.com/pkg/errors"
Expand Down Expand Up @@ -438,15 +438,7 @@ func createPCR7Index(pcr7Val []byte) (string, error) {
}

func extractPubkey(certPath string) (*rsa.PublicKey, error) {
certPEM, err := os.ReadFile(certPath)
if err != nil {
return nil, err
}
block, _ := pem.Decode([]byte(certPEM))
if block == nil {
return nil, fmt.Errorf("Failed to decode the certificate (%q)", certPath)
}
parsedCert, err := x509.ParseCertificate(block.Bytes)
parsedCert, err := readCertificateFromFile(certPath)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -490,9 +482,9 @@ func addPcr7data(keysetName string, pdata pcr7Data) error {
var tpmpolAdminpubkey, tpmpolLukspubkey *rsa.PublicKey
var jsonInfo []byte
type PCR7info struct {
Key string `json:"key"`
Key string `json:"key"`
KeyType string `json:"key_type"`
Date string `json:"est_date"`
Date string `json:"est_date"`
Comment string `json:"comment"`
}

Expand Down Expand Up @@ -522,7 +514,7 @@ func addPcr7data(keysetName string, pdata pcr7Data) error {
pcr7dataPath := filepath.Join(keysetPath, "pcr7data/policy-2")
if !PathExists(pcr7dataPath) {
err = os.MkdirAll(keysetPath, 0750)
if err != nil {
if err != nil {
return err
}
} else {
Expand Down Expand Up @@ -554,7 +546,7 @@ func addPcr7data(keysetName string, pdata pcr7Data) error {
}
tpmpolLukspubkey, err = extractPubkey(filepath.Join(keysetPath, "tpmpol-luks/cert.pem"))
if err != nil {
return err
return err
}
err = savePubkeytoFile(tpmpolLukspubkey, filepath.Join(pcr7dataPubkeys, "luks-snakeoil.pem"))
if err != nil {
Expand Down Expand Up @@ -589,18 +581,18 @@ func addPcr7data(keysetName string, pdata pcr7Data) error {
date := time.Now()
formatted := date.Format("2006-01-02")
timestamp := strings.ReplaceAll(formatted, "-", "")
info := &PCR7info{Key: keysetName, KeyType: pcr, Date: timestamp, Comment: "mos"+" "+keysetName}
info := &PCR7info{Key: keysetName, KeyType: pcr, Date: timestamp, Comment: "mos" + " " + keysetName}
jsonInfo, err = json.Marshal(info)
if err != nil {
return err
}
if err = os.WriteFile(jsonFile, jsonInfo, 0644); err != nil {
return err
return err
}

// write out info
switch pcr {
case "limited" :
case "limited":
pcrFile := filepath.Join(indexdir, "pcr_limited.bin")
if err = os.WriteFile(pcrFile, pdata.limited, 0644); err != nil {
return err
Expand All @@ -613,7 +605,7 @@ func addPcr7data(keysetName string, pdata pcr7Data) error {
if err = os.WriteFile(pcrFile, pdata.production, 0644); err != nil {
return err
}
case "tpm" :
case "tpm":
// Create policy file and Sign the policy
policyFile := filepath.Join(indexdir, "tpm_passwd.policy.signed")
if err = os.WriteFile(policyFile, pdata.passwdPolicyDigest, 0644); err != nil {
Expand All @@ -623,7 +615,7 @@ func addPcr7data(keysetName string, pdata pcr7Data) error {
if err = trust.Sign(policyFile, policyFile, signingKey); err != nil {
return err
}
case "production" :
case "production":
// Sign the policy
policyFile := filepath.Join(indexdir, "tpm_luks.policy.signed")
if err = os.WriteFile(policyFile, pdata.luksPolicyDigest, 0644); err != nil {
Expand All @@ -633,7 +625,7 @@ func addPcr7data(keysetName string, pdata pcr7Data) error {
if err = trust.Sign(policyFile, policyFile, signingKey); err != nil {
return err
}
default :
default:
return errors.New("Unrecognized uki key")
}
}
Expand Down
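Review bot: In `extractPubkey` the error from `readCertificateFromFile(certPath)` is returned unchanged, whereas the inline code it replaces reported `certPath` in its decode failure; unless the helper (not visible in this chunk) already includes the path, callers such as `addPcr7data`, which reads several certs in a row, can no longer tell which file failed. Wrapping it keeps that context in the file's existing style: `return nil, fmt.Errorf("Failed reading certificate %q: %w", certPath, err)`. `extractPubkey` continues below the hunk. Unrelated to this change but visible in the same section's context, the `!PathExists(pcr7dataPath)` branch calls `os.MkdirAll(keysetPath, 0750)` rather than creating `pcr7dataPath`; worth confirming that is intended.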
10 changes: 5 additions & 5 deletions cmd/trust/verify.go
Expand Up @@ -9,17 +9,17 @@ import (
)

var verifyCmd = cli.Command{
Name: "verify",
Name: "verify",
Usage: "Verify a digital Signature",
Subcommands: []cli.Command{
cli.Command{
Name: "efi",
Action: doVerifyEFI,
Usage: "verify a signed efi binary",
Name: "efi",
Action: doVerifyEFI,
Usage: "verify a signed efi binary",
ArgsUsage: "<signed-efi-file>",
Flags: []cli.Flag{
cli.StringFlag{
Name: "cert",
Name: "cert",
Usage: "The X509 certificate to verify signature.",
},
},
Expand Down
4 changes: 2 additions & 2 deletions pkg/trust/artifacts.go
Expand Up @@ -307,7 +307,7 @@ func findSection(lines []string, which string) (int64, int64, bool) {
}

func extractObj(objdump []string, dir string, piece string) error {
outName := filepath.Join(dir, piece + ".out")
outName := filepath.Join(dir, piece+".out")
offset, size, found := findSection(objdump, piece)
if !found {
return fmt.Errorf("Symbol %s not found", piece)
Expand Down Expand Up @@ -387,7 +387,7 @@ func ReplaceManifestCert(dir, newCert string) (string, error) {
}

err := RunCommand("objcopy",
"--add-section=.initrd=" + initrdgz,
"--add-section=.initrd="+initrdgz,
"--change-section-vma=.initrd=0x3000000",
k2, kret)
if err != nil {
Expand Down
4 changes: 2 additions & 2 deletions pkg/trust/cert.go
Expand Up @@ -10,8 +10,8 @@ import (
"os"

"github.com/foxboron/go-uefi/efi/pecoff"
"github.com/foxboron/go-uefi/efi/util"
"github.com/foxboron/go-uefi/efi/pkcs7"
"github.com/foxboron/go-uefi/efi/util"
)

// VerifyCert checks that the product cert was signed by the
Expand Down Expand Up @@ -145,7 +145,7 @@ func SignEFI(sourcePath, signedPath, keyPath, certPath string) error {
// Get the key to use for signing
privkey, err := util.ReadKeyFromFile(keyPath)
if err != nil {
return fmt.Errorf("Failed reading (%q): %w", keyPath, err)
return fmt.Errorf("Failed reading (%q): %w", keyPath, err)
}
cert, err := util.ReadCertFromFile(certPath)
if err != nil {
Expand Down
11 changes: 6 additions & 5 deletions pkg/trust/computepcr7.go
Expand Up @@ -18,6 +18,7 @@ import (
const ShimLockGUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
const ShimVendordbGUID = "00000000-0000-0000-0000-000000000000"
const SBAT = "sbat,1,2021030218\012"

// Using DBX data from current ovmf_vars.fd in bootkit.
// Revisit if ovmf or dbx changes. We need to eventually manage dbx.
const DBX = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
Expand Down Expand Up @@ -49,7 +50,7 @@ func getCertGUID(guidfile string) (efi.GUID, error) {
return efi.GUID{}, fmt.Errorf("Failed to read %q: (%w)", guidfile, err)
}
certGuid, err := efi.DecodeGUIDString(string(cGuid))
if err != nil {
if err != nil {
return efi.GUID{}, fmt.Errorf("Failed to decode the guid in %q: (%w)", guidfile, err)
}

Expand Down Expand Up @@ -183,14 +184,14 @@ func getHash(unicodeName string, varGuid efi.GUID, keysetPath string) ([]byte, e

func ComputePCR7(keysetName string) ([]byte, []byte, []byte, error) {
var pcr7Val = []byte{00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00, 00, 00, 00}
00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00, 00, 00, 00}

// List of uefi Secure boot vars that get measured.
// It includes certs that get measured at boot. UKI certs are measured
// separately since we have 3 possible. Also measured in this order.
var uefiMeasured = []string{"SecureBoot", "PK", "KEK", "db", "dbx","separator",
"shim-cert", "SbatLevel", "MokListTrusted" }
var uefiMeasured = []string{"SecureBoot", "PK", "KEK", "db", "dbx", "separator",
"shim-cert", "SbatLevel", "MokListTrusted"}

shimLockGuid, err := efi.DecodeGUIDString(ShimLockGUID)
if err != nil {
Expand Down