package sbctl
import (
"errors"
"os"
"github.com/foxboron/go-uefi/efi/signature"
"github.com/foxboron/go-uefi/efivar"
"github.com/foxboron/go-uefi/efivarfs"
"github.com/foxboron/sbctl/backend"
)
// EFIVariables holds the Secure Boot signature databases (PK, KEK, db, dbx)
// that sbctl manages, together with the efivarfs handle used to read them
// from and write them back to the firmware.
type EFIVariables struct {
	// fs is the efivarfs backend; EnrollKey writes authenticated updates
	// through it and SystemEFIVariables reads the current databases from it.
	fs *efivarfs.Efivarfs
	// Platform Key database. Root of the hierarchy; self-signed when enrolled.
	PK *signature.SignatureDatabase
	// Key Exchange Key database; signed by PK when enrolled.
	KEK *signature.SignatureDatabase
	// Allowed-signatures database; signed by KEK when enrolled.
	Db *signature.SignatureDatabase
	// Forbidden-signatures database. Not enrolled by EnrollAllKeys and not
	// read from the system by SystemEFIVariables (it always starts empty).
	Dbx *signature.SignatureDatabase
}
// GetSiglist returns the signature database this EFIVariables tracks for ev,
// or nil when ev is not one of PK, KEK, db or dbx.
func (e *EFIVariables) GetSiglist(ev efivar.Efivar) *signature.SignatureDatabase {
	byVariable := map[efivar.Efivar]*signature.SignatureDatabase{
		efivar.PK:  e.PK,
		efivar.KEK: e.KEK,
		efivar.Db:  e.Db,
		efivar.Dbx: e.Dbx,
	}
	// A missing key yields the nil zero value, matching the "unknown variable" case.
	return byVariable[ev]
}
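// EnrollKey writes the signature database tracked for ev to the firmware as
// an authenticated variable update, signed with the key the UEFI hierarchy
// expects for that variable: PK is self-signed, KEK is signed by PK, and db
// is signed by KEK.
//
// Variables that have no signer in that chain (dbx, or anything GetSiglist
// does not know about), as well as a hierarchy that lacks the required key,
// are rejected with an error; previously the nil signer was dereferenced.
func (e *EFIVariables) EnrollKey(ev efivar.Efivar, hier *backend.KeyHierarchy) error {
	// Pick the signer mandated by the hierarchy for this variable.
	var signer backend.KeyBackend
	switch ev {
	case efivar.PK:
		signer = hier.GetKeyBackend(efivar.PK)
	case efivar.KEK:
		signer = hier.GetKeyBackend(efivar.PK)
	case efivar.Db:
		signer = hier.GetKeyBackend(efivar.KEK)
	}
	if signer == nil {
		// Reached for dbx/unknown variables (no case above) and for a
		// hierarchy missing the parent key; signer.Signer() would panic.
		return errors.New("enrolling key: no signing key available for this variable")
	}
	return e.fs.WriteSignedUpdate(ev, e.GetSiglist(ev), signer.Signer(), signer.Certificate())
}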
// EnrollAllKeys enrolls db, KEK and PK, in that order, stopping at the first
// failure. PK is written last: db and KEK are signed by their parents, and
// enrolling PK is typically what ends firmware setup mode, so it must not
// happen before the lower databases are in place.
func (e *EFIVariables) EnrollAllKeys(hier *backend.KeyHierarchy) error {
	order := []efivar.Efivar{efivar.Db, efivar.KEK, efivar.PK}
	for _, ev := range order {
		if err := e.EnrollKey(ev, hier); err != nil {
			return err
		}
	}
	return nil
}
// NewEFIVariables returns an EFIVariables bound to fs whose four signature
// databases are all freshly created and empty.
func NewEFIVariables(fs *efivarfs.Efivarfs) *EFIVariables {
	vars := &EFIVariables{fs: fs}
	vars.PK = signature.NewSignatureDatabase()
	vars.KEK = signature.NewSignatureDatabase()
	vars.Db = signature.NewSignatureDatabase()
	vars.Dbx = signature.NewSignatureDatabase()
	return vars
}
// SystemEFIVariables builds an EFIVariables from the db, KEK and PK databases
// currently stored in the firmware. A variable that does not exist yet (e.g.
// firmware with no keys enrolled) is represented by an empty database rather
// than an error; any other read failure aborts. dbx is not read and always
// starts empty.
func SystemEFIVariables(fs *efivarfs.Efivarfs) (*EFIVariables, error) {
	// loadOrEmpty turns "variable not present" into a fresh empty database
	// and passes every other error through unchanged.
	loadOrEmpty := func(read func() (*signature.SignatureDatabase, error)) (*signature.SignatureDatabase, error) {
		db, err := read()
		switch {
		case errors.Is(err, os.ErrNotExist):
			return signature.NewSignatureDatabase(), nil
		case err != nil:
			return nil, err
		}
		return db, nil
	}

	// Read order is db, KEK, PK; the first hard error wins.
	sigdb, err := loadOrEmpty(func() (*signature.SignatureDatabase, error) { return fs.Getdb() })
	if err != nil {
		return nil, err
	}
	sigkek, err := loadOrEmpty(func() (*signature.SignatureDatabase, error) { return fs.GetKEK() })
	if err != nil {
		return nil, err
	}
	sigpk, err := loadOrEmpty(func() (*signature.SignatureDatabase, error) { return fs.GetPK() })
	if err != nil {
		return nil, err
	}

	return &EFIVariables{
		fs:  fs,
		PK:  sigpk,
		KEK: sigkek,
		Db:  sigdb,
		Dbx: signature.NewSignatureDatabase(),
	}, nil
}