Documentation ¶
Index ¶
- Constants
- Variables
- func GetSupportedSignatures(f io.Reader) ([]util.EFIGUID, error)
- func WriteEFIVariableAuthencation2(b *bytes.Buffer, e EFIVariableAuthentication2)
- func WriteSignatureData(b io.Writer, s SignatureData)
- func WriteSignatureDatabase(b io.Writer, sigdb SignatureDatabase)
- func WriteSignatureList(b io.Writer, s SignatureList)
- func WriteWinCertificate(b *bytes.Buffer, w *WINCertificate)
- func WriteWinCertificateUEFIGUID(b *bytes.Buffer, w *WinCertificateUEFIGUID)
- type CertType
- type EFIVariableAuthentication
- type EFIVariableAuthentication2
- type EFIVariableAuthentication3
- type SignatureData
- type SignatureDatabase
- func (sd *SignatureDatabase) Append(certtype util.EFIGUID, owner util.EFIGUID, data []byte) error
- func (sd *SignatureDatabase) AppendDatabase(s *SignatureDatabase)
- func (sd *SignatureDatabase) AppendList(sl *SignatureList)
- func (sd *SignatureDatabase) AppendSignature(certtype util.EFIGUID, sl *SignatureData) error
- func (sd *SignatureDatabase) Bytes() []byte
- func (sd *SignatureDatabase) BytesExists(certtype util.EFIGUID, owner util.EFIGUID, data []byte) bool
- func (sd *SignatureDatabase) Exists(certtype util.EFIGUID, siglist *SignatureList) bool
- func (sd *SignatureDatabase) Marshal(b *bytes.Buffer)
- func (sd *SignatureDatabase) Remove(certtype util.EFIGUID, owner util.EFIGUID, data []byte) error
- func (sd *SignatureDatabase) RemoveList(sl *SignatureList) error
- func (sd *SignatureDatabase) RemoveSignature(certtype util.EFIGUID, sl *SignatureData) error
- func (sd *SignatureDatabase) SigDataExists(certtype util.EFIGUID, sigdata *SignatureData) bool
- func (sd *SignatureDatabase) Unmarshal(b *bytes.Buffer) error
- type SignatureList
- func (sl *SignatureList) AppendBytes(owner util.EFIGUID, data []byte) error
- func (sl *SignatureList) AppendSignature(s SignatureData) error
- func (sl *SignatureList) Bytes() []byte
- func (sl *SignatureList) CmpHeader(siglist *SignatureList) bool
- func (sl *SignatureList) Exists(sigdata *SignatureData) (bool, int)
- func (sl *SignatureList) ExistsInList(siglist *SignatureList) bool
- func (sl *SignatureList) RemoveBytes(owner util.EFIGUID, data []byte) error
- func (sl *SignatureList) RemoveSignature(s SignatureData) error
- type WINCertType
- type WINCertificate
- type WinCertificateUEFIGUID
Constants ¶
// Human-readable names of the EFI signature schemes. ValidEFISignatureSchemes
// maps the corresponding *_GUID values to the same strings (plus
// "EXTERNAL MANAGEMENT", which has no constant here).
// NOTE(review): only CERT_SHA256 is declared with the CertType type; the other
// entries have no explicit type and are therefore untyped string constants.
// NOTE(review): CERT_SHA384 holds "SHA238", which looks like a typo for
// "SHA384". The same string is used in ValidEFISignatureSchemes, so both
// should be corrected together to keep lookups consistent.
const (
	CERT_SHA256         CertType = "SHA256"
	CERT_RSA2048                 = "RSA2048"
	CERT_RSA2048_SHA256          = "RSA2048 SHA256"
	CERT_SHA1                    = "SHA1"
	CERT_RSA2048_SHA1            = "RSA2048 SHA1"
	CERT_X509                    = "X509"
	CERT_SHA224                  = "SHA224"
	CERT_SHA384                  = "SHA238"
	CERT_SHA512                  = "SHA512"
	CERT_X509_SHA256             = "X509 SHA256"
)
// SizeofSignatureList is the serialized size of the fixed EFI_SIGNATURE_LIST
// header: the SignatureType GUID followed by the three uint32 fields
// (ListSize, HeaderSize, Size) of SignatureList.
const SizeofSignatureList uint32 = util.SizeofEFIGUID + 4 + 4 + 4
SignatureType GUID + sizeof(uint32)*3 (ListSize, HeaderSize, Size)
// SizeofWINCertificate is the serialized size of the fixed WINCertificate
// header fields: Length (uint32), Revision (uint16) and CertType (uint16).
// The variable-length Certificate payload is not included.
const SizeofWINCertificate = 4 + 2 + 2
// SizeofWinCertificateUEFIGUID is the serialized size of the fixed part of
// WinCertificateUEFIGUID: the WINCertificate header plus the CertType GUID.
// The variable-length CertData payload is not included.
const SizeofWinCertificateUEFIGUID = SizeofWINCertificate + util.SizeofEFIGUID
Variables ¶
// GUIDs identifying the signature type of an EFI_SIGNATURE_LIST
// (UEFI spec section 32.4.1). ValidEFISignatureSchemes maps each of these to
// its CertType name.
// NOTE(review): CERT_EXTERNAL_MANAGEMENT_GUID has no matching CERT_* string
// constant in the const block above; its name only exists as a raw string in
// ValidEFISignatureSchemes.
// NOTE(review): declared with var rather than const, so these GUIDs are
// mutable at package level; treat them as read-only.
var (
	CERT_SHA256_GUID              = util.EFIGUID{0xc1c41626, 0x504c, 0x4092, [8]uint8{0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28}}
	CERT_RSA2048_GUID             = util.EFIGUID{0x3c5766e8, 0x269c, 0x4e34, [8]uint8{0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6}}
	CERT_RSA2048_SHA256_GUID      = util.EFIGUID{0xe2b36190, 0x879b, 0x4a3d, [8]uint8{0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84}}
	CERT_SHA1_GUID                = util.EFIGUID{0x826ca512, 0xcf10, 0x4ac9, [8]uint8{0xb1, 0x87, 0xbe, 0x01, 0x49, 0x66, 0x31, 0xbd}}
	CERT_RSA2048_SHA1_GUID        = util.EFIGUID{0x67f8444f, 0x8743, 0x48f1, [8]uint8{0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80}}
	CERT_X509_GUID                = util.EFIGUID{0xa5c059a1, 0x94e4, 0x4aa7, [8]uint8{0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72}}
	CERT_SHA224_GUID              = util.EFIGUID{0xb6e5233, 0xa65c, 0x44c9, [8]uint8{0x94, 0x07, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd}}
	CERT_SHA384_GUID              = util.EFIGUID{0xff3e5307, 0x9fd0, 0x48c9, [8]uint8{0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x01}}
	CERT_SHA512_GUID              = util.EFIGUID{0x93e0fae, 0xa6c4, 0x4f50, [8]uint8{0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a}}
	CERT_X509_SHA256_GUID         = util.EFIGUID{0x3bd2a492, 0x96c0, 0x4079, [8]uint8{0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed}}
	CERT_EXTERNAL_MANAGEMENT_GUID = util.EFIGUID{0x452e8ced, 0xdfff, 0x4b8c, [8]uint8{0xae, 0x01, 0x51, 0x18, 0x86, 0x2e, 0x68, 0x2c}}
)
Section 32.4.1 Signature Database, pages 1714-1717.
// Certificate-type GUIDs carried in WinCertificateUEFIGUID.CertType. Per the
// EFIVariableAuthentication2 documentation only EFI_CERT_TYPE_PKCS7_GUID is
// accepted there; where EFI_CERT_TYPE_RSA2048_SHA256_GUID is consumed is not
// visible on this page.
// NOTE(review): declared with var rather than const, so these GUIDs are
// mutable at package level; treat them as read-only.
var (
	EFI_CERT_TYPE_RSA2048_SHA256_GUID = util.EFIGUID{0xa7717414, 0xc616, 0x4977, [8]uint8{0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}
	EFI_CERT_TYPE_PKCS7_GUID          = util.EFIGUID{0x4aafd29d, 0x68df, 0x49ee, [8]uint8{0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7}}
)
// Sentinel errors returned by this package; match them with errors.Is so that
// wrapped errors are still recognised.

// ErrNoSuchSignatureScheme reports a signature-type GUID that is not
// recognised (presumably one absent from ValidEFISignatureSchemes — confirm
// against callers).
var ErrNoSuchSignatureScheme = errors.New("no such signature scheme")

// ErrNotFoundSigData reports that a SignatureData entry was not present where
// it was looked up or removed.
var ErrNotFoundSigData = errors.New("signature data not found")

// ErrNotFoundSigList reports that a SignatureList was not present in the
// SignatureDatabase.
var ErrNotFoundSigList = errors.New("signature list not found")

// ErrParse reports that a serialized structure could not be decoded.
var ErrParse = errors.New("could not parse struct")

// ErrSigDataExists reports an attempt to append SignatureData that is already
// present.
var ErrSigDataExists = errors.New("signature data exists already")
// ValidEFISignatureSchemes maps each supported signature-type GUID to its
// CertType name. The values repeat the CERT_* string constants as raw
// literals rather than referencing them, so the two must be kept in sync by
// hand.
// NOTE(review): CERT_SHA384_GUID maps to "SHA238", which looks like a typo for
// "SHA384" and mirrors the same string in the CERT_SHA384 constant; fix both
// together.
// NOTE(review): a package-level map is mutable; callers should treat it as
// read-only.
var ValidEFISignatureSchemes = map[util.EFIGUID]CertType{
	CERT_SHA256_GUID:              "SHA256",
	CERT_RSA2048_GUID:             "RSA2048",
	CERT_RSA2048_SHA256_GUID:      "RSA2048 SHA256",
	CERT_SHA1_GUID:                "SHA1",
	CERT_RSA2048_SHA1_GUID:        "RSA2048 SHA1",
	CERT_X509_GUID:                "X509",
	CERT_SHA224_GUID:              "SHA224",
	CERT_SHA384_GUID:              "SHA238",
	CERT_SHA512_GUID:              "SHA512",
	CERT_X509_SHA256_GUID:         "X509 SHA256",
	CERT_EXTERNAL_MANAGEMENT_GUID: "EXTERNAL MANAGEMENT",
}
Quick-access list. Maybe a map[string]EFIGUID would be more convenient?
// WINCertTypeString gives the UEFI name of each known WINCertType value.
// Values outside the map (including the reserved range 0x0EF0-0x0EFF) have no
// entry, so callers should check the second return value of the lookup.
var WINCertTypeString = map[WINCertType]string{
	0x0002: "WIN_CERT_TYPE_PKCS_SIGNED_DATA",
	0x0EF0: "WIN_CERT_TYPE_EFI_PKCS1_15",
	0x0EF1: "WIN_CERT_TYPE_EFI_GUID",
}
// WIN_CERTIFICATE_REVISION is the value that corresponds to the
// WINCertificate.Revision field (UEFI spec page 1705).
// NOTE(review): declared with var rather than const, so it is mutable at
// package level; treat it as read-only.
var WIN_CERTIFICATE_REVISION uint16 = 0x0200
According to page 1705 of the UEFI Specification, February 2020.
Functions ¶
func GetSupportedSignatures ¶
Section 3.3 - Globally Defined Variables. An array of GUIDs representing the types of signatures supported by the platform firmware. It should be treated as read-only.
func WriteEFIVariableAuthencation2 ¶
func WriteEFIVariableAuthencation2(b *bytes.Buffer, e EFIVariableAuthentication2)
func WriteSignatureData ¶
func WriteSignatureData(b io.Writer, s SignatureData)
func WriteSignatureDatabase ¶
func WriteSignatureDatabase(b io.Writer, sigdb SignatureDatabase)
Writes a signature database, which contains a slice of SignatureLists.
func WriteSignatureList ¶
func WriteSignatureList(b io.Writer, s SignatureList)
Writes a signature list
func WriteWinCertificate ¶
func WriteWinCertificate(b *bytes.Buffer, w *WINCertificate)
func WriteWinCertificateUEFIGUID ¶
func WriteWinCertificateUEFIGUID(b *bytes.Buffer, w *WinCertificateUEFIGUID)
Types ¶
type EFIVariableAuthentication ¶
// EFIVariableAuthentication is the counter-based authenticated-write
// descriptor; compare EFIVariableAuthentication2, which carries a timestamp
// instead of MonotonicCount.
//
// Deprecated: marked deprecated in the UEFI specification (page 237) and kept
// here for completeness only.
//
// NOTE(review): AuthInfo is typed util.EFIGUID while its comment names
// WIN_CERTIFICATE_UEFI_GUID (the WinCertificateUEFIGUID type used by
// EFIVariableAuthentication2.AuthInfo); confirm which is intended before
// relying on this struct's layout.
type EFIVariableAuthentication struct {
	MonotonicCount uint64
	AuthInfo       util.EFIGUID // WIN_CERTIFICATE_UEFI_GUID
}
Page 237. Deprecated, but defined anyway.
type EFIVariableAuthentication2 ¶
// EFIVariableAuthentication2 is the time-based authenticated-write descriptor
// (UEFI spec page 238). Only EFI_CERT_TYPE_PKCS7_GUID is accepted as the
// AuthInfo certificate type.
type EFIVariableAuthentication2 struct {
	Time     util.EFITime           // timestamp of the write; presumably included in the signed data — confirm in SignEFIVariable
	AuthInfo WinCertificateUEFIGUID // signature container; CertType must be EFI_CERT_TYPE_PKCS7_GUID
}
Page 238. Only accepts the CertType EFI_CERT_TYPE_PKCS7_GUID.
func NewEFIVariableAuthentication2 ¶
func NewEFIVariableAuthentication2() *EFIVariableAuthentication2
Returns an EFIVariableAuthentication2 struct with no SignedData.
func ReadEFIVariableAuthencation2 ¶
func ReadEFIVariableAuthencation2(f io.Reader) (*EFIVariableAuthentication2, error)
func SignEFIVariable ¶
func SignEFIVariable(v efivar.Efivar, m efivar.Marshallable, key crypto.Signer, cert *x509.Certificate) (*EFIVariableAuthentication2, efivar.Marshallable, error)
func (*EFIVariableAuthentication2) Marshal ¶
func (e *EFIVariableAuthentication2) Marshal(b *bytes.Buffer)
func (*EFIVariableAuthentication2) Unmarshal ¶
func (e *EFIVariableAuthentication2) Unmarshal(b *bytes.Buffer) error
func (*EFIVariableAuthentication2) Verify ¶
func (e *EFIVariableAuthentication2) Verify(cert *x509.Certificate) (bool, error)
type EFIVariableAuthentication3 ¶
// EFIVariableAuthentication3 is the enhanced authenticated-access descriptor
// (UEFI spec page 238). It is only used when
// EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS is set.
type EFIVariableAuthentication3 struct {
	Version      uint8
	Type         uint8
	MetadataSize uint32
	Flags        uint32
}
Page 238. Only used when EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS is set.
type SignatureData ¶
Section 32.4.1 - Signature Database, page 1712.
func ReadSignatureData ¶
func ReadSignatureData(f io.Reader, size uint32) (*SignatureData, error)
func (*SignatureData) Bytes ¶
func (sd *SignatureData) Bytes() []byte
type SignatureDatabase ¶
// SignatureDatabase is an ordered slice of pointers to EFI signature lists.
// The zero value (a nil slice) is an empty database; the *SignatureDatabase
// methods below mutate it in place.
type SignatureDatabase []*SignatureList
SignatureDatabase is a list of EFI signature lists
func NewSignatureDatabase ¶
func NewSignatureDatabase() *SignatureDatabase
func ReadSignatureDatabase ¶
func ReadSignatureDatabase(f io.Reader) (SignatureDatabase, error)
Reads several signature lists from an io.Reader. It treats io.EOF as meaning there are no more signature lists to read, rather than as an error.
func (*SignatureDatabase) AppendDatabase ¶
func (sd *SignatureDatabase) AppendDatabase(s *SignatureDatabase)
Appends a signature database
func (*SignatureDatabase) AppendList ¶
func (sd *SignatureDatabase) AppendList(sl *SignatureList)
Appends a signature list to the database. TODO: should this merge into a matching existing list?
func (*SignatureDatabase) AppendSignature ¶
func (sd *SignatureDatabase) AppendSignature(certtype util.EFIGUID, sl *SignatureData) error
Appends a signature to the database. It scans the database for the appropriate list to append the signature to.
func (*SignatureDatabase) Bytes ¶
func (sd *SignatureDatabase) Bytes() []byte
Serialize the Signature Database into bytes
func (*SignatureDatabase) BytesExists ¶
func (sd *SignatureDatabase) BytesExists(certtype util.EFIGUID, owner util.EFIGUID, data []byte) bool
Checks whether the given signature bytes are present in the signature database.
func (*SignatureDatabase) Exists ¶
func (sd *SignatureDatabase) Exists(certtype util.EFIGUID, siglist *SignatureList) bool
Checks whether all signatures in the list are present in the signature database.
func (*SignatureDatabase) Marshal ¶
func (sd *SignatureDatabase) Marshal(b *bytes.Buffer)
func (*SignatureDatabase) RemoveList ¶
func (sd *SignatureDatabase) RemoveList(sl *SignatureList) error
Removes a signature list from the database
func (*SignatureDatabase) RemoveSignature ¶
func (sd *SignatureDatabase) RemoveSignature(certtype util.EFIGUID, sl *SignatureData) error
Removes a signature from the database. It scans the available lists for a matching entry to remove.
func (*SignatureDatabase) SigDataExists ¶
func (sd *SignatureDatabase) SigDataExists(certtype util.EFIGUID, sigdata *SignatureData) bool
Checks whether all signatures in a list are present in the signature database.
type SignatureList ¶
// SignatureList is an EFI_SIGNATURE_LIST (UEFI spec section 32.4.1, page
// 1713): a fixed header of SizeofSignatureList bytes followed by an optional
// SignatureHeader and a sequence of equally sized SignatureData entries.
// NOTE(review): ListSize, HeaderSize and Size come from the serialized input
// when a list is read; ReadSignatureList should check them against
// SizeofSignatureList and the bytes actually available before allocating or
// slicing on them — confirm that it does.
type SignatureList struct {
	SignatureType   util.EFIGUID    // one of the CERT_*_GUID values; selects the CertType
	ListSize        uint32          // Total size of the signature list, including this header
	HeaderSize      uint32          // Size of SignatureHead
	Size            uint32          // Size of each signature. At least the size of EFI_SIGNATURE_DATA
	SignatureHeader []uint8         // SignatureType defines the content of this header
	Signatures      []SignatureData // SignatureData List
}
Section 32.4.1 - Signature Database, page 1713.
func NewSignatureList ¶
func NewSignatureList(certtype util.EFIGUID) *SignatureList
func ReadSignatureList ¶
func ReadSignatureList(f io.Reader) (*SignatureList, error)
Reads an EFI_SIGNATURE_LIST from an io.Reader. It reads until io.EOF; io.EOF is to be expected when reading multiple lists, since a list is either at the end of the file or is the entire file.
func (*SignatureList) AppendBytes ¶
func (sl *SignatureList) AppendBytes(owner util.EFIGUID, data []byte) error
func (*SignatureList) AppendSignature ¶
func (sl *SignatureList) AppendSignature(s SignatureData) error
func (*SignatureList) Bytes ¶
func (sl *SignatureList) Bytes() []byte
func (*SignatureList) CmpHeader ¶
func (sl *SignatureList) CmpHeader(siglist *SignatureList) bool
Compares the signature lists' headers to see whether they are the same type of list. This is useful for deciding whether the lists can be merged.
func (*SignatureList) Exists ¶
func (sl *SignatureList) Exists(sigdata *SignatureData) (bool, int)
Checks whether the signature exists in the signature list. Returns true, along with the index, if it does.
func (*SignatureList) ExistsInList ¶
func (sl *SignatureList) ExistsInList(siglist *SignatureList) bool
func (*SignatureList) RemoveBytes ¶
func (sl *SignatureList) RemoveBytes(owner util.EFIGUID, data []byte) error
func (*SignatureList) RemoveSignature ¶
func (sl *SignatureList) RemoveSignature(s SignatureData) error
type WINCertType ¶
// WINCertType identifies the kind of certificate carried in
// WINCertificate.CertType; WINCertTypeString gives the name of each known
// value.
type WINCertType uint16

// Known WINCertType values (UEFI spec page 1705). 0x0EF0 to 0x0EFF is the
// reserved range.
// NOTE(review): declared with var rather than const, so these values are
// mutable at package level; treat them as read-only.
var (
	WIN_CERT_TYPE_PKCS_SIGNED_DATA WINCertType = 0x0002
	WIN_CERT_TYPE_EFI_PKCS1_15     WINCertType = 0x0EF0
	WIN_CERT_TYPE_EFI_GUID         WINCertType = 0x0EF1
)
Page 1705: 0x0EF0 to 0x0EFF is the reserved range.
type WINCertificate ¶
// WINCertificate is the PE/COFF WIN_CERTIFICATE structure used for signing
// (UEFI spec page 1705). SizeofWINCertificate covers the three fixed fields;
// Certificate is the variable-length payload that follows them.
// NOTE(review): Length is read from the input by ReadWinCertificate; it
// should be bounded against the available data before Certificate is
// allocated from it — confirm that it is.
type WINCertificate struct {
	Length      uint32      // total length; presumably includes the Certificate payload — confirm in ReadWinCertificate
	Revision    uint16      // compare with WIN_CERTIFICATE_REVISION
	CertType    WINCertType // see WINCertTypeString
	Certificate []uint8
}
PE/COFF structure for signing (page 1705).
func ReadWinCertificate ¶
func ReadWinCertificate(f io.Reader) (WINCertificate, error)
type WinCertificateUEFIGUID ¶
// WinCertificateUEFIGUID is the WIN_CERTIFICATE_UEFI_GUID structure (UEFI spec
// page 1707): a WINCertificate header, a GUID naming the certificate type, and
// the certificate payload. SizeofWinCertificateUEFIGUID covers the fixed part.
// It is the AuthInfo of EFIVariableAuthentication2.
type WinCertificateUEFIGUID struct {
	Header   WINCertificate
	CertType util.EFIGUID // One of the EFI_CERT types
	CertData []uint8      // presumably Header.Length minus the fixed part — confirm in ReadWinCertificateUEFIGUID
}
Should implement an interface. Page 1707.
func ReadWinCertificateUEFIGUID ¶
func ReadWinCertificateUEFIGUID(f io.Reader) (WinCertificateUEFIGUID, error)