secureboot

package
v1.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 17, 2023 License: MPL-2.0 Imports: 0 Imported by: 0

Documentation

Overview

Package secureboot contains base definitions for the Secure Boot process.

Index

Constants

View Source
const (
	// UKIPCR is the PCR number where sections except `.pcrsig` are measured.
	UKIPCR = 11
	// SecureBootStatePCR is the PCR number where the secure boot state and the signature are measured.
	// PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated.
	SecureBootStatePCR = 7
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Phase

type Phase string

Phase is the phase value extended to the PCR.

const (
	// EnterInitrd is the phase value extended to the PCR during the initrd.
	EnterInitrd Phase = "enter-initrd"
	// LeaveInitrd is the phase value extended to the PCR just before switching to machined.
	LeaveInitrd Phase = "leave-initrd"
	// EnterMachined is the phase value extended to the PCR before starting machined.
	// There should be only a signed signature for the enter-machined phase.
	EnterMachined Phase = "enter-machined"
	// StartTheWorld is the phase value extended to the PCR before starting all services.
	StartTheWorld Phase = "start-the-world"
)

type PhaseInfo

type PhaseInfo struct {
	Phase              Phase
	CalculateSignature bool
}

PhaseInfo describes which phase extensions are signed/measured.

func OrderedPhases

func OrderedPhases() []PhaseInfo

OrderedPhases returns the phases that are measured, in order.

Derived from https://github.com/systemd/systemd/blob/v253/src/boot/measure.c#L295-L308 ref: https://www.freedesktop.org/software/systemd/man/systemd-pcrphase.service.html#Description

In the case of Talos disk decryption, happens in machined, so we need to only sign EnterMachined so that machined can only decrypt the disk if the system booted with the correct kernel/initrd/cmdline OrderedPhases returns the phases that are measured.

type Section

type Section string

Section is a name of a PE file section (UEFI binary).

const (
	Linux   Section = ".linux"
	OSRel   Section = ".osrel"
	CMDLine Section = ".cmdline"
	Initrd  Section = ".initrd"
	Splash  Section = ".splash"
	DTB     Section = ".dtb"
	Uname   Section = ".uname"
	SBAT    Section = ".sbat"
	PCRSig  Section = ".pcrsig"
	PCRPKey Section = ".pcrpkey"
)

List of well-known section names.

func OrderedSections

func OrderedSections() []Section

OrderedSections returns the sections that are measured into PCR.

Derived from https://github.com/systemd/systemd/blob/main/src/fundamental/tpm-pcr.h#L23-L36 .pcrsig section is omitted here since that's what we are calulating here.

Directories

Path Synopsis
Package measure contains Go implementation of 'systemd-measure' command.
Package measure contains Go implementation of 'systemd-measure' command.
internal/pcr
Package pcr contains code that handles PCR operations.
Package pcr contains code that handles PCR operations.
Package pesign implements the PE (portable executable) signing.
Package pesign implements the PE (portable executable) signing.
Package tpm2 provides TPM2.0 related functionality helpers.
Package tpm2 provides TPM2.0 related functionality helpers.
Package uki creates the UKI file out of the sd-stub and other sections.
Package uki creates the UKI file out of the sd-stub and other sections.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL