
refactor: move ukify into Talos code
This is an intermediate step to move parts of `ukify` down to the main
Talos source tree, and call it from `talosctl` binary.

The next step will be to integrate it into the imager and move `.uki`
build out of the Dockerfile.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
smira committed Jul 13, 2023
1 parent d5f6fb9 commit 53873b8
Showing 49 changed files with 1,362 additions and 1,390 deletions.
21 changes: 8 additions & 13 deletions Dockerfile
Expand Up @@ -712,15 +712,11 @@ COPY --from=rootfs / /
LABEL org.opencontainers.image.source https://github.com/siderolabs/talos
ENTRYPOINT ["/sbin/init"]

FROM --platform=${BUILDPLATFORM} tools AS ukify-tools
# base has the talos source with the non-abrev version of TAG
COPY --from=base /src/pkg /go/src/github.com/pkg
COPY ./hack/ukify /go/src/github.com/siderolabs/ukify
RUN --mount=type=cache,target=/.cache \
cd /go/src/github.com/siderolabs/ukify \
&& go test ./... \
&& go build -o ukify . \
&& mv ukify /toolchain/go/bin/
FROM base AS ukify-tools
WORKDIR /src/cmd/ukify
ARG GO_BUILDFLAGS
ARG GO_LDFLAGS
RUN --mount=type=cache,target=/.cache go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /toolchain/bin/ukify

FROM base AS gen-uki-certs
ARG TARGETOS
Expand All @@ -742,7 +738,7 @@ COPY _out/uki-certs _out/uki-certs
RUN ukify

FROM scratch AS uki-amd64
COPY --from=uki-build-amd64 /build/_out/systemd-bootx64.efi.signed /systemd-boot.efi.signed
COPY --from=uki-build-amd64 /build/_out/systemd-boot.efi.signed /systemd-boot.efi.signed
COPY --from=uki-build-amd64 /build/_out/vmlinuz.efi.signed /vmlinuz.efi.signed
COPY --from=uki-build-amd64 /build/_out/uki-certs/PK.auth /PK.auth
COPY --from=uki-build-amd64 /build/_out/uki-certs/KEK.auth /KEK.auth
Expand All @@ -761,7 +757,7 @@ RUN ukify \
-initrd _out/initramfs-arm64.xz

FROM scratch AS uki-arm64
COPY --from=uki-build-arm64 /build/_out/systemd-bootaa64.efi.signed /systemd-boot.efi.signed
COPY --from=uki-build-arm64 /build/_out/systemd-boot.efi.signed /systemd-boot.efi.signed
COPY --from=uki-build-arm64 /build/_out/vmlinuz.efi.signed /vmlinuz.efi.signed
COPY --from=uki-build-amd64 /build/_out/uki-certs/PK.auth /PK.auth
COPY --from=uki-build-amd64 /build/_out/uki-certs/KEK.auth /KEK.auth
Expand Down Expand Up @@ -1121,10 +1117,9 @@ COPY ./hack/docgen ./hack/docgen
COPY ./hack/gotagsrewrite ./hack/gotagsrewrite
COPY ./hack/module-sig-verify ./hack/module-sig-verify
COPY ./hack/structprotogen ./hack/structprotogen
COPY ./hack/ukify ./hack/ukify
# fail always to get the output back
RUN --mount=type=cache,target=/.cache <<EOF
for project in pkg/machinery . hack/cloud-image-uploader hack/docgen hack/gotagsrewrite hack/module-sig-verify hack/structprotogen hack/ukify; do
for project in pkg/machinery . hack/cloud-image-uploader hack/docgen hack/gotagsrewrite hack/module-sig-verify hack/structprotogen; do
echo -e "\n>>>> ${project}:" && \
(cd "${project}" && go list -u -m -json all | go-mod-outdated -update -direct)
done
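Review bot: The rebuilt `ukify-tools` stage (`FROM base AS ukify-tools` through `go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /toolchain/bin/ukify`) drops the `go test ./...` that the removed `hack/ukify` stage ran before building, so the tool is no longer exercised at the point it is built. If the package's tests are now picked up by the main unit-test stage that is fine, but the hunk gives no indication of it, so it is worth confirming. The old stage was also pinned with `--platform=${BUILDPLATFORM}` while the new one inherits whatever platform `base` runs on; if `base` is not itself build-platform pinned, the `ukify` binary that the later stages invoke via `RUN ukify` will be built for the target architecture and fail to execute on cross-platform builds. A one-line comment on the stage such as `# ukify runs on the build host during the uki-build stages; it must be built for BUILDPLATFORM` would make the intent explicit.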
39 changes: 21 additions & 18 deletions cmd/talosctl/cmd/mgmt/gen/secureboot.go
Expand Up @@ -43,22 +43,18 @@ var genSecurebootUKICmd = &cobra.Command{
Long: ``,
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "uki", genSecurebootUKICmdFlags.commonName, 4096)
return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "uki", genSecurebootUKICmdFlags.commonName, 4096, true)
},
}

var genSecurebootPCRCmdFlags struct {
commonName string
}

// genSecurebootPCRCmd represents the `gen secureboot pcr` command.
var genSecurebootPCRCmd = &cobra.Command{
Use: "pcr",
Short: "Generates a certificate which is used to sign TPM PCR values",
Short: "Generates a key which is used to sign TPM PCR values",
Long: ``,
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "pcr", genSecurebootPCRCmdFlags.commonName, 2048)
return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "pcr", "dummy", 2048, false)
},
}

Expand Down Expand Up @@ -99,7 +95,7 @@ func checkedWrite(path string, data []byte, perm fs.FileMode) error { //nolint:u
return os.WriteFile(path, data, perm)
}

func generateSigningCerts(path, prefix, commonName string, rsaBits int) error {
func generateSigningCerts(path, prefix, commonName string, rsaBits int, outputCert bool) error {
currentTime := time.Now()

opts := []x509.Option{
Expand All @@ -116,24 +112,32 @@ func generateSigningCerts(path, prefix, commonName string, rsaBits int) error {
return err
}

if err = checkedWrite(filepath.Join(path, prefix+"-signing-cert.pem"), signingKey.CrtPEM, 0o600); err != nil {
return err
if outputCert {
if err = checkedWrite(filepath.Join(path, prefix+"-signing-cert.pem"), signingKey.CrtPEM, 0o600); err != nil {
return err
}
}

if err = checkedWrite(filepath.Join(path, prefix+"-signing-key.pem"), signingKey.KeyPEM, 0o600); err != nil {
return err
}

pemKey := x509.PEMEncodedKey{
Key: signingKey.KeyPEM,
}
if !outputCert {
pemKey := x509.PEMEncodedKey{
Key: signingKey.KeyPEM,
}

privKey, err := pemKey.GetRSAKey()
if err != nil {
return err
privKey, err := pemKey.GetRSAKey()
if err != nil {
return err
}

if err = checkedWrite(filepath.Join(path, prefix+"-signing-public-key.pem"), privKey.PublicKeyPEM, 0o600); err != nil {
return err
}
}

return checkedWrite(filepath.Join(path, prefix+"-signing-public-key.pem"), privKey.PublicKeyPEM, 0o600)
return nil
}

// generateSecureBootDatabase generates a UEFI database to enroll the signing certificate.
Expand Down Expand Up @@ -216,7 +220,6 @@ func init() {
genSecurebootUKICmd.Flags().StringVar(&genSecurebootUKICmdFlags.commonName, "common-name", "Test UKI Signing Key", "common name for the certificate")
genSecurebootCmd.AddCommand(genSecurebootUKICmd)

genSecurebootPCRCmd.Flags().StringVar(&genSecurebootPCRCmdFlags.commonName, "common-name", "Test PCR Signing Key", "common name for the certificate")
genSecurebootCmd.AddCommand(genSecurebootPCRCmd)

genSecurebootDatabaseCmd.Flags().StringVar(
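Review bot: The new positional `outputCert bool` on `generateSigningCerts` does more than its name says: when true the X.509 certificate is written next to the private key, when false the PEM public key is written instead and `commonName` becomes irrelevant, which is why the `pcr` command now passes `"dummy"` and its `--common-name` flag was dropped, yet the call sites read only as `…, 4096, true)` and `…, 2048, false)`. The function has no doc comment; one along the lines of `// generateSigningCerts writes <prefix>-signing-key.pem plus either the signing certificate (outputCert=true) or the PEM public key (outputCert=false, commonName unused) into path.` would capture that contract, or the flag could become a small named type so the intent is visible at the call site. Inside the new `if !outputCert` block, `privKey, err := pemKey.GetRSAKey()` declares a fresh `err` that shadows the function-level one; it is checked immediately so this is harmless today, but `err = ` with a separate `var privKey` declaration avoids the shadow that vet's shadow analyzer flags. How `commonName` feeds the certificate options is outside the hunk (the options list at the top of the function and the lines between the two hunks are not shown), so the comment wording should be checked against that code.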
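--- a/cmd/ukify/main.go
+++ b/cmd/ukify/main.go
@@ -0,0 +1,64 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package main provides the ukfiy implementation.
+package main
+
+import (
+"flag"
+"fmt"
+"log"
+
+"github.com/siderolabs/go-procfs/procfs"
+
+"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform"
+"github.com/siderolabs/talos/internal/pkg/secureboot/uki"
+"github.com/siderolabs/talos/pkg/machinery/constants"
+kernelpkg "github.com/siderolabs/talos/pkg/machinery/kernel"
+)
+
+// NOTE: this is temporary implementation, it will be moved to the imager
+// in the next round of refactoring.
+
+func run() error {
+metal, err := platform.NewPlatform("metal")
+if err != nil {
+return fmt.Errorf("failed to create platform: %w", err)
+}
+
+defaultCmdline := procfs.NewCmdline("")
+defaultCmdline.Append(constants.KernelParamPlatform, "metal")
+
+if err := defaultCmdline.AppendAll(kernelpkg.DefaultArgs); err != nil {
+return err
+}
+
+if err := defaultCmdline.AppendAll(metal.KernelArgs().Strings()); err != nil {
+return err
+}
+
+var builder uki.Builder
+
+flag.StringVar(&builder.SdStubPath, "sd-stub", "_out/linuxx64.efi.stub", "path to sd-stub")
+flag.StringVar(&builder.SdBootPath, "sd-boot", "_out/systemd-bootx64.efi", "path to sd-boot")
+flag.StringVar(&builder.KernelPath, "kernel", "_out/vmlinuz-amd64", "path to kernel image")
+flag.StringVar(&builder.InitrdPath, "initrd", "_out/initramfs-amd64.xz", "path to initrd image")
+flag.StringVar(&builder.Cmdline, "cmdline", defaultCmdline.String(), "kernel cmdline")
+flag.StringVar(&builder.SigningKeyPath, "signing-key-path", "_out/uki-certs/uki-signing-key.pem", "path to signing key")
+flag.StringVar(&builder.SigningCertPath, "signing-cert-path", "_out/uki-certs/uki-signing-cert.pem", "path to signing cert")
+flag.StringVar(&builder.PCRSigningKeyPath, "pcr-signing-key-path", "_out/uki-certs/pcr-signing-key.pem", "path to PCR signing key")
+flag.StringVar(&builder.PCRPublicKeyPath, "pcr-public-key-path", "_out/uki-certs/pcr-signing-public-key.pem", "path to PCR public key")
+
+flag.StringVar(&builder.OutUKIPath, "output", "_out/vmlinuz.efi.signed", "output path")
+flag.StringVar(&builder.OutSdBootPath, "sdboot-output", "_out/systemd-boot.efi.signed", "output path")
+flag.Parse()
+
+return builder.Build()
+}
+
+func main() {
+if err := run(); err != nil {
+log.Fatal(err)
+}
+}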
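Review bot: `run` calls `flag.Parse()` but never checks `flag.NArg()`, so any stray positional argument (for example a path whose `-flag=` prefix was mistyped) is silently ignored and the build proceeds with the compiled-in defaults, including the default signing-key paths; add `if flag.NArg() != 0 { return fmt.Errorf("unexpected arguments: %q", flag.Args()) }` right after `flag.Parse()`. The package comment `// Package main provides the ukfiy implementation.` misspells the tool name and should read `ukify`. The `-output` and `-sdboot-output` flags share the help text `"output path"`; `"path for the signed UKI"` and `"path for the signed sd-boot"` would tell them apart in `-help` output. `run` has no doc comment; given the NOTE above it, a one-liner such as `// run assembles the UKI (and sd-boot) from the flag-selected inputs, seeding the kernel cmdline with the metal platform defaults.` would be enough, with what `Build` does with the key paths left to the uki package, which is not shown here.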
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -76,6 +76,7 @@ require (
github.com/mdlayher/netlink v1.7.2
github.com/mdlayher/netx v0.0.0-20230430222610-7e21880baee8
github.com/nberlee/go-netstat v0.1.2
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0-rc4
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/packethost/packngo v0.30.0
Expand All @@ -89,7 +90,7 @@ require (
github.com/ryanuber/go-glob v1.0.0
github.com/safchain/ethtool v0.3.0
github.com/scaleway/scaleway-sdk-go v1.0.0-beta.18
github.com/siderolabs/crypto v0.4.0
github.com/siderolabs/crypto v0.4.1
github.com/siderolabs/discovery-api v0.1.3
github.com/siderolabs/discovery-client v0.1.5
github.com/siderolabs/gen v0.4.5
Expand Down Expand Up @@ -241,7 +242,6 @@ require (
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/nsf/termbox-go v0.0.0-20190121233118-02980233997d // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/runc v1.1.5 // indirect
github.com/opencontainers/selinux v1.11.0 // indirect
github.com/pelletier/go-toml/v2 v2.0.6 // indirect
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -1143,8 +1143,8 @@ github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
github.com/sethgrid/pester v1.2.0 h1:adC9RS29rRUef3rIKWPOuP1Jm3/MmB6ke+OhE5giENI=
github.com/sethgrid/pester v1.2.0/go.mod h1:hEUINb4RqvDxtoCaU0BNT/HV4ig5kfgOasrf1xcvr0A=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/siderolabs/crypto v0.4.0 h1:o1KIR1KyevUcY9nbJlSyQAj7+p+rveGGF8LjAAFMtjc=
github.com/siderolabs/crypto v0.4.0/go.mod h1:itZpBsJ9i0aH8jiHAuSlKCal7hni7X1aDYo6vGVl5LY=
github.com/siderolabs/crypto v0.4.1 h1:PP84WSDDyCCbjYKePcc0IaMSPXDndz8V3cQ9hMRSvpA=
github.com/siderolabs/crypto v0.4.1/go.mod h1:nJmvkqWy1Hngbzw3eg2TdtJ/ZYHHofQK1NbmmYywW8k=
github.com/siderolabs/discovery-api v0.1.3 h1:37ue+0w2A7Q2FrhyuDbfdhL4VPvDTpCzUYGvibhMwv0=
github.com/siderolabs/discovery-api v0.1.3/go.mod h1:fC6DOJwYQy2QsMCLLTvoScKmBCMNza+VwK2/RHLsoHU=
github.com/siderolabs/discovery-client v0.1.5 h1:CyaOOynanZdB29v46lyEOaNfPoBnKjjEBwdYbyCZEh4=
1 change: 0 additions & 1 deletion go.work
Expand Up @@ -7,6 +7,5 @@ use (
./hack/gotagsrewrite
./hack/module-sig-verify
./hack/structprotogen
./hack/ukify
./pkg/machinery
)
31 changes: 0 additions & 31 deletions hack/ukify/go.mod

This file was deleted.

