commit 0b5d4a46eaf0cd6e2bb36a0a5b2ba46802388b52 Author: Morten Linderud Date: Sun May 3 19:41:09 2020 +0200 Init Signed-off-by: Morten Linderud
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..215353d
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,18 @@
+Copyright 2020 Morten Linderud
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..9044f23
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,24 @@
+PROGNM ?= sbctl
+PREFIX ?= /usr/local
+BINDIR ?= $(PREFIX)/bin
+SHRDIR ?= $(PREFIX)/share
+DOCDIR ?= $(PREFIX)/share/doc
+MANDIR ?= $(PREFIX)/share/man
+MANS = $(basename $(wildcard docs/*.txt))
+
+all: man sbctl
+man: $(MANS)
+$(MANS):
+
+docs/sbctl.%: docs/sbctl.%.txt docs/asciidoc.conf
+ a2x --no-xmllint --asciidoc-opts="-f docs/asciidoc.conf" -d manpage -f manpage -D docs $<
+
+install: man
+ install -Dm755 sbctl -t $(DESTDIR)$(BINDIR)
+ for manfile in $(MANS); do \
+ install -Dm644 $$manfile -t $(DESTDIR)$(MANDIR)/man$${manfile##*.}; \
+ done;
+ install -Dm644 LICENSE -t $(DESTDIR)$(SHRDIR)/licenses/$(PROGNM)
+
+clean:
+ rm -f $(MANS)
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e468a33
--- /dev/null
+++ b/README.md
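Review bot: `all: man sbctl` and `install -Dm755 sbctl` both depend on a `sbctl` binary, but no rule in this Makefile produces one, so a fresh checkout fails with "No rule to make target 'sbctl'" unless the binary was built by hand beforehand; since the main package lives in `cmd/` (`cmd/main.go` in this commit), add a `sbctl:` target with the recipe `go build -o $@ ./cmd`. There is also no `.PHONY: all man install clean` declaration, so a stray file named `install` or `clean` in the tree silently turns those targets into no-ops; add it at the top.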
@@ -0,0 +1,159 @@
+sbctl - Secure Boot Manager
+===========================
+
+The goal of the project is to have one consisten UI to manage secure boot keys.
+
+# Features
+* Manages secure boot keys
+* Live enrollment of secure boot keys
+* Signing database to help keep track of files to sign
+* Verify ESP of files missing signatures
+* EFI stub generation
+
+# Roadmap
+
+* Convert to use [goefi](https://github.com/Foxboron/goefi) instead of relying on `sbsigntoosl`
+* Key rotation
+* Customize keys
+* Secure the keys
+
+# Usage
+
+```
+$ sbctl
+Secure Boot key manager
+
+Usage:
+ sbctl [command]
+
+Available Commands:
+ bundle Bundle the needed files for an EFI stub image
+ create-keys Create a set of secure boot signing keys
+ enroll-keys Enroll the current keys to EFI
+ generate-bundles Generate all EFI stub bundles
+ help Help about any command
+ list-bundles List stored bundles
+ list-files List enrolled files
+ remove-bundle Remove bundle from database
+ sign Sign a file with secure boot keys
+ sign-all Sign all enrolled files with secure boot keys
+ status Show current boot status
+ verify-esp Find and check if files in the ESP are signed or not
+
+Flags:
+ -h, --help help for sbctl
+
+Use "sbctl [command] --help" for more information about a command.
+```
+
+## Key creation and enrollment
+
+```
+$ sbctl status
+==> WARNING: Setup Mode: Enabled
+==> WARNING: Secure Boot: Disabled
+
+$ sbctl create-keys
+==> Creating secure boot keys...
+ -> Using UUID d6e9af79-c6b5-4b43-b893-dbb7e6570142...
+==> Signing /usr/share/secureboot/keys/PK/PK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
+==> Signing /usr/share/secureboot/keys/KEK/KEK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
+==> Signing /usr/share/secureboot/keys/db/db.der.esl with /usr/share/secureboot/keys/KEK/KEK.key...
+
+$ sbctl enroll-keys
+==> Syncing /usr/share/secureboot/keys to EFI variables...
+==> Synced keys!
+
+$ sbctl status
+==> Setup Mode: Disabled
+==> WARNING: Secure Boot: Disabled
+
+# Reboot!
+$ sbctl status
+==> Setup Mode: Disabled
+==> Secure Boot: Enabled
+```
+
+
+## Signatures
+```
+$ sbctl verify
+==> Verifying file database and EFI images in /efi...
+ -> WARNING: /boot/vmlinuz-linux is not signed
+ -> WARNING: /efi/EFI/BOOT/BOOTX64.EFI is not signed
+ -> WARNING: /efi/EFI/BOOT/KeyTool-signed.efi is not signed
+ -> WARNING: /efi/EFI/Linux/linux-linux.efi is not signed
+ -> WARNING: /efi/EFI/arch/fwupdx64.efi is not signed
+ -> WARNING: /efi/EFI/systemd/systemd-bootx64.efi is not signed
+
+$ sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI
+==> Signing /efi/EFI/BOOT/BOOTX64.EFI...
+
+$ sbctl sign -s /efi/EFI/arch/fwupdx64.efi
+==> Signing /efi/EFI/arch/fwupdx64.efi...
+
+$ sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
+==> Signing /efi/EFI/systemd/systemd-bootx64.efi...
+
+$ sbctl sign -s /usr/lib/fwupd/efi/fwupdx64.efi -o /usr/lib/fwupd/efi/fwupdx64.efi.signed
+==> Signing /usr/lib/fwupd/efi/fwupdx64.efi...
+
+$ sbctl verify
+==> Verifying file database and EFI images in /efi...
+ -> /usr/lib/fwupd/efi/fwupdx64.efi.signed is signed
+ -> /efi/EFI/BOOT/BOOTX64.EFI is signed
+ -> /efi/EFI/arch/fwupdx64.efi is signed
+ -> /efi/EFI/systemd/systemd-bootx64.efi is signed
+ -> WARNING: /boot/vmlinuz-linux is not signed
+ -> WARNING: /efi/EFI/BOOT/KeyTool-signed.efi is not signed
+ -> WARNING: /efi/EFI/Linux/linux-linux.efi is not signed
+
+$ sbctl list-files
+==> File: /efi/EFI/BOOT/BOOTX64.EFI
+ -> Output: /efi/EFI/BOOT/BOOTX64.EFI
+==> File: /efi/EFI/arch/fwupdx64.efi
+ -> Output: /efi/EFI/arch/fwupdx64.efi
+==> File: /efi/EFI/systemd/systemd-bootx64.efi
+ -> Output: /efi/EFI/systemd/systemd-bootx64.efi
+==> File: /efi/vmlinuz-linux
+ -> Output: /efi/vmlinuz-linux
+==> File: /usr/lib/fwupd/efi/fwupdx64.efi
+ -> Output: /usr/lib/fwupd/efi/fwupdx64.efi.signed
+```
+
+## Generate EFI Stub
+```
+$ sbctl bundle -s -i /boot/intel-ucode.img \
+ -l /usr/share/systemd/bootctl/splash-arch.bmp \
+ -k /boot/vmlinuz-linux \
+ -f /boot/initramfs-linux.img \
+ /boot/EFI/Linux/linux-linux.efi
+==> Wrote EFI bundle /boot/EFI/Linux/linux-linux.efi
+==> Bundle: /boot/EFI/Linux/linux-linux.efi
+ -> Intel Microcode: /boot/intel-ucode.img
+ -> Kernel Image: /boot/vmlinuz-linux
+ -> Initramfs Image: /boot/initramfs-linux.img
+ -> Cmdline: /proc/cmdline
+ -> OS Relase: /usr/lib/os-release
+ -> EFI Stub Image: /usr/lib/systemd/boot/efi/linuxx64.efi.stub
+ -> ESP Location: /efi
+ -> Splash Image: /usr/share/systemd/bootctl/splash-arch.bmp
+ -> Output: /boot/EFI/Linux/linux-linux.efi
+
+$ sbctl list-bundles
+==> Bundle: /boot/EFI/Linux/linux-linux.efi
+ -> Intel Microcode: /boot/intel-ucode.img
+ -> Kernel Image: /boot/vmlinuz-linux
+ -> Initramfs Image: /boot/initramfs-linux.img
+ -> Cmdline: /proc/cmdline
+ -> OS Relase: /usr/lib/os-release
+ -> EFI Stub Image: /usr/lib/systemd/boot/efi/linuxx64.efi.stub
+ -> ESP Location: /efi
+ -> Splash Image: /usr/share/systemd/bootctl/splash-arch.bmp
+ -> Output: /boot/EFI/Linux/linux-linux.efi
+
+$ sbctl generate-bundles
+==> Generating EFI bundles....
+==> Wrote EFI bundle /boot/EFI/Linux/linux-linux.efi
+```
+
diff --git a/bundles.go b/bundles.go
new file mode 100644
index 0000000..d28397e
--- /dev/null
+++ b/bundles.go
@@ -0,0 +1,115 @@
+package sbctl
+
+import (
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "log"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "strings"
+)
+
+type Bundle struct {
+ Output string `json:"output"`
+ IntelMicrocode string `json:"intel_microcode"`
+ AMDMicrocode string `json:"amd_microcode"`
+ KernelImage string `json:"kernel_image"`
+ Initramfs string `json:"initramfs"`
+ Cmdline string `json:"cmdline"`
+ Splash string `json:"splash"`
+ OSRelease string `json:"os_release"`
+ EFIStub string `json:"efi_stub"`
+ ESP string `json:"esp"`
+}
+
+type Bundles map[string]*Bundle
+
+var BundleDBPath = filepath.Join(DatabasePath, "bundles.db")
+
+func ReadBundleDatabase(dbpath string) Bundles {
+ bundles := make(Bundles)
+ os.MkdirAll(DatabasePath, os.ModePerm)
+ if _, err := os.Stat(BundleDBPath); os.IsNotExist(err) {
+ file, err := os.Create(BundleDBPath)
+ if err != nil {
+ log.Fatal(err)
+ }
+ file.Close()
+ }
+ f, err := ioutil.ReadFile(dbpath)
+ if err != nil {
+ log.Fatal(err)
+ }
+ json.Unmarshal(f, &bundles)
+ return bundles
+}
+
+func WriteBundleDatabase(dbpath string, bundles Bundles) {
+ data, err := json.MarshalIndent(bundles, "", " ")
+ if err != nil {
+ log.Fatal(err)
+ }
+ err = ioutil.WriteFile(dbpath, data, 0644)
+ if err != nil {
+ log.Fatal(err)
+ }
+}
+
+func NewBundle() *Bundle {
+ esp := GetESP()
+ return &Bundle{
+ Output: "",
+ IntelMicrocode: "",
+ AMDMicrocode: "",
+ KernelImage: filepath.Join(esp, "vmlinuz-linux"),
+ Initramfs: filepath.Join(esp, "initramfs-linux.img"),
+ Cmdline: "/proc/cmdline",
+ Splash: "",
+ OSRelease: "/usr/lib/os-release",
+ EFIStub: "/usr/lib/systemd/boot/efi/linuxx64.efi.stub",
+ ESP: esp,
+ }
+}
+
+func GenerateBundle(bundle *Bundle) bool {
+ args := ""
+ args += fmt.Sprintf("--add-section .osrel=%s --change-section-vma .osrel=0x20000 ", bundle.OSRelease)
+ args += fmt.Sprintf("--add-section .cmdline=%s --change-section-vma .cmdline=0x30000 ", bundle.Cmdline)
+ if bundle.Splash != "" {
+ args += fmt.Sprintf("--add-section .splash=%s --change-section-vma .splash=0x40000 ", bundle.Splash)
+ }
+ args += fmt.Sprintf("--add-section .linux=%s --change-section-vma .linux=0x2000000 ", bundle.KernelImage)
+ args += fmt.Sprintf("--add-section .initrd=%s --change-section-vma .initrd=0x3000000 ", bundle.Initramfs)
+ args += fmt.Sprintf("%s %s", bundle.EFIStub, bundle.Output)
+ cmd := exec.Command("objcopy", strings.Split(args, " ")...)
+ cmd.Stdout = os.Stdout
+ if err := cmd.Run(); err != nil {
+ if exitError, ok := err.(*exec.ExitError); ok {
+ return exitError.ExitCode() == 0
+ }
+ }
+ msg.Printf("Wrote EFI bundle %s", bundle.Output)
+ return true
+}
+
+func FormatBundle(name string, bundle *Bundle) {
+ msg.Printf("Bundle: %s", name)
+ if bundle.AMDMicrocode != "" {
+ msg2.Printf("AMD Microcode: %s", bundle.AMDMicrocode)
+ }
+ if bundle.IntelMicrocode != "" {
+ msg2.Printf("Intel Microcode: %s", bundle.IntelMicrocode)
+ }
+ msg2.Printf("Kernel Image: %s", bundle.KernelImage)
+ msg2.Printf("Initramfs Image: %s", bundle.Initramfs)
+ msg2.Printf("Cmdline: %s", bundle.Cmdline)
+ msg2.Printf("OS Relase: %s", bundle.OSRelease)
+ msg2.Printf("EFI Stub Image: %s", bundle.EFIStub)
+ msg2.Printf("ESP Location: %s", bundle.ESP)
+ if bundle.Splash != "" {
+ msg2.Printf("Splash Image: %s", bundle.Splash)
+ }
+ msg2.Printf("Output: %s", bundle.Output)
+}
diff --git a/cmd/main.go b/cmd/main.go
new file mode 100644
index 0000000..cc599e8
--- /dev/null
+++ b/cmd/main.go
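Review bot: `GenerateBundle` reports success when `objcopy` never ran: if the binary is missing from `PATH`, `cmd.Run()` returns an `*exec.Error` rather than an `*exec.ExitError`, the type assertion fails, control falls out of the `if`, and the function prints `Wrote EFI bundle` and returns `true` with no output file on disk — anything that then signs or enrolls that path has nothing to work with. Any non-nil error should yield `false`, and `cmd.Stderr` should be wired to `os.Stderr` so objcopy's own diagnostics are not swallowed. Building one string and then `strings.Split(args, " ")` also breaks every section path containing a space (all `Bundle` fields come straight from the `bundle` command's flags), so pass a `[]string` to `exec.Command` directly (the `strings` import then goes away). Separately, `ReadBundleDatabase` ignores the `json.Unmarshal` error and stats/creates `BundleDBPath` instead of the `dbpath` it was given, so a corrupt `bundles.db` reads as empty and is overwritten on the next save; check the error and use `dbpath` consistently.
```go
func GenerateBundle(bundle *Bundle) bool {
	args := []string{
		"--add-section", ".osrel=" + bundle.OSRelease, "--change-section-vma", ".osrel=0x20000",
		"--add-section", ".cmdline=" + bundle.Cmdline, "--change-section-vma", ".cmdline=0x30000",
	}
	if bundle.Splash != "" {
		args = append(args, "--add-section", ".splash=" + bundle.Splash, "--change-section-vma", ".splash=0x40000")
	}
	args = append(args,
		"--add-section", ".linux=" + bundle.KernelImage, "--change-section-vma", ".linux=0x2000000",
		"--add-section", ".initrd=" + bundle.Initramfs, "--change-section-vma", ".initrd=0x3000000",
		bundle.EFIStub, bundle.Output,
	)
	cmd := exec.Command("objcopy", args...)
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	if err := cmd.Run(); err != nil {
		// Covers both a non-zero objcopy exit and a failure to start it at all.
		return false
	}
	// … unchanged: success message and return true …
}
```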
@@ -0,0 +1,239 @@
+package main
+
+import (
+ "fmt"
+ "log"
+ "os"
+ "path/filepath"
+
+ "github.com/foxboron/sbctl"
+ "github.com/spf13/cobra"
+)
+
+var rootCmd = &cobra.Command{
+ Use: "sbctl",
+ Short: "Secure Boot key manager",
+}
+
+func createKeysCmd() *cobra.Command {
+ return &cobra.Command{
+ Use: "create-keys",
+ Short: "Create a set of secure boot signing keys",
+ Run: func(cmd *cobra.Command, args []string) {
+ sbctl.CreateKeys()
+ },
+ }
+}
+
+func enrollKeysCmd() *cobra.Command {
+ return &cobra.Command{
+ Use: "enroll-keys",
+ Short: "Enroll the current keys to EFI",
+ Run: func(cmd *cobra.Command, args []string) {
+ sbctl.SyncKeys()
+ },
+ }
+}
+
+func signCmd() *cobra.Command {
+ var save bool
+ var output string
+
+ cmd := &cobra.Command{
+ Use: "sign",
+ Short: "Sign a file with secure boot keys",
+ Run: func(cmd *cobra.Command, args []string) {
+ if len(args) < 1 {
+ log.Fatalf("Requires a file to sign...\n")
+ }
+ sbctl.Sign(args[0], output, save)
+ },
+ }
+ f := cmd.Flags()
+ f.BoolVarP(&save, "save", "s", false, "save file to the database")
+ f.StringVarP(&output, "output", "o", "", "output filename. Default replaces the file")
+ return cmd
+}
+
+func signAllCmd() *cobra.Command {
+ return &cobra.Command{
+ Use: "sign-all",
+ Short: "Sign all enrolled files with secure boot keys",
+ Run: func(cmd *cobra.Command, args []string) {
+ files := sbctl.ReadFileDatabase(sbctl.DBPath)
+ for _, entry := range files {
+ sbctl.SignFile(sbctl.DBKey, sbctl.DBCert, entry.File, entry.OutputFile)
+ }
+ },
+ }
+}
+
+func removeFileCmd() *cobra.Command {
+ return &cobra.Command{
+ Use: "remove-file",
+ Short: "Remove file from database",
+ Run: func(cmd *cobra.Command, args []string) {
+ if len(args) < 1 {
+ log.Fatal("Need to specify file")
+ }
+ files := sbctl.ReadFileDatabase(sbctl.DBPath)
+ delete(files, args[0])
+ sbctl.WriteFileDatabase(sbctl.DBPath, files)
+ },
+ }
+}
+
+func statusCmd() *cobra.Command {
+ return &cobra.Command{
+ Use: "status",
+ Short: "Show current boot status",
+ Run: func(cmd *cobra.Command, args []string) {
+ sbctl.CheckStatus()
+ },
+ }
+}
+
+func verifyCmd() *cobra.Command {
+ return &cobra.Command{
+ Use: "verify",
+ Short: "Find and check if files in the ESP are signed or not",
+ Run: func(cmd *cobra.Command, args []string) {
+ sbctl.VerifyESP()
+ },
+ }
+}
+
+func listFilesCmd() *cobra.Command {
+ return &cobra.Command{
+ Use: "list-files",
+ Short: "List enrolled files",
+ Run: func(cmd *cobra.Command, args []string) {
+ sbctl.ListFiles()
+ },
+ }
+}
+
+func bundleCmd() *cobra.Command {
+ var amducode string
+ var intelucode string
+ var splashImg string
+ var osRelease string
+ var efiStub string
+ var kernelImg string
+ var cmdline string
+ var initramfs string
+ var espPath string
+ var save bool
+ cmd := &cobra.Command{
+ Use: "bundle",
+ Short: "Bundle the needed files for an EFI stub image",
+ Run: func(cmd *cobra.Command, args []string) {
+ if len(args) < 1 {
+ log.Fatalf("Requires a file to sign...\n")
+ }
+ checkFiles := []string{amducode, intelucode, splashImg, osRelease, efiStub, kernelImg, cmdline, initramfs}
+ for _, path := range checkFiles {
+ if path == "" {
+ continue
+ }
+ if _, err := os.Stat(path); os.IsNotExist(err) {
+ log.Fatalf("%s does not exist!", path)
+ os.Exit(1)
+ }
+ }
+ bundle := sbctl.NewBundle()
+ bundle.Output = args[0]
+ bundle.IntelMicrocode = intelucode
+ bundle.AMDMicrocode = amducode
+ bundle.KernelImage = kernelImg
+ bundle.Initramfs = initramfs
+ bundle.Cmdline = cmdline
+ bundle.Splash = splashImg
+ bundle.OSRelease = osRelease
+ bundle.EFIStub = efiStub
+ bundle.ESP = espPath
+ sbctl.CreateBundle(*bundle)
+ if save {
+ bundles := sbctl.ReadBundleDatabase(sbctl.BundleDBPath)
+ bundles[bundle.Output] = bundle
+ sbctl.WriteBundleDatabase(sbctl.BundleDBPath, bundles)
+ sbctl.FormatBundle(bundle.Output, bundle)
+ }
+ },
+ }
+ esp := sbctl.GetESP()
+ f := cmd.Flags()
+ f.StringVarP(&amducode, "amducode", "a", "", "AMD microcode location")
+ f.StringVarP(&intelucode, "intelucode", "i", "", "Intel microcode location")
+ f.StringVarP(&splashImg, "splash-img", "l", "", "Boot splash image location")
+ f.StringVarP(&osRelease, "os-release", "o", "/usr/lib/os-release", "OS Release file location")
+ f.StringVarP(&efiStub, "efi-stub", "e", "/usr/lib/systemd/boot/efi/linuxx64.efi.stub", "EFI Stub location")
+ f.StringVarP(&kernelImg, "kernel-img", "k", filepath.Join(esp, "vmlinuz-linux"), "Kernel image location")
+ f.StringVarP(&cmdline, "cmdline", "c", "/proc/cmdline", "Cmdline location")
+ f.StringVarP(&initramfs, "initramfs", "f", filepath.Join(esp, "initramfs-linux.img"), "Initramfs location")
+ f.StringVarP(&espPath, "esp", "p", esp, "ESP location")
+ f.BoolVarP(&save, "save", "s", false, "save bundle to the database")
+ return cmd
+}
+
+func generateBundlesCmd() *cobra.Command {
+ var sign bool
+ cmd := &cobra.Command{
+ Use: "generate-bundles",
+ Short: "Generate all EFI stub bundles",
+ Run: func(cmd *cobra.Command, args []string) {
+ sbctl.GenerateAllBundles()
+ },
+ }
+ f := cmd.Flags()
+ f.BoolVarP(&sign, "sign", "s", false, "Sign all the generated bundles")
+ return cmd
+}
+
+func listBundlesCmd() *cobra.Command {
+ return &cobra.Command{
+ Use: "list-bundles",
+ Short: "List stored bundles",
+ Run: func(cmd *cobra.Command, args []string) {
+ sbctl.ListBundles()
+ },
+ }
+}
+
+func removeBundleCmd() *cobra.Command {
+ return &cobra.Command{
+ Use: "remove-bundle",
+ Short: "Remove bundle from database",
+ Run: func(cmd *cobra.Command, args []string) {
+ if len(args) < 1 {
+ log.Fatal("Need to specify file")
+ }
+ bundles := sbctl.ReadBundleDatabase(sbctl.BundleDBPath)
+ delete(bundles, args[0])
+ sbctl.WriteBundleDatabase(sbctl.BundleDBPath, bundles)
+ },
+ }
+}
+
+func main() {
+ rootCmd.PersistentPreRun = func(_ *cobra.Command, args []string) {
+ if os.Geteuid() != 0 {
+ fmt.Println("Needs to be executed as root")
+ os.Exit(1)
+ }
+ }
+ rootCmd.AddCommand(createKeysCmd())
+ rootCmd.AddCommand(enrollKeysCmd())
+ rootCmd.AddCommand(signCmd())
+ rootCmd.AddCommand(signAllCmd())
+ rootCmd.AddCommand(statusCmd())
+ rootCmd.AddCommand(verifyCmd())
+ rootCmd.AddCommand(listFilesCmd())
+ rootCmd.AddCommand(bundleCmd())
+ rootCmd.AddCommand(generateBundlesCmd())
+ rootCmd.AddCommand(removeBundleCmd())
+ rootCmd.AddCommand(listBundlesCmd())
+ if err := rootCmd.Execute(); err != nil {
+ os.Exit(1)
+ }
+}
diff --git a/cmds.go b/cmds.go
new file mode 100644
index 0000000..681ced5
--- /dev/null
+++ b/cmds.go
@@ -0,0 +1 @@
+package sbctl
diff --git a/contrib/pacman/98-generate-bundles.hook b/contrib/pacman/98-generate-bundles.hook
new file mode 100644
index 0000000..b760223
--- /dev/null
+++ b/contrib/pacman/98-generate-bundles.hook
@@ -0,0 +1,12 @@
+[Trigger]
+Type = File
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Target = boot/*
+Target = usr/lib/modules/*/vmlinuz
+
+[Action]
+Description = Generating EFI Stub bundles...
+When = PostTransaction
+Exec = /usr/bin/sbctl generate-bundles
diff --git a/contrib/pacman/99-sign-efi.hook b/contrib/pacman/99-sign-efi.hook
new file mode 100644
index 0000000..ea87246
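Review bot: The `--sign`/`-s` flag registered at the end of `generateBundlesCmd` is never read — the `Run` closure calls `sbctl.GenerateAllBundles()` unconditionally — so `sbctl generate-bundles --sign` silently leaves the freshly written bundles unsigned, a failure that for a Secure Boot tool only surfaces as a refused boot. Either implement it (for instance by iterating `sbctl.ReadBundleDatabase(sbctl.BundleDBPath)` after generation and calling `sbctl.SignFile(sbctl.DBKey, sbctl.DBCert, b.Output, b.Output)` the way `sign-all` does, assuming bundle outputs are plain EFI binaries) or remove the flag until it works. `removeFileCmd` is defined but never passed to `rootCmd.AddCommand` in `main`, so the `remove-file` subcommand that the man page in this commit documents does not exist at runtime; add `rootCmd.AddCommand(removeFileCmd())`. In `bundleCmd`, the `os.Exit(1)` after `log.Fatalf` is unreachable, and the `os.Stat` check treats every error other than not-exist (e.g. EACCES) as success — test `err != nil` and report the error.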
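Review bot: The trigger includes `Operation = Remove`, so removing a kernel package runs `sbctl generate-bundles` right after the `boot/*` and `usr/lib/modules/*/vmlinuz` inputs have been deleted; the only existence check in this commit is in the `bundle` subcommand at enrollment time (`cmd/main.go`), and what `generate-bundles` does with a bundle whose kernel or initramfs is gone is not visible here. Pacman only reports a failed PostTransaction hook and continues (`AbortOnFail` applies to PreTransaction hooks), so a stale bundle would stay on the ESP unnoticed; have generate-bundles warn and skip bundles with missing inputs, or drop `Operation = Remove` if regenerating on removal is not intended.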
--- /dev/null
+++ b/contrib/pacman/99-sign-efi.hook
@@ -0,0 +1,13 @@
+[Trigger]
+Type = File
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Target = boot/*
+Target = boot/EFI/*
+Target = usr/lib/modules/*/vmlinuz
+
+[Action]
+Description = Signing EFI binaries...
+When = PostTransaction
+Exec = /usr/bin/sbctl sign-all
diff --git a/database.go b/database.go
new file mode 100644
index 0000000..ddbbd25
--- /dev/null
+++ b/database.go
@@ -0,0 +1,47 @@
+package sbctl
+
+import (
+ "encoding/json"
+ "io/ioutil"
+ "log"
+ "os"
+ "path/filepath"
+)
+
+type SigningEntry struct {
+ File string `json:"file"`
+ OutputFile string `json:"output_file"`
+}
+
+type SigningEntries map[string]*SigningEntry
+
+var DBPath = filepath.Join(DatabasePath, "files.db")
+
+func ReadFileDatabase(dbpath string) SigningEntries {
+ files := make(SigningEntries)
+ os.MkdirAll(DatabasePath, os.ModePerm)
+ if _, err := os.Stat(DBPath); os.IsNotExist(err) {
+ file, err := os.Create(DBPath)
+ if err != nil {
+ log.Fatal(err)
+ }
+ file.Close()
+ }
+ f, err := ioutil.ReadFile(dbpath)
+ if err != nil {
+ log.Fatal(err)
+ }
+ json.Unmarshal(f, &files)
+ return files
+}
+
+func WriteFileDatabase(dbpath string, files SigningEntries) {
+ data, err := json.MarshalIndent(files, "", " ")
+ if err != nil {
+ log.Fatal(err)
+ }
+ err = ioutil.WriteFile(dbpath, data, 0644)
+ if err != nil {
+ log.Fatal(err)
+ }
+}
diff --git a/docs/asciidoc.conf b/docs/asciidoc.conf
new file mode 100644
index 0000000..c675a20
--- /dev/null
+++ b/docs/asciidoc.conf
@@ -0,0 +1,37 @@
+## linkman: macro
+# Inspired by/borrowed from the GIT source tree at Documentation/asciidoc.conf
+#
+# Usage: linkman:command[manpage-section]
+#
+# Note, {0} is the manpage section, while {target} is the command.
+#
+# Show man link as: (); if section is defined, else just show
+# the command.
+
+[macros]
+(?su)[\\]?(?Plinkman):(?P\S*?)\[(?P.*?)\]=
+
+[attributes]
+asterisk=*
+plus=+
+caret=^
+startsb=[
+endsb=]
+backslash=\
+tilde=~
+apostrophe='
+backtick=`
+litdd=--
+
+ifdef::backend-docbook[]
+[linkman-inlinemacro]
+{0%{target}}
+{0#}
+{0#{target}{0}}
+{0#}
+endif::backend-docbook[]
+
+ifdef::backend-xhtml11[]
+[linkman-inlinemacro]
+{target}{0?({0})}
+endif::backend-xhtml11[]
diff --git a/docs/sbctl.8.txt b/docs/sbctl.8.txt
new file mode 100644
index 0000000..5cd7386
--- /dev/null
+++ b/docs/sbctl.8.txt
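Review bot: `ReadFileDatabase` discards the `json.Unmarshal` error, so a truncated or corrupted `files.db` is read as an empty map and the next `WriteFileDatabase` call (from `sign -s` or `remove-file`) silently replaces it with `{}`; from then on the `sign-all` run triggered by `99-sign-efi.hook` re-signs nothing and a kernel update leaves unsigned binaries on the ESP. Fail loudly instead: `if err := json.Unmarshal(f, &files); err != nil { log.Fatalf("%s: %v", dbpath, err) }`. The function also takes `dbpath` but stats and creates `DBPath`, so a caller passing another path reads a file that was never created — use `dbpath` in both places. `os.MkdirAll(DatabasePath, os.ModePerm)` requests 0777 (trimmed only by the umask); if `DatabasePath` is also the parent of the `keys/` tree shown in the README, 0700 is the appropriate default for a directory that will hold the Platform Key. `ioutil.WriteFile` is not atomic either, so a crash mid-write leaves a half-written database that the first point then turns into an empty one; write to a temporary file in the same directory and rename it over `dbpath`.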
@@ -0,0 +1,113 @@
+sbctl(8)
+========
+
+Name
+----
+sbctl - Secure Boot manager
+
+
+Synopsis
+--------
+'sbctl'
+
+
+Description
+-----------
+'sbctl' aims to provide a full integrated secure boot experience.
+
+
+EFI signing commands
+--------------------
+
+**status**::
+ Shows the current secure boot status of the system. It checks if you are
+ currently booted in UEFI with Secure Boot, and wheter or not Setup Mode
+ has been enabled.
+
+**create-keys**::
+ Creates a set of signing keys used to sign EFI binaries. Currently it
+ will create the following keys:
+ * Platform Key
+ * Key Exchange key
+ * Signature Database Key
+
+**enroll-keys**::
+ It will first attempt to use `sbkeysync` to live enroll the
+ required keys. This requires Setup Mode to be active.
+
+**sign** ...::
+ Signs a EFI binary with the created key. The file will be checked for
+ valid signatures to avoid duplicates.
+
+**sign-all**::
+ Signs all enrolled EFI binaries.
+
+**remove-file** ::
+ Removes the file from the signing database.
+
+**verify**::
+ Looks for EFI binaries with the mime type application/x-dosexec and
+ checks if they have been signed with the Signature Database Key.
+
+
+**help** ...::
+ Displays a help message.
+
+EFI binary commands
+------------------
+
+**bundle** [FLAG] ::
+ Creates a bundle that should produce EFI binaries. This is usefull if
+ you want to sign your initramfs along with your kernel.
+
+ * -i|--intel - Include Intel microcode
+ * -a|--amd - Include AMD microcode
+
+**remove-bundle** ::
+ Removes a bundle from the list.
+
+**generate-bundles**::
+ This command generates all bundles and puts them into
+ **$ESP/Linux/linux-$bundlename.efi**. These are not signed and it's
+ expected that you enroll them yourself.
+
+**list-bundles**::
+ List all registed bundles to generate.
+
+Environment Variables
+---------------------
+**ESP**::
+ Overrides the ESP location used for enrolling keys, and finding EFI
+ binaries to sign. Defaults to /boot
+
+**EFI_ROLLER_ROOT**::
+ Override the default efi-roller location. Defaults to /var/lib/efi-roller
+
+
+Files
+----
+**/var/lib/efi-roller**::
+ Default storage directory.
+
+**/var/lib/efi-roller/GUID**::
+ Owner identification. This is a randomly generated UUID.
+
+**/var/lib/efi-roller/files.db**::
+ Contains a list of EFI binaries to be signed by the generated key.
+
+**/var/lib/efi-roller/bundles.db**::
+ Contains a list of EFI bundles to be generated.
+
+**/var/lib/efi-roller/keys/db/DB.{auth,cer,crt,esl,key}**::
+ Contains the Signature Database key used for signing EFI binaries.
+
+**/var/lib/efi-roller/keys/kek/KEK.{auth,cer,crt,esl,key}**::
+ Contains the Key Exchange Key.
+
+**/var/lib/efi-roller/keys/pk/PK.{auth,cer,crt,esl,key}**::
+ Contains the Platform Key.
+
+
+See Also
+--------
+linkman:sbsign[1]
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..8398d65
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,8 @@
+module github.com/foxboron/sbctl
+
+go 1.14
+
+require (
+ github.com/foxboron/goefi v0.0.0-20200425230843-adb2e3d38c9d
+ github.com/spf13/cobra v1.0.0
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..8344101
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,128 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/foxboron/goefi 
v0.0.0-20200425230843-adb2e3d38c9d h1:lCRX0K9pVoRx7uXogj+Hy6Of1qhueyVnorTVnTetQh0= +github.com/foxboron/goefi v0.0.0-20200425230843-adb2e3d38c9d/go.mod h1:JOXcrLp1yt4pjXscnK6Pd/gTgtRvQXsVS2aeok+bSQo= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= 
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v0.9.1/go.mod 
h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v1.0.0 h1:6m/oheQuQ13N9ks4hubMG6BnvwOeaJrqSPLahSnczz8= +github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= 
+github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net 
v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 
+google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/keys.go b/keys.go new file mode 100644 index 0000000..bf32c93 --- /dev/null +++ b/keys.go 
@@ -0,0 +1,239 @@
+package sbctl
+
+import (
+ "bytes"
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "log"
+ "math/big"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "strings"
+)
+
+var RSAKeySize = 4096
+
+var (
+ DatabasePath = "/usr/share/secureboot/"
+ KeysPath = filepath.Join(DatabasePath, "keys")
+ PKKey = filepath.Join(KeysPath, "PK", "PK.key")
+ PKCert = filepath.Join(KeysPath, "PK", "PK.pem")
+ DBKey = filepath.Join(KeysPath, "db", "db.key")
+ DBCert = filepath.Join(KeysPath, "db", "db.pem")
+)
+
+func CreateKey(path, name string) []byte {
+ serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+ serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+ if err != nil {
+ log.Fatalf("Failed to generate serial number: %v", err)
+ }
+ c := x509.Certificate{
+ SerialNumber: serialNumber,
+ PublicKeyAlgorithm: x509.RSA,
+ SignatureAlgorithm: x509.SHA256WithRSA,
+ Subject: pkix.Name{
+ Country: []string{name},
+ },
+ }
+ priv, err := rsa.GenerateKey(rand.Reader, RSAKeySize)
+ if err != nil {
+ log.Fatal(err)
+ }
+ derBytes, err := x509.CreateCertificate(rand.Reader, &c, &c, &priv.PublicKey, priv)
+ if err != nil {
+ log.Fatalf("Failed to create certificate: %v", err)
+ }
+ keyOut, err := os.OpenFile(fmt.Sprintf("%s.key", path), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+ if err != nil {
+ log.Fatalf("Failed to open key.pem for writing: %v", err)
+ }
+ privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+ if err != nil {
+ log.Fatalf("Unable to marshal private key: %v", err)
+ }
+ if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil {
+ log.Fatalf("Failed to write data to key.pem: %v", err)
+ }
+ if err := keyOut.Close(); err != nil {
+ log.Fatalf("Error closing key.pem: %v", err)
+ }
+ return derBytes
+}
+
+func SaveKey(k []byte, path string) {
+ err := ioutil.WriteFile(fmt.Sprintf("%s.der", path), k, 0644)
+ if err != nil {
+ log.Fatal(err)
+ }
+ certOut, err := os.Create(fmt.Sprintf("%s.pem", path))
+ if err != nil {
+ log.Fatalf("Failed to open cert.pem for writing: %v", err)
+ }
+ if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: k}); err != nil {
+ log.Fatalf("Failed to write data to cert.pem: %v", err)
+ }
+ if err := certOut.Close(); err != nil {
+ log.Fatalf("Error closing cert.pem: %v", err)
+ }
+
+}
+
+func CreateUUID() []byte {
+ out, err := exec.Command("uuidgen").Output()
+ if err != nil {
+ log.Fatal(err)
+ }
+ return bytes.TrimSuffix(out, []byte("\n"))
+}
+
+func KeyToSiglist(UUID []byte, input string) []byte {
+ msg.Printf("Create EFI signature list %s.esl...", input)
+ args := fmt.Sprintf("--owner %s --type x509 --output %s.esl %s", UUID, input, input)
+ fmt.Println(args)
+ out, err := exec.Command("/usr/bin/sbsiglist", strings.Split(args, " ")...).Output()
+ if err != nil {
+ log.Fatalf("Failed creating signature list: %s", err)
+ }
+ return out
+}
+
+func SignEFIVariable(key, cert, varname, vardatafile, output string) []byte {
+ msg.Printf("Signing %s with %s...", vardatafile, key)
+ args := fmt.Sprintf("--key %s --cert %s --output %s %s %s", key, cert, output, varname, vardatafile)
+ fmt.Println(args)
+ out, err := exec.Command("/usr/bin/sbvarsign", strings.Split(args, " ")...).Output()
+ if err != nil {
+ log.Fatalf("Failed signing EFI variable: %s", err)
+ }
+ return out
+}
+
+func SBKeySync(dir string) bool {
+ msg.Printf("Syncing %s to EFI variables...", dir)
+ args := fmt.Sprintf("--pk --verbose --keystore %s", dir)
+ cmd := exec.Command("sbkeysync", strings.Split(args, " ")...)
+ var out bytes.Buffer
+ cmd.Stdout = &out
+ cmd.Stderr = &out
+ if err := cmd.Run(); err != nil {
+ if exitError, ok := err.(*exec.ExitError); ok {
+ return exitError.ExitCode() == 0
+ }
+ }
+ stdout := string(out.Bytes())
+ for _, line := range strings.Split(stdout, "\n") {
+ if strings.Contains(line, "Operation not permitted") {
+ fmt.Println(stdout)
+ return false
+ }
+ }
+ return true
+}
+
+func VerifyFile(cert, file string) bool {
+ args := fmt.Sprintf("--cert %s %s", cert, file)
+ cmd := exec.Command("sbverify", strings.Split(args, " ")...)
+ if err := cmd.Run(); err != nil {
+ if exitError, ok := err.(*exec.ExitError); ok {
+ return exitError.ExitCode() == 0
+ }
+ }
+ return true
+}
+
+func SignFile(key, cert, file, output string) []byte {
+ // Lets check if we have signed it already...
+ if VerifyFile(cert, file) {
+ msg.Printf("%s has been signed...", file)
+ return []byte{}
+ }
+ msg.Printf("Signing %s...", file)
+ args := fmt.Sprintf("--key %s --cert %s --output %s %s", key, cert, output, file)
+ out, err := exec.Command("sbsign", strings.Split(args, " ")...).Output()
+ if err != nil {
+ log.Fatalf("Failed signing file: %s", err)
+ }
+ return out
+}
+
+var SecureBootKeys = []struct {
+ Key string
+ Description string
+ // Path to the key we sign it with
+ SignedWith string
+}{
+ {
+ Key: "PK",
+ Description: "Platform Key",
+ SignedWith: "PK",
+ },
+ {
+ Key: "KEK",
+ Description: "Key Exchange Key",
+ SignedWith: "PK",
+ },
+ {
+ Key: "db",
+ Description: "Database Key",
+ SignedWith: "KEK",
+ },
+ // Haven't used this yet so WIP
+ // {
+ // Key: "dbx",
+ // Description: "Forbidden Database Key",
+ // SignedWith: "KEK",
+ // },
+}
+
+func CheckIfKeysInitialized(output string) bool {
+ for _, key := range SecureBootKeys {
+ path := filepath.Join(output, key.Key)
+ if _, err := os.Stat(path); os.IsNotExist(err) {
+ return false
+ }
+ }
+ return true
+}
+
+func InitializeSecureBootKeys(output string) {
+ os.MkdirAll(output, os.ModePerm)
+
+ var uuid []byte
+ guidPath := filepath.Join(output, "GUID")
+ if _, err := os.Stat(guidPath); os.IsNotExist(err) {
+ uuid = CreateUUID()
+ msg2.Printf("Created UUID %s...", uuid)
+ err := ioutil.WriteFile(guidPath, uuid, 0600)
+ if err != nil {
+ log.Fatal(err)
+ }
+ } else {
+ uuid, err = ioutil.ReadFile(guidPath)
+ if err != nil {
+ log.Fatal(err)
+ }
+ msg2.Printf("Using UUID %s...", uuid)
+ }
+ // Create the directories we need and keys
+ for _, key := range SecureBootKeys {
+ path := filepath.Join(output, "keys", key.Key)
+ os.MkdirAll(path, os.ModePerm)
+ keyPath := filepath.Join(path, key.Key)
+ pk := CreateKey(keyPath, key.Description)
+ SaveKey(pk, keyPath)
+ KeyToSiglist(uuid, fmt.Sprintf("%s.der", keyPath))
+ // Confusing code
+ // TODO: make it cleaner
+ signingkeyPath := filepath.Join(output, "keys", key.SignedWith, key.SignedWith)
+ signingKey := fmt.Sprintf("%s.key", signingkeyPath)
+ signingCertificate := fmt.Sprintf("%s.pem", signingkeyPath)
+ SignEFIVariable(signingKey, signingCertificate, key.Key, fmt.Sprintf("%s.der.esl", keyPath), fmt.Sprintf("%s.auth", keyPath))
+ }
+}
diff --git a/log.go b/log.go
new file mode 100644
index 0000000..65ed51b
--- /dev/null
+++ b/log.go
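Review bot: `VerifyFile` fails open: when `cmd.Run()` returns anything other than an `*exec.ExitError` (for example `sbverify` is not installed or not executable) the error branch falls through to `return true`, so `SignFile` reports the file as already signed and skips signing it; `SBKeySync` has the same fall-through and reports a successful sync. Since an `*exec.ExitError` always means a non-zero exit, the `ExitCode() == 0` comparison can never be true and the branch in both functions can simply be `if err := cmd.Run(); err != nil { return false }`. Every helper here also builds argv with `strings.Split(args, " ")`, so a key, certificate or input path containing a space is split into several arguments; pass the pieces directly, e.g. `exec.Command("sbverify", "--cert", cert, file)`. `InitializeSecureBootKeys` creates the key directories with `os.MkdirAll(..., os.ModePerm)`, i.e. 0777 before umask, for a tree that holds the PK/KEK/db private keys; 0700 would match the 0600 used for the `.key` files. The self-signed certificate in `CreateKey` leaves `NotBefore`/`NotAfter` and `KeyUsage` at their zero values, so it is worth setting a validity window and usage explicitly so that firmware and `sbverify` can be expected to accept it.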
@@ -0,0 +1,59 @@
+package sbctl
+
+import (
+ "bytes"
+ "fmt"
+ "log"
+ "os"
+ "os/exec"
+ "strings"
+)
+
+var (
+ plain *log.Logger
+ msg *log.Logger
+ msg2 *log.Logger
+ warning *log.Logger
+ warning2 *log.Logger
+ err *log.Logger
+ err2 *log.Logger
+)
+
+func GetColor(args string) string {
+ out, _ := exec.Command("tput", strings.Split(args, " ")...).Output()
+ return string(bytes.TrimSuffix(out, []byte("\n")))
+}
+
+func init() {
+ var (
+ red = GetColor("setaf 1")
+ green = GetColor("setaf 2")
+ yellow = GetColor("setaf 3")
+ blue = GetColor("setaf 4")
+ bold = GetColor("bold")
+ off = GetColor("sgr0")
+ // I didn't bother figure out how we get this to the end of the log format
+ // So we just clear the terminal stuff at the start of each log line
+ prefix = fmt.Sprintf("%s", off)
+ )
+ plainfmt := fmt.Sprintf("%s%s ", prefix, bold)
+ plain = log.New(os.Stdout, plainfmt, 0)
+
+ msgfmt := fmt.Sprintf("%s%s%s==>%s%s ", prefix, bold, green, off, bold)
+ msg = log.New(os.Stdout, msgfmt, 0)
+
+ msg2fmt := fmt.Sprintf("%s%s%s ->%s%s ", prefix, bold, blue, off, bold)
+ msg2 = log.New(os.Stdout, msg2fmt, 0)
+
+ warningfmt := fmt.Sprintf("%s%s%s==> WARNING:%s%s ", prefix, bold, yellow, off, bold)
+ warning = log.New(os.Stderr, warningfmt, 0)
+
+ warning2fmt := fmt.Sprintf("%s%s%s -> WARNING:%s%s ", prefix, bold, yellow, off, bold)
+ warning2 = log.New(os.Stderr, warning2fmt, 0)
+
+ errfmt := fmt.Sprintf("%s%s%s==> ERROR:%s%s ", prefix, bold, red, off, bold)
+ err = log.New(os.Stderr, errfmt, 0)
+
+ err2fmt := fmt.Sprintf("%s%s%s -> ERROR:%s%s ", prefix, bold, red, off, bold)
+ err2 = log.New(os.Stderr, err2fmt, 0)
+}
diff --git a/sbctl.go b/sbctl.go
new file mode 100644
index 0000000..981a7fd
--- /dev/null
+++ b/sbctl.go
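Review bot: The package-level logger named `err` shadows the conventional name for error values, and the sbctl.go hunk in this same commit already trips over it: `CombineFiles` logs `err` (the logger) where it meant the error `e`. Renaming the two loggers, e.g. `errLog`/`errLog2`, and updating their call sites removes the trap. `GetColor` discards the error from `tput`, so when stdout is not a terminal every colour string silently becomes empty; that is a reasonable fallback but deserves a comment such as `// tput fails without a terminal; an empty string then means "no colour"`. `prefix = fmt.Sprintf("%s", off)` is just `prefix = off`.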
@@ -0,0 +1,201 @@
+package sbctl
+
+import (
+ "bytes"
+ "io"
+ "io/ioutil"
+ "log"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "strings"
+
+ "github.com/foxboron/goefi/efi/attributes"
+)
+
+// Functions that doesn't fit anywhere else
+
+// Veryvery simple check
+func GetESP() string {
+ if _, err := os.Stat("/efi"); !os.IsNotExist(err) {
+ return "/efi"
+ }
+ out, err := exec.Command("lsblk", "-o", "PARTTYPE,MOUNTPOINT").Output()
+ if err != nil {
+ log.Fatal(err)
+ }
+ data := string(out)
+ for _, lines := range strings.Split(data, "\n") {
+ if len(lines) < 1 {
+ continue
+ }
+ l := strings.Split(lines, " ")
+ if len(l) != 2 {
+ continue
+ }
+ if l[0] == "c12a7328-f81f-11d2-ba4b-00a0c93ec93b" {
+ return l[1]
+ }
+ }
+ return ""
+}
+
+func VerifyESP() {
+ espPath := GetESP()
+ files := ReadFileDatabase(DBPath)
+ msg.Printf("Verifying file database and EFI images in %s...", espPath)
+ for _, file := range files {
+ if VerifyFile(DBCert, file.OutputFile) {
+ msg2.Printf("%s is signed\n", file.OutputFile)
+ } else {
+ warning2.Printf("%s is not signed\n", file.OutputFile)
+ }
+ }
+ err := filepath.Walk(espPath, func(path string, info os.FileInfo, err error) error {
+ if err != nil {
+ return err
+ }
+ out, err := exec.Command("file", "-b", "--mime-type", path).Output()
+ if err != nil {
+ log.Fatal(err)
+ }
+ out = bytes.TrimSuffix(out, []byte("\n"))
+ if string(out) != "application/x-dosexec" {
+ return nil
+ }
+ if _, ok := files[path]; ok {
+ return nil
+ }
+ if VerifyFile(DBCert, path) {
+ msg2.Printf("%s is signed\n", path)
+ } else {
+ warning2.Printf("%s is not signed\n", path)
+ }
+ return nil
+ })
+ if err != nil {
+ log.Println(err)
+ }
+}
+
+func Sign(file, output string, enroll bool) {
+ file, err := filepath.Abs(file)
+ if err != nil {
+ log.Fatal(err)
+ }
+ if output == "" {
+ output = file
+ }
+ files := ReadFileDatabase(DBPath)
+ if entry, ok := files[file]; ok {
+ SignFile(DBKey, DBCert, entry.File, entry.OutputFile)
+ } else {
+ SignFile(DBKey, DBCert, file, output)
+ }
+ if enroll {
+ files[file] = &SigningEntry{File: file, OutputFile: output}
+ WriteFileDatabase(DBPath, files)
+ }
+}
+
+func ListFiles() {
+ files := ReadFileDatabase(DBPath)
+ for path, s := range files {
+ msg.Printf("File: %s", path)
+ msg2.Printf("Output: %s", s.OutputFile)
+ }
+}
+
+func CheckStatus() {
+ if _, err := os.Stat("/sys/firmware/efi/efivars"); os.IsNotExist(err) {
+ warning.Println("System is not booted with UEFI!")
+ os.Exit(1)
+ }
+ if sm, err := attributes.ReadEfivars("SetupMode"); err == nil {
+ if sm.Data[0] == 1 {
+ warning.Println("Setup Mode: Enabled")
+ } else {
+ msg.Println("Setup Mode: Disabled")
+ }
+ }
+ if sb, err := attributes.ReadEfivars("SecureBoot"); err == nil {
+ if sb.Data[0] == 1 {
+ msg.Println("Secure Boot: Enabled")
+ } else {
+ warning.Println("Secure Boot: Disabled")
+ }
+ }
+}
+
+func CreateKeys() {
+ if !CheckIfKeysInitialized(KeysPath) {
+ msg.Printf("Creating secure boot keys...")
+ InitializeSecureBootKeys(DatabasePath)
+ } else {
+ msg.Printf("Secure boot keys has been created")
+ }
+}
+
+func SyncKeys() {
+ synced := SBKeySync(KeysPath)
+ if !synced {
+ err.Println("Couldn't sync keys")
+ os.Exit(1)
+ } else {
+ msg.Println("Synced keys!")
+ }
+}
+
+func CombineFiles(microcode, initramfs string) *os.File {
+ tmpFile, e := ioutil.TempFile("/var/tmp", "initramfs-")
+ if e != nil {
+ err.Println("Cannot create temporary file", e)
+ }
+
+ one, _ := os.Open(microcode)
+ defer one.Close()
+
+ two, _ := os.Open(initramfs)
+ defer two.Close()
+
+ _, e = io.Copy(tmpFile, one)
+ if e != nil {
+ log.Fatalln("failed to append microcode file to output:", err)
+ }
+
+ _, e = io.Copy(tmpFile, two)
+ if e != nil {
+ log.Fatalln("failed to append initramfs file to output:", err)
+ }
+ return tmpFile
+}
+
+func CreateBundle(bundle Bundle) {
+ if bundle.IntelMicrocode != "" {
+ tmpFile := CombineFiles(bundle.IntelMicrocode, bundle.Initramfs)
+ defer os.Remove(tmpFile.Name())
+ bundle.Initramfs = tmpFile.Name()
+ }
+
+ if bundle.AMDMicrocode != "" {
+ tmpFile := CombineFiles(bundle.AMDMicrocode, bundle.Initramfs)
+ defer os.Remove(tmpFile.Name())
+ bundle.Initramfs = tmpFile.Name()
+ }
+ GenerateBundle(&bundle)
+}
+
+func GenerateAllBundles() {
+ msg.Println("Generating EFI bundles....")
+ bundles := ReadBundleDatabase(BundleDBPath)
+ for _, bundle := range bundles {
+ CreateBundle(*bundle)
+ }
+}
+
+func ListBundles() {
+ bundles := ReadBundleDatabase(BundleDBPath)
+ for key, bundle := range bundles {
+ FormatBundle(key, bundle)
+ }
+}
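Review bot: `CombineFiles` ignores the errors from both `os.Open` calls and passes the `err` logger instead of the error `e` to its two `log.Fatalln` calls, so a missing microcode or initramfs file produces a confusing message rather than the real cause; it also carries on with a nil `tmpFile` when `ioutil.TempFile` fails, and the returned file is never closed by it or by `CreateBundle`. A tighter version is sketched below. `GetESP` splits each `lsblk` line on a single space, so if the columns are space-padded (as lsblk's table output normally is) the `len(l) != 2` test skips every line; `strings.Fields(lines)` is the usual fix. `CheckStatus` indexes `sm.Data[0]` and `sb.Data[0]` without checking the length, which presumably panics on an empty variable — the `attributes` type is not visible here, so confirm against that package.

```go
func CombineFiles(microcode, initramfs string) *os.File {
	tmpFile, e := ioutil.TempFile("/var/tmp", "initramfs-")
	if e != nil {
		log.Fatalln("cannot create temporary file:", e)
	}
	for _, name := range []string{microcode, initramfs} {
		in, e := os.Open(name)
		if e != nil {
			log.Fatalln("cannot open", name, "for bundling:", e)
		}
		_, e = io.Copy(tmpFile, in)
		in.Close()
		if e != nil {
			log.Fatalln("failed to append", name, "to output:", e)
		}
	}
	// Caller owns tmpFile and must Close and Remove it.
	return tmpFile
}
```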