sbctl: include db_additions inn config file

Signed-off-by: Morten Linderud <[email protected]>
Foxboron · Jul 31, 2024 · 48a3109 · 48a3109
1 parent de3aafc
commit 48a3109
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 9 deletions.
diff --git a/cmd/sbctl/enroll-keys.go b/cmd/sbctl/enroll-keys.go
@@ -3,6 +3,7 @@ package main
 import (
 	"errors"
 	"fmt"
+	"slices"
 	"strings"
 
 	"github.com/foxboron/go-uefi/efi/signature"
@@ -294,6 +295,15 @@ func RunEnrollKeys(state *config.State) error {
 	if len(enrollKeysCmdOptions.BuiltinFirmwareCerts) >= 1 {
 		oems = append(oems, "firmware-builtin")
 	}
+
+	if len(state.Config.DbAdditions) != 0 {
+		for _, k := range state.Config.DbAdditions {
+			if !slices.Contains(oems, k) {
+				oems = append(oems, k)
+			}
+		}
+	}
+
 	if !enrollKeysCmdOptions.IgnoreImmutable && enrollKeysCmdOptions.Export.Value == "" {
 		if err := sbctl.CheckImmutable(state.Fs); err != nil {
 			return err

diff --git a/cmd/sbctl/setup.go b/cmd/sbctl/setup.go
@@ -55,6 +55,7 @@ func PrintConfig(state *config.State) error {
 			return err
 		}
 		state.Config.Keys = kh.GetConfig(state.Config.Keydir)
+		state.Config.DbAdditions = sbctl.GetEnrolledVendorCerts()
 	}
 
 	// Setup the files

diff --git a/config/config.go b/config/config.go
@@ -52,14 +52,14 @@ func (k *Keys) GetKeysConfigs() []*KeyConfig {
 // Note: Anything serialized as part of this struct will end up in a public
 // debug dump at some point, probably.
 type Config struct {
-	Landlock   bool          `json:"landlock"`
-	Keydir     string        `json:"keydir"`
-	GUID       string        `json:"guid"`
-	FilesDb    string        `json:"files_db"`
-	BundlesDb  string        `json:"bundles_db"`
-	VendorKeys []string      `json:"vendor_keys,omitempty"`
-	Files      []*FileConfig `json:"files,omitempty"`
-	Keys       *Keys         `json:"keys"`
+	Landlock    bool          `json:"landlock"`
+	Keydir      string        `json:"keydir"`
+	GUID        string        `json:"guid"`
+	FilesDb     string        `json:"files_db"`
+	BundlesDb   string        `json:"bundles_db"`
+	DbAdditions []string      `json:"db_additions,omitempty"`
+	Files       []*FileConfig `json:"files,omitempty"`
+	Keys        *Keys         `json:"keys"`
 }
 
 func (c *Config) GetGUID(vfs afero.Fs) (*util.EFIGUID, error) {

diff --git a/config/config_test.go b/config/config_test.go
@@ -11,7 +11,7 @@ keydir: /etc/sbctl/keys
 guid: /var/lib/sbctl/GUID
 files_db: /var/lib/sbctl/files.db
 bundles_db: /var/lib/sbctl/bundles.db
-vendor_keys:
+db_additions:
   - microsoft
 files:
   - path: /boot/vmlinuz-linux-lts

diff --git a/docs/sbctl.conf.5.txt b/docs/sbctl.conf.5.txt
@@ -56,6 +56,12 @@ Options
     +
     Default: true
 
+*db_additions:* [ options... ]
+    Include additional keys or checksums into the authorization database for
+    Secure Boot. These values are synonymous with the flags passed to *sbctl enroll-keys*.
+    +
+    Valid values: microsoft, tpm-eventlog, firmware-builtin, custom
+
 *files:* [ [*path:* /path/to/file *output:* /path/to/output ], ... ]::
     A list of files sbctl will sign upon setup. It will be used to seed the
     files_db during initial setup.
@@ -117,6 +123,8 @@ An example of a /etc/sbctl/sbctl.conf file with the default values.
     files_db: /var/lib/sbctl/files.json
     bundles_db: /var/lib/sbctl/bundles.json
     landlock: true
+    db_additions:
+    - microsoft
     files:
     - path: /boot/vmlinuz-linux
       output: /boot/vmlinuz-linux