From 48a3109c7fed1a097fd8d858cde86514b074839d Mon Sep 17 00:00:00 2001
From: Morten Linderud
Date: Wed, 31 Jul 2024 23:40:06 +0200
Subject: [PATCH] sbctl: include `db_additions` inn config file

Signed-off-by: Morten Linderud
---
 cmd/sbctl/enroll-keys.go | 10 ++++++++++
 cmd/sbctl/setup.go | 1 +
 config/config.go | 16 ++++++++--------
 config/config_test.go | 2 +-
 docs/sbctl.conf.5.txt | 8 ++++++++
 5 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/cmd/sbctl/enroll-keys.go b/cmd/sbctl/enroll-keys.go
index f6248c1..01ceb61 100644
--- a/cmd/sbctl/enroll-keys.go
+++ b/cmd/sbctl/enroll-keys.go
@@ -3,6 +3,7 @@ package main
 import (
 "errors"
 "fmt"
+ "slices"
 "strings"
 "github.com/foxboron/go-uefi/efi/signature"
@@ -294,6 +295,15 @@ func RunEnrollKeys(state *config.State) error {
 if len(enrollKeysCmdOptions.BuiltinFirmwareCerts) >= 1 {
 oems = append(oems, "firmware-builtin")
 }
+
+ if len(state.Config.DbAdditions) != 0 {
+ for _, k := range state.Config.DbAdditions {
+ if !slices.Contains(oems, k) {
+ oems = append(oems, k)
+ }
+ }
+ }
+
 if !enrollKeysCmdOptions.IgnoreImmutable && enrollKeysCmdOptions.Export.Value == "" {
 if err := sbctl.CheckImmutable(state.Fs); err != nil {
 return err
diff --git a/cmd/sbctl/setup.go b/cmd/sbctl/setup.go
index 3442f42..b8a5c11 100644
--- a/cmd/sbctl/setup.go
+++ b/cmd/sbctl/setup.go
@@ -55,6 +55,7 @@ func PrintConfig(state *config.State) error {
 return err
 }
 state.Config.Keys = kh.GetConfig(state.Config.Keydir)
+ state.Config.DbAdditions = sbctl.GetEnrolledVendorCerts()
 }
 // Setup the files
diff --git a/config/config.go b/config/config.go
index fa3e356..78f6433 100644
--- a/config/config.go
+++ b/config/config.go
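Review bot: Entries read from `state.Config.DbAdditions` are appended to `oems` with no check against the accepted source names (the manual page in this patch lists microsoft, tpm-eventlog, firmware-builtin and custom), so unless the code that consumes `oems` further down RunEnrollKeys rejects unknown strings, a misspelled entry in sbctl.conf would be dropped silently and the vendor certificates the operator meant to enroll would be missing from db; the function's body continues outside the hunk, so I cannot confirm how unknown names are handled from here. The `len(state.Config.DbAdditions) != 0` guard is redundant, since ranging over an empty slice does nothing, so the block can shrink to `for _, k := range state.Config.DbAdditions {` followed by `if !slices.Contains(oems, k) { oems = append(oems, k) }`. The `slices` import added in the first hunk requires Go 1.21; worth confirming the go directive in go.mod (not shown) allows it.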
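Review bot: The new line fills `DbAdditions` from `sbctl.GetEnrolledVendorCerts()`, whose return value is not visible in this patch; RunEnrollKeys appends the field's entries to `oems` next to names like "firmware-builtin", so if that helper yields anything other than those enroll-keys source names the config printed by PrintConfig would not round-trip through a later enroll-keys run. A short comment would pin the intended contract, e.g. `// Record the vendor sources currently enrolled so a config-driven enroll-keys reproduces the same db.` The enclosing if block starts outside the hunk, so I cannot see under which condition this assignment runs.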
@@ -52,14 +52,14 @@ func (k *Keys) GetKeysConfigs() []*KeyConfig {
 // Note: Anything serialized as part of this struct will end up in a public
 // debug dump at some point, probably.
 type Config struct {
- Landlock bool `json:"landlock"`
- Keydir string `json:"keydir"`
- GUID string `json:"guid"`
- FilesDb string `json:"files_db"`
- BundlesDb string `json:"bundles_db"`
- VendorKeys []string `json:"vendor_keys,omitempty"`
- Files []*FileConfig `json:"files,omitempty"`
- Keys *Keys `json:"keys"`
+ Landlock bool `json:"landlock"`
+ Keydir string `json:"keydir"`
+ GUID string `json:"guid"`
+ FilesDb string `json:"files_db"`
+ BundlesDb string `json:"bundles_db"`
+ DbAdditions []string `json:"db_additions,omitempty"`
+ Files []*FileConfig `json:"files,omitempty"`
+ Keys *Keys `json:"keys"`
 }
 func (c *Config) GetGUID(vfs afero.Fs) (*util.EFIGUID, error) {
diff --git a/config/config_test.go b/config/config_test.go
index d166bd1..4cf339b 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -11,7 +11,7 @@ keydir: /etc/sbctl/keys
 guid: /var/lib/sbctl/GUID
 files_db: /var/lib/sbctl/files.db
 bundles_db: /var/lib/sbctl/bundles.db
-vendor_keys:
+db_additions:
 - microsoft
 files:
 - path: /boot/vmlinuz-linux-lts
diff --git a/docs/sbctl.conf.5.txt b/docs/sbctl.conf.5.txt
index 5677452..c001f00 100644
--- a/docs/sbctl.conf.5.txt
+++ b/docs/sbctl.conf.5.txt
@@ -56,6 +56,12 @@ Options
 +
 Default: true
+*db_additions:* [ options... ]
+ Include additional keys or checksums into the authorization database for
+ Secure Boot. These values are synonymous with the flags passed to *sbctl enroll-keys*.
+ +
+ Valid values: microsoft, tpm-eventlog, firmware-builtin, custom
+
 *files:* [ [*path:* /path/to/file *output:* /path/to/output ], ... ]::
 A list of files sbctl will sign upon setup. It will be used to seed the
 files_db during initial setup.
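Review bot: Renaming the serialized key from `vendor_keys` to `db_additions` is a silent compatibility break for any config file written against the old name: if the decoder (not shown here) ignores unknown keys, an existing `vendor_keys` entry listing microsoft would simply vanish and the next config-driven enroll-keys would populate db without the Microsoft certificates, which can leave option ROMs and other signed loaders on the machine unbootable. If `vendor_keys` was ever shipped in a release, keep the old `VendorKeys` field with its vendor_keys tag as a deprecated alias that is merged into DbAdditions on load, or make the loader reject unknown keys so the mistake is reported instead of swallowed. The new field also lacks a doc comment; `// DbAdditions lists the enroll-keys sources (microsoft, tpm-eventlog, firmware-builtin, custom) whose certificates are added to the Secure Boot db.` would document its contract where the struct is defined.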
@@ -117,6 +123,8 @@ An example of a /etc/sbctl/sbctl.conf file with the default values.
 files_db: /var/lib/sbctl/files.json
 bundles_db: /var/lib/sbctl/bundles.json
 landlock: true
+ db_additions:
+ - microsoft
 files:
 - path: /boot/vmlinuz-linux
 output: /boot/vmlinuz-linux