@@ -148,9 +148,9 @@ func isValidSignature(sign util.EFIGUID) bool {
|
|||||||
return sign == signature.CERT_X509_GUID
|
return sign == signature.CERT_X509_GUID
|
||||||
}
|
}
|
||||||
|
|
||||||
// checkArtifactSignatureIsValid checks that a given efi artifact is signed properly with a signature that would allow it to
|
// CheckArtifactSignatureIsValid checks that a given efi artifact is signed properly with a signature that would allow it to
|
||||||
// boot correctly in the current node if secureboot is enabled
|
// boot correctly in the current node if secureboot is enabled
|
||||||
func checkArtifactSignatureIsValid(fs types.KairosFS, artifact string, logger types.KairosLogger) error {
|
func CheckArtifactSignatureIsValid(fs types.KairosFS, artifact string, logger types.KairosLogger) error {
|
||||||
var err error
|
var err error
|
||||||
logger.Logger.Info().Str("what", artifact).Msg("Checking artifact for valid signature")
|
logger.Logger.Info().Str("what", artifact).Msg("Checking artifact for valid signature")
|
||||||
info, err := fs.Stat(artifact)
|
info, err := fs.Stat(artifact)
|
||||||
|
@@ -66,7 +66,7 @@ var _ = Describe("Uki utils", Label("uki", "utils"), func() {
|
|||||||
cleanup()
|
cleanup()
|
||||||
})
|
})
|
||||||
It("Fails if it cant find the file to check", func() {
|
It("Fails if it cant find the file to check", func() {
|
||||||
err := checkArtifactSignatureIsValid(fs, "/notexists.efi", logger)
|
err := CheckArtifactSignatureIsValid(fs, "/notexists.efi", logger)
|
||||||
Expect(err).To(HaveOccurred())
|
Expect(err).To(HaveOccurred())
|
||||||
Expect(err.Error()).To(ContainSubstring("does not exist"))
|
Expect(err.Error()).To(ContainSubstring("does not exist"))
|
||||||
})
|
})
|
||||||
@@ -75,7 +75,7 @@ var _ = Describe("Uki utils", Label("uki", "utils"), func() {
|
|||||||
// File needs to not be empty for the parser to try to parse it
|
// File needs to not be empty for the parser to try to parse it
|
||||||
err := fs.WriteFile("/nonefi.file", []byte(""), os.ModePerm)
|
err := fs.WriteFile("/nonefi.file", []byte(""), os.ModePerm)
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = checkArtifactSignatureIsValid(fs, "/nonefi.file", logger)
|
err = CheckArtifactSignatureIsValid(fs, "/nonefi.file", logger)
|
||||||
Expect(err).To(HaveOccurred())
|
Expect(err).To(HaveOccurred())
|
||||||
Expect(err.Error()).To(ContainSubstring("has zero size"))
|
Expect(err.Error()).To(ContainSubstring("has zero size"))
|
||||||
})
|
})
|
||||||
@@ -84,7 +84,7 @@ var _ = Describe("Uki utils", Label("uki", "utils"), func() {
|
|||||||
// File needs to not be empty for the parser to try to parse it
|
// File needs to not be empty for the parser to try to parse it
|
||||||
err := fs.WriteFile("/nonefi.file", []byte("asdkljhfjklahsdfjk,hbasdfjkhas"), os.ModePerm)
|
err := fs.WriteFile("/nonefi.file", []byte("asdkljhfjklahsdfjk,hbasdfjkhas"), os.ModePerm)
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = checkArtifactSignatureIsValid(fs, "/nonefi.file", logger)
|
err = CheckArtifactSignatureIsValid(fs, "/nonefi.file", logger)
|
||||||
Expect(err).To(HaveOccurred())
|
Expect(err).To(HaveOccurred())
|
||||||
Expect(err.Error()).To(ContainSubstring("not a PE file"))
|
Expect(err.Error()).To(ContainSubstring("not a PE file"))
|
||||||
})
|
})
|
||||||
@@ -95,7 +95,7 @@ var _ = Describe("Uki utils", Label("uki", "utils"), func() {
|
|||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = fs.WriteFile(filepath.Join("/sys/firmware/efi/efivars", dbFile), file, os.ModePerm)
|
err = fs.WriteFile(filepath.Join("/sys/firmware/efi/efivars", dbFile), file, os.ModePerm)
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = checkArtifactSignatureIsValid(fs, "/efitest.efi", logger)
|
err = CheckArtifactSignatureIsValid(fs, "/efitest.efi", logger)
|
||||||
Expect(err).To(HaveOccurred())
|
Expect(err).To(HaveOccurred())
|
||||||
Expect(err.Error()).To(ContainSubstring("no signatures in the file"))
|
Expect(err.Error()).To(ContainSubstring("no signatures in the file"))
|
||||||
})
|
})
|
||||||
@@ -106,7 +106,7 @@ var _ = Describe("Uki utils", Label("uki", "utils"), func() {
|
|||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = fs.WriteFile(filepath.Join("/sys/firmware/efi/efivars", dbFile), file, os.ModePerm)
|
err = fs.WriteFile(filepath.Join("/sys/firmware/efi/efivars", dbFile), file, os.ModePerm)
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = checkArtifactSignatureIsValid(fs, "/efitest.signed.efi", logger)
|
err = CheckArtifactSignatureIsValid(fs, "/efitest.signed.efi", logger)
|
||||||
Expect(err).To(HaveOccurred())
|
Expect(err).To(HaveOccurred())
|
||||||
Expect(err.Error()).To(ContainSubstring("could not find a signature in EFIVars DB that matches the artifact"))
|
Expect(err.Error()).To(ContainSubstring("could not find a signature in EFIVars DB that matches the artifact"))
|
||||||
})
|
})
|
||||||
@@ -117,7 +117,7 @@ var _ = Describe("Uki utils", Label("uki", "utils"), func() {
|
|||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = fs.WriteFile(filepath.Join("/sys/firmware/efi/efivars", dbFile), file, os.ModePerm)
|
err = fs.WriteFile(filepath.Join("/sys/firmware/efi/efivars", dbFile), file, os.ModePerm)
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = checkArtifactSignatureIsValid(fs, "/efitest.signed.efi", logger)
|
err = CheckArtifactSignatureIsValid(fs, "/efitest.signed.efi", logger)
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
})
|
})
|
||||||
|
|
||||||
@@ -132,7 +132,7 @@ var _ = Describe("Uki utils", Label("uki", "utils"), func() {
|
|||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = fs.WriteFile(filepath.Join("/sys/firmware/efi/efivars", dbxFile), file, os.ModePerm)
|
err = fs.WriteFile(filepath.Join("/sys/firmware/efi/efivars", dbxFile), file, os.ModePerm)
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = checkArtifactSignatureIsValid(fs, "/efitest.signed.efi", logger)
|
err = CheckArtifactSignatureIsValid(fs, "/efitest.signed.efi", logger)
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
})
|
})
|
||||||
|
|
||||||
@@ -147,7 +147,7 @@ var _ = Describe("Uki utils", Label("uki", "utils"), func() {
|
|||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = fs.WriteFile(filepath.Join("/sys/firmware/efi/efivars", dbxFile), file, os.ModePerm)
|
err = fs.WriteFile(filepath.Join("/sys/firmware/efi/efivars", dbxFile), file, os.ModePerm)
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
err = checkArtifactSignatureIsValid(fs, "/efitest.signed.efi", logger)
|
err = CheckArtifactSignatureIsValid(fs, "/efitest.signed.efi", logger)
|
||||||
Expect(err).To(HaveOccurred())
|
Expect(err).To(HaveOccurred())
|
||||||
Expect(err.Error()).To(ContainSubstring("hash appears on DBX"))
|
Expect(err.Error()).To(ContainSubstring("hash appears on DBX"))
|
||||||
})
|
})
|
||||||
|