WIP: UKI+systemdboot pcr4 predictions #78
Draft
bgartzi wants to merge 11 commits into
Some images might boot from an UKI. By default, it will be located under /boot/EFI/Linux/uki.efi in Fedora images. If the user provides another path, that will take precedence over it. Now, when new rootfs are created it will check if the user-provided or the default UKI exists. If it does, it will fill the uki + addon fields of the rootfs struct. Later, we can retrieve those. uki returns an Option<String> to know if it is or not a uki image. Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
PCR computation for PCR4 with uki or without it was not so different. The only thing that changes is the part related to vmlinuz or the UKI. Merge both of them, as we can know which of the cases we are dealing with easily, based on whether the UKI was found in the expected path or not. Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Admit paths to the UKI and its addons. Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Now users can pass uki and uki addons paths to the compute-pcrs binary. Now, the binary will assume that it is predicting PCRs for an UKI image. It will try to find the UKI image in the path provided by the user. If it was not provided, it will try finding it in the default path. If it was not found even there, then it will assume it is the legacy case and will compute pcr4 as it was done until now. Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Find systemd-boot efi file if any and let others know whether it exists or not. Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Not there yet. We need to figure out which TPMEG this event should really use. We need to discuss how this would behave in upgrade scenarios. Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
For a very specific case, see: https://github.com/trusted-execution-clusters/fedora-coreos-uki Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Very slightly tested. Don't rely on this at this stage by any means.
Depends on #33