preinstall: Add CheckResult and WithAutoTCGPCRProfile APIs #338
Conversation
chrisccoulson
force-pushed
the
preinstall-add-profile-and-results
branch
2 times, most recently
from
33a77f7 to
27fef9d
Compare
chrisccoulson
force-pushed
the
preinstall-add-profile-and-results
branch
5 times, most recently
from
0bec84e to
878ee98
Compare
chrisccoulson
force-pushed
the
preinstall-add-profile-and-results
branch
2 times, most recently
from
5b74975 to
42dfed0
Compare
chrisccoulson
changed the title
CheckResult is returned from RunChecks on successful completion. It is JSON serializable and intended to be supplied later on to WithAutoTCGPCRProfile along with some user customization flags (defined by PCRProfileOptionsFlags) in order to generate an option that can be supplied to secboot_efi.AddPCRProfile. Note that some user options don't work yet because of missing PCR support, although these limitations will be addressed later. Even so, some options may still fail depending on the CheckResult flags.
chrisccoulson
force-pushed
the
preinstall-add-profile-and-results
branch
from
42dfed0 to
0c76820
Compare
There was a problem hiding this comment.
did a first pass, probably a good idea for @valentindavid and maybe someone more from your side to look it, Mate?
efi/preinstall/errors.go
Outdated
| br := bufio.NewReader(r) | ||
| for { | ||
| line, err := br.ReadString('\n') | ||
| fmt.Fprintf(w, "%*s%s", n, "", line) |
There was a problem hiding this comment.
should we really do this print if line is "" and err is io.EOF ?
There was a problem hiding this comment.
I've refactored this function a bit (it uses bufio.Scanner now and it's been renamed to make it clearer what its intended use is.
efi/preinstall/result.go
Outdated
| "startup-locality-not-protected": StartupLocalityNotProtected, | ||
| } | ||
|
|
||
| type x509CertificateIdJSON struct { |
There was a problem hiding this comment.
nitpick: I would split out the x509Id types to maybe their own x509id.go file
There was a problem hiding this comment.
I've moved these types into their own file.
efi/preinstall/result.go
Outdated
| if r.Warnings != nil && len(r.Warnings.Errs) > 0 { | ||
| fmt.Fprintf(w, "- Warnings:\n") | ||
| for i := 0; i < len(r.Warnings.Errs); i++ { | ||
| fmt.Fprintf(w, "%s\n", indentLines(2, "- "+r.Warnings.Errs[i].Error())) | ||
| } | ||
| } |
There was a problem hiding this comment.
this bit of the code is not exercised
There was a problem hiding this comment.
I've added a test for this now.
efi/preinstall/errors.go
Outdated
| w := new(bytes.Buffer) | ||
| fmt.Fprintf(w, "one or more errors detected:\n") | ||
| for _, err := range e.Errs { | ||
| fmt.Fprintf(w, "%s\n", indentLines(2, "- "+err.Error())) |
There was a problem hiding this comment.
So if we have errors err1-line1\nerr1-line2 and err2-line1\nerr2-line2, the output will look like:
- err1-line1
err1-line2
- err2-line1
err2-line2
I feel like the - should not be indented so that the lines match.
There was a problem hiding this comment.
The expected formatting in the example would be:
- err1-line1
err1-line2
- err2-line1
err2-line2
In any case, I've refactored indentLines now and called it something else (makeIndentedListItem) to make its purpose clearer. I've also added some formatting tests for code that makes use of it too.
efi/preinstall/profile.go
Outdated
| // don't extend anything to the TPM, breaking the root-of-trust. This is true of the Microsoft UEFI CA 2011, | ||
| // and for now, we assume to be true of the 2023 UEFI CA unless Microsoft are more transparent about what is | ||
| // signed under this CA). It's also assumed to be true for any unrecognized CAs. | ||
| // This can be overridden with PCRProfileOptionsTrustCAsForBootCode. |
There was a problem hiding this comment.
s/PCRProfileOptionsTrustCAsForBootCode/PCRProfileOptionTrustCAsForBootCode/
(Options -> Option)
There was a problem hiding this comment.
I've fixed this now.
efi/preinstall/profile.go
Outdated
| // (ie, they may have signed code in the past that can defeat our security model. This is true of the Microsoft | ||
| // UEFI CA 2011, and for now, we assume to be true of the 2023 UEFI CA unless Microsoft are more transparent about | ||
| // what they sign under this CA). It's also assumed to be true for any unrecognized CAs. | ||
| // This can be overridden with PCRProfileOptionsTrustCAsForVARSuppliedDrivers. |
There was a problem hiding this comment.
And this one.
| {internal_efi.MSUefiCA2011, 0}, | ||
| {internal_efi.MSUefiCA2023, 0}, // be conservative here for now, but will we be able to set the authorityTrustDrivers flag for the MS2023 CA? |
There was a problem hiding this comment.
I want to make sure I understand here.
We do not really need to put anything with authorityTrust value 0 in this list, because all of those are not trusted. And any certificated not found in the authorityTrustDataSet will make trust &= certTrust be trust &= 0 which will be then distrust. The only use here for knownCAs is that maybe one day some CA certicates are trusted and we will add them in this list with a non 0 value for authorityTrust.
So here MSUefiCA2011 and MSUefiCA2023 are just explicitly distrusted, but if we removed them from the list, it would be the same.
Did I understand it correctly?
There was a problem hiding this comment.
Maybe it would be nice to have a test that uses a cert that is not in knownCAs.
There was a problem hiding this comment.
You understood correctly - these are both explicitly distrusted, as is any certificate that doesn't appear in this list. Eventually we'll get to the point where we want security features that will require our own CA, which will be added here with both trust flags set (because we know we'll never use it to sign drivers). It also remains to be seen whether Microsoft will be any more open wrt to their signing requirements with the new UEFI CA, particularly wrt the signing of option ROMs. If this improves, we might be able to change one flag for this CA, but right now, I don't think it's been used to sign anything.
Also fix the implementation of RunChecksErrors.Error().
This renames indentLines to makeIndentedListItem to make it clear that it's used to help printing out lists of things (in this context, mostly lists of errors). It also refactors it to use bufio.Scanner. Some additional test cases are added to test the formatting of RunChecksErrors, both on its own and embedded as a warning inside of CheckResult.
CheckResultis returned fromRunCheckson successful completion. It isJSON serializable and intended to be supplied later on to
WithAutoTCGPCRProfilealong with some user customization flags (definedby
PCRProfileOptionsFlags) in order to generate an option that can besupplied to secboot_efi.AddPCRProfile.
Note that some user options don't work yet because of missing PCR
support, although these limitations will be addressed later. For now,
these will appear as failures in the
CheckResultflags.