diff --git a/backend/backend.go b/backend/backend.go index 0582fa4..072bdb0 100644 --- a/backend/backend.go +++ b/backend/backend.go @@ -203,6 +203,8 @@ func createKey(state *config.State, backend string, hier hierarchy.Hierarchy, de switch backend { case "file", "": return NewFileKey(hier, desc) + case "tpm": + return NewTPMKey(state.TPM, desc) default: return NewFileKey(hier, desc) } @@ -256,6 +258,8 @@ func readKey(state *config.State, keydir string, kc *config.KeyConfig, hier hier switch t { case FileBackend: return FileKeyFromBytes(keyb, pemb) + case TPMBackend: + return TPMKeyFromBytes(state.TPM, keyb, pemb) default: return nil, fmt.Errorf("unknown key") } @@ -301,6 +305,8 @@ func GetBackendType(b []byte) (BackendType, error) { switch block.Type { case "PRIVATE KEY": return FileBackend, nil + case "TSS2 PRIVATE KEY": + return TPMBackend, nil default: return "", fmt.Errorf("unknown file type: %s", block.Type) } @@ -319,6 +325,8 @@ func InitBackendFromKeys(state *config.State, priv, pem []byte, hier hierarchy.H switch t { case "file": return FileKeyFromBytes(priv, pem) + case "tpm": + return TPMKeyFromBytes(state.TPM, priv, pem) default: return nil, fmt.Errorf("unknown key backend: %s", t) } diff --git a/backend/tpm.go b/backend/tpm.go new file mode 100644 index 0000000..91996f9 --- /dev/null +++ b/backend/tpm.go @@ -0,0 +1,144 @@ +package backend + +import ( + "bytes" + "crypto" + "crypto/rand" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "fmt" + "math/big" + "path/filepath" + "time" + + keyfile "github.com/foxboron/go-tpm-keyfiles" + "github.com/foxboron/sbctl/fs" + "github.com/foxboron/sbctl/hierarchy" + "github.com/google/go-tpm/tpm2" + "github.com/google/go-tpm/tpm2/transport" + "github.com/spf13/afero" +) + +type TPMKey struct { + *keyfile.TPMKey + keytype BackendType + cert *x509.Certificate + tpm func() transport.TPMCloser +} + +func NewTPMKey(tpmcb func() transport.TPMCloser, desc string) (*TPMKey, error) { + rwc := tpmcb() + key, err := keyfile.NewLoadableKey(rwc, tpm2.TPMAlgRSA, 2048, []byte(nil), + keyfile.WithDescription(desc), + ) + if err != nil { + return nil, err + } + + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) + serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit) + c := x509.Certificate{ + SerialNumber: serialNumber, + PublicKeyAlgorithm: x509.RSA, + SignatureAlgorithm: x509.SHA256WithRSA, + NotBefore: time.Now(), + NotAfter: time.Now().AddDate(5, 0, 0), + Subject: pkix.Name{ + Country: []string{desc}, + CommonName: desc, + }, + } + + pubkey, err := key.PublicKey() + if err != nil { + return nil, err + } + + signer, err := key.Signer(rwc, []byte(nil), []byte(nil)) + if err != nil { + return nil, err + } + + derBytes, err := x509.CreateCertificate(rand.Reader, &c, &c, pubkey, signer) + if err != nil { + return nil, err + } + + cert, err := x509.ParseCertificate(derBytes) + if err != nil { + return nil, err + } + + return &TPMKey{ + TPMKey: key, + cert: cert, + tpm: tpmcb, + }, nil +} + +func (t *TPMKey) Type() BackendType { return t.keytype } +func (t *TPMKey) Certificate() *x509.Certificate { return t.cert } +func (t *TPMKey) Description() string { return t.TPMKey.Description } + +func (t *TPMKey) Signer() crypto.Signer { + s, err := t.TPMKey.Signer(t.tpm(), []byte(nil), []byte(nil)) + if err != nil { + panic(err) + } + return s +} + +func (t *TPMKey) PrivateKeyBytes() []byte { + return t.TPMKey.Bytes() +} + +func (t *TPMKey) CertificateBytes() []byte { + b := new(bytes.Buffer) + if err := pem.Encode(b, &pem.Block{Type: "CERTIFICATE", Bytes: t.cert.Raw}); err != nil { + panic("failed producing PEM encoded certificate") + } + return b.Bytes() +} + +func ReadTPMKey(vfs afero.Fs, tpmcb func() transport.TPMCloser, dir string, hier hierarchy.Hierarchy) (*TPMKey, error) { + path := filepath.Join(dir, hier.String()) + keyname := filepath.Join(path, fmt.Sprintf("%s.key", hier.String())) + certname := filepath.Join(path, fmt.Sprintf("%s.pem", hier.String())) + + // Read privatekey + keyb, err := fs.ReadFile(vfs, keyname) + if err != nil { + return nil, err + } + + // Read certificate + pemb, err := fs.ReadFile(vfs, certname) + if err != nil { + return nil, err + } + return TPMKeyFromBytes(tpmcb, keyb, pemb) +} + +func TPMKeyFromBytes(tpmcb func() transport.TPMCloser, keyb, pemb []byte) (*TPMKey, error) { + tpmkey, err := keyfile.Decode(keyb) + if err != nil { + return nil, fmt.Errorf("failed parking tpm keyfile: %v", err) + } + + block, _ := pem.Decode(pemb) + if block == nil { + return nil, fmt.Errorf("no pem block") + } + + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + return nil, fmt.Errorf("failed to parse cert: %w", err) + } + return &TPMKey{ + TPMKey: tpmkey, + keytype: TPMBackend, + cert: cert, + tpm: tpmcb, + }, nil +} diff --git a/cmd/sbctl/create-keys.go b/cmd/sbctl/create-keys.go index 277b373..5069ba7 100644 --- a/cmd/sbctl/create-keys.go +++ b/cmd/sbctl/create-keys.go @@ -16,7 +16,7 @@ var ( exportPath string databasePath string Keytype string - PKKeyType, KEKKeyType, DbKeyType string + PKKeytype, KEKKeytype, DbKeytype string ) var createKeysCmd = &cobra.Command{ @@ -50,6 +50,23 @@ func RunCreateKeys(state *config.State) error { return err } + // Should be own flag type + if Keytype != "" && (Keytype == "file" || Keytype == "tpm") { + state.Config.Keys.PK.Type = Keytype + state.Config.Keys.KEK.Type = Keytype + state.Config.Keys.Db.Type = Keytype + } else { + if PKKeytype != "" && (PKKeytype == "file" || PKKeytype == "tpm") { + state.Config.Keys.PK.Type = PKKeytype + } + if KEKKeytype != "" && (KEKKeytype == "file" || KEKKeytype == "tpm") { + state.Config.Keys.KEK.Type = KEKKeytype + } + if DbKeytype != "" && (DbKeytype == "file" || DbKeytype == "tpm") { + state.Config.Keys.Db.Type = DbKeytype + } + } + uuid, err := sbctl.CreateGUID(state.Fs, state.Config.GUID) if err != nil { return err @@ -80,10 +97,10 @@ func createKeysCmdFlags(cmd *cobra.Command) { f := cmd.Flags() f.StringVarP(&exportPath, "export", "e", "", "export file path") f.StringVarP(&databasePath, "database-path", "d", "", "location to create GUID file") - f.StringVarP(&Keytype, "keytype", "", "file", "key type for all keys") - f.StringVarP(&PKKeyType, "pk-type", "", "file", "PK key type (file | tpm)") - f.StringVarP(&KEKKeyType, "kek-type", "", "file", "PK key type (file | tpm)") - f.StringVarP(&DbKeyType, "db-type", "", "file", "PK key type (file | tpm)") + f.StringVarP(&Keytype, "keytype", "", "", "key type for all keys") + f.StringVarP(&PKKeytype, "pk-keytype", "", "", "PK key type (default: file)") + f.StringVarP(&KEKKeytype, "kek-keytype", "", "", "KEK key type (default: file)") + f.StringVarP(&DbKeytype, "db-keytype", "", "", "db key type (defualt: file)") } func init() { diff --git a/cmd/sbctl/main.go b/cmd/sbctl/main.go index cde7115..72a7b09 100644 --- a/cmd/sbctl/main.go +++ b/cmd/sbctl/main.go @@ -15,6 +15,7 @@ import ( "github.com/foxboron/sbctl/config" "github.com/foxboron/sbctl/logging" "github.com/foxboron/sbctl/lsm" + "github.com/google/go-tpm/tpm2/transport" "github.com/spf13/afero" "github.com/spf13/cobra" ) @@ -113,8 +114,17 @@ func main() { baseFlags(rootCmd) + // We save tpmerr and print it when we can print debug messages + rwc, tpmerr := transport.OpenTPM() + if tpmerr == nil { + defer rwc.Close() + } + state := &config.State{ - Fs: fs, + Fs: fs, + TPM: func() transport.TPMCloser { + return rwc + }, Config: conf, Efivarfs: efivarfs.NewFS(). CheckImmutable(). @@ -137,6 +147,10 @@ func main() { } logger := slog.New(slog.NewTextHandler(os.Stdout, opts)) slog.SetDefault(logger) + + if !state.HasTPM() { + slog.Debug("can't open tpm", slog.Any("err", tpmerr)) + } } ctx := context.WithValue(context.Background(), stateDataKey{}, state) diff --git a/cmd/sbctl/rotate-keys.go b/cmd/sbctl/rotate-keys.go index da0b049..527313f 100644 --- a/cmd/sbctl/rotate-keys.go +++ b/cmd/sbctl/rotate-keys.go @@ -24,6 +24,9 @@ type RotateKeysCmdOptions struct { Partial stringset.StringSet KeyFile string CertFile string + + Keytype string + PKKeytype, KEKKeytype, DbKeytype string } var ( @@ -91,10 +94,17 @@ func rotateCerts(state *config.State, hier hierarchy.Hierarchy, oldkeys *backend func RunRotateKeys(cmd *cobra.Command, args []string) error { state := cmd.Context().Value(stateDataKey{}).(*config.State) + if err := state.Fs.MkdirAll(tmpPath, 0600); err != nil { + return fmt.Errorf("can't create tmp directory: %v", err) + } + if state.Config.Landlock { lsm.RestrictAdditionalPaths( landlock.RWDirs(tmpPath), ) + if err := sbctl.LandlockFromFileDatabase(state); err != nil { + return err + } if err := lsm.Restrict(); err != nil { return err } @@ -138,6 +148,24 @@ func rotateAllKeys(state *config.State, backupDir, newKeysDir string) error { return fmt.Errorf("failed removing old keys: %v", err) } + // Should be own flag type, and deduplicated + // It should be fine to modify the state here? + if rotateKeysCmdOptions.Keytype != "" && (rotateKeysCmdOptions.Keytype == "file" || rotateKeysCmdOptions.Keytype == "tpm") { + state.Config.Keys.PK.Type = rotateKeysCmdOptions.Keytype + state.Config.Keys.KEK.Type = rotateKeysCmdOptions.Keytype + state.Config.Keys.Db.Type = rotateKeysCmdOptions.Keytype + } else { + if rotateKeysCmdOptions.PKKeytype != "" && (rotateKeysCmdOptions.PKKeytype == "file" || rotateKeysCmdOptions.PKKeytype == "tpm") { + state.Config.Keys.PK.Type = rotateKeysCmdOptions.PKKeytype + } + if rotateKeysCmdOptions.KEKKeytype != "" && (rotateKeysCmdOptions.KEKKeytype == "file" || rotateKeysCmdOptions.KEKKeytype == "tpm") { + state.Config.Keys.KEK.Type = rotateKeysCmdOptions.KEKKeytype + } + if rotateKeysCmdOptions.DbKeytype != "" && (rotateKeysCmdOptions.DbKeytype == "file" || rotateKeysCmdOptions.DbKeytype == "tpm") { + state.Config.Keys.Db.Type = rotateKeysCmdOptions.DbKeytype + } + } + var newKeyHierarchy *backend.KeyHierarchy if newKeysDir == "" { @@ -228,6 +256,24 @@ func rotateKey(state *config.State, hiera string, keyPath, certPath string) erro return fmt.Errorf("can't read efivariables: %v", err) } + // Should be own flag type, and deduplicated + // It should be fine to modify the state here? + if rotateKeysCmdOptions.Keytype != "" && (rotateKeysCmdOptions.Keytype == "file" || rotateKeysCmdOptions.Keytype == "tpm") { + state.Config.Keys.PK.Type = rotateKeysCmdOptions.Keytype + state.Config.Keys.KEK.Type = rotateKeysCmdOptions.Keytype + state.Config.Keys.Db.Type = rotateKeysCmdOptions.Keytype + } else { + if rotateKeysCmdOptions.PKKeytype != "" && (rotateKeysCmdOptions.PKKeytype == "file" || rotateKeysCmdOptions.PKKeytype == "tpm") { + state.Config.Keys.PK.Type = rotateKeysCmdOptions.PKKeytype + } + if rotateKeysCmdOptions.KEKKeytype != "" && (rotateKeysCmdOptions.KEKKeytype == "file" || rotateKeysCmdOptions.KEKKeytype == "tpm") { + state.Config.Keys.KEK.Type = rotateKeysCmdOptions.KEKKeytype + } + if rotateKeysCmdOptions.DbKeytype != "" && (rotateKeysCmdOptions.DbKeytype == "file" || rotateKeysCmdOptions.DbKeytype == "tpm") { + state.Config.Keys.Db.Type = rotateKeysCmdOptions.DbKeytype + } + } + switch hiera { case hierarchy.PK.String(): bk, err := backend.InitBackendFromKeys(state, newKey, newCert, hierarchy.PK) @@ -274,6 +320,11 @@ func rotateKeysCmdFlags(cmd *cobra.Command) { f.VarPF(&rotateKeysCmdOptions.Partial, "partial", "p", "rotate a key of a specific hierarchy") f.StringVarP(&rotateKeysCmdOptions.KeyFile, "key-file", "k", "", "key file to replace (only with partial flag)") f.StringVarP(&rotateKeysCmdOptions.CertFile, "cert-file", "c", "", "certificate file to replace (only with partial flag)") + + f.StringVarP(&rotateKeysCmdOptions.Keytype, "keytype", "", "", "key type for all keys") + f.StringVarP(&rotateKeysCmdOptions.PKKeytype, "pk-keytype", "", "", "PK key type (default: file)") + f.StringVarP(&rotateKeysCmdOptions.KEKKeytype, "kek-keytype", "", "", "KEK key type (default: file)") + f.StringVarP(&rotateKeysCmdOptions.DbKeytype, "db-keytype", "", "", "db key type (defualt: file)") } func init() { diff --git a/cmd/sbctl/setup_test.go b/cmd/sbctl/setup_test.go index f74c944..7cf0651 100644 --- a/cmd/sbctl/setup_test.go +++ b/cmd/sbctl/setup_test.go @@ -12,6 +12,8 @@ import ( "github.com/foxboron/sbctl/backend" "github.com/foxboron/sbctl/config" "github.com/foxboron/sbctl/hierarchy" + "github.com/google/go-tpm/tpm2/transport" + "github.com/google/go-tpm/tpm2/transport/simulator" ) func mustBytes(f string) []byte { @@ -110,3 +112,106 @@ func TestSetup(t *testing.T) { t.Fatalf("can't find pk cert in efivarfs") } } + +func TestSetupTPMKeys(t *testing.T) { + // Embed a TPM eventlog from out test suite for enroll-keys + mapfs := fstest.MapFS{ + systemEventlog: {Data: mustBytes("../../tests/tpm_eventlogs/t480s_eventlog")}, + "/boot/test.efi": {Data: mustBytes("../../tests/binaries/test.pecoff")}, + "/boot/something.efi": {Data: mustBytes("../../tests/binaries/test.pecoff")}, + } + + conf := config.DefaultConfig() + + // Set PK to be a TPM key + conf.Keys.PK.Type = "tpm" + conf.Keys.KEK.Type = "tpm" + conf.Keys.Db.Type = "tpm" + + // Include test file into our file config + conf.Files = []*config.FileConfig{ + {"/boot/test.efi", "/boot/new.efi"}, + {"/boot/something.efi", ""}, + } + + rwc, err := simulator.OpenSimulator() + if err != nil { + t.Fatal(err) + } + defer rwc.Close() + + state := &config.State{ + TPM: func() transport.TPMCloser { + return rwc + }, + Fs: efitest.FromMapFS(mapfs), + Efivarfs: testfs.NewTestFS(). + With(efitest.SetUpModeOn(), + mapfs, + ). + Open(), + Config: conf, + } + + // Ignore immutable in enroll-keys + enrollKeysCmdOptions.IgnoreImmutable = true + + err = SetupInstallation(state) + if err != nil { + t.Fatalf("failed running SetupInstallation: %v", err) + } + + // Check that we can sign and verify a file + kh, err := backend.GetKeyHierarchy(state.Fs, state) + if err != nil { + t.Fatalf("can't get key hierarchy: %v", err) + } + ok, err := sbctl.VerifyFile(state, kh, hierarchy.Db, "/boot/new.efi") + if err != nil { + t.Fatalf("can't verify file: %v", err) + } + if !ok { + t.Fatalf("file is not properly signed") + } + + guid, err := conf.GetGUID(state.Fs) + if err != nil { + t.Fatalf("can't get owner guid") + } + + sb, err := state.Efivarfs.Getdb() + if err != nil { + t.Fatalf("can't get db from efivarfs") + } + data := &signature.SignatureData{ + Owner: *guid, + Data: kh.Db.Certificate().Raw, + } + if !sb.SigDataExists(signature.CERT_X509_GUID, data) { + t.Fatalf("can't find db cert in efivarfs") + } + + sb, err = state.Efivarfs.GetKEK() + if err != nil { + t.Fatalf("can't get kek from efivarfs") + } + data = &signature.SignatureData{ + Owner: *guid, + Data: kh.KEK.Certificate().Raw, + } + if !sb.SigDataExists(signature.CERT_X509_GUID, data) { + t.Fatalf("can't find kek cert in efivarfs") + } + + sb, err = state.Efivarfs.GetPK() + if err != nil { + t.Fatalf("can't get pk from efivarfs") + } + data = &signature.SignatureData{ + Owner: *guid, + Data: kh.PK.Certificate().Raw, + } + if !sb.SigDataExists(signature.CERT_X509_GUID, data) { + t.Fatalf("can't find pk cert in efivarfs") + } +} diff --git a/config/config.go b/config/config.go index a9258d7..fa3e356 100644 --- a/config/config.go +++ b/config/config.go @@ -148,6 +148,10 @@ func (s *State) IsInstalled() bool { return true } +func (s *State) HasTPM() bool { + return s.TPM != nil +} + func (s *State) HasLandlock() bool { if !s.Config.Landlock { return false diff --git a/docs/sbctl.8.txt b/docs/sbctl.8.txt index 8fbdc7b..66fd73d 100644 --- a/docs/sbctl.8.txt +++ b/docs/sbctl.8.txt @@ -79,7 +79,6 @@ EFI signing commands + Default: "db,KEK" - *--yes-this-might-brick-my-machine*, **--yolo**;; Ignore the Option ROM error and continue enrolling keys into the UEFI firmware. @@ -99,15 +98,45 @@ EFI signing commands Valid values are: esl, auth. *-p*, *--partial*;; - Enroll keys only for the hierarchy specified. - + - Valid values are: db, KEK, PK. + Enroll keys only for the hierarchy specified. + + + Valid values are: db, KEK, PK. *--custom-bytes*;; - Enroll a custom bytefile provided by its path to the efivar specified by partial. + Enroll a custom bytefile provided by its path to the efivar specified by partial. *-a*, *--append*;; - Instead of replacing the currently enrolled keys, append the provided one. + Instead of replacing the currently enrolled keys, append the provided one. + + *--keytype*;; + Set the keytype for all signing keys used by sbctl. This + includes PK, KEK and db keys. + + + Default: file + + + Valid values are: file, tpm + + *--pk-keytype*;; + Set the PK key type. + + + Default: file + + + Valid values are: file, tpm + + *--kek-keytype*;; + Set the KEK key type. + + + Default: file + + + Valid values are: file, tpm + + *--db-keytype*;; + Set the db key type. + + + Default: file + + + Valid values are: file, tpm + **sign** ...:: Signs an EFI binary with the created key. The file will be checked for @@ -194,6 +223,35 @@ EFI signing commands *-c*, *--cert-file*;; Certificate file to be appended for the specified hierarchy. + *--keytype*;; + Set the keytype for all signing keys used by sbctl. This + includes PK, KEK and db keys. + + + Default: file + + + Valid values are: file, tpm + + *--pk-keytype*;; + Set the PK key type. + + + Default: file + + + Valid values are: file, tpm + + *--kek-keytype*;; + Set the KEK key type. + + + Default: file + + + Valid values are: file, tpm + + *--db-keytype*;; + Set the db key type. + + + Default: file + + + Valid values are: file, tpm + **export-enrolled-keys**:: Export already enrolled keys from the system. @@ -339,6 +397,28 @@ after each system update. Tip: systemd-boot will automatically show entries for any bundles found in *esp/EFI/Linux/+++*+++.efi*. +Supported key types +------------------- + +sbctl currently supports storing keys as plain unencrypted files, or as TPM +shielded keys. + +Plain unencrypted files (*file*) should only be used when the root partition is +encrypted. This is the default key type for historic reasons. File keys are +hardcoded to RSA 4098. + +TPM shielded keys (*tpm*) are shielded inside the TPM and available if there is +an accessible TPM on the system. TPM policies are not supported which means we +can't seal keys towards the system state. Note that TPM keys are hardcoded to +RSA 2048, which is usually the highest bit strength supported by TPMs. + +When creating a key hierarchy for Secure Boot, the user can decide which key +type each of the keys in the hierarchy gets. Because TPMs can be slow to sign, +it's generally adviced to keep PK and KEK in the TPM, while the db key can be a +standard *file* key. + +Note that password protection is currently not supported. + Landlock -------- diff --git a/go.mod b/go.mod index e2cf1bc..76b00b7 100644 --- a/go.mod +++ b/go.mod @@ -1,15 +1,15 @@ module github.com/foxboron/sbctl -go 1.21 +go 1.22.0 -toolchain go1.22.3 +toolchain go1.22.5 require ( github.com/fatih/color v1.17.0 github.com/foxboron/go-uefi v0.0.0-20240516213015-35289af04a75 github.com/goccy/go-yaml v1.11.3 github.com/google/go-attestation v0.5.1 - github.com/google/go-tpm v0.9.0 + github.com/google/go-tpm v0.9.1 github.com/google/uuid v1.4.0 github.com/hugelgupf/vmtest v0.0.0-20240110072021-f6f07acb7aa1 github.com/landlock-lsm/go-landlock v0.0.0-20240715193425-db0c8d6f1dff @@ -24,6 +24,7 @@ require ( github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 // indirect github.com/creack/pty v1.1.21 // indirect github.com/dustin/go-humanize v1.0.1 // indirect + github.com/foxboron/go-tpm-keyfiles v0.0.0-20240725205618-b7c5a84edf9d // indirect github.com/google/certificate-transparency-go v1.1.2 // indirect github.com/google/go-tspi v0.3.0 // indirect github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 // indirect @@ -47,7 +48,7 @@ require ( github.com/ulikunitz/xz v0.5.11 // indirect github.com/vishvananda/netlink v1.2.1-beta.2 // indirect github.com/vishvananda/netns v0.0.4 // indirect - golang.org/x/crypto v0.23.0 // indirect + golang.org/x/crypto v0.25.0 // indirect golang.org/x/mod v0.17.0 // indirect golang.org/x/net v0.25.0 // indirect golang.org/x/sync v0.7.0 // indirect diff --git a/go.sum b/go.sum index 2b702d0..240c64a 100644 --- a/go.sum +++ b/go.sum @@ -215,6 +215,8 @@ github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoD github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.2.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/foxboron/go-tpm-keyfiles v0.0.0-20240725205618-b7c5a84edf9d h1:odwhCo3olsbN0fkXxCSH3aYz2OhrkcH93oU2QKEcI9s= +github.com/foxboron/go-tpm-keyfiles v0.0.0-20240725205618-b7c5a84edf9d/go.mod h1:uAyTlAUxchYuiFjTHmuIEJ4nGSm7iOPaGcAyA81fJ80= github.com/foxboron/go-uefi v0.0.0-20240516213015-35289af04a75 h1:rB1YXZueS9hY+qWmSQMIVT61msZ1gF3d5Sw/R0qjgzY= github.com/foxboron/go-uefi v0.0.0-20240516213015-35289af04a75/go.mod h1:ffg/fkDeOYicEQLoO2yFFGt00KUTYVXI+rfnc8il6vQ= github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= @@ -331,6 +333,8 @@ github.com/google/go-replayers/grpcreplay v0.1.0/go.mod h1:8Ig2Idjpr6gifRd6pNVgg github.com/google/go-replayers/httpreplay v0.1.0/go.mod h1:YKZViNhiGgqdBlUbI2MwGpq4pXxNmhJLPHQ7cv2b5no= github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk= github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU= +github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM= +github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY= github.com/google/go-tpm-tools v0.4.2 h1:iyaCPKt2N5Rd0yz0G8ANa022SgCNZkMpp+db6QELtvI= github.com/google/go-tpm-tools v0.4.2/go.mod h1:fGUDZu4tw3V4hUVuFHmiYgRd0c58/IXivn9v3Ea/ck4= github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus= @@ -849,6 +853,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= diff --git a/lsm/lsm.go b/lsm/lsm.go index ab3b274..e80ef98 100644 --- a/lsm/lsm.go +++ b/lsm/lsm.go @@ -28,6 +28,8 @@ func LandlockRulesFromConfig(conf *config.Config) { conf.GUID, conf.FilesDb, conf.BundlesDb, + // Enable the TPM devices by default if they exist + "/dev/tpm0", "/dev/tpmrm0", ).IgnoreIfMissing(), ) }