package main
import (
"errors"
"fmt"
"os"
"github.com/foxboron/sbctl"
"github.com/foxboron/sbctl/fs"
"github.com/foxboron/sbctl/logging"
"github.com/spf13/afero"
"github.com/spf13/cobra"
)
// ErrInvalidHeader is returned by VerifyOneFile when the file does not start
// with a PE/MS-DOS header, i.e. it is not an EFI binary.
var ErrInvalidHeader = errors.New("invalid pe header")

// verifyCmd is the cobra definition of the "verify" subcommand; the actual
// work is done by RunVerify.
var verifyCmd = &cobra.Command{
	Use:   "verify",
	Short: "Find and check if files in the ESP are signed or not",
	RunE:  RunVerify,
}
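// VerifyOneFile checks whether the file at path f starts with a PE/MS-DOS
// header and, if so, reports whether it carries a signature that validates
// against the configured db certificate (sbctl.DBCert).
//
// A file that does not exist or cannot be read for permission reasons is
// reported as a warning and treated as success (nil), so that a scan of the
// whole ESP is not aborted by a single unreadable entry. A file whose header
// is not a PE/MS-DOS header yields ErrInvalidHeader; callers scanning the ESP
// use that to skip non-EFI files. Any other open, read or verification
// failure is returned to the caller.
func VerifyOneFile(f string) error {
	o, err := fs.Fs.Open(f)
	switch {
	case errors.Is(err, os.ErrNotExist):
		logging.Warn("%s does not exist", f)
		return nil
	case errors.Is(err, os.ErrPermission):
		logging.Warn("%s permission denied. Can't read file\n", f)
		return nil
	case err != nil:
		// Any other open failure previously fell through with a nil handle,
		// which made the deferred Close panic.
		return fmt.Errorf("opening %s: %w", f, err)
	}
	defer o.Close()

	ok, err := sbctl.CheckMSDos(o)
	if err != nil {
		// A read failure is not a verdict about the header; surface it instead
		// of reporting the file as "not a valid EFI binary".
		return fmt.Errorf("reading header of %s: %w", f, err)
	}
	if !ok {
		return ErrInvalidHeader
	}

	// NOTE(review): the header check reads through the handle opened above,
	// while VerifyFile is handed the path and presumably opens it again, so
	// the two reads are not guaranteed to see the same file contents —
	// confirm whether VerifyFile can take the open handle instead.
	ok, err = sbctl.VerifyFile(sbctl.DBCert, f)
	if err != nil {
		return err
	}
	if ok {
		logging.Ok("%s is signed", f)
	} else {
		logging.NotOk("%s is not signed", f)
	}
	return nil
}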
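// RunVerify implements the "verify" subcommand.
//
// With explicit file arguments it verifies exactly those files; an argument
// that is not a PE binary is reported as an error message without failing the
// command. Without arguments it first verifies every output file recorded in
// the signing database, then walks the ESP and verifies every remaining
// regular file, silently skipping files that are not PE binaries.
func RunVerify(cmd *cobra.Command, args []string) error {
	// Exit early if we can't verify files
	if err := sbctl.CanVerifyFiles(); err != nil {
		return err
	}

	espPath, err := sbctl.GetESP()
	if err != nil {
		return err
	}

	if len(args) > 0 {
		return verifyArgs(args)
	}

	logging.Print("Verifying file database and EFI images in %s...\n", espPath)

	// Files tracked in the signing database are verified first and marked as
	// checked so the ESP walk below does not verify them a second time.
	if err := sbctl.SigningEntryIter(func(file *sbctl.SigningEntry) error {
		sbctl.AddChecked(file.OutputFile)
		return VerifyOneFile(file.OutputFile)
	}); err != nil {
		return err
	}

	return afero.Walk(fs.Fs, espPath, verifyWalkFn)
}

// verifyArgs verifies each file named on the command line and stops at the
// first failure. A file that is not a PE binary is reported but does not fail
// the command (nil is returned).
func verifyArgs(files []string) error {
	for _, file := range files {
		err := VerifyOneFile(file)
		if err == nil {
			continue
		}
		// errors.Is inspects the chain of its first argument, so the error
		// under test goes first and the sentinel second; the previous order
		// only matched when the sentinel was returned unwrapped.
		if errors.Is(err, ErrInvalidHeader) {
			logging.Error(fmt.Errorf("%s is not a valid EFI binary", file))
			return nil
		}
		return err
	}
	return nil
}

// verifyWalkFn is the afero.Walk callback used for the ESP scan. It never
// aborts the walk: unreadable entries, directories, already-checked files and
// non-PE files are skipped, and any other verification failure is logged.
func verifyWalkFn(path string, info os.FileInfo, err error) error {
	if err != nil {
		// Walk reports an unreadable entry with a non-nil err and no usable
		// info, so nothing below can run for it. Log and move on rather than
		// calling IsDir on a nil FileInfo (previously reachable through an
		// unchecked Stat).
		logging.Error(fmt.Errorf("failed to read path %s: %s", path, err))
		return nil
	}
	// info is the metadata Walk already collected for this entry; no second
	// Stat call is needed.
	if info.IsDir() {
		return nil
	}
	if sbctl.InChecked(path) {
		return nil
	}
	if err := VerifyOneFile(path); err != nil {
		// We are scanning the ESP, so ignore invalid files
		if errors.Is(err, ErrInvalidHeader) {
			return nil
		}
		logging.Error(fmt.Errorf("failed to verify file %s: %s", path, err))
	}
	return nil
}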
// init registers the verify subcommand in the package-level command list.
func init() {
	CliCommands = append(CliCommands, cliCommand{Cmd: verifyCmd})
}