chore: uki der certs in iso

Add the uki signing cert into iso. Fixes: #8131 Signed-off-by: Noel Georgi <git@frezbo.dev>
siderolabs · Feb 26, 2024 · 1cb5443 · 1cb5443
1 parent 67ac693
commit 1cb5443
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/pkg/imager/iso/uefi.go b/pkg/imager/iso/uefi.go
@@ -28,6 +28,9 @@ type UEFIOptions struct {
 	// A value in loader.conf secure-boot-enroll: off, manual, if-safe, force.
 	SDBootSecureBootEnrollKeys string
 
+	// UKISigningCertDer is the DER encoded UKI signing certificate.
+	UKISigningCertDerPath string
+
 	// optional, for auto-enrolling secureboot keys
 	PlatformKeyPath    string
 	KeyExchangeKeyPath string
@@ -116,6 +119,10 @@ func CreateUEFI(printf func(string, ...any), options UEFIOptions) error {
 		return err
 	}
 
+	if _, err := cmd.Run("mmd", "-i", efiBootImg, "::EFI/keys"); err != nil {
+		return err
+	}
+
 	if _, err := cmd.Run("mmd", "-i", efiBootImg, "::loader"); err != nil {
 		return err
 	}
@@ -149,6 +156,10 @@ func CreateUEFI(printf func(string, ...any), options UEFIOptions) error {
 		return err
 	}
 
+	if _, err := cmd.Run("mcopy", "-i", efiBootImg, options.UKISigningCertDerPath, "::EFI/keys/uki-signing-cert.der"); err != nil {
+		return err
+	}
+
 	if options.PlatformKeyPath != "" {
 		if _, err := cmd.Run("mcopy", "-i", efiBootImg, options.PlatformKeyPath, filepath.Join("::loader/keys/auto", constants.PlatformKeyAsset)); err != nil {
 			return err

diff --git a/pkg/imager/out.go b/pkg/imager/out.go
@@ -7,6 +7,7 @@ package imager
 import (
 	"context"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"log"
 	"os"
@@ -88,12 +89,34 @@ func (i *Imager) outISO(ctx context.Context, path string, report *reporter.Repor
 	if i.prof.SecureBootEnabled() {
 		isoOptions := pointer.SafeDeref(i.prof.Output.ISOOptions)
 
+		crtData, readErr := os.ReadFile(i.prof.Input.SecureBoot.SecureBootSigner.CertPath)
+		if readErr != nil {
+			return fmt.Errorf("failed to read secureboot uki certificate: %w", readErr)
+		}
+
+		block, rest := pem.Decode(crtData)
+		if block == nil {
+			return errors.New("failed to decode PEM data")
+		}
+
+		if len(rest) > 0 {
+			return errors.New("more than one PEM block found in PEM data")
+		}
+
+		derCrtPath := filepath.Join(i.tempDir, "uki.der")
+
+		if err = os.WriteFile(derCrtPath, block.Bytes, 0o600); err != nil {
+			return fmt.Errorf("failed to write uki.der: %w", err)
+		}
+
 		options := iso.UEFIOptions{
 			UKIPath:    i.ukiPath,
 			SDBootPath: i.sdBootPath,
 
 			SDBootSecureBootEnrollKeys: isoOptions.SDBootEnrollKeys.String(),
 
+			UKISigningCertDerPath: derCrtPath,
+
 			PlatformKeyPath:    i.prof.Input.SecureBoot.PlatformKeyPath,
 			KeyExchangeKeyPath: i.prof.Input.SecureBoot.KeyExchangeKeyPath,
 			SignatureKeyPath:   i.prof.Input.SecureBoot.SignatureKeyPath,