diff options
author | tpearson@raptorengineering.com <tpearson@raptorengineering.com> | 2016-08-18 04:45:47 -0500 |
---|---|---|
committer | Samuel Mendoza-Jonas <sam@mendozajonas.com> | 2016-08-26 13:23:01 +1000 |
commit | 86c9d34380b0074dab1ba89a569a94280d6999c4 (patch) | |
tree | 22cf0cccbd4022d150e231adcb360b3bcf528cda /discover/user-event.c | |
parent | 5496eee36f70631ae45403f90ed7b4dc143f27c0 (diff) | |
download | talos-petitboot-86c9d34380b0074dab1ba89a569a94280d6999c4.tar.gz talos-petitboot-86c9d34380b0074dab1ba89a569a94280d6999c4.zip |
Add support for GPG signature enforcement on booted
kernels and related blobs
This can be used to implement a form of organization-controlled secure boot,
whereby kernels may be loaded from a variety of sources but they will only
boot if a valid signature file is found for each component, and only if the
signature is listed in the /etc/pb-lockdown file.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
(Minor build fixes and gpgme.m4, comment on secure boot in gpg.c)
Diffstat (limited to 'discover/user-event.c')
-rw-r--r-- | discover/user-event.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/discover/user-event.c b/discover/user-event.c index 7350b6c..6ea754f 100644 --- a/discover/user-event.c +++ b/discover/user-event.c @@ -82,7 +82,7 @@ static void user_event_print_event(struct event __attribute__((unused)) *event) } static struct resource *user_event_resource(struct discover_boot_option *opt, - struct event *event) + struct event *event, bool gen_boot_args_sigfile) { const char *siaddr, *boot_file; struct resource *res; @@ -101,7 +101,16 @@ static struct resource *user_event_resource(struct discover_boot_option *opt, return NULL; } - url_str = talloc_asprintf(opt, "%s%s/%s", "tftp://", siaddr, boot_file); + if (gen_boot_args_sigfile) { + char* args_sigfile_default = talloc_asprintf(opt, + "%s.cmdline.sig", boot_file); + url_str = talloc_asprintf(opt, "%s%s/%s", "tftp://", siaddr, + args_sigfile_default); + talloc_free(args_sigfile_default); + } + else + url_str = talloc_asprintf(opt, "%s%s/%s", "tftp://", siaddr, + boot_file); url = pb_url_parse(opt, url_str); talloc_free(url_str); @@ -143,12 +152,13 @@ static int parse_user_event(struct discover_context *ctx, struct event *event) opt->id = talloc_asprintf(opt, "%s#%s", dev->id, val); opt->name = talloc_strdup(opt, val); - d_opt->boot_image = user_event_resource(d_opt, event); + d_opt->boot_image = user_event_resource(d_opt, event, false); if (!d_opt->boot_image) { pb_log("%s: no boot image found for %s!\n", __func__, opt->name); goto fail_opt; } + d_opt->args_sig_file = user_event_resource(d_opt, event, true); val = event_get_param(event, "rootpath"); if (val) { |