Skip to content

Commit

Permalink
fix: generate secureboot ISO .der certificate correctly
Browse files Browse the repository at this point in the history
Previous approach relied on a field which is _only_ present if
file-based PKI is passed in, and fails for e.g. Azure KMS.

See siderolabs/image-factory#104

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
  • Loading branch information
smira committed Apr 10, 2024
1 parent b0fdc3c commit 909a580
Showing 1 changed file with 5 additions and 20 deletions.
25 changes: 5 additions & 20 deletions pkg/imager/out.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ package imager
import (
"context"
"encoding/pem"
"errors"
"fmt"
"log"
"os"
Expand Down Expand Up @@ -91,23 +90,16 @@ func (i *Imager) outISO(ctx context.Context, path string, report *reporter.Repor
if i.prof.SecureBootEnabled() {
isoOptions := pointer.SafeDeref(i.prof.Output.ISOOptions)

crtData, readErr := os.ReadFile(i.prof.Input.SecureBoot.SecureBootSigner.CertPath)
if readErr != nil {
return fmt.Errorf("failed to read secureboot uki certificate: %w", readErr)
}

block, rest := pem.Decode(crtData)
if block == nil {
return errors.New("failed to decode PEM data")
}
var signer pesign.CertificateSigner

if len(rest) > 0 {
return errors.New("more than one PEM block found in PEM data")
signer, err = i.prof.Input.SecureBoot.SecureBootSigner.GetSigner(ctx)
if err != nil {
return fmt.Errorf("failed to get SecureBoot signer: %w", err)
}

derCrtPath := filepath.Join(i.tempDir, "uki.der")

if err = os.WriteFile(derCrtPath, block.Bytes, 0o600); err != nil {
if err = os.WriteFile(derCrtPath, signer.Certificate().Raw, 0o600); err != nil {
return fmt.Errorf("failed to write uki.der: %w", err)
}

Expand All @@ -134,13 +126,6 @@ func (i *Imager) outISO(ctx context.Context, path string, report *reporter.Repor
report.Report(reporter.Update{Message: "generating SecureBoot database...", Status: reporter.StatusRunning})

// generate the database automatically from provided values
var signer pesign.CertificateSigner

signer, err = i.prof.Input.SecureBoot.SecureBootSigner.GetSigner(ctx)
if err != nil {
return fmt.Errorf("failed to get SecureBoot signer: %w", err)
}

enrolledPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: signer.Certificate().Raw,
Expand Down

0 comments on commit 909a580

Please sign in to comment.