Rename bg-prov to cbnt-prov

Signed-off-by: Christopher Meis <christopher.meis@9elements.com>
Christopher Meis 2021-04-01 14:36:45 +02:00 committed by Christopher Meis
parent 4daa4edd2b
commit 6bcba89435
19 changed files with 171 additions and 174 deletions


@ -19,37 +19,37 @@ jobs:
- run: golint -set_exit_status ./pkg/tools
- run: golint -set_exit_status ./pkg/hwapi
- run: golint -set_exit_status ./pkg/provisioning/txt
- run: golint -set_exit_status ./pkg/provisioning/bg
- run: golint -set_exit_status ./pkg/provisioning/cbnt
#- run: golint -set_exit_status ./pkg/intel/metadata/manifest/
#- run: golint -set_exit_status ./pkg/intel/metadata/manifest/bootpolicy
#- run: golint -set_exit_status ./pkg/intel/metadata/manifest/key
- run: golint -set_exit_status ./cmd/txt-suite
- run: golint -set_exit_status ./cmd/txt-prov
- run: golint -set_exit_status ./cmd/bg-prov
- run: golint -set_exit_status ./cmd/cbnt-prov
- run: go mod download
- run: go mod verify
- run: CGO_ENABLED=0 go build -ldflags '-X main.gitcommit=${CIRCLE_SHA1} -X main.gittag=${CIRCLE_TAG} -w -extldflags "-static"' -o txt-suite cmd/txt-suite/*.go
- run: CGO_ENABLED=0 go build -ldflags '-X main.gitcommit=${CIRCLE_SHA1} -X main.gittag=${CIRCLE_TAG} -w -extldflags "-static"' -o txt-prov cmd/txt-prov/*.go
- run: CGO_ENABLED=0 go build -ldflags '-X main.gitcommit=${CIRCLE_SHA1} -X main.gittag=${CIRCLE_TAG} -w -extldflags "-static"' -o bg-prov cmd/bg-prov/*.go
- run: CGO_ENABLED=0 go build -ldflags '-X main.gitcommit=${CIRCLE_SHA1} -X main.gittag=${CIRCLE_TAG} -w -extldflags "-static"' -o cbnt-prov cmd/cbnt-prov/*.go
- run: go test ./pkg/hwapi/
- run: go test ./pkg/tools/
- run: go test ./pkg/test/
- run: go test ./pkg/provisioning/txt
- run: go test ./pkg/provisioning/bg
- run: go test ./pkg/provisioning/cbnt
- run: mkdir out
- run: git config user.email "circleci@circleci.com"
- run: git config user.name "CI"
- run: ./txt-suite markdown > ./cmd/txt-suite/TESTPLAN.md
- run: git add ./cmd/txt-suite/TESTPLAN.md
- run: (git commit -m "Update testplan file" && git push --set-upstream origin ${CIRCLE_BRANCH}) || true
- run: cp txt-suite txt-prov bg-prov out/
- run: cp txt-suite txt-prov cbnt-prov out/
- persist_to_workspace:
root: out
paths:
- txt-suite
- txt-prov
- bg-prov
- cbnt-prov
create_deb_rpm:
docker:
@ -65,7 +65,7 @@ jobs:
- run: go build github.com/goreleaser/nfpm/cmd/nfpm
- run: cp /tmp/out/txt-suite .
- run: cp /tmp/out/txt-prov .
- run: cp /tmp/out/bg-prov .
- run: cp /tmp/out/cbnt-prov .
- run: if [ -z "$CIRCLE_TAG" ]; then echo "export CIRCLE_TAG=$(git describe --tags|cut -d'-' -f1);" >> $BASH_ENV; fi
- run: if [ -z "$CIRCLE_BUILD_NUM" ]; then echo "export CIRCLE_BUILD_NUM=$(git describe --tags|cut -d'-' -f2);" >> $BASH_ENV; fi
- run: MY_APP_VERSION=${CIRCLE_TAG} MY_APP_BUILDNUMBER=${CIRCLE_BUILD_NUM} go run github.com/goreleaser/nfpm/cmd/nfpm pkg --config ./build/package/nfpm_rpm.yaml --target golang-css-suite-${CIRCLE_TAG}-${CIRCLE_BUILD_NUM}.x86_64.rpm
@ -73,7 +73,7 @@ jobs:
- run: mkdir -p out && cp *.rpm ./out/ && cp *.deb ./out/
- run: cp txt-suite ./out/
- run: cp txt-prov ./out/
- run: cp bg-prov ./out/
- run: cp cbnt-prov ./out/
- run: cp golang-css-suite-${CIRCLE_TAG}-${CIRCLE_BUILD_NUM}.x86_64.rpm artifact.rpm
- run: cp go_css-suite-${CIRCLE_TAG}-${CIRCLE_BUILD_NUM}_amd64.deb artifact.deb
- persist_to_workspace:
@ -83,7 +83,7 @@ jobs:
- go_css-suite*.deb
- txt-suite
- txt-prov
- bg-prov
- cbnt-prov
- store_artifacts:
path: artifact.rpm
destination: golang-css-suite.rpm

4
.gitignore vendored

@ -1,7 +1,7 @@
/txt-suite
/txt-prov
/bg-prov
/cbnt-prov
cmd/txt-prov/txt-prov
cmd/bg-prov/bg-prov
cmd/txt-suite/test_log.json
cmd/txt-suite/txt-suite
cmd/cbnt-prov/cbnt-prov


@ -30,13 +30,13 @@ Verify all downloaded dependencies run:
To build the test suite run:
```
<GO111MODULE=on> go build -o txt-suite cmd/bg-prov/*.go
<GO111MODULE=on> go build -o txt-suite cmd/cbnt-prov/*.go
```
Commandline subcommands:
--------------
```bash
Usage of ./bg-prov:
Usage of ./cbnt-prov:
version
Prints the version of the program
show-km
@ -72,63 +72,63 @@ Usage of ./bg-prov:
Flags:
--help (-h)
Prints more information about ./bg-prov
Prints more information about ./cbnt-prov
```
Every subcommand has several required or optional arguments and flags. To learn more about them:
```bash
./bg-prov <subcommand> -h
./cbnt-prov <subcommand> -h
```
Extended documentation about subcommands:
--------------
```bash
./bg-prov show-km Prints Key Manifest binary in human-readable format
./cbnt-prov show-km Prints Key Manifest binary in human-readable format
<path> Path to binary file containing Key Manifest
```
```bash
./bg-prov show-bpm Prints Boot Policy Manifest binary in human-readable format
./cbnt-prov show-bpm Prints Boot Policy Manifest binary in human-readable format
<path> Path to binary file containing Boot Policy Manifest
```
```bash
./bg-prov show-acm Prints ACM binary in human-readable format
./cbnt-prov show-acm Prints ACM binary in human-readable format
<path> Path to binary file containing Authenticated Code Module (ACM)
```
```bash
./bg-prov show-all Prints BPM, KM, FIT and ACM from Firmware image binary in human-readable format
./cbnt-prov show-all Prints BPM, KM, FIT and ACM from Firmware image binary in human-readable format
<path> Path to full Firmaware image binary file containing Key Manifest, Boot Policy Manifest and ACM
```
```bash
./bg-prov export-acm Exports ACM binary from Firmware image into file
./cbnt-prov export-acm Exports ACM binary from Firmware image into file
<bios> Path to the full Firmware image binary file.
<out> Path to the newly generated ACM binary file.
```
```bash
./bg-prov export-km Exports KM structures from Firmware image image into file
./cbnt-prov export-km Exports KM structures from Firmware image image into file
<bios> Path to the full Firmware image binary file.
<out> Path to the newly generated Key Manifest binary file.
```
```bash
./bg-prov export-bpm Exports BPM structures from Firmware image image into file
./cbnt-prov export-bpm Exports BPM structures from Firmware image image into file
<bios> Path to the full Firmware image binary file.
<out> Path to the newly generated Boot Policy Manifest binary file.
```
```bash
./bg-prov read-config Reads config from existing BIOS file and translates it to a JSON configuration
./cbnt-prov read-config Reads config from existing BIOS file and translates it to a JSON configuration
<config> Path to the JSON config file.
<bios> Path to the full Firmware image binary file.
```
```bash
./bg-prov km-gen Generate KM file based of json configuration
./cbnt-prov km-gen Generate KM file based of json configuration
<km> Path to the newly generated Key Manifest binary file.
<key> Public Boot Policy signing key
@ -144,7 +144,7 @@ Extended documentation about subcommands:
```
```bash
./bg-prov bpm-gen Generate BPM file based of json configuration and complete firmware image
./cbnt-prov bpm-gen Generate BPM file based of json configuration and complete firmware image
<bpm> Path to the newly generated Boot Policy Manifest binary file.
<bios> Path to the firmware image binary file.
@ -176,7 +176,7 @@ Extended documentation about subcommands:
```
```bash
./bg-prov km-sign Sign key manifest with given key
./cbnt-prov km-sign Sign key manifest with given key
<km-in> Path to the generated Key Manifest binary file.
<km-out> Path to write the signed KM to
<km-keyfile> Path to the encrypted PKCS8 private key file.
@ -184,7 +184,7 @@ Extended documentation about subcommands:
```
```bash
./bg-prov bpm-sign Sign Boot Policy Manifest with given key
./cbnt-prov bpm-sign Sign Boot Policy Manifest with given key
<bpm-in> Path to the newly generated Boot Policy Manifest binary file.
<bpm-out> Path to write the signed BPM to
<bpm-keyfile> Path to the encrypted PKCS8 private key file.
@ -192,7 +192,7 @@ Extended documentation about subcommands:
```
```bash
./bg-prov stitch Stitches BPM, KM and ACM into given BIOS image file
./cbnt-prov stitch Stitches BPM, KM and ACM into given BIOS image file
<bios> Path to the full BIOS binary file.
[<acm>] Path to the ACM binary file.
[<km>] Path to the Key Manifest binary file.
@ -200,7 +200,7 @@ Extended documentation about subcommands:
```
```bash
./bg-prov key-gen Generates key for KM and BPM signing
./cbnt-prov key-gen Generates key for KM and BPM signing
<algo> Select crypto algorithm for key generation. Options: RSA2048. RSA3072, ECC224, ECC256
<password> Password for AES256 encryption of private keys
[<path>] Path to store keys.
@ -209,7 +209,7 @@ Extended documentation about subcommands:
```bash
./bg-prov template Writes template JSON configuration into file
./cbnt-prov template Writes template JSON configuration into file
<path> Path to the newly generated JSON configuration file.
--revision Platform Manufacturers BPM revision number.
@ -243,18 +243,18 @@ I. Boot Policy / Key Manifest Generation/Signing/Stitching
1. Create a template config file
```bash
./bg-prov template ./config.json
./cbnt-prov template ./config.json
```
2. Create keys for signing of Key Manifest (KM) and Boot Policy Manifest (BPM)
Algorithm: RSA, BitSize: 2048, no password for enryption of private key files
```bash
./bg-prov key-gen RSA2048 "" --path=./Keys/mykey
./cbnt-prov key-gen RSA2048 "" --path=./Keys/mykey
```
3. Generate Key Manifest (KM)
```bash
./bg-prov km-gen ./KM/km_unsigned.bin ./Keys/mykey_km_pub.pem \
./cbnt-prov km-gen ./KM/km_unsigned.bin ./Keys/mykey_km_pub.pem \
--config=./config.json \
--pkhashalg=12 \
--bpmpubkey=./Keys/mykey_bpmpub.pem \
@ -263,72 +263,72 @@ Algorithm: RSA, BitSize: 2048, no password for enryption of private key files
4. Generation of Boot Policy Manifest (BPM)
```bash
./bg-prov bpm-gen ./BPM/bpm_unsigned.bin ./firmware.rom --config=./config.json
./cbnt-prov bpm-gen ./BPM/bpm_unsigned.bin ./firmware.rom --config=./config.json
```
5. Sign Key Manifest (KM)
```bash
./bg-prov km-sign ./KM/km_unsigned.bin ./KM/km_signed.bin ./Keys/myKey_km_priv.pem ""
./cbnt-prov km-sign ./KM/km_unsigned.bin ./KM/km_signed.bin ./Keys/myKey_km_priv.pem ""
```
6. Sign Boot Policy Manifest (BPM)
```bash
./bg-prov bpm-sign ./BPM/bpm_unsigned.bin ./BPM/bpm_signed.bin ./Keys/myKey_bpm_priv.pem ""
./cbnt-prov bpm-sign ./BPM/bpm_unsigned.bin ./BPM/bpm_signed.bin ./Keys/myKey_bpm_priv.pem ""
```
7. Export ACM for stitching (Firmware image must contain an ACM)
Skip this if you already have an ACM for stitching
```bash
./bg-prov export-acm ./firmware.rom ./ACM/acm_export.bin
./cbnt-prov export-acm ./firmware.rom ./ACM/acm_export.bin
```
8. Stitch BPM, KM and ACM into firmware image
```bash
./bg-prov stitch ./firmware.rom ./ACM/acm.bin ./KM/km_signed.bin ./BPM/bpm_signed.bin
./cbnt-prov stitch ./firmware.rom ./ACM/acm.bin ./KM/km_signed.bin ./BPM/bpm_signed.bin
```
II. Read config from a CBnT enabled firmware image
-------------------------------------------
```bash
./bg-prov read-config ./config.json ./firmware.rom
./cbnt-prov read-config ./config.json ./firmware.rom
```
III Export KM, BPM and ACM from CBnT enabled firmware image
------------------------------------------------
1. Export of KM
```bash
./bg-prov export-km ./firmware.rom ./KM/km_export.bin
./cbnt-prov export-km ./firmware.rom ./KM/km_export.bin
```
2. Export BPM
```bash
./bg-prov export-km ./firmware.rom ./BPM/bpm_export.bin
./cbnt-prov export-km ./firmware.rom ./BPM/bpm_export.bin
```
3. Export ACM
```bash
./bg-prov export-acm ./firmware.rom ./ACM/acm_export.bin
./cbnt-prov export-acm ./firmware.rom ./ACM/acm_export.bin
```
IV. Show details of exported KM, BPM, ACM
--------------------------------------
1. Show details of KM
```bash
./bg-prov show-km ./KM/km_signed.bin
./cbnt-prov show-km ./KM/km_signed.bin
```
2. Show details of BPM
```bash
./bg-prov show-bpm ./BPM/bpm_signed.bin
./cbnt-prov show-bpm ./BPM/bpm_signed.bin
```
3. Show details of ACM
```bash
./bg-prov show-acm ./ACM/acm_signed.bin
./cbnt-prov show-acm ./ACM/acm_signed.bin
```
4. Show all
```bash
./bg-prov show-all ./firmware.rom
./cbnt-prov show-all ./firmware.rom
```


@ -16,7 +16,7 @@ import (
"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest"
"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/bootpolicy"
"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/key"
"github.com/9elements/converged-security-suite/v2/pkg/provisioning/bg"
"github.com/9elements/converged-security-suite/v2/pkg/provisioning/cbnt"
"github.com/9elements/converged-security-suite/v2/pkg/tools"
)
@ -29,7 +29,7 @@ type versionCmd struct {
type templateCmd struct {
Path string `arg required name:"path" help:"Path to the newly generated JSON configuration file." type:"path"`
//BootGuard Manifest Header args
//CBnT Manifest Header args
Revision uint8 `flag optional name:"revision" help:"Platform Manufacturers BPM revision number."`
SVN manifest.SVN `flag optional name:"svn" help:"Boot Policy Manifest Security Version Number"`
ACMSVN manifest.SVN `flag optional name:"acmsvn" help:"Authorized ACM Security Version Number"`
@ -109,7 +109,7 @@ type generateBPMCmd struct {
BPM string `arg required name:"bpm" help:"Path to the newly generated Boot Policy Manifest binary file." type:"path"`
BIOS string `arg required name:"bios" help:"Path to the full BIOS binary file." type:"path"`
Config string `flag optional name:"config" help:"Path to the JSON config file." type:"path"`
//BootGuard Manifest Header args
//CBnT Manifest Header args
Revision uint8 `flag optional name:"revision" help:"Platform Manufacturers BPM revision number."`
SVN manifest.SVN `flag optional name:"svn" help:"Boot Policy Manifest Security Version Number"`
ACMSVN manifest.SVN `flag optional name:"acmsvn" help:"Authorized ACM Security Version Number"`
@ -199,7 +199,7 @@ func (kmp *kmPrintCmd) Run(ctx *context) error {
return err
}
reader := bytes.NewReader(data)
km, err := bg.ParseKM(reader)
km, err := cbnt.ParseKM(reader)
if err != nil {
return err
}
@ -218,7 +218,7 @@ func (bpmp *bpmPrintCmd) Run(ctx *context) error {
return err
}
reader := bytes.NewReader(data)
bpm, err := bg.ParseBPM(reader)
bpm, err := cbnt.ParseBPM(reader)
if err != nil {
return err
}
@ -255,11 +255,11 @@ func (biosp *biosPrintCmd) Run(ctx *context) error {
if err != nil {
return err
}
err = bg.PrintFIT(data)
err = cbnt.PrintFIT(data)
if err != nil {
return err
}
err = bg.PrintBootGuardStructures(data)
err = cbnt.PrintCBnTStructures(data)
if err != nil {
return err
}
@ -275,7 +275,7 @@ func (acme *acmExportCmd) Run(ctx *context) error {
if err != nil {
return err
}
err = bg.WriteBootGuardStructures(data, nil, nil, acmfile)
err = cbnt.WriteCBnTStructures(data, nil, nil, acmfile)
if err != nil {
return err
}
@ -291,7 +291,7 @@ func (kme *kmExportCmd) Run(ctx *context) error {
if err != nil {
return err
}
err = bg.WriteBootGuardStructures(data, nil, kmfile, nil)
err = cbnt.WriteCBnTStructures(data, nil, kmfile, nil)
if err != nil {
return err
}
@ -307,7 +307,7 @@ func (bpme *bpmExportCmd) Run(ctx *context) error {
if err != nil {
return err
}
err = bg.WriteBootGuardStructures(data, bpmfile, nil, nil)
err = cbnt.WriteCBnTStructures(data, bpmfile, nil, nil)
if err != nil {
return err
}
@ -315,15 +315,15 @@ func (bpme *bpmExportCmd) Run(ctx *context) error {
}
func (g *generateKMCmd) Run(ctx *context) error {
var options *bg.BootGuardOptions
var options *cbnt.Options
if g.Config != "" {
bgo, err := bg.ParseConfig(g.Config)
cbnto, err := cbnt.ParseConfig(g.Config)
if err != nil {
return err
}
options = bgo
options = cbnto
} else {
var bgo bg.BootGuardOptions
var cbnto cbnt.Options
tmpKM := key.NewManifest()
tmpKM.Revision = g.Revision
tmpKM.KMSVN = g.SVN
@ -332,17 +332,17 @@ func (g *generateKMCmd) Run(ctx *context) error {
tmpKM.Hash = g.KMHashes
// Create KM_Hash for BPM pub signing key
if g.BpmPubkey != "" {
kh, err := bg.GetBPMPubHash(g.BpmPubkey, g.BpmHashAlg)
kh, err := cbnt.GetBPMPubHash(g.BpmPubkey, g.BpmHashAlg)
if err != nil {
return err
}
tmpKM.Hash = kh
}
bgo.KeyManifest = *tmpKM
options = &bgo
cbnto.KeyManifest = tmpKM
options = &cbnto
}
key, err := bg.ReadPubKey(g.Key)
key, err := cbnt.ReadPubKey(g.Key)
if err != nil {
return err
}
@ -357,7 +357,7 @@ func (g *generateKMCmd) Run(ctx *context) error {
}
}
}
bKM, err := bg.WriteKM(&options.KeyManifest)
bKM, err := cbnt.WriteKM(options.KeyManifest)
if err != nil {
return err
}
@ -366,7 +366,7 @@ func (g *generateKMCmd) Run(ctx *context) error {
if err != nil {
return err
}
if err := bg.WriteConfig(out, options); err != nil {
if err := cbnt.WriteConfig(out, options); err != nil {
return err
}
}
@ -382,19 +382,19 @@ func (g *generateKMCmd) Run(ctx *context) error {
}
func (g *generateBPMCmd) Run(ctx *context) error {
var options *bg.BootGuardOptions
var options *cbnt.Options
if g.Config != "" {
bgo, err := bg.ParseConfig(g.Config)
cbnto, err := cbnt.ParseConfig(g.Config)
if err != nil {
return err
}
options = bgo
options = cbnto
} else {
var bgo bg.BootGuardOptions
bgo.BootPolicyManifest.BPMH.BPMRevision = g.Revision
bgo.BootPolicyManifest.BPMH.BPMSVN = g.SVN
bgo.BootPolicyManifest.BPMH.ACMSVNAuth = g.ACMSVN
bgo.BootPolicyManifest.BPMH.NEMDataStack = g.NEMS
var cbnto cbnt.Options
cbnto.BootPolicyManifest.BPMH.BPMRevision = g.Revision
cbnto.BootPolicyManifest.BPMH.BPMSVN = g.SVN
cbnto.BootPolicyManifest.BPMH.ACMSVNAuth = g.ACMSVN
cbnto.BootPolicyManifest.BPMH.NEMDataStack = g.NEMS
se := bootpolicy.NewSE()
se.PBETValue = g.PBET
@ -419,7 +419,7 @@ func (g *generateBPMCmd) Run(ctx *context) error {
seg.Flags = g.IbbSegFlag
se.IBBSegments = append(se.IBBSegments, seg)
bgo.BootPolicyManifest.SE = append(bgo.BootPolicyManifest.SE, *se)
cbnto.BootPolicyManifest.SE = append(cbnto.BootPolicyManifest.SE, *se)
txt := bootpolicy.NewTXT()
txt.SInitMinSVNAuth = g.SintMin
@ -430,12 +430,12 @@ func (g *generateBPMCmd) Run(ctx *context) error {
txt.PTTCMOSOffset0 = g.CMOSOff0
txt.PTTCMOSOffset1 = g.CMOSOff1
bgo.BootPolicyManifest.TXTE = txt
cbnto.BootPolicyManifest.TXTE = txt
options = &bgo
options = &cbnto
}
bpm, err := bg.GenerateBPM(options, g.BIOS)
bpm, err := cbnt.GenerateBPM(options, g.BIOS)
if err != nil {
return err
}
@ -449,11 +449,11 @@ func (g *generateBPMCmd) Run(ctx *context) error {
if err != nil {
return err
}
if err := bg.WriteConfig(out, options); err != nil {
if err := cbnt.WriteConfig(out, options); err != nil {
return err
}
}
bBPM, err := bg.WriteBPM(bpm)
bBPM, err := cbnt.WriteBPM(bpm)
if err != nil {
return err
}
@ -471,7 +471,7 @@ func (s *signKMCmd) Run(ctx *context) error {
if err != nil {
return err
}
privkey, err := bg.DecryptPrivKey(encKey, s.Password)
privkey, err := cbnt.DecryptPrivKey(encKey, s.Password)
if err != nil {
return err
}
@ -490,7 +490,7 @@ func (s *signKMCmd) Run(ctx *context) error {
if err = km.SetSignature(0, privkey.(crypto.Signer), unsignedKM); err != nil {
return err
}
bKMSigned, err := bg.WriteKM(&km)
bKMSigned, err := cbnt.WriteKM(&km)
if err != nil {
return err
}
@ -505,7 +505,7 @@ func (s *signBPMCmd) Run(ctx *context) error {
if err != nil {
return err
}
key, err := bg.DecryptPrivKey(encKey, s.Password)
key, err := cbnt.DecryptPrivKey(encKey, s.Password)
if err != nil {
return err
}
@ -529,7 +529,7 @@ func (s *signBPMCmd) Run(ctx *context) error {
return fmt.Errorf("Invalid key type")
}
bpm.PMSE = *kAs
bpmRaw, err = bg.WriteBPM(&bpm)
bpmRaw, err = cbnt.WriteBPM(&bpm)
if err != nil {
return err
}
@ -540,7 +540,7 @@ func (s *signBPMCmd) Run(ctx *context) error {
if err != nil {
return fmt.Errorf("unable to make a signature: %w", err)
}
bBPMSigned, err := bg.WriteBPM(&bpm)
bBPMSigned, err := cbnt.WriteBPM(&bpm)
if err != nil {
return err
}
@ -551,14 +551,14 @@ func (s *signBPMCmd) Run(ctx *context) error {
}
func (t *templateCmd) Run(ctx *context) error {
var bgo bg.BootGuardOptions
km := *key.NewManifest()
bpm := *bootpolicy.NewManifest()
var cbnto cbnt.Options
cbnto.BootPolicyManifest = bootpolicy.NewManifest()
cbnto.KeyManifest = key.NewManifest()
bpm.BPMRevision = t.Revision
bpm.BPMSVN = t.SVN
bpm.ACMSVNAuth = t.ACMSVN
bpm.NEMDataStack = t.NEMS
cbnto.BootPolicyManifest.BPMH.BPMRevision = t.Revision
cbnto.BootPolicyManifest.BPMH.BPMSVN = t.SVN
cbnto.BootPolicyManifest.BPMH.ACMSVNAuth = t.ACMSVN
cbnto.BootPolicyManifest.BPMH.NEMDataStack = t.NEMS
se := bootpolicy.NewSE()
se.PBETValue = t.PBET
@ -577,7 +577,7 @@ func (t *templateCmd) Run(ctx *context) error {
seg.Flags = t.IbbSegFlag
se.IBBSegments = append(se.IBBSegments, seg)
bpm.SE = append(bpm.SE, *se)
cbnto.BootPolicyManifest.SE = append(cbnto.BootPolicyManifest.SE, *se)
txt := bootpolicy.NewTXT()
txt.SInitMinSVNAuth = t.SintMin
@ -588,16 +588,13 @@ func (t *templateCmd) Run(ctx *context) error {
txt.PTTCMOSOffset0 = t.CMOSOff0
txt.PTTCMOSOffset1 = t.CMOSOff1
bpm.TXTE = txt
bgo.BootPolicyManifest = bpm
bgo.KeyManifest = km
cbnto.BootPolicyManifest.TXTE = txt
out, err := os.Create(t.Path)
if err != nil {
return err
}
if err := bg.WriteConfig(out, &bgo); err != nil {
if err := cbnt.WriteConfig(out, &cbnto); err != nil {
return err
}
return nil
@ -608,7 +605,7 @@ func (rc *readConfigCmd) Run(ctx *context) error {
if err != nil {
return err
}
_, err = bg.ReadConfigFromBIOSImage(rc.BIOS, f)
_, err = cbnt.ReadConfigFromBIOSImage(rc.BIOS, f)
if err != nil {
return err
}
@ -624,7 +621,7 @@ func (s *stitchingKMCmd) Run(ctx *context) error {
if err != nil {
return err
}
pub, err := bg.ReadPubKey(s.PubKey)
pub, err := cbnt.ReadPubKey(s.PubKey)
if err != nil {
return err
}
@ -632,11 +629,11 @@ func (s *stitchingKMCmd) Run(ctx *context) error {
return fmt.Errorf("loaded files are empty")
}
reader := bytes.NewReader(kmData)
km, err := bg.ParseKM(reader)
km, err := cbnt.ParseKM(reader)
if err != nil {
return err
}
kmRaw, err := bg.StitchKM(km, pub, sig)
kmRaw, err := cbnt.StitchKM(km, pub, sig)
if err != nil {
return err
}
@ -655,7 +652,7 @@ func (s *stitchingBPMCmd) Run(ctx *context) error {
if err != nil {
return err
}
pub, err := bg.ReadPubKey(s.PubKey)
pub, err := cbnt.ReadPubKey(s.PubKey)
if err != nil {
return err
}
@ -663,11 +660,11 @@ func (s *stitchingBPMCmd) Run(ctx *context) error {
return fmt.Errorf("loaded files are empty")
}
reader := bytes.NewReader(bpmData)
bpm, err := bg.ParseBPM(reader)
bpm, err := cbnt.ParseBPM(reader)
if err != nil {
return err
}
bpmRaw, err := bg.StitchBPM(bpm, pub, sig)
bpmRaw, err := cbnt.StitchBPM(bpm, pub, sig)
if err != nil {
return err
}
@ -703,7 +700,7 @@ func (s *stitchingCmd) Run(ctx *context) error {
if len(acm) == 0 && len(km) == 0 && len(bpm) == 0 && len(me) == 0 {
return fmt.Errorf("at least one optional parameter required")
}
if err := bg.StitchFITEntries(s.BIOS, acm, bpm, km); err != nil {
if err := cbnt.StitchFITEntries(s.BIOS, acm, bpm, km); err != nil {
return err
}
if len(me) != 0 {
@ -751,22 +748,22 @@ func (k *keygenCmd) Run(ctx *context) error {
switch k.Algo {
case "RSA2048":
err := bg.GenRSAKey(2048, k.Password, kmPubFile, kmPrivFile, bpmPubFile, bpmPrivFile)
err := cbnt.GenRSAKey(2048, k.Password, kmPubFile, kmPrivFile, bpmPubFile, bpmPrivFile)
if err != nil {
return err
}
case "RSA3072":
err := bg.GenRSAKey(3072, k.Password, kmPubFile, kmPrivFile, bpmPubFile, bpmPrivFile)
err := cbnt.GenRSAKey(3072, k.Password, kmPubFile, kmPrivFile, bpmPubFile, bpmPrivFile)
if err != nil {
return err
}
case "ECC224":
err := bg.GenECCKey(224, k.Password, kmPubFile, kmPrivFile, bpmPubFile, bpmPrivFile)
err := cbnt.GenECCKey(224, k.Password, kmPubFile, kmPrivFile, bpmPubFile, bpmPrivFile)
if err != nil {
return err
}
case "ECC256":
err := bg.GenECCKey(256, k.Password, kmPubFile, kmPrivFile, bpmPubFile, bpmPrivFile)
err := cbnt.GenECCKey(256, k.Password, kmPubFile, kmPrivFile, bpmPubFile, bpmPrivFile)
if err != nil {
return err
}
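Review bot: The no-config branch of generateBPMCmd.Run now dereferences a nil pointer: in the `@ -382,19 +382,19 @@` hunk, `var cbnto cbnt.Options` leaves `cbnto.BootPolicyManifest` nil because Options holds `*bootpolicy.Manifest` after this change, so the very next line `cbnto.BootPolicyManifest.BPMH.BPMRevision = g.Revision` panics at runtime whenever `--config` is not given. templateCmd.Run in the same file allocates the manifest before touching it, and this branch should do the same by adding `cbnto.BootPolicyManifest = bootpolicy.NewManifest()` immediately after `var cbnto cbnt.Options`. generateBPMCmd.Run's body continues past the end of that hunk, so the later `cbnto.BootPolicyManifest.SE = append(...)` and `.TXTE = txt` writes hit the same nil pointer.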


@ -1,4 +1,4 @@
package bg
package cbnt
import (
"bytes"
@ -34,34 +34,34 @@ type KeyHash struct {
Algorithm manifest.Algorithm `json:"algorithm"` //
}
// BootGuardOptions presents all available options for BootGuard configuarion file.
type BootGuardOptions struct {
BootPolicyManifest bootpolicy.Manifest
KeyManifest key.Manifest
// Options presents all available options for CBnT configuarion file.
type Options struct {
BootPolicyManifest *bootpolicy.Manifest
KeyManifest *key.Manifest
}
// ParseConfig parses a boot guard option json file
func ParseConfig(filepath string) (*BootGuardOptions, error) {
var bgo BootGuardOptions
func ParseConfig(filepath string) (*Options, error) {
var cbnto Options
data, err := ioutil.ReadFile(filepath)
if err != nil {
return nil, err
}
if err = json.Unmarshal(data, &bgo); err != nil {
if err = json.Unmarshal(data, &cbnto); err != nil {
return nil, err
}
return &bgo, nil
return &cbnto, nil
}
func setBPMHeader(bgo *BootGuardOptions, bpm *bootpolicy.Manifest) (*bootpolicy.BPMH, error) {
func setBPMHeader(cbnto *Options, bpm *bootpolicy.Manifest) (*bootpolicy.BPMH, error) {
header := bootpolicy.NewBPMH()
if err := defaults.Set(header); err != nil {
return nil, err
}
header.BPMRevision = bgo.BootPolicyManifest.BPMRevision
header.BPMSVN = manifest.SVN(bgo.BootPolicyManifest.BPMH.BPMSVN)
header.ACMSVNAuth = manifest.SVN(bgo.BootPolicyManifest.BPMH.ACMSVNAuth)
header.NEMDataStack = bootpolicy.Size4K(bgo.BootPolicyManifest.BPMH.NEMDataStack)
header.BPMRevision = cbnto.BootPolicyManifest.BPMRevision
header.BPMSVN = manifest.SVN(cbnto.BootPolicyManifest.BPMH.BPMSVN)
header.ACMSVNAuth = manifest.SVN(cbnto.BootPolicyManifest.BPMH.ACMSVNAuth)
header.NEMDataStack = bootpolicy.Size4K(cbnto.BootPolicyManifest.BPMH.NEMDataStack)
header.KeySignatureOffset = uint16(bpm.PMSEOffset() + bpm.PMSE.KeySignatureOffset())
return header, nil
@ -169,85 +169,85 @@ func getIBBsDigest(ibbs []bootpolicy.IBBSegment, image []byte, algo manifest.Alg
return hash, nil
}
func setIBBSegment(bgo *BootGuardOptions, image []byte) (*bootpolicy.SE, error) {
for iterator, item := range bgo.BootPolicyManifest.SE[0].DigestList.List {
d, err := getIBBsDigest(bgo.BootPolicyManifest.SE[0].IBBSegments, image, item.HashAlg)
func setIBBSegment(cbnto *Options, image []byte) (*bootpolicy.SE, error) {
for iterator, item := range cbnto.BootPolicyManifest.SE[0].DigestList.List {
d, err := getIBBsDigest(cbnto.BootPolicyManifest.SE[0].IBBSegments, image, item.HashAlg)
if err != nil {
return nil, err
}
bgo.BootPolicyManifest.SE[0].DigestList.List[iterator].HashBuffer = make([]byte, len(d))
copy(bgo.BootPolicyManifest.SE[0].DigestList.List[iterator].HashBuffer, d)
cbnto.BootPolicyManifest.SE[0].DigestList.List[iterator].HashBuffer = make([]byte, len(d))
copy(cbnto.BootPolicyManifest.SE[0].DigestList.List[iterator].HashBuffer, d)
}
return &bgo.BootPolicyManifest.SE[0], nil
return &cbnto.BootPolicyManifest.SE[0], nil
}
func setTXTElement(bgo *BootGuardOptions) (*bootpolicy.TXT, error) {
func setTXTElement(cbnto *Options) (*bootpolicy.TXT, error) {
txte := bootpolicy.NewTXT()
txte = bgo.BootPolicyManifest.TXTE
txte = cbnto.BootPolicyManifest.TXTE
return txte, nil
}
func setPCDElement(bgo *BootGuardOptions) (*bootpolicy.PCD, error) {
func setPCDElement(cbnto *Options) (*bootpolicy.PCD, error) {
pcde := bootpolicy.NewPCD()
if bgo.BootPolicyManifest.PCDE == nil {
if cbnto.BootPolicyManifest.PCDE == nil {
return nil, nil
}
pcde.Data = bgo.BootPolicyManifest.PCDE.Data
pcde.Data = cbnto.BootPolicyManifest.PCDE.Data
return pcde, nil
}
func setPMElement(bgo *BootGuardOptions) (*bootpolicy.PM, error) {
func setPMElement(cbnto *Options) (*bootpolicy.PM, error) {
pme := bootpolicy.NewPM()
if bgo.BootPolicyManifest.PME == nil {
if cbnto.BootPolicyManifest.PME == nil {
return nil, nil
}
pme.Data = bgo.BootPolicyManifest.PME.Data
pme.Data = cbnto.BootPolicyManifest.PME.Data
return pme, nil
}
func setPMSElement(bgo *BootGuardOptions, bpm *bootpolicy.Manifest) (*bootpolicy.Signature, error) {
func setPMSElement(cbnto *Options, bpm *bootpolicy.Manifest) (*bootpolicy.Signature, error) {
psme := bootpolicy.NewSignature()
return psme, nil
}
// SetKM takes BootGuardOptiones struct and initializes a new KM with the given configuration.
func SetKM(bgo *BootGuardOptions) (*key.Manifest, error) {
// SetKM takes Options struct and initializes a new KM with the given configuration.
func SetKM(cbnto *Options) (*key.Manifest, error) {
km := key.NewManifest()
km = &bgo.KeyManifest
km = cbnto.KeyManifest
return km, nil
}
// GenerateBPM generates a Boot Policy Manifest with the given config and firmware image
func GenerateBPM(bgo *BootGuardOptions, biosFilepath string) (*bootpolicy.Manifest, error) {
func GenerateBPM(cbnto *Options, biosFilepath string) (*bootpolicy.Manifest, error) {
bpm := bootpolicy.NewManifest()
data, err := ioutil.ReadFile(biosFilepath)
if err != nil {
return nil, err
}
se, err := setIBBSegment(bgo, data)
se, err := setIBBSegment(cbnto, data)
if err != nil {
return nil, err
}
bpm.SE = append(bpm.SE, *se)
bpm.TXTE, err = setTXTElement(bgo)
bpm.TXTE, err = setTXTElement(cbnto)
if err != nil {
return nil, err
}
bpm.PCDE, err = setPCDElement(bgo)
bpm.PCDE, err = setPCDElement(cbnto)
if err != nil {
return nil, err
}
bpm.PME, err = setPMElement(bgo)
bpm.PME, err = setPMElement(cbnto)
if err != nil {
return nil, err
}
bpmh, err := setBPMHeader(bgo, bpm)
bpmh, err := setBPMHeader(cbnto, bpm)
if err != nil {
return nil, err
}
bpm.BPMH = *bpmh
pmse, err := setPMSElement(bgo, bpm)
pmse, err := setPMSElement(cbnto, bpm)
if err != nil {
return nil, err
}
@ -256,9 +256,9 @@ func GenerateBPM(bgo *BootGuardOptions, biosFilepath string) (*bootpolicy.Manife
return bpm, nil
}
// WriteConfig writes a BootGuard config file to the given path with given options.
func WriteConfig(f *os.File, bgo *BootGuardOptions) error {
cfg, err := json.Marshal(bgo)
// WriteConfig writes a CBnT config file to the given path with given options.
func WriteConfig(f *os.File, cbnto *Options) error {
cfg, err := json.Marshal(cbnto)
if err != nil {
return err
}
@ -271,8 +271,8 @@ func WriteConfig(f *os.File, bgo *BootGuardOptions) error {
// ReadConfigFromBIOSImage reads boot guard options, boot policy manifest and key manifest from a given firmware image
// and writes that to a given file in json format
func ReadConfigFromBIOSImage(biosFilepath string, configFilepath *os.File) (*BootGuardOptions, error) {
var bgo BootGuardOptions
func ReadConfigFromBIOSImage(biosFilepath string, configFilepath *os.File) (*Options, error) {
var cbnto Options
var bpm *bootpolicy.Manifest
var km *key.Manifest
bios, err := ioutil.ReadFile(biosFilepath)
@ -296,11 +296,11 @@ func ReadConfigFromBIOSImage(biosFilepath string, configFilepath *os.File) (*Boo
/* Boot Policy Manifest */
// BPMH
bgo.BootPolicyManifest = *bpm
cbnto.BootPolicyManifest = bpm
/* Key Manifest */
bgo.KeyManifest = *km
data, err := json.Marshal(bgo)
cbnto.KeyManifest = km
data, err := json.Marshal(cbnto)
if err != nil {
return nil, err
}
@ -308,7 +308,7 @@ func ReadConfigFromBIOSImage(biosFilepath string, configFilepath *os.File) (*Boo
if _, err = configFilepath.Write(json); err != nil {
return nil, err
}
return &bgo, nil
return &cbnto, nil
}
// GetBPMPubHash takes the path to public BPM signing key and hash algorithm
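Review bot: Switching Options.BootPolicyManifest and Options.KeyManifest to pointers changes what ParseConfig hands back for a JSON file that omits either key: json.Unmarshal leaves that pointer nil, and setBPMHeader (`cbnto.BootPolicyManifest.BPMRevision`), setIBBSegment and SetKM then dereference or return it, whereas the old value fields quietly defaulted to a zero manifest. ParseConfig should reject such a file right after the Unmarshal error check, e.g. `if cbnto.BootPolicyManifest == nil || cbnto.KeyManifest == nil { return nil, fmt.Errorf("config %s: BootPolicyManifest and KeyManifest are both required", filepath) }` (the file's import block is outside the hunk; use whichever of fmt or errors it already imports). Whether ReadConfigFromBIOSImage needs the same guard depends on whether ParseFITEntries can return a nil bpm or km, which this page does not show.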

View File

@ -1,4 +1,4 @@
package bg
package cbnt
import "testing"
@ -14,7 +14,7 @@ func TestSetBPMHeaderValid(T *testing.T) {
}
func TestSetBPMHeaderInvalidBadBGO(T *testing.T) {
func TestSetBPMHeaderInvalidBadCBnTO(T *testing.T) {
}
@ -26,7 +26,7 @@ func TestSetIBBSegmentValid(T *testing.T) {
}
func TestSetIBBSegmentInvalidBGO(T *testing.T) {
func TestSetIBBSegmentInvalidCBnTO(T *testing.T) {
}
@ -38,7 +38,7 @@ func TestTXTElementValid(T *testing.T) {
}
func TestTXTElementInvalidBadBGO(T *testing.T) {
func TestTXTElementInvalidBadCBnTO(T *testing.T) {
}
@ -46,7 +46,7 @@ func TestSetPCDElementValid(T *testing.T) {
}
func TestSetPCDElementInvalidBGO(T *testing.T) {
func TestSetPCDElementInvalidCBnTO(T *testing.T) {
}
@ -54,6 +54,6 @@ func TestPMElementValid(T *testing.T) {
}
func TestPMElementInvalidBGO(T *testing.T) {
func TestPMElementInvalidCBnTO(T *testing.T) {
}


@ -1,4 +1,4 @@
package bg
package cbnt
const (
keySignatureElementMaxSize = 3072 // how this value was calculated?


@ -1,4 +1,4 @@
package bg
package cbnt
import (
"crypto"


@ -1,4 +1,4 @@
package bg
package cbnt
import (
"bytes"


@ -1,4 +1,4 @@
package bg
package cbnt
// CMOSIoAddress holds information about the location of on-demand power down requests in CMOS.
// The structure is a substructure used in PowerDownRequest structure.


@ -1,4 +1,4 @@
package bg
package cbnt
import (
"bytes"
@ -18,8 +18,8 @@ import (
"github.com/9elements/converged-security-suite/v2/pkg/tools"
)
// WriteBootGuardStructures takes a firmware image and extracts boot policy manifest, key manifest and acm into seperate files.
func WriteBootGuardStructures(image []byte, bpmFile, kmFile, acmFile *os.File) error {
// WriteCBnTStructures takes a firmware image and extracts boot policy manifest, key manifest and acm into seperate files.
func WriteCBnTStructures(image []byte, bpmFile, kmFile, acmFile *os.File) error {
bpm, km, acm, err := ParseFITEntries(image)
if err != nil {
return err
@ -42,8 +42,8 @@ func WriteBootGuardStructures(image []byte, bpmFile, kmFile, acmFile *os.File) e
return nil
}
// PrintBootGuardStructures takes a firmware image and prints boot policy manifest, key manifest, ACM, chipset, processor and tpm information if available.
func PrintBootGuardStructures(image []byte) error {
// PrintCBnTStructures takes a firmware image and prints boot policy manifest, key manifest, ACM, chipset, processor and tpm information if available.
func PrintCBnTStructures(image []byte) error {
var acm *tools.ACM
var chipsets *tools.Chipsets
var processors *tools.Processors


@ -1,4 +1,4 @@
package bg
package cbnt
import (
"errors"