diff --git a/.goreleaser.yml b/.goreleaser.yml index 6d6dba0..b9f29fa 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -20,7 +20,7 @@ builds: - 7 main: "." hooks: - post: upx --best --ultra-brute tpmtool + post: upx --best --ultra-brute tpmtool_{{.Env.GOVERSION}}_linux* nfpm: vendor: Facebook Inc. homepage: www.tpmtool.org diff --git a/Gopkg.lock b/Gopkg.lock index 4424839..0c8438e 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -41,7 +41,7 @@ branch = "master" name = "github.com/google/go-tpm" packages = ["tpm","tpmutil"] - revision = "180f7885cb387ab49323fbef6e042890f6e7d4fc" + revision = "e965e8a65d24d3bb2e9daaf23686b645e0bf76fe" [[projects]] branch = "master" @@ -71,7 +71,7 @@ branch = "master" name = "github.com/systemboot/systemboot" packages = ["pkg/storage","pkg/tpm"] - revision = "0b3658ee78ad6407a4a153e8526776f028b98dd4" + revision = "a642c9c31e0b58c1bc22fa204cd3cc5008447927" [[projects]] name = "gopkg.in/alecthomas/kingpin.v2" @@ -88,6 +88,6 @@ [solve-meta] analyzer-name = "dep" analyzer-version = 1 - inputs-digest = "0d79601bd7b584d638b52c1f799ac875e4860584a3eade2f9f65fbaf14018eb4" + inputs-digest = "66098ff1daba504c2a19897ce0cedb6a326f8a248f47e6e28e7173a76c41780c" solver-name = "gps-cdcl" solver-version = 1 diff --git a/vendor/github.com/google/go-tpm/examples/tpm2-ekcert/main.go b/vendor/github.com/google/go-tpm/examples/tpm2-ekcert/main.go index 53f27fd..bc9c14f 100644 --- a/vendor/github.com/google/go-tpm/examples/tpm2-ekcert/main.go +++ b/vendor/github.com/google/go-tpm/examples/tpm2-ekcert/main.go @@ -2,11 +2,14 @@ package main import ( + "crypto" "crypto/x509" + "errors" "flag" "fmt" "io/ioutil" "os" + "reflect" "github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpmutil" @@ -17,13 +20,41 @@ var ( // Default value is defined in section 7.8, "NV Memory" of the latest version pdf on: // https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/ certIndex = flag.Uint("cert-index", 0x01C00002, "NVRAM index of the certificate file") + tmplIndex = flag.Uint("template-index", 0, "NVRAM index of the EK template; if zero, default RSA EK template is used") outPath = flag.String("output", "", "File path for output; leave blank to write to stdout") + + // Default EK template defined in: + // https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf + defaultEKTemplate = tpm2.Public{ + Type: tpm2.AlgRSA, + NameAlg: tpm2.AlgSHA256, + Attributes: tpm2.FlagFixedTPM | tpm2.FlagFixedParent | tpm2.FlagSensitiveDataOrigin | + tpm2.FlagAdminWithPolicy | tpm2.FlagRestricted | tpm2.FlagDecrypt, + AuthPolicy: []byte{ + 0x83, 0x71, 0x97, 0x67, 0x44, 0x84, + 0xB3, 0xF8, 0x1A, 0x90, 0xCC, 0x8D, + 0x46, 0xA5, 0xD7, 0x24, 0xFD, 0x52, + 0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64, + 0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14, + 0x69, 0xAA, + }, + RSAParameters: &tpm2.RSAParams{ + Symmetric: &tpm2.SymScheme{ + Alg: tpm2.AlgAES, + KeyBits: 128, + Mode: tpm2.AlgCFB, + }, + KeyBits: 2048, + Exponent: 0, + ModulusRaw: make([]byte, 256), + }, + } ) func main() { flag.Parse() - cert, err := readEKCert(*tpmPath, uint32(*certIndex)) + cert, err := readEKCert(*tpmPath, uint32(*certIndex), uint32(*tmplIndex)) if err != nil { fmt.Fprintln(os.Stderr, err) os.Exit(1) @@ -38,19 +69,45 @@ func main() { } } -func readEKCert(path string, idx uint32) ([]byte, error) { +func readEKCert(path string, certIdx, tmplIdx uint32) ([]byte, error) { rwc, err := tpm2.OpenTPM(path) if err != nil { return nil, fmt.Errorf("can't open TPM at %q: %v", path, err) } defer rwc.Close() - ekCert, err := tpm2.NVRead(rwc, tpmutil.Handle(idx)) + ekCert, err := tpm2.NVRead(rwc, tpmutil.Handle(certIdx)) if err != nil { return nil, fmt.Errorf("reading EK cert: %v", err) } // Sanity-check that this is a valid certificate. - if _, err := x509.ParseCertificate(ekCert); err != nil { + cert, err := x509.ParseCertificate(ekCert) + if err != nil { return nil, fmt.Errorf("parsing EK cert: %v", err) } + + // Initialize EK and compare public key to ekCert.PublicKey. + var ekh tpmutil.Handle + var ekPub crypto.PublicKey + if tmplIdx != 0 { + ekTemplate, err := tpm2.NVRead(rwc, tpmutil.Handle(tmplIdx)) + if err != nil { + return nil, fmt.Errorf("reading EK template: %v", err) + } + ekh, ekPub, err = tpm2.CreatePrimaryRawTemplate(rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", ekTemplate) + if err != nil { + return nil, fmt.Errorf("creating EK: %v", err) + } + } else { + ekh, ekPub, err = tpm2.CreatePrimary(rwc, tpm2.HandleEndorsement, tpm2.PCRSelection{}, "", "", defaultEKTemplate) + if err != nil { + return nil, fmt.Errorf("creating EK: %v", err) + } + } + defer tpm2.FlushContext(rwc, ekh) + + if !reflect.DeepEqual(ekPub, cert.PublicKey) { + return nil, errors.New("public key in EK certificate differs from public key created via EK template") + } + return ekCert, nil } diff --git a/vendor/github.com/google/go-tpm/tpm/constants.go b/vendor/github.com/google/go-tpm/tpm/constants.go index 7ffbe80..7dd7704 100644 --- a/vendor/github.com/google/go-tpm/tpm/constants.go +++ b/vendor/github.com/google/go-tpm/tpm/constants.go @@ -158,12 +158,6 @@ const ( authPrivUseOnly byte = 0x03 ) -// maxTPMResponse is the largest possible response from the TPM. We need to know -// this because we don't always know the length of the TPM response, and -// /dev/tpm insists on giving it all back in a single value rather than -// returning a header and a body in separate responses. -const maxTPMResponse = 4096 - // fixedQuote is the fixed constant string used in quoteInfo. var fixedQuote = [4]byte{byte('Q'), byte('U'), byte('O'), byte('T')} diff --git a/vendor/github.com/google/go-tpm/tpm/tpm_linux_test.go b/vendor/github.com/google/go-tpm/tpm/tpm_linux_test.go new file mode 100644 index 0000000..1f5dffc --- /dev/null +++ b/vendor/github.com/google/go-tpm/tpm/tpm_linux_test.go @@ -0,0 +1,36 @@ +// Copyright (c) 2014, Google Inc. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tpm + +import ( + "io" + "os" + "testing" +) + +// Skip the test if we can't open the TPM. +func openTPMOrSkip(t *testing.T) io.ReadWriteCloser { + tpmPath := os.Getenv(tpmPathEnvVar) + if tpmPath == "" { + tpmPath = "/dev/tpm0" + } + + rwc, err := OpenTPM(tpmPath) + if err != nil { + t.Skipf("Skipping test, since we can't open %s for read/write: %s\n", tpmPath, err) + } + + return rwc +} diff --git a/vendor/github.com/google/go-tpm/tpm/tpm_test.go b/vendor/github.com/google/go-tpm/tpm/tpm_test.go index 6f30f36..1184af6 100644 --- a/vendor/github.com/google/go-tpm/tpm/tpm_test.go +++ b/vendor/github.com/google/go-tpm/tpm/tpm_test.go @@ -18,7 +18,6 @@ import ( "bytes" "crypto/rand" "crypto/sha1" - "io" "io/ioutil" "os" "testing" @@ -46,21 +45,6 @@ func getAuth(name string) [20]byte { return auth } -// Skip the test if we can't open the TPM. -func openTPMOrSkip(t *testing.T) io.ReadWriteCloser { - tpmPath := os.Getenv(tpmPathEnvVar) - if tpmPath == "" { - tpmPath = "/dev/tpm0" - } - - rwc, err := OpenTPM(tpmPath) - if err != nil { - t.Skipf("Skipping test, since we can't open %s for read/write: %s\n", tpmPath, err) - } - - return rwc -} - func TestGetKeys(t *testing.T) { rwc := openTPMOrSkip(t) defer rwc.Close() diff --git a/vendor/github.com/google/go-tpm/tpm/tpm_windows_test.go b/vendor/github.com/google/go-tpm/tpm/tpm_windows_test.go new file mode 100644 index 0000000..1f9ec11 --- /dev/null +++ b/vendor/github.com/google/go-tpm/tpm/tpm_windows_test.go @@ -0,0 +1,32 @@ +// Copyright (c) 2018, Google Inc. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tpm + +import ( + "io" + "testing" + + "github.com/google/go-tpm/tpmutil" +) + +// Skip the test if we can't open the TPM. +func openTPMOrSkip(t *testing.T) io.ReadWriteCloser { + rwc, err := OpenTPM(tpmutil.HighPriority) + if err != nil { + t.Skipf("Skipping test, since we can't access the TPM: %s\n", err) + } + + return rwc +} diff --git a/vendor/github.com/google/go-tpm/tpm2/encoding_test.go b/vendor/github.com/google/go-tpm/tpm2/encoding_test.go index 81d4cd2..ee70c32 100644 --- a/vendor/github.com/google/go-tpm/tpm2/encoding_test.go +++ b/vendor/github.com/google/go-tpm/tpm2/encoding_test.go @@ -371,3 +371,39 @@ func TestECCParamsEncodeDecode(t *testing.T) { t.Fatalf("got: %+v\nwant: %+v", got, params) } } + +func TestSignEncode(t *testing.T) { + // The expected output blobs (testCmdBytes) were recorded while successfully running Sign against a real TPM device. + t.Run("AlgNull", func(t *testing.T) { + testCmdBytes, err := hex.DecodeString("800000010000000d40000009000001000401020304000301020300108024400000070000") + if err != nil { + t.Fatal(err) + } + digest := []byte{0x01, 0x02, 0x03} + cmdBytes, err := encodeSign(tpmutil.Handle(0x80000001), defaultPassword, digest, nil) + if err != nil { + t.Fatal(err) + } + if !bytes.Equal(cmdBytes, testCmdBytes) { + t.Fatalf("encoded Sign message did not match golden value. got: %s, want: %s", hex.EncodeToString(cmdBytes), hex.EncodeToString(testCmdBytes)) + } + }) + + t.Run("AlgSHA256", func(t *testing.T) { + testCmdBytes, err := hex.DecodeString("800000010000000d4000000900000100040102030400030102030014000b8024400000070000") + if err != nil { + t.Fatal(err) + } + digest := []byte{0x01, 0x02, 0x03} + cmdBytes, err := encodeSign(tpmutil.Handle(0x80000001), defaultPassword, digest, &SigScheme{ + Alg: AlgRSASSA, + Hash: AlgSHA256, + }) + if err != nil { + t.Fatal(err) + } + if !bytes.Equal(cmdBytes, testCmdBytes) { + t.Fatalf("encoded Sign message did not match golden value. got: %s, want: %s", hex.EncodeToString(cmdBytes), hex.EncodeToString(testCmdBytes)) + } + }) +} diff --git a/vendor/github.com/google/go-tpm/tpm2/structures.go b/vendor/github.com/google/go-tpm/tpm2/structures.go index 7f84118..fc54178 100644 --- a/vendor/github.com/google/go-tpm/tpm2/structures.go +++ b/vendor/github.com/google/go-tpm/tpm2/structures.go @@ -104,13 +104,17 @@ func decodePublic(in *bytes.Buffer) (Public, error) { // RSAParams represents parameters of an RSA key pair. // // Symmetric and Sign may be nil, depending on key Attributes in Public. -// Modulus must always be non-nil. +// +// One of Modulus and ModulusRaw must always be non-nil. Modulus takes +// precedence. ModulusRaw is used for key templates where the field named +// "unique" must be a byte array of all zeroes. type RSAParams struct { - Symmetric *SymScheme - Sign *SigScheme - KeyBits uint16 - Exponent uint32 - Modulus *big.Int + Symmetric *SymScheme + Sign *SigScheme + KeyBits uint16 + Exponent uint32 + ModulusRaw []byte + Modulus *big.Int } func (p *RSAParams) encode() ([]byte, error) { @@ -125,14 +129,27 @@ func (p *RSAParams) encode() ([]byte, error) { if err != nil { return nil, err } - if p.Modulus == nil { - return nil, errors.New("RSAParams.Modulus must be set") + rest, err := tpmutil.Pack(p.KeyBits, p.Exponent) + if err != nil { + return nil, err + } + + if p.Modulus == nil && len(p.ModulusRaw) == 0 { + return nil, errors.New("RSAParams.Modulus or RSAParams.ModulusRaw must be set") + } + if p.Modulus != nil && len(p.ModulusRaw) > 0 { + return nil, errors.New("both RSAParams.Modulus and RSAParams.ModulusRaw can't be set") } - rest, err := tpmutil.Pack(p.KeyBits, p.Exponent, p.Modulus.Bytes()) + mod := p.ModulusRaw + if p.Modulus != nil { + mod = p.Modulus.Bytes() + } + unique, err := tpmutil.Pack(mod) if err != nil { return nil, err } - return concat(sym, sig, rest) + + return concat(sym, sig, rest, unique) } func decodeRSAParams(in *bytes.Buffer) (*RSAParams, error) { diff --git a/vendor/github.com/google/go-tpm/tpm2/tpm2.go b/vendor/github.com/google/go-tpm/tpm2/tpm2.go index fb429f7..e714fd2 100644 --- a/vendor/github.com/google/go-tpm/tpm2/tpm2.go +++ b/vendor/github.com/google/go-tpm/tpm2/tpm2.go @@ -251,7 +251,7 @@ func encodePasswordAuthArea(passwords ...string) ([]byte, error) { } func encodePCREvent(pcr tpmutil.Handle, eventData []byte) ([]byte, error) { - ha, err := tpmutil.Pack(pcr, HandleNull) + ha, err := tpmutil.Pack(pcr) if err != nil { return nil, err } @@ -993,12 +993,16 @@ func encodeSign(key tpmutil.Handle, password string, digest []byte, sigScheme *S if err != nil { return nil, err } + hc, err := tpmutil.Pack(tagHashCheck) + if err != nil { + return nil, err + } params, err := tpmutil.Pack(HandleNull, []byte(nil)) if err != nil { return nil, err } - return concat(ha, auth, d, s, params) + return concat(ha, auth, d, s, hc, params) } func decodeSign(buf []byte) (*Signature, error) { diff --git a/vendor/github.com/google/go-tpm/tpm2/tpm2_linux_test.go b/vendor/github.com/google/go-tpm/tpm2/tpm2_linux_test.go new file mode 100644 index 0000000..3a08a23 --- /dev/null +++ b/vendor/github.com/google/go-tpm/tpm2/tpm2_linux_test.go @@ -0,0 +1,34 @@ +// Copyright (c) 2018, Google Inc. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tpm2 + +import ( + "flag" + "io" + "testing" +) + +var tpmPath = flag.String("tpm_path", "", "Path to TPM character device. Most Linux systems expose it under /dev/tpm0. Empty value (default) will disable all integration tests.") + +func openTPM(t *testing.T) io.ReadWriteCloser { + if *tpmPath == "" { + t.SkipNow() + } + rw, err := OpenTPM(*tpmPath) + if err != nil { + t.Fatalf("Open TPM at %s failed: %s\n", *tpmPath, err) + } + return rw +} diff --git a/vendor/github.com/google/go-tpm/tpm2/tpm2_test.go b/vendor/github.com/google/go-tpm/tpm2/tpm2_test.go index 157ca31..8d22d73 100644 --- a/vendor/github.com/google/go-tpm/tpm2/tpm2_test.go +++ b/vendor/github.com/google/go-tpm/tpm2/tpm2_test.go @@ -23,7 +23,6 @@ import ( "crypto/rsa" "crypto/sha256" "flag" - "io" "math/big" "os" "reflect" @@ -32,24 +31,11 @@ import ( "github.com/google/go-tpm/tpmutil" ) -var tpmPath = flag.String("tpm_path", "", "Path to TPM character device. Most Linux systems expose it under /dev/tpm0. Empty value (default) will disable all integration tests.") - func TestMain(m *testing.M) { flag.Parse() os.Exit(m.Run()) } -func openTPM(t *testing.T) io.ReadWriteCloser { - if *tpmPath == "" { - t.SkipNow() - } - rw, err := OpenTPM(*tpmPath) - if err != nil { - t.Fatalf("OpenTPM failed: %s", err) - } - return rw -} - var ( // PCR7 is for SecureBoot. pcrSelection = PCRSelection{Hash: AlgSHA1, PCRs: []int{7}} @@ -511,7 +497,14 @@ func TestSign(t *testing.T) { digest := sha256.Sum256([]byte("heyo")) - sig, err := Sign(rw, signerHandle, defaultPassword, digest[:], &SigScheme{Alg: AlgRSASSA, Hash: AlgSHA256}) + var scheme *SigScheme + if pub.RSAParameters != nil { + scheme = pub.RSAParameters.Sign + } + if pub.ECCParameters != nil { + scheme = pub.ECCParameters.Sign + } + sig, err := Sign(rw, signerHandle, defaultPassword, digest[:], scheme) if err != nil { t.Fatalf("Sign failed: %s", err) } @@ -558,3 +551,13 @@ func TestSign(t *testing.T) { }) }) } + +func TestPCREvent(t *testing.T) { + rw := openTPM(t) + defer rw.Close() + debugPCR := uint32(16) + arbitraryBytes := []byte{1} + if err := PCREvent(rw, tpmutil.Handle(debugPCR), arbitraryBytes); err != nil { + t.Fatal(err) + } +} diff --git a/vendor/github.com/google/go-tpm/tpm2/tpm2_windows_test.go b/vendor/github.com/google/go-tpm/tpm2/tpm2_windows_test.go new file mode 100644 index 0000000..5dc9e86 --- /dev/null +++ b/vendor/github.com/google/go-tpm/tpm2/tpm2_windows_test.go @@ -0,0 +1,36 @@ +// Copyright (c) 2018, Google Inc. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tpm2 + +import ( + "flag" + "io" + "testing" + + "github.com/google/go-tpm/tpmutil" +) + +var runTPMTests = flag.Bool("run_tpm_tests", false, "Run the Windows TPM integration tests. Defaults to false.") + +func openTPM(t *testing.T) io.ReadWriteCloser { + if *runTPMTests == false { + t.SkipNow() + } + rw, err := OpenTPM(tpmutil.HighPriority) + if err != nil { + t.Fatalf("Open TPM failed: %s\n", err) + } + return rw +} diff --git a/vendor/github.com/google/go-tpm/tpmutil/run.go b/vendor/github.com/google/go-tpm/tpmutil/run.go index 777aad8..381c19a 100644 --- a/vendor/github.com/google/go-tpm/tpmutil/run.go +++ b/vendor/github.com/google/go-tpm/tpmutil/run.go @@ -21,43 +21,13 @@ package tpmutil import ( "errors" - "fmt" "io" - "net" - "os" ) -// OpenTPM opens a channel to the TPM at the given path. If the file is a -// device, then it treats it like a normal TPM device, and if the file is a -// Unix domain socket, then it opens a connection to the socket. -func OpenTPM(path string) (io.ReadWriteCloser, error) { - // If it's a regular file, then open it - var rwc io.ReadWriteCloser - fi, err := os.Stat(path) - if err != nil { - return nil, err - } - - if fi.Mode()&os.ModeDevice != 0 { - var f *os.File - f, err = os.OpenFile(path, os.O_RDWR, 0600) - if err != nil { - return nil, err - } - rwc = io.ReadWriteCloser(f) - } else if fi.Mode()&os.ModeSocket != 0 { - uc, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: path, Net: "unix"}) - if err != nil { - return nil, err - } - rwc = io.ReadWriteCloser(uc) - } else { - return nil, fmt.Errorf("unsupported TPM file mode %s", fi.Mode().String()) - } - - return rwc, nil -} - +// maxTPMResponse is the largest possible response from the TPM. We need to know +// this because we don't always know the length of the TPM response, and +// /dev/tpm insists on giving it all back in a single value rather than +// returning a header and a body in separate responses. const maxTPMResponse = 4096 // RunCommand executes cmd with given tag and arguments. Returns TPM response diff --git a/vendor/github.com/google/go-tpm/tpmutil/run_linux.go b/vendor/github.com/google/go-tpm/tpmutil/run_linux.go new file mode 100644 index 0000000..9056f3f --- /dev/null +++ b/vendor/github.com/google/go-tpm/tpmutil/run_linux.go @@ -0,0 +1,53 @@ +// Copyright (c) 2018, Google Inc. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tpmutil + +import ( + "fmt" + "io" + "net" + "os" +) + +// OpenTPM opens a channel to the TPM at the given path. If the file is a +// device, then it treats it like a normal TPM device, and if the file is a +// Unix domain socket, then it opens a connection to the socket. +func OpenTPM(path string) (io.ReadWriteCloser, error) { + // If it's a regular file, then open it + var rwc io.ReadWriteCloser + fi, err := os.Stat(path) + if err != nil { + return nil, err + } + + if fi.Mode()&os.ModeDevice != 0 { + var f *os.File + f, err = os.OpenFile(path, os.O_RDWR, 0600) + if err != nil { + return nil, err + } + rwc = io.ReadWriteCloser(f) + } else if fi.Mode()&os.ModeSocket != 0 { + uc, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: path, Net: "unix"}) + if err != nil { + return nil, err + } + rwc = io.ReadWriteCloser(uc) + } else { + return nil, fmt.Errorf("unsupported TPM file mode %s", fi.Mode().String()) + } + + return rwc, nil +} diff --git a/vendor/github.com/google/go-tpm/tpmutil/run_windows.go b/vendor/github.com/google/go-tpm/tpmutil/run_windows.go new file mode 100644 index 0000000..a2cd10e --- /dev/null +++ b/vendor/github.com/google/go-tpm/tpmutil/run_windows.go @@ -0,0 +1,180 @@ +// Copyright (c) 2018, Google Inc. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tpmutil + +import ( + "fmt" + "io" + "syscall" + "unsafe" +) + +// Tbs.dll provides an API for making calls to the TPM: +// https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal +var ( + tbsDLL = syscall.NewLazyDLL("Tbs.dll") + tbsCreateContext = tbsDLL.NewProc("Tbsi_Context_Create") + tbsSubmitCommand = tbsDLL.NewProc("Tbsip_Submit_Command") + tbsContextClose = tbsDLL.NewProc("Tbsip_Context_Close") +) + +// tbsContextParams2 specifies the version of TPM and TBS implementation: +// https://docs.microsoft.com/en-us/windows/desktop/api/Tbs/ns-tbs-tdtbs_context_params2 +type tbsContextParams2 struct { + version uint32 + flags uint32 +} + +// tbs.h contains constants used in the TBS library: +// https://github.com/tpn/winsdk-10/blob/master/Include/10.0.10240.0/shared/tbs.h +const ( + tpm2Version uint32 = 2 // value of TPM_VERSION_20 tbs.h constant + bothTPMVersionsFlag uint32 = 6 // value of union struct to include TPM 1.2 and 2.0 (see tbsContextParams2) + tbsCommandLocalityZero uintptr = 0 // value of TBS_COMMAND_LOCALITY_ZERO tbs.h constant +) + +// CommandPriority Parameter Docs: +// https://docs.microsoft.com/en-us/windows/desktop/api/Tbs/nf-tbs-tbsip_submit_command#parameters +type CommandPriority uint32 + +// CommandPriority is used to determine which pending command to submit whenever the TPM is free: +// https://docs.microsoft.com/en-us/windows/desktop/tbs/command-scheduling +const ( + LowPriority CommandPriority = 100 // For low priority application use. + NormalPriority CommandPriority = 200 // For normal priority application use. + HighPriority CommandPriority = 300 // For high priority application use. + SystemPriority CommandPriority = 400 // For system tasks that access the TPM. +) + +// TBS Error Codes: +// https://docs.microsoft.com/en-us/windows/desktop/TBS/tbs-return-codes +var errMap = map[uintptr]string{ + 0x80284001: "An internal software error occurred.", + 0x80284002: "One or more parameter values are not valid.", + 0x80284003: "A specified output pointer is bad.", + 0x80284004: "The specified context handle does not refer to a valid context.", + 0x80284005: "The specified output buffer is too small.", + 0x80284006: "An error occurred while communicating with the TPM.", + 0x80284007: "A context parameter that is not valid was passed when attempting to create a TBS context.", + 0x80284008: "The TBS service is not running and could not be started.", + 0x80284009: "A new context could not be created because there are too many open contexts.", + 0x8028400A: "A new virtual resource could not be created because there are too many open virtual resources.", + 0x8028400B: "The TBS service has been started but is not yet running.", + 0x8028400C: "The physical presence interface is not supported.", + 0x8028400D: "The command was canceled.", + 0x8028400E: "The input or output buffer is too large.", + 0x8028400F: "A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer.", + 0x80284010: "The TBS service has been disabled.", + 0x80284011: "The TBS event log is not available.", + 0x80284012: "The caller does not have the appropriate rights to perform the requested operation.", + 0x80284013: "The TPM provisioning action is not allowed by the specified flags.", + 0x80284014: "The Physical Presence Interface of this firmware does not support the requested method.", + 0x80284015: "The requested TPM OwnerAuth value was not found.", +} + +func tbsError(err uintptr) error { + if err == 0 { + return nil + } + if description, ok := errMap[err]; ok { + return fmt.Errorf("TBS Error %v: %s", err, description) + } + return fmt.Errorf("Unrecognized TBS Error %v", err) +} + +// winTPMBuffer is a ReadWriteCloser to access the TPM in Windows. +type winTPMBuffer struct { + context uintptr + outBuffer []byte + priority CommandPriority +} + +// Executes the TPM command specified by commandBuffer, returning the number of bytes in the command +// and any error code returned by executing the TPM command. Command response can be read by calling +// Read(). +func (rwc *winTPMBuffer) Write(commandBuffer []byte) (int, error) { + // TPM spec defines longest possible response to be maxTPMResponse. + outBufferLen := maxTPMResponse + rwc.outBuffer = rwc.outBuffer[:outBufferLen] + + // TBS_RESULT Tbsip_Submit_Command( + // _In_ TBS_HCONTEXT hContext, + // _In_ TBS_COMMAND_LOCALITY Locality, + // _In_ TBS_COMMAND_PRIORITY Priority, + // _In_ const PCBYTE *pabCommand, + // _In_ UINT32 cbCommand, + // _Out_ PBYTE *pabResult, + // _Inout_ UINT32 *pcbOutput + // ); + errResp, _, _ := tbsSubmitCommand.Call( + rwc.context, + tbsCommandLocalityZero, // Windows currently only supports TBS_COMMAND_LOCALITY_ZERO. + uintptr(rwc.priority), + uintptr(unsafe.Pointer(&(commandBuffer[0]))), + uintptr(len(commandBuffer)), + uintptr(unsafe.Pointer(&(rwc.outBuffer[0]))), + uintptr(unsafe.Pointer(&outBufferLen)), + ) + + if err := tbsError(errResp); err != nil { + rwc.outBuffer = rwc.outBuffer[:0] + return 0, err + } + // Shrink outBuffer so it is length of response. + rwc.outBuffer = rwc.outBuffer[:outBufferLen] + return len(commandBuffer), nil +} + +// Provides TPM response from the command called in the last Write call. +func (rwc *winTPMBuffer) Read(responseBuffer []byte) (int, error) { + if len(rwc.outBuffer) == 0 { + return 0, io.EOF + } + lenCopied := copy(responseBuffer, rwc.outBuffer) + // Implements same behavior as linux "/dev/tpm0": discard unread components after read. + rwc.outBuffer = rwc.outBuffer[:0] + return lenCopied, nil +} + +func (rwc *winTPMBuffer) Close() error { + // TBS_RESULT Tbsip_Context_Close( + // _In_ TBS_HCONTEXT hContext + // ); + errResp, _, _ := tbsContextClose.Call(rwc.context) + return tbsError(errResp) +} + +// OpenTPM creates a new instance of a ReadWriteCloser which can interact with a +// Windows TPM. OpenTPM takes in the a CommandPriority at which to run commands. +func OpenTPM(commandPriority CommandPriority) (io.ReadWriteCloser, error) { + params := tbsContextParams2{ + version: tpm2Version, + flags: bothTPMVersionsFlag, + } + + rwc := winTPMBuffer{ + outBuffer: make([]byte, 0, maxTPMResponse), + priority: commandPriority, + } + // TBS_RESULT Tbsi_Context_Create( + // _In_ PCTBS_CONTEXT_PARAMS pContextParams, + // _Out_ PTBS_HCONTEXT *phContext + // ); + errResp, _, _ := tbsCreateContext.Call( + uintptr(unsafe.Pointer(¶ms)), + uintptr(unsafe.Pointer(&rwc.context)), + ) + return &rwc, tbsError(errResp) +} diff --git a/vendor/github.com/systemboot/systemboot/localboot/main.go b/vendor/github.com/systemboot/systemboot/localboot/main.go index 39f75d9..61b5f5e 100644 --- a/vendor/github.com/systemboot/systemboot/localboot/main.go +++ b/vendor/github.com/systemboot/systemboot/localboot/main.go @@ -6,7 +6,7 @@ import ( "path" "syscall" - "github.com/insomniacslk/systemboot/pkg/storage" + "github.com/systemboot/systemboot/pkg/storage" ) // TODO backward compatibility for BIOS mode with partition type 0xee diff --git a/vendor/github.com/systemboot/systemboot/pkg/booter/bootentry.go b/vendor/github.com/systemboot/systemboot/pkg/booter/bootentry.go index b634637..8414a2c 100644 --- a/vendor/github.com/systemboot/systemboot/pkg/booter/bootentry.go +++ b/vendor/github.com/systemboot/systemboot/pkg/booter/bootentry.go @@ -4,7 +4,7 @@ import ( "fmt" "log" - "github.com/insomniacslk/systemboot/pkg/vpd" + "github.com/systemboot/systemboot/pkg/vpd" ) // Get, Set and GetAll are defined here as variables so they can be overridden diff --git a/vendor/github.com/systemboot/systemboot/pkg/crypto/ed25519.go b/vendor/github.com/systemboot/systemboot/pkg/crypto/ed25519.go new file mode 100644 index 0000000..6e68c1f --- /dev/null +++ b/vendor/github.com/systemboot/systemboot/pkg/crypto/ed25519.go @@ -0,0 +1,113 @@ +package crypto + +import ( + "crypto/rand" + "crypto/x509" + "encoding/pem" + "errors" + "io/ioutil" + "os" + + "golang.org/x/crypto/ed25519" +) + +var ( + // PubKeyIdentifier is the PEM public key identifier + PubKeyIdentifier = "PUBLIC KEY" + // PrivKeyIdentifier is the PEM private key identifier + PrivKeyIdentifier = "PRIVATE KEY" + // PEMCipher is the PEM encryption algorithm + PEMCipher = x509.PEMCipherAES256 + // PubKeyFilePermissions are the public key file perms + PubKeyFilePermissions os.FileMode = 0644 + // PrivKeyFilePermissions are the private key file perms + PrivKeyFilePermissions os.FileMode = 0600 +) + +// LoadPublicKeyFromFile loads PEM formatted ED25519 public key from file. +func LoadPublicKeyFromFile(publicKeyPath string) ([]byte, error) { + x509PEM, err := ioutil.ReadFile(publicKeyPath) + if err != nil { + return nil, err + } + + // Parse x509 PEM file + var block *pem.Block + for { + block, x509PEM = pem.Decode(x509PEM) + if block == nil { + return nil, errors.New("Can't decode PEM file") + } + if block.Type == PubKeyIdentifier { + break + } + } + + return block.Bytes, nil +} + +// LoadPrivateKeyFromFile loads PEM formatted ED25519 private key from file. +func LoadPrivateKeyFromFile(privateKeyPath string, password []byte) ([]byte, error) { + x509PEM, err := ioutil.ReadFile(privateKeyPath) + if err != nil { + return nil, err + } + + // Parse x509 PEM file + var block *pem.Block + for { + block, x509PEM = pem.Decode(x509PEM) + if block == nil { + return nil, errors.New("Can't decode PEM file") + } + if block.Type == PrivKeyIdentifier { + break + } + } + + // Check for encrypted PEM format + if x509.IsEncryptedPEMBlock(block) { + decryptedKey, err := x509.DecryptPEMBlock(block, password) + if err != nil { + return nil, err + } + return decryptedKey, nil + } + + return block.Bytes, nil +} + +// GeneratED25519Key generates a ED25519 keypair +func GeneratED25519Key(password []byte, privateKeyFilePath string, publicKeyFilePath string) error { + pubKey, privKey, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + return err + } + + var privBlock = &pem.Block{ + Type: "PRIVATE KEY", + Bytes: privKey, + } + + var pubBlock = &pem.Block{ + Type: "PUBLIC KEY", + Bytes: pubKey, + } + + var privateKey []byte + if len(password) < 1 { + encrypted, err := x509.EncryptPEMBlock(rand.Reader, privBlock.Type, privBlock.Bytes, password, PEMCipher) + if err != nil { + return err + } + privateKey = pem.EncodeToMemory(encrypted) + } else { + privateKey = pem.EncodeToMemory(privBlock) + } + + if err := ioutil.WriteFile(privateKeyFilePath, privateKey, PrivKeyFilePermissions); err != nil { + return err + } + + return ioutil.WriteFile(publicKeyFilePath, pem.EncodeToMemory(pubBlock), PubKeyFilePermissions) +} diff --git a/vendor/github.com/systemboot/systemboot/pkg/crypto/ed25519_test.go b/vendor/github.com/systemboot/systemboot/pkg/crypto/ed25519_test.go new file mode 100644 index 0000000..d89a83e --- /dev/null +++ b/vendor/github.com/systemboot/systemboot/pkg/crypto/ed25519_test.go @@ -0,0 +1,106 @@ +package crypto + +import ( + "io/ioutil" + "testing" + + "github.com/stretchr/testify/require" + "golang.org/x/crypto/ed25519" +) + +const ( + // publicKeyDERFile is a RSA public key in DER format + publicKeyDERFile string = "tests/public_key.der" + // publicKeyPEMFile is a RSA public key in PEM format + publicKeyPEMFile string = "tests/public_key.pem" + // privateKeyPEMFile is a RSA public key in PEM format + privateKeyPEMFile string = "tests/private_key.pem" + // publicKeyPEMFile2 is a RSA public key in PEM format + publicKeyPEMFile2 string = "tests/public_key2.pem" + // privateKeyPEMFile2 is a RSA public key in PEM format + privateKeyPEMFile2 string = "tests/private_key2.pem" + // testDataFile which should be verified by the good signature + testDataFile string = "tests/data" + // signatureGoodFile is a good signature of testDataFile + signatureGoodFile string = "tests/verify_rsa_pkcs15_sha256.signature" + // signatureBadFile is a bad signature which does not work with testDataFile + signatureBadFile string = "tests/verify_rsa_pkcs15_sha256.signature2" +) + +var ( + // password is a PEM encrypted passphrase + password = []byte{'k', 'e', 'i', 'n', 's'} +) + +func TestLoadDERPublicKey(t *testing.T) { + _, err := LoadPublicKeyFromFile(publicKeyDERFile) + require.Error(t, err) +} + +func TestLoadPEMPublicKey(t *testing.T) { + _, err := LoadPublicKeyFromFile(publicKeyPEMFile) + require.NoError(t, err) +} + +func TestLoadPEMPrivateKey(t *testing.T) { + _, err := LoadPrivateKeyFromFile(privateKeyPEMFile, password) + require.NoError(t, err) +} + +func TestLoadBadPEMPrivateKey(t *testing.T) { + _, err := LoadPrivateKeyFromFile(privateKeyPEMFile, []byte{}) + require.Error(t, err) +} + +func TestSignVerifyData(t *testing.T) { + privateKey, err := LoadPrivateKeyFromFile(privateKeyPEMFile, password) + require.NoError(t, err) + + publicKey, err := LoadPublicKeyFromFile(publicKeyPEMFile) + require.NoError(t, err) + + testData, err := ioutil.ReadFile(testDataFile) + require.NoError(t, err) + + signature := ed25519.Sign(privateKey, testData) + verified := ed25519.Verify(publicKey, testData, signature) + require.Equal(t, true, verified) +} + +func TestGoodSignature(t *testing.T) { + publicKey, err := LoadPublicKeyFromFile(publicKeyPEMFile) + require.NoError(t, err) + + testData, err := ioutil.ReadFile(testDataFile) + require.NoError(t, err) + + signatureGood, err := ioutil.ReadFile(signatureGoodFile) + require.NoError(t, err) + + verified := ed25519.Verify(publicKey, testData, signatureGood) + require.Equal(t, true, verified) +} + +func TestBadSignature(t *testing.T) { + publicKey, err := LoadPublicKeyFromFile(publicKeyPEMFile) + require.NoError(t, err) + + testData, err := ioutil.ReadFile(testDataFile) + require.NoError(t, err) + + signatureBad, err := ioutil.ReadFile(signatureBadFile) + require.NoError(t, err) + + verified := ed25519.Verify(publicKey, testData, signatureBad) + require.Equal(t, false, verified) +} + +func TestGenerateKeys(t *testing.T) { + err := GeneratED25519Key(password, privateKeyPEMFile2, publicKeyPEMFile2) + require.NoError(t, err) +} + +func TestGenerateUnprotectedKeys(t *testing.T) { + err := GeneratED25519Key(nil, privateKeyPEMFile2, publicKeyPEMFile2) + require.NoError(t, err) +} diff --git a/vendor/github.com/systemboot/systemboot/pkg/crypto/rsa.go b/vendor/github.com/systemboot/systemboot/pkg/crypto/rsa.go deleted file mode 100644 index 7d42671..0000000 --- a/vendor/github.com/systemboot/systemboot/pkg/crypto/rsa.go +++ /dev/null @@ -1,53 +0,0 @@ -package crypto - -import ( - "crypto" - "crypto/rsa" - "crypto/sha256" - "crypto/x509" - "encoding/pem" - "errors" - "io/ioutil" -) - -const ( - pubKeyIdentifier string = "PUBLIC KEY" -) - -// LoadPublicKeyFromFile loads DER formatted RSA public key from file. -func LoadPublicKeyFromFile(publicKeyPath string) (*rsa.PublicKey, error) { - x509PEM, err := ioutil.ReadFile(publicKeyPath) - if err != nil { - return nil, err - } - - // Parse x509 PEM file - block, _ := pem.Decode(x509PEM) - if block == nil || block.Type != pubKeyIdentifier { - return nil, errors.New("Can't decode PEM file") - } - - // parse Public Key - pub, err := x509.ParsePKIXPublicKey(block.Bytes) - if err != nil { - return nil, err - } - - switch pub := pub.(type) { - case *rsa.PublicKey: - return pub, nil - default: - return nil, errors.New("Not a RSA public key") - } -} - -// VerifyRsaSha256Pkcs1v15Signature verifies a PKCSv1.5 signature made by -// a SHA-256 checksum. Public key must be a RSA key in PEM format. -func VerifyRsaSha256Pkcs1v15Signature(publicKey *rsa.PublicKey, data []byte, signature []byte) error { - if publicKey == nil { - return errors.New("Public key is nil") - } - - hash := sha256.Sum256(data) - return rsa.VerifyPKCS1v15(publicKey, crypto.SHA256, hash[:], signature) -} diff --git a/vendor/github.com/systemboot/systemboot/pkg/crypto/rsa_test.go b/vendor/github.com/systemboot/systemboot/pkg/crypto/rsa_test.go deleted file mode 100644 index ef86765..0000000 --- a/vendor/github.com/systemboot/systemboot/pkg/crypto/rsa_test.go +++ /dev/null @@ -1,59 +0,0 @@ -package crypto - -import ( - "io/ioutil" - "testing" - - "github.com/stretchr/testify/require" -) - -const ( - // publicKeyDERFile is a RSA public key in DER format - publicKeyDERFile string = "tests/public_key.der" - // publicKeyPEMFile is a RSA public key in PEM format - publicKeyPEMFile string = "tests/public_key.pem" - // testDataFile which should be verified by the good signature - testDataFile string = "tests/data" - // signatureGoodFile is a good signature of testDataFile - signatureGoodFile string = "tests/verify_rsa_pkcs15_sha256.signature" - // signatureBadFile is a bad signature which does not work with testDataFile - signatureBadFile string = "tests/verify_rsa_pkcs15_sha256.signature2" -) - -func TestLoadDERPublicKey(t *testing.T) { - _, err := LoadPublicKeyFromFile(publicKeyDERFile) - require.Error(t, err) -} - -func TestLoadPEMPublicKey(t *testing.T) { - _, err := LoadPublicKeyFromFile(publicKeyPEMFile) - require.NoError(t, err) -} - -func TestGoodSignature(t *testing.T) { - publicKey, err := LoadPublicKeyFromFile(publicKeyPEMFile) - require.NoError(t, err) - - testData, err := ioutil.ReadFile(testDataFile) - require.NoError(t, err) - - signatureGood, err := ioutil.ReadFile(signatureGoodFile) - require.NoError(t, err) - - err = VerifyRsaSha256Pkcs1v15Signature(publicKey, testData, signatureGood) - require.NoError(t, err) -} - -func TestBadSignature(t *testing.T) { - publicKey, err := LoadPublicKeyFromFile(publicKeyPEMFile) - require.NoError(t, err) - - testData, err := ioutil.ReadFile(testDataFile) - require.NoError(t, err) - - signatureBad, err := ioutil.ReadFile(signatureBadFile) - require.NoError(t, err) - - err = VerifyRsaSha256Pkcs1v15Signature(publicKey, testData, signatureBad) - require.Error(t, err) -} diff --git a/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/private_key.pem b/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/private_key.pem index 8467082..e368f0c 100644 --- a/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/private_key.pem +++ b/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/private_key.pem @@ -1,51 +1,7 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKAIBAAKCAgEA2HTN5rWaco66puxvqX43YIJIPNNztOCmF2zGeRfM/qu4GMd1 -z3aZMPr8lAxgAvetPpwe3a4AU8W1o9hvjiVIPGETIvFfd9FZ0tthAC5vJPdpCROk -57DHoJ5EdgBq2gr84RLL8GP9fDTFTQd6XQ5+nW1D4KU7bfa3+dyO/CiU3V3PaVyP -JfWs7DI1GfQOVZ0A4iKCMWbJbGI8Of6hUWqWmrIKhdwN+88vG6XIxi1w6adfY03T -yqLLOdsdVJvpvYiG42Wicx6bB8hoNYB+tCOqF4WA81E/CLPq/YH4gJzC0TpfP48w -WulbvLSv2qQ5gwvFTRO+7TeXhHnaphDAOa/I/SFo6cXQq2oAGPsXgCN6e9MGDD2V -NVpiN4vUs2P14jkzuC9Cmrw5RgNJ0d35y0sec2BFJ+zDqYLdWH70prTA3X+CwR0X -B5ujVM+orWGR/RFYjg/uKG1m2VP6sZscRxaiZ4UI8rxz+M30fDwb1i/+lctLmkKv -vV2NbpiUqw4rmwRpr4hAQ3AlKx7tKrLHro+y9C5B0mSLpjri8nMVhN13huPRQ942 -GCwiqlq5pfvjaL0iAtWZkx/BOQ2eBbWiALdjbOJ8DHIG0KSRW4nwyi88Q9k1LyeV -zaY5WJl5M4ePKmr/SCBdeFJ1JyLkLQKWY8364B9Myj0vbH4SB5/i91I6SaUCAwEA -AQKCAgB2O+c0fEIvDROblk6wEIeDKeb3grETPhq7dOk8v+lzuqzGrD0H48pt3MsW -u2O+ezegmXqqsB7xo29CXjkhNfAtOwFO9vWk5y/fY4GqrbJ8SMCQ+q/69q80Zv8S -TcwP6iyTbMcFOjj+HX0gRFNsfTxgFY0cKmU5/agkzXs09Z3LBTEEZlCy9W1NX2du -E8e4sBgJbbwb6/9eOpKXQyUu6b/2JAZnc/oXb+ZVfcsbpTqmBoyuG5byetXzdmKh -EsEsjGTR1XRU2YTpTWjOwK91Cn4gdwYm4lxCDrTvYI0zA23PB8l7WGWbYxh/DVt5 -XHclw8oz/fMudE1JSZ5LU58MY56u1BN+OyWN0NpSx0aBPQesH1ofTBA+wDaN1rpx -BxocvfaoQNaDqEYdMJ98uwRyaMgV8CPptFszthooc6wNNTkaC1utWgzZlBUYqlkg -hpHboAHM2PU/TLw4wo3AmTleEpJucmh6uZkOFcpRRdzDlLl38bAyrQi+X+/4X/y9 -Wk+IdO/HjFi1CA1/eRpRGH/6CKcQJ9SRI7NY23mH9Re4a2Ad9FCt+WHH7Sb/uZqQ -64/55ZgHQNUoX3doTJyGxI8Gpv9Z/m7swP0h+CBuu7tyw34RdJPnYBetOflfSVgk -4ST/24/J3iwS0+uKrq88emD6pR2Gl4jBIOD6EBbxqvuLnp+UQQKCAQEA/utxMrs0 -7SczWIvWMUbsa4vkEOp0pyYhLotOZs71EcB4CTI9aVqGW4p1bTAL8Yd5PA96jVfg -g3grC+S2Jgr31xW7JZrZAzJ4gR+oiBIvDxFOmkoDdV/zL4IOwgZAs3zQVlMxitrz -ewfr1ivEm/fOa00MWpsypdARDl304U6bEURiqrLVRLRILdhNE7G+X0KjpihIjcvO -Cr/QKGMtytodOTYWymZiHqis8KCONmgDEbPLmcgkUbRuc8g13m6BWeEms5pg8lgd -XnFvyYe4v+xo+sZx79Z11vAog0UUJ+P95H8SwMX9hm9XyTzQ3skDWkzpJJb0n6qk -wUlvyJ/53f5gqQKCAQEA2V+iQv3UCYoqHjlkcHxZ/c8JmC6WTegaVNFQCfzOhIVM -eyTT7bIvnBm25m6Lb/+JkKbwjK6QG3x46RjUW7D/IJjl8gjOfY/KnlvcGqFFaCxa -ZmTh+edsQFCCatQYd09KDrkX5REXo6xH+BvaPuBX4QBs4zxg5HYJZhPjyunhfxf+ -2DOWLr21Xqd+Rnlk0kcWzOsIvijzCs4UySlTbprFhzP3pJUwu4uasceqRU+mVY8a -+ukYRTvrdB0Zj+eg54cZ7szD+I2u7mec8ZwRMwG6YiJkkjBSuHRxnZSiUWVI7RSo -b+WfChtqrGiQUWqur4xpysI+hs47IvBeu0qqipgynQKCAQAyqtVLAg6Y/GumM9UU -4kXnclyYSCF7f4ak26dvo77uElVJbqTqJcYCt9hzJVOaZBTirSjsowTK3L2hlYnm -sdNk+rrB1K9BhWySLZqvwP19fzEiVYeucq3BSZZpVhjSFALMxahZMv+l+oMThIuF -fJGYni3QbHx6nIpnUqFzjs4fdnot93GQQE0AX7eiLHfsMzCXu/X/yPxhApL7FAts -AEJCts981zC1a01EXoUlpzLE9/mFzVP6sWQquyaJ2Wj4Vln85LhUMtNTjDRt1/4O -l4yeG4dV5khxujYzMS26aAR0wBUYH8IuUD8gjmftgAKcliDY1vA0NBSfHluLgtCF -ISRRAoIBAAZD9Ghb6p2vxtECNHvtiaaALjWduiVauE+TjOwMxmMZeH/gKt+iEC8+ -qn/v1cMPqYZq2WokqfCw4MdPOOe/rUriPVaBnHoQB/YSjcCSv25mQODMrZrHad5c -s7WikWX2+hp8iUzH9ld4Ysaq/tprGv1YRssx9VUAdfrkPd+eaCqCpYzTx9NnEnA9 -Aa3EV/ybofOcHq9kfMTl9cFqmIYKngDspYmv5yywtG/FYooG5rN2oX9z8ogkVwAM -yqzUL1YdFclFS6zBYLZsdCCer/w5Y4bqmN2B2RCKArBZFWilM7npq4U2KCRhb+yy -Qt6l5Y0XzgDTInw+O4QhS4m4eDvwcR0CggEBAMCQ84v2a6HqNWrm0ayrCPKMOYTn -NxmcMQ32JxhheYLGBwRq6wO6e94f7T5d6aNF0Pek73guug6lyZcKb2XMTAIT5XIE -28QbevZcvQW8ejW1++RH8AGzVqzF+f5fL7e8aLxMxf1JZz2yH9dXS8AJ4U3IMwIA -hSn4IbX1wlUmC9mLhngcPtqzLSwQXTtsQKqxG8HERTzH7q0wLZFwvLXV2I93cfyA -ghaQ/ow19s1XREffDc8aaAnOBGYyf5yPrxHgEdUYEU4xhOPN/myTVGorW/JQqKEl -aWzvN/IBqMkjF6PqvOc3431T2WVs+105vYpVvB0GkGwmd4Nvb27s2E5iWN4= ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,f85a72d194776a7e9f04f281b7a9da31 + +qRZd240FjO1XoI+8Za7RdlzEIhMQiRrf1MtK0lQi6Pt2fr9U5CptngretboGO+rL +XPFRn7H6fTfgf5swcFJpK8oyE8xM8Ogukk9NqtwI2jg= +-----END PRIVATE KEY----- diff --git a/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/private_key2.pem b/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/private_key2.pem deleted file mode 100644 index 0efc08f..0000000 --- a/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/private_key2.pem +++ /dev/null @@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKgIBAAKCAgEA3mrUIRmBZA2qkTMLcgwRWP554ibNU+VI6HeCoCTKxsWtMzkn -Zqai3olBZ6yAbIHT+mKxW2TyF7tH+RaKzqcfS2Ox81d7XS9ISU7mUCjEGWAEXYyJ -xB3GzaezdqzstNLLTWAekYDPIDmayGPBQk8CJoiRG0QbP/EUFeD2fci3nOAJmhAf -tBkwHzRu3oHwyw/XWNnlCfuWtb3VSW+m1xK/ZDOB7oNWYPASW3T+MkDxj8lAspB3 -Ae8L6DcTqkJsyYoJzOS96nhDV0W1vUXMAyy8uQLZguKtaLFV8SW7R5tARR8uNVD7 -sD5TaZvQXBeaNoJOUz1hcv2HM6BJ/uJYGj38ax4DjwGEHQKoPhv0w/68QXn2p6Pm -a2GXcco2gPtv5VhyxXuZey5GHWfdPG5Sbky636O/8PpIbKmda5hVOR4S/OBTqgOi -0qOTJp03IKbazTXgZsspe0EF1EjYiiW+vMRiUir8fGLsocdqqK1e//z8dcknYVnu -rtKirvTrYJH4EdXVpNFsvzarxS+8cnEsiee6rtm6VBBDoP2LHynPiqB9jD1sYqoH -w46sWzhtn7n2lMPDg3Ugc7ob/Q5sCdlXml50+G+/+vRIIYxBxeBX8TU670VR6nRl -ncQdnGJ1vdom6emuM6LQnhVXi9F+W8xaxTx1yF/wYHmNt0hTfY5xFEYRWWcCAwEA -AQKCAgEA2ih6rYSw74ygEw+4WEMR+PKSZoqct3+cRbiDfcTYyKM4QZf716n28sQ6 -TRBcXxHw9BU91WFsPG7MJ7w+pngyL+Y3s3HJZRttkco8CcASqLkPTxr8PkrepvWp -B+yRuMNR+jEfiqSHhRo7gfampv2MJHOrsMza1ZsHknY4ECSCRPNTN7Q9BI/4LYNm -hAV8RBDjrxj6mRIXP2hV/lPvl+GhrQ0Akwxr+2U+/EoC0xP0XI6QURV2RYVNbpYn -ScchoYUuG7T5uzP/CWks29vMQgjti6MJ6mGgqaHXpFLYIWJcZfAxiMZIORTJCDt2 -4f2cm36wiOEZ5opaxP6h1cn5lLPcEvg7zdnbih7LQmkvowQrxlH8JqEO8YaUlPQB -ztqw89ggnHoF3l8wB94yTiPPVXkIjfEuZSNqAydg7e/zGTDEI1qQXmVXCGu9qteT -5OcuM7jtPmLzwXc3565liZf2Ul7Kpmfm3T94z9oPkBmLfGo8/lPq0Z/mBXZoCZmZ -Z3YpiBR/fhX9Oql/A++O+tlqU9OIbCykAoZJ11ZtLraijYoqadoBu7jTv7T9kFBU -soqqJonkl/4DSvH5wX3URZrKwHJkqnnZxGijEq17liM56b9hOuEmmz8Jt6C2e1hc -OgEqOaSThfzdh8uc+8AvSmKdHgTmpQLI14ASHYwix3OwxqycM2ECggEBAP3TS/mN -htWkZv4X/QjJvCcN83KRxdulgQTvOiSLWNepiaF2BDOB7YymlME+3+V08m/IRUqt -guj3QJY45Y+b4gKubRP7Valkk3snO9RjMHri6PduVhi78+j+lP6q4V3Fpz65GjIz -3mrf21qSvHJwpCudSwxu7lrwvLk1Sa1k13u03pSvbftuAMpE+JRdCiSll9JJsB7h -sT6h/FEFgpAfG1CJTr3VuLZQQxSFfyB8tdAGgdnPFBuMEM4OPxPAu38kL/EtCdME -U3OhCMY9X5q1e5gw6iMF6pO25ccPxOIoHpT6LXPrR0A+UcbtKn20fSujtoBu1CCy -ChbsGw9YTYWWm4kCggEBAOBSpWAImnOgWItpWVcr+kgPFZUuLoV/pV9bQdn1xE8R -O+/r0gOjPWli6BqOXK1TCneUh7uu7Tg95vPdgredWA6vvWtPyZ7XDdXd64xW/gqI -J7/jz/HoHp5zYK5MT5q23hA4Pnlu4Bp1r7q5wvLrrqFBI20Qu0fcINpwm3p4fSE0 -XZ7MViadC64SNWcRkitjyM0vF7IXi7iuGIBLRv3mAv33JoS5uvhbkDxKj+dUiuX2 -ZNTBcaGFuNDTqLOikOxXemud1j0i2VkwutAT5/5nv+w8pVYPsqNFSMyrwnONzxI5 -NgbdvPAcxg07M4ON7iZa5Cw3dSI8f9sSKXMwNzPtYW8CggEBAJJRgqNp7UcszV4+ -T9QIDtlolmT+GVOj1XsVuKumVGGFztvvnz5d8KU6xdecOg8Y2kSL6z3ARg2rsmSm -ida+IowvJpv1L41FeCrvE/M79o9wTKGNzj3V4yX108f2k5GtxdpHdA1qjxWG0/kj -S1ShEFJACyowrGBqFDCjwkQdNIaQXhrSAhGFeRkgpzdHZvh3KMzFQ6yZp8YWNNAz -3+7ar7E+ZdDS6fbWz8R9rCn7GgfAKIx5bfrvRCS0W7I0USFap/RcZSRqgvzN4LP+ -XyVc5tF1qRLlbzMVpOGaeoFwZSi2CwuenmUvR47n2q26JMnKRwNEYC4009Ig6vxu -h8mxZxkCggEAY0eQk5EbMmNb7M+CT9dR3MR4S971jfXxbeOIoHtqF4hMG6Il/6Am -lNbGXMJ29+rRrhzZedIwgPy8k1+M89C6YT2cOrtEQ31wTR/7mNADfQvHc+DSboDJ -1FzCBEIX1SRr4YfS9pGAs5U0YhLG2hY+4nVexW1rRaGCFMtTtH9Q+fogGSDcXBiT -S8YZRnV7WKLAAzd9aD+Ngf3jMByg3cwHtPjGXmWI/1Qe4OArEjnTg3VqKNM4hEEX -i6yxdFdVhpQsxSZE5CfhQ90SQPcebPTj9xzcG9u0txf54UN/Ov8fDzSs2ZsXfLlv -WfnCkc2mAemmJH+i4rUd7Qn7uFQ1ilDcFwKCAQEAhU8haYNoI6+ga+DvdooqbdFD -5qBQzXyWx8IVgf0u+RuhGGDIKlz03BVNWEBY4TGyIyvpwK0JTkIu1xWhEuoeWVk6 -gsBxo77Jwob9opRm744Tspvc6ombiKG0ihLl5kuntiu0XzfvbpNuYHzwJ6FPeWzy -orRxG9O2eEOKralrpyQwde+8XzRFNDuuXGOK8dkXRoM14Q+tyMXgQ4zeqSXaVpDv -imPKdypvMLeo4x7BgNxE0cjZLThliqIKD+TJVHVRrUFDbM8y8swF2Ta0SA3VzdAi -PjSUbl+9V8vxBR1IonD1SY/R4g3JOrxLTqKyaFYiiWL+wi6FoCXIJ8LOT/8ofA== ------END RSA PRIVATE KEY----- diff --git a/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/public_key.pem b/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/public_key.pem index 432f464..979b598 100644 --- a/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/public_key.pem +++ b/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/public_key.pem @@ -1,14 +1,3 @@ -----BEGIN PUBLIC KEY----- -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2HTN5rWaco66puxvqX43 -YIJIPNNztOCmF2zGeRfM/qu4GMd1z3aZMPr8lAxgAvetPpwe3a4AU8W1o9hvjiVI -PGETIvFfd9FZ0tthAC5vJPdpCROk57DHoJ5EdgBq2gr84RLL8GP9fDTFTQd6XQ5+ -nW1D4KU7bfa3+dyO/CiU3V3PaVyPJfWs7DI1GfQOVZ0A4iKCMWbJbGI8Of6hUWqW -mrIKhdwN+88vG6XIxi1w6adfY03TyqLLOdsdVJvpvYiG42Wicx6bB8hoNYB+tCOq -F4WA81E/CLPq/YH4gJzC0TpfP48wWulbvLSv2qQ5gwvFTRO+7TeXhHnaphDAOa/I -/SFo6cXQq2oAGPsXgCN6e9MGDD2VNVpiN4vUs2P14jkzuC9Cmrw5RgNJ0d35y0se -c2BFJ+zDqYLdWH70prTA3X+CwR0XB5ujVM+orWGR/RFYjg/uKG1m2VP6sZscRxai -Z4UI8rxz+M30fDwb1i/+lctLmkKvvV2NbpiUqw4rmwRpr4hAQ3AlKx7tKrLHro+y -9C5B0mSLpjri8nMVhN13huPRQ942GCwiqlq5pfvjaL0iAtWZkx/BOQ2eBbWiALdj -bOJ8DHIG0KSRW4nwyi88Q9k1LyeVzaY5WJl5M4ePKmr/SCBdeFJ1JyLkLQKWY836 -4B9Myj0vbH4SB5/i91I6SaUCAwEAAQ== +TkhDNPDA4ydNTy0vQ9Lf030mReHeCfgSgJA/iIQkC1w= -----END PUBLIC KEY----- diff --git a/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/verify_rsa_pkcs15_sha256.signature b/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/verify_rsa_pkcs15_sha256.signature index f510498..f1164e5 100644 Binary files a/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/verify_rsa_pkcs15_sha256.signature and b/vendor/github.com/systemboot/systemboot/pkg/crypto/tests/verify_rsa_pkcs15_sha256.signature differ diff --git a/vendor/github.com/systemboot/systemboot/pkg/rng/entropy.go b/vendor/github.com/systemboot/systemboot/pkg/rng/entropy.go index 4790ba8..d1ebe7a 100644 --- a/vendor/github.com/systemboot/systemboot/pkg/rng/entropy.go +++ b/vendor/github.com/systemboot/systemboot/pkg/rng/entropy.go @@ -8,7 +8,7 @@ import ( "strings" "time" - "github.com/insomniacslk/systemboot/pkg/recovery" + "github.com/systemboot/systemboot/pkg/recovery" ) // The concept diff --git a/vendor/github.com/systemboot/systemboot/uinit/main.go b/vendor/github.com/systemboot/systemboot/uinit/main.go index a7c6e9e..596b901 100644 --- a/vendor/github.com/systemboot/systemboot/uinit/main.go +++ b/vendor/github.com/systemboot/systemboot/uinit/main.go @@ -6,7 +6,7 @@ import ( "os/exec" "time" - "github.com/insomniacslk/systemboot/pkg/booter" + "github.com/systemboot/systemboot/pkg/booter" ) var (