rotate-keys: ensure we use the correct hierarchy

Signed-off-by: Morten Linderud <[email protected]>
Foxboron · Jul 29, 2024 · 2661196 · 2661196
1 parent 009e248
commit 2661196
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 19 deletions.
diff --git a/cmd/sbctl/rotate-keys.go b/cmd/sbctl/rotate-keys.go
@@ -41,28 +41,45 @@ func rotateCerts(state *config.State, hier hierarchy.Hierarchy, oldkeys *backend
 		return err
 	}
 
+	// Note:
+	// PK needs to be signed by the old key hierarchy, as old PK signs new PK
+	// However db and KEK needs to be signed by new key hierarchy, as new PK -> new KEK,
+	// and new KEK -> new Db
+
 	switch hier {
 	case hierarchy.PK:
-		cert := oldkeys.PK.CertificateBytes()
-		if err := efistate.PK.Remove(signature.CERT_X509_GUID, *guid, cert); err != nil {
-			return fmt.Errorf("can't remove old key from PK siglist: %v", err)
+		// fmt.Printf("Old PK: %s\n", oldkeys.PK.Certificate().SerialNumber.String())
+		// fmt.Printf("New PK: %s\n", newkeys.PK.Certificate().SerialNumber.String())
+		cert := oldkeys.PK.Certificate().Raw
+		if efistate.PK.SigDataExists(signature.CERT_X509_GUID, &signature.SignatureData{Owner: *guid, Data: cert}) {
+			if err := efistate.PK.Remove(signature.CERT_X509_GUID, *guid, cert); err != nil {
+				return fmt.Errorf("can't remove old key from PK siglist: %v", err)
+			}
 		}
 		efistate.PK.Append(signature.CERT_X509_GUID, *guid, newkeys.PK.CertificateBytes())
 		return efistate.EnrollKey(hier.Efivar(), oldkeys)
 	case hierarchy.KEK:
-		cert := oldkeys.KEK.CertificateBytes()
-		if err := efistate.KEK.Remove(signature.CERT_X509_GUID, *guid, cert); err != nil {
-			return fmt.Errorf("can't remove old key from KEK siglist: %v", err)
+		// fmt.Printf("Old KEK: %s\n", oldkeys.KEK.Certificate().SerialNumber.String())
+		// fmt.Printf("New KEK: %s\n", newkeys.KEK.Certificate().SerialNumber.String())
+		cert := oldkeys.KEK.Certificate().Raw
+		if efistate.KEK.SigDataExists(signature.CERT_X509_GUID, &signature.SignatureData{Owner: *guid, Data: cert}) {
+			if err := efistate.KEK.Remove(signature.CERT_X509_GUID, *guid, cert); err != nil {
+				return fmt.Errorf("can't remove old key from KEK siglist: %v", err)
+			}
 		}
 		efistate.KEK.Append(signature.CERT_X509_GUID, *guid, newkeys.KEK.CertificateBytes())
-		return efistate.EnrollKey(hier.Efivar(), oldkeys)
+		return efistate.EnrollKey(hier.Efivar(), newkeys)
 	case hierarchy.Db:
-		cert := oldkeys.Db.CertificateBytes()
-		if err := efistate.Db.Remove(signature.CERT_X509_GUID, *guid, cert); err != nil {
-			return fmt.Errorf("can't remove old key from Db siglist: %v", err)
+		// fmt.Printf("Old Db: %s\n", oldkeys.Db.Certificate().SerialNumber.String())
+		// fmt.Printf("New Db: %s\n", newkeys.Db.Certificate().SerialNumber.String())
+		cert := oldkeys.Db.Certificate().Raw
+		if efistate.Db.SigDataExists(signature.CERT_X509_GUID, &signature.SignatureData{Owner: *guid, Data: cert}) {
+			if err := efistate.Db.Remove(signature.CERT_X509_GUID, *guid, cert); err != nil {
+				return fmt.Errorf("can't remove old key from Db siglist: %v", err)
+			}
 		}
 		efistate.Db.Append(signature.CERT_X509_GUID, *guid, newkeys.Db.CertificateBytes())
-		return efistate.EnrollKey(hier.Efivar(), oldkeys)
+		return efistate.EnrollKey(hier.Efivar(), newkeys)
 	default:
 		return fmt.Errorf("unknown efivar hierarchy")
 	}

diff --git a/siglist.go b/siglist.go
@@ -1,6 +1,9 @@
 package sbctl
 
 import (
+	"errors"
+	"os"
+
 	"github.com/foxboron/go-uefi/efi/signature"
 	"github.com/foxboron/go-uefi/efivar"
 	"github.com/foxboron/go-uefi/efivarfs"
@@ -30,12 +33,21 @@ func (e *EFIVariables) GetSiglist(ev efivar.Efivar) *signature.SignatureDatabase
 }
 
 func (e *EFIVariables) EnrollKey(ev efivar.Efivar, hier *backend.KeyHierarchy) error {
-	signer := hier.GetKeyBackend(ev)
+	// Ensure we are using the correct signer for the backend
+	var signer backend.KeyBackend
+	switch ev {
+	case efivar.PK:
+		signer = hier.GetKeyBackend(efivar.PK)
+	case efivar.KEK:
+		signer = hier.GetKeyBackend(efivar.PK)
+	case efivar.Db:
+		signer = hier.GetKeyBackend(efivar.KEK)
+	}
+	// fmt.Printf("%s is signed by %s\n", ev.Name, signer.Certificate().SerialNumber.String())
 	return e.fs.WriteSignedUpdate(ev, e.GetSiglist(ev), signer.Signer(), signer.Certificate())
 }
 
 func (e *EFIVariables) EnrollAllKeys(hier *backend.KeyHierarchy) error {
-	// e.EnrollKey(efivar.Dbx)
 	if err := e.EnrollKey(efivar.Db, hier); err != nil {
 		return err
 	}
@@ -59,18 +71,29 @@ func NewEFIVariables(fs *efivarfs.Efivarfs) *EFIVariables {
 }
 
 func SystemEFIVariables(fs *efivarfs.Efivarfs) (*EFIVariables, error) {
-	sigdb, err := fs.Getdb()
-	if err != nil {
+	var sigpk *signature.SignatureDatabase
+	var sigkek *signature.SignatureDatabase
+	var sigdb *signature.SignatureDatabase
+	var err error
+
+	sigdb, err = fs.Getdb()
+	if errors.Is(err, os.ErrNotExist) {
+		sigdb = signature.NewSignatureDatabase()
+	} else if err != nil {
 		return nil, err
 	}
 
-	sigkek, err := fs.GetKEK()
-	if err != nil {
+	sigkek, err = fs.GetKEK()
+	if errors.Is(err, os.ErrNotExist) {
+		sigkek = signature.NewSignatureDatabase()
+	} else if err != nil {
 		return nil, err
 	}
 
-	sigpk, err := fs.GetPK()
-	if err != nil {
+	sigpk, err = fs.GetPK()
+	if errors.Is(err, os.ErrNotExist) {
+		sigpk = signature.NewSignatureDatabase()
+	} else if err != nil {
 		return nil, err
 	}