bootguard

package
v2.8.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 15, 2025 License: BSD-3-Clause Imports: 32 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	// Intel ME Config Space access
	IntelCSMEDeviceID = 16
	IntelSPSDeviceID  = 22
	IntelBus          = 0
	IntelFunction     = 0

	// Boot Guard MSR
	BootGuardACMInfoMSR = 0x13a

	// Error Enforcement Policy
	EnforcementPolicyDoNothing               = 0
	EnforcementPolicyShutdownSomehow         = 2
	EnforcementPolicyShutdownImmediately     = 3
	EnforcementPolicyShutdownInThirtyMinutes = 1
)

Variables

This section is empty.

Functions

func DecryptPrivKey 

func DecryptPrivKey(data []byte, password string) (crypto.PrivateKey, error)

DecryptPrivKey takes the encrypted Key as byte slice and the password to decrypt the private key and returns it with it's type.

func GenECCKey 

func GenECCKey(curve int, password string, kmPubFile, kmPrivFile, bpmPubFile, bpmPrivFile *os.File) error

GenECCKey takes the required curve, two boolean to decide for KM and BPM key and a path to create a ECDSA key pair and writes its public and private keys to files.

func GenRSAKey 

func GenRSAKey(len int, password string, kmPubFile, kmPrivFile, bpmPubFile, bpmPrivFile *os.File) error

GenRSAKey takes the required keylength, two boolean to decide for KM and BPM key and a path to create a RSA key pair and writes its public and private keys to files.

func ParseFITEntries 

func ParseFITEntries(image []byte) (bpm *fit.EntryBootPolicyManifestRecord, km *fit.EntryKeyManifestRecord, acm *fit.EntrySACM, err error)

ParseFITEntries takes a firmware image and extract Boot policy manifest, key manifest and acm information.

func PrintStructures 

func PrintStructures(image []byte) error

PrintStructures takes a firmware image and prints boot policy manifest, key manifest, ACM, chipset, processor and tpm information if available.

func ReadPubKey 

func ReadPubKey(path string) (crypto.PublicKey, error)

ReadPubKey ready a pem encoded RSA/ECC public key file

func SaneMEBootGuardProvisioning 

func SaneMEBootGuardProvisioning(v bgheader.BootGuardVersion, fws *FirmwareStatus6, bgi *BGInfo) (bool, error)

SaneMEBootGuardProvisioning validates during runtime ME bootguard provisioning

func StitchFITEntries 

func StitchFITEntries(biosFilename string, acm, bpm, km []byte) error

StitchFITEntries takes a firmware filename, an acm, a boot policy manifest and a key manifest as byte slices and writes the information into the Firmware Interface Table of the firmware image.

func StrictSaneBootGuardProvisioning added in v2.8.0 

func StrictSaneBootGuardProvisioning(v bgheader.BootGuardVersion, fws *FirmwareStatus6, bgi *BGInfo) (bool, error)

func ValidTXTRegister added in v2.8.0 

func ValidTXTRegister(hw hwapi.LowLevelHardwareInterfaces) (bool, error)

func WriteCBnTStructures 

func WriteCBnTStructures(image []byte, bpmFile, kmFile, acmFile *os.File) error

WriteCBnTStructures takes a firmware image and extracts boot policy manifest, key manifest and acm into separate files.

Types

type BGInfo 

type BGInfo struct {
	NEMEnabled              bool
	TPMType                 uint64
	TPMSuccess              bool
	ForceAnchorBoot         bool
	Measured                bool
	Verified                bool
	ModuleRevoked           bool
	BootGuardCapability     bool
	ServerTXTCapability     bool
	NoResetSecretProtection bool
}

func GetBGInfo 

func GetBGInfo(hw hwapi.LowLevelHardwareInterfaces) (*BGInfo, error)

GetBGInfo reads Boot Guard msr during runtime

type BootGuard 

type BootGuard struct {
	VData   VersionedData `json:"bootguard"`
	Version bgheader.BootGuardVersion
}

BootGuard unification structure, operates on manifests and reader

func NewBPM 

func NewBPM(bpm io.ReadSeeker) (*BootGuard, error)

func NewBPMAndKM 

func NewBPMAndKM(bpm io.ReadSeeker, km io.ReadSeeker) (*BootGuard, error)

func NewBPMAndKMFromBIOS 

func NewBPMAndKMFromBIOS(biosFilepath string, jsonFilepath *os.File) (*BootGuard, error)

func NewKM 

func NewKM(km io.ReadSeeker) (*BootGuard, error)

func NewVData 

func NewVData(vdata VersionedData) (*BootGuard, error)

func (*BootGuard) BPMCryptoSecure 

func (b *BootGuard) BPMCryptoSecure() (bool, error)

BPMCryptoSecure verifies that BPM uses sane crypto algorithms

func (*BootGuard) BPMKeyMatchKMHash 

func (b *BootGuard) BPMKeyMatchKMHash() (bool, error)

BPMKeyMatchKMHash verifies that BPM pubkey hash matches KM hash of Boot Policy

func (*BootGuard) CalculateNEMSize 

func (b *BootGuard) CalculateNEMSize(image []byte, acm *tools.ACM) (uint16, error)

CalculateNEMSize calculates No Eviction Memory and returns it as count of 4K pages.

func (*BootGuard) CreateIBBDigest added in v2.8.0 

func (b *BootGuard) CreateIBBDigest(biosFilepath string) error

CreateIBBDigest generates a Boot Policy Manifest with the given config and firmware image

func (*BootGuard) CreateIBBSegments added in v2.8.0 

func (b *BootGuard) CreateIBBSegments(seElement uint8, flags uint16, imagepath string) error

CreateIBBSegments takes a firmware image, searches files for additional IBBSegment, supports coreboot and UEFI EDK2

func (*BootGuard) GetBPMPubHash 

func (b *BootGuard) GetBPMPubHash(pubkey crypto.PublicKey, hashAlgo string) error

GetBPMPubHash takes the path to public BPM signing key and hash algorithm and returns a hash with hashAlg of pub BPM singing key

func (*BootGuard) GetIBBsDigest 

func (b *BootGuard) GetIBBsDigest(image []byte, hashAlgo string) (digest []byte, err error)

func (*BootGuard) IBBsMatchBPMDigest 

func (b *BootGuard) IBBsMatchBPMDigest(image []byte) (bool, error)

IBBsMatchBPMDigest verifies that FIT measurements match final digest in BPM

func (*BootGuard) KMCryptoSecure 

func (b *BootGuard) KMCryptoSecure() (bool, error)

KMCryptoSecure verifies that KM uses sane crypto algorithms

func (*BootGuard) KMHasBPMHash 

func (b *BootGuard) KMHasBPMHash() (bool, error)

KMHasBPMHash verifies that KM has the correctly signed BPM hash

func (*BootGuard) PrintBPM 

func (b *BootGuard) PrintBPM()

PrintBPM prints the boot policy manifest in human readable

func (*BootGuard) PrintKM 

func (b *BootGuard) PrintKM()

PrintKM prints the key manifest in human readable

func (*BootGuard) ReadJSON 

func (b *BootGuard) ReadJSON(filepath string) error

ReadJSON returns the entire VData structure in JSON format

func (*BootGuard) SaneBPMSecurityProps 

func (b *BootGuard) SaneBPMSecurityProps() (bool, error)

SaneBPMSecurityProps verifies that BPM contains security properties set accordingly to spec

func (*BootGuard) SignBPM 

func (b *BootGuard) SignBPM(signAlgo, hashAlgo string, privkey crypto.PrivateKey) ([]byte, error)

SignBPM signs an unsigned KM with signAlgo and private key as input

func (*BootGuard) SignKM 

func (b *BootGuard) SignKM(signAlgo string, signer crypto.Signer) ([]byte, error)

SignKM signs an unsigned KM with signAlgo and private key as input

func (*BootGuard) StitchBPM 

func (b *BootGuard) StitchBPM(pubKey crypto.PublicKey, signature []byte) ([]byte, error)

StitchBPM returns a boot policy manifest as byte slice

func (*BootGuard) StitchKM 

func (b *BootGuard) StitchKM(pubKey crypto.PublicKey, signature []byte) ([]byte, error)

StitchKM returns a key manifest manifest as byte slice

func (*BootGuard) StrictSaneBPMSecurityProps added in v2.8.0 

func (b *BootGuard) StrictSaneBPMSecurityProps() (bool, error)

StrictSaneBPMSecurityProps verifies that BPM contains security properties more strictly

func (*BootGuard) ValidateBPM 

func (b *BootGuard) ValidateBPM() error

ValidateBPM reads from a binary, parses into the boot policy manifest structure and validates the structure

func (*BootGuard) ValidateKM 

func (b *BootGuard) ValidateKM() error

ValidateKM reads from a binary source, parses into the key manifest structure and validates the structure

func (*BootGuard) ValidateMEAgainstManifests 

func (b *BootGuard) ValidateMEAgainstManifests(fws *FirmwareStatus6) (bool, error)

ValidateMEAgainstManifests validates during runtime ME configuation with BootGuard KM & BPM manifests

func (*BootGuard) VerifyBPM 

func (b *BootGuard) VerifyBPM() error

VerifyBPM verifies a signed BPM

func (*BootGuard) VerifyKM 

func (b *BootGuard) VerifyKM() error

VerifyKM verifies a signed KM

func (*BootGuard) WriteBPM 

func (b *BootGuard) WriteBPM() ([]byte, error)

WriteBPM returns a boot policy manifest as byte slice

func (*BootGuard) WriteJSON 

func (b *BootGuard) WriteJSON(f *os.File) error

WriteJSON returns the entire VData structure in JSON format

func (*BootGuard) WriteKM 

func (b *BootGuard) WriteKM() ([]byte, error)

WriteKM returns a key manifest as bytes in format defined in #575623.

type CMOSIoAddress 

type CMOSIoAddress struct {
	MediaType            uint8
	IndexRegisterAddress uint16
	DataRegisterAddress  uint16
	BitFieldWidth        uint8
	BitFieldPosition     uint8
	IndexOffset          uint8
}

CMOSIoAddress holds information about the location of on-demand power down requests in CMOS. The structure is a substructure used in PowerDownRequest structure.

type FirmwareStatus1 added in v2.8.0 

type FirmwareStatus1 struct {
	WorkingState       uint32
	MfgMode            bool
	FPTBad             bool
	OperatingState     uint32
	FWInitComplete     bool
	FTBUPLoaded        bool
	FWUpdateInProgress bool
	ErrorCode          uint32
	OperatingMode      uint32
	ResetCount         uint32
	BootOptionPresent  bool
	BISTFinished       bool
	BISTTestState      bool
	BISTResetRequest   bool
}

func GetHFSTS1 added in v2.8.0 

func GetHFSTS1(hw hwapi.LowLevelHardwareInterfaces) (*FirmwareStatus1, error)

type FirmwareStatus6 

type FirmwareStatus6 struct {
	ForceACMBootPolicy                bool
	CPUDebugDisabled                  bool
	BSPInitDisabled                   bool
	ProtectBIOSEnvironment            bool
	BypassBootPolicy                  bool
	BootPolicyInvalid                 bool
	ErrorEnforcementPolicy            uint32
	MeasuredBootPolicy                bool
	VerifiedBootPolicy                bool
	ACMSVN                            uint32
	KMSVN                             uint32
	BPMSVN                            uint32
	KMID                              uint32
	BootPolicyManifestExecutionStatus bool
	Error                             bool
	BootGuardDisable                  bool
	FPFDisable                        bool
	FPFLock                           bool
	TXTSupported                      bool
}

func GetHFSTS6 added in v2.8.0 

func GetHFSTS6(hw hwapi.LowLevelHardwareInterfaces) (*FirmwareStatus6, error)

type IbbSegment 

type IbbSegment struct {
	Offset uint32 `json:"offset"` //
	Size   uint32 `json:"size"`   //
	Flags  uint16 `json:"flags"`  //
}

IbbSegment exports the struct of IBB Segments

type KeyHash 

type KeyHash struct {
	Usage     uint64         `json:"usage"`     //
	Hash      string         `json:"hash"`      //
	Algorithm cbnt.Algorithm `json:"algorithm"` //
}

KeyHash export for usage as cmd line argument type

type Pcr0Data 

type Pcr0Data struct {
	ACMPolicyStatus uint64
	ACMSVN          uint16
	ACMSignature    []byte
	KMSignature     []byte
	BPMSignature    []byte
	BPMIBBDigest    []byte
}

Pcr0Data represents the data hashed into PCR0 of the TPM by S-ACM

type Pcr7Data 

type Pcr7Data struct {
	ACMPolicyStatus uint64
	ACMSVN          uint16
	ACMKeyHash      [32]byte
	BPMKey          [32]byte
	BPMKeyHash      []byte
}

Pcr7Data represents the data hashed into PCR7 of the TPM by S-ACM optionally

type PowerDownRequest 

type PowerDownRequest struct {
	ID         uint64 `default:"0x5F5F504452535F5F"`
	Version    uint8  `default:"0x10"`
	SizeOfData uint16 `default:"0"`
	Reserved   uint8  `default:"0"`
	PDReqMedia []byte
}

PowerDownRequest holds information of the storage location for the on-demand power down variable. Field: PDReqMedia holds an union of 1 CMOSIoAddress or array of 1:3 TPMNvAddress

type TPMNvAddress 

type TPMNvAddress struct {
	MediaType        uint8
	NVIndex          uint32
	BitFieldWidth    uint8
	BitFieldPosition uint8
	IndexOffset      uint8
}

TPMNvAddress holds information about the location of on-demand power down requests in TPM NVRAM. The structure is a substructure used in PowerDownRequest structure.

type VersionedData 

type VersionedData struct {
	BGbpm   *bgbootpolicy.Manifest   `json:"v1-bootpolicy,omitempty"`
	BGkm    *bgkey.Manifest          `json:"v1-keymanifest,omitempty"`
	CBNTbpm *cbntbootpolicy.Manifest `json:"v2-bootpolicy,omitempty"`
	CBNTkm  *cbntkey.Manifest        `json:"v2-keymanifest,omitempty"`
}

Options contains all version bootguard options

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.