Overview ¶
Package secureboot implements SEC-007 Secure Boot Integration.
Provides a verification chain from bootloader to SOC binary:
- Binary signature verification (Ed25519; TrustedKey.Algorithm also names "rsa", but no RSA key type or RSA signing entry point is exposed anywhere on this page, so treat RSA as unsupported until confirmed)
- Chain-of-trust validation
- Boot attestation report generation
- Integration with TPM PCR values for measured boot
Usage:
verifier := secureboot.NewVerifier()
verifier.AddTrustedKey(trustedKey)                          // NewVerifier takes no keys; register each one explicitly
verifier.RegisterSignature(hash, signature, trustedKey.ID)  // hash and signature as returned by SignBinary
result := verifier.VerifyBinary("/usr/local/bin/soc-ingest")
if !result.Valid { ... }
Index ¶
- func ExportAttestation(a BootAttestation) ([]byte, error)
- func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey)
- func SignBinary(path string, privateKey ed25519.PrivateKey) (hash string, signature string, err error)
- type BinaryRecord
- type BinarySignature
- type BootAttestation
- type SignatureStore
- type TrustedKey
- type Verifier
- func NewVerifier() *Verifier
- func (v *Verifier) AddTrustedKey(key TrustedKey)
- func (v *Verifier) GenerateAttestation(nodeID string, binaryPaths map[string]string) BootAttestation
- func (v *Verifier) RegisterSignature(hash, signature, keyID string)
- func (v *Verifier) Stats() VerifierStats
- func (v *Verifier) VerifyBinary(path string) VerifyResult
- type VerifierStats
- type VerifyResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ExportAttestation ¶
func ExportAttestation(a BootAttestation) ([]byte, error)
ExportAttestation serializes an attestation to JSON. The output is not signed or otherwise integrity-protected by this function (BootAttestation carries no signature, nonce or quote field), so a relying party cannot tell a genuine report from one fabricated by a compromised node unless the transport or a TPM quote provides that binding.
func GenerateKeyPair ¶
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey)
GenerateKeyPair creates a new Ed25519 key pair for binary signing. Note that the signature returns no error, so a failure of the system randomness source cannot be reported to the caller; confirm whether the implementation panics or silently returns unusable keys before relying on it. Signing keys should be generated and kept on an offline signing host, not on the node that runs the Verifier.
func SignBinary ¶
func SignBinary(path string, privateKey ed25519.PrivateKey) (hash string, signature string, err error)
SignBinary signs the file at path with privateKey and returns the file's hex digest (presumably the same SHA-256 that VerifyResult.BinaryHash reports) together with the hex-encoded Ed25519 signature; err is non-nil if the file cannot be read or signing fails. The returned hash and signature are the values RegisterSignature expects.
Types ¶
type BinaryRecord ¶
// BinaryRecord is a single binary in the boot chain, one per entry of the
// report produced by Verifier.GenerateAttestation.
type BinaryRecord struct {
	// Name is the logical name of the binary — presumably the key of the
	// binaryPaths map given to GenerateAttestation; confirm against the caller.
	Name string `json:"name"`
	// Path is the filesystem path that was hashed.
	Path string `json:"path"`
	// Hash is the hex digest of the file contents. VerifyResult.BinaryHash is
	// documented as SHA-256, so this is assumed to be the same digest.
	Hash string `json:"hash"`
	// Signed presumably reports whether a signature was on record for Hash.
	Signed bool `json:"signed"`
	// KeyID names the trusted key that signed the binary; omitted from JSON
	// when empty (e.g. for an unsigned binary).
	KeyID string `json:"key_id,omitempty"`
	// Verified reports whether verification succeeded. Consumers should treat
	// Signed && !Verified as a tamper signal, not as a transient state.
	Verified bool `json:"verified"`
}
BinaryRecord is a single binary in the boot chain.
type BinarySignature ¶
// BinarySignature is a stored signature for a binary.
type BinarySignature struct {
	// Hash is the hex digest of the signed file; it is also the key under
	// which SignatureStore indexes this record.
	Hash string `json:"hash"`
	// Signature is the hex-encoded Ed25519 signature (see SignBinary).
	Signature string `json:"signature"` // hex-encoded
	// KeyID references TrustedKey.ID of the key that produced Signature.
	KeyID string `json:"key_id"`
	// SignedAt is a string, unlike the time.Time timestamps elsewhere in this
	// package; its format is not specified on this page — confirm before
	// parsing or comparing it.
	SignedAt string `json:"signed_at"`
}
BinarySignature is a stored signature for a binary.
type BootAttestation ¶
// BootAttestation is a measured boot report.
//
// NOTE(review): the struct has no signature, nonce or TPM-quote field, so a
// report is self-asserted — a compromised node can emit a clean one. Bind it
// to a TPM quote over PCRValues with a verifier-supplied nonce, or sign it,
// before trusting it across a network boundary.
type BootAttestation struct {
	// NodeID identifies the reporting host (the nodeID given to
	// GenerateAttestation).
	NodeID string `json:"node_id"`
	// Timestamp is when the report was generated.
	Timestamp time.Time `json:"timestamp"`
	// Binaries holds one record per binary that was checked.
	Binaries []BinaryRecord `json:"binaries"`
	// ChainValid is the chain-of-trust verdict for the whole report.
	ChainValid bool `json:"chain_valid"`
	// AllVerified presumably is true only when every entry in Binaries has
	// Verified set; how it relates to ChainValid is not visible here.
	AllVerified bool `json:"all_verified"`
	// PCRValues carries TPM PCR readings, keyed by PCR name/index as a string;
	// omitted from JSON when empty. Without an accompanying quote these are
	// just values the node claims to have read.
	PCRValues map[string]string `json:"pcr_values,omitempty"`
}
BootAttestation is a measured boot report.
type SignatureStore ¶
// SignatureStore maps binary hashes to their signatures.
//
// The zero value has a nil map; writing to it panics, so construct it with
// make before use. It is JSON-tagged and therefore presumably persisted; if it
// is loaded from disk, keep the file root-owned and read-only to the service.
// An attacker who can add entries still needs a signature from a trusted key
// to pass verification, but can trivially cause denial of service.
type SignatureStore struct {
	// Signatures is keyed by the hex digest (BinarySignature.Hash) of the
	// signed file.
	Signatures map[string]BinarySignature `json:"signatures"`
}
SignatureStore maps binary hashes to their signatures.
type TrustedKey ¶
// TrustedKey represents a public key in the trust chain.
type TrustedKey struct {
	// ID is the identifier that signatures reference (BinarySignature.KeyID)
	// and that VerifyResult.TrustedKey reports.
	ID string `json:"id"`
	// Algorithm names the key type. The trailing comment allows "rsa", but
	// PublicKey below is an ed25519.PublicKey and no RSA type appears in this
	// API; treat anything other than ed25519 as unsupported until confirmed.
	Algorithm string `json:"algorithm"` // ed25519, rsa
	// PublicKey is the parsed key used for verification. It is excluded from
	// JSON; PublicHex is the serialized form.
	PublicKey ed25519.PublicKey `json:"-"`
	// PublicHex is the hex encoding of the public key.
	// NOTE(review): nothing on this page shows PublicKey being rebuilt from
	// PublicHex after JSON decoding — confirm, or a key loaded from JSON has a
	// nil PublicKey and verifies nothing.
	PublicHex string `json:"public_hex"`
	// Purpose scopes what the key is meant to sign. Whether VerifyBinary
	// rejects a config_signing key for binaries is not visible here — confirm,
	// because without that check Purpose is documentation only.
	Purpose string `json:"purpose"` // binary_signing, config_signing
	// AddedAt records when the key entered the trust set.
	AddedAt time.Time `json:"added_at"`
}
TrustedKey represents a public key in the trust chain.
type Verifier ¶
// Verifier validates the boot chain of SOC binaries. All state is unexported:
// construct it with NewVerifier, add keys with AddTrustedKey and signatures
// with RegisterSignature. Whether the hidden state is safe for concurrent
// VerifyBinary/RegisterSignature calls is not visible from this page.
type Verifier struct {
	// contains filtered or unexported fields
}
Verifier validates the boot chain of SOC binaries.
func NewVerifier ¶
func NewVerifier() *Verifier
NewVerifier creates a new binary verifier with an empty trusted-key set (the constructor takes no arguments); register keys with AddTrustedKey before calling VerifyBinary, otherwise nothing can verify.
func (*Verifier) AddTrustedKey ¶
func (v *Verifier) AddTrustedKey(key TrustedKey)
AddTrustedKey registers a public key for binary verification. The trusted-key set is the root of trust for every later verdict, so populate it only from an authenticated source (e.g. keys baked into the image or a signed configuration), never from the same untrusted channel the binaries arrive on. Whether key.Purpose is enforced at verification time is not visible on this page.
func (*Verifier) GenerateAttestation ¶
func (v *Verifier) GenerateAttestation(nodeID string, binaryPaths map[string]string) BootAttestation
GenerateAttestation creates a boot attestation report for all SOC binaries.
func (*Verifier) RegisterSignature ¶
func (v *Verifier) RegisterSignature(hash, signature, keyID string)
RegisterSignature stores a known-good signature for a binary hash, attributing it to the trusted key keyID. This is a write into the verifier's trust state: confine it to the code path that loads the vetted signature store, not to request handlers. A bogus entry should still fail Ed25519 verification against the trusted key, but whether keyID is checked against the trusted-key set at registration time is not visible here.
func (*Verifier) VerifyBinary ¶
func (v *Verifier) VerifyBinary(path string) VerifyResult
VerifyBinary checks the file at path against the trust chain and reports the outcome in a VerifyResult; callers should gate on Valid, not on SignatureOK or ChainValid alone. Because the check is keyed by a path, the hash covers the file contents at call time only: verifying a path and then executing it later leaves a substitution (TOCTOU) window that this API cannot close by itself, so keep the binary directory root-owned and immutable to the service, or verify as close to exec as possible.
type VerifierStats ¶
// VerifierStats tracks verification metrics. Verifier.Stats returns it by
// value; if the hidden fields include a sync.Mutex that copy trips go vet's
// copylocks check — confirm against the source.
type VerifierStats struct {
	// TotalVerifications counts every VerifyBinary call; presumably equals
	// Passed + Failed.
	TotalVerifications int64 `json:"total_verifications"`
	// Passed counts verifications that returned Valid.
	Passed int64 `json:"passed"`
	// Failed counts verifications that did not.
	Failed int64 `json:"failed"`
	// LastVerification is the time of the most recent check; zero if none.
	LastVerification time.Time `json:"last_verification"`
	// StartedAt is when the verifier was created.
	StartedAt time.Time `json:"started_at"`
	// contains filtered or unexported fields
}
VerifierStats tracks verification metrics.
type VerifyResult ¶
// VerifyResult holds the outcome of a binary verification.
type VerifyResult struct {
	// Valid is the overall verdict and the only field callers should gate on
	// (see the package usage example).
	Valid bool `json:"valid"`
	// BinaryPath is the path that was verified.
	BinaryPath string `json:"binary_path"`
	// BinaryHash is the hex SHA-256 of the file contents at verification time.
	BinaryHash string `json:"binary_hash"` // SHA-256
	// SignatureOK reports whether the registered signature verified.
	SignatureOK bool `json:"signature_ok"`
	// ChainValid presumably reports whether the signing key is in the trusted
	// set; how Valid is derived from SignatureOK and ChainValid is not shown
	// on this page.
	ChainValid bool `json:"chain_valid"`
	// TrustedKey is the ID of the key that signed the binary; omitted from
	// JSON when no trusted key matched.
	TrustedKey string `json:"trusted_key,omitempty"` // Key ID that signed
	// Error carries a human-readable failure reason; omitted on success.
	// Do not branch on its text — use Valid.
	Error string `json:"error,omitempty"`
	// VerifiedAt is when the check ran.
	VerifiedAt time.Time `json:"verified_at"`
}
VerifyResult holds the outcome of a binary verification.