Add method to validate signature of efi file

[Itxaka]

This seems rigth but needs testing. Also makes sense to have this in the sdk instead maybe?

Fixes kairos-io/kairos#2200

[codecov]

Codecov Report

Attention: Patch coverage is 52.68817% with 44 lines in your changes are missing coverage. Please review.

Project coverage is 54.71%. Comparing base (8646391) to head (e65d4d8).
Report is 12 commits behind head on main.

Files	Patch %	Lines
pkg/uki/common.go	58.33%	27 Missing and 8 partials ⚠️
pkg/uki/upgrade.go	0.00%	9 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #337      +/-   ##
==========================================
- Coverage   59.07%   54.71%   -4.37%     
==========================================
  Files          39       43       +4     
  Lines        4242     4670     +428     
==========================================
+ Hits         2506     2555      +49     
- Misses       1460     1831     +371     
- Partials      276      284       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Itxaka]

Seems to me like this has gottena bit big. Just to parse a couple of things, we need to bring a library for parsing pe files, so for me it makes more sense to have this in the sdk as a generic function that checks the signature validity instead of cluttering teh agent with this maybe... ?

[jimmykarily]

Some minor wording suggestions in tests. Other than that looks good. I agree that it feels better suited for the sdk (not that it makes any difference regarding library imports and such).

[Itxaka]

Seems to be working with a proper EFI:

2024-05-20T13:29:21Z INF Copying ttl.sh/kairosupgrade:latest source to /efi
2024-05-20T13:29:47Z INF Finished copying ttl.sh/kairosupgrade:latest into /efi
2024-05-20T13:29:47Z INF Checking artifact for valid signature what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:29:47Z DBG Reading artifact what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:29:47Z DBG Parsing PE artifact what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:29:47Z DBG Checking if its an EFI file what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:29:47Z DBG Getting DB certs what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:29:47Z DBG Getting signatures from artifact what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:29:47Z DBG Getting DBX certs what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:29:47Z DBG checking signature subject=ITXAKA what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:29:47Z INF verified subject=ITXAKA what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:29:48Z DBG Conf file /efi/loader/entries/passive.conf has values map[string]string{
  "efi": "/EFI/kairos/active.efi",

[Itxaka]

certs in the machine DB:

root@localhost:~# mokutil --db
[key 1]
SHA1 Fingerprint: a3:d8:33:c9:02:af:6a:a2:65:34:71:14:d5:0c:a4:9c:62:d7:87:b2
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:24:ee:5f:00:53:3e:94:1a:03:18:31:32:c8:2c:63:3e:0b:94:4b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ITXAKA
        Validity
            Not Before: Apr 26 08:11:52 2024 GMT
            Not After : Apr 26 08:11:52 2025 GMT
        Subject: CN=ITXAKA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

[Itxaka]

Artifact checks out, signed by my default test key

root@localhost:~# sbverify /efi/EFI/kairos/active.efi --list
signature 1
image signature issuers:
 - /CN=ITXAKA
image signature certificates:
 - subject: /CN=ITXAKA

[Itxaka]

Now testing with an upgrade image signed with a different key (generic one created on the fly during artifact build):

$ sbverify --list EFI/kairos/norole.efi 
signature 1
image signature issuers:
 - /CN=Test
image signature certificates:
 - subject: /CN=Test
   issuer:  /CN=Test

Check fails as expected:

2024-05-20T13:38:40Z INF Copying ttl.sh/kairosupgrade2:latest source to /efi
2024-05-20T13:39:07Z INF Finished copying ttl.sh/kairosupgrade2:latest into /efi
2024-05-20T13:39:07Z INF Checking artifact for valid signature what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:39:07Z DBG Reading artifact what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:39:07Z DBG Parsing PE artifact what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:39:07Z DBG Checking if its an EFI file what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:39:07Z DBG Getting DB certs what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:39:07Z DBG Getting signatures from artifact what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:39:07Z DBG Getting DBX certs what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:39:07Z DBG checking signature subject=ITXAKA what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:39:07Z DBG checking signature subject="Microsoft Corporation UEFI CA 2011" what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:39:07Z DBG checking signature subject="Microsoft Windows Production PCA 2011" what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:39:07Z ERR Checking signature error="not ok"
2024-05-20T13:39:07Z DBG Mounting partition COS_GRUB
1 error occurred:
	* not ok

Need to fix the error message though as its pretty crude LOL

[Itxaka]

New error message a bit more extensive

2024-05-20T13:44:57Z INF Copying ttl.sh/kairosupgrade2:latest source to /efi
2024-05-20T13:45:29Z INF Finished copying ttl.sh/kairosupgrade2:latest into /efi
2024-05-20T13:45:29Z INF Checking artifact for valid signature what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:45:29Z DBG Reading artifact what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:45:29Z DBG Parsing PE artifact what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:45:29Z DBG Checking if its an EFI file what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:45:30Z DBG Getting DB certs what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:45:30Z DBG Getting signatures from artifact what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:45:30Z DBG Getting DBX certs what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:45:30Z DBG checking signature subject=ITXAKA what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:45:30Z DBG checking signature subject="Microsoft Corporation UEFI CA 2011" what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:45:30Z DBG checking signature subject="Microsoft Windows Production PCA 2011" what=/efi/EFI/Kairos/norole.efi
2024-05-20T13:45:30Z ERR Checking signature before upgrading error="could not find a signature in EFIVars DB that matches the upgrade artifact"
2024-05-20T13:45:30Z WRN Upgrade artifact signature does not match, upgrading to this source would result in an unbootable active system
Check the upgrade source and confirm that its signed with a valiod key, that key is in the machine DB and it has not been blacklisted.