sbctl: include db_additions inn config file

Foxboron · Foxboron · commit 48a3109c7fed · 2024-07-31T23:40:06.000+02:00
Signed-off-by: Morten Linderud &lt;morten@linderud.pw&gt;
diff --git a/cmd/sbctl/enroll-keys.go b/cmd/sbctl/enroll-keys.go
@@ -3,6 +3,7 @@ package main
 import (
 	"errors"
 	"fmt"
+	"slices"
 	"strings"
 
 	"github.com/foxboron/go-uefi/efi/signature"
@@ -294,6 +295,15 @@ func RunEnrollKeys(state *config.State) error {
 	if len(enrollKeysCmdOptions.BuiltinFirmwareCerts) >= 1 {
 		oems = append(oems, "firmware-builtin")
 	}
+
+	if len(state.Config.DbAdditions) != 0 {
+		for _, k := range state.Config.DbAdditions {
+			if !slices.Contains(oems, k) {
+				oems = append(oems, k)
+			}
+		}
+	}
+
 	if !enrollKeysCmdOptions.IgnoreImmutable && enrollKeysCmdOptions.Export.Value == "" {
 		if err := sbctl.CheckImmutable(state.Fs); err != nil {
 			return err
diff --git a/cmd/sbctl/setup.go b/cmd/sbctl/setup.go
@@ -55,6 +55,7 @@ func PrintConfig(state *config.State) error {
 			return err
 		}
 		state.Config.Keys = kh.GetConfig(state.Config.Keydir)
+		state.Config.DbAdditions = sbctl.GetEnrolledVendorCerts()
 	}
 
 	// Setup the files
diff --git a/config/config.go b/config/config.go
@@ -52,14 +52,14 @@ func (k *Keys) GetKeysConfigs() []*KeyConfig {
 // Note: Anything serialized as part of this struct will end up in a public
 // debug dump at some point, probably.
 type Config struct {
-	Landlock   bool          `json:"landlock"`
-	Keydir     string        `json:"keydir"`
-	GUID       string        `json:"guid"`
-	FilesDb    string        `json:"files_db"`
-	BundlesDb  string        `json:"bundles_db"`
-	VendorKeys []string      `json:"vendor_keys,omitempty"`
-	Files      []*FileConfig `json:"files,omitempty"`
-	Keys       *Keys         `json:"keys"`
+	Landlock    bool          `json:"landlock"`
+	Keydir      string        `json:"keydir"`
+	GUID        string        `json:"guid"`
+	FilesDb     string        `json:"files_db"`
+	BundlesDb   string        `json:"bundles_db"`
+	DbAdditions []string      `json:"db_additions,omitempty"`
+	Files       []*FileConfig `json:"files,omitempty"`
+	Keys        *Keys         `json:"keys"`
 }
 
 func (c *Config) GetGUID(vfs afero.Fs) (*util.EFIGUID, error) {
diff --git a/config/config_test.go b/config/config_test.go
@@ -11,7 +11,7 @@ keydir: /etc/sbctl/keys
 guid: /var/lib/sbctl/GUID
 files_db: /var/lib/sbctl/files.db
 bundles_db: /var/lib/sbctl/bundles.db
-vendor_keys:
+db_additions:
   - microsoft
 files:
   - path: /boot/vmlinuz-linux-lts
diff --git a/docs/sbctl.conf.5.txt b/docs/sbctl.conf.5.txt
@@ -56,6 +56,12 @@ Options
     +
     Default: true
 
+*db_additions:* [ options... ]
+    Include additional keys or checksums into the authorization database for
+    Secure Boot. These values are synonymous with the flags passed to *sbctl enroll-keys*.
+    +
+    Valid values: microsoft, tpm-eventlog, firmware-builtin, custom
+
 *files:* [ [*path:* /path/to/file *output:* /path/to/output ], ... ]::
     A list of files sbctl will sign upon setup. It will be used to seed the
     files_db during initial setup.
@@ -117,6 +123,8 @@ An example of a /etc/sbctl/sbctl.conf file with the default values.
     files_db: /var/lib/sbctl/files.json
     bundles_db: /var/lib/sbctl/bundles.json
     landlock: true
+    db_additions:
+    - microsoft
     files:
     - path: /boot/vmlinuz-linux
       output: /boot/vmlinuz-linux

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,7 @@ func PrintConfig(state *config.State) error {`
`55`	`55`	`return err`
`56`	`56`	`}`
`57`	`57`	`state.Config.Keys = kh.GetConfig(state.Config.Keydir)`
	`58`	`+ state.Config.DbAdditions = sbctl.GetEnrolledVendorCerts()`
`58`	`59`	`}`
`59`	`60`
`60`	`61`	`// Setup the files`