VerifiedBooter - NOT FOR MERGE

[zaolin]

• Adds verifiedbooter
• Allows booting in secure, measured or both modes.
• Makes use of boot config image format.
• Kexec support
• Seeds /dev/random for more boot entropy.

[insomniacslk]

I haven't actually reviewed pkg/verifiedbooter.go, just verifiedboot/main.go . That's because I'd split this PR in two parts, one where we implement the verifiedbooter command, and one where we implement the verified booting logic on top. I need to think more on how to plug verified booting on top of local/net booting (wrapper? embedding?) so let's speed up this PR and let's just do the verifiedboot command.

[insomniacslk]

I find counterintuitive that rebooting is a function of verbosity. I would leave Reboot: true in all cases, and add a -reboot-on-error flag that will flip this value.

Also please move the recoverer initialization outside of the if *doDebug check. Something like this:

recoverer = recovery.SecureRecoverer{
    Reboot: *doRebootOnError,
    Sync: false,
    Debug: *doDebug,
}
if *doDebug {
    debug = log.Printf
}

[zaolin]

partly done, let's fix that finally afterwards

[insomniacslk]

just one line is enough:

if err := rng.UpdateLinuxRandomness(recoverer); err != nil {
    ...
}

[insomniacslk]

In cases like this strings can be dangerous and inefficient to carry around, and they should just be a convention for a main package, not for a library (they are defined in pkg/booter). I would rather use a iota (similar, but not equal to an enum), or a bitmask, or even a lightweight struct with two methods, IsVerified and IsMeasured that will check the enum/bitmask (but this is probably overkill)

[zaolin]

okay let me think about it. Follow up

[insomniacslk]

maybe it's time to rename Recoverer to RecoveryHandler? :)

[zaolin]

yeah

[insomniacslk]

this should use path.Join too

[zaolin]

Done

[zaolin]

done

[insomniacslk]

path.Join here too

[zaolin]

done

[insomniacslk]

this should be bool. The JSON parser will take care of setting this appropriately for you

[zaolin]

Done

[insomniacslk]

I actually meant to change the name in the recovery package

[insomniacslk]

Will review the rest on Monday

[insomniacslk]

what about using Fiano's uuid package? I wrote that code originally, and it's equivalent in terms of features that we need, plus we have control over. Find it at https://github.com/linuxboot/fiano/tree/master/uuid .

[codecov-io]

Codecov Report

Merging #28 into master will increase coverage by 21%.
The diff coverage is 54.94%.

@@           Coverage Diff            @@
##           master      #28    +/-   ##
========================================
+ Coverage   18.64%   39.64%   +21%     
========================================
  Files          17       11     -6     
  Lines         751      570   -181     
========================================
+ Hits          140      226    +86     
+ Misses        591      291   -300     
- Partials       20       53    +33

Impacted Files	Coverage Δ
pkg/booter/bootentry.go	94.87% <100%> (+0.93%)	⬆️
pkg/bootconfig/parser.go	43.56% <43.56%> (ø)
pkg/booter/verifiedbooter.go	47.82% <47.82%> (ø)
pkg/crypto/ed25519.go	74% <74%> (ø)
localboot/bootconfig.go
pkg/recovery/securerecoverer.go
localboot/main.go
pkg/rng/entropy.go
pkg/recovery/permissiverecoverer.go
localboot/grub.go
... and 4 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0b3658e...2e5ee26. Read the comment docs.