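// Copyright 2017-2023 the LinuxBoot Authors. All rights reserved
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

//go:generate manifestcodegen

package bgkey

import (
	"bytes"
	"crypto"
	"fmt"

	"github.com/linuxboot/fiano/pkg/intel/metadata/bg"
)

// Manifest carries the fields of a Boot Guard Key Manifest: version and ID
// bytes, a security version number, the hash of the Boot Policy Manifest key
// (BPKey) and the manifest's own key and signature (KeyAndSignature).
//
// NOTE(review): the "PrettyString:" comment directly above the type and the
// struct tags are kept verbatim; they are presumably read by the
// manifestcodegen generator named in the go:generate directive — confirm
// before rewording them.

// PrettyString: BG Key Manifest
type Manifest struct {
	bg.StructInfo   `id:"__KEYM__" version:"0x10"`
	KMVersion       uint8            `json:"kmVersion"`
	KMSVN           bg.SVN           `json:"kmSVN"`
	KMID            uint8            `json:"kmID"`
	BPKey           bg.HashStructure `json:"kmBPKey"`
	KeyAndSignature bg.KeySignature  `json:"kmKeySignature"`
}

// SetSignature signs signedData with privKey using algo and stores the result
// in m.KeyAndSignature. The work is delegated to bg.KeySignature.SetSignature;
// its error is wrapped and returned, so callers can still unwrap the cause.
func (m *Manifest) SetSignature(
	algo bg.Algorithm,
	privKey crypto.Signer,
	signedData []byte,
) error {
	if err := m.KeyAndSignature.SetSignature(algo, privKey, signedData); err != nil {
		return fmt.Errorf("unable to set the signature: %w", err)
	}

	return nil
}

// ValidateBPMKey checks that the key in bpmKS is the one this Key Manifest
// authorises: it hashes the key material with m.BPKey.HashAlg and compares
// the digest with m.BPKey.HashBuffer. Only bg.AlgRSA keys are supported.
//
// A nil return means only that the key hash matches. This method verifies no
// signature: it checks neither the signature on the Key Manifest itself nor
// the one made with the BPM key, so callers that need the full chain must
// perform those checks separately.
//
// bpmKS is typically parsed from a firmware image and should be treated as
// untrusted input; malformed key data is reported as an error.
func (m *Manifest) ValidateBPMKey(bpmKS bg.KeySignature) error {
	// Number of leading bytes of Key.Data excluded from the hash.
	// NOTE(review): presumably the RSA public exponent stored ahead of the
	// modulus — confirm against the bg.Key layout.
	const rsaKeyDataPrefixLen = 4

	h, err := m.BPKey.HashAlg.Hash()
	if err != nil {
		return fmt.Errorf("invalid hash algo %v: %w", m.BPKey.HashAlg, err)
	}

	// The stored hash must have exactly the digest size of the declared
	// algorithm; otherwise the comparison below could never succeed.
	if len(m.BPKey.HashBuffer) != h.Size() {
		return fmt.Errorf("invalid hash lenght: actual:%d expected:%d", len(m.BPKey.HashBuffer), h.Size())
	}

	switch bpmKS.Key.KeyAlg {
	case bg.AlgRSA:
		// Key data shorter than the prefix would make the slice expression
		// below panic; reject it so a truncated or malformed manifest yields
		// an error instead of crashing the caller.
		if len(bpmKS.Key.Data) < rsaKeyDataPrefixLen {
			return fmt.Errorf("invalid RSA key data length: actual:%d expected at least:%d", len(bpmKS.Key.Data), rsaKeyDataPrefixLen)
		}
		if _, err := h.Write(bpmKS.Key.Data[rsaKeyDataPrefixLen:]); err != nil {
			return fmt.Errorf("unable to hash: %w", err)
		}
	default:
		return fmt.Errorf("unsupported key algorithm: %v", bpmKS.Key.KeyAlg)
	}
	digest := h.Sum(nil)

	// Both values are hashes of a public key, so a plain comparison is used.
	if !bytes.Equal(m.BPKey.HashBuffer, digest) {
		return fmt.Errorf("BPM key hash does not match the one in KM: actual:%X != in-KM:%X (hash algo: %v)", digest, m.BPKey.HashBuffer, m.BPKey.HashAlg)
	}

	return nil
}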