From 216236c1eb622a04322ab1e3826d519271025f89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mika=C3=ABl=20Cluseau?=
Date: Sun, 6 Jul 2025 11:11:36 +0200
Subject: [PATCH] sign bootstrap.tar content
---
 cmd/dkl-local-server/bootv2.go | 61 ++++++++++++++++++++++++++++++++--
 1 file changed, 58 insertions(+), 3 deletions(-)
diff --git a/cmd/dkl-local-server/bootv2.go b/cmd/dkl-local-server/bootv2.go
index cb7160f..9f33c8f 100644
--- a/cmd/dkl-local-server/bootv2.go
+++ b/cmd/dkl-local-server/bootv2.go
@@ -2,6 +2,8 @@ package main
 import (
 "archive/tar"
+ "bytes"
+ "crypto"
 "encoding/json"
 "fmt"
 "io"
@@ -93,13 +95,47 @@ func buildBootstrap(out io.Writer, ctx *renderContext) (err error) {
 arch := tar.NewWriter(out)
 defer arch.Close()
+ ca, err := getUsableClusterCA(ctx.Host.ClusterName, "boot-signer")
+ if err != nil {
+ return
+ }
+ signer, err := ca.ParseKey()
+ if err != nil {
+ return
+ }
+
+ hash := crypto.SHA512
+
+ sign := func(name string, digest []byte) (err error) {
+ sigBytes, err := signer.Sign(nil, digest, hash)
+ if err != nil {
+ err = fmt.Errorf("signing to %s failed: %w", name, err)
+ return err
+ }
+
+ if err = arch.WriteHeader(&tar.Header{
+ Name: name,
+ Size: int64(len(sigBytes)),
+ Mode: 0o644,
+ }); err != nil {
+ return
+ }
+
+ _, err = io.Copy(arch, bytes.NewReader(sigBytes))
+ return
+ }
+
 // config
 cfgBytes, cfg, err := ctx.Config()
 if err != nil {
 return err
 }
- err = arch.WriteHeader(&tar.Header{Name: "config.yaml", Size: int64(len(cfgBytes))})
+ err = arch.WriteHeader(&tar.Header{
+ Name: "config.yaml",
+ Size: int64(len(cfgBytes)),
+ Mode: 0o600,
+ })
 if err != nil {
 return
 }
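Review bot: `sigBytes, err := signer.Sign(nil, digest, hash)` in the `sign` closure passes a nil random source, so whether this works depends on the key type `ca.ParseKey()` hands back: Ed25519 and RSA PKCS#1 v1.5 ignore the reader, but an ECDSA key reads from it and panics on Go versions that predate the deterministic nil-rand fallback. Unless deterministic signatures are a requirement, pass `rand.Reader` from `crypto/rand` (one new import), i.e. `sigBytes, err := signer.Sign(rand.Reader, digest, hash)`, and state the supported key types in a comment on the closure. Separately, the signing key is a cluster CA key (`getUsableClusterCA(..., "boot-signer")`); if that key also issues certificates, a dedicated signing key or leaf certificate would keep the two purposes and their rotation apart — I cannot tell from this diff whether "boot-signer" is already such a dedicated CA. The body of buildBootstrap continues past the end of this hunk.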
@@ -109,10 +145,19 @@ func buildBootstrap(out io.Writer, ctx *renderContext) (err error) { return } + { + h := hash.New() + h.Write(cfgBytes) + err = sign("config.yaml.sig", h.Sum(nil)) + if err != nil { + return + } + } + // layers for _, layer := range cfg.Layers { if layer == "modules" { - continue // modules are with the kernel in boot v2 + continue // modules are in the initrd with boot v2 } layerVersion := ctx.Host.Versions[layer] @@ -137,14 +182,24 @@ func buildBootstrap(out io.Writer, ctx *renderContext) (err error) { return err } + h := hash.New() + reader := io.TeeReader(f, h) + if err = arch.WriteHeader(&tar.Header{ Name: layer + ".fs", Size: stat.Size(), + Mode: 0o600, }); err != nil { return err } - _, err = io.Copy(arch, f) + _, err = io.Copy(arch, reader) + if err != nil { + return err + } + + digest := h.Sum(nil) + err = sign(layer+".fs.sig", digest) if err != nil { return err }
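Review bot: The digest signed into `config.yaml.sig` covers only `cfgBytes`, so the signature says nothing about which entry, host or cluster the config belongs to; any config.yaml/config.yaml.sig pair produced by the same signer for another host of the cluster would verify equally well inside this host's bootstrap. If the verifier is meant to reject such substitution, feed a domain-separation prefix into the hash before the payload, e.g. `h.Write([]byte("config.yaml\x00"))` followed by a host identifier taken from `ctx.Host`, and mirror the same prefix on the verifying side (not part of this diff). A one-line comment above the anonymous block, `// detached signature over config.yaml, written as config.yaml.sig`, would also make the intent of the bare braces obvious. This hunk sits inside buildBootstrap, whose start and end are outside it.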
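Review bot: The per-layer signature written as `layer+".fs.sig"` binds the digest to nothing but the bytes of the stream, so a validly signed older `layer.fs`/`.sig` pair, or the pair belonging to a different layer, can be dropped into the tar in its place without the verifier noticing — a rollback or mix-and-match rather than a forgery. Since `layerVersion` is already in scope in this loop, hashing the layer name and version ahead of the payload (for example `h.Write([]byte(layer + ".fs\x00" + layerVersion + "\x00"))` right before `io.TeeReader(f, h)`, assuming `layerVersion` is a string) would close that gap, provided the verifier is updated to hash the same prefix. The hashing itself looks sound: `io.TeeReader` makes the digest cover exactly the bytes copied into the entry, and a mismatch against `stat.Size()` should surface as an error from `io.Copy` or from the next `WriteHeader` inside `sign`. The enclosing for loop begins outside this hunk.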