tcg


Constants

const (
	// EFI_LOAD_OPTION attribute bits (UEFI spec, "Load Options"). They live in
	// the Attributes field at the start of a Boot#### variable.
	LoadOptionActive      = (1 << 0) // LOAD_OPTION_ACTIVE: entry is bootable
	LoadOptionHidden      = (1 << 3) // LOAD_OPTION_HIDDEN: not shown in boot menus
	LoadOptionCategoryApp = (1 << 8) // LOAD_OPTION_CATEGORY_APP: an application, not a boot target

	// EFI device path node types/subtypes needed to walk a load option's FilePathList.
	MediaProtocolType       = 4    // Media Device Path node type
	EndOfPathType           = 0x7f // End of Hardware Device Path node type
	PiwgFirmwareFileSubType = 6    // Media subtype: PIWG Firmware File (names an FV file by GUID)

	// Size of the fixed prefix of the UEFI_VARIABLE_DATA event structure
	// (TCG PC Client PFP); the name and data that follow are variable-length:
	// EFI_GUID    VariableName;
	// UINT64      UnicodeNameLength;
	// UINT64      VariableDataLength;
	// CHAR16      UnicodeName[1];
	// INT8        VariableData[1];
	// The two length fields come from the event itself, so a parser must check
	// them against the size of the buffer it actually holds before reading the
	// name and data.
	UefiVariableDataMinSize = 16 + 8 + 8
)
// GPT constants (UEFI spec, "GUID Partition Table (GPT) Disk Layout").
const (
	PrimaryPartHeaderLBA  = 1                  // primary GPT header is at LBA 1; LBA 0 holds the protective MBR
	EfiPtabHeaderID       = 0x5452415020494645 // 'EFI PART' header signature as a little-endian uint64
	GptHeaderRevisionV1   = 0x00010000         // header revision 1.0
	LogicalBlockSize      = 512 // default GPT logical block size
	HeaderSize            = 92  // byte size of the defined header fields; the spec requires HeaderSize >= 92 and <= the logical block size
	MinPartitionEntrySize = 128 // smallest legal SizeOfPartitionEntry; the spec allows 128 * 2^n
)
// Slot indices for TDX measurement registers. PCR indices are mapped onto
// these slots as in the table below (UEFI Spec 2.10 Section 38.4.1); RTMR3
// and MRSEAM have no PCR equivalent.
const (
	MR_LEN       = 6 // number of register slots: MRTD, RTMR0..RTMR3, MRSEAM
	INDEX_MRTD   = 0 // MRTD (build-time TD measurement), takes the role of PCR0
	INDEX_RTMR0  = 1 // RTMR[0], takes the role of PCR1 and PCR7
	INDEX_RTMR1  = 2 // RTMR[1], takes the role of PCR2..PCR6
	INDEX_RTMR2  = 3 // RTMR[2], takes the role of PCR8..PCR15
	INDEX_RTMR3  = 4 // RTMR[3], no PCR mapping in the spec table
	INDEX_MRSEAM = 5 // Additional reference value, not part of UEFI spec
)

UEFI Spec 2.10 Section 38.4.1:

| TPM PCR Index | CC Measurement Register Index | TDX-measurement register |
|---|---|---|
| 0 | 0 | MRTD |
| 1, 7 | 1 | RTMR[0] |
| 2~6 | 2 | RTMR[1] |
| 8~15 | 3 | RTMR[2] |

// PI firmware file and section type codes (UEFI PI spec Vol. 3, Firmware File
// System) used when locating sections inside an OVMF firmware volume.
const (
	EFI_FV_FILETYPE_FIRMWARE_VOLUME_IMAGE = 0x0B // FFS file that wraps a nested firmware volume
	EFI_SECTION_COMPRESSION               = 0x01 // compressed encapsulation section
	EFI_SECTION_GUID_DEFINED              = 0x02 // GUID-defined encapsulation section (e.g. LZMA, see LzmaDecompressGuid)
	EFI_SECTION_FIRMWARE_VOLUME_IMAGE     = 0x17 // leaf section holding a firmware volume image
	EFI_SECTION_RAW                       = 0x19 // leaf section holding raw data
)

Variables

// Vendor and file GUIDs in the 16-byte on-disk EFI layout (Data1..Data3
// little-endian, Data4 in order). The textual forms below are the well-known
// values these byte strings decode to; confirm against the EDK2 sources.
var (
	// 8be4df61-93ca-11d2-aa0d-00e098032b8c: EFI_GLOBAL_VARIABLE, vendor GUID of BootOrder, Boot#### and SecureBoot/PK/KEK.
	EfiGlobalVariableGuid                  = [16]byte{0x61, 0xdf, 0xe4, 0x8b, 0xca, 0x93, 0xd2, 0x11, 0xaa, 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c}
	// d719b2cb-3d3a-4596-a3bc-dad00e67656f: EFI_IMAGE_SECURITY_DATABASE_GUID, vendor GUID of db and dbx.
	EfiImageSecurityDatabaseGuid           = [16]byte{0xcb, 0xb2, 0x19, 0xd7, 0x3a, 0x3d, 0x96, 0x45, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f}
	// 605dab50-e046-4300-abb6-3dd810dd8b23: vendor GUID under which shim stores SbatLevel (the shim lock GUID).
	EfiImageSecurityDatabase1SbatLevelGuid = [16]byte{0x50, 0xab, 0x5d, 0x60, 0x46, 0xe0, 0x00, 0x43, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23}
	// 7cb8bdc9-f8eb-4f34-aaea-3ee4af6516a1: FV name GUID of the OVMF DXEFV volume (presumably; confirm against OVMF's FDF).
	FvNameGuid                             = [16]byte{0xc9, 0xbd, 0xb8, 0x7c, 0xeb, 0xf8, 0x34, 0x4f, 0xaa, 0xea, 0x3e, 0xe4, 0xaf, 0x65, 0x16, 0xa1}
	// 462caa21-7614-4503-836e-8ab6f4662331: FFS file GUID, matches UiApp in MdeModulePkg (confirm).
	FileGuid                               = [16]byte{0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31}
)
// GUIDs compared against parsed firmware volume structures (as EfiGuid rather
// than raw bytes, so they can be passed to GuidsEqual).
var (
	// LZMA_CUSTOM_DECOMPRESS_GUID: SectionDefinitionGuid of an LZMA-compressed GUID-defined section.
	LzmaDecompressGuid      = EfiGuid{0xEE4E5898, 0x3914, 0x4259, [8]byte{0x9D, 0x6E, 0xDC, 0x7B, 0xD7, 0x94, 0x03, 0xCF}}
	// gUefiOvmfPkgPlatformInfoGuid: OVMF platform info HOB, relevant for the EFI handoff table (--efihob).
	OvmfPlatformInfoHobGuid = EfiGuid{0xdec9b486, 0x1f16, 0x47c7, [8]byte{0x8f, 0x68, 0xdf, 0x1a, 0x41, 0x88, 0x8b, 0xa5}}
	// EFI_FIRMWARE_FILE_SYSTEM2_GUID: expected FileSystemGuid of an FFSv2 firmware volume header.
	EfiFirmwareFfs2Guid     = EfiGuid{0x8c8ce578, 0x8a3d, 0x4f1c, [8]byte{0x99, 0x35, 0x89, 0x61, 0x85, 0xc3, 0x2d, 0xd3}}
)
var (
	// EFI_FVH_SIGNATURE is the ASCII signature of a firmware volume header;
	// the Signature uint32 field of EfiFirmwareVolumeHeader holds these four bytes.
	EFI_FVH_SIGNATURE = []byte("_FVH")
)
// Flags is the command-line interface of the tcg reference value tool. Each
// flag names one input artifact or option and its Usage string states which
// PCR (TPM) or measurement register (TDX) the artifact is measured into. The
// *Flag name constants are defined elsewhere in the package (not shown here);
// GetTcgConf reads these flags into a Conf.
var Flags = []cli.Flag{
	&cli.StringFlag{Name: ovmfFlag, Usage: "The filename of the OVMF.fd file to be measured into PCR0/MRTD"},
	&cli.StringFlag{Name: acpirsdpFlag, Usage: "Path to QEMU etc/acpi/rsdp file for PCR1/RTMR0"},
	&cli.StringFlag{Name: acpitablesFlag, Usage: "Path to QEMU etc/acpi/tables file for PCR1/RTMR0"},
	&cli.StringFlag{Name: tableloaderFlag, Usage: "Path to QEMU etc/table-loader file for PCR1/RTMR0"},
	&cli.StringFlag{Name: tpmlogFlag, Usage: "Path to QEMU etc/tpm/log file for PCR1/RTMR0"},
	&cli.StringFlag{Name: efihobFlag, Usage: "Path to an EFI handoff table optionally measured into PCR1"},
	&cli.StringFlag{Name: bootorderFlag, Usage: "Comma-separated list of UEFI boot order numbers to be measured into PCR1/RTMR0"},
	&cli.StringFlag{Name: bootxxxxFlag, Usage: "Comma-separated list of UEFI Boot#### variable data files to be measured into PCR1/RTMR0"},
	&cli.BoolFlag{Name: nobootvarsFlag, Usage: "Do not measure UEFI boot variables into PCR1/RTMR0"},
	&cli.StringFlag{Name: driversFlag, Usage: "Comma-separated list of driver EFI files (PE/COFF or Option ROM format) to be measured into PCR2"},
	&cli.StringFlag{Name: bootloadersFlag, Usage: "Comma-separated list of bootloader EFI images to be measured into PCR4/RTMR1"},
	&cli.StringFlag{Name: loaderConfsFlag, Usage: "Comma-separated list of bootloader configuration files to be measured into PCR5"},
	&cli.StringFlag{Name: kernelFlag, Usage: "Path to a direct boot kernel image (PE/COFF format) measured into PCR4/RTMR1"},
	&cli.StringFlag{Name: configFlag, Usage: "Path to kernel configuration file"},
	&cli.StringFlag{Name: initrdFlag, Usage: "The filename of the initrd/initramfs"},
	&cli.StringFlag{Name: cmdlineFlag, Usage: "Kernel commandline"},
	&cli.BoolFlag{Name: qemuFlag, Usage: "QEMU VM (appends initrd=initrd to kernel cmdline)"},
	// Default of 1: the firmware measures the cmdline including its terminating NUL.
	&cli.IntFlag{Name: addzerosFlag, Usage: "Add <num> trailing zeros to kernel cmdline", Value: 1},
	&cli.BoolFlag{Name: stripnewlineFlag, Usage: "Strip potential newline character from the cmdline"},
	&cli.StringFlag{Name: gptFlag, Usage: "Path to EFI GPT partition table file to be extended into PCR5/RTMR1"},
	// Secure boot variables: the firmware measures their data (not the authenticated
	// variable wrapper), so these files must hold the raw variable contents.
	&cli.StringFlag{Name: securebootFlag, Usage: "UEFI secure boot SecureBoot variable data file to be measured into PCR7/RTMR0"},
	&cli.StringFlag{Name: pkFlag, Usage: "UEFI secure boot Platform Key (PK) variable data file to be measured into PCR7/RTMR0"},
	&cli.StringFlag{Name: kekFlag, Usage: "UEFI secure boot Key Exchange Key (KEK) variable data file to be measured into PCR7/RTMR0"},
	&cli.StringFlag{Name: dbFlag, Usage: "UEFI secure boot DB variable data file to be measured into PCR7/RTMR0"},
	&cli.StringFlag{Name: dbxFlag, Usage: "UEFI secure boot DBX variable data file to be measured into PCR7/RTMR0"},
	&cli.StringFlag{Name: sbatlevelFlag, Usage: "SBAT level string for measuring DBX authority into PCR7"},
	// Dump folders are diagnostics only: they write out exactly the bytes that were hashed.
	&cli.StringFlag{Name: dumppeiFlag, Usage: "Optional path to folder to dump the measured PEIFV"},
	&cli.StringFlag{Name: dumpdxeFlag, Usage: "Optional path to folder to dump the measured DXEFV"},
	&cli.StringFlag{Name: dumpkernelFlag, Usage: "Optional path to folder to dump the measured kernel"},
	&cli.StringFlag{Name: dumpgptFlag, Usage: "Optional path to folder to dump the measured GPT"},
}

Functions

func CalculateAcpiTables added in v0.9.5

// CalculateAcpiTables computes the PCR1/RTMR0 contributions of the QEMU ACPI
// artifacts (acpiRspd, acpiTables, tableLoader and tpmLog are the file paths
// given via the --acpirsdp, --acpitables, --tableloader and --tpmlog flags).
// It presumably extends digest with each measurement for register index and
// appends the produced reference values to refvals, returning the updated
// digest and list; the exact event types used are not visible here.
func CalculateAcpiTables(alg crypto.Hash, ta TrustAnchor, digest []byte, refvals []*ar.ReferenceValue,
	index int, acpiRspd, acpiTables, tableLoader, tpmLog string,
) ([]byte, []*ar.ReferenceValue, error)

func CreateExtendRefval added in v0.9.5

// CreateExtendRefval builds one reference value of the given subtype and
// description for register idx from data and extends mrDigest with it using
// alg (the TPM/TDX extend operation, presumably hash(mrDigest || hash(data));
// confirm in the implementation). It returns the reference value and the new
// digest. Naming follows ta via TrustAnchor.RefvalString / IndexToMr.
func CreateExtendRefval(alg crypto.Hash, ta TrustAnchor, idx int, mrDigest, data []byte, subtype, desc string,
) (*ar.ReferenceValue, []byte, error)

func EfiSectionHeaderSize added in v0.9.5

// EfiSectionHeaderSize returns the number of header bytes preceding the data
// of section s. Per the PI spec a Size of 0xFFFFFF marks a large section with
// an additional 32-bit ExtendedSize, so this presumably returns 4 for a
// standard header and 8 for a large one — confirm in the implementation.
func EfiSectionHeaderSize(s *EfiCommonSectionHeader) int

func FindFfsSectionInSectionsOffset added in v0.9.5

// FindFfsSectionInSectionsOffset walks the section stream in sections and
// returns the byte offset of the first section whose Type equals sectionType,
// or an error if none is present. sections is taken from a firmware image
// supplied on the command line, so each header's 24-bit size must be checked
// against len(sections) during the walk (not visible here).
func FindFfsSectionInSectionsOffset(sections []byte, sectionType uint8) (uint64, error)

func GuidsEqual added in v0.9.5

// GuidsEqual reports whether the two GUIDs compare equal field by field.
func GuidsEqual(g1, g2 *EfiGuid) bool

func IndexToMr added in v0.9.5

// IndexToMr returns the register name for index under trust anchor ta: a PCR
// for TPM, or the MRTD/RTMR slot for TDX (see the INDEX_* constants and the
// PCR-to-register table above).
func IndexToMr(ta TrustAnchor, index int) string

func MeasureCmdline added in v0.9.5

// MeasureCmdline measures the kernel command line into register index and
// records it as an event of eventType: zeros trailing NUL bytes are appended
// (--addzeros), a trailing newline is removed first when stripLf is set
// (--stripnewline), and " initrd=initrd" is appended when appendInitrd is set
// (--qemu). Returns the extended digest and the grown refvals list. Whether
// the string is hashed as UCS-2 or as bytes is not visible here; compare
// MeasureCmdlineNarrow.
func MeasureCmdline(alg crypto.Hash, ta TrustAnchor, digest []byte, refvals []*ar.ReferenceValue,
	index int, cmdline, eventType string, zeros int, stripLf, appendInitrd bool,
) ([]byte, []*ar.ReferenceValue, error)

func MeasureCmdlineNarrow added in v0.9.5

// MeasureCmdlineNarrow is the counterpart of MeasureCmdline with the same
// parameters; by its name it presumably measures the command line as a narrow
// (8-bit) string rather than a UCS-2 one — confirm which boot path uses which.
func MeasureCmdlineNarrow(alg crypto.Hash, ta TrustAnchor, digest []byte,
	refvals []*ar.ReferenceValue, index int, cmdline, eventType string, zeros int, stripLf,
	appendInitrd bool,
) ([]byte, []*ar.ReferenceValue, error)

func MeasureEfiBootVars added in v0.9.5

// MeasureEfiBootVars measures the UEFI boot variables into register index:
// bootOrder holds the boot order numbers (--bootorder) and bootXxxx the paths
// of the Boot#### variable data files (--bootxxxx). The variables are
// presumably wrapped as UEFI_VARIABLE_DATA events under EfiGlobalVariableGuid
// (see UefiVariableDataMinSize). Returns the extended digest and refvals.
func MeasureEfiBootVars(alg crypto.Hash, ta TrustAnchor, digest []byte,
	refvals []*ar.ReferenceValue, index int, bootOrder []string, bootXxxx []string,
) ([]byte, []*ar.ReferenceValue, error)

func MeasureFile added in v0.9.5

// MeasureFile measures the contents of file into register index as an event
// of eventType and returns the extended digest together with refvals grown by
// the new reference value.
func MeasureFile(alg crypto.Hash, ta TrustAnchor, eventType string, digest []byte, refvals []*ar.ReferenceValue,
	index int, file string,
) ([]byte, []*ar.ReferenceValue, error)

func MeasureFiles added in v0.9.5

// MeasureFiles measures each path in files into register index in order
// (presumably one reference value per file, with an event type chosen
// internally) and returns the extended digest and grown refvals.
func MeasureFiles(alg crypto.Hash, ta TrustAnchor, digest []byte, refvals []*ar.ReferenceValue,
	index int, files []string,
) ([]byte, []*ar.ReferenceValue, error)

func MeasureGptFromFile added in v0.9.5

// MeasureGptFromFile reads the GPT from the raw disk image at path, hashes
// the measured table with h and returns the digest, a textual rendering of
// the header (presumably via WriteGptHeader — confirm), and an error. When
// dump is non-empty the measured bytes are written to that folder
// (--dumpgpt). The header comes from an untrusted file: its Signature,
// HeaderSize, CRC32 and NumberOfPartitionEntries*SizeOfPartitionEntry should
// be validated before the entry array is read (not visible here).
func MeasureGptFromFile(h hash.Hash, path, dump string) ([]byte, string, error)

MeasureGptFromFile reads the GPT table from a raw disk file and returns its hash, computed with the supplied hash.Hash (e.g. SHA-256). Only valid partitions (non-zero) are included.

func MeasureMoklists added in v0.9.5

// MeasureMoklists measures the given MOK list files into register index and
// returns the extended digest and grown refvals.
func MeasureMoklists(alg crypto.Hash, ta TrustAnchor, digest []byte, refvals []*ar.ReferenceValue,
	index int, moklists []string,
) ([]byte, []*ar.ReferenceValue, error)

func MeasureOvmf added in v0.9.5

// MeasureOvmf measures the OVMF firmware image at ovmfPath into register index
// (PCR0/MRTD per the --ovmf flag) and returns the extended digest and grown
// refvals. The firmware volume parsing uses the EfiFirmwareVolumeHeader,
// EfiFfsFileHeader and section types declared in this package.
func MeasureOvmf(alg crypto.Hash, ta TrustAnchor, digest []byte,
	refvals []*ar.ReferenceValue, index int, ovmfPath string,
) ([]byte, []*ar.ReferenceValue, error)

func MeasureSbatLevel added in v0.9.5

// MeasureSbatLevel measures the SBAT level read from sbatlevelPath into
// register index (PCR7 "DBX authority" per the --sbatlevel flag), presumably
// as a variable event under EfiImageSecurityDatabase1SbatLevelGuid. Returns
// the extended digest and grown refvals.
func MeasureSbatLevel(alg crypto.Hash, ta TrustAnchor, digest []byte,
	refvals []*ar.ReferenceValue, index int, sbatlevelPath string,
) ([]byte, []*ar.ReferenceValue, error)

func MeasureSecureBootVariables added in v0.9.5

// MeasureSecureBootVariables measures the secure boot policy variables into
// register index (PCR7/RTMR0): secureBoot, pk, kek, db and dbx are paths to
// the raw variable data files (--secureboot, --pk, --kek, --db, --dbx). The
// vendor GUIDs are EfiGlobalVariableGuid for SecureBoot/PK/KEK and
// EfiImageSecurityDatabaseGuid for db/dbx. Returns the extended digest and
// grown refvals.
func MeasureSecureBootVariables(alg crypto.Hash, ta TrustAnchor, digest []byte,
	refvals []*ar.ReferenceValue, index int, secureBoot, pk, kek, db, dbx string,
) ([]byte, []*ar.ReferenceValue, error)

func PrecomputeAggregatePcrValue added in v0.9.5

// PrecomputeAggregatePcrValue derives a single aggregate reference value from
// refvals (presumably the hash over the final values of all involved PCRs, as
// used by quote verification — confirm the PCR selection and order).
func PrecomputeAggregatePcrValue(refvals []*ar.ReferenceValue) (*ar.ReferenceValue, error)

func PrecomputeFinalPcrValues added in v0.9.5

// PrecomputeFinalPcrValues replays the extend sequence described by refvals
// and returns one reference value per register holding its expected final
// value (presumably; the output ordering is not visible here).
func PrecomputeFinalPcrValues(refvals []*ar.ReferenceValue) ([]*ar.ReferenceValue, error)

func PrepareKernel

// PrepareKernel applies the setup header fields in hdr to the kernel image
// bytes in place, presumably reproducing the patches a loader (e.g. OVMF's
// direct boot) makes before measuring the image, so that the hash matches the
// loaded kernel — confirm which fields are written. kernel must be at least
// large enough to hold the header (len >= 0x230 by the struct layout).
func PrepareKernel(kernel []byte, hdr *KernelSetupHdr) error

func PrintGptHeader added in v0.9.5

// PrintGptHeader prints the fields of hdr for diagnostics; see WriteGptHeader
// for the string form.
func PrintGptHeader(hdr *GptPartitionTableHeader)

func PrintGptPartitionEntry added in v0.9.5

// PrintGptPartitionEntry prints the fields of a single partition entry for
// diagnostics.
func PrintGptPartitionEntry(entry *EfiPartitionEntry)

func ReadStructAt added in v0.9.5

// ReadStructAt decodes one value of type T from r starting at offset into out
// (presumably via encoding/binary in the little-endian layout the EFI
// structures use — confirm). On error, including a short read at the end of
// a truncated image, the contents of out must not be used.
func ReadStructAt[T any](r io.ReaderAt, offset int64, out *T) error

func WriteGptHeader added in v0.9.5

// WriteGptHeader renders hdr as a human-readable string (the printable
// counterpart of PrintGptHeader).
func WriteGptHeader(hdr *GptPartitionTableHeader) string

Types

type Conf

// Conf holds the parsed command-line configuration of the tcg tool; each
// field corresponds to one entry of Flags (comma-separated flags become
// slices). Populated by GetTcgConf.
type Conf struct {
	Ovmf         string   // --ovmf: OVMF.fd measured into PCR0/MRTD
	AcpiRsdp     string   // --acpirsdp: QEMU etc/acpi/rsdp
	AcpiTables   string   // --acpitables: QEMU etc/acpi/tables
	TableLoader  string   // --tableloader: QEMU etc/table-loader
	TpmLog       string   // --tpmlog: QEMU etc/tpm/log
	EfiHob       string   // --efihob: EFI handoff table, optional
	BootOrder    []string // --bootorder: boot order numbers
	BootXxxx     []string // --bootxxxx: Boot#### variable data files
	NoBootVars   bool     // --nobootvars: skip boot variable measurement
	Drivers      []string // --drivers: driver EFI files for PCR2
	Bootloaders  []string // --bootloaders: bootloader images for PCR4/RTMR1
	LoaderConfs  []string // --loaderconfs: bootloader configuration files for PCR5
	Config       string   // --config: kernel configuration file (see LoadKernelSetupHeader)
	Kernel       string   // --kernel: direct boot kernel image (PE/COFF)
	Initrd       string   // --initrd: initrd/initramfs
	Cmdline      string   // --cmdline: kernel command line
	Qemu         bool     // --qemu: append initrd=initrd to the command line
	AddZeros     int      // --addzeros: trailing NULs appended to the command line (flag default 1)
	StripNewline bool     // --stripnewline: drop a trailing newline from the command line
	Gpt          string   // --gpt: GPT partition table file for PCR5/RTMR1
	SecureBoot   string   // --secureboot: SecureBoot variable data file
	Pk           string   // --pk: PK variable data file
	Kek          string   // --kek: KEK variable data file
	Db           string   // --db: db variable data file
	Dbx          string   // --dbx: dbx variable data file
	SbatLevel    string   // --sbatlevel: SBAT level string for PCR7
	DumpPei      string   // --dumppei: folder receiving the measured PEIFV (diagnostic)
	DumpDxe      string   // --dumpdxe: folder receiving the measured DXEFV (diagnostic)
	DumpKernel   string   // --dumpkernel: folder receiving the measured kernel (diagnostic)
	DumpGpt      string   // --dumpgpt: folder receiving the measured GPT (diagnostic)
}

func GetTcgConf

// GetTcgConf reads the flags declared in Flags from cmd and returns the
// resulting Conf, or an error if the flag values cannot be parsed (for
// example a malformed comma-separated list — the exact checks are not
// visible here).
func GetTcgConf(cmd *cli.Command) (*Conf, error)

func (*Conf) Print

// Print writes the configuration to the log/standard output for inspection.
func (c *Conf) Print()

type EfiCommonSectionHeader added in v0.9.5

// EfiCommonSectionHeader is EFI_COMMON_SECTION_HEADER from the PI spec: the
// 4-byte header that starts every FFS section.
type EfiCommonSectionHeader struct {
	Size [3]byte // 24-bit little-endian section size including this header; 0xFFFFFF marks a large section
	Type uint8   // one of the EFI_SECTION_* constants
}

type EfiFfsFileHeader added in v0.9.5

// EfiFfsFileHeader is EFI_FFS_FILE_HEADER from the PI spec, the 24-byte
// header that precedes every file inside a firmware volume.
type EfiFfsFileHeader struct {
	Name           EfiGuid // file GUID (compared against FileGuid)
	IntegrityCheck uint16  // header and file checksums
	Type           uint8   // one of the EFI_FV_FILETYPE_* constants
	Attributes     uint8   // FFS_ATTRIB_* bits
	Size           [3]byte // 24-bit little-endian file size including this header; must be bounds-checked against the volume
	State          uint8   // file state bits (EFI_FILE_* ), polarity depends on the FV's erase polarity attribute
}

type EfiFirmwareVolumeHeader added in v0.9.5

// EfiFirmwareVolumeHeader is the fixed part of EFI_FIRMWARE_VOLUME_HEADER
// (PI spec). The trailing block map is not included; see the note below.
type EfiFirmwareVolumeHeader struct {
	ZeroVector      [16]byte          // Reserved for processor reset vector
	FileSystemGuid  EfiGuid           // GUID of the firmware file system (expected EfiFirmwareFfs2Guid)
	FvLength        uint64            // Length of the complete firmware volume; validate against the image size before use
	Signature       uint32            // Set to EFI_FVH_SIGNATURE ("_FVH")
	Attributes      EfiFvgAttributes2 // Capabilities and power-on defaults
	HeaderLength    uint16            // Length of the firmware volume header, including the block map
	Checksum        uint16            // 16-bit checksum of the header
	ExtHeaderOffset uint16            // Offset of extended header, 0 if none
	Reserved        [1]byte           // Must be zero
	Revision        uint8             // Version, set to 2
}

EFI_FIRMWARE_VOLUME_HEADER without the trailing run-length encoded block map ([]EfiFvBlockMapEntry), which is terminated by a {0,0} entry and must be parsed dynamically.

type EfiFvBlockMapEntry added in v0.9.5

// EfiFvBlockMapEntry is one entry of the block map that follows
// EfiFirmwareVolumeHeader; the map ends with an entry whose both fields are 0.
// A parser should stop at HeaderLength as well, so a missing terminator in a
// malformed image cannot run it past the header.
type EfiFvBlockMapEntry struct {
	NumBlocks uint32 // Number of sequential blocks of the same size
	Length    uint32 // Size of the blocks
}

type EfiFvgAttributes2 added in v0.9.5

// EfiFvgAttributes2 is EFI_FVB_ATTRIBUTES_2, the attribute bit mask of a
// firmware volume header (the field also encodes the erase polarity that
// determines how file State bits are read).
type EfiFvgAttributes2 uint32

type EfiGuid added in v0.9.5

// EfiGuid is the EFI_GUID structure. Its on-disk form is 16 bytes with
// Data1..Data3 little-endian and Data4 in byte order; ParseGuid and Bytes
// convert between the two.
type EfiGuid struct {
	Data1 uint32
	Data2 uint16
	Data3 uint16
	Data4 [8]uint8
}

EfiGuid represents a GUID/UUID.

func ParseGuid added in v0.9.5

// ParseGuid decodes an EfiGuid from its 16-byte on-disk representation. The
// signature has no error return, so the caller is responsible for passing at
// least 16 bytes; behaviour on shorter input is not visible here.
func ParseGuid(data []byte) EfiGuid

func (EfiGuid) Bytes added in v0.9.5

// Bytes returns the 16-byte on-disk representation of guid (the inverse of
// ParseGuid).
func (guid EfiGuid) Bytes() []byte

func (EfiGuid) String added in v0.9.5

// String returns the textual xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx form of
// guid (presumably; the exact casing is not visible here).
func (guid EfiGuid) String() string

type EfiGuidDefinedSection added in v0.9.5

// EfiGuidDefinedSection is EFI_GUID_DEFINED_SECTION (PI spec): the header of
// an EFI_SECTION_GUID_DEFINED encapsulation section, e.g. an LZMA-compressed
// one whose SectionDefinitionGuid equals LzmaDecompressGuid.
type EfiGuidDefinedSection struct {
	CommonHeader          EfiCommonSectionHeader // Type is EFI_SECTION_GUID_DEFINED
	SectionDefinitionGuid EfiGuid                // identifies the encoding of the section data
	DataOffset            uint16                 // offset of the encoded data from the start of the section; must stay within the section size
	Attributes            uint16                 // EFI_GUIDED_SECTION_PROCESSING_REQUIRED / EFI_GUIDED_SECTION_AUTH_STATUS_VALID bits
}

type EfiLBA added in v0.9.5

// EfiLBA is a GPT logical block address, a 64-bit block index; multiply by
// LogicalBlockSize to get a byte offset.
type EfiLBA uint64

EfiLBA represents a Logical Block Address.

type EfiPartitionEntry added in v0.9.5

// EfiPartitionEntry is EFI_PARTITION_ENTRY, the 128-byte GPT partition entry.
// An entry whose PartitionTypeGUID is all zero is unused (see the
// MeasureGptFromFile note about skipping invalid partitions).
type EfiPartitionEntry struct {
	PartitionTypeGUID   EfiGuid    // GUID defining the type/purpose of the partition; zero GUID means unused entry
	UniquePartitionGUID EfiGuid    // Unique GUID for this partition
	StartingLBA         EfiLBA     // Starting LBA of the partition
	EndingLBA           EfiLBA     // Ending LBA of the partition (inclusive)
	Attributes          uint64     // Partition attribute bits (UEFI defined)
	PartitionName       [36]uint16 // UTF-16 partition name, NUL terminated
}

EfiPartitionEntry represents a single GPT partition entry.

type EfiTableHeader added in v0.9.5

// EfiTableHeader is EFI_TABLE_HEADER. For the GPT header the CRC32 covers
// HeaderSize bytes with this field zeroed; it should be verified before the
// rest of the header is trusted.
type EfiTableHeader struct {
	Signature  uint64 // 64-bit table type signature (EfiPtabHeaderID for GPT)
	Revision   uint32 // EFI spec revision (major:upper16, minor:lower16)
	HeaderSize uint32 // Size of the table including this header
	CRC32      uint32 // 32-bit CRC of the table
	Reserved   uint32 // Must be zero
}

EfiTableHeader represents the common header for all EFI tables.

type GptPartitionTableHeader added in v0.9.5

// GptPartitionTableHeader is the GPT header located at PrimaryPartHeaderLBA;
// its defined fields occupy HeaderSize (92) bytes. The entry array it
// describes is NumberOfPartitionEntries * SizeOfPartitionEntry bytes starting
// at PartitionEntryLBA; both counts are read from the image and should be
// checked against the file size before allocation and reading.
type GptPartitionTableHeader struct {
	Header                   EfiTableHeader // Table header (EFI_PTAB_HEADER_ID)
	MyLBA                    EfiLBA         // LBA of this header
	AlternateLBA             EfiLBA         // LBA of alternate GPT header
	FirstUsableLBA           EfiLBA         // First usable block for partitions
	LastUsableLBA            EfiLBA         // Last usable block for partitions
	DiskGUID                 EfiGuid        // Unique disk identifier
	PartitionEntryLBA        EfiLBA         // Starting LBA of partition entries
	NumberOfPartitionEntries uint32         // Number of partition entries
	SizeOfPartitionEntry     uint32         // Size of each partition entry (128 * 2^n), at least MinPartitionEntrySize
	PartitionEntryArrayCRC32 uint32         // CRC32 of partition entry array
}

GptPartitionTableHeader represents the GPT Partition Table Header.

type KernelSetupHdr

// KernelSetupHdr mirrors the tail of the Linux x86 boot protocol setup header
// (struct setup_header in the kernel's boot documentation) starting at byte
// offset 0x210 of the bzImage; the json tags suggest it is loaded from a JSON
// file via LoadKernelSetupHeader and applied to the image by PrepareKernel.
// Offsets in the comments follow the boot protocol.
type KernelSetupHdr struct {
	NotImplemented [0x210]uint8 `json:"notImplemented"` // bytes 0x000-0x20F, not modelled
	TypeOfLoader   uint8        `json:"typeOfLoader"`   // 0x210 type_of_loader
	LoadFlags      uint8        `json:"loadFlags"`      // 0x211 loadflags
	SetupMoveSize  uint16       `json:"setupMoveSize"`  // 0x212 setup_move_size
	Code32Start    uint32       `json:"code32Start"`    // 0x214 code32_start
	RamdiskImage   uint32       `json:"ramdiskImage"`   // 0x218 ramdisk_image
	RamdiskSize    uint32       `json:"ramdiskSize"`    // 0x21C ramdisk_size
	BootsectKludge uint32       `json:"bootsectKludge"` // 0x220 bootsect_kludge (obsolete)
	HeapEndPtr     uint16       `json:"heapEndPtr"`     // 0x224 heap_end_ptr
	ExtLoaderVer   uint8        `json:"extLoaderVer"`   // 0x226 ext_loader_ver
	ExtLoaderType  uint8        `json:"extLoaderType"`  // 0x227 ext_loader_type
	CmdLinePtr     uint32       `json:"cmdLinePtr"`     // 0x228 cmd_line_ptr
	RamdiskMax     uint32       `json:"ramdiskMax"`     // 0x22C initrd_addr_max
}

func LoadKernelSetupHeader

// LoadKernelSetupHeader reads the setup header values from the kernel
// configuration file config (--config); given the json tags on KernelSetupHdr
// this is presumably a JSON document — confirm the expected format.
func LoadKernelSetupHeader(config string) (*KernelSetupHdr, error)

type SecBootVariableType added in v0.9.5

// SecBootVariableType describes one UEFI variable to be measured as a
// UEFI_VARIABLE_DATA event (used for the secure boot and boot variables).
type SecBootVariableType struct {
	EventType    string   // TCG event type name recorded in the reference value
	VariableName string   // UEFI variable name, e.g. "PK" or "db" (presumably encoded as UCS-2 when measured)
	VendorGuid   [16]byte // vendor GUID in on-disk layout (EfiGlobalVariableGuid or EfiImageSecurityDatabaseGuid)
	Path         string   // file holding the raw variable data, from the corresponding flag
	Data         []byte   // variable data once loaded from Path
}

type TrustAnchor added in v0.9.5

// TrustAnchor selects which measurement technology the reference values and
// register names target. The zero value is deliberately not a valid anchor.
type TrustAnchor uint
const (
	TPM TrustAnchor = 1 + iota // TPM: registers are PCRs
	TDX                        // Intel TDX: registers are MRTD/RTMRs (see INDEX_*)
)

func (TrustAnchor) RefvalString added in v0.9.5

// RefvalString returns the identifier used for this trust anchor in
// reference values (presumably the ar.ReferenceValue type string — confirm).
func (t TrustAnchor) RefvalString() string
