chore: add ukify Go script

This is a port of ukify.py and systemd-measure from systemd.

This requires no actual TPM to be present to calculate the PCR
signatures.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>

.dockerignore

@@ -14,3 +14,4 @@
 !prototool.yaml
 !README.md
 !CONTRIBUTING.md
+!_out/uki-certs

Dockerfile

@@ -29,6 +29,14 @@ FROM ghcr.io/siderolabs/grub:${PKGS} AS pkg-grub
 FROM --platform=amd64 ghcr.io/siderolabs/grub:${PKGS} AS pkg-grub-amd64
 FROM --platform=arm64 ghcr.io/siderolabs/grub:${PKGS} AS pkg-grub-arm64
 
+FROM ghcr.io/siderolabs/sd-stub:${PKGS} AS pkg-sd-stub
+FROM --platform=amd64 ghcr.io/siderolabs/sd-stub:${PKGS} AS pkg-sd-stub-amd64
+FROM --platform=arm64 ghcr.io/siderolabs/sd-stub:${PKGS} AS pkg-sd-stub-arm64
+
+FROM ghcr.io/siderolabs/sd-boot:${PKGS} AS pkg-sd-boot
+FROM --platform=amd64 ghcr.io/siderolabs/sd-boot:${PKGS} AS pkg-sd-boot-amd64
+FROM --platform=arm64 ghcr.io/siderolabs/sd-boot:${PKGS} AS pkg-sd-boot-arm64
+
 FROM --platform=amd64 ghcr.io/siderolabs/iptables:${PKGS} AS pkg-iptables-amd64
 FROM --platform=arm64 ghcr.io/siderolabs/iptables:${PKGS} AS pkg-iptables-arm64
 
@@ -91,6 +99,7 @@ FROM --platform=${BUILDPLATFORM} $IMPORTVET as importvet
 
 FROM --platform=${BUILDPLATFORM} $TOOLS AS tools
 ENV PATH /toolchain/bin:/toolchain/go/bin
+ENV LD_LIBRARY_PATH /toolchain/lib
 RUN ["/toolchain/bin/mkdir", "/bin", "/tmp"]
 RUN ["/toolchain/bin/ln", "-svf", "/toolchain/bin/bash", "/bin/sh"]
 RUN ["/toolchain/bin/ln", "-svf", "/toolchain/etc/ssl", "/etc/ssl"]
@@ -135,6 +144,15 @@ RUN --mount=type=cache,target=/.cache cd /go/src/github.com/siderolabs/structpro
     && go build -o structprotogen . \
     && mv structprotogen /toolchain/go/bin/
 COPY --from=importvet /importvet /toolchain/go/bin/importvet
+COPY ./hack/ukify /go/src/github.com/siderolabs/ukify
+RUN --mount=type=cache,target=/.cache \
+    --mount=type=bind,source=pkg,target=/go/src/github.com/pkg \
+    cd /go/src/github.com/siderolabs/ukify \
+    && CGO_ENABLED=1 go test ./... \
+    && go build -o gen-uki-certs ./gen-certs \
+    && CGO_ENABLED=1 go build -o ukify . \
+    && mv gen-uki-certs /toolchain/go/bin/ \
+    && mv ukify /toolchain/go/bin/
 
 # The build target creates a container that will be used to build Talos source
 # code.
@@ -444,7 +462,7 @@ COPY --from=talosctl-freebsd-arm64-build /talosctl-freebsd-arm64 /talosctl-freeb
 FROM scratch AS talosctl-windows-amd64
 COPY --from=talosctl-windows-amd64-build /talosctl-windows-amd64.exe /talosctl-windows-amd64.exe
 
-FROM --platform=${BUILDPLATFORM} talosctl-${TARGETOS}-${TARGETARCH} AS talosctl-platform
+FROM --platform=${BUILDPLATFORM} talosctl-${TARGETOS}-${TARGETARCH} AS talosctl-targetarch
 
 FROM scratch AS talosctl-all
 COPY --from=talosctl-linux-amd64 / /
@@ -843,7 +861,6 @@ FROM scratch AS integration-test-provision-linux
 COPY --from=integration-test-provision-linux-build /src/integration.test /integration-test-provision-linux-amd64
 
 # The module-sig-verify targets builds module-sig-verify binary.
-
 FROM build-go AS module-sig-verify-linux-build
 ARG GO_BUILDFLAGS
 ARG GO_LDFLAGS
@@ -857,8 +874,45 @@ RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64}
 FROM scratch AS module-sig-verify-linux
 COPY --from=module-sig-verify-linux-build /src/module-sig-verify/module-sig-verify /module-sig-verify-linux-amd64
 
-# The lint target performs linting on the source code.
+FROM --platform=${BUILDPLATFORM} tools AS gen-uki-certs
+RUN gen-uki-certs
 
+FROM scratch as uki-certs
+COPY --from=gen-uki-certs /_out /
+
+FROM --platform=${BUILDPLATFORM} tools AS uki-build-amd64
+WORKDIR /build
+COPY --from=pkg-sd-stub-amd64 / _out/
+COPY --from=pkg-sd-boot-amd64 / _out/
+COPY --from=pkg-kernel-amd64 /boot/vmlinuz _out/vmlinuz-amd64
+COPY --from=initramfs-archive-amd64 /initramfs.xz _out/initramfs-amd64.xz
+COPY _out/uki-certs _out/uki-certs
+RUN ukify
+
+FROM scratch AS uki-amd64
+COPY --from=uki-build-amd64 /build/_out/systemd-bootx64.efi.signed /systemd-bootx64.efi.signed
+COPY --from=uki-build-amd64 /build/_out/vmlinuz.efi /vmlinuz-amd64.signed.efi
+
+FROM --platform=${BUILDPLATFORM} tools AS uki-build-arm64
+WORKDIR /build
+COPY --from=pkg-sd-stub-arm64 / _out/
+COPY --from=pkg-sd-boot-arm64 / _out/
+COPY --from=pkg-kernel-arm64 /boot/vmlinuz _out/vmlinuz-arm64
+COPY --from=initramfs-archive-arm64 /initramfs.xz _out/initramfs-arm64.xz
+COPY _out/uki-certs _out/uki-certs
+RUN ukify \
+    -sd-stub _out/linuxaa64.efi.stub \
+    -sd-boot _out/systemd-bootaa64.efi \
+    -kernel _out/vmlinuz-arm64 \
+    -initrd _out/initramfs-arm64.xz
+
+FROM scratch AS uki-arm64
+COPY --from=uki-build-arm64 /build/_out/systemd-bootaa64.efi.signed /systemd-bootaa64.efi.signed
+COPY --from=uki-build-arm64 /build/_out/vmlinuz.efi /vmlinuz-arm64.signed.efi
+
+FROM --platform=${BUILDPLATFORM} uki-${TARGETARCH} AS uki
+
+# The lint target performs linting on the source code.
 FROM base AS lint-go
 COPY .golangci.yml .
 ENV GOGC 50
@@ -921,7 +975,7 @@ FROM base AS docs-build
 ARG TARGETOS
 ARG TARGETARCH
 WORKDIR /src
-COPY --from=talosctl-platform /talosctl-${TARGETOS}-${TARGETARCH} /bin/talosctl
+COPY --from=talosctl-targetarch /talosctl-${TARGETOS}-${TARGETARCH} /bin/talosctl
 RUN env HOME=/home/user TAG=latest /bin/talosctl docs --config /tmp \
     && env HOME=/home/user TAG=latest /bin/talosctl docs --cli /tmp
 COPY ./pkg/machinery/config/types/v1alpha1/schemas/ /tmp/schemas/

Makefile

@@ -13,7 +13,7 @@ DOCKER_LOGIN_ENABLED ?= true
 NAME = Talos
 
 ARTIFACTS := _out
-TOOLS ?= ghcr.io/siderolabs/tools:v1.5.0-alpha.0-11-g88ebb40
+TOOLS ?= ghcr.io/siderolabs/tools:v1.5.0-alpha.0-12-g150efc2
 PKGS ?= v1.5.0-alpha.0-20-g97177be
 EXTRAS ?= v1.5.0-alpha.0
 # renovate: datasource=github-tags depName=golang/go
@@ -285,7 +285,13 @@ talosctl-windows-amd64:
 	@$(MAKE) local-talosctl-windows-amd64 DEST=$(ARTIFACTS) PUSH=false NAME=Client
 
 talosctl:
-	@$(MAKE) local-talosctl-platform DEST=$(ARTIFACTS)
+	@$(MAKE) local-talosctl-targetarch DEST=$(ARTIFACTS)
+
+uki-certs:
+	@$(MAKE) local-uki-certs DEST=$(ARTIFACTS)/uki-certs
+
+uki:
+	@$(MAKE) local-uki DEST=$(ARTIFACTS)
 
 image-%: ## Builds the specified image. Valid options are aws, azure, digital-ocean, gcp, and vmware (e.g. image-aws)
 	@docker pull $(REGISTRY_AND_USERNAME)/imager:$(IMAGE_TAG)

go.work

@@ -7,5 +7,6 @@ use (
 	./hack/gotagsrewrite
 	./hack/module-sig-verify
 	./hack/structprotogen
+	./hack/ukify
 	./pkg/machinery
 )

hack/ukify/constants/constants.go

@@ -0,0 +1,49 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package constants
+
+type Section string
+
+const (
+	Linux   Section = ".linux"
+	OSRel   Section = ".osrel"
+	CMDLine Section = ".cmdline"
+	Initrd  Section = ".initrd"
+	Splash  Section = ".splash"
+	DTB     Section = ".dtb"
+	Uname   Section = ".uname"
+	PCRSig  Section = ".pcrsig"
+	PCRPKey Section = ".pcrpkey"
+)
+
+// derived from https://github.com/systemd/systemd/blob/main/src/fundamental/tpm-pcr.h#L23-L36
+// OrderedSections returns the sections that are measured into PCR
+// .pcrsig section is omitted here since that's what we are calulating here
+func OrderedSections() []Section {
+	// DO NOT REARRANGE
+	return []Section{Linux, OSRel, CMDLine, Initrd, Splash, DTB, Uname, PCRPKey}
+}
+
+type Phase string
+
+const (
+	EnterInitrd Phase = "enter-initrd"
+	LeaveInitrd Phase = "leave-initrd"
+	SysInit     Phase = "sysinit"
+	Ready       Phase = "ready"
+)
+
+// derived from https://github.com/systemd/systemd/blob/v253/src/boot/measure.c#L295-L308
+// ref: https://www.freedesktop.org/software/systemd/man/systemd-pcrphase.service.html#Description
+// OrderedPhases returns the phases that are measured
+func OrderedPhases() []Phase {
+	// DO NOT REARRANGE
+	return []Phase{EnterInitrd, LeaveInitrd, SysInit, Ready}
+}
+
+const (
+	// UKI sections except `.pcrsig` are measured into PCR 11 by sd-stub
+	UKIPCR = 11
+)

hack/ukify/gen-certs/main.go

@@ -0,0 +1,82 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// gen-certs is a tool to generate UKI signing keys and certificates.
+package main
+
+import (
+	"flag"
+	"log"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/siderolabs/crypto/x509"
+)
+
+func generateSigningCerts(path, prefix, commonName string) error {
+	currentTime := time.Now()
+
+	opts := []x509.Option{
+		x509.RSA(true),
+		x509.CommonName(commonName),
+		x509.NotAfter(currentTime.Add(24 * time.Hour)),
+		x509.NotBefore(currentTime),
+	}
+
+	signingKey, err := x509.NewSelfSignedCertificateAuthority(opts...)
+	if err != nil {
+		return err
+	}
+
+	if err = os.WriteFile(filepath.Join(path, prefix+"-signing-cert.pem"), signingKey.CrtPEM, 0o600); err != nil {
+		return err
+	}
+
+	if err = os.WriteFile(filepath.Join(path, prefix+"-signing-key.pem"), signingKey.KeyPEM, 0o600); err != nil {
+		return err
+	}
+
+	pemKey := x509.PEMEncodedKey{
+		Key: signingKey.KeyPEM,
+	}
+
+	privKey, err := pemKey.GetRSAKey()
+	if err != nil {
+		return err
+	}
+
+	if err = os.WriteFile(filepath.Join(path, prefix+"-signing-public-key.pem"), privKey.PublicKeyPEM, 0o600); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func run() error {
+	var outputPath string
+
+	flag.StringVar(&outputPath, "output-path", "_out", "path to output directory")
+	flag.Parse()
+
+	if err := os.MkdirAll(outputPath, 0o755); err != nil {
+		return err
+	}
+
+	if err := generateSigningCerts(outputPath, "uki", "Test UKI Signing Key"); err != nil {
+		return err
+	}
+
+	if err := generateSigningCerts(outputPath, "pcr", "Test PCR Signing Key"); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func main() {
+	if err := run(); err != nil {
+		log.Fatal(err)
+	}
+}

hack/ukify/go.mod

@@ -0,0 +1,29 @@
+module github.com/siderolabs/ukify
+
+go 1.20
+
+replace github.com/siderolabs/talos/pkg/machinery => ../../pkg/machinery
+
+require (
+	github.com/google/go-tpm v0.3.3
+	github.com/google/go-tpm-tools v0.3.12
+	github.com/saferwall/pe v1.4.2
+	github.com/siderolabs/crypto v0.4.0
+	github.com/siderolabs/go-procfs v0.1.1
+	github.com/siderolabs/talos v1.4.4
+	github.com/siderolabs/talos/pkg/machinery v1.4.4
+)
+
+require (
+	github.com/containerd/go-cni v1.1.9 // indirect
+	github.com/containernetworking/cni v1.1.2 // indirect
+	github.com/edsrzf/mmap-go v1.1.0 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
+	golang.org/x/net v0.9.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
+	google.golang.org/grpc v1.55.0 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
+)

hack/ukify/go.sum

@@ -0,0 +1,300 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/containerd/go-cni v1.1.9 h1:ORi7P1dYzCwVM6XPN4n3CbkuOx/NZ2DOqy+SHRdo9rU=
+github.com/containerd/go-cni v1.1.9/go.mod h1:XYrZJ1d5W6E2VOvjffL3IZq0Dz6bsVlERHbekNK90PM=
+github.com/containernetworking/cni v1.1.2 h1:wtRGZVv7olUHMOqouPpn3cXJWpJgM6+EUl31EQbXALQ=
+github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw=
+github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
+github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
+github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/edsrzf/mmap-go v1.1.0 h1:6EUwBLQ/Mcr1EYLE4Tn1VdW1A4ckqCQWZBw8Hr0kjpQ=
+github.com/edsrzf/mmap-go v1.1.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-sev-guest v0.6.1 h1:NajHkAaLqN9/aW7bCFSUplUMtDgk2+HcN7jC2btFtk0=
+github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI=
+github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw=
+github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo=
+github.com/google/go-tpm v0.3.3/go.mod h1:9Hyn3rgnzWF9XBWVk6ml6A6hNkbWjNFlDQL51BeghL4=
+github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0=
+github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4=
+github.com/google/go-tpm-tools v0.3.12 h1:hpWglH4RaZnGVbgOK3IThI5K++jnFvjQ94EIN34xrUU=
+github.com/google/go-tpm-tools v0.3.12/go.mod h1:2OtmyPGPuaWWIOjr+IDhNQb6t5njjbSmZtzc350Q6Ro=
+github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ=
+github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
+github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
+github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
+github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
+github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
+github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
+github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
+github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/saferwall/pe v1.4.2 h1:Vzustn1KS7uHvh6gpWfSlmgZbkWFNxEKHV0DOSuCV50=
+github.com/saferwall/pe v1.4.2/go.mod h1:SNzv3cdgk8SBI0UwHfyTcdjawfdnN+nbydnEL7GZ25s=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/siderolabs/crypto v0.4.0 h1:o1KIR1KyevUcY9nbJlSyQAj7+p+rveGGF8LjAAFMtjc=
+github.com/siderolabs/crypto v0.4.0/go.mod h1:itZpBsJ9i0aH8jiHAuSlKCal7hni7X1aDYo6vGVl5LY=
+github.com/siderolabs/go-procfs v0.1.1 h1:GkKjnDfFkupcuLN0w6A/Oy58/8FPAHcmlgiHIaw6M+g=
+github.com/siderolabs/go-procfs v0.1.1/go.mod h1:byGwc3MfF65wg1mz8t3qQ1zlrYhMngEYh1eDzaFAYq0=
+github.com/siderolabs/talos v1.4.4 h1:S09NZ+1lf81O2m3ui5C2e2s5eU1UaBH04tNj9HH4b/M=
+github.com/siderolabs/talos v1.4.4/go.mod h1:wHI43aCA5pf596PO/rOvtXS6hDDTgB1ffmuXDQRWfEU=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
+github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
+github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
+github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
+github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak=
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
+go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
+go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
+golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag=
+google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

hack/ukify/main.go

@@ -0,0 +1,308 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// ukify is a tool to generate UKI bundles from kernel/initramfs...
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"html/template"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	_ "embed"
+
+	"github.com/saferwall/pe"
+	"github.com/siderolabs/go-procfs/procfs"
+
+	"github.com/siderolabs/ukify/constants"
+	"github.com/siderolabs/ukify/measure"
+
+	talosconstants "github.com/siderolabs/talos/pkg/machinery/constants"
+	kernelpkg "github.com/siderolabs/talos/pkg/machinery/kernel"
+	"github.com/siderolabs/talos/pkg/version"
+)
+
+var (
+	//go:embed assets/sidero.bmp
+	splashBMP []byte
+)
+
+var (
+	sdStub         string
+	sdBoot         string
+	kernel         string
+	initrd         string
+	cmdline        string
+	signingKey     string
+	signingCert    string
+	pcrSigningKey  string
+	pcrPublicKey   string
+	pcrSigningCert string
+	output         string
+)
+
+func sbSign(input string) (string, error) {
+	out := input + ".signed"
+
+	if err := os.RemoveAll(out); err != nil {
+		return "", err
+	}
+
+	cmd := exec.Command("sbsign", "--key", signingKey, "--cert", signingCert, "--output", out, input)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	err := cmd.Run()
+
+	return out, err
+}
+
+type section struct {
+	name    constants.Section
+	file    string
+	measure bool
+	size    uint32
+	vma     uint32
+}
+
+func buildUKI(source, output string, sections []section) error {
+	peFile, err := pe.New(source, &pe.Options{Fast: true})
+	if err != nil {
+		return err
+	}
+
+	defer peFile.Close() //nolint: errcheck
+
+	if err = peFile.Parse(); err != nil {
+		return err
+	}
+
+	// find the first VMA address
+	lastSection := peFile.Sections[len(peFile.Sections)-1]
+
+	const alignment = 0xfff
+
+	baseVMA := lastSection.Header.VirtualAddress + lastSection.Header.VirtualSize
+	baseVMA = (baseVMA + alignment) &^ alignment
+
+	// calculate sections size and VMA
+	for i := range sections {
+		st, err := os.Stat(sections[i].file)
+		if err != nil {
+			return err
+		}
+
+		sections[i].size = uint32(st.Size())
+		sections[i].vma = baseVMA
+
+		baseVMA += sections[i].size
+		baseVMA = (baseVMA + alignment) &^ alignment
+	}
+
+	// create the output file
+	args := []string{}
+
+	for _, section := range sections {
+		args = append(args, "--add-section", fmt.Sprintf("%s=%s", section.name, section.file), "--change-section-vma", fmt.Sprintf("%s=0x%x", section.name, section.vma))
+	}
+
+	args = append(args, source, output)
+
+	cmd := exec.Command("objcopy", args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	return cmd.Run()
+}
+
+func Measure(tempDir, kernel, signingKey string, sections []section) ([]section, error) {
+	sectionsData := measure.SectionsData{}
+
+	for _, section := range sections {
+		if !section.measure {
+			continue
+		}
+
+		sectionsData[section.name] = section.file
+	}
+
+	// manually add the linux section
+	sectionsData[constants.Linux] = kernel
+
+	pcrpsigFile := filepath.Join(tempDir, "pcrpsig")
+
+	pcrData, err := measure.GenerateSignedPCR(sectionsData, signingKey)
+	if err != nil {
+		return nil, err
+	}
+
+	pcrSignatureData, err := json.Marshal(&pcrData)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = os.WriteFile(pcrpsigFile, pcrSignatureData, 0644); err != nil {
+		return nil, err
+	}
+
+	sections = append(sections, section{
+		name:    constants.PCRSig,
+		file:    pcrpsigFile,
+		measure: false,
+	})
+
+	return sections, nil
+}
+
+func run() error {
+	defaultCmdline := procfs.NewCmdline("")
+	defaultCmdline.Append(talosconstants.KernelParamPlatform, "metal")
+
+	if err := defaultCmdline.AppendAll(kernelpkg.DefaultArgs); err != nil {
+		return err
+	}
+
+	flag.StringVar(&sdStub, "sd-stub", "_out/linuxx64.efi.stub", "path to sd-stub")
+	flag.StringVar(&sdBoot, "sd-boot", "_out/systemd-bootx64.efi", "path to sd-boot")
+	flag.StringVar(&output, "output", "_out/vmlinuz.efi", "output path")
+	flag.StringVar(&kernel, "kernel", "_out/vmlinuz-amd64", "path to kernel image")
+	flag.StringVar(&initrd, "initrd", "_out/initramfs-amd64.xz", "path to initrd image")
+	flag.StringVar(&cmdline, "cmdline", defaultCmdline.String(), "kernel cmdline")
+	flag.StringVar(&signingKey, "signing-key-path", "_out/uki-certs/uki-signing-key.pem", "path to signing key")
+	flag.StringVar(&signingCert, "signing-cert-path", "_out/uki-certs/uki-signing-cert.pem", "path to signing cert")
+	flag.StringVar(&pcrSigningKey, "pcr-signing-key-path", "_out/uki-certs/pcr-signing-key.pem", "path to PCR signing key")
+	flag.StringVar(&pcrPublicKey, "pcr-public-key-path", "_out/uki-certs/pcr-signing-public-key.pem", "path to PCR public key")
+	flag.StringVar(&pcrSigningCert, "prc-signing-cert-path", "_out/uki-certs/pcr-signing-cert.pem", "path to PCR signing cert")
+	flag.Parse()
+
+	_, err := sbSign(sdBoot)
+	if err != nil {
+		return fmt.Errorf("failed to sign sd-boot: %w", err)
+	}
+
+	signedKernel, err := sbSign(kernel)
+	if err != nil {
+		return fmt.Errorf("failed to sign kernel: %w", err)
+	}
+
+	tempDir, err := os.MkdirTemp("", "ukify")
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		if err = os.RemoveAll(tempDir); err != nil {
+			log.Printf("failed to remove temp dir: %v", err)
+		}
+	}()
+
+	cmdlineFile := filepath.Join(tempDir, "cmdline")
+
+	if err = os.WriteFile(cmdlineFile, []byte(cmdline), 0o644); err != nil {
+		return err
+	}
+
+	unameFile := filepath.Join(tempDir, "uname")
+
+	if err = os.WriteFile(unameFile, []byte(talosconstants.DefaultKernelVersion), 0o644); err != nil {
+		return err
+	}
+
+	osReleaseFile := filepath.Join(tempDir, "os-release")
+
+	var buf bytes.Buffer
+
+	tmpl, err := template.New("").Parse(talosconstants.OSReleaseTemplate)
+	if err != nil {
+		return err
+	}
+
+	if err = tmpl.Execute(&buf, struct {
+		Name    string
+		ID      string
+		Version string
+	}{
+		Name:    version.Name,
+		ID:      strings.ToLower(version.Name),
+		Version: version.Tag,
+	}); err != nil {
+		return err
+	}
+
+	if err = os.WriteFile(osReleaseFile, buf.Bytes(), 0o644); err != nil {
+		return err
+	}
+
+	splashFile := filepath.Join(tempDir, "splash.bmp")
+
+	if err = os.WriteFile(splashFile, splashBMP, 0o644); err != nil {
+		return err
+	}
+
+	sections := []section{
+		{
+			name:    constants.OSRel,
+			file:    osReleaseFile,
+			measure: true,
+		},
+		{
+			name:    constants.CMDLine,
+			file:    cmdlineFile,
+			measure: true,
+		},
+		{
+			name:    constants.Initrd,
+			file:    initrd,
+			measure: true,
+		},
+		{
+			name:    constants.Splash,
+			file:    splashFile,
+			measure: true,
+		},
+		{
+			name:    constants.Uname,
+			file:    unameFile,
+			measure: true,
+		},
+		{
+			name:    constants.PCRPKey,
+			file:    pcrPublicKey,
+			measure: true,
+		},
+	}
+
+	// systemd-measure
+	if sections, err = Measure(tempDir, signedKernel, pcrSigningKey, sections); err != nil {
+		return err
+	}
+
+	// kernel is added last to account for decompression
+	sections = append(sections,
+		section{
+			name:    constants.Linux,
+			file:    signedKernel,
+			measure: true,
+		},
+	)
+
+	if err = os.RemoveAll(output); err != nil {
+		return err
+	}
+
+	return buildUKI(sdStub, output, sections)
+}
+
+func main() {
+	if err := run(); err != nil {
+		log.Fatal(err)
+	}
+}

hack/ukify/measure/measure.go

@@ -0,0 +1,259 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package measure
+
+import (
+	"crypto"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/google/go-tpm-tools/simulator"
+	"github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/tpmutil"
+
+	"github.com/siderolabs/ukify/constants"
+)
+
+type PCRData struct {
+	SHA1   []bankData `json:"sha1,omitempty"`
+	SHA256 []bankData `json:"sha256,omitempty"`
+	SHA384 []bankData `json:"sha384,omitempty"`
+	SHA512 []bankData `json:"sha512,omitempty"`
+}
+
+type bankData struct {
+	// list of PCR banks
+	PCRS []int `json:"pcrs"`
+	// Public key of the TPM
+	PKFP string `json:"pkfp"`
+	// Policy digest
+	POL string `json:"pol"`
+	// Signature of the policy digest in base64
+	SIG string `json:"sig"`
+}
+
+// signatureData returns the hashed signature digest and base64 encoded signature
+type signatureData struct {
+	Digest          string
+	SignatureBase64 string
+}
+
+// SectionData holds a map of Section to file path to the corresponding section
+type SectionsData map[constants.Section]string
+
+func calculatePCRBankData(pcr int, alg tpm2.Algorithm, sectionData SectionsData, privateKeyFile string) ([]bankData, error) {
+	rsaKey, err := parseRSAKey(privateKeyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	// get fingerprint of public key
+	pubKeyFingerprint := sha256.Sum256(x509.MarshalPKCS1PublicKey(&rsaKey.PublicKey))
+
+	sim, err := simulator.Get()
+	if err != nil {
+		return nil, fmt.Errorf("creating tpm2 simulator failed: %v", err)
+	}
+
+	defer sim.Close()
+
+	for _, section := range constants.OrderedSections() {
+		if file, ok := sectionData[section]; ok && file != "" {
+			if err := pcrExtent(sim, pcr, alg, append([]byte(section), 0)); err != nil {
+				return nil, err
+			}
+
+			sectionData, err := os.ReadFile(file)
+			if err != nil {
+				return nil, err
+			}
+
+			if err := pcrExtent(sim, pcr, alg, sectionData); err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	banks := make([]bankData, len(constants.OrderedPhases()))
+
+	for i, phase := range constants.OrderedPhases() {
+		if err := pcrExtent(sim, pcr, alg, []byte(phase)); err != nil {
+			return nil, err
+		}
+
+		sigData, err := calculateSignature(sim, rsaKey, pcr, alg)
+		if err != nil {
+			return nil, err
+		}
+
+		banks[i] = bankData{
+			PCRS: []int{pcr},
+			PKFP: hex.EncodeToString(pubKeyFingerprint[:]),
+			SIG:  sigData.SignatureBase64,
+			POL:  sigData.Digest,
+		}
+	}
+
+	return banks, nil
+}
+
+func parseRSAKey(key string) (*rsa.PrivateKey, error) {
+	keyData, err := os.ReadFile(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// convert private key to rsa.PrivateKey
+	rsaPrivateKeyBlock, _ := pem.Decode(keyData)
+	if rsaPrivateKeyBlock == nil {
+		return nil, err
+	}
+
+	rsaKey, err := x509.ParsePKCS1PrivateKey(rsaPrivateKeyBlock.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("parse private key failed: %v", err)
+	}
+
+	return rsaKey, nil
+}
+
+func calculateSignature(rw io.ReadWriter, rsaKey *rsa.PrivateKey, pcr int, alg tpm2.Algorithm) (*signatureData, error) {
+	pcrData, err := tpm2.ReadPCR(rw, pcr, alg)
+	if err != nil {
+		return nil, fmt.Errorf("reading pcr failed: %v", err)
+	}
+
+	pcrHash := sha256.Sum256(pcrData)
+
+	tpm2Session, _, err := tpm2.StartAuthSession(
+		rw,
+		tpm2.HandleNull,
+		tpm2.HandleNull,
+		make([]byte, 16),
+		nil,
+		tpm2.SessionTrial,
+		tpm2.AlgNull,
+		// session hash alorithm is always SHA256
+		tpm2.AlgSHA256,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	defer tpm2.FlushContext(rw, tpm2Session)
+
+	sel := tpm2.PCRSelection{
+		Hash: alg,
+		PCRs: []int{pcr},
+	}
+
+	if err := tpm2.PolicyPCR(rw, tpm2Session, pcrHash[:], sel); err != nil {
+		return nil, err
+	}
+
+	policyDigest, err := tpm2.PolicyGetDigest(rw, tpm2Session)
+	if err != nil {
+		return nil, err
+	}
+
+	policyDigestHashed, err := hashFromAlg(alg, policyDigest)
+	if err != nil {
+		return nil, err
+	}
+
+	sigHash, err := alg.Hash()
+	if err != nil {
+		return nil, err
+	}
+
+	// sign policy digest
+	signedData, err := rsaKey.Sign(nil, policyDigestHashed, sigHash)
+	if err != nil {
+		return nil, fmt.Errorf("signing failed: %v", err)
+	}
+
+	return &signatureData{
+		Digest:          hex.EncodeToString(policyDigest[:]),
+		SignatureBase64: base64.StdEncoding.EncodeToString(signedData),
+	}, nil
+}
+
+func hashFromAlg(alg tpm2.Algorithm, data []byte) ([]byte, error) {
+	signHash, err := alg.Hash()
+	if err != nil {
+		return nil, err
+	}
+
+	switch signHash.String() {
+	case crypto.SHA1.String():
+		digest := sha1.Sum(data)
+
+		return digest[:], nil
+	case crypto.SHA256.String():
+		digest := sha256.Sum256(data)
+
+		return digest[:], nil
+	case crypto.SHA384.String():
+		digest := sha512.Sum384(data)
+
+		return digest[:], nil
+	case crypto.SHA512.String():
+		digest := sha512.Sum512(data)
+
+		return digest[:], nil
+	}
+
+	return nil, fmt.Errorf("unsupported hash algorithm: %v", signHash)
+}
+
+// pcrExtent hashes the input and extends the PCR with the hash
+func pcrExtent(rw io.ReadWriter, pcr int, alg tpm2.Algorithm, data []byte) error {
+	// we can't use tpm2.Hash here since it's buffer size is too limited
+	// ref: https://github.com/google/go-tpm/blob/3270509f088425fc9499bc9b7b8ff0811119bedb/tpm2/constants.go#L47
+	digest, err := hashFromAlg(alg, data)
+	if err != nil {
+		return err
+	}
+
+	return tpm2.PCRExtend(rw, tpmutil.Handle(pcr), alg, digest, "")
+}
+
+func GenerateSignedPCR(sectionsData SectionsData, rsaKey string) (*PCRData, error) {
+	sha1BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.AlgSHA1, sectionsData, rsaKey)
+	if err != nil {
+		return nil, err
+	}
+
+	sha256BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.AlgSHA256, sectionsData, rsaKey)
+	if err != nil {
+		return nil, err
+	}
+
+	sha384BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.AlgSHA384, sectionsData, rsaKey)
+	if err != nil {
+		return nil, err
+	}
+
+	sha512BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.AlgSHA512, sectionsData, rsaKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PCRData{
+		SHA1:   sha1BankData,
+		SHA256: sha256BankData,
+		SHA384: sha384BankData,
+		SHA512: sha512BankData,
+	}, nil
+}

hack/ukify/measure/measure_test.go

@@ -0,0 +1,163 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package measure_test
+
+import (
+	"bytes"
+	"crypto/sha512"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	_ "embed"
+
+	"github.com/siderolabs/ukify/constants"
+	"github.com/siderolabs/ukify/measure"
+)
+
+const (
+	// ExpectedSignatureHex is generated by running main()
+	ExpectedSignatureHex = "12e432978d18c9f720b3fb922cab180ca025ecd5f918966d1f878ae93f1eedbc6b20885d5a9f1c4ffdd4bf2dc3c25dc1097b6c5109d9c9a90128eff20056ace7"
+)
+
+var (
+	//go:embed testdata/pcr-signing-key.pem
+	pcrSigningKeyPEM []byte
+)
+
+func TestMeasureMatchesExpectedOutput(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	sectionsData := measure.SectionsData{}
+
+	// create temporary files with the ordered section name and data as the section name
+	for _, section := range constants.OrderedSections() {
+		sectionFile := filepath.Join(tmpDir, string(section))
+
+		if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil {
+			t.Fatal(err)
+		}
+
+		sectionsData[section] = sectionFile
+	}
+
+	signingKey := filepath.Join(tmpDir, "pcr-signing-key.pem")
+
+	if err := os.WriteFile(signingKey, pcrSigningKeyPEM, 0o644); err != nil {
+		t.Fatal(err)
+	}
+
+	pcrData, err := measure.GenerateSignedPCR(sectionsData, signingKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pcrDataJSON, err := json.Marshal(&pcrData)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pcrDataJSONHash := sha512.Sum512(pcrDataJSON)
+
+	if hex.EncodeToString(pcrDataJSONHash[:]) != ExpectedSignatureHex {
+		t.Fatalf("expected: %v, got: %v", ExpectedSignatureHex, hex.EncodeToString(pcrDataJSONHash[:]))
+	}
+}
+
+func TestGenerateSignatureUsingSDMeasure(t *testing.T) {
+	if os.Getenv("UKIFY_TEST_USE_SDMEASURE") == "" {
+		t.Skip("skipping test that requires swtpm")
+	}
+
+	tmpDir, err := os.MkdirTemp("", "measure-testdata-gen")
+	if err != nil {
+		panic(err)
+	}
+
+	defer os.RemoveAll(tmpDir)
+
+	sectionsData := measure.SectionsData{}
+	sdMeasureArgs := make([]string, len(constants.OrderedSections()))
+
+	// create temporary files with the ordered section name and data as the section name
+	for i, section := range constants.OrderedSections() {
+		sectionFile := filepath.Join(tmpDir, string(section))
+
+		if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil {
+			panic(err)
+		}
+
+		sectionsData[section] = sectionFile
+		sdMeasureArgs[i] = fmt.Sprintf("--%s=%s", strings.TrimPrefix(string(section), "."), sectionFile)
+	}
+
+	// start swtpm simulator
+	tpmStateDir, err := os.MkdirTemp("", "swtpm-state")
+	if err != nil {
+		panic(err)
+	}
+
+	defer os.RemoveAll(tpmStateDir)
+
+	cmd := exec.Command(
+		"swtpm",
+		"socket",
+		"--tpmstate",
+		fmt.Sprintf("dir=%s", tpmStateDir),
+		"--ctrl",
+		"type=tcp,bindaddr=localhost,port=2322",
+		"--server",
+		"type=tcp,bindaddr=localhost,port=2321",
+		"--tpm2",
+		"--flags",
+		"not-need-init,startup-clear",
+	)
+
+	if err := cmd.Start(); err != nil {
+		panic(err)
+	}
+
+	defer cmd.Process.Kill()
+
+	time.Sleep(1 * time.Second)
+
+	signingKey := filepath.Join(tmpDir, "pcr-signing-key.pem")
+
+	if err := os.WriteFile(signingKey, pcrSigningKeyPEM, 0o644); err != nil {
+		panic(err)
+	}
+
+	var signature bytes.Buffer
+
+	sdCmd := exec.Command(
+		"systemd-measure",
+		append([]string{
+			"sign",
+			"--tpm2-device=swtpm:",
+			"--private-key",
+			signingKey,
+			"--json=short",
+		},
+			sdMeasureArgs...,
+		)...)
+
+	sdCmd.Stdout = &signature
+
+	if err := sdCmd.Run(); err != nil {
+		panic(err)
+	}
+
+	s := bytes.TrimSpace(signature.Bytes())
+
+	signatureHash := sha512.Sum512(s)
+
+	fmt.Println(hex.EncodeToString(signatureHash[:]))
+}

hack/ukify/measure/testdata/pcr-signing-key.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEA7qhAkdtZxqkIP79DDGin9eaJBeNlJsClJTcbaXbNfk2QJGT3
+lqo9ErXQQftwYWLGo+kVd8puhnHGPkLW9apT1/ZmUJEFwxV5xws0RllGVPhUga+1
+oubHUqhEiy707S4RrUEMk/o9wqmtnl2hY5FxMeQn2o7xrpcNhm8FtHpvQrT0MsbC
+1cS1ytZH/hwPy/QIB9bx+ugOha6wtQBnpgix1BhHC/NwDIYPg+ONpQSCu9gkXVtL
+GlKfmjscUANQtBuVKa5NflrjkHw7NAdKYdKpMnmzr0yu6Tn/2oNmUiJAwHz0BXpf
+b4Yn8n/IoKJQ5Tv1g6d30wxxpBd0lbwSe9MLRchIDJ5aFRybyRxaPGT17U3yEVzb
+V78kIFtocaqkc1ise8remZ0wxHzuolbTZD6oswt7C9jMLvfMAQ7JtENXrpDM//Xz
+dRLzyTWKOjhG0YmKKRY6cIrPkugM0PHGCE3RMSH1FmPMrWWBNAMwS0Zba0Wm1b7v
+dw5fKeE8txH+IpA3IaE9AytYk0ig98ZgmXmBV0sgxmJ/94scEF+sDg65LIkSEJMz
+f6q30UghbJJoP7eKOoDX9KBrR+POEsWm/EcU5jTEQTHMU+qKtj5KD6TUn8R8yi4w
+CnyZ7uJLUqm8Ou8MzEZWbrsrbMvrewPDAHn0QQvb2tDtBgn6oH192jpkzckCAwEA
+AQKCAgEAkiWcrPU7i+lVMNxqLb4lJPOQ83cmKU4Nk7WkZrgm7PKIk5D1AWGs1rla
+GB3m2uxHIncI+3uOpWwk71m1E2nDwFuWmj3E3otXMKnO0Em5RS1xap10SJa0dwyu
+NOGDgX8Vuhg8oJ28lmmb9X/25edZ/yhts2yX2ceMs8dnIfdcDOiNJk8LXycAAH+q
+RJVgoxAEnvBk7LaQthKdCap+znFCnNRlJY9lDXZHKAgAZI5XlLquwjC21B7GuAb8
+to7hK/o8JPMlZ3w3IPLCuoDAbxk3Hb7jZzU5Y39uC50t2pw5NOcP9A7VRJFOAzV3
+Yc8kZMyL85xpR2e2a7slXNB4LTW3D0zy/fSO63R9cLNrlp+I9p7xDgz1mylo8FoW
+T1TyNAWo/gIa7r43Ufp/C0lrWSd5gkz2nMVWiFl8M1lpx7zDSZk8U1sKzFZswmFQ
+h5On7kxo14gUdzogb1hrJuEI9Ke52kRb4YMm094LFI/BWQ89QF0NXJ6CSkb2MyWc
+f0kyfEMRUbmHi/EfpQlKK2uhOsxXdhZN2VP4nl1Yg0xxv0cLSMcP7DdJPso5VSC/
++wF8ni7+GMEDtntMEGjuXjq/zypyjptaRKpw4iRqxydUqa0C1PovzDoUDn7eKJBv
+2p9evDG8zWenZ7g/VYWy4ZtpwVa3SAXeeuLmdllphPp6n6uweFECggEBAPiSb2IY
+O33JRmxQeqrc6cmcv1l4AbedSr3F7X4DC+HZCkG27bZlzMBqbAQichC/pPhx544S
+CBxB7e1Qsqjw8LLNea0sQsRbVXMSQpwBqjJ2g4mCN4S/hPQHSeESODPz/OaZrQq5
+iVSckrAlbgFs8HepOLxTQQVVp97m+vrnwlh7SZj/CXXi5QcZ4tHPNTFLLtwCgBUA
+X0Ausn9hpeHrud8imzQuPXJRgBMaF0BYRUxj0fjp3sty2ZfjiPjhTrdSCWOiJUSb
+onDb6kyYwN/hBEt7JNbSbC7viOM72/TwJQqDn4Bw8C7E0kiy3ZpQiCdyOYWnyDZP
+SyDhAM4nHLNYss0CggEBAPXJ+DMmLCPkE5OOElxGU+JIPM28+5jhKn+HcswAS5VV
+6tp1m8gIrmgwTpXA9aGi9BjPHzo6y3s1sNYHp3lGr5nSdgQaYuLvBR56FE0RXVP7
+bUHiN//R7a8QTkyYCqdrQNxLAzEARBNZaMIhMPfPXDDevFZWunAxIDXxC9IVRpjS
+VjmKwqLuk66uInko4qEn34NiU25x+VpDOjz0fia58VTlL9WrYy0w/QANVlg1JKRq
+wjjx4kWnmCQ1qQeagB+xqJtrEc/GK4z6qY/OC0pKZA26t6sXhkmn0zQshmwSAZem
+/QtEW3lDmsfAlvEibJUSshXz3ygWz4v21nWocF4gXu0CggEBAPgwXf43686gVSx4
+/sHzaYrgcz5F0JEhACuToJmdORP7vX33xEnGQzYsDEXkjreiYnmeYXE9F9P/EC1P
+0dNVHz+oYcFC3DdqaltG9DMIhoN0ScnWttBY2cs+K8oKgwt8phspfdmjfzd4Tg6K
+kNfjigYwdHG1Psqwx7iMMDStiyMFlmqo2y1Vqw/4DL0ogxgA1XzfEjvl7zUKazc8
+rIBy+VeOGiFzue6W6aYo+uZIPIkVceVyvf2tYw2BJpY5gHsR8kYE8+kY7Ix7R+nK
+62meJsem4RWNbG9AxBD/B5P84z8oRO3d1jMcWko0LYeSuR+JsV1+NS3k5kKh5kfw
+TXvVKFECggEACMp4fhvXaFE4AgcK0RIS3f0Hb7Raq1UiV/1YNcOs8GJqS/X45Gar
+Fj7kEKceIfHaGSkPTN3deUKqWH1dmBDXJwFIB02KS+OQo05qe3crh11uwvR8XEH9
+5k0G/+ZQOzyyzS5BpvcDeE2yWX8maTaZbYYJ5myjrm+TX1qHubPZGo4rV1OHMpyl
+25GO2haERI9Qhzp1EXYyHPBanOOBv5DW+NpZo6LFoVAnPGE9vVnpPZgz6iV8mlEs
+N99TdFoqSvfnt+dUc8H6vMgaWHJeJQIUIgmTmCL3QpsmCq+s/yCFvg7S7hw7yVKJ
+rqtMusMobwyEIhTe3mgydCcX9I1Zt4Qg4QKCAQAnnNjOMflzEz+TvGNPUyVyzXef
+xRs2XBDipX/vPK7L3VvgiXGQuOAq4PYj7NdYHfIiVmFeqz7eY9gMmQyoscMwVPCm
+X+FuHepHXfcxUjQwnpFa/lAqpNxspgU09CQXW5hUkIdWblZePtRiGKvlo51CdzU5
+KlOylrIXl6opsApdrgSCduBtuR9uz2Cn3NiaG0Xe2x67VphclNaW+RATU4bUJEMn
+9aO8k+wp8CjlJ1xjSrhqIIBHGMmouyK5J0r3S3vRlTCLEjGpGq8+Z9shVkfuDk6N
+HOB2KZ1LN68eOYb4eZFKE+l2nGylFsHlOtkagX1IxtVoW+a5vDenGBNd+gC9
+-----END RSA PRIVATE KEY-----

internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go

@@ -370,15 +370,6 @@ func WriteIMAPolicy(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 	}, "writeIMAPolicy"
 }
 
-const osReleaseTemplate = `
-NAME="{{ .Name }}"
-ID={{ .ID }}
-VERSION_ID={{ .Version }}
-PRETTY_NAME="{{ .Name }} ({{ .Version }})"
-HOME_URL="https://www.talos.dev/"
-BUG_REPORT_URL="https://github.com/siderolabs/talos/issues"
-`
-
 // OSRelease renders a valid /etc/os-release file and writes it to disk. The
 // node's OS Image field is reported by the node from /etc/os-release.
 func OSRelease() (err error) {
@@ -408,7 +399,7 @@ func OSRelease() (err error) {
 		Version: v,
 	}
 
-	tmpl, err = template.New("").Parse(osReleaseTemplate)
+	tmpl, err = template.New("").Parse(constants.OSReleaseTemplate)
 	if err != nil {
 		return err
 	}

pkg/machinery/constants/constants.go

@@ -865,3 +865,12 @@ var DefaultDroppedCapabilities = map[string]struct{}{
 var UdevdDroppedCapabilities = map[string]struct{}{
 	"cap_sys_boot": {},
 }
+
+// OSReleaseTemplate is the template for /etc/os-release.
+const OSReleaseTemplate = `NAME="{{ .Name }}"
+ID={{ .ID }}
+VERSION_ID={{ .Version }}
+PRETTY_NAME="{{ .Name }} ({{ .Version }})"
+HOME_URL="https://www.talos.dev/"
+BUG_REPORT_URL="https://github.com/siderolabs/talos/issues"
+`