WIP: feat: support new CBNT version 2.1

go.mod

@@ -59,3 +59,5 @@ require (
 	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 )
+
+replace github.com/linuxboot/fiano => github.com/RiSKeD/fiano v0.0.0-20250725130044-792d7ab512a9

go.sum

@@ -85,6 +85,8 @@ github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0
 github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/RiSKeD/fiano v0.0.0-20250725130044-792d7ab512a9 h1:+sToE1ekU85Jrqa0LxY2Nm4c7qpeV/u940Kxywo5Mcw=
+github.com/RiSKeD/fiano v0.0.0-20250725130044-792d7ab512a9/go.mod h1:aB4kacPpV1iKDXueYEpSh4dQ5uRenDrUNnPBIaf2hvU=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g=
@@ -508,8 +510,6 @@ github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJ
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
 github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
-github.com/linuxboot/fiano v1.2.1-0.20250121191917-5620ca1697c5 h1:J/nKXBQztbBv/RBRzdfTGRyJEN2nd7JyQZHisobpaPE=
-github.com/linuxboot/fiano v1.2.1-0.20250121191917-5620ca1697c5/go.mod h1:aB4kacPpV1iKDXueYEpSh4dQ5uRenDrUNnPBIaf2hvU=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=

pkg/provisioning/bootguard/bootguard.go

@@ -175,7 +175,7 @@ func NewBPMAndKM(bpm io.ReadSeeker, km io.ReadSeeker) (*BootGuard, error) {
 	if err != nil {
 		return nil, err
 	}
-	if bpmV != kmV {
+	if bpmV != kmV && bpmV <= bgheader.Version20 {
 		return nil, fmt.Errorf("km and bpm version number differ")
 	}
 	b.Version = bpmV
@@ -192,6 +192,8 @@ func NewBPMAndKM(bpm io.ReadSeeker, km io.ReadSeeker) (*BootGuard, error) {
 			return nil, err
 		}
 	case bgheader.Version20:
+		fallthrough
+	case bgheader.Version21:
 		b.VData.CBNTbpm = cbntbootpolicy.NewManifest()
 		b.VData.CBNTkm = cbntkey.NewManifest()
 		_, err := b.VData.CBNTbpm.ReadFrom(bpm)
@@ -266,6 +268,8 @@ func (b *BootGuard) ValidateBPM() error {
 	case bgheader.Version10:
 		return b.VData.BGbpm.Validate()
 	case bgheader.Version20:
+		fallthrough
+	case bgheader.Version21:
 		return b.VData.CBNTbpm.Validate()
 	default:
 		return fmt.Errorf("ValidateBPM: can't identify bootguard header")