On Mon, Jul 14, 2025 at 11:04:53PM +0530, Sudhakar Kuppusamy wrote:
> Add infrastructure to allow firmware to verify the integrity of GRUB
> by use of a Linux-kernel-module-style appended signature. We initially
> target powerpc-ieee1275, but the code should be extensible to other
> platforms.
>
> Usually these signatures are appended to a file without modifying the
> ELF file itself. (This is what the 'sign-file' tool does, for example.)
> The verifier loads the signed file from the file system and looks at the
> end of the file for the appended signature. However, on powerpc-ieee1275
> platforms, the bootloader is often stored directly in the PReP partition
> as raw bytes without a file-system. This makes determining the location
> of an appended signature more difficult.
>
> To address this, we add a new ELF note.
>
> The name field of shall be the string "Appended-Signature", zero-padded
> to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
> for the string "ASig"). It must be the final section in the ELF binary.
>
> The description shall contain the appended signature structure as defined
> by the Linux kernel. The description will also be padded to be a multiple
> of 4 bytes. The padding shall be added before the appended signature
> structure (not at the end) so that the final bytes of a signed ELF file
> are the appended signature magic.
>
> A subsequent patch documents how to create a GRUB core.img validly signed
> under this scheme.
>
> Signed-off-by: Rashmica Gupta <rashmic...@gmail.com>
> Signed-off-by: Daniel Axtens <d...@axtens.net>
> Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
> Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>

Daniel
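The note layout described in the quoted commit message, shown as a bounds-checked locator for the signature blob. This is an added example, not code from the patch or from GRUB. It assumes a big-endian note header, a namesz that counts the terminating NUL, and the Linux kernel's 12-byte struct module_signature followed by its 28-byte magic string; the function name asig_note_locate and the error codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NOTE_NAME "Appended-Signature"            /* from the commit message */
#define NOTE_TYPE 0x41536967u                     /* "ASig" */
#define MAGIC     "~Module signature appended~\n" /* Linux kernel magic */
#define MAGIC_LEN 28u
#define HDR_LEN   12u /* struct module_signature; its last 4 bytes are be32 sig_len */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* buf[0..len) is the note through the end of the image (assumed big-endian).
 * Returns 0 and the signature blob's offset/length in buf, or a negative error. */
int asig_note_locate(const uint8_t *buf, size_t len, size_t *sig_off, size_t *sig_len) {
    if (len < 12) return -1;
    uint32_t namesz = be32(buf), descsz = be32(buf + 4), type = be32(buf + 8);
    size_t name_end = 12 + ((sizeof(NOTE_NAME) + 3u) & ~(size_t)3u);
    if (type != NOTE_TYPE) return -2;
    /* Assumption: namesz counts the terminating NUL, per ELF convention. */
    if (namesz != sizeof(NOTE_NAME) || name_end > len) return -3;
    if (memcmp(buf + 12, NOTE_NAME "\0", name_end - 12) != 0) return -3;
    /* Description is a multiple of 4 and the note is the last thing in the image. */
    if (descsz % 4 != 0 || descsz != len - name_end || descsz < HDR_LEN + MAGIC_LEN) return -4;
    if (memcmp(buf + len - MAGIC_LEN, MAGIC, MAGIC_LEN) != 0) return -5;
    uint32_t slen = be32(buf + len - MAGIC_LEN - 4);
    if (slen > descsz - HDR_LEN - MAGIC_LEN) return -6;
    /* Padding sits before the signature structure and can only be 0..3 bytes. */
    size_t pad = descsz - HDR_LEN - MAGIC_LEN - slen;
    if (pad > 3) return -7;
    *sig_off = name_end + pad;
    *sig_len = slen;
    return 0;
}

int main(void) {
    uint8_t note[80] = {0}; /* constructed sample: 3 pad + 5 sig + 12 hdr + 28 magic */
    size_t off, n;
    note[3] = 19; note[7] = 48;              /* namesz, descsz */
    memcpy(note + 8, "ASig", 4);             /* type */
    memcpy(note + 12, NOTE_NAME, sizeof(NOTE_NAME));
    memset(note + 35, 0xAA, 5);              /* placeholder signature bytes */
    note[51] = 5;                            /* sig_len */
    memcpy(note + 52, MAGIC, MAGIC_LEN);
    return asig_note_locate(note, sizeof(note), &off, &n);
}
```

The returned range only locates the signature data; verifying it against trusted keys is a separate step.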