On Mon, Jul 14, 2025 at 11:05:12PM +0530, Sudhakar Kuppusamy wrote: > Introducing the following db and dbx commands > > 1. append_list_db: > It will show the list of trusted certificates and binary hashes
s/It will show/Show/ > 2. append_list_dbx: > It will show the list of distrusted certificates and binary/certificate > hashes s/It will show/Show/ and below please... > 3. append_add_db_cert: > It will add the trusted certificate to the db list > 4. append_add_db_sig: > It will add the certificate/binary hash to the db list > 5. append_rm_dbx_cert: > It will remove the trusted certificate from the db list s/db/dbx/ > 6. append_add_dbx_sig: > It will add the certificate/binary hash to the dbx list > > Note:- > The addition/deletion of trusted certificates and binary hashes > are not allowed in GRUB command prompt while secure boot is enabled. > > Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com> > Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com> > --- > grub-core/commands/appendedsig/appendedsig.c | 351 +++++++++++++++---- > 1 file changed, 286 insertions(+), 65 deletions(-) > > diff --git a/grub-core/commands/appendedsig/appendedsig.c > b/grub-core/commands/appendedsig/appendedsig.c > index 1356babaf..f25e4734b 100644 > --- a/grub-core/commands/appendedsig/appendedsig.c > +++ b/grub-core/commands/appendedsig/appendedsig.c 
> @@ -102,6 +102,38 @@ static enum > CHECK_SIGS_FORCED = 2 > } check_sigs = CHECK_SIGS_NO; > > +enum > +{ > + OPTION_BINARY_HASH = 0, > + OPTION_CERT_HASH = 1 > +}; Please define enum type properly/fully and use it or use plain constants. > +static const struct grub_arg_option options[] = > +{ > + {"binary-hash", 'b', 0, N_("hash file of the binary."), 0, ARG_TYPE_NONE}, > + {"cert-hash", 'c', 1, N_("hash file of the certificate."), 0, > ARG_TYPE_NONE}, > + {0, 0, 0, 0, 0, 0} > +}; > + > +static void > +print_hex (const grub_uint8_t *data, const grub_size_t length) Could you use hexdump function instead? > +{ > + grub_size_t i, count = 0; > + > + for (i = 0; i < length-1; i++) > + { > + grub_printf ("%02x:", data[i]); > + count++; > + if (count == 16) > + { > + grub_printf ("\n\t "); > + count = 0; > + } > + } > + > + grub_printf ("%02x\n", data[i]); > +} > + > /* > * GUID can be used to determine the hashing function and > * generate the hash using determined hashing function. 
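Review bot: print_hex has no guard for length == 0: `length-1` on an unsigned grub_size_t wraps to its maximum, so the `for (i = 0; i < length-1; i++)` loop reads far past the end of data, and the trailing `grub_printf ("%02x\n", data[i])` assumes at least one byte exists. A one-line guard at the top of the function, `if (length == 0) return;`, closes that (the callers that pass the length sit outside this hunk, so the check cannot be confirmed there). Separately, the two entries of `options[]` differ in their flags field (0 for binary-hash, 1 for cert-hash) while both are ARG_TYPE_NONE; if that difference is not deliberate, `{"cert-hash", 'c', 0, N_("hash file of the certificate."), 0, ARG_TYPE_NONE},` keeps them consistent.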
> @@ -634,37 +666,203 @@ grub_cmd_verify_signature (grub_command_t cmd > __attribute__ ((unused)), int argc > { > grub_file_t signed_file; > grub_err_t err; > - grub_uint8_t *data; > - grub_size_t file_size; > + grub_uint8_t *signed_data; > + grub_size_t signed_size; If want better naming please change that in original patch. > if (argc != 1) > - return grub_error (GRUB_ERR_BAD_ARGUMENT, "one argument expected."); > + return grub_error (GRUB_ERR_BAD_ARGUMENT, > + "a signed file is > expected.\nExample:\n\tappend_verify <SIGNED FILE>\n"); > > grub_dprintf ("appendedsig", "verifying %s\n", args[0]); > > signed_file = grub_file_open (args[0], GRUB_FILE_TYPE_VERIFY_SIGNATURE); > if (signed_file == NULL) > - return grub_error (GRUB_ERR_BAD_FILE_TYPE, "could not open %s file.", > args[0]); > + return grub_error (GRUB_ERR_FILE_NOT_FOUND, "could not open %s file.", > args[0]); > > - err = file_read_all (signed_file, &data, &file_size); > + err = file_read_all (signed_file, &signed_data, &signed_size); > if (err == GRUB_ERR_NONE) > - err = grub_verify_appended_signature (data, file_size); > + err = grub_verify_appended_signature (signed_data, signed_size); > > grub_file_close (signed_file); > - grub_free (data); > + grub_free (signed_data); > + > + return err; All theses changes belong to original patch... > +} Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel