Re: [PATCH] arm/efi: fix ram base detection

2021-03-30 Thread Vincent Stehlé via Grub-devel
On Mon, Mar 22, 2021 at 06:28:51PM +, Leif Lindholm wrote: .. > > > diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c > > > index 0cdb063bb..abf8772bc 100644 > > > --- a/grub-core/kern/efi/mm.c > > > +++ b/grub-core/kern/efi/mm.c > > > @@ -677,7 +677,8 @@ grub_efi_get_ram_base(grub

RE: Dell BIOS issue reading Disk Extended data

2021-03-30 Thread K, Narendra
Internal Use - Confidential > -Original Message- > From: Guilherme Piccoli > Sent: Friday, March 12, 2021 9:14 PM > To: Limonciello, Mario; K, Narendra > Cc: Barabash, Alexander; Engel, Amit; Guilherme G. Piccoli; > hal...@canonical.com; Jay Vosburgh; Dan Streetman; Gavin Guo; > x...@kern

Re: multiboot2 and module2 boot issues via GRUB2

2021-03-30 Thread Andrew Cooper via Grub-devel
On 30/03/2021 19:28, Roman Shaposhnik wrote: > Hi! > > seems like I've run into an issue with multiboot2 and module2 > commands that I can't quite explain. Since it may be something > super simply and silly -- I wanted to reach out here before I do > a GRUB/Xen/LK source deepdive. > > So here's the

[PATCH 16/19] appended signatures: support verifying appended signatures

2021-03-30 Thread Daniel Axtens
Building on the parsers and the ability to embed x509 certificates, as well as the existing gcrypt functionality, add a module for verifying appended signatures. This includes a verifier that requires that Linux kernels and grub modules have appended signatures, and commands to manage the list of

[PATCH 15/19] appended signatures: parse PKCS#7 signedData and X.509 certificates

2021-03-30 Thread Daniel Axtens
This code allows us to parse: - PKCS#7 signedData messages. Only a single signerInfo is supported, which is all that the Linux sign-file utility supports creating out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported. Any certificate embedded in the PKCS#7 message will be ignored.

[PATCH 18/19] appended signatures: documentation

2021-03-30 Thread Daniel Axtens
This explains how appended signatures can be used to form part of a secure boot chain, and documents the commands and variables introduced. Signed-off-by: Daniel Axtens --- docs/grub.texi | 193 - 1 file changed, 176 insertions(+), 17 deletions(-)

[PATCH 14/19] appended signatures: import GNUTLS's ASN.1 description files

2021-03-30 Thread Daniel Axtens
In order to parse PKCS#7 messages and X.509 certificates with libtasn1, we need some information about how they are encoded. We get these from GNUTLS, which has the benefit that they support the features we need and are well tested. The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allo

[PATCH 13/19] grub-install: support embedding x509 certificates

2021-03-30 Thread Daniel Axtens
From: Alastair D'Silva To support verification of appended signatures, we need a way to embed the necessary public keys. Existing appended signature schemes in the Linux kernel use X.509 certificates, so allow certificates to be embedded in the grub core image in the same way as PGP keys. Signed

[PATCH 09/19] libtasn1: disable code not needed in grub

2021-03-30 Thread Daniel Axtens
We don't expect to be able to write ASN.1, only read it, so we can disable some code. Do that with #if 0/#endif, rather than deletion. This means that the difference between upstream and grub is smaller, which should make updating libtasn1 easier in the future. With these exclusions we also avoid

[PATCH 19/19] ieee1275: enter lockdown based on /ibm,secure-boot

2021-03-30 Thread Daniel Axtens
If the 'ibm,secure-boot' property of the root node is 2 or greater, enter lockdown. Signed-off-by: Daniel Axtens --- docs/grub.texi | 4 ++-- grub-core/Makefile.core.def| 1 + grub-core/kern/ieee1275/init.c | 27 +++ include/grub/lockdown.h|

[PATCH 11/19] libtasn1: compile into asn1 module

2021-03-30 Thread Daniel Axtens
Create a wrapper file that specifies the module license. Set up the makefile so it is built. Signed-off-by: Daniel Axtens --- grub-core/Makefile.core.def| 15 +++ grub-core/lib/libtasn1_wrap/wrap.c | 26 ++ 2 files changed, 41 insertions(+) create mod

[PATCH 06/19] crypto: move storage for grub_crypto_pk_* to crypto.c

2021-03-30 Thread Daniel Axtens
The way gcry_rsa and friends (the asymmetric ciphers) are loaded for the pgp module is a bit quirky. include/grub/crypto.h contains: extern struct gcry_pk_spec *grub_crypto_pk_rsa; commands/pgp.c contains the actual storage: struct gcry_pk_spec *grub_crypto_pk_rsa; And the module itself save

[PATCH 10/19] libtasn1: changes for grub compatibility

2021-03-30 Thread Daniel Axtens
Do a few things to make libtasn1 compile as part of grub: - replace strcat. grub removed strcat so replace it with the appropriate calls to memcpy and strlen. - replace c_isdigit with grub_isdigit (and don't import c-ctype from gnulib) grub_isdigit provides the same functionality as c_isd

[PATCH 17/19] appended signatures: verification tests

2021-03-30 Thread Daniel Axtens
These tests are run through all_functional_test and test a range of commands and behaviours. Signed-off-by: Daniel Axtens --- grub-core/Makefile.core.def | 6 + grub-core/tests/appended_signature_test.c | 281 +++ grub-core/tests/appended_signatures.h | 557 ++

[PATCH 05/19] pgp: factor out rsa_pad

2021-03-30 Thread Daniel Axtens
rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme. We want to use it in other RSA signature verification applications. I considered and rejected putting it in lib/crypto.c. That file doesn't currently require any MPI functions, but rsa_pad does. That's not so much of a problem for

[PATCH 04/19] dl: provide a fake grub_dl_set_persistent for the emu target

2021-03-30 Thread Daniel Axtens
Trying to start grub-emu with a module that calls grub_dl_set_persistent will crash because grub-emu fakes modules and passes NULL to the module init function. Provide an empty function for the emu case. Fixes: ee7808e2197c (dl: Add support for persistent modules) Signed-off-by: Daniel Axtens --

[PATCH 03/19] docs/grub: Document signing grub with an appended signature

2021-03-30 Thread Daniel Axtens
Signing grub for firmware that verifies an appended signature is a bit fiddly. I don't want people to have to figure it out from scratch so document it here. Signed-off-by: Daniel Axtens --- docs/grub.texi | 42 ++ 1 file changed, 42 insertions(+) diff --

[PATCH 07/19] posix_wrap: tweaks in preparation for libtasn1

2021-03-30 Thread Daniel Axtens
- Define SIZEOF_UNSIGNED_LONG_INT, it's the same as SIZEOF_UNSIGNED_LONG. - Define WORD_BIT, the size in bits of an int. This is a defined in the Single Unix Specification and in gnulib's limits.h. gnulib assumes it's 32 bits on all our platforms, including 64 bit platforms, so we al

[PATCH 01/19] Add suport for signing grub with an appended signature

2021-03-30 Thread Daniel Axtens
From: Rashmica Gupta Add infrastructure to allow firmware to verify the integrity of grub by use of a Linux-kernel-module-style appended signature. We initially target powerpc-ieee1275, but the code should be extensible to other platforms. Usually these signatures are appended to a file without

[PATCH 02/19] docs/grub: Document signing grub under UEFI

2021-03-30 Thread Daniel Axtens
Before adding information about how grub is signed with an appended signature scheme, it's worth adding some information about how it can currently be signed for UEFI. Signed-off-by: Daniel Axtens --- docs/grub.texi | 22 +- 1 file changed, 21 insertions(+), 1 deletion(-) di

[PATCH 00/19] appended signature secure boot support

2021-03-30 Thread Daniel Axtens
This patch set contains a consolidated version of the patch sets sent for secure boot using appended signatures on powerpc, rebased on top of 2.06~rc1. This has required some changes, mostly around lockdown and the change to shim handling. I have also extended the X.509 parser to support printableS