latforms, so we also use that value.
- Provide strto[u]l[l] preprocessor macros that resolve to
grub_strto[u]l[l]. To avoid gcrypt redefining strtoul, we
also define HAVE_STRTOUL here.
Signed-off-by: Daniel Axtens
---
grub-core/lib/posix_wrap/limits.h| 1 +
grub-core/lib/posix_wrap/
before the appended signature
structure (not at the end) so that the final bytes of a signed ELF file
are the appended signature magic.
A subsequent patch documents how to create a grub core.img validly signed
under this scheme.
Signed-off-by: Daniel Axtens
Signed-off-by: Rashmica Gupta
---
You
Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
---
docs/grub.texi | 22 +-
1 file changed, 21 insertions(+), 1 del
at the 'right'
solution is and will send a followup patch.)
I have some information about testing all the parts together at
https://gist.github.com/daxtens/cfc0a7e15614b0383e0c57f308cacdd1
It's largely unchanged from
https://lists.gnu.org/archive/html/grub-devel/2020-10/msg00048.html
Glenn Washburn writes:
> On Sun, 14 Feb 2021 13:58:40 +1100
> Daniel Axtens wrote:
>
>> > Reading more about patchwork, it seems to have its own set of
>> > issues, partly revolving around using a mailing list of development
>> > as we do. see: https://l
> Reading more about patchwork, it seems to have its own set of issues,
> partly revolving around using a mailing list of development as we do.
> see: https://lwn.net/Articles/773456/
I'm a patchwork maintainer, happy to discuss how Patchwork might be
helpful. It certainly isn't perfect (and alter
These tests are run through all_functional_test and test a range
of commands and behaviours.
Signed-off-by: Daniel Axtens
---
grub-core/Makefile.core.def | 6 +
grub-core/tests/appended_signature_test.c | 250 +++
grub-core/tests/appended_signatures.h | 483
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
---
docs/grub.texi | 189 +
1 file changed, 174 insertions(+), 15 deletions
the grub
command line or by load_env.
Thus, as with the PGP verifier, it is not a complete secure-boot solution:
other mechanisms must be used to ensure that a user cannot drop to the
grub shell and disable verification.
Signed-off-by: Daniel Axtens
---
grub-core/Makefile.core.def
.
- X.509 certificates: at least enough to verify the signatures on the
PKCS#7 messages. We expect that the certificates embedded in grub will
be leaf certificates, not CA certificates. The parser enforces this.
Signed-off-by: Daniel Axtens
---
grub-core/commands/appendedsig/appendedsig.h
, allowing
us to import it without issue.
Signed-off-by: Daniel Axtens
---
.../commands/appendedsig/gnutls_asn1_tab.c| 121 +
.../commands/appendedsig/pkix_asn1_tab.c | 484 ++
2 files changed, 605 insertions(+)
create mode 100644 grub-core/commands/appendedsig
Create a wrapper file that specifies the module license.
Set up the makefile so it is built.
Signed-off-by: Daniel Axtens
---
grub-core/Makefile.core.def| 15 +++
grub-core/lib/libtasn1_wrap/wrap.c | 26 ++
2 files changed, 41 insertions(+)
create
keys.
Signed-off-by: Alastair D'Silva
Signed-off-by: Daniel Axtens
---
grub-core/commands/pgp.c| 2 +-
include/grub/kernel.h | 3 ++-
include/grub/util/install.h | 7 +--
util/grub-install-common.c | 23 -
util/grub-mkimage.c | 15 --
util
also avoid the need for minmax.h,
which is convenient because it means we don't have to
import it from gnulib.
Signed-off-by: Daniel Axtens
---
grub-core/lib/libtasn1/lib/coding.c| 12 ++--
grub-core/lib/libtasn1/lib/decoding.c | 2 ++
grub-core/lib/libtasn1/lib/element.c | 4
ed for our
modules. Unconditionally support const and pure attributes and adjust
header paths.
- adjust header paths to "grub/libtasn1.h".
- replace a 64 bit division with a call to grub_divmod64, preventing
creation of __udivdi3 calls on 32 bit platforms.
Signed-off-by: Daniel Axtens
Trying to start grub-emu with a module that calls grub_dl_set_persistent
will crash because grub-emu fakes modules and passes NULL to the module
init function.
Provide an empty function for the emu case.
Fixes: ee7808e2197c (dl: Add support for persistent modules)
Signed-off-by: Daniel Axtens
a cipher handle. That depends on grub_ciphers being populated
by people calling grub_cipher_register. import_gcry.py ensures that the
symmetric ciphers call it.]
Signed-off-by: Daniel Axtens
---
grub-core/commands/pgp.c | 4
grub-core/lib/crypto.c | 4
2 files changed, 4 inserti
--pubkey is supported, so we can now document it.
Signed-off-by: Daniel Axtens
---
docs/grub.texi | 12 +++-
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index 6cbd753d12fd..6bac37728042 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
g this to land upstream for 2.06. Patches 1 and 2
might be suitable but I don't really mind either way. Having said
that, I'd appreciate any feedback before then.
Alastair D'Silva (1):
grub-install: support embedding x509 certificates
Daniel Axtens (17):
docs/grub: grub-install is no
Since commit cd46aa6cefab in 2013, grub-install hasn't been a shell
script. The para doesn't really add that much, especially since it's
the user manual, so just drop it.
Signed-off-by: Daniel Axtens
---
docs/grub.texi | 7 ---
1 file changed, 7 deletions(-)
diff --git a/d
Other verifiers that implement secure boot may want to be able to
reuse the same list and behaviour.
Signed-off-by: Daniel Axtens
---
grub-core/commands/efi/shim_lock.c | 45 +++--
grub-core/commands/verifiers.c | 46 ++
include/grub
KCS#1 v1.5 module.
Signed-off-by: Daniel Axtens
---
grub-core/Makefile.core.def | 8 +
grub-core/commands/pgp.c| 28 ++
grub-core/lib/pkcs1_v15.c | 59 +
include/grub/pkcs1_v15.h| 27 +
4 files changed, 96 inserti
solution and will post it shortly. However, for an end-user or packager with
a higher minimum memory requirement, this will work fine.
Signed-off-by: Daniel Axtens
---
grub-core/kern/ieee1275/init.c | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/grub-core/kern/ieee1275/
Hi Michal,
>> So grub is usually loaded from the PReP partition if you are booting
>> from disk. But, if you are booting from a CD/USB/etc, we first parse
>> /ppc/boot-info.txt and then load whatever file it identifies. If you're
>> netbooting we load the file we get from the network.
>>
>> One s
Hi Michal,
>> A simpler scheme would be for grub-install to parse the signature
>> footer, split-off the signature, write the ELF binary at the start of
>> the PReP partition, and the signature at the end. Then the grub
>> signature can use exactly same format as the kernel and modules.
>
> I got
Hi Michael,
>> +@section Signing GRUB with an appended signature
>> +
>> +The @file{core.img} itself can be signed with a Linux kernel module-style
>> +appended signature.
>> +
>> +To support IEEE1275 platforms where the boot image is often loaded directly
>> +from a disk partition rather than fro
[This bounced from the list for some reason, so I'm trying again.]
Hi Michal,
That's a really interesting proposal - thank you. I'm still thinking
about it and experimenting with it in SLOF.
Some thoughts:
> It has been pointed out in the plumbers session that the ELF note will
> cause problems
> +case 'x':
> + arguments->x509keys = xrealloc (arguments->x509keys,
> + sizeof (arguments->x509keys[0])
> + * (arguments->nx509keys + 1));
> + arguments->pubkeys[arguments->nx509keys++] = xstrdup (arg);
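Review bot: In the 'x' case the array grown by xrealloc is arguments->x509keys, but the new string is stored through arguments->pubkeys[arguments->nx509keys++]. That indexes pubkeys with the x509 counter, so it writes into an array that was not resized for it and leaves the newly allocated x509keys slot unset. The assignment should target arguments->x509keys[arguments->nx509keys++].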
This shoul
r \
/boot/vmlinux /boot/vmlinux.signed
- You should now be able to boot with new SLOF and qemu in
secure-boot mode.
Daniel Axtens (1):
ieee1275: link appended-signature enforcement to /ibm,secure-boot
grub-core/commands/appendedsig/appendedsig.c | 44 +++-
If the 'ibm,secure-boot' property of the root node is 2 or greater,
require that the kernel pass appended-signature verification.
Do not consider the presence of a certificate to enforce verification.
Signed-off-by: Daniel Axtens
---
grub-core/commands/appendedsig/appended
Hi Konrad,
>> +LICENSING
>> +=
>> +
>> +The libtasn1 library is released under the GNU Lesser General Public
>> +License (LGPL) version 2.1 or later; see
>> [COPYING.LESSER](doc/COPYING.LESSER)
>> +for the license terms.
>> +
>> +The GNU LGPL applies to the main libtasn1 library, while th
--pubkey is supported, so we can now document it.
Signed-off-by: Daniel Axtens
---
docs/grub.texi | 12 +++-
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index bd72b589522e..327c1bd0f412 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
signature enforcement is acceptable.
I'm not expecting this to land upstream for 2.06. Patches 1 and 2
might be suitable but I don't really mind either way. Having said
that, I'd appreciate any feedback before then.
Alastair D'Silva (1):
grub-install: support embedding x50
to chase it up further.
Thoughts? (on or off-list is fine.)
Kind regards,
Daniel
[1] https://linuxplumbersconf.org/event/7/contributions/738/
https://youtu.be/IJUNxHnopH4?t=537
> More details are in patch 1, including a link to an open-source firmware
> capable of verifying a grub
Signing grub for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
---
docs/grub.texi | 42 ++
1 file changed, 42 insertions(+)
e size and location of the
signature.
More details are in patch 1, including a link to an open-source firmware
capable of verifying a grub image signed this way.
Daniel Axtens (2):
docs/grub: Document signing grub under UEFI
docs/grub: Document signing grub with an appended signature
Rashmic
^
1 error generated.
It's not really that unclear in context: there's a commented-out
if-statement. But tweak the alignment anyway so that clang is happy.
Signed-off-by: Daniel Axtens
---
With this and Patrick's patch 'json: Remove invalid typedef redefinition'
ence), it is not the only valid decision; in particular,
>> the Go x/crypto/openpgp library chooses to store issuer ID in the hashed
>> area.
>>
>> Without this patch, trying to verify a valid signature made by
>> x/crypto/openpgp results in `error: public key not
"Vladimir 'phcoder' Serbinenko" writes:
> On Tue, Jun 2, 2020, 10:40 Daniel Axtens wrote:
>
>> cmdline_cat takes a checksum of a screen that includes the grub
>> version number, so it has been broken since commit 94d9926a6640
>> ("Release 2.0
move both tests.
With this, 'make check' can pass (at least on my laptop) in a number
of configurations, including x86_64-emu and i386-pc.
Signed-off-by: Daniel Axtens
---
I had a crack at getting this into Travis CI, but I had a lot of
trouble with the existing boot test. Then I realis
f in "json.h". If enforcing the GNU99 C
> standard, clang may generate a warning about this non-standard
> construct.
>
> Fix the issue by using a simple `struct jsmntok` forward declaration
> instead of using a typedef.
>
> Signed-off-by: Patrick Steinhardt
Tested-b
Daniel Kiper writes:
> On Fri, May 29, 2020 at 02:10:46PM +1000, Daniel Axtens wrote:
>> Charles Duffy writes:
>>
>> > Amended the test repo to apply this patch; it applies and works-as-intended
>> > on both 2.04 and current master.
>> >
>>
al ]
>
>> [ modified by dja: rebase, split out 'readbuf' to both readbuf and
>> subpacket_buf for clarity
>> signature_test still passes but I have not run any other tests ]
Signed-off-by: Daniel Axtens
>> ---
>> grub-core/commands/pgp.c | 117 ++
Currently GRUB2 verify logic searches PGP keyid only in unhashed subpackets of
PGP signature packet. As a result, signatures generated with GoLang openpgp
package (https://godoc.org/golang.org/x/crypto/openpgp) could not be verified,
because this package puts keyid in hashed subpackets and GRUB cod
Charles Duffy writes:
> On Wed, May 27, 2020 at 11:42 PM Daniel Axtens wrote:
>
>> My team has been working on the verifier area to support appended
>> signatures (used to sign Linux kernel modules, and on at least powerpc64
>> also used to sign the kernel), so I have s
Charles Duffy writes:
> Howdy, y'all --
>
> In anticipation of trying to revive the OpenPGP compatibility patch created
> by Ignat Korchagin in 2016, I've assembled a simple test suite that can
> generate multiple builds of GRUB (different versions/patches/etc) and then
> test them with keys and
> clang still doesn't like 'make check', but that looks like a different
> issue around relocations. clang isn't a huge priority for me, so it
> might take a while. But this patch is good to go in regardless.
Turns out I needed to specify CXX=clang++ as well.
Daniel
>
> Thanks again,
> Daniel
>
th clang.
>
> Reported-by: Daniel Axtens
> Signed-off-by: Javier Martinez Canillas
With this patch, clang-9 builds and runs mainline grub-emu.
Tested-by: Daniel Axtens # emu platform only
clang still doesn't like 'make check', but that looks like a different
issue aroun
Javier Martinez Canillas writes:
> Hello Daniel,
>
> On 5/19/20 3:47 AM, Daniel Axtens wrote:
>> Javier Martinez Canillas writes:
>>
>>> Hello Daniel,
>>>
>>> On 5/18/20 5:49 PM, Daniel Kiper wrote:
>>>
>>> [snip]
>>>
Hi,
I've made a little progress on this.
> I keep having failures with the cmdline_cat test and the gfxmenu tests
> within grub_func_test - the video checksums don't match. The images all
> look OK to me, so I'm not quite sure what the problem is, and we don't
> ship known-good images for me to c
Javier Martinez Canillas writes:
> Hello Daniel,
>
> On 5/18/20 5:49 PM, Daniel Kiper wrote:
>
> [snip]
>
>>>
>>> Without this patch, clang-9 fails on the use of nested functions in
>>> commit cb2f15c54489 ("normal/main: Search for specific config files for
>>> netboot") - I'll send a fix for tha
Hi Daniel,
> Commit d5a32255d (misc: Make grub_strtol() "end" pointers have safer
> const qualifiers) introduced "restrict" keyword into some functions
> definitions. This keyword was introduced in C99 standard. However, some
> compilers by default may use C89 or something different. This behavior
'./grub-core/lib/libgcrypt/src/global.c' ! -ipath
> './grub-core/lib/libgcrypt/src/secmem.c' ! -ipath
> './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath
> './gnulib/*' ! -ipath
Hi all,
I'm having some trouble with the grub tests run by `make check`.
In particular, grub_func_test is failing for me in every configuration I
try. I've tried various combinations of:
- master, grub-2.04 and grub-2.02 tags, as well as the grub-2.04
tarball.
- configuring for platform em
Hi,
I'd like to teach grub how to verify appended signatures. Appended
signatures are a format used by the Linux kernel to cryptographically
sign binaries. They're used to verify kernel modules on all platforms
[1], and they're also used on some platforms (such as PowerPC) for
signing the kernel i
Hi Hans,
> Hello,
>
> as I am continuing to flood this mailing list with patches, I am
> realizing that I am missing some general rules for how things work on
> grub-devel. Sorry for the inconvenience caused by that.
>
> Anyway, here are a few questions I am beginning to realize I should know
> the a
0x0018 Unknown note type: (0x1275)
description data: ff ff ff ff 00 c0 00 00 ff ff ff ff ff ff ff ff ff ff ff
ff 00 00 40 00
So far as I can tell this issue has existed for as long as the note
generation code has existed, but I guess nothing really checks descsz.
Signed-off-