D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
include/grub/kernel.h | 1 +
include/grub/util/install.h | 3 +++
util/grub-install-common.c | 19 +-
util
ignored.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/commands/appendedsig/appendedsig.h | 38 ++
grub-core/commands/appendedsig/pkcs7.c | 452 +++
2 files changed
/blob/master/lib/gnutls.asn
- https://github.com/gnutls/gnutls/blob/master/lib/pkix.asn
The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allowing
us to import it without issue.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by
by setting the appendedsig_key_mgmt variable back to "static".
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/appendedsig/appendedsig.c | 75
1 file changed, 75 insertions(+)
diff --git a/grub-core/commands/appendedsig/appendedsig.c
b/grub-core/commands
Signing GRUB for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
ture
structure (not at the end) so that the final bytes of a signed ELF file
are the appended signature magic.
A subsequent patch documents how to create a GRUB core.img validly signed
under this scheme.
Signed-off-by: Rashmica Gupta
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusa
Usage extension and handle
it by verifying that the certificate has a Code Signing usage.
Signed-off-by: Javier Martinez Canillas # EKU support
Reported-by: Michal Suchanek # key usage issue
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by
automatically.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Daniel Kiper
---
grub-core/Makefile.core.def | 15 +
grub-core/commands/appendedsig/appendedsig.c | 587 +++
include/grub/err.h | 3 +-
include/grub
-by: Sudhakar Kuppusamy
---
grub-core/commands/appendedsig/appendedsig.c | 276 +++
include/grub/file.h | 2 +
2 files changed, 278 insertions(+)
diff --git a/grub-core/commands/appendedsig/appendedsig.c
b/grub-core/commands/appendedsig/appendedsig.c
From: Daniel Axtens
Before adding information about how GRUB is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Review
c key management mode. Read keys from the GRUB ELF Note and
use it for signature verification.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/Makefile.am | 2 +
grub-core/Makefile.core.def | 2 +
grub-core/kern/ieee1275/ieee1275.c
nd enforce.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
docs/grub.texi | 2 +-
grub-core/Makefile.core.def| 1 +
grub-core/kern/ieee1275/i
etc) use grub_crypto_lookup_cipher_by_name()
to get a cipher handle. That depends on grub_ciphers being populated
by people calling grub_cipher_register. import_gcry.py ensures that the
symmetric ciphers call it.]
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by:
require an extra NULL byte at the end
- Bit strings because libtasn1 returns the length in bits, not bytes.
If the function returns a non-NULL value, the caller must free it.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
l Axtens (2):
crypto: Move storage for grub_crypto_pk_* to crypto.c
docs/grub: Document signing GRUB under UEFI
Sudhakar Kuppusamy (20):
powerpc-ieee1275: Add support for signing GRUB with an appended
signature
pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY
grub-install: Suppo
it NULL check in both the unregister helpers.
>
> Signed-off-by: Srish Srinivasan
Reviewed-by: Sudhakar Kuppusamy
> ---
> grub-core/commands/extcmd.c | 3 +++
> grub-core/kern/command.c| 3 +++
> 2 files changed, 6 insertions(+)
>
> diff --git a/grub-core/commands/e
0 100644
> --- a/grub-core/kern/command.c
> +++ b/grub-core/kern/command.c
> @@ -104,6 +104,8 @@ grub_register_command_lockdown (const char *name,
> void
> grub_unregister_command (grub_command_t cmd)
> {
> + if (!cmd)
For pointer, use cmd == NULL
> +return;
It would be nice if add e
Thank you Daniel for the review.
> On 27 Aug 2025, at 9:11 PM, Daniel Kiper wrote:
>
> On Mon, Aug 25, 2025 at 04:38:33PM +0530, Sudhakar Kuppusamy wrote:
>> Introducing the following GRUB commands to manage the db list.
>>
>> 1. append_list_db:
>> Show
Thank you Daniel for the review.
> On 27 Aug 2025, at 8:43 PM, Daniel Kiper wrote:
>
> On Mon, Aug 25, 2025 at 04:38:32PM +0530, Sudhakar Kuppusamy wrote:
>> Building on the parsers and the ability to embed X.509 certificates, as
>> well as the existing gcrypt functional
From: Daniel Axtens
Before adding information about how GRUB is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Review
Signing GRUB for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/commands/appendedsig/appendedsig.h | 36 ++
grub-core/commands/appendedsig/pkcs7.c | 454 +++
2 files changed
with an appended signature.
3. When append_add_dbx_hash executes, then the certificate/binary
hash file must be signed with an appended signature.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 319 ++-
include
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
docs/grub.texi | 405
: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 14 +++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c
b/grub-core/commands/appendedsig/appendedsig.c
Usage extension and handle
it by verifying that the certificate has a Code Signing usage.
Signed-off-by: Javier Martinez Canillas # EKU support
Reported-by: Michal Suchanek # key usage issue
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by
tract the static keys from
the GRUB ELF Note and stored in the db list.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
.../kern/powerpc/ieee1275/platform_keystore.c | 21 ++-
.../grub/powerpc/iee
These tests are run through all_functional_test and test a range
of commands and behaviours.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/Makefile.core.def | 8
Signature verification: verify the kernel against lists of hashes
that are either in dbx or db list. If it is not in the dbx list
then the trusted keys from the db list are used to verify the signature.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
etc) use grub_crypto_lookup_cipher_by_name()
to get a cipher handle. That depends on grub_ciphers being populated
by people calling grub_cipher_register. import_gcry.py ensures that the
symmetric ciphers call it.]
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by:
to the db list.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 517 ++-
include/grub/crypto.h| 1 +
include/grub/efi/pks.h | 112
4. append_verify:
Verify the signed file using db list
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/appendedsig/appendedsig.c | 310 +++
1 file changed, 310 insertions(+)
diff --git a/grub-core/commands/appendedsig/appendedsig.c
c key management mode. Read keys from the GRUB ELF Note and
use it for signature verification.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/Makefile.am | 2 +
grub-core/Makefile.core.def | 2 +
grub-core/kern/ieee1275/ieee1275.c
sabled and enforced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
docs/grub.texi | 2 +-
grub-core/Makefile.core.def| 1 +
grub-core/kern/ieee1275/i
ertificate based PGP signature.
Signed-off-by: Alastair D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Daniel Kiper
---
docs/grub.texi | 34 +-
grub-core/commands/pgp.c | 2 +-
include/grub/kernel.h|
require an extra NULL byte at the end
- Bit strings because libtasn1 returns the length in bits, not bytes.
If the function returns a non-NULL value, the caller must free it.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
-engel1/2020/11/20/powervm-introduces-the-platform-keystore
Daniel Axtens (2):
crypto: Move storage for grub_crypto_pk_* to crypto.c
docs/grub: Document signing GRUB under UEFI
Sudhakar Kuppusamy (19):
powerpc-ieee1275: Add support for signing GRUB with an appended
signature
pgp: Rename OBJ
/blob/master/lib/gnutls.asn
- https://github.com/gnutls/gnutls/blob/master/lib/pkix.asn
The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allowing
us to import it without issue.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by
D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
include/grub/kernel.h | 1 +
include/grub/util/install.h | 3 +++
util/grub-install-common.c | 19 +-
util
ture
structure (not at the end) so that the final bytes of a signed ELF file
are the appended signature magic.
A subsequent patch documents how to create a GRUB core.img validly signed
under this scheme.
Signed-off-by: Rashmica Gupta
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusa
automatically.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/Makefile.core.def | 15 +
grub-core/commands/appendedsig/appendedsig.c | 597 +++
include/grub/err.h | 3 +-
include/grub/file.h
Thank you Daniel for the review.
> On 23 Aug 2025, at 12:23 AM, Daniel Kiper wrote:
>
> On Thu, Aug 21, 2025 at 01:25:04PM +0530, Sudhakar Kuppusamy wrote:
>> Enhancing the infrastructure to enable the Platform Keystore (PKS) feature,
>> which provides access to the SB
Thank you Daniel for the review.
> On 21 Aug 2025, at 8:53 PM, Daniel Kiper wrote:
>
> On Thu, Aug 21, 2025 at 01:25:03PM +0530, Sudhakar Kuppusamy wrote:
>> Building on the parsers and the ability to embed X.509 certificates, as
>> well as the existing gcrypt functional
/blob/master/lib/gnutls.asn
- https://github.com/gnutls/gnutls/blob/master/lib/pkix.asn
The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allowing
us to import it without issue.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by
etc) use grub_crypto_lookup_cipher_by_name()
to get a cipher handle. That depends on grub_ciphers being populated
by people calling grub_cipher_register. import_gcry.py ensures that the
symmetric ciphers call it.]
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by:
ertificate based PGP signature.
Signed-off-by: Alastair D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Daniel Kiper
---
docs/grub.texi | 34 +-
grub-core/commands/pgp.c | 2 +-
include/grub/kernel.h|
> On 21 Aug 2025, at 12:14 PM, Gary Lin wrote:
>
> On Tue, Aug 19, 2025 at 06:43:23PM +0530, Sudhakar Kuppusamy wrote:
>> This explains how appended signatures can be used to form part of
>> a secure boot chain, and documents the commands and variables
>> intro
require an extra NULL byte at the end
- Bit strings because libtasn1 returns the length in bits, not bytes.
If the function returns a non-NULL value, the caller must free it.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
If Secure Boot is enabled with dynamic key management mode and the
use_static_keys flag is set, then read the static keys as a db default
keys from the ELF Note and add them into the db.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core
ture
structure (not at the end) so that the final bytes of a signed ELF file
are the appended signature magic.
A subsequent patch documents how to create a GRUB core.img validly signed
under this scheme.
Signed-off-by: Rashmica Gupta
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusa
Signature verification: verify the kernel against lists of hashes
that are either in dbx or db list. If it is not in the dbx list
then the trusted keys from the db list are used to verify the signature.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
docs/grub.texi | 403
Signing GRUB for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/commands/appendedsig/appendedsig.h | 36 ++
grub-core/commands/appendedsig/pkcs7.c | 454 +++
2 files changed
D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
include/grub/kernel.h | 1 +
include/grub/util/install.h | 3 +++
util/grub-install-common.c | 19 +-
util
These tests are run through all_functional_test and test a range
of commands and behaviours.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/Makefile.core.def | 8
with an appended signature.
3. When append_add_dbx_hash executes, then the certificate/binary
hash file must be signed with an appended signature.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 427 ++-
include
Usage extension and handle
it by verifying that the certificate has a Code Signing usage.
Signed-off-by: Javier Martinez Canillas # EKU support
Reported-by: Michal Suchanek # key usage issue
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by
c key management mode. Read keys from the GRUB ELF Note and
use it for signature verification.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/Makefile.am | 2 +
grub-core/Makefile.core.def | 2 +
grub-core/kern/ieee1275/ieee1275.c
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/Makefile.core.def | 15 +
grub-core/commands/appendedsig/appendedsig.c | 793 +++
include/grub/err.h
not add that certificate/certificate hash to the db list.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 497 ++-
include/grub/crypto.h| 1 +
include/grub/efi
sabled and enforced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
docs/grub.texi | 2 +-
grub-core/Makefile.core.def| 1 +
grub-core/kern/ieee1275/i
tract the static keys from
the GRUB ELF Note and stored in the db list.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/kern/powerpc/ieee1275/platform_keystore.c | 13 -
include/grub/powerpc/iee
From: Daniel Axtens
Before adding information about how GRUB is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Review
o: Move storage for grub_crypto_pk_* to crypto.c
docs/grub: Document signing GRUB under UEFI
Sudhakar Kuppusamy (18):
powerpc-ieee1275: Add support for signing GRUB with an appended
signature
pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY
grub-install: Support embedding x509 certi
> On 21 Aug 2025, at 8:38 AM, Gary Lin wrote:
>
> On Thu, Aug 21, 2025 at 10:34:18AM +0800, Gary Lin wrote:
>> On Tue, Aug 19, 2025 at 06:43:15PM +0530, Sudhakar Kuppusamy wrote:
>>> If secure boot is enabled with static key management mode, the trusted
>>> ce
ture
structure (not at the end) so that the final bytes of a signed ELF file
are the appended signature magic.
A subsequent patch documents how to create a GRUB core.img validly signed
under this scheme.
Signed-off-by: Rashmica Gupta
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusa
If Secure Boot is enabled with dynamic key management mode and the
use_static_keys flag is set, then read the static keys as a db default
keys from the ELF Note and add them into the db.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core
etc) use grub_crypto_lookup_cipher_by_name()
to get a cipher handle. That depends on grub_ciphers being populated
by people calling grub_cipher_register. import_gcry.py ensures that the
symmetric ciphers call it.]
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by:
From: Daniel Axtens
Before adding information about how GRUB is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Review
with an appended signature.
3. When append_add_dbx_hash executes, then the certificate/binary
hash file must be signed with an appended signature.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 426 ++-
include
: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/Makefile.core.def | 15 +
grub-core/commands/appendedsig/appendedsig.c | 783 +++
include/grub/err.h | 3
Signing GRUB for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
docs/grub.texi | 401
m for signature verification.
0 - Enable static key management mode. Read keys from the GRUB ELF Note and
use it for signature verification.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/Makefile.am | 2 +
grub-core/Makefile.core.def | 2 +
grub-core
/blob/master/lib/gnutls.asn
- https://github.com/gnutls/gnutls/blob/master/lib/pkix.asn
The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allowing
us to import it without issue.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by
tract the static keys from
the GRUB ELF Note and stored in the db list.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/kern/powerpc/ieee1275/platform_keystore.c | 12 +++-
include/grub/powerpc/iee
These tests are run through all_functional_test and test a range
of commands and behaviours.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/Makefile.core.def | 8
not add that certificate/certificate hash to the db list.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 452 ++-
include/grub/crypto.h| 1 +
include/grub/efi
sabled and enforced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
docs/grub.texi | 2 +-
grub-core/Makefile.core.def| 1 +
grub-core/kern/ieee1275/i
Signature verification: verify the kernel against lists of hashes
that are either in dbx or db list. If it is not in the dbx list
then the trusted keys from the db list are used to verify the signature.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
logs/chris-engel1/2020/11/20/powervm-introduces-the-platform-keystore
Daniel Axtens (2):
crypto: Move storage for grub_crypto_pk_* to crypto.c
docs/grub: Document signing GRUB under UEFI
Sudhakar Kuppusamy (16):
powerpc-ieee1275: Add support for signing GRUB with an appended
signature
pgp:
require an extra NULL byte at the end
- Bit strings because libtasn1 returns the length in bits, not bytes.
If the function returns a non-NULL value, the caller must free it.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/commands/appendedsig/appendedsig.h | 36 ++
grub-core/commands/appendedsig/pkcs7.c | 454 +++
2 files changed
Usage extension and handle
it by verifying that the certificate has a Code Signing usage.
Signed-off-by: Javier Martinez Canillas # EKU support
Reported-by: Michal Suchanek # key usage issue
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by
D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
include/grub/kernel.h | 1 +
include/grub/util/install.h | 3 +++
util/grub-install-common.c | 19 +-
util
ertificate based PGP signature.
Signed-off-by: Alastair D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Daniel Kiper
---
docs/grub.texi | 34 +-
grub-core/commands/pgp.c | 2 +-
include/grub/kernel.h|
Thank you Daniel.
> On 14 Aug 2025, at 7:50 PM, Daniel Kiper wrote:
>
> On Tue, Jul 29, 2025 at 08:21:56PM +0530, Sudhakar Kuppusamy wrote:
>> This explains how appended signatures can be used to form part of
>> a secure boot chain, and documents the commands and va
Thank you Daniel.
> On 13 Aug 2025, at 10:15 PM, Daniel Kiper wrote:
>
> On Tue, Jul 29, 2025 at 08:21:55PM +0530, Sudhakar Kuppusamy wrote:
>> Signing GRUB for firmware that verifies an appended signature is a
>> bit fiddly. I don't want people to have to figure
Thank you Daniel.
> On 13 Aug 2025, at 9:12 PM, Daniel Kiper wrote:
>
> On Tue, Jul 29, 2025 at 08:21:52PM +0530, Sudhakar Kuppusamy wrote:
>> Introducing the following db and dbx commands
>>
>> 1. append_list_db:
>> Show the list of trusted certificat
> On 13 Aug 2025, at 8:13 PM, Daniel Kiper wrote:
>
> On Tue, Jul 29, 2025 at 08:21:51PM +0530, Sudhakar Kuppusamy wrote:
>> If Secure Boot is enabled with dynamic key management mode and the
>> use_static_keys flag is set, then read the static keys as a db default
>
> On 13 Aug 2025, at 8:03 PM, Daniel Kiper wrote:
>
> On Tue, Aug 12, 2025 at 05:16:22PM +0530, Sudhakar Kuppusamy wrote:
>>> On 12 Aug 2025, at 5:00 PM, Daniel Kiper wrote:
>>> On Tue, Aug 12, 2025 at 10:30:55AM +0530, Sudhakar Kuppusamy wrote:
>>>>
> On 12 Aug 2025, at 5:00 PM, Daniel Kiper wrote:
>
> On Tue, Aug 12, 2025 at 10:30:55AM +0530, Sudhakar Kuppusamy wrote:
>> Thank you Daniel.
>>
>>> On 11 Aug 2025, at 9:24 PM, Daniel Kiper wrote:
>>> On Tue, Jul 29, 2025 at 08:
Thank you Daniel.
> On 11 Aug 2025, at 9:24 PM, Daniel Kiper wrote:
>
> On Tue, Jul 29, 2025 at 08:21:46PM +0530, Sudhakar Kuppusamy wrote:
>> Building on the parsers and the ability to embed X.509 certificates, as
>> well as the existing gcrypt functionality, add a
Thank you Daniel.
> On 11 Aug 2025, at 10:51 PM, Daniel Kiper wrote:
>
> On Tue, Jul 29, 2025 at 08:21:48PM +0530, Sudhakar Kuppusamy wrote:
>> If secure boot is enabled with static key management mode, the trusted
>> certificates will be extracted from the GRUB ELF Note
Thank you Daniel.
> On 11 Aug 2025, at 9:54 PM, Daniel Kiper wrote:
>
> On Tue, Jul 29, 2025 at 08:21:47PM +0530, Sudhakar Kuppusamy wrote:
>> Enhancing the infrastructure to enable the Platform Keystore (PKS) feature,
>> which provides access to the SB_VERSION, db
> On 24 Jul 2025, at 2:25 PM, Gary Lin wrote:
>
> On Wed, Jul 09, 2025 at 05:15:21PM +0530, Sudhakar Kuppusamy wrote:
>> From: Daniel Axtens
>>
>> rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme.
>> We want to use it in other RSA si
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
docs/grub.texi | 232
append_add_dbx_hash executes, then the certificate/binary
hash file must be signed.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 377 ++-
include/grub/file.h | 2 +
2 files changed
tract the static keys from
the GRUB ELF Note and stored in the db list.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/kern/powerpc/ieee1275/platform_keystore.c | 12 +++-
include/grub/powerpc/iee