This patch set contains the long-awaited v3 for secure boot using appended signatures on powerpc.

The v2 series is at
https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00044.html

This series is based on the latest memory rework series I sent
(https://lists.gnu.org/archive/html/grub-devel/2022-04/msg00064.html) minus the RFC. (See github.com/daxtens/grub branch mem+appsig-2204 for precise patches.) I have not included those patches in this posting.

The series consists of 3 main parts:

1) Patches 1-3: signing grub.elf with an appended signature

Part of a secure boot chain is allowing boot firmware to verify the grub core image. For UEFI platforms, this is done by signing the PE binary with a tool like pesign or sb-sign. However, for platforms that don't implement UEFI, an alternative scheme is required.

These patches provide some infrastructure and documentation for signing grub's core.elf with a Linux-kernel-module style appended signature.

An appended signature is a 'dumb' signature over the contents of a file. (It is distinct from schemes like Authenticode that are aware of the structure of the file and only sign certain parts.) The signature is wrapped in a PKCS#7 message, and is appended to the signed file along with some metadata and a magic string. The signatures are validated against a public key which is usually provided as an x509 certificate.

Because some platforms, such as powerpc-ieee1275, may load grub from a raw disk partition rather than a filesystem, we extend grub-install to add an ELF note that allows us to specify the size and location of the signature.

2) Patches 4 - 18: Teach grub to verify appended signatures

Part of a secure boot chain is allowing grub to verify the boot kernel. For UEFI platforms, this is usually delegated to the shim. However, for platforms that do not implement UEFI, an alternative scheme is required.

This part teaches grub how to verify Linux kernel-style appended signatures. Kernels on powerpc are already signed with this scheme and can be verified by IMA for kexec.

As PKCS#7 messages and x509 certificates are both based on ASN.1, we import libtasn1 to parse them. Because ASN.1 isn't self-documenting, we import from GNUTLS the information we need to navigate their structure.

This section is composed of the following patches:

 - patch 4 is a small fix to allow persistent modules to work on the emu target.

 - patches 5 and 6 are small refactorings.

 - patch 7 prepares posix_wrap for importing libtasn1

 - patches 8 through 12 import libtasn1 and add tests. I've taken a different approach from gcrypt. We import gcrypt via a script that transforms the code into something that works for grub. Rather than taking that approach, we import libtasn1 through first just copying a subset of the code in (patch 8), then disabling parts we don't need for grub (patch 9), making changes for grub compatibility (patch 10) and then compiling it into a module (patch 11) and testing it (patch 12). This means that should we want to upgrade our version of libtasn1, we should be able to copy the new files in (repeat the process in patch 8) and then just cherry-pick/reapply patches 9 and 10 to repeat the process of disabling unused code and making grub compatibility fixes.

 - patch 13 allows x509 certificates to be built in to the grub core in much the same way as PGP keys.

 - patch 14 brings in the code from GNUTLS that allows us to parse PKCS#7 and x509 with libtasn1.

 - patch 15 is our PKCS#7 and x509 parser. They're minimal and fairly strict parsers that extract only the bits we need to verify the signatures.

 - patch 16 is the guts of the appended signature verifier. It uses the verifier infrastructure like pgp, and adds a number of user-friendly commands that mirror the pgp module.

 - patch 17 adds tests, and patch 18 adds documentation.

3) Patch 19: Enter lockdown if in powerpc secure boot

Detect if the DT property advertising SB is set, and enter lockdown if it is. The main appended signature module now tests for lockdown to enter 'forced' mode.

Thanks to Stefan Berger for providing further review comments on v2.

I've pushed this all to https://github.com/daxtens/grub/tree/mem+appsig-2204

This patch series is easy to experiment with. In particular, the appended signature verifier doesn't require any particular platform.

Alastair D'Silva (1):
  grub-install: support embedding x509 certificates

Daniel Axtens (17):
  docs/grub: Document signing grub under UEFI
  docs/grub: Document signing grub with an appended signature
  dl: provide a fake grub_dl_set_persistent for the emu target
  pgp: factor out rsa_pad
  crypto: move storage for grub_crypto_pk_* to crypto.c
  posix_wrap: tweaks in preparation for libtasn1
  libtasn1: import libtasn1-4.18.0
  libtasn1: disable code not needed in grub
  libtasn1: changes for grub compatibility
  libtasn1: compile into asn1 module
  test_asn1: test module for libtasn1
  appended signatures: import GNUTLS's ASN.1 description files
  appended signatures: parse PKCS#7 signedData and X.509 certificates
  appended signatures: support verifying appended signatures
  appended signatures: verification tests
  appended signatures: documentation
  ieee1275: enter lockdown based on /ibm,secure-boot

Rashmica Gupta (1):
  Add suport for signing grub with an appended signature

 .gitignore | 1 +
 Makefile.util.def | 6 +
 docs/grub.texi | 259 +-
 grub-core/Makefile.core.def | 57 +
 grub-core/commands/appendedsig/appendedsig.c | 662 +++++
 grub-core/commands/appendedsig/appendedsig.h | 119 +
 grub-core/commands/appendedsig/asn1util.c | 104 +
 .../commands/appendedsig/gnutls_asn1_tab.c | 121 +
 grub-core/commands/appendedsig/pkcs7.c | 512 ++++
 .../commands/appendedsig/pkix_asn1_tab.c | 484 ++++
 grub-core/commands/appendedsig/x509.c | 1082 +++++++
 grub-core/commands/pgp.c | 34 +-
 grub-core/kern/ieee1275/init.c | 27 +
 grub-core/lib/crypto.c | 4 +
 grub-core/lib/libtasn1/COPYING | 16 +
 grub-core/lib/libtasn1/README.md | 98 +
 grub-core/lib/libtasn1/lib/coding.c | 1433 ++++++++++
 grub-core/lib/libtasn1/lib/decoding.c | 2504 +++++++++++++++++
 grub-core/lib/libtasn1/lib/element.c | 1110 ++++++++
 grub-core/lib/libtasn1/lib/element.h | 42 +
 grub-core/lib/libtasn1/lib/errors.c | 103 +
 grub-core/lib/libtasn1/lib/gstr.c | 74 +
 grub-core/lib/libtasn1/lib/gstr.h | 50 +
 grub-core/lib/libtasn1/lib/int.h | 221 ++
 grub-core/lib/libtasn1/lib/parser_aux.c | 1179 ++++++++
 grub-core/lib/libtasn1/lib/parser_aux.h | 172 ++
 grub-core/lib/libtasn1/lib/structure.c | 1227 ++++++++
 grub-core/lib/libtasn1/lib/structure.h | 46 +
 .../tests/CVE-2018-1000654-1_asn1_tab.h | 32 +
 .../tests/CVE-2018-1000654-2_asn1_tab.h | 36 +
 .../libtasn1_wrap/tests/CVE-2018-1000654.c | 61 +
 .../lib/libtasn1_wrap/tests/Test_overflow.c | 138 +
 .../lib/libtasn1_wrap/tests/Test_simple.c | 207 ++
 .../lib/libtasn1_wrap/tests/Test_strings.c | 150 +
 .../libtasn1_wrap/tests/object-id-decoding.c | 116 +
 .../libtasn1_wrap/tests/object-id-encoding.c | 120 +
 .../lib/libtasn1_wrap/tests/octet-string.c | 211 ++
 .../lib/libtasn1_wrap/tests/reproducers.c | 81 +
 grub-core/lib/libtasn1_wrap/wrap.c | 27 +
 grub-core/lib/libtasn1_wrap/wrap_tests.c | 76 +
 grub-core/lib/libtasn1_wrap/wrap_tests.h | 39 +
 grub-core/lib/pkcs1_v15.c | 59 +
 grub-core/lib/posix_wrap/limits.h | 1 +
 grub-core/lib/posix_wrap/stdlib.h | 8 +
 grub-core/lib/posix_wrap/sys/types.h | 1 +
 grub-core/tests/appended_signature_test.c | 275 ++
 grub-core/tests/appended_signatures.h | 975 +++++++
 grub-core/tests/lib/functional_test.c | 1 +
 include/grub/dl.h | 11 +
 include/grub/file.h | 2 +
 include/grub/kernel.h | 3 +-
 include/grub/libtasn1.h | 641 +++++
 include/grub/lockdown.h | 3 +-
 include/grub/pkcs1_v15.h | 27 +
 include/grub/util/install.h | 15 +-
 include/grub/util/mkimage.h | 4 +-
 tests/test_asn1.in | 12 +
 util/grub-install-common.c | 37 +-
 util/grub-mkimage.c | 26 +-
 util/grub-mkimagexx.c | 39 +-
 util/mkimage.c | 54 +-
 61 files changed, 15161 insertions(+), 74 deletions(-)
 create mode 100644 grub-core/commands/appendedsig/appendedsig.c
 create mode 100644 grub-core/commands/appendedsig/appendedsig.h
 create mode 100644 grub-core/commands/appendedsig/asn1util.c
 create mode 100644 grub-core/commands/appendedsig/gnutls_asn1_tab.c
 create mode 100644 grub-core/commands/appendedsig/pkcs7.c
 create mode 100644 grub-core/commands/appendedsig/pkix_asn1_tab.c
 create mode 100644 grub-core/commands/appendedsig/x509.c
 create mode 100644 grub-core/lib/libtasn1/COPYING
 create mode 100644 grub-core/lib/libtasn1/README.md
 create mode 100644 grub-core/lib/libtasn1/lib/coding.c
 create mode 100644 grub-core/lib/libtasn1/lib/decoding.c
 create mode 100644 grub-core/lib/libtasn1/lib/element.c
 create mode 100644 grub-core/lib/libtasn1/lib/element.h
 create mode 100644 grub-core/lib/libtasn1/lib/errors.c
 create mode 100644 grub-core/lib/libtasn1/lib/gstr.c
 create mode 100644 grub-core/lib/libtasn1/lib/gstr.h
 create mode 100644 grub-core/lib/libtasn1/lib/int.h
 create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.c
 create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.h
 create mode 100644 grub-core/lib/libtasn1/lib/structure.c
 create mode 100644 grub-core/lib/libtasn1/lib/structure.h
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654-1_asn1_tab.h
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654-2_asn1_tab.h
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_overflow.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_simple.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_strings.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/object-id-decoding.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/object-id-encoding.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/octet-string.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/reproducers.c
 create mode 100644 grub-core/lib/libtasn1_wrap/wrap.c
 create mode 100644 grub-core/lib/libtasn1_wrap/wrap_tests.c
 create mode 100644 grub-core/lib/libtasn1_wrap/wrap_tests.h
 create mode 100644 grub-core/lib/pkcs1_v15.c
 create mode 100644 grub-core/tests/appended_signature_test.c
 create mode 100644 grub-core/tests/appended_signatures.h
 create mode 100644 include/grub/libtasn1.h
 create mode 100644 include/grub/pkcs1_v15.h
 create mode 100644 tests/test_asn1.in

--
2.32.0
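
An added example, not code from this series: splitting a file that carries the appended signature described in part 1 into the bytes the signature covers and the PKCS#7 blob. It assumes the trailer layout of Linux kernel module signing (PKCS#7, 12 bytes of metadata, magic string); `appsig_split` and `appsig_demo` are hypothetical names and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (Linux module signing format):
   [signed data][PKCS#7 DER][12-byte metadata][magic string] */
#define MAGIC     "~Module signature appended~\n"
#define MAGIC_LEN (sizeof(MAGIC) - 1)
#define META_LEN  12u   /* algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len */
#define ID_PKCS7  2     /* id_type value for a PKCS#7 signature */

/* Hypothetical helper: locate the signed data and the PKCS#7 blob in buf.
   Returns the signed-data length, or a negative code for a bad trailer. */
long appsig_split(const uint8_t *buf, size_t len, const uint8_t **sig, size_t *sig_len)
{
    if (len < MAGIC_LEN + META_LEN)
        return -1;                               /* too short to carry a trailer */
    if (memcmp(buf + len - MAGIC_LEN, MAGIC, MAGIC_LEN) != 0)
        return -2;                               /* magic missing: file is unsigned */
    len -= MAGIC_LEN + META_LEN;
    const uint8_t *m = buf + len;                /* start of the metadata block */
    if (m[2] != ID_PKCS7 || (m[0] | m[1] | m[3] | m[4] | m[5] | m[6] | m[7]))
        return -3;                               /* only PKCS#7 with zeroed fields is valid */
    uint32_t n = (uint32_t)m[8] << 24 | (uint32_t)m[9] << 16 | (uint32_t)m[10] << 8 | m[11];
    if (n == 0 || n >= len)
        return -4;                               /* untrusted length leaves no signed data */
    *sig = buf + len - n;
    *sig_len = n;
    return (long)(len - n);
}

/* Constructed sample: 6 data bytes, a 4-byte stand-in for the PKCS#7 blob,
   and a trailer whose sig_len field is set to `claimed`. */
long appsig_demo(uint32_t claimed)
{
    uint8_t f[64] = "KERNEL\x30\x02\x05";        /* data + fake DER; rest is zero */
    const uint8_t *sig; size_t sig_len, off = 10;
    f[off + 2] = ID_PKCS7;
    f[off + 8] = (uint8_t)(claimed >> 24); f[off + 9] = (uint8_t)(claimed >> 16);
    f[off + 10] = (uint8_t)(claimed >> 8); f[off + 11] = (uint8_t)claimed;
    memcpy(f + off + META_LEN, MAGIC, MAGIC_LEN);
    return appsig_split(f, off + META_LEN + MAGIC_LEN, &sig, &sig_len);
}

int main(void)
{
    printf("%ld %ld\n", appsig_demo(4), appsig_demo(1000));
    return 0;
}
```

The length field sits in the unsigned trailer, so it is bounds-checked before any pointer is derived from it; the PKCS#7 blob it locates still has to be verified against a trusted certificate.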