Hi Daniel,

On Wed, Oct 28, 2020 at 12:57:17PM +1100, Daniel Axtens wrote:
> v2: fix the grub-mkimage bug. I haven't changed any libtasn1 licensing
> because I don't think we reached any conclusion on whether anything
> was needed, and if so what.
>
> Part of a secure boot chain is allowing grub to verify the boot
> kernel. For UEFI platforms, this is usually delegated to the shim: see
> shim_lock.c. However, for platforms that do not implement UEFI, an
> alternative scheme is required.
>
> This series teaches grub how to verify Linux kernel-style 'appended
> signatures'. I talked about this in my recent Linux Plumbers talk:
> https://linuxplumbersconf.org/event/7/contributions/738/ and
> https://youtu.be/IJUNxHnopH4?t=510
>
> In very short, an appended signature is a 'dumb' signature over the
> contents of a file. (It is distinct from schemes like Authenticode
> that are aware of the structure of the file and only sign certain
> parts.) The signature is wrapped in a PKCS#7 message, and is appended
> to the signed file along with some metadata and a magic string. The
> signatures are validated against a public key which is usually
> provided as an x509 certificate. Kernels on powerpc are already signed
> with this scheme and can be verified by IMA for kexec.
Sounds interesting. Unfortunately I am not able to take it because GRUB is in code freeze state. I have just reviewed two patches which fix the docs and I will take them. I will take a closer look at the rest of the patch series after release. I hope this is not a problem for you...

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
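The trailer layout the quoted cover letter describes (PKCS#7 blob, metadata, magic string), as an added example that is not code from the patch series or from GRUB: it assumes the Linux kernel's module_signature layout from include/linux/module_signature.h and a detached PKCS#7 blob, locates the trailer, and bounds-checks every length before splitting an image into signed content and signature; verifying the PKCS#7 message against the x509 certificate is left to a library.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Trailer layout assumed to match Linux's include/linux/module_signature.h:
 * signed content, PKCS#7 blob, this 12-byte header, then the magic string. */
#define SIG_MAGIC "~Module signature appended~\n"
#define SIG_MAGIC_LEN (sizeof(SIG_MAGIC) - 1)
#define PKEY_ID_PKCS7 2

struct module_signature {
    uint8_t algo, hash, id_type, signer_len, key_id_len; /* only id_type used */
    uint8_t pad[3];
    uint8_t sig_len[4];   /* big-endian length of the PKCS#7 blob */
};

/* Split 'image' into signed content (the first *content_len bytes) and the
 * PKCS#7 blob (the *sig_len bytes after it). Returns 0 on success, -1 if the
 * trailer is absent or malformed; lengths are checked before any use. */
int parse_appended_sig(const uint8_t *image, size_t len,
                       size_t *content_len, size_t *sig_len)
{
    const size_t fixed = SIG_MAGIC_LEN + sizeof(struct module_signature);
    const struct module_signature *ms;
    size_t n;
    if (len < fixed || memcmp(image + len - SIG_MAGIC_LEN, SIG_MAGIC, SIG_MAGIC_LEN))
        return -1;
    ms = (const struct module_signature *)(image + len - fixed);
    if (ms->id_type != PKEY_ID_PKCS7 || ms->algo || ms->hash ||
        ms->signer_len || ms->key_id_len)
        return -1;
    n = ((size_t)ms->sig_len[0] << 24) | ((size_t)ms->sig_len[1] << 16) |
        ((size_t)ms->sig_len[2] << 8) | ms->sig_len[3];
    if (n == 0 || n > len - fixed) return -1;  /* blob must fit in the image */
    *content_len = len - fixed - n;
    *sig_len = n;
    return 0;
}

/* Constructed sample: "kernel", a 5-byte stand-in for the PKCS#7 blob,
 * a header with sig_len = 5, then the magic string. */
static const uint8_t sample[] = "kernel" "\x30\x03\x02\x01\x01"
    "\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x05" SIG_MAGIC;

/* 1 if the sample splits into 6 bytes of content and 5 bytes of PKCS#7. */
int sample_parses(void)
{
    size_t c, s;
    return parse_appended_sig(sample, sizeof(sample) - 1, &c, &s) == 0 &&
           c == 6 && s == 5;
}
```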