If secure boot is enabled with static key management mode, the trusted certificates will be extracted from the GRUB ELF Note and added to db list. This is introduced by a subsequent patch.
If secure boot is enabled with dynamic key management mode, the trusted certificates and certificate/binary hash will be extracted from the PKS and added to db list. The distrusted certificates, certificate/binary hash are read from the PKS and added to dbx list. Both dbx and db lists are introduced by a subsequent patch. Note:- If the certificate or the certificate hash exists in the dbx list, then do not add that certificate/certificate hash to the db list. Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com> Reviewed-by: Stefan Berger <stef...@linux.ibm.com> Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com> --- grub-core/commands/appendedsig/appendedsig.c | 497 ++++++++++++++++++- include/grub/crypto.h | 1 + include/grub/efi/pks.h | 112 +++++ include/grub/types.h | 4 + 4 files changed, 608 insertions(+), 6 deletions(-) create mode 100644 include/grub/efi/pks.h diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c index 2ddbb3a15..ea65c3988 100644 --- a/grub-core/commands/appendedsig/appendedsig.c +++ b/grub-core/commands/appendedsig/appendedsig.c @@ -33,7 +33,8 @@ #include <libtasn1.h> #include <grub/env.h> #include <grub/lockdown.h> - +#include <grub/efi/pks.h> +#include <grub/powerpc/ieee1275/platform_keystore.h> #include "appendedsig.h" GRUB_MOD_LICENSE ("GPLv3+"); @@ -72,10 +73,21 @@ struct grub_database { struct x509_certificate *certs; /* Certificates. */ grub_uint32_t cert_entries; /* Number of certificates. */ + grub_uint8_t **signatures; /* Certificate/binary hashes. */ + grub_size_t *signature_size; /* Size of certificate/binary hashes. */ + grub_uint32_t signature_entries;/* Number of certificate/binary hashes. */ }; /* The db list is used to validate appended signatures. */ -struct grub_database db = {.certs = NULL, .cert_entries = 0}; +struct grub_database db = {.certs = NULL, .cert_entries = 0, .signatures = NULL, + .signature_size = NULL, .signature_entries = 0}; + +/* + * The dbx list is used to ensure that the distrusted certificates/kernel binaries are + * rejected during appended signatures/hashes validation. + */ +struct grub_database dbx = {.certs = NULL, .cert_entries = 0, .signatures = NULL, + .signature_size = NULL, .signature_entries = 0}; /* Appended signature size. */ static grub_size_t append_sig_len = 0; @@ -98,6 +110,8 @@ static void free_db_list (void); static void build_static_db_list (void); +static void +build_pks_keystore (void); static const char * grub_env_read_sec (struct grub_env_var *var __attribute__ ((unused)), @@ -140,6 +154,145 @@ grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)), const cha return ret; } +static const char * +grub_env_read_key_mgmt (struct grub_env_var *var __attribute__ ((unused)), + const char *val __attribute__ ((unused))) +{ + if (grub_pks_use_keystore == true) + return "dynamic"; + + return "static"; +} + +static char * +grub_env_write_key_mgmt (struct grub_env_var *var __attribute__ ((unused)), const char *val) +{ + char *ret; + + /* + * Do not allow the value to be changed if check_sigs is set to enforce and + * GRUB is locked down. + */ + if (check_sigs == true && grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) + { + ret = grub_strdup (grub_env_read_key_mgmt (NULL, NULL)); + if (ret == NULL) + grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory"); + + return ret; + } + + if ((*val == '1') || (*val == 'd')) + { + /* + * If dynamic key management is disabled and PKS support is available, + * load the PKS. + */ + if (grub_pks_is_support_pks == true && grub_pks_use_keystore == false) + build_pks_keystore (); + + grub_pks_use_keystore = true; + } + else if ((*val == '0') || (*val == 's')) + grub_pks_use_keystore = false; + + ret = grub_strdup (grub_env_read_key_mgmt (NULL, NULL)); + if (ret == NULL) + grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory"); + + return ret; +} + +/* + * GUID can be used to determine the hashing function and + * generate the hash using determined hashing function. + */ +static grub_err_t +get_hash (const grub_packed_guid_t *guid, const grub_uint8_t *data, const grub_size_t data_size, + grub_uint8_t *hash, grub_size_t *hash_size) +{ + gcry_md_spec_t *hash_func = NULL; + + if (guid == NULL) + return grub_error (GRUB_ERR_OUT_OF_RANGE, "GUID is not available"); + + if (grub_memcmp (guid, &GRUB_PKS_CERT_SHA256_GUID, GRUB_PACKED_GUID_SIZE) == 0 || + grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA256_GUID, GRUB_PACKED_GUID_SIZE) == 0) + hash_func = &_gcry_digest_spec_sha256; + else if (grub_memcmp (guid, &GRUB_PKS_CERT_SHA384_GUID, GRUB_PACKED_GUID_SIZE) == 0 || + grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA384_GUID, GRUB_PACKED_GUID_SIZE) == 0) + hash_func = &_gcry_digest_spec_sha384; + else if (grub_memcmp (guid, &GRUB_PKS_CERT_SHA512_GUID, GRUB_PACKED_GUID_SIZE) == 0 || + grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA512_GUID, GRUB_PACKED_GUID_SIZE) == 0) + hash_func = &_gcry_digest_spec_sha512; + else + return grub_error (GRUB_ERR_OUT_OF_RANGE, "unsupported GUID hash"); + + grub_memset (hash, 0, GRUB_MAX_HASH_SIZE); + grub_crypto_hash (hash_func, hash, data, data_size); + *hash_size = hash_func->mdlen; + + return GRUB_ERR_NONE; +} + +/* Add the certificate/binary hash into the db/dbx list. */ +static grub_err_t +add_hash (grub_uint8_t *const data, const grub_size_t data_size, + grub_uint8_t ***signature_list, grub_size_t **signature_size_list, + grub_uint32_t *signature_list_entries) +{ + grub_uint8_t **signatures; + grub_size_t *signature_size; + grub_uint32_t signature_entries = *signature_list_entries; + + if (data == NULL || data_size == 0) + return grub_error (GRUB_ERR_OUT_OF_RANGE, "certificate/binary-hash data or size is not available"); + + signatures = grub_realloc (*signature_list, sizeof (grub_uint8_t *) * (signature_entries + 1)); + if (signatures == NULL) + return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory"); + + signature_size = grub_realloc (*signature_size_list, + sizeof (grub_size_t) * (signature_entries + 1)); + if (signature_size == NULL) + { + /* + * Allocated memory will be freed by + * free_db_list/free_dbx_list. + */ + signatures[signature_entries + 1] = NULL; + *signature_list = signatures; + *signature_list_entries = signature_entries + 1; + + return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory"); + } + + signatures[signature_entries] = grub_malloc (data_size); + if (signatures[signature_entries] != NULL) + grub_memcpy (signatures[signature_entries], data, data_size); + + signature_size[signature_entries] = data_size; + signature_entries++; + + if (signatures[signature_entries] == NULL) + return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory"); + + *signature_list = signatures; + *signature_size_list = signature_size; + *signature_list_entries = signature_entries; + + return GRUB_ERR_NONE; +} + +static bool +is_x509 (const grub_packed_guid_t *guid) +{ + if (grub_memcmp (guid, &GRUB_PKS_CERT_X509_GUID, GRUB_PACKED_GUID_SIZE) == 0) + return true; + + return false; +} + static bool is_cert_match (const struct x509_certificate *distrusted_cert, const struct x509_certificate *db_cert) @@ -154,6 +307,95 @@ is_cert_match (const struct x509_certificate *distrusted_cert, return false; } +/* Check the certificate presence in the Platform Keystore dbx list. */ +static grub_err_t +is_dbx_cert (const struct x509_certificate *db_cert) +{ + grub_err_t rc; + grub_uint32_t i; + struct x509_certificate *distrusted_cert; + + for (i = 0; i < grub_pks_keystore.dbx_entries; i++) + { + if (grub_pks_keystore.dbx[i].data == NULL) + continue; + + if (is_x509 (&grub_pks_keystore.dbx[i].guid) == true) + { + distrusted_cert = grub_zalloc (sizeof (struct x509_certificate)); + if (distrusted_cert == NULL) + return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory"); + + rc = parse_x509_certificate (grub_pks_keystore.dbx[i].data, + grub_pks_keystore.dbx[i].data_size, distrusted_cert); + if (rc != GRUB_ERR_NONE) + { + grub_free (distrusted_cert); + continue; + } + + if (is_cert_match (distrusted_cert, db_cert) == true) + { + grub_dprintf ("appendedsig", "a certificate CN='%s' is ignored " + "because it is on the dbx list\n", db_cert->subject); + return GRUB_ERR_ACCESS_DENIED; + } + + certificate_release (distrusted_cert); + grub_free (distrusted_cert); + } + } + + return GRUB_ERR_NONE; +} + +/* Add the certificate into the db/dbx list */ +static grub_err_t +add_certificate (const grub_uint8_t *data, const grub_size_t data_size, + struct grub_database *database, const bool is_db) +{ + struct x509_certificate *cert; + grub_err_t rc; + grub_uint32_t cert_entries = database->cert_entries; + + if (data == NULL || data_size == 0) + return grub_error (GRUB_ERR_OUT_OF_RANGE, "certificate data or size is not available"); + + cert = grub_zalloc (sizeof (struct x509_certificate)); + if (cert == NULL) + return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory"); + + rc = parse_x509_certificate (data, data_size, cert); + if (rc != GRUB_ERR_NONE) + { + grub_dprintf ("appendedsig", "cannot add a certificate CN='%s' to %s\n", + cert->subject, ((is_db == true) ? "db" : "dbx")); + grub_free (cert); + return rc; + } + + if (is_db == true) + { + rc = is_dbx_cert (cert); + if (rc != GRUB_ERR_NONE) + { + certificate_release (cert); + grub_free (cert); + return rc; + } + } + + grub_dprintf ("appendedsig", "add a certificate CN='%s' to %s", cert->subject, + ((is_db == true) ? "db" : "dbx")); + + cert_entries++; + cert->next = database->certs; + database->certs = cert; + database->cert_entries = cert_entries; + + return rc; +} + static grub_err_t file_read_whole (grub_file_t file, grub_uint8_t **buf, grub_size_t *len) { @@ -653,11 +895,169 @@ static struct grub_fs pseudo_fs = { static grub_command_t cmd_verify, cmd_list_db, cmd_dbx_cert, cmd_db_cert; +/* Check the certificate hash presence in the PKS dbx list. */ +static bool +is_dbx_cert_hash (grub_uint8_t *const data, const grub_size_t data_size) +{ + grub_err_t rc; + grub_uint32_t i; + grub_size_t cert_hash_size = 0; + grub_uint8_t cert_hash[GRUB_MAX_HASH_SIZE] = { 0 }; + + for (i = 0; i < grub_pks_keystore.dbx_entries; i++) + { + if (grub_pks_keystore.dbx[i].data == NULL || + grub_pks_keystore.dbx[i].data_size == 0) + continue; + + rc = get_hash (&grub_pks_keystore.dbx[i].guid, data, data_size, + cert_hash, &cert_hash_size); + if (rc != GRUB_ERR_NONE) + continue; + + if (cert_hash_size == grub_pks_keystore.dbx[i].data_size && + grub_memcmp (grub_pks_keystore.dbx[i].data, cert_hash, cert_hash_size) == 0) + { + grub_dprintf ("appendedsig", "a certificate (%02x%02x%02x%02x) is ignored " + "because this certificate hash is on the dbx list\n", + cert_hash[0], cert_hash[1], cert_hash[2], cert_hash[3]); + return true; + } + } + + return false; +} + +/* Check the binary hash presence in the PKS dbx list. */ +static bool +is_dbx_binary_hash (grub_uint8_t *const binary_hash, const grub_size_t binary_hash_size) +{ + grub_uint32_t i; + + for (i = 0; i < grub_pks_keystore.dbx_entries; i++) + { + if (grub_pks_keystore.dbx[i].data == NULL || + grub_pks_keystore.dbx[i].data_size == 0) + continue; + + if (binary_hash_size == grub_pks_keystore.dbx[i].data_size && + grub_memcmp (grub_pks_keystore.dbx[i].data, binary_hash, binary_hash_size) == 0) + { + grub_dprintf ("appendedsig", "a binary hash (%02x%02x%02x%02x) is ignored" + " because it is on the dbx list\n", binary_hash[0], binary_hash[1], + binary_hash[2], binary_hash[3]); + return true; + } + } + + return false; +} + +/* Add the binary hash to the db list if it does not exist in the PKS dbx list. */ +static grub_err_t +add_db_binary_hash (grub_uint8_t *const data, const grub_size_t data_size) +{ + if (data == NULL || data_size == 0) + return grub_error (GRUB_ERR_OUT_OF_RANGE, "binary hash data or size is not available"); + + if (is_dbx_binary_hash (data, data_size) == false) + return add_hash (data, data_size, &db.signatures, &db.signature_size, + &db.signature_entries); + + return GRUB_ERR_BAD_SIGNATURE; +} + +static bool +is_hash (const grub_packed_guid_t *guid) +{ + /* GUID type of the binary hash. */ + if (grub_memcmp (guid, &GRUB_PKS_CERT_SHA256_GUID, GRUB_PACKED_GUID_SIZE) == 0 || + grub_memcmp (guid, &GRUB_PKS_CERT_SHA384_GUID, GRUB_PACKED_GUID_SIZE) == 0 || + grub_memcmp (guid, &GRUB_PKS_CERT_SHA512_GUID, GRUB_PACKED_GUID_SIZE) == 0) + return true; + + /* GUID type of the certificate hash. */ + if (grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA256_GUID, GRUB_PACKED_GUID_SIZE) == 0 || + grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA384_GUID, GRUB_PACKED_GUID_SIZE) == 0 || + grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA512_GUID, GRUB_PACKED_GUID_SIZE) == 0) + return true; + + return false; +} + +/* Add the X.509 certificates/binary hash to the db list from PKS. */ +static grub_err_t +create_db_list (void) +{ + grub_err_t rc; + grub_uint32_t i; + + for (i = 0; i < grub_pks_keystore.db_entries; i++) + { + if (is_hash (&grub_pks_keystore.db[i].guid) == true) + { + rc = add_db_binary_hash (grub_pks_keystore.db[i].data, + grub_pks_keystore.db[i].data_size); + if (rc == GRUB_ERR_OUT_OF_MEMORY) + return rc; + } + else if (is_x509 (&grub_pks_keystore.db[i].guid) == true) + { + if (is_dbx_cert_hash (grub_pks_keystore.db[i].data, + grub_pks_keystore.db[i].data_size) == true) + continue; + + rc = add_certificate (grub_pks_keystore.db[i].data, + grub_pks_keystore.db[i].data_size, &db, true); + if (rc == GRUB_ERR_OUT_OF_MEMORY) + return rc; + } + else + grub_dprintf ("appendedsig", "unsupported signature data type and " + "skipped (%u)\n", i + 1); + } + + return GRUB_ERR_NONE; +} + +/* Add the certificates and certificate/binary hash to the dbx list from PKS. */ +static grub_err_t +create_dbx_list (void) +{ + grub_err_t rc; + grub_uint32_t i; + + for (i = 0; i < grub_pks_keystore.dbx_entries; i++) + { + if (is_x509 (&grub_pks_keystore.dbx[i].guid) == true) + { + rc = add_certificate (grub_pks_keystore.dbx[i].data, + grub_pks_keystore.dbx[i].data_size, &dbx, false); + if (rc == GRUB_ERR_OUT_OF_MEMORY) + return rc; + } + else if (is_hash (&grub_pks_keystore.dbx[i].guid) == true) + { + rc = add_hash (grub_pks_keystore.dbx[i].data, + grub_pks_keystore.dbx[i].data_size, &dbx.signatures, + &dbx.signature_size, &dbx.signature_entries); + if (rc != GRUB_ERR_NONE) + return rc; + } + else + grub_dprintf ("appendedsig", "unsupported signature data type and " + "skipped (%u)\n", i + 1); + } + + return GRUB_ERR_NONE; +} + /* Free db list memory */ static void free_db_list (void) { struct x509_certificate *cert; + grub_uint32_t i; while (db.certs != NULL) { @@ -667,9 +1067,37 @@ free_db_list (void) grub_free (cert); } + for (i = 0; i < db.signature_entries; i++) + grub_free (db.signatures[i]); + + grub_free (db.signatures); + grub_free (db.signature_size); grub_memset (&db, 0, sizeof (struct grub_database)); } +/* Free dbx list memory */ +static void +free_dbx_list (void) +{ + struct x509_certificate *cert; + grub_uint32_t i; + + while (dbx.certs != NULL) + { + cert = dbx.certs; + dbx.certs = dbx.certs->next; + certificate_release (cert); + grub_free (cert); + } + + for (i = 0; i < dbx.signature_entries; i++) + grub_free (dbx.signatures[i]); + + grub_free (dbx.signatures); + grub_free (dbx.signature_size); + grub_memset (&dbx, 0, sizeof (struct grub_database)); +} + /* * Extract the X.509 certificates from the ELF Note header, * parse it, and add it to the db list. @@ -715,6 +1143,30 @@ build_static_db_list (void) } } +/* + * Extract trusted and distrusted keys from PKS and store them in + * the db and dbx list. + */ +static void +build_pks_keystore (void) +{ + grub_err_t err; + + err = create_db_list (); + if (err != GRUB_ERR_NONE) + grub_printf ("warning: db list might not be fully populated\n"); + + err = create_dbx_list (); + if (err != GRUB_ERR_NONE) + grub_printf ("warning: dbx list might not be fully populated\n"); + + grub_pks_free_keystore (); + grub_dprintf ("appendedsig", "the db list now has %u keys\n" + "the dbx list now has %u keys\n", + db.signature_entries + db.cert_entries, + dbx.signature_entries + dbx.cert_entries); +} + /* It registers the appended signatures GRUB commands. */ static void register_appended_signatures_cmd (void) @@ -763,15 +1215,45 @@ GRUB_MOD_INIT (appendedsig) */ grub_register_variable_hook ("check_appended_signatures", grub_env_read_sec, grub_env_write_sec); grub_env_export ("check_appended_signatures"); + /* + * This is appended signature key management environment variable. + * It is automatically set to "static" or "dynamic" based on the + * ’ibm,secure-boot’ device tree property and Platform KeyStore + * (grub_pks_use_keystore). + * + * "static": Enforce static key management signature verification. + * This is the default. When the GRUB is locked down, + * user cannot change the value by setting the + * appendedsig_key_mgmt variable back to "dynamic". + * + * "dynamic": Enforce dynamic key management signature verification. + * When the GRUB is locked down, user cannot change the value + * by setting the appendedsig_key_mgmt variable back to "static". + */ + grub_register_variable_hook ("appendedsig_key_mgmt", grub_env_read_key_mgmt, + grub_env_write_key_mgmt); + grub_env_export ("appendedsig_key_mgmt"); rc = asn1_init (); if (rc != ASN1_SUCCESS) grub_fatal ("error initing ASN.1 data structures: %d: %s\n", rc, asn1_strerror (rc)); - /* Extract trusted keys from ELF Note and store them in the db. */ - build_static_db_list (); - grub_dprintf ("appendedsig", "the db list now has %u static keys\n", - db.cert_entries); + /* + * If signature verification is enabled with the static key management, + * extract trusted keys from ELF Note and store them in the db list. + */ + if (grub_pks_use_keystore == false) + { + build_static_db_list (); + grub_dprintf ("appendedsig", "the db list now has %u static keys\n", + db.cert_entries); + } + /* + * If signature verification is enabled with the dynamic key management, + * load the Platform KeyStore(PKS). + */ + else if (grub_pks_use_keystore == true) + build_pks_keystore (); register_appended_signatures_cmd (); grub_verifier_register (&grub_appendedsig_verifier); @@ -786,8 +1268,11 @@ GRUB_MOD_FINI (appendedsig) */ free_db_list (); + free_dbx_list (); grub_register_variable_hook ("check_appended_signatures", NULL, NULL); grub_env_unset ("check_appended_signatures"); + grub_register_variable_hook ("appendedsig_key_mgmt", NULL, NULL); + grub_env_unset ("appendedsig_key_mgmt"); grub_verifier_unregister (&grub_appendedsig_verifier); unregister_appended_signatures_cmd (); } diff --git a/include/grub/crypto.h b/include/grub/crypto.h index b0d7add1d..00d074df8 100644 --- a/include/grub/crypto.h +++ b/include/grub/crypto.h @@ -510,6 +510,7 @@ grub_crypto_hmac_buffer (const struct gcry_md_spec *md, extern gcry_md_spec_t _gcry_digest_spec_md5; extern gcry_md_spec_t _gcry_digest_spec_sha1; extern gcry_md_spec_t _gcry_digest_spec_sha256; +extern gcry_md_spec_t _gcry_digest_spec_sha384; extern gcry_md_spec_t _gcry_digest_spec_sha512; extern gcry_md_spec_t _gcry_digest_spec_crc32; extern gcry_cipher_spec_t _gcry_cipher_spec_aes; diff --git a/include/grub/efi/pks.h b/include/grub/efi/pks.h new file mode 100644 index 000000000..ff306f591 --- /dev/null +++ b/include/grub/efi/pks.h @@ -0,0 +1,112 @@ +/* + * Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved. This + * program and the accompanying materials are licensed and made available + * under the terms and conditions of the 2-Clause BSD License which + * accompanies this distribution. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * https://github.com/tianocore/edk2-staging (edk2-staging repo of tianocore), + * the ImageAuthentication.h file under it, and here's the copyright and license. + * + * MdePkg/Include/Guid/ImageAuthentication.h + * + * Copyright 2022, 2023, 2024, 2025 IBM Corp. + */ + +#ifndef PKS_HEADER +#define PKS_HEADER 1 + +#include <grub/types.h> + +/* + * It is derived from EFI_CERT_X509_GUID. + * https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h + */ +#define GRUB_PKS_CERT_X509_GUID \ + (grub_guid_t) \ + { 0xa159c0a5, 0xe494, 0xa74a, \ + { 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 } \ + } + +/* + * It is derived from EFI_CERT_SHA256_GUID. + * https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h + */ +#define GRUB_PKS_CERT_SHA256_GUID \ + (grub_guid_t) \ + { 0x2616c4c1, 0x4c50, 0x9240, \ + { 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 } \ + } + +/* + * It is derived from EFI_CERT_SHA384_GUID. + * https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h + */ +#define GRUB_PKS_CERT_SHA384_GUID \ + (grub_guid_t) \ + { 0x07533eff, 0xd09f, 0xc948, \ + { 0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1 } \ + } + +/* + * It is derived from EFI_CERT_SHA512_GUID. + * https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h + */ +#define GRUB_PKS_CERT_SHA512_GUID \ + (grub_guid_t) \ + { 0xae0f3e09, 0xc4a6, 0x504f, \ + { 0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a } \ + } + +/* + * It is derived from EFI_CERT_X509_SHA256_GUID. + * https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h + */ +#define GRUB_PKS_CERT_X509_SHA256_GUID \ + (grub_guid_t) \ + { 0x92a4d23b, 0xc096, 0x7940, \ + { 0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed } \ + } + +/* + * It is derived from EFI_CERT_X509_SHA384_GUID. + * https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h + */ +#define GRUB_PKS_CERT_X509_SHA384_GUID \ + (grub_guid_t) \ + { 0x6e877670, 0xc280, 0xe64e, \ + { 0xaa, 0xd2, 0x28, 0xb3, 0x49, 0xa6, 0x86, 0x5b } \ + } + +/* + * It is derived from EFI_CERT_X509_SHA512_GUID. + * https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h + */ +#define GRUB_PKS_CERT_X509_SHA512_GUID \ + (grub_guid_t) \ + { 0x63bf6d44, 0x0225, 0xda4c, \ + { 0xbc, 0xfa, 0x24, 0x65, 0xd2, 0xb0, 0xfe, 0x9d } \ + } + +#endif diff --git a/include/grub/types.h b/include/grub/types.h index 45079bf65..b3ba762fc 100644 --- a/include/grub/types.h +++ b/include/grub/types.h @@ -379,6 +379,8 @@ struct grub_guid } __attribute__ ((aligned(4))); typedef struct grub_guid grub_guid_t; +#define GRUB_GUID_SIZE (sizeof (grub_guid_t)) + struct grub_packed_guid { grub_uint32_t data1; @@ -388,4 +390,6 @@ struct grub_packed_guid } GRUB_PACKED; typedef struct grub_packed_guid grub_packed_guid_t; +#define GRUB_PACKED_GUID_SIZE (sizeof (grub_packed_guid_t)) + #endif /* ! GRUB_TYPES_HEADER */ -- 2.39.5 (Apple Git-154) _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel