Re: [External] Re: [PATCH] BugFix: grub menu gets stuck due to unserialized rdtsc

[段亚勇 via Grub-devel]

Hi,

That's alright!
May I know if the first patch is allowed to be merged? And how long will it
be merged approximately？
So that I can track it after that time! Thanks!
---
Best Regards,
Will Duan  Data-SYS-STE-OS
3F, T2B, Xinjiangwan Square, Yangpu District, Shanghai
---
From: "Daniel Kiper"
Date: Tue, Feb 25, 2025, 23:35
Subject: [External] Re: [PATCH] BugFix: grub menu gets stuck due to
unserialized rdtsc
To: "段亚勇"
Cc: , , <
jinke@bytedance.com>, , <
likunkun@bytedance.com>, "Li Yongqiang", "Sun
Ming"
Hi,

On Mon, Feb 24, 2025 at 10:41:38PM -0800, 段亚勇 wrote:
> Hello Daniel,
> May I know the Merge Plan of Grub Master branch?
> From this time, we almost check grub master changes every day
> and take enough patience to wait for the bugfix to be merged.
> But we found the recent update of master branch has no our
> two bugfix patches. If there are any extra problems, we sincerely hope
> we can know it, so that we can plan our OS release.
>
> Our two bugfix patches:
> https://lists.gnu.org/archive/html/grub-devel/2024-11/msg00222.html
> https://lists.gnu.org/archive/html/grub-devel/2025-01/msg00051.html

The second one is queued for push. It should happen no later than by
the end of the week. Sorry for delay...

Daniel
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Re: [PATCH v1 09/21] appended signatures: parse PKCS#7 signedData and X.509 certificates

[sudhakar]

On 2024-12-29 01:16, Stefan Berger wrote:

On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:

From: Daniel Axtens 

This code allows us to parse:

  - PKCS#7 signedData messages. Only a single signerInfo is supported,
which is all that the Linux sign-file utility supports creating
out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported.
Any certificate embedded in the PKCS#7 message will be ignored.

  - X.509 certificates: at least enough to verify the signatures on 
the
PKCS#7 messages. We expect that the certificates embedded in grub 
will
be leaf certificates, not CA certificates. The parser enforces 
this.


  - X.509 certificates support the Extended Key Usage extension and 
handle
it by verifying that the certificate has a single purpose, that is 
code
signing. This is required because Red Hat certificates have both 
Key

Usage and Extended Key Usage extensions present.

Signed-off-by: Javier Martinez Canillas  # EKU 
support

Reported-by: Michal Suchanek  # key usage issue
Signed-off-by: Daniel Axtens 
Signed-off-by: Sudhakar Kuppusamy 
---
  grub-core/commands/appendedsig/appendedsig.h | 110 +++
  grub-core/commands/appendedsig/asn1util.c|  99 ++
  grub-core/commands/appendedsig/pkcs7.c   | 473 +
  grub-core/commands/appendedsig/x509.c| 981 
+++

  4 files changed, 1663 insertions(+)
  create mode 100644 grub-core/commands/appendedsig/appendedsig.h
  create mode 100644 grub-core/commands/appendedsig/asn1util.c
  create mode 100644 grub-core/commands/appendedsig/pkcs7.c
  create mode 100644 grub-core/commands/appendedsig/x509.c

diff --git a/grub-core/commands/appendedsig/appendedsig.h 
b/grub-core/commands/appendedsig/appendedsig.h

new file mode 100644
index 0..fa59302c8
--- /dev/null
+++ b/grub-core/commands/appendedsig/appendedsig.h
@@ -0,0 +1,110 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2020, 2022 Free Software Foundation, Inc.
+ *  Copyright (C) 2020, 2022 IBM Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published 
by

+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see .
+ */
+
+#include 
+#include 
+
+extern asn1_node _gnutls_gnutls_asn;
+extern asn1_node _gnutls_pkix_asn;
+
+#define MAX_OID_LEN 32
+
+/*
+ * One or more x509 certificates.
+ * We do limited parsing: extracting only the serial, CN and RSA 
public key.

+ */
+struct x509_certificate
+{
+  struct x509_certificate *next;
+  grub_uint8_t *serial;
+  grub_size_t serial_len;
+  char *subject;
+  grub_size_t subject_len;
+  /* We only support RSA public keys. This encodes [modulus, 
publicExponent] */

+  gcry_mpi_t mpis[2];
+};
+
+/*
+ * A PKCS#7 signedData signerInfo.
+ */
+struct pkcs7_signerInfo
+{
+  const gcry_md_spec_t *hash;
+  gcry_mpi_t sig_mpi;
+};
+
+/*
+ * A PKCS#7 signedData message.
+ * We make no attempt to match intelligently, so we don't save any 
info about

+ * the signer.
+ */
+struct pkcs7_signedData
+{
+  int signerInfo_count;
+  struct pkcs7_signerInfo *signerInfos;
+};
+
+/* Do libtasn1 init */
+int
+asn1_init (void);
+
+/*
+ * Import a DER-encoded certificate at 'data', of size 'size'.
+ * Place the results into 'results', which must be already allocated.
+ */
+grub_err_t
+parse_x509_certificate (const void *data, grub_size_t size, struct 
x509_certificate *results);

+
+/*
+ * Release all the storage associated with the x509 certificate.
+ * If the caller dynamically allocated the certificate, it must free 
it.

+ * The caller is also responsible for maintenance of the linked list.
+ */
+void
+certificate_release (struct x509_certificate *cert);
+
+/*
+ * Parse a PKCS#7 message, which must be a signedData message.
+ * The message must be in 'sigbuf' and of size 'data_size'. The 
result is

+ * placed in 'msg', which must already be allocated.
+ */
+grub_err_t
+parse_pkcs7_signedData (const void *sigbuf, grub_size_t data_size, 
struct pkcs7_signedData *msg);

+
+/*
+ * Release all the storage associated with the PKCS#7 message.
+ * If the caller dynamically allocated the message, it must free it.
+ */
+void
+pkcs7_signedData_release (struct pkcs7_signedData *msg);
+
+/*
+ * Read a value from an ASN1 node, allocating memory to store it.
+ * It will work for anything where the size libtasn1 returns is 
right:

+ *  - Integers
+ *  - Octet strings
+ *  - DER encoding of other structures
+ * It will _not_ work for things where libtasn1 size requires 
adjustment:

+ *  

Re: [PATCH v1 01/21] powerpc-ieee1275: Add support for signing grub with an appended signature

[sudhakar]

On 2024-12-27 20:28, Stefan Berger wrote:

On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:

From: Rashmica Gupta 

Add infrastructure to allow firmware to verify the integrity of grub
by use of a Linux-kernel-module-style appended signature. We initially
target powerpc-ieee1275, but the code should be extensible to other
platforms.

Usually these signatures are appended to a file without modifying the
ELF file itself. (This is what the 'sign-file' tool does, for 
example.)
The verifier loads the signed file from the file system and looks at 
the
end of the file for the appended signature. However, on 
powerpc-ieee1275
platforms, the bootloader is often stored directly in the PReP 
partition
as raw bytes without a file-system. This makes determining the 
location

of an appended signature more difficult.

To address this, we add a new ELF note.

The name field of shall be the string "Appended-Signature", 
zero-padded
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII 
values
for the string "ASig"). It must be the final section in the ELF 
binary.


The description shall contain the appended signature structure as 
defined
by the Linux kernel. The description will also be padded to be a 
multiple

of 4 bytes. The padding shall be added before the appended signature
structure (not at the end) so that the final bytes of a signed ELF 
file

are the appended signature magic.

A subsequent patch documents how to create a grub core.img validly 
signed

under this scheme.

Signed-off-by: Rashmica Gupta 
Signed-off-by: Daniel Axtens 
Signed-off-by: Sudhakar Kuppusamy 
---
  include/grub/util/install.h |  7 +--
  include/grub/util/mkimage.h |  4 ++--
  util/grub-install-common.c  | 15 ---
  util/grub-mkimage.c | 11 +++
  util/grub-mkimagexx.c   | 38 
-

  util/mkimage.c  |  6 +++---
  6 files changed, 70 insertions(+), 11 deletions(-)

diff --git a/include/grub/util/install.h b/include/grub/util/install.h
index 5c0a52ca2..3aabc4285 100644
--- a/include/grub/util/install.h
+++ b/include/grub/util/install.h
@@ -69,6 +69,8 @@
N_("disable shim_lock verifier"), 0 },\
{ "disable-cli", GRUB_INSTALL_OPTIONS_DISABLE_CLI, 0, 0,  \
  N_("disabled command line interface access"), 0 },  \
+  { "appended-signature-size", 
GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,  \
+"SIZE", 0, N_("Add a note segment reserving SIZE bytes for an 
appended signature"), 1}, \

{ "verbose", 'v', 0, 0,   \
  N_("print verbose messages."), 1 }
  @@ -132,7 +134,8 @@ enum grub_install_options {
GRUB_INSTALL_OPTIONS_DTB,
GRUB_INSTALL_OPTIONS_SBAT,
GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK,
-  GRUB_INSTALL_OPTIONS_DISABLE_CLI
+  GRUB_INSTALL_OPTIONS_DISABLE_CLI,
+  GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE
  };
extern char *grub_install_source_directory;
@@ -192,7 +195,7 @@ grub_install_generate_image (const char *dir, 
const char *prefix,

 size_t npubkeys,
 char *config_path,
 const struct grub_install_image_target_desc 
*image_target,
-int note,
+int note, size_t appsig_size,
 grub_compression_t comp, const char *dtb_file,
 const char *sbat_path, const int disable_shim_lock,
 const int disable_cli);
diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
index 9d74f82c5..0d40383eb 100644
--- a/include/grub/util/mkimage.h
+++ b/include/grub/util/mkimage.h
@@ -51,12 +51,12 @@ grub_mkimage_load_image64 (const char 
*kernel_path,

   const struct grub_install_image_target_desc 
*image_target);
  void
  grub_mkimage_generate_elf32 (const struct 
grub_install_image_target_desc *image_target,

-int note, char *sbat, char **core_img, size_t 
*core_size,
+			 int note, char *sbat, size_t appsig_size, char **core_img, 
size_t *core_size,

 Elf32_Addr target_addr,
 struct grub_mkimage_layout *layout);
  void
  grub_mkimage_generate_elf64 (const struct 
grub_install_image_target_desc *image_target,

-int note, char *sbat, char **core_img, size_t 
*core_size,
+			 int note, char *sbat, size_t appsig_size, char **core_img, 
size_t *core_size,

 Elf64_Addr target_addr,
 struct grub_mkimage_layout *layout);
  diff --git a/util/grub-install-common.c b/util/grub-install-common.c
index 22bccb6a3..22f0e56cb 100644
--- a/util/grub-install-common.c
+++ b/util/grub-install-common.c
@@ -467,10 +467,12 @@ static char *sbat;
  static int disable_shim_lock;
  static grub_compression_t compression;
  static 

Re: [PATCH v1 14/21] ieee1275: Platform Keystore (PKS) Support

[sudhakar]

On 2024-12-31 03:44, Stefan Berger wrote:

On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
enhancing the infrastructure to enable the Platform Keystore (PKS) 
feature,
which provides access to the SB VERSION, DB, and DBX secure boot 
variables

from PKS.

Signed-off-by: Sudhakar Kuppusamy 
---
  grub-core/kern/ieee1275/ieee1275.c | 117 
+


Since this is pSeries-specific stuff I wonder whether this should not
rather go into include/grub/powerpc/ieee1275/ieee1275.h and
grub-core/kern/powerpc/ieee1275/ieee1275.c ?


Thank you Stefan.
yes. This should go into pSeries-specific. moved it to pSeries-specific.





  include/grub/ieee1275/ieee1275.h   |  14 
  2 files changed, 131 insertions(+)

diff --git a/grub-core/kern/ieee1275/ieee1275.c 
b/grub-core/kern/ieee1275/ieee1275.c

index 36ca2dbfc..8d0048844 100644
--- a/grub-core/kern/ieee1275/ieee1275.c
+++ b/grub-core/kern/ieee1275/ieee1275.c
@@ -807,3 +807,120 @@ grub_ieee1275_get_block_size 
(grub_ieee1275_ihandle_t ihandle)

  return args.size;
  }
+
+int
+grub_ieee1275_test (const char *name, grub_ieee1275_cell_t *missing)
+{
+  struct test_args
+  {
+struct grub_ieee1275_common_hdr common;
+grub_ieee1275_cell_t name;
+grub_ieee1275_cell_t missing;
+  } args;
+
+  INIT_IEEE1275_COMMON (&args.common, "test", 1, 1);
+  args.name = (grub_ieee1275_cell_t) name;
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+return -1;
+
+  if (args.missing == IEEE1275_CELL_INVALID)
+return -1;
+
+  *missing = args.missing;
+
+  return 0;
+}
+
+int
+grub_ieee1275_pks_max_object_size (grub_size_t *result)
+{
+  struct mos_args
+  {
+struct grub_ieee1275_common_hdr common;
+grub_ieee1275_cell_t size;
+  } args;
+
+  INIT_IEEE1275_COMMON (&args.common, "pks-max-object-size", 0, 1);
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+return -1;
+
+  if (args.size == IEEE1275_CELL_INVALID)
+return -1;
+
+  *result = args.size;
+
+  return 0;
+}
+
+int
+grub_ieee1275_pks_read_object (grub_uint8_t consumer, grub_uint8_t 
*label,
+   grub_size_t label_len, grub_uint8_t 
*buffer,
+   grub_size_t buffer_len, grub_size_t 
*data_len,

+   grub_uint32_t *policies)
+{
+  struct pks_read_args
+  {
+struct grub_ieee1275_common_hdr common;
+grub_ieee1275_cell_t consumer;
+grub_ieee1275_cell_t label;
+grub_ieee1275_cell_t label_len;
+grub_ieee1275_cell_t buffer;
+grub_ieee1275_cell_t buffer_len;
+grub_ieee1275_cell_t data_len;
+grub_ieee1275_cell_t policies;
+grub_ieee1275_cell_t rc;
+  } args;
+
+  INIT_IEEE1275_COMMON (&args.common, "pks-read-object", 5, 3);
+  args.consumer = (grub_ieee1275_cell_t) consumer;
+  args.label = (grub_ieee1275_cell_t) label;
+  args.label_len = (grub_ieee1275_cell_t) label_len;
+  args.buffer = (grub_ieee1275_cell_t) buffer;
+  args.buffer_len = (grub_ieee1275_cell_t) buffer_len;
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+return -1;
+
+  if (args.data_len == IEEE1275_CELL_INVALID)
+return -1;
+
+  *data_len = args.data_len;
+  *policies = args.policies;
+
+  return (int) args.rc;
+}
+
+int
+grub_ieee1275_pks_read_sbvar (grub_uint8_t sbvarflags, grub_uint8_t 
sbvartype,
+  grub_uint8_t *buffer, grub_size_t 
buffer_len,

+  grub_size_t *data_len)
+{
+  struct pks_read_sbvar_args
+  {
+struct grub_ieee1275_common_hdr common;
+grub_ieee1275_cell_t sbvarflags;
+grub_ieee1275_cell_t sbvartype;
+grub_ieee1275_cell_t buffer;
+grub_ieee1275_cell_t buffer_len;
+grub_ieee1275_cell_t data_len;
+grub_ieee1275_cell_t rc;
+  } args;
+
+  INIT_IEEE1275_COMMON (&args.common, "pks-read-sbvar", 4, 2);
+  args.sbvarflags = (grub_ieee1275_cell_t) sbvarflags;
+  args.sbvartype = (grub_ieee1275_cell_t) sbvartype;
+  args.buffer = (grub_ieee1275_cell_t) buffer;
+  args.buffer_len = (grub_ieee1275_cell_t) buffer_len;
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+return -1;
+
+  if (args.data_len == IEEE1275_CELL_INVALID)
+return -1;
+
+  *data_len = args.data_len;
+
+  return (int) args.rc;
+}
diff --git a/include/grub/ieee1275/ieee1275.h 
b/include/grub/ieee1275/ieee1275.h

index c445d0499..edd8cd0eb 100644
--- a/include/grub/ieee1275/ieee1275.h
+++ b/include/grub/ieee1275/ieee1275.h
@@ -230,6 +230,20 @@ char *EXPORT_FUNC(grub_ieee1275_encode_uint4) 
(grub_ieee1275_ihandle_t ihandle,

   grub_size_t *size);
  int EXPORT_FUNC(grub_ieee1275_get_block_size) 
(grub_ieee1275_ihandle_t ihandle);

  +int EXPORT_FUNC (grub_ieee1275_test) (const char *name,
+  grub_ieee1275_cell_t *missing);
+
+int grub_ieee1275_pks_max_object_size (grub_size_t *result);
+
+int grub_ieee1275_pks_read_object (grub_uint8_t consumer, 
grub_uint8_t *label,
+   grub_size_t label_len, 
grub_uint8_t *buffer,
+   

Re: [PATCH v1 12/21] appended signatures: documentation

[sudhakar]

On 2024-12-30 21:20, Stefan Berger wrote:

On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:

From: Daniel Axtens 

This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.

Signed-off-by: Daniel Axtens 
Signed-off-by: Sudhakar Kuppusamy 
---
  docs/grub.texi | 185 
-

  1 file changed, 167 insertions(+), 18 deletions(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index 6e483298d..f71ce9ffc 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -3274,6 +3274,7 @@ These variables have special meaning to GRUB.
@menu
  * biosnum::
+* check_appended_signatures::
  * check_signatures::
  * chosen::
  * cmdpath::
@@ -3336,12 +3337,16 @@ this.
  For an alternative approach which also changes BIOS drive mappings 
for the

  chain-loaded system, @pxref{drivemap}.
  +@node check_appended_signatures
+@subsection check_appended_signatures
+This variable controls whether GRUB enforces appended signature 
validation on

+certain loaded files. @xref{Using appended signatures}.
@node check_signatures
  @subsection check_signatures
  -This variable controls whether GRUB enforces digital signature
-validation on loaded files. @xref{Using digital signatures}.
+This variable controls whether GRUB enforces GPG-style digital 
signature
+validation on loaded files. @xref{Using GPG-style digital 
signatures}.


I am not sure whether everybody knows what GPG-style digitiabl
signatures are. Maybe mention here once that those are in a separate
file.


@node chosen
  @subsection chosen
@@ -6377,6 +6382,7 @@ you forget a command, you can run the command 
@command{help}

  * date::Display or set current date and time
  * devicetree::  Load a device tree blob
  * distrust::Remove a pubkey from trusted keys
+* distrust_certificate::Remove a certificate from the list of 
trusted certificates

  * drivemap::Map a drive to another
  * echo::Display a line of text
  * efitextmode:: Set/Get text output mode resolution
@@ -6395,6 +6401,7 @@ you forget a command, you can run the command 
@command{help}
  * hexdump:: Show raw contents of a file or 
memory

  * insmod::  Insert a module
  * keystatus::   Check key modifier status
+* list_certificates::   List trusted certificates
  * list_env::List variables in environment block
  * list_trusted::List trusted public keys
  * load_env::Load variables from environment 
block
@@ -6435,8 +6442,10 @@ you forget a command, you can run the command 
@command{help}

  * tpm2_key_protector_clear::Clear the TPM2 key protector
  * true::Do nothing, successfully
  * trust::   Add public key to list of trusted 
keys
+* trust_certificate::   Add an x509 certificate to the list 
of trusted certificates

  * unset::   Unset an environment variable
  @comment * vbeinfo:: List available video modes
+* verify_appended:: Verify appended digital signature
  * verify_detached:: Verify detached digital signature
  * videoinfo::   List available video modes
  * wrmsr::   Write values to model-specific 
registers
@@ -6778,7 +6787,24 @@ These keys are used to validate signatures when 
environment variable

  @code{check_signatures} is set to @code{enforce}
  (@pxref{check_signatures}), and by some invocations of
  @command{verify_detached} (@pxref{verify_detached}).  @xref{Using
-digital signatures}, for more information.
+GPG-style digital signatures}, for more information.
+@end deffn
+
+@node distrust_certificate
+@subsection distrust_certificate
+
+@deffn Command distrust_certificate cert_number
+Remove the x509 certificate numbered @var{cert_number} from GRUB's 
keyring of

+trusted x509 certificates for verifying appended signatures.
+
+@var{cert_number} is the certificate number as listed by
+@command{list_certificates} (@pxref{list_certificates}).
+
+These certificates are used to validate appended signatures when 
environment

+variable @code{check_appended_signatures} is set to @code{enforce}
+(@pxref{check_appended_signatures}), and by @command{verify_appended}
+(@pxref{verify_appended}). See @xref{Using appended signatures} for 
more

+information.
  @end deffn
@node drivemap
@@ -7169,6 +7195,19 @@ without any options, the @command{keystatus} 
command returns true if and

  only if checking key modifier status is supported.
  @end deffn
  +@node list_certificates
+@subsection list_certificates
+
+@deffn Command list_certificates
+List all x509 certificates trusted by GRUB for validating appended 
signatures.
+The output is a numbered list of certificates, showing the 
certi

Re: [PATCH v1 15/21] ieee1275: Read the DB and DBX secure boot variables

[sudhakar]

On 2024-12-31 04:31, Stefan Berger wrote:

On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:

If secure boot is enabled with PKS, it will read secure boot variables
such as db and dbx from PKS and extract certificates from ESL.
It would be saved in the platform keystore buffer, and
the appendedsig (module) would read it later to extract
the certificate's details.

In the following scenarios, static key mode will be activated:
  1. When secure boot is enabled with static
  2. When SB Version is unavailable but Secure Boot is enabled
  3. When PKS support is unavailable but secure boot is enabled

Note:-

SB Version - secure boot mode
1 - PKS
0 - static key (embeded key)

Signed-off-by: Sudhakar Kuppusamy 
---
  grub-core/Makefile.am   |   1 +
  grub-core/Makefile.core.def |   1 +
  grub-core/kern/ieee1275/init.c  |  14 +-
  grub-core/kern/ieee1275/platform_keystore.c | 337 


  include/grub/platform_keystore.h| 233 ++
  5 files changed, 584 insertions(+), 2 deletions(-)
  create mode 100644 grub-core/kern/ieee1275/platform_keystore.c
  create mode 100644 include/grub/platform_keystore.h

diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index e50db8106..afb25dc4f 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += 
$(top_srcdir)/include/grub/file.h

  KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
  KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
  KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/platform_keystore.h
  KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
  KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
  KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 1ed55b0e3..2fd060123 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -170,6 +170,7 @@ kernel = {
ieee1275 = kern/ieee1275/openfw.c;
ieee1275 = term/ieee1275/console.c;
ieee1275 = kern/ieee1275/init.c;
+  ieee1275 = kern/ieee1275/platform_keystore.c;


This now becomes a file shared with other ieee1275 platforms, such as
sparc64, as well. Also here maybe it should be

 powerpc_ieee1275 = kern/ieee1275/platform_keystore.c

or

 powerpc_ieee1275 = kern/powerpc/ieee1275/platform_keystore.c ?



Yes. You are correct. moved it to pSeries-specific.



  uboot = disk/uboot/ubootdisk.c;
uboot = kern/uboot/uboot.c;
diff --git a/grub-core/kern/ieee1275/init.c 
b/grub-core/kern/ieee1275/init.c

index 59984b605..7d96c38f3 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -50,6 +50,7 @@
  #include 
  #endif
  #include 
+#include 
/* The maximum heap size we're going to claim at boot. Not used by 
sparc. */

  #ifdef __i386__
@@ -959,7 +960,7 @@ grub_get_ieee1275_secure_boot (void)
  {
grub_ieee1275_phandle_t root;
int rc;
-  grub_uint32_t is_sb;
+  grub_uint32_t is_sb = 0;
  grub_ieee1275_finddevice ("/", &root);
  @@ -976,7 +977,16 @@ grub_get_ieee1275_secure_boot (void)
 * We only support enforce.
 */
if (rc >= 0 && is_sb >= 2)
-grub_lockdown ();
+{
+  grub_printf ("secure boot enabled\n");
+  rc = grub_platform_keystore_init ();
+  if (rc != GRUB_ERR_NONE)
+grub_printf ("Warning: initialization of the platform 
keystore failed!\n");

+
+  grub_lockdown ();
+}
+  else
+  grub_printf ("secure boot disabled\n");
  }
grub_addr_t grub_modbase;
diff --git a/grub-core/kern/ieee1275/platform_keystore.c 
b/grub-core/kern/ieee1275/platform_keystore.c

new file mode 100644
index 0..1c564d5da
--- /dev/null
+++ b/grub-core/kern/ieee1275/platform_keystore.c
@@ -0,0 +1,337 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2024  Free Software Foundation, Inc.
+ *  Copyright (C) 2024 IBM Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published 
by

+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see .
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define PKS_CONSUMER_FW 1
+#define SB_VERSION_KEY_NAME ((grub_uint8_t *) "SB_VERSION")
+#define SB_VERSION_KEY_LEN 10
+#define DB 1
+#define DBX 2
+#define PKS_OBJECT_NOT_FOUND ((grub_err_t) -7)
+
+/* Platform Keystore */
+static grub_size_t pks_max_object_size;

Re: [PATCH v1 15/21] ieee1275: Read the DB and DBX secure boot variables

[sudhakar]

On 2024-12-31 04:34, Stefan Berger wrote:

On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:

If secure boot is enabled with PKS, it will read secure boot variables
such as db and dbx from PKS and extract certificates from ESL.
It would be saved in the platform keystore buffer, and


What is 'it'. The certificates would be saved ... ?


the appendedsig (module) would read it later to extract
the certificate's details.


certifcates' ?



In the following scenarios, static key mode will be activated:
  1. When secure boot is enabled with static


static keys ?


  2. When SB Version is unavailable but Secure Boot is enabled
  3. When PKS support is unavailable but secure boot is enabled


Secure Boot



Note:-

SB Version - secure boot mode


Secure Boot


1 - PKS
0 - static key (embeded key)


Thank you Stefan. Fixed it.

Thanks,
Sudhakar Kuppusamy

___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Re: [PATCH] BugFix: grub menu gets stuck due to unserialized rdtsc

[Daniel Kiper]

Hi,

On Mon, Feb 24, 2025 at 10:41:38PM -0800, 段亚勇 wrote:
> Hello Daniel,
> May I know the Merge Plan of Grub Master branch? 
> From this time, we almost check grub master changes every day
> and take enough patience to wait for the bugfix to be merged.
> But we found the recent update of master branch has no our
> two bugfix patches. If there are any extra problems, we sincerely hope
> we can know it, so that we can plan our OS release.
>
> Our two bugfix patches:
> https://lists.gnu.org/archive/html/grub-devel/2024-11/msg00222.html
> https://lists.gnu.org/archive/html/grub-devel/2025-01/msg00051.html

The second one is queued for push. It should happen no later than by
the end of the week. Sorry for delay...

Daniel

___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Re: [PATCH 3/3] blsuki: Add uki command to load Unified Kernel Image entries

[Gerd Hoffmann]

> > +  coff_header = &(pe->coff_header);
> > +  section_offset = dos->pe_image_header_offset + sizeof (*pe);
> > +
> > +  for (int i = 0; i < coff_header->num_sections; i++)
> > +{
> > +  char *val;
> > +  char *key;
> 
> I don't quite understand this. So every section found in the PE becomes a
> key/val pair for this GRUB menu option? It seems like you would not want to
> do that for non-UKI related sections (like data, reloc sections, etc).

There is a '.osrel' which is formated like /etc/os-release and can be
used to create pretty and descriptive menu titles.

So, yes, this should only try to parse sections which are expected to be
in this format.

take care,
  Gerd


___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel