On 6/30/21 4:40 AM, Daniel Axtens wrote:
Building on the parsers and the ability to embed x509 certificates, as
well as the existing gcrypt functionality, add a module for verifying
appended signatures.
This includes a verifier that requires that Linux kernels and grub modules
have appended sig
On 6/30/21 4:40 AM, Daniel Axtens wrote:
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
One small thing below.
---
v2: fix a grammar issue, thanks Stefan Berger.
---
On 6/30/21 4:40 AM, Daniel Axtens wrote:
If the 'ibm,secure-boot' property of the root node is 2 or greater,
enter lockdown.
Signed-off-by: Daniel Axtens
Reviewed-by: Stefan Berger
---
docs/grub.texi | 4 ++--
grub-core/Makefile.core.def | 1 +
grub-core/kern/iee
On 6/30/21 4:40 AM, Daniel Axtens wrote:
This code allows us to parse:
- PKCS#7 signedData messages. Only a single signerInfo is supported,
which is all that the Linux sign-file utility supports creating
out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported.
Any certificate
On 6/30/21 4:40 AM, Daniel Axtens wrote:
In order to parse PKCS#7 messages and X.509 certificates with libtasn1,
we need some information about how they are encoded.
We get these from GNUTLS, which has the benefit that they support the
features we need and are well tested.
The GNUTLS license i