On Thu, Apr 21, 2022 at 09:32:41PM +1000, Daniel Axtens wrote:
> Hi,
>
> >> This code allows us to parse:
> >>
> >> - PKCS#7 signedData messages. Only a single signerInfo is supported,
> >>   which is all that the Linux sign-file utility supports creating
> >>   out-of-the-box. Only RSA, SHA-2
On Thu, Apr 21, 2022 at 01:56:35PM +, zhangqiumiao via Grub-devel wrote:
> On Thu, Apr 21, 2022 at 21:41:52PM +0800, Daniel Kiper wrote:
> > On Sat, Apr 16, 2022 at 09:50:11AM +0800, Qiumiao Zhang via Grub-devel
> > wrote:
> > > During UEFI PXE boot in IPv6 network, if the DHCP server adopts
>
On Thu, Apr 21, 2022 at 21:41:52PM +0800, Daniel Kiper wrote:
> On Sat, Apr 16, 2022 at 09:50:11AM +0800, Qiumiao Zhang via Grub-devel wrote:
> > During UEFI PXE boot in IPv6 network, if the DHCP server adopts
> > stateful automatic configuration, then the client receives a
> > ICMP6_ROUTER_ADVER
On Sun, Feb 06, 2022 at 04:00:11PM -0600, Glenn Washburn wrote:
> When all tests complete successfully, filesystems mounted by grub-fs-tester
> will be unmounted before exiting. However, on certain test failures the
> tester will exit with a failure code and not unmount previously mounted
> filesys
On Sat, Apr 16, 2022 at 09:50:11AM +0800, Qiumiao Zhang via Grub-devel wrote:
> During UEFI PXE boot in IPv6 network, if the DHCP server adopts
> stateful automatic configuration, then the client receives a
> ICMP6_ROUTER_ADVERTISE multicast message from the server. This may be
> received without t
On Thu, Apr 21, 2022 at 04:50:34PM +1000, Daniel Axtens wrote:
> I genuinely do not know how I missed this, but we do need one more tweak
> so as not to break grub-emu builds:
>
> diff --git a/include/grub/mm.h b/include/grub/mm.h
> index 5d916809666c..f3bf87fa0f9a 100644
> --- a/include/grub/mm.h
Hi,
>> This code allows us to parse:
>>
>> - PKCS#7 signedData messages. Only a single signerInfo is supported,
>>   which is all that the Linux sign-file utility supports creating
>>   out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported.
>>   Any certificate embedded in the PKCS#7 me
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Reviewed-by: Stefan Berger
---
v3: fix CR->LF, thanks Stefan Berger.
v2: fix a grammar issue, thanks Stefan Berger.
---
docs/
These tests are run through all_functional_test and test a range
of commands and behaviours.
Signed-off-by: Daniel Axtens
Reviewed-by: Stefan Berger
---
v3: clean up error codes at the start, fix copyright headers.
v2 changes:
- add a test for EKU
- add tests for files signed with multip
In order to parse PKCS#7 messages and X.509 certificates with libtasn1,
we need some information about how they are encoded.
We get these from GNUTLS, which has the benefit that they support the
features we need and are well tested.
The GNUTLS files are from:
-
https://github.com/gnutls/gnutls/
Trying to start grub-emu with a module that calls grub_dl_set_persistent
will crash because grub-emu fakes modules and passes NULL to the module
init function.
Provide an empty function for the emu case.
Fixes: ee7808e2197c (dl: Add support for persistent modules)
Signed-off-by: Daniel Axtens
Re
We don't expect to be able to write ASN.1, only read it,
so we can disable some code.
Do that with #if 0/#endif, rather than deletion. This means
that the difference between upstream and grub is smaller,
which should make updating libtasn1 easier in the future.
With these exclusions we also avoid
Signing grub for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
Reviewed-by: Stefan Berger
---
docs/grub.texi | 42 ++
1 file change
- Define SIZEOF_UNSIGNED_LONG_INT, it's the same as
SIZEOF_UNSIGNED_LONG.
- Define WORD_BIT, the size in bits of an int. This is defined
in the Single Unix Specification and in gnulib's limits.h. gnulib
assumes it's 32 bits on all our platforms, including 64 bit
platforms, so we al
Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
Reviewed-by: Stefan Berger
---
docs/grub.texi | 22 +-
1 file changed, 21 inse
rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme.
We want to use it in other RSA signature verification applications.
I considered and rejected putting it in lib/crypto.c. That file doesn't
currently require any MPI functions, but rsa_pad does. That's not so
much of a problem for
From: Rashmica Gupta
Add infrastructure to allow firmware to verify the integrity of grub
by use of a Linux-kernel-module-style appended signature. We initially
target powerpc-ieee1275, but the code should be extensible to other
platforms.
Usually these signatures are appended to a file without
This patch set contains the long-awaited v3 for secure boot using appended
signatures on powerpc.
The v2 series is at
https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00044.html
This series is based on the latest memory rework series I sent
(https://lists.gnu.org/archive/html/grub-devel/
Hello,
On Thu, Apr 21, 2022 at 05:47:10PM +1000, Daniel Axtens wrote:
> This code allows us to parse:
>
> - PKCS#7 signedData messages. Only a single signerInfo is supported,
>   which is all that the Linux sign-file utility supports creating
>   out-of-the-box. Only RSA, SHA-256 and SHA-512 a
From: Alastair D'Silva
To support verification of appended signatures, we need a way to
embed the necessary public keys. Existing appended signature schemes
in the Linux kernel use X.509 certificates, so allow certificates to
be embedded in the grub core image in the same way as PGP keys.
Signed
Create a wrapper file that specifies the module license.
Set up the makefile so it is built.
Signed-off-by: Daniel Axtens
Reviewed-by: Stefan Berger
---
v3: Proper copyright headers.
---
grub-core/Makefile.core.def| 15 +++
grub-core/lib/libtasn1_wrap/wrap.c | 27 +
If the 'ibm,secure-boot' property of the root node is 2 or greater,
enter lockdown.
Signed-off-by: Daniel Axtens
Reviewed-by: Stefan Berger
---
docs/grub.texi | 4 ++--
grub-core/Makefile.core.def| 1 +
grub-core/kern/ieee1275/init.c | 27 +++
inclu
The way gcry_rsa and friends (the asymmetric ciphers) are loaded for the
pgp module is a bit quirky.
include/grub/crypto.h contains:
extern struct gcry_pk_spec *grub_crypto_pk_rsa;
commands/pgp.c contains the actual storage:
struct gcry_pk_spec *grub_crypto_pk_rsa;
And the module itself save
This code allows us to parse:
- PKCS#7 signedData messages. Only a single signerInfo is supported,
which is all that the Linux sign-file utility supports creating
out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported.
Any certificate embedded in the PKCS#7 message will be ignored.
Building on the parsers and the ability to embed x509 certificates, as
well as the existing gcrypt functionality, add a module for verifying
appended signatures.
This includes a verifier that requires that Linux kernels and grub modules
have appended signatures, and commands to manage the list of
Do a few things to make libtasn1 compile as part of grub:
- redefine _asn1_strcat. grub removed strcat so replace it with the
appropriate calls to memcpy and strlen. Use this internally where
strcat was used.
- replace c_isdigit with grub_isdigit (and don't import c-ctype from
gnulib)
>> +@example
>> +~Module signature appended~\n
>> +@end example
>> +
>> +where @code{\n} represents the carriage-return character, @code{0x0a}.
>
>
> \n is 0xa but it's called line-feed.
D'oh, you're completely right, of course. Fixed.
>> +
>> +To enable appended signature verification, load the
I genuinely do not know how I missed this, but we do need one more tweak
so as not to break grub-emu builds:
diff --git a/include/grub/mm.h b/include/grub/mm.h
index 5d916809666c..f3bf87fa0f9a 100644
--- a/include/grub/mm.h
+++ b/include/grub/mm.h
@@ -42,7 +42,9 @@ typedef grub_err_t (*grub_mm_add
>> +static enum
>> +{ check_sigs_no = 0,
>
>
> nit: newline after '{'
>
fixed
>
>> + check_sigs_enforce = 1,
>> + check_sigs_forced = 2
>> +} check_sigs = check_sigs_no;
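Review bot: The difference between check_sigs_enforce and check_sigs_forced in this enum is not evident from the names alone. A short comment on each value would help, for example noting on check_sigs_forced that it cannot be turned off with `set check_appended_signatures=0` at the grub prompt.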
>
>
> What does 'forced' mean?
It means that it cannot be turned off with `set check_appended_signatures=0`
at the grub prompt