[PATCH RFC v2 0/5] verifiers: Framework and EFI shim lock verifier

2018-08-03 Thread Daniel Kiper
Hi, As I promised, I am posting the verifiers framework patchset. This is an RFC because I have some concerns which should be discussed. Some verifiers, e.g. shim lock, may not be able to verify all file types, e.g. GRUB2 modules, on their own and would want to delegate verification to other verifiers,

[PATCH RFC v2 2/5] verifiers: Framework core

2018-08-03 Thread Daniel Kiper
From: Vladimir Serbinenko The verifiers framework provides core file verification functionality which can be used by various security mechanisms, e.g., UEFI secure boot, TPM, PGP signature verification, etc. The patch contains PGP code changes and probably they should be extracted to a separate patch

[PATCH RFC v2 1/5] verifiers: File type for fine-grained signature-verification controlling

2018-08-03 Thread Daniel Kiper
From: Vladimir Serbinenko Let's provide file type info to the I/O layer. This way the verifiers framework and its users will be able to differentiate files and verify only the required ones. This is a preparatory patch. Signed-off-by: Vladimir Serbinenko Signed-off-by: Daniel Kiper --- grub-core/comma

[PATCH RFC v2 4/5] verifiers: Add the documentation

2018-08-03 Thread Daniel Kiper
From: Vladimir Serbinenko Signed-off-by: Vladimir Serbinenko Signed-off-by: Daniel Kiper --- docs/grub-dev.texi | 53 1 file changed, 53 insertions(+) diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi index a9f4de6..591fd80 100644 ---

[PATCH RFC v2 3/5] verifiers: Add possibility to verify kernel and modules command lines

2018-08-03 Thread Daniel Kiper
From: Vladimir Serbinenko Signed-off-by: Vladimir Serbinenko Signed-off-by: Daniel Kiper --- grub-core/commands/verify_helper.c| 14 ++ grub-core/lib/cmdline.c |9 + grub-core/loader/arm/linux.c |8 ++-- grub-core/loader/

[PATCH RFC v2 5/5] efi: Add EFI shim lock verifier

2018-08-03 Thread Daniel Kiper
Just an RFC. TODO: - disable the GRUB2 modules load/unload, - disable the dangerous modules, e.g. iorw, memrw. Signed-off-by: Daniel Kiper --- grub-core/Makefile.core.def|6 +++ grub-core/commands/efi/shim_lock.c | 93 2 files changed, 99 i

Re: [PATCH RFC v2 0/5] verifiers: Framework and EFI shim lock verifier

2018-08-03 Thread Matthew Garrett
On Fri, Aug 03, 2018 at 03:39:53PM +0200, Daniel Kiper wrote: > Some verifiers, e.g. shim lock, may not be able to verify all file types, e.g. > GRUB2 modules, on your own and would want to delegate verification to other > verifiers, e.g. PGP. Currently this is not possible. So, I think that we >

Re: [PATCH RFC v2 1/5] verifiers: File type for fine-grained signature-verification controlling

2018-08-03 Thread Matthew Garrett
On Fri, Aug 03, 2018 at 03:39:54PM +0200, Daniel Kiper wrote: > +++ b/grub-core/commands/i386/nthibr.c Should this be a separate patch? It seems to be unrelated new functionality. -- Matthew Garrett | mj...@srcf.ucam.org

Re: [PATCH RFC v2 1/5] verifiers: File type for fine-grained signature-verification controlling

2018-08-03 Thread Daniel Kiper
On Fri, Aug 03, 2018 at 09:56:41PM +0100, Matthew Garrett wrote: > On Fri, Aug 03, 2018 at 03:39:54PM +0200, Daniel Kiper wrote: > > +++ b/grub-core/commands/i386/nthibr.c > > Should this be a separate patch? It seems to be unrelated new > functionality. Yep, you are right. I will fix it in next v