Re: [PATCH v2 05/22] docs/grub: Document signing grub under UEFI

On 6/30/21 4:40 AM, Daniel Axtens wrote: Before adding information about how grub is signed with an appended signature scheme, it's worth adding some information about how it can currently be signed for UEFI. Signed-off-by: Daniel Axtens Reviewed-by: Stefan Berger --- docs/grub.texi |

Re: [PATCH v2 06/22] docs/grub: Document signing grub with an appended signature

On 6/30/21 4:40 AM, Daniel Axtens wrote: Signing grub for firmware that verifies an appended signature is a bit fiddly. I don't want people to have to figure it out from scratch so document it here. Signed-off-by: Daniel Axtens --- docs/grub.texi | 42

Re: [PATCH v2 02/22] ieee1275: claim more memory

On 6/30/21 4:40 AM, Daniel Axtens wrote: On powerpc-ieee1275, we are running out of memory trying to verify anything. This is because: - we have to load an entire file into memory to verify it. This is extremely difficult to change with appended signatures. - We only have 32MB of heap.

Re: [PATCH v2 03/22] ieee1275: request memory with ibm, client-architecture-support

On 6/30/21 4:40 AM, Daniel Axtens wrote: On PowerVM, the first time we boot a Linux partition, we may only get 256MB of real memory area, even if the partition has more memory. This isn't really enough. Fortunately, the Power Architecture Platform Reference (PAPR) defines a method we can call t

Re: [PATCH v2 01/22] ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE

On 6/30/21 4:40 AM, Daniel Axtens wrote: HEAP_MAX_ADDR is confusing. Currently it is set to 32MB, except on ieee1275 on x86, where it is 64MB. There is a comment which purports to explain it: /* If possible, we will avoid claiming heap above this address, because it seems to cause relocati

Re: [PATCH v2 08/22] pgp: factor out rsa_pad

On 6/30/21 4:40 AM, Daniel Axtens wrote: rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme. We want to use it in other RSA signature verification applications. I considered and rejected putting it in lib/crypto.c. That file doesn't currently require any MPI functions, but rsa_pa

Re: [PATCH v2 07/22] dl: provide a fake grub_dl_set_persistent for the emu target

On 6/30/21 4:40 AM, Daniel Axtens wrote: Trying to start grub-emu with a module that calls grub_dl_set_persistent will crash because grub-emu fakes modules and passes NULL to the module init function. Provide an empty function for the emu case. Fixes: ee7808e2197c (dl: Add support for persiste

Re: [PATCH v2 13/22] libtasn1: changes for grub compatibility

On 6/30/21 4:40 AM, Daniel Axtens wrote: Do a few things to make libtasn1 compile as part of grub: - redefine _asn1_strcat. grub removed strcat so replace it with the appropriate calls to memcpy and strlen. Use this internally where strcat was used. - replace c_isdigit with grub_is

Re: [PATCH v2 04/22] Add suport for signing grub with an appended signature

On 6/30/21 4:40 AM, Daniel Axtens wrote: From: Rashmica Gupta Add infrastructure to allow firmware to verify the integrity of grub by use of a Linux-kernel-module-style appended signature. We initially target powerpc-ieee1275, but the code should be extensible to other platforms. Usually thes

Re: [PATCH v2 09/22] crypto: move storage for grub_crypto_pk_* to crypto.c

On 6/30/21 4:40 AM, Daniel Axtens wrote: The way gcry_rsa and friends (the asymmetric ciphers) are loaded for the pgp module is a bit quirky. include/grub/crypto.h contains: extern struct gcry_pk_spec *grub_crypto_pk_rsa; commands/pgp.c contains the actual storage: struct gcry_pk_spec *g

Re: [PATCH v2 10/22] posix_wrap: tweaks in preparation for libtasn1

On 6/30/21 4:40 AM, Daniel Axtens wrote: - Define SIZEOF_UNSIGNED_LONG_INT, it's the same as SIZEOF_UNSIGNED_LONG. - Define WORD_BIT, the size in bits of an int. This is a defined in the Single Unix Specification and in gnulib's limits.h. gnulib assumes it's 32 bits on all our p

Re: [PATCH v2 14/22] libtasn1: compile into asn1 module

On 6/30/21 4:40 AM, Daniel Axtens wrote: Create a wrapper file that specifies the module license. Set up the makefile so it is built. Signed-off-by: Daniel Axtens Reviewed-by: Stefan Berger --- grub-core/Makefile.core.def| 15 +++ grub-core/lib/libtasn1_wrap/wrap.c

RE: UEFI Secureboot not succeeding with Grub 2.06 and later version

Hi Daniel, Secureboot worked fine with the change(GRUB_FILE_TYPE_LINUX_KERNEL -> GRUB_FILE_TYPE_NONE) you suggested. disk/efi/efidisk.c:531: opening hd0 succeeded partmap/gpt.c:93: Read a valid GPT header partmap/gpt.c:115: GPT entry 0: start=2048, length=40959 partmap/gpt.c:115: GPT entry 1: st

RE: UEFI Secureboot not succeeding with Grub 2.06 and later version

Hi Dimitri, Thanks for detailed response. Sorry for bit late response. We are generating own keys and signing with same. You can kindly have a look at the steps, which are followed for Generating Secure Keys and Secure Busybox boot https://gitlab.arm.com/arm-reference-solutions/arm-reference-s

Re: UEFI Secureboot not succeeding with Grub 2.06 and later version

On Mon, 12 Jul 2021, 17:16 Sayanta Pattanayak, wrote: > Hi Dimitri, > > > > Thanks for detailed response. Sorry for bit late response. > > > > We are generating own keys and signing with same. > > You can kindly have a look at the steps, which are followed for Generating > Secure Keys and Secure

[PATCH] ibmvtpm: Add support for trusted boot using a vTPM 2.0

From: Stefan Berger Add support for trusted boot using a vTPM 2.0 on the IBM ieee1275 platform. With this patch grub now measures text and binary data into the TPM's PCRs 8 and 9 in the same way as the x86_64 platform does. This patch requires Daniel Axtens's patches for claiming more memory. S

Re: [PATCH v2 16/22] grub-install: support embedding x509 certificates

On 6/30/21 4:40 AM, Daniel Axtens wrote: From: Alastair D'Silva To support verification of appended signatures, we need a way to embed the necessary public keys. Existing appended signature schemes in the Linux kernel use X.509 certificates, so allow certificates to be embedded in the grub cor