Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is
replaced with one 'grub-protect' command to simplify the test script.
'tpm2_evictcontrol' is also replaced with 'grub-protect --tpm2-evict'.
Signed-off-by: Gary Lin
---
tests/tpm2_key_protector_test.in | 108 +---
On Fri, Mar 21, 2025 at 03:59:03PM +0800, Gary Lin wrote:
> This commit implements the missing NV index mode support in
> 'grub-protect'. NV index mode stores the sealed key in the TPM
> non-volatile memory (NVRAM) instead of a file. There are two supported
> types of TPM handles.
>
> 1. Persistent
On Fri, Mar 21, 2025 at 03:59:04PM +0800, Gary Lin wrote:
> Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is
> replaced with one 'grub-protect' command to simplify the test script.
>
> 'tpm2_evictcontrol' is also replaced with 'grub-protect --tpm2-evict'.
>
> Signed-off-by: Ga
On Mon, Mar 10, 2025 at 03:48:16PM +0800, Gary Lin via Grub-devel wrote:
> On Thu, Mar 06, 2025 at 08:46:52PM +0100, Yann Diorcet wrote:
> > When tpm2_submit_command_real is called for a retry, the content of
> > out buffer can already be set with previous grub_tcg2_submit_command
> > call's reply.
On Tue, Mar 25, 2025 at 8:16 AM Alec Brown via Grub-devel wrote:
>
> A Unified Kernel Image is a single UEFI PE file that combines a UEFI boot stub,
> a Linux kernel image, an initrd, and further resources. The uki command will
> locate where the uki file is and create a GRUB menu entry to load
On Wed, Mar 19, 2025 at 01:47:56PM +0100, Renaud Métrich via Grub-devel wrote:
> Signed-off-by: Renaud Métrich
> ---
> grub-core/commands/efi/lsefi.c | 4
> 1 file changed, 4 insertions(+)
>
> diff --git a/grub-core/commands/efi/lsefi.c b/grub-core/commands/efi/lsefi.c
> index 7b8316d41..bda
On Fri, Mar 21, 2025 at 03:59:08PM +0800, Gary Lin wrote:
> The TPM2 key protector tests require two external packages: swtpm-tools
> and tpm2-tools. Add those two packages to the INSTALL file to inform
> the user to install those packages before starting the TPM2 key protector
> tests.
>
> Signed-
From: Daniel Axtens
This code allows us to parse:
- PKCS#7 signedData messages. Only a single signerInfo is supported,
which is all that the Linux sign-file utility supports creating
out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported.
Any certificate embedded in the PKCS#7 mes
On 3/20/25 3:54 PM, Andrew Hamilton wrote:
A regression was introduced recently as a part of the series of
filesystem related patches to address some CVEs found in GRUB.
This issue may cause either an infinite loop at startup when
accessing certain valid NTFS file systems, or may cause a crash
d
From: Daniel Axtens
If the 'ibm,secure-boot' property of the root node is 2 or greater,
enter lockdown.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
docs/grub.texi | 2 +-
grub-core/Makefile.core.d
From: Daniel Axtens
These tests are run through all_functional_test and test a range
of commands and behaviours.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/Makefile.core.def | 6 +
grub-
enhancing the infrastructure to enable the Platform Keystore (PKS) feature,
which provides access to the SB VERSION, DB, and DBX secure boot variables
from PKS.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/Makefile.am
To verify the kernel's signature: verify the kernel binary against lists of
binary hashes that are either distrusted or trusted. If it is not listed in
either trusted or distrusted hashes list then the trusted keys from the
trusted key list are used to verify the signature.
Signed-off-by: Sudhaka
The trusted certificates and binary hashes, distrusted certificates and
binary/certificate hashes will be extracted from the platform keystore buffer
if Secure Boot is enabled with PKS.
In order to verify the integrity of the kernel, the extracted data
needs to be stored in the buffer db an
To support the following trusted and distrusted commands
1. trusted_list:
It will show the list of trusted certificates and binary hashes
2. distrusted_list:
It will show the list of distrusted certificates and binary/certificate
hashes
3. trusted_certificate:
It wil
If Secure Boot is enabled with PKS and the use_static_keys flag is set,
then read the DB default keys from the ELF note and store them in the trusted
list buffer.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/append
From: Daniel Axtens
Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
---
docs/grub.
This patch set contains v2 of the consolidated version of the patch
sets for secure boot using appended signatures on powerpc,
rebased on top of git HEAD.
The v1 series is at
https://lists.gnu.org/archive/html/grub-devel/2024-12/msg00071.html
Linux on Power LPAR secure boot ensures the integrity
From: Rashmica Gupta
Add infrastructure to allow firmware to verify the integrity of grub
by use of a Linux-kernel-module-style appended signature. We initially
target powerpc-ieee1275, but the code should be extensible to other
platforms.
Usually these signatures are appended to a file without
From: Daniel Axtens
Trying to start grub-emu with a module that calls grub_dl_set_persistent
will crash because grub-emu fakes modules and passes NULL to the module
init function.
Provide an empty function for the emu case.
Fixes: ee7808e2197c (dl: Add support for persistent modules)
Signed-off
From: Daniel Axtens
Signing grub for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouh
From: Daniel Axtens
Building on the parsers and the ability to embed x509 certificates, as
well as the existing gcrypt functionality, add a module for verifying
appended signatures.
This includes a verifier that requires that Linux kernels and grub modules
have appended signatures, and commands
If secure boot is enabled with PKS, it will read secure boot variables
such as db and dbx from PKS and extract ESL's from it.
The ESL's would be saved in the platform keystore buffer, and
the appendedsig (module) would read it later to extract
the certificate's details from ESL.
In the following s
From: Daniel Axtens
In order to parse PKCS#7 messages and X.509 certificates with libtasn1,
we need some information about how they are encoded.
We get these from GNUTLS, which has the benefit that they support the
features we need and are well tested.
The GNUTLS files are from:
-
https://git
From: Daniel Axtens
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
docs/grub
From: Daniel Axtens
rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme.
We want to use it in other RSA signature verification applications.
I considered and rejected putting it in lib/crypto.c. That file doesn't
currently require any MPI functions, but rsa_pad does. That's not so
This explains how static and dynamic key appended signatures can be used to
form part of a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
docs/grub.texi | 108 +++-
From: Alastair D'Silva
To support verification of appended signatures, we need a way to
embed the necessary public keys. Existing appended signature schemes
in the Linux kernel use X.509 certificates, so allow certificates to
be embedded in the grub core image in the same way as PGP keys.
Signed
Introduce the use_static_keys flag to indicate that static keys are to be used
rather than keys from the PKS storage's DB variable. This variable is set when
Secure Boot is enabled with PKS but the DB variable is not present in the PKS
storage.
The appendedsig module would use this variable to ext
From: Daniel Axtens
The way gcry_rsa and friends (the asymmetric ciphers) are loaded for the
pgp module is a bit quirky.
include/grub/crypto.h contains:
extern struct gcry_pk_spec *grub_crypto_pk_rsa;
commands/pgp.c contains the actual storage:
struct gcry_pk_spec *grub_crypto_pk_rsa;
And
>
>
>
> +#ifdef GRUB_MACHINE_EFI
> +#include
> +#include
> +#include
> +#endif
> +
>
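Review bot: the three `#include` lines are wrapped in `#ifdef GRUB_MACHINE_EFI`, so every use of what those headers declare later in this file needs the same guard, otherwise non-EFI targets stop building. Please also state, in the commit message or the command's help text, what the uki command does on a build without `GRUB_MACHINE_EFI` (not registered at all, or registered and returning an error), so the behaviour on those platforms is deliberate rather than a side effect of the guard.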
Can UKI work without EFI? I think of scenario of putting e.g. EFI disk into
coreboot or BIOS machine.
> GRUB_MOD_LICENSE ("GPLv3+");
>
> #define GRUB_BLS_CONFIG_PATH "/loader/entries/"
> +#define GRUB_UKI_CON
On Tue, Mar 25, 2025 at 05:01:02PM +0100, Daniel Kiper wrote:
> On Fri, Mar 21, 2025 at 03:59:01PM +0800, Gary Lin wrote:
> > Extract the logic to handle the file buffer from the SRK recover
> > function to prepare to load the sealed key from the NV index handle,
> > so the NV index mode can share