This patch series implements support for loading and verifying a signed
xen.gz binary. This would allow the same xen.gz binary to be used for
BIOS boot, UEFI boot, and UEFI boot with Secure Boot verification.
There is an accompanying Xen patch series.
The first two patches update the multiboot2 sp
Add support for entry addresses that may be either 32 bits or 64 bits in
size. This may be necessary if the binary is built with an entry address
above 4G.
Signed-off-by: Ross Lagerwall
---
grub-core/loader/multiboot_mbi2.c | 10 --
include/multiboot2.h | 6 +-
2 files
GRUB doesn't do anything with multiboot modules except loading them and
passing a pointer to the multiboot kernel. Therefore GRUB itself doesn't
need to verify the module. Multiboot modules may contain code that needs
to be verified. If this is the case, the expectation is that the
multiboot kernel
Add the ability to load multiboot binaries in PE format. This allows the
binaries to be signed and verified.
Signed-off-by: Ross Lagerwall
---
grub-core/Makefile.core.def | 1 +
grub-core/loader/multiboot_mbi2.c | 15 +-
grub-core/loader/multiboot_pe.c | 694 ++
It is convenient and common to have binaries stored in gzip archives
(e.g. xen.gz). Verification should be run after decompression rather
than before so reorder the file filter list as appropriate.
Signed-off-by: Ross Lagerwall
---
include/grub/file.h | 2 +-
1 file changed, 1 insertion(+), 1 de
The binary may expose its type using the load type header tag. Implement
it according to the specification.
Signed-off-by: Ross Lagerwall
---
grub-core/loader/multiboot_mbi2.c | 45 ---
include/grub/multiboot2.h | 1 +
include/multiboot2.h | 13 +
Binaries may be built with entry points above 4G. While bootloaders may
relocate them below 4G, it should be possible for the binary to specify
those entry points. Therefore, extend the multiboot2 protocol such that
64 bit addresses are allowed for entry points. The extension is done in
a backwards
Currently, multiboot2-compatible bootloaders can load ELF binaries and
a.out binaries. The presence of the address header tag determines
how the bootloader tries to interpret the binary (a.out if the address
tag is present else ELF).
Add a new load type header tag that explicitly states the type o
On Thu, Mar 14, 2024 at 7:24 AM Jan Beulich wrote:
>
> On 13.03.2024 16:07, Ross Lagerwall wrote:
> > In addition to the existing address and ELF load types, specify a new
> > optional PE binary load type. This new type is a useful addition since
> > PE binaries can be signed and verified (i.e. us
On Thu, Mar 14, 2024 at 1:37 PM Jan Beulich wrote:
>
> On 14.03.2024 10:30, Ross Lagerwall wrote:
> > On Thu, Mar 14, 2024 at 7:24 AM Jan Beulich wrote:
> >>
> >> On 13.03.2024 16:07, Ross Lagerwall wrote:
> >>> In addition to the existing address and ELF load types, specify a new
> >>> optional
On Tue, Mar 19, 2024 at 1:18 PM Roger Pau Monné wrote:
>
> On Wed, Mar 13, 2024 at 03:07:42PM +, Ross Lagerwall wrote:
> > Currently, multiboot2-compatible bootloaders can load ELF binaries and
> > a.out binaries. The presence of the address header tag determines
> > how the bootloader tries t
On Fri, Mar 15, 2024 at 7:26 AM Vladimir 'phcoder' Serbinenko
wrote:
>
> Verifying after decompression is a bad security practice. It relies on
> decompression having no security holes. Given how complex decompression is,
> this is almost guaranteed to be false.
>
Point taken... I'll drop this
On Fri, Mar 15, 2024 at 7:31 AM Vladimir 'phcoder' Serbinenko
wrote:
>
> Not a full review. Just one blocking problem
>
>>
>>
>> }
>> + case MULTIBOOT_LOAD_TYPE_PE:
>> + grub_fatal ("Unsupported load type: %u\n", mld.load_type);
>> + default:
>> +/* should be impossible */
>> +
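Review bot: grub_fatal() in the MULTIBOOT_LOAD_TYPE_PE case halts the bootloader on mld.load_type, a value that, per the series description, the binary itself supplies through its load type header tag. A file that merely declares the PE load type would then stop the boot outright instead of failing the load command and returning control to the menu. Consider returning an error in this case, for example return grub_error (GRUB_ERR_BAD_OS, "unsupported load type: %u", mld.load_type);, and reserving grub_fatal for the default branch that the comment marks as impossible.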
On Tue, Mar 19, 2024 at 10:07 AM Roger Pau Monné wrote:
>
> On Wed, Mar 13, 2024 at 03:07:43PM +, Ross Lagerwall wrote:
> > Binaries may be built with entry points above 4G. While bootloaders may
> > relocate them below 4G, it should be possible for the binary to specify
> > those entry points
This patch series implements support for loading and verifying a signed
xen binary. This would allow the same xen binary to be used for BIOS
boot, UEFI boot, and UEFI boot with Secure Boot verification.
There is an accompanying Xen patch series.
The first patch updates the multiboot2 specification
Currently, multiboot2-compatible bootloaders can load ELF binaries and
a.out binaries. The presence of the address header tag determines
how the bootloader tries to interpret the binary (a.out if the address
tag is present else ELF).
In addition to the existing address and ELF load types, specify
GRUB doesn't do anything with multiboot modules except loading them and
passing a pointer to the multiboot kernel. Therefore GRUB itself doesn't
need to verify the module. Multiboot modules may contain code that needs
to be verified. If this is the case, the expectation is that the
multiboot kernel
Add the ability to load multiboot binaries in PE format. This allows the
binaries to be signed and verified.
Signed-off-by: Ross Lagerwall
---
grub-core/Makefile.core.def | 1 +
grub-core/loader/multiboot.c | 7 +
grub-core/loader/multiboot_mbi2.c | 11 +-
grub-core/loader/multib
On Mon, Jun 23, 2025 at 12:33 PM Frediano Ziglio via Grub-devel
wrote:
>
> If a simple string for arguments are passed it should be NUL
> terminated. This is true for other code but not for "linux"
> command.
>
> Signed-off-by: Frediano Ziglio
> ---
> grub-core/loader/efi/linux.c | 9 +
>
On Tue, Jul 8, 2025 at 9:02 PM Frediano Ziglio via Grub-devel
wrote:
>
> Allows to load modules using LoadFile2 protocol.
> Add and use a new GUID for kernel media device.
> This will allow Xen to pick up additional modules using
> EFI interface instead of using multiboot2 interface (not
> availab
On Wed, Jul 9, 2025 at 12:54 PM Frediano Ziglio
wrote:
>
> On Wed, Jul 9, 2025 at 10:54 AM Ross Lagerwall
> wrote:
> >
> > On Wed, Jul 9, 2025 at 10:35 AM Frediano Ziglio via Grub-devel
> > wrote:
> > >
> > > On Tue, Jul 8, 2025 at 11:43 AM Frediano Ziglio
> > > wrote:
> > > >
> > > > Compile f
On Tue, Jul 8, 2025 at 9:02 PM Frediano Ziglio via Grub-devel
wrote:
>
> Allows to load modules using LoadFile2 protocol.
> Add and use a new GUID for kernel media device.
> This will allow Xen to pick up additional modules using
> EFI interface instead of using multiboot2 interface (not
> availab
On Tue, Jul 8, 2025 at 8:26 PM Frediano Ziglio via Grub-devel
wrote:
>
> For ARM64 command lines are passed using device tree, for
> x86_64 we need to use LoadOptions putting both Xen and kernel
> arguments.
> On x86_64 the LoadOptions is composed by 2 parts, EFI options
> and Xen options. The Xen
On Wed, Jul 9, 2025 at 10:35 AM Frediano Ziglio via Grub-devel
wrote:
>
> On Tue, Jul 8, 2025 at 11:43 AM Frediano Ziglio
> wrote:
> >
> > Compile for x86_64 EFI architecture.
> > Do not fill device tree, not present for this architecture.
> >
> > Signed-off-by: Frediano Ziglio
> > ---
> > grub
On Wed, Jul 9, 2025 at 4:21 PM Frediano Ziglio
wrote:
>
> On Wed, Jul 9, 2025 at 2:08 PM Ross Lagerwall
> wrote:
> >
> > On Tue, Jul 8, 2025 at 9:02 PM Frediano Ziglio via Grub-devel
> > wrote:
> > >
> > > Allows to load modules using LoadFile2 protocol.
> > > Add and use a new GUID for kernel
25 matches