thanks,
Sudhakar Kuppusamy
On 2022-11-24 20:39, Daniel Kiper wrote:
Adding Daniel Axtens...
On Tue, Nov 15, 2022 at 06:31:45PM +, Steve McIntyre wrote:
Hi all!
программист некто (in CC) reported this bug a few weeks back in
Debian. Since I applied
On 2024-10-16 20:36, Daniel Kiper wrote:
On Fri, Sep 13, 2024 at 04:57:58PM +0530, Sudhakar Kuppusamy wrote:
In order to store the SBAT data, we create a new ELF note. The string
"Secure-Boot-Advanced-Targeting",
zero-padded to 4 byte alignment, shall be entered in the name field.
On 2024-10-16 20:42, Daniel Kiper wrote:
On Fri, Sep 13, 2024 at 04:57:59PM +0530, Sudhakar Kuppusamy wrote:
The SBAT metadata, which is read from .csv file and transformed into
an ELF note,
is made into an image using the -s option.
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel
On 2025-01-02 18:49, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
if secure boot enabled with PKS and set use_static_keys flag, it
If Secure Boot is enabled with PKS and the use_static_keys flag is
set, then read the DB default keys from the ELF note and store them in
On 2024-12-31 22:51, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
The trusted certificates and binary hashes, distrusted certificates
and
binary/certificate hashes will be extracted from the platform keystore
buffer
if Secure Boot is enabled with PKS.
In order to verify
On 2024-12-31 23:07, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
To verify the kernel's: verify the kernel binary against list of
binary hashes
To verify the kernel's signature?
against lists of binary hashes
that are distrusted and trusted. If it is not
On 2025-01-02 18:52, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
if secure boot enabled with PKS, it set the use_static_keys flag
I was not sure at this point what the patch actually does so I
reformulated it a bit. I would start the patch description with the
reason
On 2025-01-05 00:10, Vladimir 'phcoder' Serbinenko wrote:
rsa_pad will be removed when we update libgcrypt (see pending patch).
Can we accommodate for this?
On Wed, Dec 18, 2024 at 5:58 PM Sudhakar Kuppusamy
wrote:
From: Daniel Axtens
rsa_pad does the PKCS#1 v1.5 padding f
On 2025-01-24 16:10, Avnish Chouhan wrote:
Indentation looks off in couple of places. Please fix it.
Reviewed-by: Avnish Chouhan
On 2024-12-18 20:26, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme.
We want to use it in other
On 2025-01-24 16:40, Avnish Chouhan wrote:
Suggestion : It will be good if we can remove the brackets in one
liner if conditions and loops!
Reviewed-by: Avnish Chouhan
On 2024-12-18 20:26, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
This code allows us to parse:
- PKCS#7 signedData
On 2025-02-06 11:40, Avnish Chouhan wrote:
On 2024-12-18 20:26, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
Building on the parsers and the ability to embed x509 certificates, as
well as the existing gcrypt functionality, add a module for verifying
appended signatures.
This includes a
On 2025-02-06 11:53, Avnish Chouhan wrote:
On 2024-12-18 20:26, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
If the 'ibm,secure-boot' property of the root node is 2 or greater,
enter lockdown.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
docs
On 2024-12-29 01:16, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
This code allows us to parse:
- PKCS#7 signedData messages. Only a single signerInfo is supported,
which is all that the Linux sign-file utility supports creating
out-of-the
On 2024-12-27 20:28, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
From: Rashmica Gupta
Add infrastructure to allow firmware to verify the integrity of grub
by use of a Linux-kernel-module-style appended signature. We initially
target powerpc-ieee1275, but the code
On 2024-12-31 03:44, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
enhancing the infrastructure to enable the Platform Keystore (PKS)
feature,
which provides access to the SB VERSION, DB, and DBX secure boot
variables
from PKS.
Signed-off-by: Sudhakar Kuppusamy
On 2024-12-30 21:20, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Signed-off-by
On 2024-12-31 04:31, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
If secure boot is enabled with PKS, it will read secure boot variables
such as db and dbx from PKS and extract certificates from ESL.
It would be saved in the platform keystore buffer, and
the appendedsig
On 2024-12-31 04:34, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
If secure boot is enabled with PKS, it will read secure boot variables
such as db and dbx from PKS and extract certificates from ESL.
It would be saved in the platform keystore buffer, and
What is
Hi Marta,
Thanks Martha, yes that would be very helpful and I appreciate your
consideration for that. Yes the patch-set is getting reviewed actively
so I am also hopeful that these would be upstreamed soon.
Thanks,
Sudhakar Kuppusamy
On 2025-05-13 19:46, Marta Lewandowska wrote:
Red Hat
arg : args[0]);
+ if (! prefix)
ditto
+ return grub_errno;
+ grub_free(old_prefix);
+}
+
r = grub_normal_add_menu_entry (argc - 1, (const char **) args,
ctxt->state[0].args, ctxt->state[4].arg,
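Review bot: as quoted, the `if (! prefix)` branch returns grub_errno before the added `grub_free(old_prefix);` is reached, so old_prefix is not released on that error path; if it is owned at this point, free it before the early return. The call is also missing the space before the opening parenthesis that the following `grub_normal_add_menu_entry (argc - 1, ...` call uses, so write it as `grub_free (old_prefix);`.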
Hi Gary Lin,
Thank you so much for a review! I will fix the bug in the code mentioned
by you.
Thanks,
Sudhakar Kuppusamy
On 2025-04-17 13:13, Gary Lin wrote:
On Thu, Mar 27, 2025 at 01:02:41AM +0530, Sudhakar Kuppusamy wrote:
To support the following trusted and distrusted commands
1
On 2025-04-15 13:54, Gary Lin wrote:
On Thu, Mar 27, 2025 at 01:02:41AM +0530, Sudhakar Kuppusamy wrote:
To support the following trusted and distrusted commands
1. trusted_list:
It will show the list of trusted certificates and binary
hashes
2. distrusted_list:
It will
On 2025-04-15 09:16, Gary Lin wrote:
On Thu, Mar 27, 2025 at 01:02:31AM +0530, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
Building on the parsers and the ability to embed x509 certificates, as
well as the existing gcrypt functionality, add a module for verifying
appended signatures.
This
o avoid this
warning: __attribute__((nonstring)).
Fixes: https://savannah.gnu.org/bugs/?66470
Signed-off-by: Andrew Hamilton
Reviewed-by: Sudhakar Kuppusamy
---
bootstrap.conf| 3 ++-
grub-core/lib/gnulib-patches/gcc-15-compile-fix.patch | 11 +++
f51c (util/grub-protect: Support NV index mode)
Signed-off-by: Andrew Hamilton
Reviewed-by: Sudhakar Kuppusamy
---
util/grub-protect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub-protect.c b/util/grub-protect.c
index d53c2572d..868eb76b9 100644
--- a/util/grub
;len - LZMA_MATCH_LEN_MIN" to avoid underflow
when 'len' equals to 1.
Fixed: CID 51508
Signed-off-by: Lidong Chen
Reviewed-by: Sudhakar Kuppusamy
---
grub-core/lib/LzmaEnc.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/Lzm
;& (unsigned) i + 1 > line_start;
+ for (i = (signed) kk - 1; i >= 0 && (unsigned) i + 1 >
line_start;
i--)
{
enum grub_join_type join_type = get_join_type (visual[i].base);
Reviewed-by: Sudhakar Kuppusamy
-off-by: Lidong Chen
it looks good..
Reviewed-by: Sudhakar Kuppusamy
---
grub-core/loader/i386/pc/linux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/loader/i386/pc/linux.c
b/grub-core/loader/i386/pc/linux.c
index 4adeee9ae..0c2a4ae51 100644
--- a/grub-core
@ check_protocol (void)
gop_handle = 0;
grub_dprintf ("video", "GOP: no usable mode\n");
-
+ grub_free (handles);
return 0;
}
Thanks,
Sudhakar Kuppusamy
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
option, and it may not be the PCR bank for key unsealing.
To dump the real PCR bank for key unsealing, this commit records the
PCR
bank used by 'TPM2_PolicyPCR' and dumps PCR values from that bank when
necessary.
Signed-off-by: Gary Lin
Reviewed-by: Sudhakar Kuppusamy
---
grub-c
On 2025-06-09 13:16, Gary Lin via Grub-devel wrote:
Add a few more tests to seal and unseal the key with the SHA384 PCR
bank instead of the default SHA256 PCR bank.
Signed-off-by: Gary Lin
Reviewed-by: Sudhakar Kuppusamy
---
tests/tpm2_key_protector_test.in | 34
gorithm of PCR digest in grub-protect to
avoid the potential unsealing failure.
Ref: https://github.com/lcp/grub2/issues/4
Signed-off-by: Gary Lin
Reviewed-by: Sudhakar Kuppusamy
---
util/grub-protect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub-protect.c b/util
From: Sudhakar Kuppusamy
Introduce the use_static_keys flag to indicate that static keys are to be used
rather than keys from the PKS storage's DB variable. This variable is set when
Secure Boot is enabled with PKS but the DB variable is not present in the PKS
storage.
The appendedsig m
From: Daniel Axtens
If the 'ibm,secure-boot' property of the root node is 2 or greater,
enter lockdown.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
docs/grub.texi | 2 +-
From: Sudhakar Kuppusamy
The trusted certificates and binary hashes, distrusted certificates and
binary/certificate hashes will be extracted from the platform keystore buffer
if Secure Boot is enabled with PKS.
In order to verify the integrity of the kernel, the extracted data
needs to be
From: Sudhakar Kuppusamy
To verify the kernel's signature: verify the kernel binary against lists of
binary hashes
that are either distrusted or trusted. If it is not listed in either trusted or
distrusted hashes list
then the trusted keys from the trusted key list are used to verif
Hi Daniel,
Thank you for your valuable review.
Addressed all your review comments in v3.
Thanks,
Sudhakar Kuppusamy
On 2025-05-28 22:50, Daniel Kiper wrote:
On Thu, Mar 27, 2025 at 01:02:31AM +0530, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
Building on the parsers and the ability to
Hi Daniel,
Thank you for your valuable review.
On 2025-05-28 22:59, Daniel Kiper wrote:
On Thu, Mar 27, 2025 at 01:02:32AM +0530, Sudhakar Kuppusamy wrote:
[...]
diff --git a/grub-core/tests/appended_signatures.h
b/grub-core/tests/appended_signatures.h
new file mode 100644
index 0
Hi Daniel,
Thank you for your valuable review. Addressed all the below review
comments in v3.
Thanks,
Sudhakar Kuppusamy
On 2025-05-28 21:25, Daniel Kiper wrote:
On Thu, Mar 27, 2025 at 01:02:29AM +0530, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
In order to parse PKCS#7 messages and
From: Daniel Axtens
These tests are run through all_functional_test and test a range
of commands and behaviours.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/Makefile.core.def | 6 +
grub
://github.com/gnutls/gnutls/blob/master/lib/gnutls.asn
- https://github.com/gnutls/gnutls/blob/master/lib/pkix.asn
The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allowing
us to import it without issue.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan
persistent modules)
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
include/grub/dl.h | 21 -
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/include/grub/dl.h b/include/grub/dl.h
index
From: Sudhakar Kuppusamy
To support the following trusted and distrusted commands
1. trusted_list:
It will show the list of trusted certificates and binary hashes
2. distrusted_list:
It will show the list of distrusted certificates and binary/certificate
hashes
3
d out into its own
PKCS#1 v1.5 module.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
grub-core/Makefile.core.def | 9 ++
grub-core/commands/pgp.c| 28 ++---
grub-core/lib/p
Add support for signing GRUB with an appended
signature
Sudhakar (1):
PGP: renames the OBJ_TYPE_PUBKEY
Sudhakar Kuppusamy (9):
ieee1275: Platform Keystore (PKS) Support
ieee1275: Read the DB and DBX secure boot variables
appendedsig: The creation of trusted and distrusted lists
appende
support the Extended Key Usage extension and handle
it by verifying that the certificate has a Code Signing usage.
Signed-off-by: Javier Martinez Canillas # EKU support
Reported-by: Michal Suchanek # key usage issue
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by
etc) use grub_crypto_lookup_cipher_by_name()
to get a cipher handle. That depends on grub_ciphers being populated
by people calling grub_cipher_register. import_gcry.py ensures that the
symmetric ciphers call it.]
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by:
message will be ignored.
Signed-off-by: Javier Martinez Canillas # EKU support
Reported-by: Michal Suchanek # key usage issue
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.h
From: Daniel Axtens
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
docs
before the appended signature
structure (not at the end) so that the final bytes of a signed ELF file
are the appended signature magic.
A subsequent patch documents how to create a GRUB core.img validly signed
under this scheme.
Signed-off-by: Rashmica Gupta
Signed-off-by: Daniel Axtens
Sig
From: Sudhakar Kuppusamy
enhancing the infrastructure to enable the Platform Keystore (PKS) feature,
which provides access to the SB VERSION, DB, and DBX secure boot variables
from PKS.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core
From: Sudhakar Kuppusamy
If Secure Boot is enabled with PKS and the use_static_keys flag is set,
then read the DB default keys from the ELF note and store them in the trusted
list buffer.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core
From: Sudhakar Kuppusamy
This explains how static and dynamic key appended signatures can be used to
form part of
a secure boot chain, and documents the commands and variables introduced.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
docs/grub.texi | 113
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.h | 42 +
grub-core/commands/appendedsig/asn1util.c| 96
2 files changed, 138 insertions(+)
create
From: Daniel Axtens
Signing GRUB for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: A
From: Sudhakar Kuppusamy
changed the following grub commands:
- "trust_certificate" to "trusted_certificate"
- "distrust_certificate" to "distrusted_certificate"
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/tests/appended_signature_test.c | 30 +++
keys.
Signed-off-by: Alastair D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
include/grub/kernel.h | 1 +
include/grub/util/install.h | 3 +++
util/grub-install-common.c | 19 ++-
From: Sudhakar Kuppusamy
To support the following trusted and distrusted commands
1. trusted_list:
It will show the list of trusted certificates and binary hashes
2. distrusted_list:
It will show the list of distrusted certificates and binary/certificate
hashes
3
solution:
other mechanisms, such as a password or lockdown, must be used to ensure
that a user cannot drop to the grub shell and disable verification.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core
From: Sudhakar Kuppusamy
If secure boot is enabled with PKS, it will read secure boot variables
such as db and dbx from PKS and extract ESL's from it.
The ESL's would be saved in the platform keystore buffer, and
the appendedsig (module) would read it later to extract
the certificate
renames the OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY
Signed-off-by: Alastair D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/pgp.c | 2 +-
include/grub/kernel.h| 2 +-
util/grub-mkim
From: Daniel Axtens
Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Review
Hi Daniel,
Thank you for your valuable review. Addressed all the below review
comments in v3.
Thanks,
Sudhakar Kuppusamy
On 2025-05-28 22:14, Daniel Kiper wrote:
On Thu, Mar 27, 2025 at 01:02:30AM +0530, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
This code allows us to parse:
- PKCS
Hi Daniel,
Thank you for your valuable review. Split this patch into two in v3.
Thanks,
Sudhakar Kuppusamy
On 2025-05-28 21:17, Daniel Kiper wrote:
On Thu, Mar 27, 2025 at 01:02:28AM +0530, Sudhakar Kuppusamy wrote:
From: Alastair D'Silva
To support verification of appended signa
Hi Daniel,
Thank you for your valuable review comments.
On 2025-05-22 23:19, Daniel Kiper wrote:
On Thu, Mar 27, 2025 at 01:02:22AM +0530, Sudhakar Kuppusamy wrote:
From: Rashmica Gupta
Add infrastructure to allow firmware to verify the integrity of grub
by use of a Linux-kernel-module
Hi Daniel,
Thank you for your valuable review comments. Addressed all your
comments.
On 2025-05-22 23:49, Daniel Kiper wrote:
On Thu, Mar 27, 2025 at 01:02:24AM +0530, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
Signing grub for firmware that verifies an appended signature is a
s/grub
Add support for signing GRUB with an appended
signature
Sudhakar (1):
PGP: renames the OBJ_TYPE_PUBKEY
Sudhakar Kuppusamy (9):
ieee1275: Platform Keystore (PKS) Support
ieee1275: Read the DB and DBX secure boot variables
appendedsig: The creation of trusted and distrusted list
Add support for signing GRUB with an appended
signature
Sudhakar (1):
PGP: renames the OBJ_TYPE_PUBKEY
Sudhakar Kuppusamy (9):
ieee1275: Platform Keystore (PKS) Support
ieee1275: Read the DB and DBX secure boot variables
appendedsig: The creation of trusted and distrusted lists
appende
"pciroot|disk|all",
+ N_("Connect EFI handles."
+ " If 'pciroot' is specified, connect PCI"
+ " root EFI handles recursively."
+
(protocols);
Hi Renaud Métrich,
better to use like this
if (protocols != NULL)
grub_efi_free_pool (protocols);
thanks,
Sudhakar
}
+ grub_free (handles);
+
return 0;
}
p->state = kMatchNextStates[p->state];
+ if (len < LZMA_MATCH_LEN_MIN)
+ {
+ p->result = SZ_ERROR_DATA;
+ return CheckErrors(p);
+ }
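Review bot: the added `len < LZMA_MATCH_LEN_MIN` check returns SZ_ERROR_DATA only after `p->state = kMatchNextStates[p->state];` on the preceding line has already run, so the encoder state is advanced even when the call fails. If anything reads p->state after an error, move the length check above the state update; either way, a short comment on how len can fall below the minimum at this point would help the next reader.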
Hi Lidong Chen,
please fix the indentation issue in if condition.
thanks,
sudhakar
LenEnc_Encode2(&a
at.csv and creates the ELF Note for it, then
stores the SBAT data on it while generating the image with the -s option
Sudhakar Kuppusamy and Daniel Axtens (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat data into sbat ELF Note on powerpc
include/grub/util/mkimage.h | 4 +--
util/gr
we add a new ELF note for SBAT which stores the SBAT data.
The name field of shall be the string "Secure-Boot-Advanced-Targeting",
zero-padded
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
for the string "sbat").
Signed-off-by: Sudhakar Kuppu
we add a new ELF note for SBAT which stores the SBAT data.
The name field of shall be the string "Secure-Boot-Advanced-Targeting",
zero-padded
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
for the string "sbat").
Signed-off-by: Sudhakar Kuppu
at.csv and creates the ELF Note for it, then
stores the SBAT data on it while generating the image with the -s option
Sudhakar Kuppusamy and Daniel Axtens (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat data into sbat ELF Note on powerpc
include/grub/util/mkimage.h | 4 +--
util/gr
it reads the SBAT data from sbat.csv and creates the ELF Note for it, then
stores the SBAT data on it while generating the image with the -s option
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel Axtens
---
util/mkimage.c | 21 -
1 file changed, 16 insertions(+), 5 deletions
it reads the SBAT data from sbat.csv and creates the ELF Note for it, then
stores the SBAT data on it while generating the image with the -s option
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel Axtens
---
util/mkimage.c | 19 +++
1 file changed, 15 insertions(+), 4 deletions
alignment. The type field shall be 0x41536967 (the ASCII values
for the string "sbat").
2) Patch 2: adding sbat data into sbat ELF Note
it reads the SBAT data from sbat.csv and creates the ELF Note for it, then
stores the SBAT data on it while generating the image with the -s opti
we add a new ELF note for SBAT which stores the SBAT data.
The name field of shall be the string "Secure-Boot-Advanced-Targeting",
zero-padded
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
for the string "sbat").
Signed-off-by: Sudhakar Kuppu
In order to store the SBAT data, we create a new ELF note. The string
"Secure-Boot-Advanced-Targeting",
zero-padded to 4 byte alignment, shall be entered in the name field. The string
"sbat"'s ASCII values,
0x41536967, should be entered in the type field.
Signed-off-b
sudo ./grub-install --modules "$GRUB_MODULES" -d ./grub-core/ -v "/dev/sda2"
--sbat=./sbat_metadata.csv
dd if=/boot/grub/powerpc-ieee1275/core.elf of=/dev/sda2
Sudhakar Kuppusamy (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat metadata into sbat E
The SBAT metadata, which is read from .csv file and transformed into an ELF
note,
is made into an image using the -s option.
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel Axtens
---
util/mkimage.c | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a
The SBAT metadata, which is read from .csv file and transformed into an ELF
note,
is made into an image using the -s option.
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel Axtens
---
util/mkimage.c | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a
In order to store the SBAT data, we create a new ELF note. The string
"Secure-Boot-Advanced-Targeting",
zero-padded to 4 byte alignment, shall be entered in the name field. The string
"sbat"'s ASCII values,
0x41536967, should be entered in the type field.
Signed-off-b
sudo ./grub-install --modules "$GRUB_MODULES" -d ./grub-core/ -v "/dev/sda2"
--sbat=./sbat_metadata.csv
dd if=/boot/grub/powerpc-ieee1275/core.elf of=/dev/sda2
Sudhakar Kuppusamy (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat metadata into sbat E
es "$GRUB_MODULES" -d ./grub-core/ -v "/dev/sda2"
--sbat=./sbat_metadata.csv
dd if=/boot/grub/powerpc-ieee1275/core.elf of=/dev/sda2
Daniel Axtens and Sudhakar Kuppusamy (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat metadata into sbat ELF Note on po
The SBAT metadata, which is read from .csv file and transformed into an ELF
note,
is made into an image using the -s option.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
util/mkimage.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/util
In order to store the SBAT data, we create a new ELF note. The string ".sbat",
zero-padded to 4 byte alignment, shall be entered in the name field. The string
"SBAT"'s ASCII values,
0x53424154, should be entered in the type field.
Signed-off-by: Daniel Axtens
Signed-o
From: Daniel Axtens
These tests are run through all_functional_test and test a range
of commands and behaviours.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/Makefile.core.def | 6 +
grub-core/tests/appended_signature_test.c | 258 ++
grub
enhancing the infrastructure to enable the Platform Keystore (PKS) feature,
which provides access to the SB VERSION, DB, and DBX secure boot variables
from PKS.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/kern/ieee1275/ieee1275.c | 117 +
include/grub/ieee1275
# key usage issue
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/appendedsig/appendedsig.h | 110 +++
grub-core/commands/appendedsig/asn1util.c| 99 ++
grub-core/commands/appendedsig/pkcs7.c | 473 +
grub-core/commands/appendedsig/x509.c
),
rejected it while extracting it from the platform keystore buffer.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/appendedsig/appendedsig.c | 636 +--
1 file changed, 592 insertions(+), 44 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c
b/grub
ff-by: Sudhakar Kuppusamy
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 1 +
grub-core/kern/ieee1275/init.c | 14 +-
grub-core/kern/ieee1275/platform_keystore.c | 337
include/grub/platform_keyst
.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
.../commands/appendedsig/gnutls_asn1_tab.c| 121 +
.../commands/appendedsig/pkix_asn1_tab.c | 484 ++
2 files changed, 605 insertions(+)
create mode 100644 grub-core/commands/appendedsig/gnutls_asn1_tab.c
From: Daniel Axtens
Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
docs/grub.texi
etc) use grub_crypto_lookup_cipher_by_name()
to get a cipher handle. That depends on grub_ciphers being populated
by people calling grub_cipher_register. import_gcry.py ensures that the
symmetric ciphers call it.]
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/pgp.c | 4
grub
keys.
Signed-off-by: Alastair D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/pgp.c| 2 +-
include/grub/kernel.h | 2 ++
include/grub/util/install.h | 3 +++
util/grub-install-common.c | 19 ++-
util/grub-mkimage.c
-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
include/grub/dl.h | 11 +++
1 file changed, 11 insertions(+)
diff --git a/include/grub/dl.h b/include/grub/dl.h
index 750fc8d3d..fb4476797 100644
--- a/include/grub/dl.h
+++ b/include/grub/dl.h
@@ -242,11 +242,22 @@ grub_dl_get
before the appended signature
structure (not at the end) so that the final bytes of a signed ELF file
are the appended signature magic.
A subsequent patch documents how to create a grub core.img validly signed
under this scheme.
Signed-off-by: Rashmica Gupta
Signed-off-by: Daniel Axtens
Sig
From: Daniel Axtens
Signing grub for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
docs/grub.texi