thanks,
Sudhakar Kuppusamy
On 2022-11-24 20:39, Daniel Kiper wrote:
Adding Daniel Axtens...
On Tue, Nov 15, 2022 at 06:31:45PM +, Steve McIntyre wrote:
Hi all!
программист некто (in CC) reported this bug a few weeks back in
Debian. Since I applied
On 2024-10-16 20:36, Daniel Kiper wrote:
On Fri, Sep 13, 2024 at 04:57:58PM +0530, Sudhakar Kuppusamy wrote:
In order to store the SBAT data, we create a new ELF note. The string
"Secure-Boot-Advanced-Targeting",
zero-padded to 4 byte alignment, shall be entered in the name field.
On 2024-10-16 20:42, Daniel Kiper wrote:
On Fri, Sep 13, 2024 at 04:57:59PM +0530, Sudhakar Kuppusamy wrote:
The SBAT metadata, which is read from .csv file and transformed into
an ELF note,
is made into an image using the -s option.
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel
On 2024-12-29 01:16, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
This code allows us to parse:
- PKCS#7 signedData messages. Only a single signerInfo is supported,
which is all that the Linux sign-file utility supports creating
out-of-the
On 2024-12-27 20:28, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
From: Rashmica Gupta
Add infrastructure to allow firmware to verify the integrity of grub
by use of a Linux-kernel-module-style appended signature. We initially
target powerpc-ieee1275, but the code
On 2024-12-31 03:44, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
enhancing the infrastructure to enable the Platform Keystore (PKS)
feature,
which provides access to the SB VERSION, DB, and DBX secure boot
variables
from PKS.
Signed-off-by: Sudhakar Kuppusamy
On 2024-12-30 21:20, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Signed-off-by
On 2024-12-31 04:31, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
If secure boot is enabled with PKS, it will read secure boot variables
such as db and dbx from PKS and extract certificates from ESL.
It would be saved in the platform keystore buffer, and
the appendedsig
On 2024-12-31 04:34, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
If secure boot is enabled with PKS, it will read secure boot variables
such as db and dbx from PKS and extract certificates from ESL.
It would be saved in the platform keystore buffer, and
What is
On 2025-01-02 18:49, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
if secure boot enabled with PKS and set use_static_keys flag, it
If Secure Boot is enabled with PKS and the use_static_keys flag is
set, then read the DB default keys from the ELF note and store them in
On 2024-12-31 22:51, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
The trusted certificates and binary hashes, distrusted certificates
and
binary/certificate hashes will be extracted from the platform keystore
buffer
if Secure Boot is enabled with PKS.
In order to verify
On 2024-12-31 23:07, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
To verify the kernel's: verify the kernel binary against list of
binary hashes
To verify the kernel's signature?
against lists of binary hashes
that are distrusted and trusted. If it is not
On 2025-01-02 18:52, Stefan Berger wrote:
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
if secure boot enabled with PKS, it set the use_static_keys flag
I was not sure at this point what the patch actually does so I
reformulated it a bit. I would start the patch description with the
reason
On 2025-01-05 00:10, Vladimir 'phcoder' Serbinenko wrote:
rsa_pad will be removed when we update libgcrypt (see pending patch).
Can we accommodate for this?
On Wed, Dec 18, 2024 at 5:58 PM Sudhakar Kuppusamy
wrote:
From: Daniel Axtens
rsa_pad does the PKCS#1 v1.5 padding f
On 2025-01-24 16:10, Avnish Chouhan wrote:
Indentation looks off in a couple of places. Please fix it.
Reviewed-by: Avnish Chouhan
On 2024-12-18 20:26, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme.
We want to use it in other
On 2025-01-24 16:40, Avnish Chouhan wrote:
Suggestion: It will be good if we can remove the brackets in one-liner
if conditions and loops!
Reviewed-by: Avnish Chouhan
On 2024-12-18 20:26, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
This code allows us to parse:
- PKCS#7 signedData
On 2025-02-06 11:40, Avnish Chouhan wrote:
On 2024-12-18 20:26, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
Building on the parsers and the ability to embed x509 certificates, as
well as the existing gcrypt functionality, add a module for verifying
appended signatures.
This includes a
On 2025-02-06 11:53, Avnish Chouhan wrote:
On 2024-12-18 20:26, Sudhakar Kuppusamy wrote:
From: Daniel Axtens
If the 'ibm,secure-boot' property of the root node is 2 or greater,
enter lockdown.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
docs
at.csv and create the ELF Note for it then
store the SBAT data on it while generate image with -s option
Sudhakar Kuppusamy and Daniel Axtens (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat data into sbat ELF Note on powerpc
include/grub/util/mkimage.h | 4 +--
util/gr
we add a new ELF note for SBAT which stores the SBAT data.
The name field of shall be the string "Secure-Boot-Advanced-Targeting",
zero-padded
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
for the string "sbat").
Signed-off-by: Sudhakar Kuppu
we add a new ELF note for SBAT which stores the SBAT data.
The name field of shall be the string "Secure-Boot-Advanced-Targeting",
zero-padded
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
for the string "sbat").
Signed-off-by: Sudhakar Kuppu
at.csv and create the ELF Note for it then
store the SBAT data on it while generate image with -s option
Sudhakar Kuppusamy and Daniel Axtens (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat data into sbat ELF Note on powerpc
include/grub/util/mkimage.h | 4 +--
util/gr
it reads the SBAT data from sbat.csv and create the ELF Note for it then
store the SBAT data on it while generate image with -s option
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel Axtens
---
util/mkimage.c | 21 -
1 file changed, 16 insertions(+), 5 deletions
it reads the SBAT data from sbat.csv and create the ELF Note for it then
store the SBAT data on it while generate image with -s option
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel Axtens
---
util/mkimage.c | 19 +++
1 file changed, 15 insertions(+), 4 deletions
alignment. The type field shall be 0x41536967 (the ASCII values
for the string "sbat").
2) Patch 2: adding sbat data into sbat ELF Note
it reads the SBAT data from sbat.csv and create the ELF Note for it then
store the SBAT data on it while generate image with -s opti
we add a new ELF note for SBAT which stores the SBAT data.
The name field of shall be the string "Secure-Boot-Advanced-Targeting",
zero-padded
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
for the string "sbat").
Signed-off-by: Sudhakar Kuppu
In order to store the SBAT data, we create a new ELF note. The string
"Secure-Boot-Advanced-Targeting",
zero-padded to 4 byte alignment, shall be entered in the name field. The string
"sbat"'s ASCII values,
0x41536967, should be entered in the type field.
Signed-off-b
sudo ./grub-install --modules "$GRUB_MODULES" -d ./grub-core/ -v "/dev/sda2"
--sbat=./sbat_metadata.csv
dd if=/boot/grub/powerpc-ieee1275/core.elf of=/dev/sda2
Sudhakar Kuppusamy (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat metadata into sbat E
The SBAT metadata, which is read from .csv file and transformed into an ELF
note,
is made into an image using the -s option.
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel Axtens
---
util/mkimage.c | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a
The SBAT metadata, which is read from .csv file and transformed into an ELF
note,
is made into an image using the -s option.
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel Axtens
---
util/mkimage.c | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a
In order to store the SBAT data, we create a new ELF note. The string
"Secure-Boot-Advanced-Targeting",
zero-padded to 4 byte alignment, shall be entered in the name field. The string
"sbat"'s ASCII values,
0x41536967, should be entered in the type field.
Signed-off-b
sudo ./grub-install --modules "$GRUB_MODULES" -d ./grub-core/ -v "/dev/sda2"
--sbat=./sbat_metadata.csv
dd if=/boot/grub/powerpc-ieee1275/core.elf of=/dev/sda2
Sudhakar Kuppusamy (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat metadata into sbat E
es "$GRUB_MODULES" -d ./grub-core/ -v "/dev/sda2"
--sbat=./sbat_metadata.csv
dd if=/boot/grub/powerpc-ieee1275/core.elf of=/dev/sda2
Daniel Axtens and Sudhakar Kuppusamy (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat metadata into sbat ELF Note on po
The SBAT metadata, which is read from .csv file and transformed into an ELF
note,
is made into an image using the -s option.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
util/mkimage.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/util
In order to store the SBAT data, we create a new ELF note. The string ".sbat",
zero-padded to 4 byte alignment, shall be entered in the name field. The string
"SBAT"'s ASCII values,
0x53424154, should be entered in the type field.
Signed-off-by: Daniel Axtens
Signed-o
From: Daniel Axtens
These tests are run through all_functional_test and test a range
of commands and behaviours.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/Makefile.core.def | 6 +
grub-core/tests/appended_signature_test.c | 258 ++
grub
enhancing the infrastructure to enable the Platform Keystore (PKS) feature,
which provides access to the SB VERSION, DB, and DBX secure boot variables
from PKS.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/kern/ieee1275/ieee1275.c | 117 +
include/grub/ieee1275
# key usage issue
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/appendedsig/appendedsig.h | 110 +++
grub-core/commands/appendedsig/asn1util.c| 99 ++
grub-core/commands/appendedsig/pkcs7.c | 473 +
grub-core/commands/appendedsig/x509.c
),
rejected it while extracting it from the platform keystore buffer.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/appendedsig/appendedsig.c | 636 +--
1 file changed, 592 insertions(+), 44 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c
b/grub
ff-by: Sudhakar Kuppusamy
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 1 +
grub-core/kern/ieee1275/init.c | 14 +-
grub-core/kern/ieee1275/platform_keystore.c | 337
include/grub/platform_keyst
.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
.../commands/appendedsig/gnutls_asn1_tab.c| 121 +
.../commands/appendedsig/pkix_asn1_tab.c | 484 ++
2 files changed, 605 insertions(+)
create mode 100644 grub-core/commands/appendedsig/gnutls_asn1_tab.c
From: Daniel Axtens
Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
docs/grub.texi
etc) use grub_crypto_lookup_cipher_by_name()
to get a cipher handle. That depends on grub_ciphers being populated
by people calling grub_cipher_register. import_gcry.py ensures that the
symmetric ciphers call it.]
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/pgp.c | 4
grub
keys.
Signed-off-by: Alastair D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/pgp.c| 2 +-
include/grub/kernel.h | 2 ++
include/grub/util/install.h | 3 +++
util/grub-install-common.c | 19 ++-
util/grub-mkimage.c
-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
include/grub/dl.h | 11 +++
1 file changed, 11 insertions(+)
diff --git a/include/grub/dl.h b/include/grub/dl.h
index 750fc8d3d..fb4476797 100644
--- a/include/grub/dl.h
+++ b/include/grub/dl.h
@@ -242,11 +242,22 @@ grub_dl_get
before the appended signature
structure (not at the end) so that the final bytes of a signed ELF file
are the appended signature magic.
A subsequent patch documents how to create a grub core.img validly signed
under this scheme.
Signed-off-by: Rashmica Gupta
Signed-off-by: Daniel Axtens
Sig
From: Daniel Axtens
Signing grub for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
docs/grub.texi
d out into its own
PKCS#1 v1.5 module.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/Makefile.core.def | 8 +
grub-core/commands/pgp.c| 28 ++
grub-core/lib/pkcs1_v15.c | 59 +
include/grub/pkcs1_v15
natures: parse PKCS#7 signedData and X.509 certificates
appended signatures: support verifying appended signatures
appended signatures: verification tests
appended signatures: documentation
ieee1275: enter lockdown based on /ibm,secure-boot
Rashmica Gupta (1):
powerpc-ieee1275: Add support fo
solution:
other mechanisms, such as a password or lockdown, must be used to ensure
that a user cannot drop to the grub shell and disable verification.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/Makefile.core.def | 14 +
grub-core/commands
From: Daniel Axtens
If the 'ibm,secure-boot' property of the root node is 2 or greater,
enter lockdown.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
docs/grub.texi | 4 ++--
grub-core/Makefile.core.def| 1 +
grub-core/kern/ieee1275/i
/binary hash to the distrusted list
Note:-
The addition/deletion of trusted certificates and binary hashes
are not allowed in grub command prompt while secure boot is enabled.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/appendedsig/appendedsig.c | 517 +--
1 file
If secure boot is enabled with PKS, it sets the use_static_keys flag
when the DB variable is not present in PKS storage, and the appendedsig (module)
would use it later to extract the default DB keys from the ELF Note and
store them in the trustedlist.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core
From: Daniel Axtens
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
---
docs/grub.texi | 185
This explains how static and dynamic key appended signatures can be used to
form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Sudhakar Kuppusamy
---
docs/grub.texi | 110 +++--
1 file changed, 78
To verify the kernel's: verify the kernel binary against list of binary hashes
that are distrusted and trusted. If it is not listed in both trusted and
distrusted,
the trusted keys from trusted key list used to verify the signature.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/com
if secure boot enabled with PKS and set use_static_keys flag, it
reads the DB default keys from ELF Note and store it in trusted list buffer.
Signed-off-by: Sudhakar Kuppusamy
---
grub-core/commands/appendedsig/appendedsig.c | 58 ++--
1 file changed, 41 insertions(+), 17
extension and handle
it by verifying that the certificate has a Code Signing usage.
Signed-off-by: Javier Martinez Canillas # EKU support
Reported-by: Michal Suchanek # key usage issue
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish
From: Daniel Axtens
If the 'ibm,secure-boot' property of the root node is 2 or greater,
enter lockdown.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
docs/grub.texi | 2 +-
From: Daniel Axtens
These tests are run through all_functional_test and test a range
of commands and behaviours.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/Makefile.core.def | 6 +
grub
enhancing the infrastructure to enable the Platform Keystore (PKS) feature,
which provides access to the SB VERSION, DB, and DBX secure boot variables
from PKS.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/Makefile.am
ff-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 199 +--
1 file changed, 142 insertions(+), 57 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c
b/grub-core/commands/append
distrusted
list (dbx),
rejects it while extracting certificate/binary hash from the platform keystore
buffer.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 584 +--
grub-core/kern/file.c
/binary hash to the distrusted list
Note:-
The addition/deletion of trusted certificates and binary hashes
are not allowed in grub command prompt while secure boot is enabled.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig/appendedsig.c | 518
If Secure Boot is enabled with PKS and the use_static_keys flag is set,
then read the DB default keys from the ELF note and store them in the trusted
list buffer.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/appendedsig
From: Daniel Axtens
Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
---
cation tests
appended signatures: documentation
ieee1275: enter lockdown based on /ibm,secure-boot
Rashmica Gupta (1):
powerpc-ieee1275: Add support for signing grub with an appended
signature
Sudhakar Kuppusamy (8):
ieee1275: Platform Keystore (PKS) Support
ieee1275: Read the DB
before the appended signature
structure (not at the end) so that the final bytes of a signed ELF file
are the appended signature magic.
A subsequent patch documents how to create a grub core.img validly signed
under this scheme.
Signed-off-by: Rashmica Gupta
Signed-off-by: Daniel Axtens
Sig
-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
include/grub/dl.h | 11 +++
1 file changed, 11 insertions(+)
diff --git a/include/grub/dl.h b/include/grub/dl.h
index 84509c5c1..43e411fef 100644
--- a/include/grub/dl.h
From: Daniel Axtens
Signing grub for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: A
solution:
other mechanisms, such as a password or lockdown, must be used to ensure
that a user cannot drop to the grub shell and disable verification.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core
ey (embedded key)
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 1 +
grub-core/kern/ieee1275/init.c| 15 +-
.../kern/p
.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
.../commands/appendedsig/gnutls_asn1_tab.c| 121 +
.../commands/appendedsig/pkix_asn1_tab.c | 484 ++
2 files changed, 605 insertions(+)
create mode
From: Daniel Axtens
This explains how appended signatures can be used to form part of
a secure boot chain, and documents the commands and variables
introduced.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
docs
d out into its own
PKCS#1 v1.5 module.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/Makefile.core.def | 8 +
grub-core/commands/pgp.c| 28 ++
grub-core/lib/pkcs1_v1
This explains how static and dynamic key appended signatures can be used to
form part of
a secure boot chain, and documents the commands and variables introduced.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
---
docs/grub.texi | 108
keys.
Signed-off-by: Alastair D'Silva
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
grub-core/commands/pgp.c| 2 +-
include/grub/kernel.h | 2 ++
include/grub/util/install.h | 3 +++
util/grub-install-comm
le to extract the default DB keys
from
the ELF note and store the keys found there in the trustedlist.
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
---
.../kern/powerpc/ieee1275/platform_keystore.c| 16 +++-
grub-core/term/tp
etc) use grub_crypto_lookup_cipher_by_name()
to get a cipher handle. That depends on grub_ciphers being populated
by people calling grub_cipher_register. import_gcry.py ensures that the
symmetric ciphers call it.]
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by:
In order to store the SBAT data, we create a new ELF note. The string
"Secure-Boot-Advanced-Targeting",
zero-padded to 4 byte alignment, shall be entered in the name field. The string
"sbat"'s ASCII values,
0x41536967, should be entered in the type field.
Signed-off-b
all --modules "$GRUB_MODULES" -d ./grub-core/ -v "/dev/sda2"
--sbat=./sbat_metadata.csv
dd if=/boot/grub/powerpc-ieee1275/core.elf of=/dev/sda2
Sudhakar Kuppusamy (2):
mkimage: create new ELF Note for SBAT
mkimage: adding sbat metadata into sbat ELF Note on powerpc
in
The SBAT metadata, which is read from .csv file and transformed into an ELF
note,
is made into an image using the -s option.
Signed-off-by: Sudhakar Kuppusamy
Co-authored-by: Daniel Axtens
---
util/mkimage.c | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a
82 matches