From: Michal Suchánek
To: dja@axtens.net, grub-devel@lists.gnu.org
Subject: [PATCH 0/3] Add support for signing grub with an appended signature
Date: Fri, 16 Oct 2020 13:20:38 +0200
Message-ID: <20201016132038.4f48eea9@naga.suse.cz>
In-Reply-To: 20200821023720.13747-1-dja@axtens.net

Hello,

It has been pointed out in the plumbers session that the ELF note will cause problems when a user wants to add an additional signature.

The normal appended signature has only one size information - in the footer at the end of the binary, and that is not part of the signed data. So if you want to add an additional signature it is possible to expand the room for the signature data.

In contrast the ELF note size is present in the ELF header which is also signed. This does not allow adjusting the size of the signature data once the binary is signed.

A simpler scheme would be for grub-install to parse the signature footer, split off the signature, write the ELF binary at the start of the PReP partition, and the signature at the end. Then the grub signature can use exactly the same format as the kernel and modules.

The disadvantage is that for signed grub dd is no longer an alternative to grub-install.

There was also concern about distinguishing signed and un-signed grub. That is that writing an un-signed grub might leave a stale signature leading to an error. However, secure boot is something that should be enabled or disabled in firmware settings, and not triggered by the PReP partition containing a signature.

When secure boot is enabled checking the grub signature is required and un-signed grub is invalid.
When secure boot is disabled the signature is irrelevant and a stale signature should not cause any error.

grub-install can also remove the signature magic when installing un-signed grub for consistency. Users using dd to install un-signed grub might still have an old signature at the end of the partition.

Thanks

Michal
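
The footer-parsing step proposed in the message above, sketched as an added example (not part of the original post and not grub code). It assumes the trailer layout of Linux kernel module signatures, which the post says grub could reuse; `split_appended_sig`, `build_sample` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Trailer layout assumed from the Linux module format the post refers to:
   [signed image][signature][12-byte footer][magic]. */
#define SIG_MAGIC "~Module signature appended~\n"
#define SIG_MAGIC_LEN (sizeof(SIG_MAGIC) - 1)
#define SIG_FOOTER_LEN 12 /* five u8 fields, 3 pad bytes, be32 sig_len */
struct split_result { size_t payload_len, sig_off, sig_len; };

/* 0: split ok; 1: no magic (unsigned image); -1: malformed trailer. */
int split_appended_sig(const uint8_t *buf, size_t len, struct split_result *out)
{
  if (len < SIG_MAGIC_LEN ||
      memcmp(buf + len - SIG_MAGIC_LEN, SIG_MAGIC, SIG_MAGIC_LEN) != 0)
    return 1;
  len -= SIG_MAGIC_LEN;
  if (len < SIG_FOOTER_LEN)
    return -1;
  len -= SIG_FOOTER_LEN;
  const uint8_t *f = buf + len;
  /* The footer is outside the signed data, so sig_len is untrusted input. */
  uint32_t sig_len = ((uint32_t)f[8] << 24) | ((uint32_t)f[9] << 16) |
                     ((uint32_t)f[10] << 8) | f[11];
  if (sig_len == 0 || sig_len > len)
    return -1;
  out->payload_len = len - sig_len; /* ELF image: start of the partition */
  out->sig_off = out->payload_len;  /* signature: end of the partition */
  out->sig_len = sig_len;
  return 0;
}

/* Constructed sample: 4 fake image bytes, 4 fake signature bytes, trailer. */
static uint8_t sample[64];
static struct split_result res;
size_t build_sample(uint32_t claimed_sig_len)
{
  size_t n = 8;
  memcpy(sample, "\x7f" "ELF" "SIG!", 8);
  memset(sample + n, 0, SIG_FOOTER_LEN);
  sample[n + 10] = (uint8_t)(claimed_sig_len >> 8);
  sample[n + 11] = (uint8_t)claimed_sig_len;
  n += SIG_FOOTER_LEN;
  memcpy(sample + n, SIG_MAGIC, SIG_MAGIC_LEN);
  return n + SIG_MAGIC_LEN;
}

int main(void) { return split_appended_sig(sample, build_sample(4), &res); }
```

Because the length field sits outside the signed region, the bounds check on `sig_len` is what keeps a tampered footer from steering the split past the start of the image.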