From: Michael Chang
To: Daniel Axtens
Cc: The development of GNU GRUB, rashmica.g@gmail.com, alastair@d-silva.org
Date: Tue, 20 Oct 2020 13:58:46 +0800
Subject: Re: [PATCH 3/3] docs/grub: Document signing grub with an appended signature
Message-ID: <20201020055846.GA23295@mercury>
In-Reply-To: <87sga9v6tc.fsf@dja-thinkpad.axtens.net>
References: <20200821023720.13747-1-dja@axtens.net> <20200821023720.13747-4-dja@axtens.net> <20201020035450.GA14748@mercury> <87sga9v6tc.fsf@dja-thinkpad.axtens.net>
List-Id: The development of GNU GRUB (grub-devel@gnu.org)

On Tue, Oct 20, 2020 at 03:51:11PM +1100, Daniel Axtens wrote:
> Hi Michael,
>
> >> +@section Signing GRUB with an appended signature
> >> +
> >> +The @file{core.img} itself can be signed with a Linux kernel module-style
> >> +appended signature.
> >> +
> >> +To support IEEE1275 platforms where the boot image is often loaded directly
> >> +from a disk partition rather than from a file system, the @file{core.img}
> >
> > Maybe `core.elf` should be used for the embedded image on the ieee1275 platform?
> > The core.img is more pc bios specific IMHO, and hence would be edited
> > on-the-fly during the grub-install/grub-bios-setup process for keeping
> > or adding some records, making it not a good example for the proposed
> > procedure here, as the image on the filesystem and on the partition may differ.
>
> Sure, I will change this in v2.
>
> >> +can specify the size and location of the appended signature with an ELF
> >> +note added by @command{grub-install}.
> >> +
> >> +An image can be signed this way using the @command{sign-file} command from
> >> +the Linux kernel:
> >> +
> >> +@example
> >> +@group
> >> +# grub.key is your private key and certificate.der is your public key
> >> +
> >> +# Determine the size of the appended signature. It depends on the signing
> >> +# certificate and the hash algorithm
> >> +touch empty
> >> +sign-file SHA256 grub.key certificate.der empty empty.sig
> >> +SIG_SIZE=`stat -c '%s' empty.sig`
> >> +rm empty empty.sig
> >> +
> >> +# Build a grub image with $SIG_SIZE reserved for the signature
> >> +grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
> >> +
> >> +# Replace the reserved size with a signature:
> >> +# cut off the last $SIG_SIZE bytes with truncate's minus modifier
> >> +truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned
> >> +# sign the trimmed file with an appended signature, restoring the correct size
> >> +sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
> >> +
> >> +# Don't forget to install the signed image as required
> >> +# (e.g. on powerpc-ieee1275, to the PReP partition)
> >
> > Could you please provide more indication on how to install the signed
> > image afterwards? I suppose it is 'dd' for writing the core.elf.signed
> > to the PReP partition, but I'm not really sure that is correct.
>
> At the moment, yes, dd.
>
> Firmware loads raw bytes off the PReP partition and expects them to be a
> 32-bit BE ELF binary. Therefore any method that can put raw bytes on
> disk will work, and dd is the classic tool for the job.
>
> I'll improve this for v2 on the basis of how the discussions on Michal's
> proposal to do away with the ELF note go.
>
> > It also looked to me that the entire process can be integrated into
> > grub-install so the user has less hassle setting it up. For that
> > matter, we could work out new grub-install options to accept the user's
> > private key and public key certificate to compose a signed image with an
> > appended signature and install it on the fly. Is there anything that
> > I could have missed here?
>
> We'd need to add a dependency on OpenSSL (or maybe GNUTLS) to grub-install,
> as there's no support in grub to generate PKCS#7 messages. I don't know
> if that's acceptable?

I think it is acceptable to invoke a utility like openssl in grub-install,
as some utilities already get invoked for different purposes. (Remember,
grub-install used to be written as a script :))

> One of the reasons I didn't go down that road initially is that I
> imagine that most signed images are going to be signed by distros prior
> to installation. Maybe grub-mkimage would be a better place to add this
> feature. I think this is something we'll need to revisit once we resolve
> the discussion about the ELF note generally.

Yes. That sounds reasonable, as long as the distro works out the signed
core.efi via grub-mkimage in a way that can handle different installation
setups without resorting to any setup work performed by the user on the
image itself (i.e. running grub-install). The `dd` should just work and
is the right thing to do.

Thanks,
Michael

>
> Kind regards,
> Daniel
>
> >
> > Thanks,
> > Michael
> >
> >> +@end group
> >> +@end example
> >> +
> >> +As with UEFI secure boot, it is necessary to build in the required modules,
> >> +or sign them separately.
> >> +
> >> +
> >> @node Platform limitations
> >> @chapter Platform limitations
> >>
> >> --
> >> 2.25.1
> >>
> >>
> >> _______________________________________________
> >> Grub-devel mailing list
> >> Grub-devel@gnu.org
> >> https://lists.gnu.org/mailman/listinfo/grub-devel
>
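Review bot: the line `truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned` in the @example does not produce a trimmed copy; truncate applies the size change to every FILE argument in place, so as written it shrinks the installed core.elf by $SIG_SIZE bytes and creates core.elf.unsigned as a zero-length file, and the following `sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed` then signs an empty payload. Copy first and truncate the copy (`cp /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned` followed by `truncate -s -$SIG_SIZE core.elf.unsigned`), or write the trimmed bytes with `head -c -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf > core.elf.unsigned`. A smaller wording point in the same hunk: the comment "certificate.der is your public key" should say certificate, since sign-file's third argument is an X.509 certificate and a bare public key will not be accepted.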
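As an added illustration for this thread, and not code from the patch, from GRUB or from the Linux kernel: the script below reproduces the framing that sign-file appends (so it is visible what SIG_SIZE, measured on empty.sig, actually counts), strips a reserved tail as a copy rather than in place, and parses a signed image back into the signed payload and the PKCS#7 blob. The trailer layout and magic string follow the kernel's include/linux/module_signature.h; the ELF payload and the PKCS#7 bytes are constructed stand-ins, and no signature is computed or verified here.

```python
"""Appended-signature framing as produced by the Linux kernel's sign-file.

Illustrative code written for this discussion; not part of GRUB or the kernel.
Layout at the end of a signed file (from include/linux/module_signature.h):

    payload || PKCS#7 DER (sig_len bytes) || struct module_signature (12 bytes)
            || "~Module signature appended~\\n" (28 bytes)
"""
import struct
from dataclasses import dataclass
from typing import Optional

MODULE_SIG_STRING = b"~Module signature appended~\n"   # 28-byte trailer magic
PKEY_ID_PKCS7 = 2                                      # id_type that sign-file writes
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len, __pad[3];
# __be32 sig_len. sign-file leaves everything except id_type and sig_len at zero.
SIG_INFO = struct.Struct(">BBBBB3xI")


@dataclass
class AppendedSignature:
    payload: bytes     # the bytes the detached PKCS#7 signature covers
    pkcs7: bytes       # DER-encoded PKCS#7 SignedData
    total_len: int     # size of the signed file


def append_signature(payload: bytes, pkcs7: bytes) -> bytes:
    """Frame pkcs7 onto payload exactly as sign-file does."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return payload + pkcs7 + info + MODULE_SIG_STRING


def trailer_size(pkcs7_len: int) -> int:
    """Bytes sign-file adds for a PKCS#7 blob of pkcs7_len.

    This is what `stat -c %s empty.sig` reports after signing an empty file,
    i.e. the SIG_SIZE handed to grub-install --appended-signature-size.
    """
    return pkcs7_len + SIG_INFO.size + len(MODULE_SIG_STRING)


def split_signature(image: bytes) -> Optional[AppendedSignature]:
    """Return payload and PKCS#7 blob if image ends in a trailer, else None."""
    if not image.endswith(MODULE_SIG_STRING):
        return None
    body = image[: len(image) - len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ValueError("file too short for struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[len(body) - SIG_INFO.size:])
    if id_type != PKEY_ID_PKCS7 or (algo, hash_, signer_len, key_id_len) != (0, 0, 0, 0):
        raise ValueError("trailer is not a PKCS#7 appended signature")
    body = body[: len(body) - SIG_INFO.size]
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("sig_len inconsistent with file size")
    cut = len(body) - sig_len
    return AppendedSignature(payload=body[:cut], pkcs7=body[cut:], total_len=len(image))


def strip_reservation(image_with_reservation: bytes, sig_size: int) -> bytes:
    """Return a trimmed copy; the input is left untouched."""
    if sig_size > len(image_with_reservation):
        raise ValueError("reservation larger than the image")
    return image_with_reservation[: len(image_with_reservation) - sig_size]


def sign_reserved_image(image_with_reservation: bytes, sig_size: int, pkcs7: bytes) -> bytes:
    """Strip the reserved tail, append the signature, and insist the size is unchanged.

    The firmware-facing image must end up exactly as large as the one the ELF
    note was generated for, so a size mismatch is an error, not a warning.
    """
    signed = append_signature(strip_reservation(image_with_reservation, sig_size), pkcs7)
    if len(signed) != len(image_with_reservation):
        raise ValueError(f"signed image is {len(signed)} bytes, "
                         f"reservation was for {len(image_with_reservation)}")
    return signed


if __name__ == "__main__":
    # Constructed stand-ins: a fake ELF payload and a fake 256-byte DER blob.
    payload = b"\x7fELF" + bytes(100)
    pkcs7 = b"\x30\x82\x01\x00" + b"\xaa" * 252
    sig_size = trailer_size(len(pkcs7))        # what the empty-file signing measures
    reserved = payload + bytes(sig_size)       # what --appended-signature-size leaves
    signed = sign_reserved_image(reserved, sig_size, pkcs7)
    parsed = split_signature(signed)
    print(f"SIG_SIZE={sig_size} signed={len(signed)} "
          f"payload={len(parsed.payload)} pkcs7={len(parsed.pkcs7)}")
```

The size check in sign_reserved_image is the practitioner's safeguard for the documented procedure: with an RSA certificate the PKCS#7 output has the same length for the empty probe file and the real image, so the measured SIG_SIZE fits; a caveat not raised in the thread is that DER-encoded ECDSA signatures can vary by a byte or two between runs, and that mismatch is exactly what the check catches.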