Date: Wed, 18 Nov 2020 19:18:50 +0100
From: Daniel Kiper
To: Daniel Axtens
Cc: grub-devel@gnu.org, rashmica.g@gmail.com, alastair@d-silva.org
Subject: Re: [PATCH v2 00/18] Verify appended signatures from grub
Message-ID: <20201118181850.dk3cei2fohyklw3y@tomti.i.net-space.pl>
References: <20201028015735.1131291-1-dja@axtens.net>
In-Reply-To: <20201028015735.1131291-1-dja@axtens.net>
List-Id: The development of GNU GRUB
Hi Daniel,

On Wed, Oct 28, 2020 at 12:57:17PM +1100, Daniel Axtens wrote:
> v2: fix the grub-mkimage bug. I haven't changed any libtasn1 licensing
> because I don't think we reached any conclusion on whether anything
> was needed, and if so what.
>
> Part of a secure boot chain is allowing grub to verify the boot
> kernel. For UEFI platforms, this is usually delegated to the shim: see
> shim_lock.c. However, for platforms that do not implement UEFI, an
> alternative scheme is required.
>
> This series teaches grub how to verify Linux kernel-style 'appended
> signatures'. I talked about this in my recent Linux Plumbers talk:
> https://linuxplumbersconf.org/event/7/contributions/738/ and
> https://youtu.be/IJUNxHnopH4?t=510
>
> In short, an appended signature is a 'dumb' signature over the
> contents of a file. (It is distinct from schemes like Authenticode
> that are aware of the structure of the file and only sign certain
> parts.) The signature is wrapped in a PKCS#7 message, and is appended
> to the signed file along with some metadata and a magic string. The
> signatures are validated against a public key which is usually
> provided as an x509 certificate. Kernels on powerpc are already signed
> with this scheme and can be verified by IMA for kexec.

Sounds interesting. Unfortunately I am not able to take it because GRUB is
in a code freeze state. I have just reviewed two patches which fix the docs
and I will take them. I will take a closer look at the rest of the patch
series after release. I hope this is not a problem for you...

Daniel
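The quoted cover letter describes the appended-signature container (PKCS#7 message, metadata, magic string) without giving its byte layout. As an added illustration that is not code from the patch series or from either Daniel, the parser below splits a file into the signed content and the PKCS#7 blob using the Linux kernel module-signing layout (the "kernel-style" format the series refers to): PKCS#7 DER, then a 12-byte module_signature trailer whose last field is a big-endian sig_len, then the 28-byte magic string. The sample content and the PKCS#7 bytes are constructed stand-ins, and verifying the PKCS#7 message against the x509 certificate is a separate step not shown here.

```python
import struct

# Trailer layout of the Linux kernel module-signing format (sign-file / module_signature):
#   <signed content> <PKCS#7 DER> <12-byte module_signature> <28-byte magic>
MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2                      # id_type meaning "signature is a PKCS#7 message"
TRAILER = struct.Struct(">BBBBB3sI")   # algo, hash, id_type, signer_len, key_id_len, pad, sig_len


class AppendedSigError(ValueError):
    """Raised when the trailer is absent, truncated or inconsistent."""


def split_appended_signature(blob: bytes):
    """Return (signed_content, pkcs7_der); the caller verifies pkcs7_der separately."""
    if not blob.endswith(MAGIC):
        raise AppendedSigError("no appended-signature magic at end of file")
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise AppendedSigError("file too short to hold a signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = TRAILER.unpack(body[-TRAILER.size:])
    body = body[:-TRAILER.size]
    if id_type != PKEY_ID_PKCS7:
        raise AppendedSigError(f"unsupported id_type {id_type}")
    # For PKCS#7 the algorithm, digest, signer and key id live inside the PKCS#7
    # message, so the kernel rejects trailers that set them; do the same here.
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise AppendedSigError("non-zero fields not allowed with PKCS#7 id_type")
    # Length check before slicing: an oversized or zero sig_len must not be trusted.
    if sig_len == 0 or sig_len > len(body):
        raise AppendedSigError(f"sig_len {sig_len} inconsistent with file size")
    return body[:-sig_len], body[-sig_len:]


def has_valid_trailer(blob: bytes) -> bool:
    try:
        split_appended_signature(blob)
        return True
    except AppendedSigError:
        return False


def append_signature(content: bytes, pkcs7_der: bytes) -> bytes:
    """Pack the container; used here only to construct the sample below."""
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(pkcs7_der))
    return content + pkcs7_der + trailer + MAGIC


# Constructed sample: a fake "kernel image" and a stand-in for the PKCS#7 DER bytes.
SAMPLE_CONTENT = b"\x7fELF" + b"\x00" * 60
SAMPLE_PKCS7 = b"\x30\x10" + bytes(range(16))   # not a real PKCS#7 message
SAMPLE_FILE = append_signature(SAMPLE_CONTENT, SAMPLE_PKCS7)
```

`split_appended_signature(SAMPLE_FILE)` returns the 64 content bytes and the 18 signature bytes; a file without the magic, with a truncated trailer, or with a sig_len larger than the file is rejected before any slice is taken.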