From: Daniel Axtens
To: grub-devel@gnu.org
Cc: rashmica.g@gmail.com, alastair@d-silva.org, nayna@linux.ibm.com, Daniel Axtens
Subject: [PATCH v2 00/22] appended signature secure boot support
Date: Wed, 30 Jun 2021 18:40:09 +1000
Message-Id: <20210630084031.2663622-1-dja@axtens.net>

This patch set contains v2 of the consolidated version of the patch sets sent for secure boot using appended signatures on powerpc, rebased on top of git HEAD.

The series consists of 4 main parts:

0) Patches 1-3: powerpc-ieee1275 memory enablement.

These patches have already been posted to the mailing list and are unchanged. I have included them here as well to make this one monolithic series of everything needed for full support for appended signatures on powerpc-ieee1275.
1) Patches 4-6: signing grub.elf with an appended signature

Part of a secure boot chain is allowing boot firmware to verify the grub core image. For UEFI platforms, this is done by signing the PE binary with a tool like pesign or sb-sign. However, for platforms that don't implement UEFI, an alternative scheme is required.

These patches provide some infrastructure and documentation for signing grub's core.elf with a Linux-kernel-module style appended signature.

An appended signature is a 'dumb' signature over the contents of a file. (It is distinct from schemes like Authenticode that are aware of the structure of the file and only sign certain parts.) The signature is wrapped in a PKCS#7 message, and is appended to the signed file along with some metadata and a magic string. The signatures are validated against a public key which is usually provided as an x509 certificate.

Because some platforms, such as powerpc-ieee1275, may load grub from a raw disk partition rather than a filesystem, we extend grub-install to add an ELF note that allows us to specify the size and location of the signature.

This has attracted some controversy in the past, with suggestions that we could avoid the ELF note by placing the signature at the end of core.elf if the image was loaded from a filesystem or network, and by placing it at the end of the PReP partition if it is loaded from there. This is not currently supported by either proprietary or open source firmware, but the current solution does not preclude this solution being added in the future.

There was also a suggestion of allowing grub-{install,mkimage} to call out to openssl directly to sign itself. I'm not opposed to doing this, but as I expect signing to mostly be something done by distros rather than the average grub-install user, I'm interested to hear any thoughts on whether that's actually going to be useful.
2) Patches 7 - 21: Teach grub to verify appended signatures

Part of a secure boot chain is allowing grub to verify the boot kernel. For UEFI platforms, this is usually delegated to the shim. However, for platforms that do not implement UEFI, an alternative scheme is required.

This part teaches grub how to verify Linux kernel-style appended signatures. Kernels on powerpc are already signed with this scheme and can be verified by IMA for kexec.

As PKCS#7 messages and x509 certificates are both based on ASN.1, we import libtasn1 to parse them. Because ASN.1 isn't self-documenting, we import from GNUTLS the information we need to navigate their structure.

This section is composed of the following patches:

 - patch 7 is a small fix to allow persistent modules to work on the emu target.
 - patches 8 and 9 are small refactorings.
 - patch 10 prepares posix_wrap for importing libtasn1
 - patches 11 through 15 import libtasn1 and add tests. I've taken a different approach from gcrypt. We import gcrypt via a script that transforms the code into something that works for grub. Rather than taking that approach, we import libtasn1 through first just copying a subset of the code in (patch 11), then disabling parts we don't need for grub (patch 12), making changes for grub compatibility (patch 13) and then compiling it into a module (patch 14) and testing it (patch 15). This means that should we want to upgrade our version of libtasn1, we should be able to copy the new files in (repeat the process in patch 11) and then just cherry-pick/reapply patches 12 and 13 to repeat the process of disabling unused code and making grub compatibility fixes. Hopefully that makes sense!
 - patch 16 allows x509 certificates to be built in to the grub core in much the same way as PGP keys.
 - patch 17 brings in the code from GNUTLS that allows us to parse PKCS#7 and x509 with libtasn1.
 - patch 18 is our PKCS#7 and x509 parser.
   They're minimal and fairly strict parsers that extract only the bits we need to verify the signatures.
 - patch 19 is the guts of the appended signature verifier. It uses the verifier infrastructure like pgp, and adds a number of user-friendly commands that mirror the pgp module.
 - patch 20 adds tests, and patch 21 adds documentation.

This chunk is where all the v2 changes are. They're documented in the patches themselves, but the big feature changes are: support for Extended Key Usage, thanks to Javier Martinez; and support for verifying a file with multiple signatures in the pkcs7 message. If any trusted key can verify any signature, the file will be considered to have passed verification.

3) Patch 22: Enter lockdown if in powerpc secure boot

This is now a much neater and nicer solution than before 2.06 - it detects if the DT property advertising SB is set, and enters lockdown if it is. The main appended signature series now tests for lockdown to enter 'forced' mode.

Thanks to Nayna Jain and Stefan Berger for providing review comments on v1.

I've pushed this all to https://github.com/daxtens/grub/tree/appendedsig-2.11

This patch series is easy to experiment with. In particular, the appended signature verifier doesn't require any particular platform. It works under emu and passes tests under x86_64-efi.
I have some information about testing all the parts together at https://gist.github.com/daxtens/cfc0a7e15614b0383e0c57f308cacdd1

It's largely unchanged from https://lists.gnu.org/archive/html/grub-devel/2020-10/msg00048.html

Kind regards,
Daniel

Alastair D'Silva (1):
  grub-install: support embedding x509 certificates

Daniel Axtens (20):
  ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE
  ieee1275: claim more memory
  ieee1275: request memory with ibm,client-architecture-support
  docs/grub: Document signing grub under UEFI
  docs/grub: Document signing grub with an appended signature
  dl: provide a fake grub_dl_set_persistent for the emu target
  pgp: factor out rsa_pad
  crypto: move storage for grub_crypto_pk_* to crypto.c
  posix_wrap: tweaks in preparation for libtasn1
  libtasn1: import libtasn1-4.16.0
  libtasn1: disable code not needed in grub
  libtasn1: changes for grub compatibility
  libtasn1: compile into asn1 module
  test_asn1: test module for libtasn1
  appended signatures: import GNUTLS's ASN.1 description files
  appended signatures: parse PKCS#7 signedData and X.509 certificates
  appended signatures: support verifying appended signatures
  appended signatures: verification tests
  appended signatures: documentation
  ieee1275: enter lockdown based on /ibm,secure-boot

Rashmica Gupta (1):
  Add support for signing grub with an appended signature

 .gitignore                                    |    1 +
 Makefile.util.def                             |    6 +
 docs/grub-dev.texi                            |    6 +-
 docs/grub.texi                                |  259 +-
 grub-core/Makefile.core.def                   |   57 +
 grub-core/commands/appendedsig/appendedsig.c  |  669 +++++
 grub-core/commands/appendedsig/appendedsig.h  |  118 +
 grub-core/commands/appendedsig/asn1util.c     |  103 +
 .../commands/appendedsig/gnutls_asn1_tab.c    |  121 +
 grub-core/commands/appendedsig/pkcs7.c        |  509 ++++
 .../commands/appendedsig/pkix_asn1_tab.c      |  484 ++++
 grub-core/commands/appendedsig/x509.c         | 1079 +++++++
 grub-core/commands/pgp.c                      |   34 +-
 grub-core/kern/ieee1275/cmain.c               |    3 +
 grub-core/kern/ieee1275/init.c                |  265 +-
 grub-core/lib/crypto.c                        |    4 +
 grub-core/lib/libtasn1/LICENSE                |   16 +
 grub-core/lib/libtasn1/README.md              |   91 +
 grub-core/lib/libtasn1/lib/coding.c           | 1423 ++++++++++
 grub-core/lib/libtasn1/lib/decoding.c         | 2481 +++++++++++++++++
 grub-core/lib/libtasn1/lib/element.c          | 1112 ++++++++
 grub-core/lib/libtasn1/lib/element.h          |   40 +
 grub-core/lib/libtasn1/lib/errors.c           |  103 +
 grub-core/lib/libtasn1/lib/gstr.c             |   74 +
 grub-core/lib/libtasn1/lib/gstr.h             |   47 +
 grub-core/lib/libtasn1/lib/int.h              |  221 ++
 grub-core/lib/libtasn1/lib/parser_aux.c       | 1174 ++++++++
 grub-core/lib/libtasn1/lib/parser_aux.h       |  172 ++
 grub-core/lib/libtasn1/lib/structure.c        | 1222 ++++++++
 grub-core/lib/libtasn1/lib/structure.h        |   45 +
 .../tests/CVE-2018-1000654-1_asn1_tab.h       |   32 +
 .../tests/CVE-2018-1000654-2_asn1_tab.h       |   36 +
 .../libtasn1_wrap/tests/CVE-2018-1000654.c    |   61 +
 .../lib/libtasn1_wrap/tests/Test_overflow.c   |  138 +
 .../lib/libtasn1_wrap/tests/Test_simple.c     |  207 ++
 .../lib/libtasn1_wrap/tests/Test_strings.c    |  150 +
 .../libtasn1_wrap/tests/object-id-decoding.c  |  116 +
 .../libtasn1_wrap/tests/object-id-encoding.c  |  120 +
 .../lib/libtasn1_wrap/tests/octet-string.c    |  211 ++
 .../lib/libtasn1_wrap/tests/reproducers.c     |   81 +
 grub-core/lib/libtasn1_wrap/wrap.c            |   26 +
 grub-core/lib/libtasn1_wrap/wrap_tests.c      |   75 +
 grub-core/lib/libtasn1_wrap/wrap_tests.h      |   38 +
 grub-core/lib/pkcs1_v15.c                     |   59 +
 grub-core/lib/posix_wrap/limits.h             |    1 +
 grub-core/lib/posix_wrap/stdlib.h             |    8 +
 grub-core/lib/posix_wrap/sys/types.h          |    1 +
 grub-core/tests/appended_signature_test.c     |  273 ++
 grub-core/tests/appended_signatures.h         |  975 +++++++
 grub-core/tests/lib/functional_test.c         |    1 +
 include/grub/dl.h                             |   11 +
 include/grub/file.h                           |    2 +
 include/grub/ieee1275/ieee1275.h              |    6 +
 include/grub/kernel.h                         |    3 +-
 include/grub/libtasn1.h                       |  589 ++++
 include/grub/lockdown.h                       |    3 +-
 include/grub/pkcs1_v15.h                      |   27 +
 include/grub/util/install.h                   |   15 +-
 include/grub/util/mkimage.h                   |    4 +-
 tests/test_asn1.in                            |   12 +
 util/grub-install-common.c                    |   37 +-
 util/grub-mkimage.c                           |   26 +-
 util/grub-mkimagexx.c                         |   39 +-
 util/mkimage.c                                |   54 +-
 64 files changed, 15267 insertions(+), 109 deletions(-)
 create mode 100644 grub-core/commands/appendedsig/appendedsig.c
 create mode 100644 grub-core/commands/appendedsig/appendedsig.h
 create mode 100644 grub-core/commands/appendedsig/asn1util.c
 create mode 100644 grub-core/commands/appendedsig/gnutls_asn1_tab.c
 create mode 100644 grub-core/commands/appendedsig/pkcs7.c
 create mode 100644 grub-core/commands/appendedsig/pkix_asn1_tab.c
 create mode 100644 grub-core/commands/appendedsig/x509.c
 create mode 100644 grub-core/lib/libtasn1/LICENSE
 create mode 100644 grub-core/lib/libtasn1/README.md
 create mode 100644 grub-core/lib/libtasn1/lib/coding.c
 create mode 100644 grub-core/lib/libtasn1/lib/decoding.c
 create mode 100644 grub-core/lib/libtasn1/lib/element.c
 create mode 100644 grub-core/lib/libtasn1/lib/element.h
 create mode 100644 grub-core/lib/libtasn1/lib/errors.c
 create mode 100644 grub-core/lib/libtasn1/lib/gstr.c
 create mode 100644 grub-core/lib/libtasn1/lib/gstr.h
 create mode 100644 grub-core/lib/libtasn1/lib/int.h
 create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.c
 create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.h
 create mode 100644 grub-core/lib/libtasn1/lib/structure.c
 create mode 100644 grub-core/lib/libtasn1/lib/structure.h
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654-1_asn1_tab.h
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654-2_asn1_tab.h
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_overflow.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_simple.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_strings.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/object-id-decoding.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/object-id-encoding.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/octet-string.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/reproducers.c
 create mode 100644 grub-core/lib/libtasn1_wrap/wrap.c
 create mode 100644 grub-core/lib/libtasn1_wrap/wrap_tests.c
 create mode 100644 grub-core/lib/libtasn1_wrap/wrap_tests.h
 create mode 100644 grub-core/lib/pkcs1_v15.c
 create mode 100644 grub-core/tests/appended_signature_test.c
 create mode 100644 grub-core/tests/appended_signatures.h
 create mode 100644 include/grub/libtasn1.h
 create mode 100644 include/grub/pkcs1_v15.h
 create mode 100644 tests/test_asn1.in
-- 
2.30.2
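The file layout that part 1 of the cover letter describes (PKCS#7 blob, metadata trailer, magic string appended to the signed file), worked through as an added example that is not code from the patch series: the trailer field layout is that of the Linux kernel's struct module_signature, which the Linux-kernel-module style signature uses, and the payload and PKCS#7 bytes below are constructed stand-ins. The code only shows how a signature is attached and then located and length-checked; the grub-install ELF note and the PKCS#7/X.509 verification itself are not modelled.

```python
import struct

# Appended-signature layout: <payload><PKCS#7 DER><struct module_signature><MAGIC>
# struct module_signature (Linux include/linux/module_signature.h), 12 bytes:
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 pad[3], __be32 sig_len
MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
TRAILER = struct.Struct(">BBBBB3sI")  # sig_len is big-endian


def append_signature(payload: bytes, pkcs7_der: bytes) -> bytes:
    """Attach an already-produced PKCS#7 signature blob to a file image.

    With a PKCS#7 signature the algo/hash/signer/key-id fields are all zero:
    the digest algorithm and signer identity live inside the PKCS#7 message."""
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(pkcs7_der))
    return payload + pkcs7_der + trailer + MAGIC


def split_appended_signature(blob: bytes) -> tuple:
    """Find the trailer and return (signed payload, PKCS#7 DER).

    Every length is validated before slicing, so a truncated or tampered
    trailer is rejected instead of producing a bogus payload/signature split."""
    if not blob.endswith(MAGIC):
        raise ValueError("no appended signature: magic string missing")
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("file too short to hold a signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("unsupported key identifier type %d" % id_type)
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("non-zero metadata fields are invalid with PKCS#7 id_type")
    body = body[:-TRAILER.size]
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("sig_len does not fit inside the file")
    return body[:-sig_len], body[-sig_len:]


if __name__ == "__main__":
    # Constructed sample inputs: a stand-in for core.elf and a stand-in for the
    # PKCS#7 blob a signing tool would emit (not a real DER signature).
    image = b"\x7fELF" + b"constructed core image bytes"
    fake_pkcs7 = b"\x30\x82\x01\x00" + b"C" * 60
    signed = append_signature(image, fake_pkcs7)
    payload, sig = split_appended_signature(signed)
    print("payload %d bytes, signature %d bytes" % (len(payload), len(sig)))
```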