From: Avnish Chouhan <avnish@linux.ibm.com>
To: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Cc: grub-devel@gnu.org, dja@axtens.net, jan.setjeeilers@oracle.com,
julian.klode@canonical.com, mate.kukri@canonical.com,
pjones@redhat.com, stefanb@linux.ibm.com, nayna@linux.ibm.com,
ssrish@linux.ibm.com, daniel.kiper@oracle.com
Subject: Re: [PATCH v1 15/21] ieee1275: Read the DB and DBX secure boot variables
Date: Fri, 07 Feb 2025 11:27:07 +0530 [thread overview]
Message-ID: <10ded8921b9b25b713c1db7434eeefbe@linux.ibm.com> (raw)
In-Reply-To: <20241218145647.1390837-16-sudhakar@linux.ibm.com>
Suggestion : Can we use grub_dprintf instead of grub_printf, unless it
is extremely necessary!
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
On 2024-12-18 20:26, Sudhakar Kuppusamy wrote:
> If secure boot is enabled with PKS, it will read secure boot variables
> such as db and dbx from PKS and extract certificates from ESL.
> It would be saved in the platform keystore buffer, and
> the appendedsig (module) would read it later to extract
> the certificate's details.
>
> In the following scenarios, static key mode will be activated:
> 1. When secure boot is enabled with static
> 2. When SB Version is unavailable but Secure Boot is enabled
> 3. When PKS support is unavailable but secure boot is enabled
>
> Note:-
>
> SB Version - secure boot mode
> 1 - PKS
> 0 - static key (embeded key)
>
> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
> ---
> grub-core/Makefile.am | 1 +
> grub-core/Makefile.core.def | 1 +
> grub-core/kern/ieee1275/init.c | 14 +-
> grub-core/kern/ieee1275/platform_keystore.c | 337 ++++++++++++++++++++
> include/grub/platform_keystore.h | 233 ++++++++++++++
> 5 files changed, 584 insertions(+), 2 deletions(-)
> create mode 100644 grub-core/kern/ieee1275/platform_keystore.c
> create mode 100644 include/grub/platform_keystore.h
>
> diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
> index e50db8106..afb25dc4f 100644
> --- a/grub-core/Makefile.am
> +++ b/grub-core/Makefile.am
> @@ -79,6 +79,7 @@ KERNEL_HEADER_FILES +=
> $(top_srcdir)/include/grub/file.h
> KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
> KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
> KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
> +KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/platform_keystore.h
> KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
> KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
> KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
> diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> index 1ed55b0e3..2fd060123 100644
> --- a/grub-core/Makefile.core.def
> +++ b/grub-core/Makefile.core.def
> @@ -170,6 +170,7 @@ kernel = {
> ieee1275 = kern/ieee1275/openfw.c;
> ieee1275 = term/ieee1275/console.c;
> ieee1275 = kern/ieee1275/init.c;
> + ieee1275 = kern/ieee1275/platform_keystore.c;
>
> uboot = disk/uboot/ubootdisk.c;
> uboot = kern/uboot/uboot.c;
> diff --git a/grub-core/kern/ieee1275/init.c
> b/grub-core/kern/ieee1275/init.c
> index 59984b605..7d96c38f3 100644
> --- a/grub-core/kern/ieee1275/init.c
> +++ b/grub-core/kern/ieee1275/init.c
> @@ -50,6 +50,7 @@
> #include <grub/ieee1275/alloc.h>
> #endif
> #include <grub/lockdown.h>
> +#include <grub/platform_keystore.h>
>
> /* The maximum heap size we're going to claim at boot. Not used by
> sparc. */
> #ifdef __i386__
> @@ -959,7 +960,7 @@ grub_get_ieee1275_secure_boot (void)
> {
> grub_ieee1275_phandle_t root;
> int rc;
> - grub_uint32_t is_sb;
> + grub_uint32_t is_sb = 0;
>
> grub_ieee1275_finddevice ("/", &root);
>
> @@ -976,7 +977,16 @@ grub_get_ieee1275_secure_boot (void)
> * We only support enforce.
> */
> if (rc >= 0 && is_sb >= 2)
> - grub_lockdown ();
> + {
> + grub_printf ("secure boot enabled\n");
> + rc = grub_platform_keystore_init ();
> + if (rc != GRUB_ERR_NONE)
> + grub_printf ("Warning: initialization of the platform
> keystore failed!\n");
> +
> + grub_lockdown ();
> + }
> + else
> + grub_printf ("secure boot disabled\n");
> }
>
> grub_addr_t grub_modbase;
> diff --git a/grub-core/kern/ieee1275/platform_keystore.c
> b/grub-core/kern/ieee1275/platform_keystore.c
> new file mode 100644
> index 000000000..1c564d5da
> --- /dev/null
> +++ b/grub-core/kern/ieee1275/platform_keystore.c
> @@ -0,0 +1,337 @@
> +/*
> + * GRUB -- GRand Unified Bootloader
> + * Copyright (C) 2024 Free Software Foundation, Inc.
> + * Copyright (C) 2024 IBM Corporation
> + *
> + * GRUB is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published
> by
> + * the Free Software Foundation, either version 3 of the License, or
> + * (at your option) any later version.
> + *
> + * GRUB is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +#include <grub/mm.h>
> +#include <grub/ieee1275/ieee1275.h>
> +#include <grub/types.h>
> +#include <grub/misc.h>
> +#include <grub/lockdown.h>
> +#include <grub/platform_keystore.h>
> +
> +#define PKS_CONSUMER_FW 1
> +#define SB_VERSION_KEY_NAME ((grub_uint8_t *) "SB_VERSION")
> +#define SB_VERSION_KEY_LEN 10
> +#define DB 1
> +#define DBX 2
> +#define PKS_OBJECT_NOT_FOUND ((grub_err_t) -7)
> +
> +/* Platform Keystore */
> +static grub_size_t pks_max_object_size;
> +grub_uint8_t grub_use_platform_keystore = 0;
> +grub_pks_t grub_platform_keystore = { .db = NULL, .dbx = NULL,
> .db_entries = 0, .dbx_entries = 0 };
> +
> +/* converts the esl data into the ESL */
> +static grub_esl_t *
> +grub_convert_to_esl (const grub_uint8_t *esl_data, const grub_size_t
> esl_data_size)
> +{
> + grub_esl_t *esl = NULL;
> +
> + if (esl_data_size < sizeof (grub_esl_t) || esl_data == NULL)
> + return esl;
> +
> + esl = (grub_esl_t *) esl_data;
> +
> + return esl;
> +}
> +
> +/*
> + * imports the GUID, esd, and its size into the pks sd buffer and
> + * pks sd entries from the EFI signature list.
> + */
> +static grub_err_t
> +grub_esd_from_esl (const grub_uint8_t *esl_data, grub_size_t esl_size,
> + const grub_size_t signature_size, const grub_uuid_t
> *guid,
> + grub_pks_sd_t **pks_sd, grub_size_t
> *pks_sd_entries)
> +{
> + grub_esd_t *esd = NULL;
> + grub_pks_sd_t *signature = *pks_sd;
> + grub_size_t entries = *pks_sd_entries;
> + grub_size_t data_size = 0, offset = 0;
> +
> + /* reads the esd from esl */
> + while (esl_size > 0)
> + {
> + esd = (grub_esd_t *) (esl_data + offset);
> + data_size = signature_size - sizeof (grub_esd_t);
> +
> + if (signature != NULL)
> + signature = grub_realloc (signature, (entries + 1) * sizeof
> (grub_pks_sd_t));
> + else
> + signature = grub_malloc (sizeof (grub_pks_sd_t));
> +
> + if (signature == NULL)
> + return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
> +
> + signature[entries].data = grub_malloc (data_size * sizeof
> (grub_uint8_t));
> + if (signature[entries].data == NULL)
> + {
> + /*
> + * allocated memory will be freed by
> + * grub_release_platform_keystore
> + */
> + *pks_sd = signature;
> + *pks_sd_entries = entries + 1;
> + return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
> + }
> +
> + grub_memcpy (signature[entries].data, esd->signaturedata,
> data_size);
> + signature[entries].data_size = data_size;
> + signature[entries].guid = *guid;
> + entries++;
> + esl_size -= signature_size;
> + offset += signature_size;
> + }
> +
> + *pks_sd = signature;
> + *pks_sd_entries = entries;
> +
> + return GRUB_ERR_NONE;
> +}
> +
> +/*
> + * extracts the esd after removing the esl header from esl.
> + */
> +static grub_err_t
> +grub_esl_to_esd (const grub_uint8_t *esl_data, grub_size_t *next_esl,
> + grub_pks_sd_t **pks_sd, grub_size_t *pks_sd_entries)
> +{
> + grub_uuid_t guid = { 0 };
> + grub_esl_t *esl = NULL;
> + grub_size_t offset = 0, esl_size = 0,
> + signature_size = 0, signature_header_size = 0;
> +
> + esl = grub_convert_to_esl (esl_data, *next_esl);
> + if (esl == NULL)
> + return grub_error (GRUB_ERR_BUG, "invalid ESL");
> +
> + esl_size = grub_le_to_cpu32 (esl->signaturelistsize);
> + signature_header_size = grub_le_to_cpu32 (esl->signatureheadersize);
> + signature_size = grub_le_to_cpu32 (esl->signaturesize);
> + guid = esl->signaturetype;
> +
> + if (esl_size < sizeof (grub_esl_t) || esl_size > *next_esl)
> + return grub_error (GRUB_ERR_BUG, "invalid ESL size (%u)\n",
> esl_size);
> +
> + *next_esl = esl_size;
> + offset = sizeof (grub_esl_t) + signature_header_size;
> + esl_size = esl_size - offset;
> +
> + return grub_esd_from_esl (esl_data + offset, esl_size,
> signature_size, &guid,
> + pks_sd, pks_sd_entries);
> +}
> +
> +/*
> + * imports the EFI signature data and the number of esd from the esl
> + * into the pks sd buffer and pks sd entries.
> + */
> +static grub_err_t
> +grub_pks_sd_from_esl (const grub_uint8_t *esl_data, grub_size_t
> esl_size,
> + grub_pks_sd_t **pks_sd, grub_size_t
> *pks_sd_entries)
> +{
> + grub_err_t rc = GRUB_ERR_NONE;
> + grub_size_t next_esl = esl_size;
> +
> + do
> + {
> + rc = grub_esl_to_esd (esl_data, &next_esl, pks_sd,
> pks_sd_entries);
> + if (rc != GRUB_ERR_NONE)
> + break;
> +
> + esl_data += next_esl;
> + esl_size -= next_esl;
> + next_esl = esl_size;
> + }
> + while (esl_size > 0);
> +
> + return rc;
> +}
> +
> +/*
> + * reads the secure boot version from PKS as an object.
> + * caller must free result
> + */
> +static grub_err_t
> +grub_read_sbversion_from_pks (grub_uint8_t **out, grub_size_t
> *outlen, grub_size_t *policy)
> +{
> + *out = grub_malloc (pks_max_object_size);
> + if (*out == NULL)
> + return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
> +
> + return grub_ieee1275_pks_read_object (PKS_CONSUMER_FW,
> SB_VERSION_KEY_NAME,
> + SB_VERSION_KEY_LEN, *out,
> pks_max_object_size,
> + outlen, policy);
> +}
> +
> +/*
> + * reads the secure boot variable from PKS.
> + * caller must free result
> + */
> +static grub_err_t
> +grub_read_sbvar_from_pks (const grub_uint8_t sbvarflags, const
> grub_uint8_t sbvartype,
> + grub_uint8_t **out, grub_size_t *outlen)
> +{
> + *out = grub_malloc (pks_max_object_size);
> + if (*out == NULL)
> + return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
> +
> + return grub_ieee1275_pks_read_sbvar (sbvarflags, sbvartype, *out,
> + pks_max_object_size, outlen);
> +}
> +
> +/* Test the availability of PKS support. */
> +static grub_err_t
> +grub_is_support_pks (void)
> +{
> + grub_err_t rc = GRUB_ERR_NONE;
> + grub_ieee1275_cell_t missing = 0;
> +
> + rc = grub_ieee1275_test ("pks-max-object-size", &missing);
> + if (rc != GRUB_ERR_NONE || (int) missing == -1)
> + grub_printf ("Warning: doesn't have PKS support!\n");
> + else
> + {
> + rc = grub_ieee1275_pks_max_object_size (&pks_max_object_size);
> + if (rc != GRUB_ERR_NONE)
> + grub_printf ("Warning: PKS support is there but it has zero
> objects!\n");
> + }
> +
> + return rc;
> +}
> +
> +/*
> + * retrieves the secure boot variable from PKS, unpacks it, reads the
> esd
> + * from ESL, and stores the information in the pks sd buffer.
> + */
> +static grub_err_t
> +grub_read_secure_boot_variables (const grub_uint8_t sbvarflags, const
> grub_uint8_t sbvartype,
> + grub_pks_sd_t **pks_sd, grub_size_t
> *pks_sd_entries)
> +{
> + grub_err_t rc = GRUB_ERR_NONE;
> + grub_uint8_t *esl_data = NULL;
> + grub_size_t esl_data_size = 0;
> +
> + rc = grub_read_sbvar_from_pks (sbvarflags, sbvartype, &esl_data,
> &esl_data_size);
> + /*
> + * at this point we have SB_VERSION, so any error is worth
> + * at least some user-visible info
> + */
> + if (rc != GRUB_ERR_NONE)
> + rc = grub_error (rc, "secure boot variable %s reading (%d)",
> + (sbvartype == DB ? "db" : "dbx"), rc);
> + else if (esl_data_size != 0)
> + rc = grub_pks_sd_from_esl ((const grub_uint8_t *) esl_data,
> esl_data_size,
> + pks_sd, pks_sd_entries);
> + grub_free (esl_data);
> +
> + return rc;
> +}
> +
> +/* reads secure boot version (SB_VERSION) */
> +static grub_err_t
> +grub_get_secure_boot_version (void)
> +{
> + grub_err_t rc = GRUB_ERR_NONE;
> + grub_uint8_t *data = NULL;
> + grub_size_t len = 0, policy = 0;
> +
> + rc = grub_read_sbversion_from_pks (&data, &len, &policy);
> + if (rc != GRUB_ERR_NONE)
> + grub_printf ("Warning: SB version read failed! (%d)\n", rc);
> + else if (len != 1 || (*data != 1 && *data != 0))
> + {
> + grub_printf ("Warning: found unexpected SB version! (%d)\n",
> *data);
> + rc = GRUB_ERR_INVALID_COMMAND;
> + }
> +
> + if (rc != GRUB_ERR_NONE)
> + {
> + grub_printf ("Warning: switch to static key!\n");
> + if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
> + grub_fatal ("Secure Boot locked down");
> + }
> + else
> + grub_use_platform_keystore = *data;
> +
> + grub_free (data);
> +
> + return rc;
> +}
> +
> +/* releasing allocated memory */
> +void
> +grub_release_platform_keystore (void)
> +{
> + grub_size_t i = 0;
> +
> + for (i = 0; i < grub_platform_keystore.db_entries; i++)
> + grub_free (grub_platform_keystore.db[i].data);
> +
> + for (i = 0; i < grub_platform_keystore.dbx_entries; i++)
> + grub_free (grub_platform_keystore.dbx[i].data);
> +
> + grub_free (grub_platform_keystore.db);
> + grub_free (grub_platform_keystore.dbx);
> + grub_memset (&grub_platform_keystore, 0x00, sizeof (grub_pks_t));
> +}
> +
> +/* initialization of the Platform Keystore */
> +grub_err_t
> +grub_platform_keystore_init (void)
> +{
> + grub_err_t rc = GRUB_ERR_NONE;
> +
> + grub_printf ("trying to load Platform Keystore\n");
> +
> + rc = grub_is_support_pks ();
> + if (rc != GRUB_ERR_NONE)
> + {
> + grub_printf ("Warning: switch to static key!\n");
> + return rc;
> + }
> +
> + /* SB_VERSION */
> + rc = grub_get_secure_boot_version ();
> + if (rc != GRUB_ERR_NONE)
> + return rc;
> +
> + if (grub_use_platform_keystore)
> + {
> + grub_memset (&grub_platform_keystore, 0x00, sizeof
> (grub_pks_t));
> + /* DB */
> + rc = grub_read_secure_boot_variables (0, DB,
> &grub_platform_keystore.db,
> +
> &grub_platform_keystore.db_entries);
> + if (rc == GRUB_ERR_NONE)
> + {
> + /* DBX */
> + rc = grub_read_secure_boot_variables (0, DBX,
> &grub_platform_keystore.dbx,
> +
> &grub_platform_keystore.dbx_entries);
> + if (rc == PKS_OBJECT_NOT_FOUND)
> + {
> + grub_printf ("Warning: dbx is not found!\n");
> + rc = GRUB_ERR_NONE;
> + }
> + }
> +
> + }
> +
> + if (rc != GRUB_ERR_NONE)
> + grub_release_platform_keystore ();
> +
> + return rc;
> +}
> diff --git a/include/grub/platform_keystore.h
> b/include/grub/platform_keystore.h
> new file mode 100644
> index 000000000..7a7378926
> --- /dev/null
> +++ b/include/grub/platform_keystore.h
> @@ -0,0 +1,233 @@
> +/*
> + * Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved.
> This
> + * program and the accompanying materials are licensed and made
> available
> + * under the terms and conditions of the 2-Clause BSD License which
> + * accompanies this distribution.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> are met:
> + *
> + * 1. Redistributions of source code must retain the above copyright
> notice,
> + * this list of conditions and the following disclaimer.
> + *
> + * 2. Redistributions in binary form must reproduce the above
> copyright
> + * notice, this list of conditions and the following disclaimer in the
> + * documentation and/or other materials provided with the
> distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> "AS IS"
> + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
> TO, THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> PURPOSE
> + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
> CONTRIBUTORS BE
> + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
> OF
> + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
> BUSINESS
> + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
> WHETHER IN
> + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
> OTHERWISE)
> + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
> OF THE
> + * POSSIBILITY OF SUCH DAMAGE.
> + *
> + *
> + * https://github.com/tianocore/edk2-staging (edk2-staging repo of
> tianocore),
> + * the ImageAuthentication.h file under it, and here's the copyright
> and license.
> + *
> + * MdePkg/Include/Guid/ImageAuthentication.h
> + *
> + * Copyright 2024 IBM Corp.
> + */
> +
> +#ifndef __PLATFORM_KEYSTORE_H__
> +#define __PLATFORM_KEYSTORE_H__
> +
> +#include <grub/symbol.h>
> +#include <grub/mm.h>
> +#include <grub/types.h>
> +
> +#if __GNUC__ >= 9
> +#pragma GCC diagnostic ignored "-Waddress-of-packed-member"
> +#endif
> +
> +#define GRUB_UUID_SIZE 16
> +#define GRUB_MAX_HASH_SIZE 64
> +
> +typedef struct grub_uuid grub_uuid_t;
> +typedef struct grub_esd grub_esd_t;
> +typedef struct grub_esl grub_esl_t;
> +
> +/* The structure of a UUID.*/
> +struct grub_uuid
> +{
> + grub_uint8_t b[GRUB_UUID_SIZE];
> +};
> +
> +/*
> + * It is derived from EFI_SIGNATURE_DATA
> + *
> https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
> + *
> + * The structure of an EFI signature database (ESD).*/
> +struct grub_esd
> +{
> + /*
> + * An identifier which identifies the agent which added
> + * the signature to the list.
> + */
> + grub_uuid_t signatureowner;
> + /* The format of the signature is defined by the SignatureType.*/
> + grub_uint8_t signaturedata[];
> +} GRUB_PACKED;
> +
> +/*
> + * It is derived from EFI_SIGNATURE_LIST
> + *
> https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
> + *
> + * The structure of an EFI signature list (ESL).*/
> +struct grub_esl
> +{
> + /* Type of the signature. GUID signature types are defined in
> below.*/
> + grub_uuid_t signaturetype;
> + /* Total size of the signature list, including this header.*/
> + grub_uint32_t signaturelistsize;
> + /*
> + * Size of the signature header which precedes
> + * the array of signatures.
> + */
> + grub_uint32_t signatureheadersize;
> + /* Size of each signature.*/
> + grub_uint32_t signaturesize;
> +} GRUB_PACKED;
> +
> +/*
> + * It is derived from EFI_CERT_X509_GUID
> + *
> https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
> + */
> +#define GRUB_PKS_CERT_X509_GUID \
> + (grub_uuid_t) \
> + { \
> + { \
> + 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, \
> + 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, \
> + 0x5c, 0x2b, 0xf0, 0x72 \
> + } \
> + }
> +
> +/*
> + * It is derived from EFI_CERT_SHA256_GUID
> + *
> https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
> + */
> +#define GRUB_PKS_CERT_SHA256_GUID \
> + (grub_uuid_t) \
> + { \
> + { \
> + 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, \
> + 0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, \
> + 0x36, 0x93, 0x43, 0x28 \
> + } \
> + }
> +
> +/*
> + * It is derived from EFI_CERT_SHA384_GUID
> + *
> https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
> + */
> +#define GRUB_PKS_CERT_SHA384_GUID \
> + (grub_uuid_t) \
> + { \
> + { \
> + 0x07, 0x53, 0x3e, 0xff, 0xd0, 0x9f, \
> + 0xc9, 0x48, 0x85, 0xf1, 0x8a, 0xd5, \
> + 0x6c, 0x70, 0x1e, 0x1 \
> + } \
> + }
> +
> +/*
> + * It is derived from EFI_CERT_SHA512_GUID
> + *
> https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
> + */
> +#define GRUB_PKS_CERT_SHA512_GUID \
> + (grub_uuid_t) \
> + { \
> + { \
> + 0xae, 0x0f, 0x3e, 0x09, 0xc4, 0xa6, \
> + 0x50, 0x4f, 0x9f, 0x1b, 0xd4, 0x1e, \
> + 0x2b, 0x89, 0xc1, 0x9a \
> + } \
> + }
> +
> +/*
> + * It is derived from EFI_CERT_X509_SHA256_GUID
> + *
> https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
> + */
> +#define GRUB_PKS_CERT_X509_SHA256_GUID \
> + (grub_uuid_t) \
> + { \
> + { \
> + 0x92, 0xa4, 0xd2, 0x3b, 0xc0, 0x96, \
> + 0x79, 0x40, 0xb4, 0x20, 0xfc, 0xf9, \
> + 0x8e, 0xf1, 0x03, 0xed \
> + } \
> + }
> +
> +/*
> + * It is derived from EFI_CERT_X509_SHA384_GUID
> + *
> https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
> + */
> +#define GRUB_PKS_CERT_X509_SHA384_GUID \
> + (grub_uuid_t) \
> + { \
> + { \
> + 0x6e, 0x87, 0x76, 0x70, 0xc2, 0x80, \
> + 0xe6, 0x4e, 0xaa, 0xd2, 0x28, 0xb3, \
> + 0x49, 0xa6, 0x86, 0x5b \
> + } \
> + }
> +
> +/*
> + * It is derived from EFI_CERT_X509_SHA512_GUID
> + *
> https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
> + */
> +#define GRUB_PKS_CERT_X509_SHA512_GUID \
> + (grub_uuid_t) \
> + { \
> + { \
> + 0x63, 0xbf, 0x6d, 0x44, 0x02, 0x25, \
> + 0xda, 0x4c, 0xbc, 0xfa, 0x24, 0x65, \
> + 0xd2, 0xb0, 0xfe, 0x9d \
> + } \
> + }
> +
> +typedef struct grub_pks_sd grub_pks_sd_t;
> +typedef struct grub_pks grub_pks_t;
> +
> +/* The structure of a PKS signature data.*/
> +struct grub_pks_sd
> +{
> + grub_uuid_t guid; /* signature type */
> + grub_uint8_t *data; /* signature data */
> + grub_size_t data_size; /* size of signature data */
> +} GRUB_PACKED;
> +
> +/* The structure of a PKS.*/
> +struct grub_pks
> +{
> + grub_pks_sd_t *db; /* signature database */
> + grub_pks_sd_t *dbx; /* forbidden signature database */
> + grub_size_t db_entries; /* size of signature database */
> + grub_size_t dbx_entries; /* size of forbidden signature database */
> +} GRUB_PACKED;
> +
> +#ifdef __powerpc__
> +
> +/* initialization of the Platform Keystore */
> +grub_err_t grub_platform_keystore_init (void);
> +/* releasing allocated memory */
> +void EXPORT_FUNC(grub_release_platform_keystore) (void);
> +extern grub_uint8_t EXPORT_VAR(grub_use_platform_keystore);
> +extern grub_pks_t EXPORT_VAR(grub_platform_keystore);
> +
> +#else
> +
> +#define grub_use_platform_keystore 0
> +grub_pks_t grub_platform_keystore = {NULL, NULL, 0, 0};
> +void grub_release_platform_keystore (void);
> +
> +#endif
> +
> +#endif
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
next prev parent reply other threads:[~2025-02-07 5:57 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-18 14:56 [PATCH v1 00/21] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2024-12-18 14:56 ` [PATCH v1 01/21] powerpc-ieee1275: Add support for signing grub with an appended signature Sudhakar Kuppusamy
2024-12-27 14:58 ` Stefan Berger
2025-02-26 4:24 ` sudhakar
2025-01-04 18:30 ` Vladimir 'phcoder' Serbinenko
2025-01-06 6:25 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 02/21] docs/grub: Document signing grub under UEFI Sudhakar Kuppusamy
2024-12-27 15:00 ` Stefan Berger
2024-12-18 14:56 ` [PATCH v1 03/21] docs/grub: Document signing grub with an appended signature Sudhakar Kuppusamy
2024-12-27 15:04 ` Stefan Berger
2025-01-04 18:32 ` Vladimir 'phcoder' Serbinenko
2025-01-24 9:44 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 04/21] dl: provide a fake grub_dl_set_persistent for the emu target Sudhakar Kuppusamy
2024-12-27 15:06 ` Stefan Berger
2025-01-04 18:36 ` Vladimir 'phcoder' Serbinenko
2025-01-24 9:47 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 05/21] pgp: factor out rsa_pad Sudhakar Kuppusamy
2024-12-27 15:11 ` Stefan Berger
2025-01-04 18:40 ` Vladimir 'phcoder' Serbinenko
2025-02-27 15:26 ` sudhakar
2025-01-24 10:40 ` Avnish Chouhan
2025-02-27 15:28 ` sudhakar
2024-12-18 14:56 ` [PATCH v1 06/21] crypto: move storage for grub_crypto_pk_* to crypto.c Sudhakar Kuppusamy
2024-12-27 15:13 ` Stefan Berger
2025-01-04 18:41 ` Vladimir 'phcoder' Serbinenko
2025-01-24 10:42 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 07/21] grub-install: support embedding x509 certificates Sudhakar Kuppusamy
2024-12-27 16:08 ` Stefan Berger
2025-01-24 10:45 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 08/21] appended signatures: import GNUTLS's ASN.1 description files Sudhakar Kuppusamy
2024-12-28 19:02 ` Stefan Berger
2025-01-24 10:47 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 09/21] appended signatures: parse PKCS#7 signedData and X.509 certificates Sudhakar Kuppusamy
2024-12-28 19:46 ` Stefan Berger
2025-02-26 4:26 ` sudhakar
2025-01-24 11:10 ` Avnish Chouhan
2025-02-27 15:31 ` sudhakar
2025-01-24 11:23 ` Michal Suchánek
2024-12-18 14:56 ` [PATCH v1 10/21] appended signatures: support verifying appended signatures Sudhakar Kuppusamy
2024-12-29 16:37 ` Stefan Berger
2025-02-06 6:10 ` Avnish Chouhan
2025-02-27 15:33 ` sudhakar
2024-12-18 14:56 ` [PATCH v1 11/21] appended signatures: verification tests Sudhakar Kuppusamy
2024-12-30 15:39 ` Stefan Berger
2025-02-14 10:27 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 12/21] appended signatures: documentation Sudhakar Kuppusamy
2024-12-30 15:50 ` Stefan Berger
2025-02-26 4:28 ` sudhakar
2025-02-14 10:39 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 13/21] ieee1275: enter lockdown based on /ibm,secure-boot Sudhakar Kuppusamy
2024-12-30 22:02 ` Stefan Berger
2025-02-06 6:23 ` Avnish Chouhan
2025-02-27 15:34 ` sudhakar
2024-12-18 14:56 ` [PATCH v1 14/21] ieee1275: Platform Keystore (PKS) Support Sudhakar Kuppusamy
2024-12-30 22:14 ` Stefan Berger
2025-02-26 4:33 ` sudhakar
2025-02-06 9:09 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 15/21] ieee1275: Read the DB and DBX secure boot variables Sudhakar Kuppusamy
2024-12-30 23:01 ` Stefan Berger
2025-02-26 4:43 ` sudhakar
2024-12-30 23:04 ` Stefan Berger
2025-02-26 4:44 ` sudhakar
2025-02-07 5:57 ` Avnish Chouhan [this message]
2024-12-18 14:56 ` [PATCH v1 16/21] appendedsig: The creation of trusted and distrusted lists Sudhakar Kuppusamy
2024-12-31 17:21 ` Stefan Berger
2025-02-27 15:21 ` sudhakar
2025-02-07 6:39 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 17/21] appendedsig: While verifying the kernel, use " Sudhakar Kuppusamy
2024-12-31 17:37 ` Stefan Berger
2025-02-27 15:22 ` sudhakar
2025-02-07 6:44 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 18/21] ieee1275: set use_static_keys flag Sudhakar Kuppusamy
2025-01-02 13:22 ` Stefan Berger
2025-02-27 15:24 ` sudhakar
2025-02-07 6:46 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 19/21] appendedsig: Reads the default DB keys from ELF Note Sudhakar Kuppusamy
2025-01-02 13:19 ` Stefan Berger
2025-02-27 15:23 ` sudhakar
2025-02-07 6:54 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 20/21] appendedsig: The grub command's trusted and distrusted support Sudhakar Kuppusamy
2025-02-07 10:16 ` Avnish Chouhan
2024-12-18 14:56 ` [PATCH v1 21/21] appendedsig: documentation Sudhakar Kuppusamy
2025-02-07 10:00 ` Avnish Chouhan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10ded8921b9b25b713c1db7434eeefbe@linux.ibm.com \
--to=avnish@linux.ibm.com \
--cc=daniel.kiper@oracle.com \
--cc=dja@axtens.net \
--cc=grub-devel@gnu.org \
--cc=jan.setjeeilers@oracle.com \
--cc=julian.klode@canonical.com \
--cc=mate.kukri@canonical.com \
--cc=nayna@linux.ibm.com \
--cc=pjones@redhat.com \
--cc=ssrish@linux.ibm.com \
--cc=stefanb@linux.ibm.com \
--cc=sudhakar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.