From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
To: Daniel Kiper <dkiper@net-space.pl>
Cc: grub-devel@gnu.org, dja@axtens.net, jan.setjeeilers@oracle.com,
julian.klode@canonical.com, mate.kukri@canonical.com,
pjones@redhat.com, msuchanek@suse.com, mlewando@redhat.com,
stefanb@linux.ibm.com, avnish@linux.ibm.com, nayna@linux.ibm.com,
ssrish@linux.ibm.com
Subject: Re: [PATCH v6 10/20] appended signatures: Support verifying appended signatures
Date: Wed, 13 Aug 2025 20:18:51 +0530
Message-ID: <20392367-ED09-4DBB-9A2D-520CD2567115@linux.ibm.com>
In-Reply-To: <20250813143342.d5chkvslcjkfbque@tomti.i.net-space.pl>
> On 13 Aug 2025, at 8:03 PM, Daniel Kiper <dkiper@net-space.pl> wrote:
>
> On Tue, Aug 12, 2025 at 05:16:22PM +0530, Sudhakar Kuppusamy wrote:
>>> On 12 Aug 2025, at 5:00 PM, Daniel Kiper <dkiper@net-space.pl> wrote:
>>> On Tue, Aug 12, 2025 at 10:30:55AM +0530, Sudhakar Kuppusamy wrote:
>>>> Thank you Daniel.
>>>>
>>>>> On 11 Aug 2025, at 9:24 PM, Daniel Kiper <dkiper@net-space.pl> wrote:
>>>>> On Tue, Jul 29, 2025 at 08:21:46PM +0530, Sudhakar Kuppusamy wrote:
>>>
>>> [...]
>>>
>>>>>> + if (is_cert_removed_from_db (cert) == false)
>>>>>> + err = grub_error (GRUB_ERR_EOF,
>>>>>> + "not found certificate with CN:%s in the db list", cert->subject);
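Review bot: GRUB_ERR_EOF is an odd error code for this branch; the condition being reported is a certificate that is absent from the db list, not an end-of-data condition, so a code that names a lookup failure would describe it better. Since the discussion below settles that this removal from the db only applies to the current boot and does not persist, the comment above this check should say so explicitly. The message text also reads awkwardly as "not found certificate with CN:%s in the db list"; "certificate with CN: %s not found in the db list" is clearer.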
>>>>>
>>>>> First of all, I am not convinced the cert should be removed automatically
>>>>> from the db. I think it would be better if it is documented it should be
>>>>> done manually. However, if you convince me it should be done automatically
>>>>> here then lack of cert in the db should not trigger an error...
>>>>
>>>> It is not automatically removing the cert from the db but does it manually
>>>> when the user tries to remove a distrusted cert via the append_rm_dbx_cert command.
>>>
>>> So, I mean it should not happen then...
>>
>> The removal of the certificate here is not persisted across boots; it is only for the current boot.
>
> Ahhh... OK... You can ignore my comment then. Though I think it means
> comments and/or code should be more clear about it...
Sure. Will add clear comments.
>
>> Also, this command accepts only signed certificates when secure boot is set to enabled.
>>
>> I do not understand "automatic" and "manual" from your previous comments.
>> Could you please elaborate on it?
>
> When I say "automatic" I mean here the command at once inserts a given
> cert into dbx and removes it from the db.
Thank you Daniel.
>
> Daniel
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel