Re: [PATCH v1 19/21] appendedsig: Reads the default DB keys from ELF Note

From: sudhakar <sudhakar@linux.ibm.com>
To: Stefan Berger <stefanb@linux.ibm.com>
Cc: grub-devel@gnu.org, dja@axtens.net, jan.setjeeilers@oracle.com,
	julian.klode@canonical.com, mate.kukri@canonical.com,
	pjones@redhat.com, avnish@linux.ibm.com, nayna@linux.ibm.com,
	ssrish@linux.ibm.com
Subject: Re: [PATCH v1 19/21] appendedsig: Reads the default DB keys from ELF Note
Date: Thu, 27 Feb 2025 20:53:49 +0530	[thread overview]
Message-ID: <32083eac64357a4f4bbf859fcb1d7960@linux.ibm.com> (raw)
In-Reply-To: <657c822e-aab5-43c1-8e27-79f2bb236c02@linux.ibm.com>

On 2025-01-02 18:49, Stefan Berger wrote:
> On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
>> if secure boot enabled with PKS and set use_static_keys flag, it
> 
> If Secure Boot is enabled with PKS and the use_static_keys flag is
> set, then read the DB default keys from the ELF note and store them in
> the trusted list buffer.
> 
>> reads the DB default keys from ELF Note and store it in trusted list 
>> buffer.
>> 
>> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
>> ---
>>   grub-core/commands/appendedsig/appendedsig.c | 58 
>> ++++++++++++++------
>>   1 file changed, 41 insertions(+), 17 deletions(-)
>> 
>> diff --git a/grub-core/commands/appendedsig/appendedsig.c 
>> b/grub-core/commands/appendedsig/appendedsig.c
>> index 8b084087e..9a9f4ef1c 100644
>> --- a/grub-core/commands/appendedsig/appendedsig.c
>> +++ b/grub-core/commands/appendedsig/appendedsig.c
>> @@ -1082,7 +1082,7 @@ grub_create_distrusted_list (void)
>>    * parses it, and adds it to the trusted list.
>>    */
>>   static grub_err_t
>> -grub_build_static_trusted_list (const struct grub_module_header 
>> *header)
>> +grub_build_static_trusted_list (const struct grub_module_header 
>> *header, const grub_bool_t mode)
> 
> A more meaningful variable name than 'mode' would be good. mode = true
> or false doesn't mean much.
> 
>>   {
>>     grub_err_t err = GRUB_ERR_NONE;
>>     struct grub_file pseudo_file;
>> @@ -1101,7 +1101,14 @@ grub_build_static_trusted_list (const struct 
>> grub_module_header *header)
>>     if (err != GRUB_ERR_NONE)
>>       return err;
>>   -  err = grub_add_certificate (cert_data, cert_data_size, &grub_db, 
>> 1);
>> +  if (mode)
>> +    {
>> +      err = grub_is_distrusted_cert_hash (cert_data, cert_data_size);
>> +      if (err != GRUB_ERR_NONE)
>> +        return err;
>> +    }
>> +
>> +  err = grub_add_certificate (cert_data, cert_data_size, &grub_db, 
>> mode);
>>     if (cert_data != NULL)
>>       grub_free (cert_data);
>>   @@ -1154,6 +1161,20 @@ grub_release_distrusted_list (void)
>>     grub_memset (&grub_dbx, 0x00, sizeof (grub_dbx));
>>   }
>>   +static grub_err_t
>> +grub_load_static_keys (const struct grub_module_header *header, const 
>> grub_bool_t mode)
>> +{
>> +  int rc = GRUB_ERR_NONE;
>> +  FOR_MODULES (header)
>> +    {
>> +      /* Not an ELF module, skip.  */
>> +      if (header->type != OBJ_TYPE_X509_PUBKEY)
>> +        continue;
>> +      rc = grub_build_static_trusted_list (header, mode);
> 
> Do you have to check rc at this point?
> 
>> +    }
>> +  return rc;
>> +}
>> +
>>   GRUB_MOD_INIT (appendedsig)
>>   {
>>     int rc;
>> @@ -1172,26 +1193,29 @@ GRUB_MOD_INIT (appendedsig)
>>       if (!grub_use_platform_keystore && check_sigs == 
>> check_sigs_forced)
>>       {
>> -      FOR_MODULES (header)
>> +      rc = grub_load_static_keys (header, 0);
>> +      if (rc != GRUB_ERR_NONE)
>>           {
>> -          /* Not an ELF module, skip.  */
>> -          if (header->type != OBJ_TYPE_X509_PUBKEY)
>> -            continue;
>> -
>> -          rc = grub_build_static_trusted_list (header);
>> -          if (rc != GRUB_ERR_NONE)
>> -            {
>> -              grub_release_trusted_list ();
>> -              grub_error (rc, "static trusted list creation failed");
>> -            }
>> -          else
>> -            grub_printf ("appendedsig: the trusted list now has %" 
>> PRIuGRUB_SIZE " static keys\n",
>> -                         grub_db.key_entries);
>> +          grub_release_trusted_list ();
>> +          grub_error (rc, "static trusted list creation failed");
>>           }
>> +      else
>> +        grub_printf ("appendedsig: the trusted list now has %" 
>> PRIuGRUB_SIZE " static keys\n",
>> +                     grub_db.key_entries);
>> +
>>       }
>>     else if (grub_use_platform_keystore && check_sigs == 
>> check_sigs_forced)
>>       {
>> -      rc = grub_create_trusted_list ();
>> +
>> +      if (grub_platform_keystore.use_static_keys == 1)
> 
> if (grub_platform_keystore.use_static_keys)
> 
>> +        {
>> +          grub_printf ("Warning: db variable is not available at PKS 
>> and using a static keys "
>> +                       "as a default key in trusted list\n");
>> +          rc = grub_load_static_keys (header, 1);
>> +        }
>> +      else
>> +        rc = grub_create_trusted_list ();
>> +
>>         if (rc != GRUB_ERR_NONE)
>>           {
>>             grub_release_trusted_list ();

addressed all the comments. thank you Stefan.

Thanks,
Sudhakar Kuppusamy

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel