From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <49A15982.4000001@gmail.com>
Date: Sun, 22 Feb 2009 14:56:18 +0100
From: phcoder
To: The development of GRUB 2
References: <49A152BD.6010907@student.ethz.ch>
In-Reply-To: <49A152BD.6010907@student.ethz.ch>
Subject: Re: GRUB trusted boot framework
List-Id: The development of GRUB 2
X-BeenThere: grub-devel@gnu.org

> - hooks for any disk read (not sure if write is necessary)

The way trusted grub does it is an ad-hoc solution which results in a MESS. They just try to hash and rehash everything without design. So if grub is instructed to load all modules in a directory and the filesystem is reindexed, then grub will load the same modules in a different order, which results in a different hash. IMO we can't allow such a thing to come to grub2; it's just against its basic design principles.

Much better would be a layer similar to gzio:

  grub_gnupg_open (const char *filename, int flags, struct grub_gnupg_info *info);

which internally checks the certificate. This layer can also encrypt/decrypt from gnupg containers. Then all kernel and config loads would use this function instead of grub_gzio_open, and grub_gnupg_open would check if its contents are gzipped.

Flags can include:

  GRUB_GNUPG_FLAGS_ALLOW_UNSIGNED  if the signature can be checked later on (e.g. signed ELF)

Then the behavior is controlled by an environment variable allow_unsigned=yes|no. If grub_gnupg_open is invoked without GRUB_GNUPG_FLAGS_ALLOW_UNSIGNED and allow_unsigned=no and the signature is broken or not present, it should prompt for the password (if it isn't supplied yet) and write something like:

  File %s is unsigned. Are you sure you want to load it? Type "YES" if you do.

Regards
Vladimir 'phcoder' Serbinenko
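As an added illustration (not code from this mail or from GRUB), the load policy described above written out as a pure decision function, with the gzip-magic probe the layer would use to pick the gzio path after verification. All names below are hypothetical stand-ins; the only real identifiers are the flag and variable named in the mail. The mail does not say how an unset allow_unsigned is treated, so this example assumes anything other than "yes" means "no".

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Flag named in the proposal: the caller will verify the signature itself
   later (e.g. a signed ELF), so the open layer must not block on it. */
#define GRUB_GNUPG_FLAGS_ALLOW_UNSIGNED 1

enum sig_status { SIG_OK, SIG_MISSING, SIG_BROKEN };

/* LOAD_AFTER_PROMPT models "ask for the password, then require 'YES'". */
enum load_decision { LOAD, LOAD_AFTER_PROMPT };

/* The rule from the mail: prompt only when the caller did not defer the
   check, the environment forbids unsigned files, and the signature is
   absent or fails. allow_unsigned is the env var value; NULL = unset,
   and anything other than "yes" is treated as "no" (assumption). */
enum load_decision
gnupg_open_policy(int flags, const char *allow_unsigned, enum sig_status sig)
{
    if (flags & GRUB_GNUPG_FLAGS_ALLOW_UNSIGNED)
        return LOAD;                    /* verified later by the caller */
    if (allow_unsigned != NULL && strcmp(allow_unsigned, "yes") == 0)
        return LOAD;                    /* operator explicitly opted out */
    if (sig == SIG_OK)
        return LOAD;                    /* good signature, nothing to ask */
    return LOAD_AFTER_PROMPT;           /* unsigned or broken: confirm */
}

/* "grub_gnupg_open would check if its contents are gzipped": a gzip
   stream starts with the magic bytes 0x1f 0x8b, so the layer can route
   the (already verified) data through the gzio path when it sees them. */
int
looks_gzipped(const uint8_t *buf, size_t len)
{
    return len >= 2 && buf[0] == 0x1f && buf[1] == 0x8b;
}

/* The interactive confirmation: only the exact string "YES" proceeds,
   so a stray Enter or a lowercase "yes" does not load an unsigned file. */
int
confirms_unsigned_load(const char *answer)
{
    return answer != NULL && strcmp(answer, "YES") == 0;
}
```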