From: "Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@gmail.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: Signature verification in GRUB
Date: Sat, 13 Oct 2012 12:36:11 +0200
Message-ID: <5079441B.6010809@gmail.com>
In-Reply-To: <alpine.DEB.2.02.1210091456130.27430@salmon-of-wisdom>
On 10.10.2012 00:54, Geoffrey Thomas wrote:
> Hi GRUB list,
>
> I'm working on adding verified boot / Secure Boot support to my
> company's OS-level product (MokaFive BareMetal). As background, we use
> whole-image updates to help with reliable unattended upgrades and for
> debugging; an upgrade is delivered as a new ISO image, and we have GRUB
> configuration to loop-mount the ISO and load further configuration, a
> kernel, and an initrd.
>
> First, does GRUB have a mechanism for me to validate a digitally-signed
> file of some sort? This could be e.g. a PGP-signed file or something
> from `openssl dgst -sign`. I see that GRUB has all the relevant crypto
> primitives to do this, but I can't find a command to invoke them. (As
> far as I can tell, gcrypt is only used for PBKDF2 and cryptodisk support?)
>
I have some code dating from about a year ago but because of my current
personal situation it's put on hold for some time.
> If not, I'd like to add a command to verify a signature on a file, or
> possibly to verify a signature on a GRUB configuration file and execute
> it if it validates. Does this seem like a reasonable thing to add?
>
> Secondarily, I'm curious if anyone has done work towards porting verity
> or some similar signed (but not encrypted) disk support to GRUB. Since
> we're already planning on using dm-verity once the kernel is booted, I
> think the simplest solution will be to have a signature on the verity
> root hash, mount the ISO using verity, and load the GRUB configuration /
> kernel / initrd from the resulting block device. Does this support exist
> already? (I've also asked this question on the dm-crypt list.)
>
Is there some doc on dm-verity? It may be interesting.
> Finally, if there's an easier way to do verified boot with GRUB or some
> existing effort along these lines that I should be helping out with, let
> me know.
>
> Thanks,
--
Regards
Vladimir 'φ-coder/phcoder' Serbinenko