From: Vladimir 'φ-coder/phcoder' Serbinenko
Date: Sat, 13 Oct 2012 12:36:11 +0200
To: The development of GNU GRUB
Subject: Re: Signature verification in GRUB
Message-ID: <5079441B.6010809@gmail.com>

On 10.10.2012 00:54, Geoffrey Thomas wrote:
> Hi GRUB list,
>
> I'm working on adding verified boot / Secure Boot support to my
> company's OS-level product (MokaFive BareMetal). As background, we use
> whole-image updates to help with reliable unattended upgrades and for
> debugging; an upgrade is delivered as a new ISO image, and we have GRUB
> configuration to loop-mount the ISO and load further configuration, a
> kernel, and an initrd.
>
> First, does GRUB have a mechanism for me to validate a digitally-signed
> file of some sort? This could be e.g. a PGP-signed file or something
> from `openssl dgst -sign`. I see that GRUB has all the relevant crypto
> primitives to do this, but I can't find a command to invoke them. (As
> far as I can tell, gcrypt is only used for PBKDF2 and cryptodisk support?)
>

I have some code dating from about a year ago but because of my current
personal situation it's put on hold for some time.

> If not, I'd like to add a command to verify a signature on a file, or
> possibly to verify a signature on a GRUB configuration file and execute
> it if it validates. Does this seem like a reasonable thing to add?
>
> Secondarily, I'm curious if anyone has done work towards porting verity
> or some similar signed (but not encrypted) disk support to GRUB. Since
> we're already planning on using dm-verity once the kernel is booted, I
> think the simplest solution will be to have a signature on the verity
> root hash, mount the ISO using verity, and load the GRUB configuration /
> kernel / initrd from the resulting block device. Does this support exist
> already? (I've also asked this question on the dm-crypt list.)
>

Is there some doc on dm-verify? It may be interesting.

> Finally, if there's an easier way to do verified boot with GRUB or some
> existing effort along these lines that I should be helping out with, let
> me know.
>
> Thanks,

-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko