From: "Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@gmail.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: [PATCH v0] Additional security-relevant documentation
Date: Thu, 17 Oct 2013 23:44:14 +0200 [thread overview]
Message-ID: <52605A2E.4010107@gmail.com> (raw)
In-Reply-To: <CADtfRCVgUFWkTLnr7fXczvZZk5a5+Oi-rf==v+7-TRXmJhydkQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1867 bytes --]
On 17.10.2013 20:03, Jonathan McCune wrote:
> grub-mkimage is internal implementation detail. It should not be
> mentioned here.
>
>
> I tend to agree, but right now it's necessary to understand this. When
> grub-install support for --pubkey matures, this can be removed.
>
>
> > This
> > +can be done using the @code{--pubkey} option to
> @command{grub-mkimage}
> > +and manually specifying that the modules required for signature
> > +verification be embedded in @file{core.img}. For example:
> > +
> > +@example
> > +# First, wrap grub-mkimage to include your public key(s).
> > +cat <<EOF > /root/grub-mkimage-pubkey.sh
> > +#!/bin/sh
> > +/usr/bin/grub-mkimage --pubkey=/boot/pubkey.gpg $@@
> > +EOF
> > +chmod +x /root/grub-mkimage-pubkey.sh
> > +# Then, invoke grub-install, explicitly including the `verify'
> > +# module and its dependencies (as verify cannot signature-check
> > +# itself).
> > +grub-install \
> > + --grub-mkimage=/root/grub-mkimage-pubkey.sh \
> > + --modules="verify gcry_rsa gcry_dsa gcry_sha256 hashsum"\
> > +"gcry_sha1 mpi echo loadenv" \
> > + /dev/sda
> > +@end example
> > +
>
> Nor should this example really be included.
>
>
> Same thoughts as above. This should get dropped as part of some future
> cleanup, but for the moment I think it's necessary. It's also already
> committed so somewhat moot.
Not true
a) This part was removed
b) I actually forgot Andrey's message when I committed your patch. Sorry
for this. Most of problems he mentions are valid and should be fixed.
Also, interestingly, I removed most of parts he had problem with even
though I didn't look at his email at that time.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 291 bytes --]
prev parent reply other threads:[~2013-10-17 21:44 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-27 17:00 [PATCH v0] Additional security-relevant documentation Jon McCune
2013-09-29 9:29 ` Andrey Borzenkov
2013-10-17 18:03 ` Jonathan McCune
2013-10-17 21:44 ` Vladimir 'φ-coder/phcoder' Serbinenko [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52605A2E.4010107@gmail.com \
--to=phcoder@gmail.com \
--cc=grub-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.