Subject: Re: [PATCH v2 04/22] Add suport for signing grub with an appended signature
From: Stefan Berger
To: The development of GNU GRUB, Daniel Axtens
Cc: rashmica.g@gmail.com, alastair@d-silva.org, nayna@linux.ibm.com
Date: Mon, 12 Jul 2021 08:43:33 -0400
Message-ID: <94e64fee-9396-db36-fa33-fdcbc8b03b79@linux.ibm.com>
In-Reply-To: <20210630084031.2663622-5-dja@axtens.net>

On 6/30/21 4:40 AM, Daniel Axtens wrote:
> From: Rashmica Gupta
>
> Add infrastructure to allow firmware to verify the integrity of grub
> by use of a Linux-kernel-module-style appended signature. We initially
> target powerpc-ieee1275, but the code should be extensible to other
> platforms.
>
> Usually these signatures are appended to a file without modifying the
> ELF file itself. (This is what the 'sign-file' tool does, for example.)
> The verifier loads the signed file from the file system and looks at the
> end of the file for the appended signature. However, on powerpc-ieee1275
> platforms, the bootloader is often stored directly in the PReP partition
> as raw bytes without a file-system. This makes determining the location
> of an appended signature more difficult.
>
> To address this, we add a new ELF note.
>
> The name field of shall be the string "Appended-Signature", zero-padded
> to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
> for the string "ASig"). It must be the final section in the ELF binary.
>
> The description shall contain the appended signature structure as defined
> by the Linux kernel. The description will also be padded to be a multiple
> of 4 bytes. The padding shall be added before the appended signature
> structure (not at the end) so that the final bytes of a signed ELF file
> are the appended signature magic.
>
> A subsequent patch documents how to create a grub core.img validly signed
> under this scheme.
>
> Signed-off-by: Daniel Axtens
> Signed-off-by: Rashmica Gupta > > --- > > You can experiment with this code with a patched version of SLOF > that verifies these signatures. You can find one at: > https://github.com/daxtens/SLOF > > I will be proposing this for inclusion in a future Power Architecture > Platform Reference (PAPR). > --- > include/grub/util/install.h | 8 ++++++-- > include/grub/util/mkimage.h | 4 ++-- > util/grub-install-common.c | 15 +++++++++++--- > util/grub-mkimage.c | 11 +++++++++++ > util/grub-mkimagexx.c | 39 ++++++++++++++++++++++++++++++++++++- > util/mkimage.c | 13 +++++++------ > 6 files changed, 76 insertions(+), 14 deletions(-) > > diff --git a/include/grub/util/install.h b/include/grub/util/install.h > index 7df3191f47ef..cf4531e02b66 100644 > --- a/include/grub/util/install.h > +++ b/include/grub/util/install.h > @@ -67,6 +67,9 @@ > N_("SBAT metadata"), 0 }, \ > { "disable-shim-lock", GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, 0, 0, \ > N_("disable shim_lock verifier"), 0 }, \ > + { "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\ > + "SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \ > + 1}, \ > { "verbose", 'v', 0, 0, \ > N_("print verbose messages."), 1 } > > @@ -128,7 +131,8 @@ enum grub_install_options { > GRUB_INSTALL_OPTIONS_INSTALL_CORE_COMPRESS, > GRUB_INSTALL_OPTIONS_DTB, > GRUB_INSTALL_OPTIONS_SBAT, > - GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK > + GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, > + GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE > }; > > extern char *grub_install_source_directory; > @@ -188,7 +192,7 @@ grub_install_generate_image (const char *dir, const char *prefix, > size_t npubkeys, > char *config_path, > const struct grub_install_image_target_desc *image_target, > - int note, > + int note, size_t appsig_size, > grub_compression_t comp, const char *dtb_file, > const char *sbat_path, const int disable_shim_lock); 
> > diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h > index 3819a67441c8..6f1da89b9b65 100644 > --- a/include/grub/util/mkimage.h > +++ b/include/grub/util/mkimage.h > @@ -51,12 +51,12 @@ grub_mkimage_load_image64 (const char *kernel_path, > const struct grub_install_image_target_desc *image_target); > void > grub_mkimage_generate_elf32 (const struct grub_install_image_target_desc *image_target, > - int note, char **core_img, size_t *core_size, > + int note, size_t appsig_size, char **core_img, size_t *core_size, > Elf32_Addr target_addr, > struct grub_mkimage_layout *layout); > void > grub_mkimage_generate_elf64 (const struct grub_install_image_target_desc *image_target, > - int note, char **core_img, size_t *core_size, > + int note, size_t appsig_size, char **core_img, size_t *core_size, > Elf64_Addr target_addr, > struct grub_mkimage_layout *layout); > > diff --git a/util/grub-install-common.c b/util/grub-install-common.c > index 4e212e690c52..1216a203c292 100644 > --- a/util/grub-install-common.c > +++ b/util/grub-install-common.c > @@ -461,10 +461,12 @@ static size_t npubkeys; > static char *sbat; > static int disable_shim_lock; > static grub_compression_t compression; > +static size_t appsig_size; > > int > grub_install_parse (int key, char *arg) > { > + const char *end; > switch (key) > { > case 'C': > @@ -562,6 +564,12 @@ grub_install_parse (int key, char *arg) > grub_util_error (_("Unrecognized compression `%s'"), arg); > case GRUB_INSTALL_OPTIONS_GRUB_MKIMAGE: > return 1; > + case GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE: > + grub_errno = 0; > + appsig_size = grub_strtol(arg, &end, 10); > + if (grub_errno) > + return 0; > + return 1; > default: > return 0; > } 
> @@ -661,10 +669,11 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix, > " --output '%s' " > " --dtb '%s' " > "--sbat '%s' " > - "--format '%s' --compression '%s' %s %s %s\n", > + "--format '%s' --compression '%s' " > + "--appended-signature-size %zu %s %s %s\n", > dir, prefix, > outname, dtb ? : "", sbat ? : "", mkimage_target, > - compnames[compression], note ? "--note" : "", > + compnames[compression], appsig_size, note ? "--note" : "", > disable_shim_lock ? "--disable-shim-lock" : "", s); > free (s); > > @@ -675,7 +684,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix, > grub_install_generate_image (dir, prefix, fp, outname, > modules.entries, memdisk_path, > pubkeys, npubkeys, config_path, tgt, > - note, compression, dtb, sbat, > + note, appsig_size, compression, dtb, sbat, > disable_shim_lock); > while (dc--) > grub_install_pop_module (); > diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c > index c0d559937020..d01eaeb8443a 100644 > --- a/util/grub-mkimage.c > +++ b/util/grub-mkimage.c > @@ -84,6 +84,7 @@ static struct argp_option options[] = { > {"sbat", 's', N_("FILE"), 0, N_("SBAT metadata"), 0}, > {"disable-shim-lock", GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, 0, 0, N_("disable shim_lock verifier"), 0}, > {"verbose", 'v', 0, 0, N_("print verbose messages."), 0}, > + {"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0}, > { 0, 0, 0, 0, 0, 0 } > }; > > @@ -128,6 +129,7 @@ struct arguments > char *sbat; > int note; > int disable_shim_lock; > + size_t appsig_size; > const struct grub_install_image_target_desc *image_target; > grub_compression_t comp; > }; 
> @@ -138,6 +140,7 @@ argp_parser (int key, char *arg, struct argp_state *state) > /* Get the input argument from argp_parse, which we > know is a pointer to our arguments structure. */ > struct arguments *arguments = state->input; > + const char* end; Nit: char* end -> char *end; Otherwise looks good to me. > > switch (key) > { > @@ -170,6 +173,13 @@ argp_parser (int key, char *arg, struct argp_state *state) > arguments->note = 1; > break; > > + case 'S': > + grub_errno = 0; > + arguments->appsig_size = grub_strtol(arg, &end, 10); > + if (grub_errno) > + return 0; > + break; > + > case 'm': > if (arguments->memdisk) > free (arguments->memdisk); > @@ -324,6 +334,7 @@ main (int argc, char *argv[]) > arguments.memdisk, arguments.pubkeys, > arguments.npubkeys, arguments.config, > arguments.image_target, arguments.note, > + arguments.appsig_size, > arguments.comp, arguments.dtb, > arguments.sbat, arguments.disable_shim_lock); > > diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c > index d78fa3e53308..393119486d3f 100644 > --- a/util/grub-mkimagexx.c > +++ b/util/grub-mkimagexx.c > @@ -84,6 +84,15 @@ struct grub_ieee1275_note > struct grub_ieee1275_note_desc descriptor; > }; > > +#define GRUB_APPENDED_SIGNATURE_NOTE_NAME "Appended-Signature" > +#define GRUB_APPENDED_SIGNATURE_NOTE_TYPE 0x41536967 /* "ASig" */ > + > +struct grub_appended_signature_note > +{ > + Elf32_Nhdr header; > + char name[ALIGN_UP(sizeof (GRUB_APPENDED_SIGNATURE_NOTE_NAME), 4)]; > +}; > + > #define GRUB_XEN_NOTE_NAME "Xen" > > struct fixup_block_list > @@ -207,7 +216,7 @@ grub_arm_reloc_jump24 (grub_uint32_t *target, Elf32_Addr sym_addr) > > void > SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc *image_target, > - int note, char **core_img, size_t *core_size, > + int note, size_t appsig_size, char **core_img, size_t *core_size, > Elf_Addr target_addr, > struct grub_mkimage_layout *layout) > { 
> @@ -221,6 +230,12 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc > int shnum = 4; > int string_size = sizeof (".text") + sizeof ("mods") + 1; > > + if (appsig_size) > + { > + phnum++; > + footer_size += ALIGN_UP(sizeof (struct grub_appended_signature_note) + appsig_size, 4); > + } > + > if (image_target->id != IMAGE_LOONGSON_ELF) > phnum += 2; > > @@ -484,6 +499,28 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc > phdr->p_offset = grub_host_to_target32 (header_size + program_size); > } > > + if (appsig_size) { > + int note_size = ALIGN_UP(sizeof (struct grub_appended_signature_note) + appsig_size, 4); > + struct grub_appended_signature_note *note_ptr = (struct grub_appended_signature_note *) > + (elf_img + program_size + header_size + (note ? sizeof (struct grub_ieee1275_note) : 0)); > + > + note_ptr->header.n_namesz = grub_host_to_target32 (sizeof (GRUB_APPENDED_SIGNATURE_NOTE_NAME)); > + /* needs to sit at the end, so we round this up and sign some zero padding */ > + note_ptr->header.n_descsz = grub_host_to_target32 (ALIGN_UP(appsig_size, 4)); > + note_ptr->header.n_type = grub_host_to_target32 (GRUB_APPENDED_SIGNATURE_NOTE_TYPE); > + strcpy (note_ptr->name, GRUB_APPENDED_SIGNATURE_NOTE_NAME); > + > + phdr++; > + phdr->p_type = grub_host_to_target32 (PT_NOTE); > + phdr->p_flags = grub_host_to_target32 (PF_R); > + phdr->p_align = grub_host_to_target32 (image_target->voidp_sizeof); > + phdr->p_vaddr = 0; > + phdr->p_paddr = 0; > + phdr->p_filesz = grub_host_to_target32 (note_size); > + phdr->p_memsz = 0; > + phdr->p_offset = grub_host_to_target32 (header_size + program_size + (note ? sizeof (struct grub_ieee1275_note) : 0)); > + } > + > { > char *str_start = (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr) > + shnum * sizeof (*shdr)); > diff --git a/util/mkimage.c b/util/mkimage.c > index a26cf76f72f2..d2cb33883557 100644 > --- a/util/mkimage.c > +++ b/util/mkimage.c 
> @@ -869,8 +869,9 @@ grub_install_generate_image (const char *dir, const char *prefix, > char *memdisk_path, char **pubkey_paths, > size_t npubkeys, char *config_path, > const struct grub_install_image_target_desc *image_target, > - int note, grub_compression_t comp, const char *dtb_path, > - const char *sbat_path, int disable_shim_lock) > + int note, size_t appsig_size, grub_compression_t comp, > + const char *dtb_path, const char *sbat_path, > + int disable_shim_lock) > { > char *kernel_img, *core_img; > size_t total_module_size, core_size; > @@ -1773,11 +1774,11 @@ grub_install_generate_image (const char *dir, const char *prefix, > else > target_addr = image_target->link_addr; > if (image_target->voidp_sizeof == 4) > - grub_mkimage_generate_elf32 (image_target, note, &core_img, &core_size, > - target_addr, &layout); > + grub_mkimage_generate_elf32 (image_target, note, appsig_size, &core_img, > + &core_size, target_addr, &layout); > else > - grub_mkimage_generate_elf64 (image_target, note, &core_img, &core_size, > - target_addr, &layout); > + grub_mkimage_generate_elf64 (image_target, note, appsig_size, &core_img, > + &core_size, target_addr, &layout); > } > break; > }
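
Review bot: In util/grub-install-common.c, the new GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE case assigns the signed result of grub_strtol to the size_t appsig_size and never reads end, so a negative SIZE wraps to a very large value and input such as "512x" or an empty string is taken as a number. The error path returns 0, the same value the default case returns for an unrecognised key, and prints nothing, while the compression case just above reports bad input with grub_util_error. Suggest converting with grub_strtoul, rejecting arg == end and *end != '\0', and reporting the rejected value through grub_util_error. Style: the call is written grub_strtol(arg, ...) without the space before the parenthesis that the surrounding code uses.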
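
Review bot: In the 'S' case of argp_parser in util/grub-mkimage.c, the error path is "return 0", which an argp parser uses to say the option was handled, so a failed conversion is silently accepted and image generation continues with whatever appsig_size holds. The same signed-to-size_t assignment and unchecked end pointer as in grub-install-common.c apply here. Suggest validating the whole string (end != arg, *end == '\0', value not negative) and failing with an error message instead of returning 0. It is also worth a line in the commit message that grub-mkimage gains a short option -S here while grub-install only has the long form.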
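
Review bot: In the note-writing block added to util/grub-mkimagexx.c, note_size is declared int although it is computed from the size_t appsig_size, so a large SIZE can truncate before it reaches p_filesz; declare it size_t and consider an upper bound on appsig_size where it is parsed. The offset "header_size + program_size + (note ? sizeof (struct grub_ieee1275_note) : 0)" is written out twice, once for note_ptr and once for p_offset; computing it once into a local keeps the two from drifting apart. The commit message requires this note to be the last thing in the binary, but nothing in the visible lines checks that the offset plus note_size equals the image size; an assertion to that effect would catch a later footer addition that breaks the scheme. Style: "if (appsig_size) {" puts the brace on the same line, unlike the earlier hunk in this file, and ALIGN_UP( lacks the space before the parenthesis.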
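
The note layout described in the quoted commit message, as an added example that is not part of the patch or of GRUB: `build_note` puts the padding in front of the appended signature, and `check_trailing_note` accepts a note only if it runs to the last byte of the image and ends in the signature magic. Big-endian fields (as on powerpc), a note offset already known to the caller (for instance from the PT_NOTE program header), and the Linux module-signature magic string are assumptions; both function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NOTE_NAME "Appended-Signature"  /* name field, from the commit message */
#define NOTE_TYPE 0x41536967u           /* "ASig", from the commit message */
#define NHDR_SIZE 12u                   /* n_namesz, n_descsz, n_type */
#define SIG_MAGIC "~Module signature appended~\n" /* assumed: Linux module magic */
#define MAGIC_LEN (sizeof (SIG_MAGIC) - 1)
#define ALIGN_UP4(x) (((size_t) (x) + 3u) & ~(size_t) 3u)

static void put_be32 (unsigned char *p, uint32_t v)
{ p[0] = (unsigned char) (v >> 24); p[1] = (unsigned char) (v >> 16);
  p[2] = (unsigned char) (v >> 8); p[3] = (unsigned char) v; }
static uint32_t get_be32 (const unsigned char *p)
{ return (uint32_t) p[0] << 24 | (uint32_t) p[1] << 16 | (uint32_t) p[2] << 8 | p[3]; }

/* Write the note for APPSIG into OUT (caller sizes OUT); return its length. */
size_t build_note (unsigned char *out, const unsigned char *appsig, size_t len)
{
  size_t name_sz = ALIGN_UP4 (sizeof (NOTE_NAME)), desc_sz = ALIGN_UP4 (len);

  memset (out, 0, NHDR_SIZE + name_sz + desc_sz);
  put_be32 (out, sizeof (NOTE_NAME));   /* n_namesz counts the NUL: 19 */
  put_be32 (out + 4, (uint32_t) desc_sz);
  put_be32 (out + 8, NOTE_TYPE);
  memcpy (out + NHDR_SIZE, NOTE_NAME, sizeof (NOTE_NAME));
  /* Padding goes first, so the signature magic ends the note. */
  memcpy (out + NHDR_SIZE + name_sz + desc_sz - len, appsig, len);
  return NHDR_SIZE + name_sz + desc_sz;
}

/* Return the descriptor if a well-formed note at NOTE_OFF runs exactly to the
   end of IMG and ends in the magic; otherwise NULL.  */
const unsigned char *
check_trailing_note (const unsigned char *img, size_t len, size_t note_off,
                     size_t *desc_sz)
{
  size_t hdr = NHDR_SIZE + ALIGN_UP4 (sizeof (NOTE_NAME));

  if (note_off > len || len - note_off < hdr + MAGIC_LEN)
    return NULL;
  const unsigned char *n = img + note_off;
  if (get_be32 (n) != sizeof (NOTE_NAME) || get_be32 (n + 8) != NOTE_TYPE
      || memcmp (n + NHDR_SIZE, NOTE_NAME, sizeof (NOTE_NAME)) != 0)
    return NULL;
  *desc_sz = get_be32 (n + 4);
  if (*desc_sz % 4 || *desc_sz != len - note_off - hdr)
    return NULL;                        /* note is not the last thing in IMG */
  if (memcmp (img + len - MAGIC_LEN, SIG_MAGIC, MAGIC_LEN) != 0)
    return NULL;
  return n + hdr;
}
```

A verifier reading raw PReP partition bytes would still have to parse the appended signature structure inside the returned descriptor; this only checks the framing the note adds.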