All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Roger Pau Monné via Grub-devel" <grub-devel@gnu.org>
To: Ross Lagerwall <ross.lagerwall@citrix.com>
Cc: "Roger Pau Monné" <roger.pau@citrix.com>,
	"Jan Beulich" <jbeulich@suse.com>,
	xen-devel@lists.xenproject.org,
	"Andrew Cooper" <andrew.cooper3@citrix.com>,
	"Daniel Kiper" <daniel.kiper@oracle.com>,
	grub-devel@gnu.org
Subject: Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type
Date: Tue, 19 Mar 2024 13:12:20 +0100	[thread overview]
Message-ID: <ZfmBJKJVXcTBzgDr@macbook> (raw)
In-Reply-To: <CAG7k0EoHs7WZrgL4ixZWvfc1VUv40pQe=qt8WTLMdQhBv54ngA@mail.gmail.com>

On Thu, Mar 14, 2024 at 02:24:31PM +0000, Ross Lagerwall wrote:
> On Thu, Mar 14, 2024 at 1:37 PM Jan Beulich <jbeulich@suse.com> wrote:
> >
> > On 14.03.2024 10:30, Ross Lagerwall wrote:
> > > On Thu, Mar 14, 2024 at 7:24 AM Jan Beulich <jbeulich@suse.com> wrote:
> > >>
> > >> On 13.03.2024 16:07, Ross Lagerwall wrote:
> > >>> In addition to the existing address and ELF load types, specify a new
> > >>> optional PE binary load type. This new type is a useful addition since
> > >>> PE binaries can be signed and verified (i.e. used with Secure Boot).
> > >>
> > >> And the consideration to have ELF signable (by whatever extension to
> > >> the ELF spec) went nowhere?
> > >>
> > >
> > > I'm not sure if you're referring to some ongoing work to create signable
> > > ELFs that I'm not aware of.
> >
> > Something must have been invented already to make Linux modules signable.
> 
> Linux module signatures operate outside of the ELF container. In fact,
> AFAIK the actual signed content could be anything. The file format is:
> 
> * Content (i.e. ELF binary)
> * Signature of content in PKCS7 format
> * Signature info, including signature length
> * Magic marker: "~Module signature appended~\n"
> 
> This kind of arrangement does indeed work but it is fragile. Since the
> signature is on the entire contents and tools that understand ELF don't
> parse the signature, any transformation of the binary (e.g. to
> strip out debuginfo) will cause the signature to be lost / invalidated.
> 
> Nevertheless, this could still be an option for Xen if this is
> deemed to be a preferred solution by others. It would be good to hear
> some opinions on this.

No, IMO the PE route is likely the best one, as there's already all
the tooling around it, and it's what other OSes use to perform secure
boot.

It would have been nice for ELF to grow an extension to the spec for
image integrity data, but I don't see myself doing the work TBH.

Thanks, Roger.

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

WARNING: multiple messages have this Message-ID (diff)
From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Ross Lagerwall <ross.lagerwall@citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>,
	xen-devel@lists.xenproject.org,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Daniel Kiper <daniel.kiper@oracle.com>,
	grub-devel@gnu.org
Subject: Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type
Date: Tue, 19 Mar 2024 13:12:20 +0100	[thread overview]
Message-ID: <ZfmBJKJVXcTBzgDr@macbook> (raw)
In-Reply-To: <CAG7k0EoHs7WZrgL4ixZWvfc1VUv40pQe=qt8WTLMdQhBv54ngA@mail.gmail.com>

On Thu, Mar 14, 2024 at 02:24:31PM +0000, Ross Lagerwall wrote:
> On Thu, Mar 14, 2024 at 1:37 PM Jan Beulich <jbeulich@suse.com> wrote:
> >
> > On 14.03.2024 10:30, Ross Lagerwall wrote:
> > > On Thu, Mar 14, 2024 at 7:24 AM Jan Beulich <jbeulich@suse.com> wrote:
> > >>
> > >> On 13.03.2024 16:07, Ross Lagerwall wrote:
> > >>> In addition to the existing address and ELF load types, specify a new
> > >>> optional PE binary load type. This new type is a useful addition since
> > >>> PE binaries can be signed and verified (i.e. used with Secure Boot).
> > >>
> > >> And the consideration to have ELF signable (by whatever extension to
> > >> the ELF spec) went nowhere?
> > >>
> > >
> > > I'm not sure if you're referring to some ongoing work to create signable
> > > ELFs that I'm not aware of.
> >
> > Something must have been invented already to make Linux modules signable.
> 
> Linux module signatures operate outside of the ELF container. In fact,
> AFAIK the actual signed content could be anything. The file format is:
> 
> * Content (i.e. ELF binary)
> * Signature of content in PKCS7 format
> * Signature info, including signature length
> * Magic marker: "~Module signature appended~\n"
> 
> This kind of arrangement does indeed work but it is fragile. Since the
> signature is on the entire contents and tools that understand ELF don't
> parse the signature, any transformation of the binary (e.g. to
> strip out debuginfo) will cause the signature to be lost / invalidated.
> 
> Nevertheless, this could still be an option for Xen if this is
> deemed to be a preferred solution by others. It would be good to hear
> some opinions on this.

No, IMO the PE route is likely the best one, as there's already all
the tooling around it, and it's what other OSes use to perform secure
boot.

It would have been nice for ELF to grow an extension to the spec for
image integrity data, but I don't see myself doing the work TBH.

Thanks, Roger.


  parent reply	other threads:[~2024-03-19 12:13 UTC|newest]

Thread overview: 51+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-13 15:07 [PATCH 0/7] GRUB: Supporting Secure Boot of xen.gz Ross Lagerwall via Grub-devel
2024-03-13 15:07 ` Ross Lagerwall
2024-03-13 15:07 ` [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type Ross Lagerwall via Grub-devel
2024-03-13 15:07   ` Ross Lagerwall
2024-03-14  7:24   ` Jan Beulich via Grub-devel
2024-03-14  7:24     ` Jan Beulich
2024-03-14  8:12     ` Damien Zammit via Grub-devel
2024-03-14  8:12       ` Damien Zammit
2024-03-14  8:49     ` Vladimir 'phcoder' Serbinenko
2024-03-14  9:30     ` Ross Lagerwall via Grub-devel
2024-03-14  9:30       ` Ross Lagerwall
2024-03-14 13:37       ` Jan Beulich via Grub-devel
2024-03-14 13:37         ` Jan Beulich
2024-03-14 14:24         ` Ross Lagerwall via Grub-devel
2024-03-14 14:24           ` Ross Lagerwall
2024-03-14 14:33           ` Jan Beulich via Grub-devel
2024-03-14 14:33             ` Jan Beulich
2024-03-19 12:12           ` Roger Pau Monné via Grub-devel [this message]
2024-03-19 12:12             ` Roger Pau Monné
2024-03-19 13:18   ` Roger Pau Monné via Grub-devel
2024-03-19 13:18     ` Roger Pau Monné
2024-03-19 14:46     ` Ross Lagerwall via Grub-devel
2024-03-19 14:46       ` Ross Lagerwall
2024-03-20 11:04       ` Roger Pau Monné via Grub-devel
2024-03-20 11:04         ` Roger Pau Monné
2024-03-13 15:07 ` [PATCH 2/7] multiboot2: Allow 64-bit entry tags Ross Lagerwall via Grub-devel
2024-03-13 15:07   ` Ross Lagerwall
2024-03-19 10:07   ` Roger Pau Monné via Grub-devel
2024-03-19 10:07     ` Roger Pau Monné
2024-03-28 15:05     ` Ross Lagerwall via Grub-devel
2024-03-28 15:05       ` Ross Lagerwall
2024-03-28 15:41       ` Roger Pau Monné via Grub-devel
2024-03-28 15:41         ` Roger Pau Monné
2024-03-13 15:07 ` [PATCH 3/7] multiboot2: Add support for the load type header tag Ross Lagerwall via Grub-devel
2024-03-13 15:07   ` Ross Lagerwall
2024-03-15  7:30   ` Vladimir 'phcoder' Serbinenko
2024-03-15  7:30     ` Vladimir 'phcoder' Serbinenko
2024-03-28 14:58     ` Ross Lagerwall via Grub-devel
2024-03-28 14:58       ` Ross Lagerwall
2024-03-13 15:07 ` [PATCH 4/7] multiboot2: Add PE load support Ross Lagerwall via Grub-devel
2024-03-13 15:07   ` Ross Lagerwall
2024-03-13 15:07 ` [PATCH 5/7] multiboot2: Add support for 64-bit entry addresses Ross Lagerwall via Grub-devel
2024-03-13 15:07   ` Ross Lagerwall
2024-03-13 15:07 ` [PATCH 6/7] efi: Allow loading multiboot modules without verification Ross Lagerwall via Grub-devel
2024-03-13 15:07   ` Ross Lagerwall
2024-03-13 15:07 ` [PATCH 7/7] verifiers: Verify after decompression Ross Lagerwall via Grub-devel
2024-03-13 15:07   ` Ross Lagerwall
2024-03-15  3:50   ` Michael Chang via Grub-devel
2024-03-15  3:50     ` Michael Chang
2024-03-15  7:25   ` Vladimir 'phcoder' Serbinenko
2024-03-28 14:55     ` Ross Lagerwall via Grub-devel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZfmBJKJVXcTBzgDr@macbook \
    --to=grub-devel@gnu.org \
    --cc=andrew.cooper3@citrix.com \
    --cc=daniel.kiper@oracle.com \
    --cc=jbeulich@suse.com \
    --cc=roger.pau@citrix.com \
    --cc=ross.lagerwall@citrix.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.