[PATCH v0] Support to disable reed-solomon codes

[PATCH v0] Support to disable reed-solomon codes

[Jon McCune]

 * new grub-*-setup flag to disable insertion of reed solomon codes
 * grub-install support for option --no-rs-codes

Signed-off-by: Jon McCune <jonmccune@google.com>
---
 include/grub/util/install.h |  4 ++--
 util/grub-install.in        |  7 ++++++-
 util/grub-setup.c           | 12 +++++++++++-
 util/setup.c                | 48 +++++++++++++++++++++++----------------------
 4 files changed, 44 insertions(+), 27 deletions(-)

diff --git a/include/grub/util/install.h b/include/grub/util/install.h
index 7eb6141..9b33368 100644
--- a/include/grub/util/install.h
+++ b/include/grub/util/install.h
@@ -53,12 +53,12 @@ void
 grub_util_bios_setup (const char *dir,
 		      const char *boot_file, const char *core_file,
 		      const char *dest, int force,
-		      int fs_probe, int allow_floppy);
+		      int fs_probe, int allow_floppy, int no_rs_codes);
 void
 grub_util_sparc_setup (const char *dir,
 		       const char *boot_file, const char *core_file,
 		       const char *dest, int force,
-		       int fs_probe, int allow_floppy);
+		       int fs_probe, int allow_floppy, int no_rs_codes);
 
 char *
 grub_install_get_image_targets_string (void);
diff --git a/util/grub-install.in b/util/grub-install.in
index 7cd089b..79d103f 100644
--- a/util/grub-install.in
+++ b/util/grub-install.in
@@ -87,6 +87,7 @@ usage () {
     print_option_help  "--removable" "$(gettext "the installation device is removable. This option is only available on EFI.")"
     print_option_help  "--bootloader-id=$(gettext "ID")" "$(gettext "the ID of bootloader. This option is only available on EFI.")"
     print_option_help "--efi-directory=$(gettext "DIR")" "$(gettext "use DIR as the EFI System Partition root.")"
+    print_option_help "--no-rs-codes" "$(gettext "Do not apply any reed-solomon codes, even if there is enough space.")"
 echo
 gettext "INSTALL_DEVICE must be system device filename.";echo
 echo
@@ -100,6 +101,7 @@ gettext "Report bugs to <bug-grub@gnu.org>."; echo
 allow_floppy=""
 force_file_id=
 efidir=
+no_rs_codes=""
 
 # Check the arguments.
 while test $# -gt 0
@@ -199,6 +201,9 @@ do
     --no-nvram)
 	update_nvram=no ;;
 
+    --no-rs-codes)
+	no_rs_codes="--no-rs-codes" ;;
+
     # This is an undocumented feature...
     --debug)
 	debug=yes ;;
@@ -680,7 +685,7 @@ fi
 # Perform the grub_modinfo_platform-dependent install
 if [ "${grub_modinfo_target_cpu}-${grub_modinfo_platform}" = "i386-pc" ] || [ "${grub_modinfo_target_cpu}-${grub_modinfo_platform}" = "sparc64-ieee1275" ] ; then
     # Now perform the installation.
-    "$grub_setup" ${allow_floppy} ${setup_verbose} ${setup_force} --directory="${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform" \
+    "$grub_setup" ${allow_floppy} ${setup_verbose} ${setup_force} ${no_rs_codes} --directory="${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform" \
 	--device-map="${device_map}" "${install_device}" || exit 1
 elif [ "${grub_modinfo_target_cpu}-${grub_modinfo_platform}" = "i386-ieee1275" ] || [ "${grub_modinfo_target_cpu}-${grub_modinfo_platform}" = "powerpc-ieee1275" ]; then
 
diff --git a/util/grub-setup.c b/util/grub-setup.c
index 90b9de0..088efcf 100644
--- a/util/grub-setup.c
+++ b/util/grub-setup.c
@@ -83,6 +83,10 @@ static struct argp_option options[] = {
       likely to make the install unbootable from HDD.  */
    N_("make the drive also bootable as floppy (default for fdX devices). May break on some BIOSes."), 0},
 
+  {"no-rs-codes", 'n', 0,      0,
+   N_("Do not apply any reed-solomon codes, even if there is enough space."), 0},
+
+
   { 0, 0, 0, 0, 0, 0 }
 };
 
@@ -118,6 +122,7 @@ struct arguments
   int  fs_probe;
   int allow_floppy;
   char *device;
+  int no_rs_codes;
 };
 
 static error_t
@@ -173,6 +178,10 @@ argp_parser (int key, char *arg, struct argp_state *state)
         verbosity++;
         break;
 
+      case 'n':
+        arguments->no_rs_codes = 1;
+        break;
+
       case ARGP_KEY_ARG:
         if (state->arg_num == 0)
           arguments->device = xstrdup(arg);
@@ -292,7 +301,8 @@ main (int argc, char *argv[])
 		   arguments.boot_file ? : DEFAULT_BOOT_FILE,
 		   arguments.core_file ? : DEFAULT_CORE_FILE,
 		   dest_dev, arguments.force,
-		   arguments.fs_probe, arguments.allow_floppy);
+		   arguments.fs_probe, arguments.allow_floppy,
+		   arguments.no_rs_codes);
 
   /* Free resources.  */
   grub_fini_all ();
diff --git a/util/setup.c b/util/setup.c
index 5b7c384..95f173e 100644
--- a/util/setup.c
+++ b/util/setup.c
@@ -241,7 +241,7 @@ void
 SETUP (const char *dir,
        const char *boot_file, const char *core_file,
        const char *dest, int force,
-       int fs_probe, int allow_floppy)
+       int fs_probe, int allow_floppy, int no_rs_codes)
 {
   char *core_path;
   char *boot_img, *core_img, *boot_path;
@@ -540,27 +540,29 @@ SETUP (const char *dir,
     bl.first_block = (struct grub_boot_blocklist *) (core_img
 						     + GRUB_DISK_SECTOR_SIZE
 						     - sizeof (*bl.block));
-
-    grub_size_t no_rs_length;
-    grub_set_unaligned32 ((core_img + GRUB_DISK_SECTOR_SIZE
-			   + GRUB_KERNEL_I386_PC_REED_SOLOMON_REDUNDANCY),
-			  grub_host_to_target32 (nsec * GRUB_DISK_SECTOR_SIZE - core_size));
-    no_rs_length = grub_target_to_host16 
-      (grub_get_unaligned16 (core_img
-			     + GRUB_DISK_SECTOR_SIZE
-			     + GRUB_KERNEL_I386_PC_NO_REED_SOLOMON_LENGTH));
-
-    if (no_rs_length == 0xffff)
-      grub_util_error ("%s", _("core.img version mismatch"));
-
-    void *tmp = xmalloc (core_size);
-    grub_memcpy (tmp, core_img, core_size);
-    grub_reed_solomon_add_redundancy (core_img + no_rs_length + GRUB_DISK_SECTOR_SIZE,
-				      core_size - no_rs_length - GRUB_DISK_SECTOR_SIZE,
-				      nsec * GRUB_DISK_SECTOR_SIZE
-				      - core_size);
-    assert (grub_memcmp (tmp, core_img, core_size) == 0);
-    free (tmp);
+    if (!no_rs_codes)
+      {
+        grub_size_t no_rs_length;
+        grub_set_unaligned32 ((core_img + GRUB_DISK_SECTOR_SIZE
+                               + GRUB_KERNEL_I386_PC_REED_SOLOMON_REDUNDANCY),
+                              grub_host_to_target32 (nsec * GRUB_DISK_SECTOR_SIZE - core_size));
+        no_rs_length = grub_target_to_host16
+            (grub_get_unaligned16 (core_img
+                                   + GRUB_DISK_SECTOR_SIZE
+                                   + GRUB_KERNEL_I386_PC_NO_REED_SOLOMON_LENGTH));
+
+        if (no_rs_length == 0xffff)
+          grub_util_error ("%s", _("core.img version mismatch"));
+
+        void *tmp = xmalloc (core_size);
+        grub_memcpy (tmp, core_img, core_size);
+        grub_reed_solomon_add_redundancy (core_img + no_rs_length + GRUB_DISK_SECTOR_SIZE,
+                                          core_size - no_rs_length - GRUB_DISK_SECTOR_SIZE,
+                                          nsec * GRUB_DISK_SECTOR_SIZE
+                                          - core_size);
+        assert (grub_memcmp (tmp, core_img, core_size) == 0);
+        free (tmp);
+      }
 
     /* Write the core image onto the disk.  */
     for (i = 0; i < nsec; i++)
@@ -574,7 +576,7 @@ SETUP (const char *dir,
   }
 
 unable_to_embed:
-#endif
+#endif  /* ifdef GRUB_SETUP_BIOS */
 
   if (dest_dev->disk->dev->id != root_dev->disk->dev->id)
     grub_util_error ("%s", _("embedding is not possible, but this is required for "
-- 
1.8.4.1

Re: [PATCH v0] Support to disable reed-solomon codes

[Andrey Borzenkov]

В Fri,  1 Nov 2013 17:04:00 -0700
Jon McCune <jonmccune@google.com> пишет:

>  * new grub-*-setup flag to disable insertion of reed solomon codes
>  * grub-install support for option --no-rs-codes
> 

What problem does it solve?

> Signed-off-by: Jon McCune <jonmccune@google.com>
> ---
>  include/grub/util/install.h |  4 ++--
>  util/grub-install.in        |  7 ++++++-
>  util/grub-setup.c           | 12 +++++++++++-
>  util/setup.c                | 48 +++++++++++++++++++++++----------------------
>  4 files changed, 44 insertions(+), 27 deletions(-)
> 
> diff --git a/include/grub/util/install.h b/include/grub/util/install.h
> index 7eb6141..9b33368 100644
> --- a/include/grub/util/install.h
> +++ b/include/grub/util/install.h
> @@ -53,12 +53,12 @@ void
>  grub_util_bios_setup (const char *dir,
>  		      const char *boot_file, const char *core_file,
>  		      const char *dest, int force,
> -		      int fs_probe, int allow_floppy);
> +		      int fs_probe, int allow_floppy, int no_rs_codes);
>  void
>  grub_util_sparc_setup (const char *dir,
>  		       const char *boot_file, const char *core_file,
>  		       const char *dest, int force,
> -		       int fs_probe, int allow_floppy);
> +		       int fs_probe, int allow_floppy, int no_rs_codes);
>  
>  char *
>  grub_install_get_image_targets_string (void);
> diff --git a/util/grub-install.in b/util/grub-install.in
> index 7cd089b..79d103f 100644
> --- a/util/grub-install.in
> +++ b/util/grub-install.in
> @@ -87,6 +87,7 @@ usage () {
>      print_option_help  "--removable" "$(gettext "the installation device is removable. This option is only available on EFI.")"
>      print_option_help  "--bootloader-id=$(gettext "ID")" "$(gettext "the ID of bootloader. This option is only available on EFI.")"
>      print_option_help "--efi-directory=$(gettext "DIR")" "$(gettext "use DIR as the EFI System Partition root.")"
> +    print_option_help "--no-rs-codes" "$(gettext "Do not apply any reed-solomon codes, even if there is enough space.")"
>  echo
>  gettext "INSTALL_DEVICE must be system device filename.";echo
>  echo
> @@ -100,6 +101,7 @@ gettext "Report bugs to <bug-grub@gnu.org>."; echo
>  allow_floppy=""
>  force_file_id=
>  efidir=
> +no_rs_codes=""
>  
>  # Check the arguments.
>  while test $# -gt 0
> @@ -199,6 +201,9 @@ do
>      --no-nvram)
>  	update_nvram=no ;;
>  
> +    --no-rs-codes)
> +	no_rs_codes="--no-rs-codes" ;;
> +
>      # This is an undocumented feature...
>      --debug)
>  	debug=yes ;;
> @@ -680,7 +685,7 @@ fi
>  # Perform the grub_modinfo_platform-dependent install
>  if [ "${grub_modinfo_target_cpu}-${grub_modinfo_platform}" = "i386-pc" ] || [ "${grub_modinfo_target_cpu}-${grub_modinfo_platform}" = "sparc64-ieee1275" ] ; then
>      # Now perform the installation.
> -    "$grub_setup" ${allow_floppy} ${setup_verbose} ${setup_force} --directory="${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform" \
> +    "$grub_setup" ${allow_floppy} ${setup_verbose} ${setup_force} ${no_rs_codes} --directory="${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform" \
>  	--device-map="${device_map}" "${install_device}" || exit 1
>  elif [ "${grub_modinfo_target_cpu}-${grub_modinfo_platform}" = "i386-ieee1275" ] || [ "${grub_modinfo_target_cpu}-${grub_modinfo_platform}" = "powerpc-ieee1275" ]; then
>  
> diff --git a/util/grub-setup.c b/util/grub-setup.c
> index 90b9de0..088efcf 100644
> --- a/util/grub-setup.c
> +++ b/util/grub-setup.c
> @@ -83,6 +83,10 @@ static struct argp_option options[] = {
>        likely to make the install unbootable from HDD.  */
>     N_("make the drive also bootable as floppy (default for fdX devices). May break on some BIOSes."), 0},
>  
> +  {"no-rs-codes", 'n', 0,      0,
> +   N_("Do not apply any reed-solomon codes, even if there is enough space."), 0},
> +
> +
>    { 0, 0, 0, 0, 0, 0 }
>  };
>  
> @@ -118,6 +122,7 @@ struct arguments
>    int  fs_probe;
>    int allow_floppy;
>    char *device;
> +  int no_rs_codes;
>  };
>  
>  static error_t
> @@ -173,6 +178,10 @@ argp_parser (int key, char *arg, struct argp_state *state)
>          verbosity++;
>          break;
>  
> +      case 'n':
> +        arguments->no_rs_codes = 1;
> +        break;
> +
>        case ARGP_KEY_ARG:
>          if (state->arg_num == 0)
>            arguments->device = xstrdup(arg);
> @@ -292,7 +301,8 @@ main (int argc, char *argv[])
>  		   arguments.boot_file ? : DEFAULT_BOOT_FILE,
>  		   arguments.core_file ? : DEFAULT_CORE_FILE,
>  		   dest_dev, arguments.force,
> -		   arguments.fs_probe, arguments.allow_floppy);
> +		   arguments.fs_probe, arguments.allow_floppy,
> +		   arguments.no_rs_codes);
>  
>    /* Free resources.  */
>    grub_fini_all ();
> diff --git a/util/setup.c b/util/setup.c
> index 5b7c384..95f173e 100644
> --- a/util/setup.c
> +++ b/util/setup.c
> @@ -241,7 +241,7 @@ void
>  SETUP (const char *dir,
>         const char *boot_file, const char *core_file,
>         const char *dest, int force,
> -       int fs_probe, int allow_floppy)
> +       int fs_probe, int allow_floppy, int no_rs_codes)
>  {
>    char *core_path;
>    char *boot_img, *core_img, *boot_path;
> @@ -540,27 +540,29 @@ SETUP (const char *dir,
>      bl.first_block = (struct grub_boot_blocklist *) (core_img
>  						     + GRUB_DISK_SECTOR_SIZE
>  						     - sizeof (*bl.block));
> -
> -    grub_size_t no_rs_length;
> -    grub_set_unaligned32 ((core_img + GRUB_DISK_SECTOR_SIZE
> -			   + GRUB_KERNEL_I386_PC_REED_SOLOMON_REDUNDANCY),
> -			  grub_host_to_target32 (nsec * GRUB_DISK_SECTOR_SIZE - core_size));
> -    no_rs_length = grub_target_to_host16 
> -      (grub_get_unaligned16 (core_img
> -			     + GRUB_DISK_SECTOR_SIZE
> -			     + GRUB_KERNEL_I386_PC_NO_REED_SOLOMON_LENGTH));
> -
> -    if (no_rs_length == 0xffff)
> -      grub_util_error ("%s", _("core.img version mismatch"));
> -
> -    void *tmp = xmalloc (core_size);
> -    grub_memcpy (tmp, core_img, core_size);
> -    grub_reed_solomon_add_redundancy (core_img + no_rs_length + GRUB_DISK_SECTOR_SIZE,
> -				      core_size - no_rs_length - GRUB_DISK_SECTOR_SIZE,
> -				      nsec * GRUB_DISK_SECTOR_SIZE
> -				      - core_size);
> -    assert (grub_memcmp (tmp, core_img, core_size) == 0);
> -    free (tmp);
> +    if (!no_rs_codes)
> +      {
> +        grub_size_t no_rs_length;
> +        grub_set_unaligned32 ((core_img + GRUB_DISK_SECTOR_SIZE
> +                               + GRUB_KERNEL_I386_PC_REED_SOLOMON_REDUNDANCY),
> +                              grub_host_to_target32 (nsec * GRUB_DISK_SECTOR_SIZE - core_size));
> +        no_rs_length = grub_target_to_host16
> +            (grub_get_unaligned16 (core_img
> +                                   + GRUB_DISK_SECTOR_SIZE
> +                                   + GRUB_KERNEL_I386_PC_NO_REED_SOLOMON_LENGTH));
> +
> +        if (no_rs_length == 0xffff)
> +          grub_util_error ("%s", _("core.img version mismatch"));
> +
> +        void *tmp = xmalloc (core_size);
> +        grub_memcpy (tmp, core_img, core_size);
> +        grub_reed_solomon_add_redundancy (core_img + no_rs_length + GRUB_DISK_SECTOR_SIZE,
> +                                          core_size - no_rs_length - GRUB_DISK_SECTOR_SIZE,
> +                                          nsec * GRUB_DISK_SECTOR_SIZE
> +                                          - core_size);
> +        assert (grub_memcmp (tmp, core_img, core_size) == 0);
> +        free (tmp);
> +      }
>  
>      /* Write the core image onto the disk.  */
>      for (i = 0; i < nsec; i++)
> @@ -574,7 +576,7 @@ SETUP (const char *dir,
>    }
>  
>  unable_to_embed:
> -#endif
> +#endif  /* ifdef GRUB_SETUP_BIOS */
>  
>    if (dest_dev->disk->dev->id != root_dev->disk->dev->id)
>      grub_util_error ("%s", _("embedding is not possible, but this is required for "

Re: [PATCH v0] Support to disable reed-solomon codes

[Jonathan McCune]

[-- Attachment #1: Type: text/plain, Size: 2044 bytes --]

On Fri, Nov 1, 2013 at 8:13 PM, Andrey Borzenkov <arvidjaar@gmail.com>wrote:

> В Fri,  1 Nov 2013 17:04:00 -0700
> Jon McCune <jonmccune@google.com> пишет:
>
> >  * new grub-*-setup flag to disable insertion of reed solomon codes
> >  * grub-install support for option --no-rs-codes
>
> What problem does it solve?


A simple motivation is the desire to run the bare minimum amount of code
required to boot a machine.

However, the high-level problem I'm trying to address is to make the binary
part of GRUB (core.img + boot.img or similar) easier to verify
cryptographically.

First, if a hash or signature checks out, then the bits are known to be
correct and there's no need for the redundancy of the RS codes.

Second, I am not a fan of verification mechanisms that require "just
install it, then look at what is installed and assume it is correct, and
then sign that."  I think it should be possible to generate all the
necessary signatures at *build time* instead of *install time* (modulo
knowledge of the install target's partition table layout), to eliminate any
target-specific configuration weirdness that's not accounted for at build
time.

I think it also helps to think about this problem by working backwards.
 Build GRUB on machine A, and install it on machine B (assume same
architecture everywhere, but it doesn't really matter).  Given the contents
of B's disk (e.g., MBR + contents of embedding area), and the build output
of A, how do we know if machine B indeed has all the right bits installed?

It's not too hard to run the same grub-mkimage command everywhere so as to
generate a consistent core.img (and whatever .img makes sense for the MBR)
doing the verification, and it's not too hard to take knowledge of B's
partition table layout to make the necessary changes to those .img files.
But, the reed-solomon codes that util/setup.c adds into the embedding area
are yet another step that would need to be backed out.

This patch just adds a flag. :)

Thanks,
-Jon

[-- Attachment #2: Type: text/html, Size: 2780 bytes --]

Re: [PATCH v0] Support to disable reed-solomon codes

[Richard Laager]

[-- Attachment #1: Type: text/plain, Size: 1070 bytes --]

I'm not at all familiar with this part of GRUB, so take this with a big
grain of salt.

On Sat, 2013-11-02 at 20:05 -0700, Jonathan McCune wrote:
> I think it should be possible to generate all the necessary signatures
> at *build time* instead of *install time*

If I understand your email correctly, you're saying that at build time,
grub builds core.img. Then at install time, it calculates:
  "core.img.rs" = Reed-Solomon(core.img)
Then it writes the "core.img.rs" data to disk. At boot time, GRUB reads
the "core.img.rs" data from disk, corrects errors, to reproduce
core.img, which is executed.

If you want to verify at boot time, you just do it after the error
correction step. But it sounds like you want to verify the bits on disk
from the host environment. Rather than "backing out" the Reed-Solomon
coding, why not do it the other way around? Verify core.img, then
re-encode the known good copy (for which code already exists as part of
the installation procedure) and then just compare that to what is
actually on disk?

-- 
Richard

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [PATCH v0] Support to disable reed-solomon codes

[Jonathan McCune]

[-- Attachment #1: Type: text/plain, Size: 2229 bytes --]

On Sat, Nov 2, 2013 at 8:33 PM, Richard Laager <rlaager@wiktel.com> wrote:

> I'm not at all familiar with this part of GRUB, so take this with a big
> grain of salt.


Thanks for taking the time.


> On Sat, 2013-11-02 at 20:05 -0700, Jonathan McCune wrote:
> > I think it should be possible to generate all the necessary signatures
> > at *build time* instead of *install time*
>
> If I understand your email correctly, you're saying that at build time,
> grub builds core.img. Then at install time, it calculates:
>   "core.img.rs" = Reed-Solomon(core.img)
> Then it writes the "core.img.rs" data to disk. At boot time, GRUB reads
> the "core.img.rs" data from disk, corrects errors, to reproduce
> core.img, which is executed.
>

Yes, this is consistent with my current understanding.


> If you want to verify at boot time, you just do it after the error
> correction step.


This causes the problem to recurse, requiring something (e.g., Coreboot) to
first verify the error-correcting software, and then something (presumably
either a smarter initial something, or another feature of the
error-correcting software) to verify the corrected GRUB.  I don't think
GRUB is could support this very easily, and it's my opinion that changing
it to do so would not be worth the effort.


> But it sounds like you want to verify the bits on disk
> from the host environment.


I think a simple, transparent verification scheme should enable
verification from at least 3 places: build environment, host environment,
and whatever-is-checking-GRUB-at-boot-time.  The security arguments for
these various environments are subtle and complicated, but it's hard to
have confidence in something that is difficult to test and peak inside.


> Rather than "backing out" the Reed-Solomon
> coding, why not do it the other way around? Verify core.img, then
> re-encode the known good copy (for which code already exists as part of
> the installation procedure) and then just compare that to what is
> actually on disk?
>

This is feasible, but seems unnecessarily complicated.  Given that the RS
codes are adding limited value in the case of trying to achieve a verified
boot, I thought it better to just add an option to leave them out.

-Jon

[-- Attachment #2: Type: text/html, Size: 3461 bytes --]