From: Daniel Kiper
To: grub-devel@gnu.org
Cc: dpsmith.dev@gmail.com, eric.snowberg@oracle.com, javierm@redhat.com,
 jonmccune@google.com, kanth.ghatraju@oracle.com, keng-yu.lin@hpe.com,
 konrad.wilk@oracle.com, leif.lindholm@linaro.org, mjg59@srcf.ucam.org,
 phcoder@gmail.com, philip.b.tricca@intel.com, ross.philipson@oracle.com
Subject: [PATCH v3 0/8] verifiers: Framework and EFI shim lock verifier
Date: Wed, 3 Oct 2018 11:36:47 +0200
Message-Id: <1538559415-6233-1-git-send-email-daniel.kiper@oracle.com>

Hi all,

Another stab at verifiers framework and EFI shim lock verifier. This time
it is not an RFC because IMO it looks pretty good. There are still minor
things to address like PGP code changes split from verifiers introduction
(patch #2) and/or rename grub-core/commands/verify_helper.c to
grub-core/commands/verifiers.c. Maybe something else but probably nothing
major...

Anyway, please take a look.

Daniel

 docs/grub-dev.texi | 57 ++
 grub-core/Makefile.core.def | 15 +-
 grub-core/commands/acpi.c | 2 +-
 grub-core/commands/blocklist.c | 4 +-
 grub-core/commands/cat.c | 2 +-
 grub-core/commands/cmp.c | 4 +-
 grub-core/commands/efi/loadbios.c | 4 +-
 grub-core/commands/efi/shim_lock.c | 140 ++++
 grub-core/commands/file.c | 5 +-
 grub-core/commands/hashsum.c | 22 +-
 grub-core/commands/hexdump.c | 2 +-
 grub-core/commands/i386/pc/play.c | 2 +-
 grub-core/commands/keylayouts.c | 2 +-
 grub-core/commands/legacycfg.c | 2 +-
 grub-core/commands/loadenv.c | 24 +-
 grub-core/commands/ls.c | 8 +-
 grub-core/commands/minicmd.c | 5 +-
 grub-core/commands/nativedisk.c | 3 +-
 grub-core/commands/parttool.c | 2 +-
 grub-core/commands/pgp.c | 1018 +++++++++++++++++++++++++
 grub-core/commands/search.c | 4 +-
 grub-core/commands/test.c | 4 +-
 grub-core/commands/testload.c | 2 +-
 grub-core/commands/testspeed.c | 2 +-
 grub-core/commands/verify.c | 1042 --------------------------
 grub-core/commands/verify_helper.c | 228 ++++++
 grub-core/disk/loopback.c | 3 +-
 grub-core/efiemu/main.c | 2 +-
 grub-core/font/font.c | 4 +-
 grub-core/fs/zfs/zfscrypt.c | 2 +-
 grub-core/gettext/gettext.c | 2 +-
 grub-core/gfxmenu/theme_loader.c | 2 +-
 grub-core/io/bufio.c | 10 +-
 grub-core/io/gzio.c | 5 +-
 grub-core/io/lzopio.c | 6 +-
 grub-core/io/offset.c | 7 +-
 grub-core/io/xzio.c | 6 +-
 grub-core/kern/dl.c | 2 +-
 grub-core/kern/elf.c | 4 +-
 grub-core/kern/file.c | 22 +-
 grub-core/lib/cmdline.c | 9 +-
 grub-core/lib/syslinux_parse.c | 2 +-
 grub-core/loader/arm/linux.c | 8 +-
 grub-core/loader/arm64/linux.c | 10 +-
 grub-core/loader/efi/chainloader.c | 2 +-
 grub-core/loader/i386/bsd.c | 22 +-
 grub-core/loader/i386/coreboot/chainloader.c | 2 +-
 grub-core/loader/i386/linux.c | 18 +-
 grub-core/loader/i386/multiboot_mbi.c | 16 +-
 grub-core/loader/i386/pc/chainloader.c | 4 +-
 grub-core/loader/i386/pc/freedos.c | 2 +-
 grub-core/loader/i386/pc/linux.c | 15 +-
 grub-core/loader/i386/pc/ntldr.c | 2 +-
 grub-core/loader/i386/pc/plan9.c | 13 +-
 grub-core/loader/i386/pc/pxechainloader.c | 2 +-
 grub-core/loader/i386/pc/truecrypt.c | 2 +-
 grub-core/loader/i386/xen.c | 14 +-
 grub-core/loader/i386/xen_file.c | 2 +-
 grub-core/loader/i386/xnu.c | 2 +-
 grub-core/loader/ia64/efi/linux.c | 7 +
 grub-core/loader/linux.c | 6 +-
 grub-core/loader/macho.c | 4 +-
 grub-core/loader/mips/linux.c | 10 +-
 grub-core/loader/multiboot.c | 8 +-
 grub-core/loader/multiboot_mbi2.c | 13 +-
 grub-core/loader/powerpc/ieee1275/linux.c | 5 +-
 grub-core/loader/sparc64/ieee1275/linux.c | 5 +-
 grub-core/loader/xnu.c | 25 +-
 grub-core/loader/xnu_resume.c | 4 +-
 grub-core/normal/autofs.c | 11 +-
 grub-core/normal/crypto.c | 2 +-
 grub-core/normal/dyncmd.c | 2 +-
 grub-core/normal/main.c | 2 +-
 grub-core/normal/term.c | 2 +-
 grub-core/video/readers/jpeg.c | 2 +-
 grub-core/video/readers/png.c | 2 +-
 grub-core/video/readers/tga.c | 2 +-
 include/grub/bufio.h | 6 +-
 include/grub/dl.h | 13 +
 include/grub/elfload.h | 2 +-
 include/grub/file.h | 153 ++--
 include/grub/lib/cmdline.h | 5 +-
 include/grub/list.h | 1 +
 include/grub/machoload.h | 3 +-
 include/grub/verify.h | 77 ++
 util/grub-fstest.c | 6 +-
 util/grub-mount.c | 6 +-
 87 files changed, 1931 insertions(+), 1282 deletions(-)

Daniel Kiper (4):
      verifiers: Add possibility to defer verification to other verifiers
      verifiers: Rename verify module to pgp module
      dl: Add support for persistent modules
      efi: Add EFI shim lock verifier

Vladimir Serbinenko (4):
      verifiers: File type for fine-grained signature-verification controlling
      verifiers: Framework core
      verifiers: Add possibility to verify kernel and modules command lines
      verifiers: Add the documentation