[PATCH v10 12/22] appended signatures: Introducing key management environment variable

From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
To: grub-devel@gnu.org
Cc: dja@axtens.net, jan.setjeeilers@oracle.com,
	julian.klode@canonical.com, mate.kukri@canonical.com,
	pjones@redhat.com, msuchanek@suse.com, mlewando@redhat.com,
	stefanb@linux.ibm.com, avnish@linux.ibm.com, nayna@linux.ibm.com,
	ssrish@linux.ibm.com, Sudhakar Kuppusamy <sudhakar@linux.ibm.com>,
	sridharm@linux.ibm.com
Subject: [PATCH v10 12/22] appended signatures: Introducing key management environment variable
Date: Tue,  9 Sep 2025 17:15:20 +0530	[thread overview]
Message-ID: <20250909114530.36863-13-sudhakar@linux.ibm.com> (raw)
In-Reply-To: <20250909114530.36863-1-sudhakar@linux.ibm.com>

Introducing the appended signature key management environment variable.
It is automatically set to either "static" or "dynamic" based on the
Platform KeyStore.

"static": Enforce static key management signature verification.
          This is the default. When the GRUB is locked down,
          user cannot change the value by setting the appendedsig_key_mgmt
          variable back to "dynamic".

"dynamic": Enforce dynamic key management signature verification.
           When the GRUB is locked down, user cannot change the value
           by setting the appendedsig_key_mgmt variable back to "static".

Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
---
 grub-core/commands/appendedsig/appendedsig.c | 75 ++++++++++++++++++++
 1 file changed, 75 insertions(+)

diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
index cffacb77f..e8ccf05fc 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -33,6 +33,7 @@
 #include <libtasn1.h>
 #include <grub/env.h>
 #include <grub/lockdown.h>
+#include <grub/powerpc/ieee1275/platform_keystore.h>
 
 #include "appendedsig.h"
 
@@ -94,6 +95,16 @@ static sb_database_t db = {.certs = NULL, .cert_entries = 0};
  */
 static bool check_sigs = false;
 
+/*
+ * append_key_mgmt: Key Management Modes
+ * False: Static key management (use built-in Keys). This is default.
+ * True: Dynamic key management (use Platform KeySotre).
+ */
+static bool append_key_mgmt = false;
+
+/* Platform KeyStore db and dbx. */
+static grub_pks_t *pks_keystore;
+
 static grub_ssize_t
 pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
 {
@@ -475,6 +486,46 @@ grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)), const cha
   return ret;
 }
 
+static const char *
+grub_env_read_key_mgmt (struct grub_env_var *var __attribute__ ((unused)),
+                        const char *val __attribute__ ((unused)))
+{
+  if (append_key_mgmt == true)
+    return "dynamic";
+
+  return "static";
+}
+
+static char *
+grub_env_write_key_mgmt (struct grub_env_var *var __attribute__ ((unused)), const char *val)
+{
+  char *ret;
+
+  /*
+   * Do not allow the value to be changed if signature verification is
+   * (check_sigs is set to enforce) enabled and GRUB is locked down.
+   */
+  if (check_sigs == true && grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+    {
+      ret = grub_strdup (grub_env_read_key_mgmt (NULL, NULL));
+      if (ret == NULL)
+        grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+      return ret;
+    }
+
+  if ((*val == '1') || (*val == 'd'))
+    append_key_mgmt = true;
+  else if ((*val == '0') || (*val == 's'))
+    append_key_mgmt = false;
+
+  ret = grub_strdup (grub_env_read_key_mgmt (NULL, NULL));
+  if (ret == NULL)
+    grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+  return ret;
+}
+
 static grub_err_t
 appendedsig_init (grub_file_t io __attribute__ ((unused)), enum grub_file_type type,
                   void **context __attribute__ ((unused)), enum grub_verify_flags *flags)
@@ -546,6 +597,11 @@ GRUB_MOD_INIT (appendedsig)
   if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
     check_sigs = true;
 
+  /* If PKS keystore is available, use dynamic key management. */
+  pks_keystore = grub_pks_get_keystore ();
+  if (pks_keystore != NULL)
+    append_key_mgmt = true;
+
   /*
    * This is appended signature verification environment variable.
    * It is automatically set to either "no" or "enforce" based on the
@@ -560,6 +616,23 @@ GRUB_MOD_INIT (appendedsig)
   grub_register_variable_hook ("check_appended_signatures", grub_env_read_sec, grub_env_write_sec);
   grub_env_export ("check_appended_signatures");
 
+  /*
+   * This is appended signature key management environment variable.
+   * It is automatically set to either "static" or "dynamic" based on the
+   * Platform KeyStore.
+   *
+   * "static": Enforce static key management signature verification.
+   *           This is the default. When the GRUB is locked down,
+   *           user cannot change the value by setting the
+   *           appendedsig_key_mgmt variable back to "dynamic".
+   *
+   * "dynamic": Enforce dynamic key management signature verification.
+   *            When the GRUB is locked down, user cannot change the value
+   *            by setting the appendedsig_key_mgmt variable back to "static".
+   */
+  grub_register_variable_hook ("appendedsig_key_mgmt", grub_env_read_key_mgmt, grub_env_write_key_mgmt);
+  grub_env_export ("appendedsig_key_mgmt");
+
   rc = grub_asn1_init ();
   if (rc != ASN1_SUCCESS)
     grub_fatal ("error initing ASN.1 data structures: %d: %s\n", rc, asn1_strerror (rc));
@@ -583,5 +656,7 @@ GRUB_MOD_FINI (appendedsig)
   free_db_list ();
   grub_register_variable_hook ("check_appended_signatures", NULL, NULL);
   grub_env_unset ("check_appended_signatures");
+  grub_register_variable_hook ("appendedsig_key_mgmt", NULL, NULL);
+  grub_env_unset ("appendedsig_key_mgmt");
   grub_verifier_unregister (&grub_appendedsig_verifier);
 }
-- 
2.39.5 (Apple Git-154)


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
