From: Sudhakar Kuppusamy
To: grub-devel@gnu.org
Cc: dja@axtens.net, jan.setjeeilers@oracle.com, julian.klode@canonical.com, mate.kukri@canonical.com, pjones@redhat.com, msuchanek@suse.com, mlewando@redhat.com, stefanb@linux.ibm.com, avnish@linux.ibm.com, nayna@linux.ibm.com, ssrish@linux.ibm.com, Sudhakar Kuppusamy, sridharm@linux.ibm.com, Daniel Kiper
Subject: [PATCH v13 12/20] appended signatures: Introducing key management environment variable
Date: Tue, 30 Sep 2025 17:10:06 +0530
Message-ID: <20250930114018.78215-13-sudhakar@linux.ibm.com>
In-Reply-To: <20250930114018.78215-1-sudhakar@linux.ibm.com>
References: <20250930114018.78215-1-sudhakar@linux.ibm.com>
Introducing the appended signature key management environment variable. It is
automatically set to either "static" or "dynamic" based on the Platform KeyStore.

"static": Enforce static key management signature verification. This is the
default. When GRUB is locked down, the user cannot change the value by setting
the appendedsig_key_mgmt variable back to "dynamic".

"dynamic": Enforce dynamic key management signature verification. When GRUB is
locked down, the user cannot change the value by setting the appendedsig_key_mgmt
variable back to "static".

Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Daniel Kiper
---
 grub-core/commands/appendedsig/appendedsig.c | 75 ++++++++++++++++++++
 1 file changed, 75 insertions(+)
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c index e53efd2da..ca54c90fa 100644 --- a/grub-core/commands/appendedsig/appendedsig.c +++ b/grub-core/commands/appendedsig/appendedsig.c @@ -33,6 +33,7 @@ #include #include #include +#include #include "appendedsig.h" @@ -94,6 +95,16 @@ static sb_database_t db = {.certs = NULL, .cert_entries = 0}; */ static bool check_sigs = false; +/* + * append_key_mgmt: Key Management Modes + * False: Static key management (use built-in Keys). This is default. + * True: Dynamic key management (use Platform KeySotre). + */ +static bool append_key_mgmt = false; + +/* Platform KeyStore db and dbx. */ +static grub_pks_t *pks_keystore; + static grub_ssize_t pseudo_read (struct grub_file *file, char *buf, grub_size_t len) { 
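Review bot: typo in the new comment above `static bool append_key_mgmt` in the `@@ -94,6 +95,16 @@` hunk: "Platform KeySotre" should read "Platform KeyStore". While touching it, the flag is named `append_key_mgmt` but the environment variable it backs is `appendedsig_key_mgmt`; naming the static `appendedsig_key_mgmt` as well (or at least `appended_key_mgmt`) would make the path from the variable name to its state obvious when grepping. Also, `pks_keystore` is declared at file scope but in this patch it is only assigned in GRUB_MOD_INIT and tested against NULL; if later patches in the series do not read it, a local in GRUB_MOD_INIT would do.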
@@ -469,6 +480,46 @@ grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)), const cha return ret; } +static const char * +grub_env_read_key_mgmt (struct grub_env_var *var __attribute__ ((unused)), + const char *val __attribute__ ((unused))) +{ + if (append_key_mgmt == true) + return "dynamic"; + + return "static"; +} + +static char * +grub_env_write_key_mgmt (struct grub_env_var *var __attribute__ ((unused)), const char *val) +{ + char *ret; + + /* + * Do not allow the value to be changed if signature verification is enabled + * (check_sigs is set to true) and GRUB is locked down. + */ + if (check_sigs == true && grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) + { + ret = grub_strdup (grub_env_read_key_mgmt (NULL, NULL)); + if (ret == NULL) + grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory"); + + return ret; + } + + if (grub_strcmp (val, "dynamic") == 0) + append_key_mgmt = true; + else if (grub_strcmp (val, "static") == 0) + append_key_mgmt = false; + + ret = grub_strdup (grub_env_read_key_mgmt (NULL, NULL)); + if (ret == NULL) + grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory"); + + return ret; +} + static grub_err_t appendedsig_init (grub_file_t io __attribute__ ((unused)), enum grub_file_type type, void **context __attribute__ ((unused)), enum grub_verify_flags *flags) @@ -540,6 +591,11 @@ GRUB_MOD_INIT (appendedsig) if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) check_sigs = true; + /* If PKS keystore is available, use dynamic key management. */ + pks_keystore = grub_pks_get_keystore (); + if (pks_keystore != NULL) + append_key_mgmt = true; + /* * This is appended signature verification environment variable. It is * automatically set to either "no" or "yes" based on the ’ibm,secure-boot’ 
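Review bot: in grub_env_write_key_mgmt (the `@@ -469,6 +480,46 @@` hunk), a value other than "dynamic" or "static" is silently ignored: neither strcmp branch matches, and the hook returns the unchanged current value without setting grub_errno, so a mistyped `set appendedsig_key_mgmt=dynmaic` looks like success at the prompt. Consider returning NULL after `grub_error (GRUB_ERR_BAD_ARGUMENT, ...)` for unknown values. The same applies to the locked-down branch, which also hands back the current value with no error; a refused write that reports nothing is easy to misread as an accepted one. Separately, the guard is `check_sigs == true && grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED`, while both the commit message and the block comment in the GRUB_MOD_INIT hunk say only that the value is fixed when GRUB is locked down. Either document that the lock additionally requires check_appended_signatures to be enabled, or drop the check_sigs condition so that lockdown alone pins the mode.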
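Review bot: `pks_keystore = grub_pks_get_keystore ();` in the `@@ -540,6 +591,11 @@` hunk selects the mode purely on whether a keystore object is returned, and two consequences deserve a sentence in the commit message or the comment. First, if grub_pks_get_keystore () can fail with grub_errno set rather than just returning NULL, that error is neither checked nor cleared here and will surface from whatever grub call follows in GRUB_MOD_INIT. Second, per the comment in the earlier hunk dynamic mode uses the Platform KeyStore instead of the built-in keys, so a PKS that is present but carries no entries still flips append_key_mgmt to true and the built-in keys are abandoned with nothing replacing them. If that fail-closed behaviour is intended (for a secure-boot path it should be), say so explicitly, since the commit message only says the mode is chosen "based on the Platform KeyStore".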
@@ -554,6 +610,23 @@ GRUB_MOD_INIT (appendedsig) grub_register_variable_hook ("check_appended_signatures", grub_env_read_sec, grub_env_write_sec); grub_env_export ("check_appended_signatures"); + /* + * This is appended signature key management environment variable. It is + * automatically set to either "static" or "dynamic" based on the + * Platform KeyStore. + * + * "static": Enforce static key management signature verification. This is + * the default. When the GRUB is locked down, user cannot change + * the value by setting the appendedsig_key_mgmt variable back to + * "dynamic". + * + * "dynamic": Enforce dynamic key management signature verification. When the + * GRUB is locked down, user cannot change the value by setting the + * appendedsig_key_mgmt variable back to "static". + */ + grub_register_variable_hook ("appendedsig_key_mgmt", grub_env_read_key_mgmt, grub_env_write_key_mgmt); + grub_env_export ("appendedsig_key_mgmt"); + rc = grub_asn1_init (); if (rc != ASN1_SUCCESS) grub_fatal ("error initing ASN.1 data structures: %d: %s\n", rc, asn1_strerror (rc)); @@ -577,5 +650,7 @@ GRUB_MOD_FINI (appendedsig) free_db_list (); grub_register_variable_hook ("check_appended_signatures", NULL, NULL); grub_env_unset ("check_appended_signatures"); + grub_register_variable_hook ("appendedsig_key_mgmt", NULL, NULL); + grub_env_unset ("appendedsig_key_mgmt"); grub_verifier_unregister (&grub_appendedsig_verifier); } -- 2.50.1 (Apple Git-155)
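Review bot: the new block comment in the `@@ -554,6 +610,23 @@` hunk carries the same grammar slips as the commit message ("When the GRUB is locked down, user cannot change" should be "When GRUB is locked down, the user cannot change", in both the "static" and "dynamic" paragraphs) and repeats the commit message nearly word for word; a short comment pointing at the variable's documentation would age better. That points at the real gap: the diffstat shows only appendedsig.c touched, so appendedsig_key_mgmt is a new exported, user-settable environment variable with no entry in docs/grub.texi. Please document it next to check_appended_signatures, covering the lockdown behaviour and what "static" and "dynamic" mean for which keys are trusted.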