grub-devel.gnu.org archive mirror
 help / color / mirror / Atom feed
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
To: Daniel Kiper <dkiper@net-space.pl>
Cc: grub-devel@gnu.org, dja@axtens.net, jan.setjeeilers@oracle.com,
	julian.klode@canonical.com, mate.kukri@canonical.com,
	pjones@redhat.com, msuchanek@suse.com, mlewando@redhat.com,
	stefanb@linux.ibm.com, avnish@linux.ibm.com, nayna@linux.ibm.com,
	ssrish@linux.ibm.com
Subject: Re: [PATCH v6 10/20] appended signatures: Support verifying appended signatures
Date: Wed, 13 Aug 2025 20:18:51 +0530	[thread overview]
Message-ID: <20392367-ED09-4DBB-9A2D-520CD2567115@linux.ibm.com> (raw)
In-Reply-To: <20250813143342.d5chkvslcjkfbque@tomti.i.net-space.pl>



> On 13 Aug 2025, at 8:03 PM, Daniel Kiper <dkiper@net-space.pl> wrote:
> 
> On Tue, Aug 12, 2025 at 05:16:22PM +0530, Sudhakar Kuppusamy wrote:
>>> On 12 Aug 2025, at 5:00 PM, Daniel Kiper <dkiper@net-space.pl> wrote:
>>> On Tue, Aug 12, 2025 at 10:30:55AM +0530, Sudhakar Kuppusamy wrote:
>>>> Thank you Daniel.
>>>> 
>>>>> On 11 Aug 2025, at 9:24 PM, Daniel Kiper <dkiper@net-space.pl> wrote:
>>>>> On Tue, Jul 29, 2025 at 08:21:46PM +0530, Sudhakar Kuppusamy wrote:
>>> 
>>> [...]
>>> 
>>>>>> +  if (is_cert_removed_from_db (cert) == false)
>>>>>> +    err = grub_error (GRUB_ERR_EOF,
>>>>>> +                      "not found certificate with CN:%s in the db list", cert->subject);
>>>>> 
>>>>> First of all, I am not convinced the cert should be removed automatically
>>>>> from the db. I think it would be better if it is documented it should be
>>>>> done manually. However, if you convince me it should be done automatically
>>>>> here then lack of cert in the db should not trigger an error...
>>>> 
>>>> It is not automatically removing the cert from the db but does it manually
>>>> when user try to remove distrusted cert via append_rm_dbx_cert command.
>>> 
>>> So, I mean it should not happen then...
>> 
>> The removal of certificate here is not persist accross the boots, it is only for the current boot.
> 
> Ahhh... OK... You can ignore my comment then. Though I think it means
> comments and/or code should be more clear about it...

Sure. Will add clear comments.
> 
>> Also, this command accepts only signed certificates when secure boot is set to enabled.
>> 
>> I do not understand “automatic" and “manual” from your previous comments.
>> Could you please elabarate it.
> 
> When I say "automatic" I mean here the command at once inserts a given
> cert into dbx and removes it from the db.

Thank you Daniel.
> 
> Daniel



_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

  reply	other threads:[~2025-08-13 14:49 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-29 14:51 [PATCH v6 00/20] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 01/20] powerpc-ieee1275: Add support for signing GRUB with an appended signature Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 02/20] crypto: Move storage for grub_crypto_pk_* to crypto.c Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 03/20] pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 04/20] grub-install: Support embedding x509 certificates Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 05/20] appended signatures: Import GNUTLS's ASN.1 description files Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 06/20] appended signatures: Parse ASN1 node Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 07/20] appended signatures: Parse PKCS#7 signedData Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 08/20] appended signatures: Parse X.509 certificates Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 09/20] powerpc_ieee1275: Enter lockdown based on /ibm, secure-boot Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 10/20] appended signatures: Support verifying appended signatures Sudhakar Kuppusamy
2025-08-11 15:54   ` Daniel Kiper
2025-08-12  5:00     ` Sudhakar Kuppusamy
2025-08-12 11:30       ` Daniel Kiper
2025-08-12 11:46         ` Sudhakar Kuppusamy
2025-08-13 14:33           ` Daniel Kiper
2025-08-13 14:48             ` Sudhakar Kuppusamy [this message]
2025-07-29 14:51 ` [PATCH v6 11/20] powerpc_ieee1275: Read the db and dbx secure boot variables Sudhakar Kuppusamy
2025-08-11 16:24   ` Daniel Kiper
2025-08-11 16:40     ` Sudhakar Kuppusamy
2025-08-12 11:39       ` Daniel Kiper
2025-07-29 14:51 ` [PATCH v6 12/20] appended signatures: Create db and dbx lists Sudhakar Kuppusamy
2025-08-11 17:21   ` Daniel Kiper
2025-08-11 17:34     ` Sudhakar Kuppusamy
2025-08-12 11:50       ` Daniel Kiper
2025-07-29 14:51 ` [PATCH v6 13/20] appended signatures: Using db and dbx lists for signature verification Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 14/20] powerpc_ieee1275: Introduce use_static_keys flag Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 15/20] appended signatures: Read default db keys from the ELF Note Sudhakar Kuppusamy
2025-08-13 14:43   ` Daniel Kiper
2025-08-13 14:49     ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 16/20] appended signatures: Introduce GRUB commands to access db and dbx Sudhakar Kuppusamy
2025-08-13 15:42   ` Daniel Kiper
2025-08-14  6:22     ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 17/20] appended signatures: Verification tests Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 18/20] docs/grub: Document signing GRUB under UEFI Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 19/20] docs/grub: Document signing GRUB with an appended signature Sudhakar Kuppusamy
2025-08-13 16:45   ` Daniel Kiper
2025-08-14  6:54     ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 20/20] docs/grub: Document " Sudhakar Kuppusamy
2025-08-14 14:20   ` Daniel Kiper
2025-08-14 18:33     ` Sudhakar Kuppusamy
  -- strict thread matches above, loose matches on Subject: below --
2025-07-29 12:36 [PATCH v6 00/20] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2025-07-29 12:36 ` [PATCH v6 10/20] appended signatures: Support verifying appended signatures Sudhakar Kuppusamy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20392367-ED09-4DBB-9A2D-520CD2567115@linux.ibm.com \
    --to=sudhakar@linux.ibm.com \
    --cc=avnish@linux.ibm.com \
    --cc=dja@axtens.net \
    --cc=dkiper@net-space.pl \
    --cc=grub-devel@gnu.org \
    --cc=jan.setjeeilers@oracle.com \
    --cc=julian.klode@canonical.com \
    --cc=mate.kukri@canonical.com \
    --cc=mlewando@redhat.com \
    --cc=msuchanek@suse.com \
    --cc=nayna@linux.ibm.com \
    --cc=pjones@redhat.com \
    --cc=ssrish@linux.ibm.com \
    --cc=stefanb@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).