From: "Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@gmail.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: [PATCH v0] Additional security-relevant documentation
Date: Thu, 17 Oct 2013 23:44:14 +0200 [thread overview]
Message-ID: <52605A2E.4010107@gmail.com> (raw)
In-Reply-To: <CADtfRCVgUFWkTLnr7fXczvZZk5a5+Oi-rf==v+7-TRXmJhydkQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1867 bytes --]
On 17.10.2013 20:03, Jonathan McCune wrote:
> grub-mkimage is internal implementation detail. It should not be
> mentioned here.
>
>
> I tend to agree, but right now it's necessary to understand this. When
> grub-install support for --pubkey matures, this can be removed.
>
>
> > This
> > +can be done using the @code{--pubkey} option to
> @command{grub-mkimage}
> > +and manually specifying that the modules required for signature
> > +verification be embedded in @file{core.img}. For example:
> > +
> > +@example
> > +# First, wrap grub-mkimage to include your public key(s).
> > +cat <<EOF > /root/grub-mkimage-pubkey.sh
> > +#!/bin/sh
> > +/usr/bin/grub-mkimage --pubkey=/boot/pubkey.gpg $@@
> > +EOF
> > +chmod +x /root/grub-mkimage-pubkey.sh
> > +# Then, invoke grub-install, explicitly including the `verify'
> > +# module and its dependencies (as verify cannot signature-check
> > +# itself).
> > +grub-install \
> > + --grub-mkimage=/root/grub-mkimage-pubkey.sh \
> > + --modules="verify gcry_rsa gcry_dsa gcry_sha256 hashsum"\
> > +"gcry_sha1 mpi echo loadenv" \
> > + /dev/sda
> > +@end example
> > +
>
> Nor should this example really be included.
>
>
> Same thoughts as above. This should get dropped as part of some future
> cleanup, but for the moment I think it's necessary. It's also already
> committed so somewhat moot.
Not true
a) This part was removed
b) I actually forgot Andrey's message when I committed your patch. Sorry
for this. Most of problems he mentions are valid and should be fixed.
Also, interestingly, I removed most of parts he had problem with even
though I didn't look at his email at that time.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 291 bytes --]
prev parent reply other threads:[~2013-10-17 21:44 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-27 17:00 [PATCH v0] Additional security-relevant documentation Jon McCune
2013-09-29 9:29 ` Andrey Borzenkov
2013-10-17 18:03 ` Jonathan McCune
2013-10-17 21:44 ` Vladimir 'φ-coder/phcoder' Serbinenko [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52605A2E.4010107@gmail.com \
--to=phcoder@gmail.com \
--cc=grub-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).