From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from list by lists.gnu.org with archive (Exim 4.71)
	id 1VWvMt-0000yZ-LV
	for mharc-grub-devel@gnu.org; Thu, 17 Oct 2013 17:44:31 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:41405)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <phcoder@gmail.com>) id 1VWvMm-0000rs-Hw
	for grub-devel@gnu.org; Thu, 17 Oct 2013 17:44:31 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <phcoder@gmail.com>) id 1VWvMf-0004Uv-W5
	for grub-devel@gnu.org; Thu, 17 Oct 2013 17:44:24 -0400
Received: from mail-ea0-x230.google.com ([2a00:1450:4013:c01::230]:34661)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <phcoder@gmail.com>) id 1VWvMf-0004U0-P6
	for grub-devel@gnu.org; Thu, 17 Oct 2013 17:44:17 -0400
Received: by mail-ea0-f176.google.com with SMTP id q16so1440636ead.35
	for <grub-devel@gnu.org>; Thu, 17 Oct 2013 14:44:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=message-id:date:from:user-agent:mime-version:to:subject:references
	:in-reply-to:content-type;
	bh=/BJKr99+tMmqZ6ohzGieod808GWSA5iVpDS/uTrkOpI=;
	b=s6QIhaOpSizebS8v/pkUL+OoqWHs0Arq7QjbyYwdspHiHBnP8d66DvS9DjPOsbY1vx
	jF0woVGI0aiq0WwU1x2WFyd6T7uiJ+TAGS7AFy5hVrl50V6/myzkAMW18NCNuP+QUQDi
	QxYmfhoMeVUE3XyDuChOw7F7gtm40Q6kBOfWtL++HW5V2dAYKgQqUJ9qfXi6b48uOZ0f
	aQtH9rDNHU5i2NkQHiDjdxTsGwAv3TVvDkpYCkJt7uJZpRqzvfBIOCOpOIed7Ub5xSoA
	XFraRJvkOsQ+HTqJuK+Harxjt2GvhHJWqZdhekNeatvuDNx1SlWpzTiGRFDJlSNZXL5U
	wMrw==
X-Received: by 10.14.32.196 with SMTP id o44mr11165420eea.43.1382046256916;
	Thu, 17 Oct 2013 14:44:16 -0700 (PDT)
Received: from [192.168.42.243] (236-224.197-178.cust.bluewin.ch.
	[178.197.224.236]) by mx.google.com with ESMTPSA id
	a6sm198109364eei.10.1969.12.31.16.00.00
	(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Thu, 17 Oct 2013 14:44:16 -0700 (PDT)
Message-ID: <52605A2E.4010107@gmail.com>
Date: Thu, 17 Oct 2013 23:44:14 +0200
From: =?UTF-8?B?VmxhZGltaXIgJ8+GLWNvZGVyL3BoY29kZXInIFNlcmJpbmVua28=?=
	<phcoder@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:17.0) Gecko/20131005 Icedove/17.0.9
MIME-Version: 1.0
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: [PATCH v0] Additional security-relevant documentation
References: <1380301237-19071-1-git-send-email-jonmccune@google.com>
	<20130929132921.4b0d9a76@opensuse.site>
	<CADtfRCVgUFWkTLnr7fXczvZZk5a5+Oi-rf==v+7-TRXmJhydkQ@mail.gmail.com>
In-Reply-To: <CADtfRCVgUFWkTLnr7fXczvZZk5a5+Oi-rf==v+7-TRXmJhydkQ@mail.gmail.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature";
	boundary="----enig2ICHTWOPIWBFXNLXXPMVE"
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
	(bad octet value).
X-Received-From: 2a00:1450:4013:c01::230
X-BeenThere: grub-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: The development of GNU GRUB <grub-devel@gnu.org>
List-Id: The development of GNU GRUB <grub-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/grub-devel>,
	<mailto:grub-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/grub-devel>
List-Post: <mailto:grub-devel@gnu.org>
List-Help: <mailto:grub-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/grub-devel>,
	<mailto:grub-devel-request@gnu.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2013 21:44:31 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
------enig2ICHTWOPIWBFXNLXXPMVE
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 17.10.2013 20:03, Jonathan McCune wrote:
>     grub-mkimage is internal implementation detail. It should not be
>     mentioned here.
>=20
>=20
> I tend to agree, but right now it's necessary to understand this.  When=

> grub-install support for --pubkey matures, this can be removed.
> =20
>=20
>     >                                                                  =
This
>     > +can be done using the @code{--pubkey} option to
>     @command{grub-mkimage}
>     > +and manually specifying that the modules required for signature
>     > +verification be embedded in @file{core.img}.  For example:
>     > +
>     > +@example
>     > +# First, wrap grub-mkimage to include your public key(s).
>     > +cat <<EOF > /root/grub-mkimage-pubkey.sh
>     > +#!/bin/sh
>     > +/usr/bin/grub-mkimage --pubkey=3D/boot/pubkey.gpg $@@
>     > +EOF
>     > +chmod +x /root/grub-mkimage-pubkey.sh
>     > +# Then, invoke grub-install, explicitly including the `verify'
>     > +# module and its dependencies (as verify cannot signature-check
>     > +# itself).
>     > +grub-install \
>     > +  --grub-mkimage=3D/root/grub-mkimage-pubkey.sh \
>     > +  --modules=3D"verify gcry_rsa gcry_dsa gcry_sha256 hashsum"\
>     > +"gcry_sha1 mpi echo loadenv" \
>     > +  /dev/sda
>     > +@end example
>     > +
>=20
>     Nor should this example really be included.
>=20
>=20
> Same thoughts as above.  This should get dropped as part of some future=

> cleanup, but for the moment I think it's necessary.  It's also already
> committed so somewhat moot.

Not true
a) This part was removed
b) I actually forgot Andrey's message when I committed your patch. Sorry
for this. Most of problems he mentions are valid and should be fixed.
Also, interestingly, I removed most of parts he had problem with even
though I didn't look at his email at that time.


------enig2ICHTWOPIWBFXNLXXPMVE
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iF4EAREKAAYFAlJgWi4ACgkQNak7dOguQglzuwEAk4c6l5u2iy5CCWtKQezQ5wGP
I/TnoPoJkxFyA3gJHsIBAKZpmYq+o+47mUIpZRzjj22aUItSn0UJRneXDOh3qtOu
=OF90
-----END PGP SIGNATURE-----

------enig2ICHTWOPIWBFXNLXXPMVE--