From: Jonathan McCune <jonmccune@google.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: [PATCH v0] Support to disable reed-solomon codes
Date: Sat, 2 Nov 2013 20:05:35 -0700 [thread overview]
Message-ID: <CADtfRCUnHqFsi-RxEnxZ5hEHPtAk8C0NtDtzden_8pDs4BfnEg@mail.gmail.com> (raw)
In-Reply-To: <20131102071336.7cff1833@opensuse.site>
[-- Attachment #1: Type: text/plain, Size: 2044 bytes --]
On Fri, Nov 1, 2013 at 8:13 PM, Andrey Borzenkov <arvidjaar@gmail.com>wrote:
> В Fri, 1 Nov 2013 17:04:00 -0700
> Jon McCune <jonmccune@google.com> пишет:
>
> > * new grub-*-setup flag to disable insertion of reed solomon codes
> > * grub-install support for option --no-rs-codes
>
> What problem does it solve?
A simple motivation is the desire to run the bare minimum amount of code
required to boot a machine.
However, the high-level problem I'm trying to address is to make the binary
part of GRUB (core.img + boot.img or similar) easier to verify
cryptographically.
First, if a hash or signature checks out, then the bits are known to be
correct and there's no need for the redundancy of the RS codes.
Second, I am not a fan of verification mechanisms that require "just
install it, then look at what is installed and assume it is correct, and
then sign that." I think it should be possible to generate all the
necessary signatures at *build time* instead of *install time* (modulo
knowledge of the install target's partition table layout), to eliminate any
target-specific configuration weirdness that's not accounted for at build
time.
I think it also helps to think about this problem by working backwards.
Build GRUB on machine A, and install it on machine B (assume same
architecture everywhere, but it doesn't really matter). Given the contents
of B's disk (e.g., MBR + contents of embedding area), and the build output
of A, how do we know if machine B indeed has all the right bits installed?
It's not too hard to run the same grub-mkimage command everywhere so as to
generate a consistent core.img (and whatever .img makes sense for the MBR)
doing the verification, and it's not too hard to take knowledge of B's
partition table layout to make the necessary changes to those .img files.
But, the reed-solomon codes that util/setup.c adds into the embedding area
are yet another step that would need to be backed out.
This patch just adds a flag. :)
Thanks,
-Jon
[-- Attachment #2: Type: text/html, Size: 2780 bytes --]
next prev parent reply other threads:[~2013-11-03 3:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-02 0:04 [PATCH v0] Support to disable reed-solomon codes Jon McCune
2013-11-02 3:13 ` Andrey Borzenkov
2013-11-03 3:05 ` Jonathan McCune [this message]
2013-11-03 3:33 ` Richard Laager
2013-11-03 22:57 ` Jonathan McCune
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CADtfRCUnHqFsi-RxEnxZ5hEHPtAk8C0NtDtzden_8pDs4BfnEg@mail.gmail.com \
--to=jonmccune@google.com \
--cc=grub-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).