[RFC] Grub2 lock and password implementation

[Julien Ranc]

Some months ago, I started working on this part, but it didn't go far,
and I abandonned it mainly because of a lack of time.
I'd like to take some time to work on it again, this time until it
(hopefully) gets accepted into Grub2.
I'll try in this mail to describe how I propose to implement these 2 features.
All comments, remarks will be highly appreciated.

What is needed / wanted ?

All functions of Grub legacy should be offered. The authentication
should be made extensible, in order to easily support various kind of
authentication: password-based, network-based, two-factor, or any
fancy authentication method one would think of.

In order to achieve this, I propose to implement the following infrastructure:

An "authentication" module. It would be in charge of:
 - (un)registering authentication methods,
 - managing user authentication state,
 - storing defined authentication data. This module would manage only
one authentication challenge at a time.
 - asking the authentication method for user credential to check
against authentication data when and as required.

Several "authentication method".
These modules would implement various authentication methods. An
authentication method would be in charge of storing authentication
data (whatever it is), asking user credentials, comparing user input
to authentication data and deciding whether the user succeeded or
failed. I am thinking of implementing, as a start:
 - Plain text password: insecure, but very easy to implement, and can
be useful for tests, and would ensure compatibility with Grub Legacy.
 - MD5 summed password. More secure, and required for compatibility
with Grub Legacy
 - probably also SHA-256: Even more secure since MD5 collisions exist.

An "authentication_data" structure,
It would store data relative to the authentication challenge (data
used by the authentication module, and opaque data used and controlled
by the authentication method). For example: plain text password, MD5
hash, a public RSA key read from a file specified in the grub
configuration file, etc)

Two new Grub 2 commands: lock and password. These commands, along with
parameters, and use cases are describes below.

The password command:

This command would register an authentication challenge in the
authentication module. The call to this command in transparent to the
user (nothing displayed on screen, no user interaction needed). The
command parameters would be:
password --type AUTH_METHOD_NAME [authentication method parameters]
The AUTH_METHOD_NAME parameter is used to call the authentication
method handler that registered with this name. It could be, for
example "plain" for plain texts, "md5", "sha256", etc.
Then, the authentication method would be called to set up an
"authentication_data" structure. It would be passed all the
[authentication method parameters] in order to fill the opaque data in
the structure.

The lock command:
This command would block the execution of the script until the user
correctly authenticate. If the user correctly authenticated
previously, and the password had not been changed (via a password
command) since, then the lock command would return without locking the
user again.
I imagine two uses of the lock command: Firstly alone, with no
additional parameter. This would use the latest defined authentication
data. Or with the same exact syntax as the password command. This
would lead to the following syntax:
lock [--type AUTH_METHOD_NAME [authentication method parameters]]


--
Julien RANC
address@hidden