Re: Signature verification in GRUB

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Signature verification in GRUB

From:	Vladimir 'φ-coder/phcoder' Serbinenko
Subject:	Re: Signature verification in GRUB
Date:	Sat, 13 Oct 2012 12:36:11 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:10.0.7) Gecko/20120922 Icedove/10.0.7

On 10.10.2012 00:54, Geoffrey Thomas wrote:

> Hi GRUB list,
> 
> I'm working on adding verified boot / Secure Boot support to my
> company's OS-level product (MokaFive BareMetal). As background, we use
> whole-image updates to help with reliable unattended upgrades and for
> debugging; an upgrade is delivered as a new ISO image, and we have GRUB
> configuration to loop-mount the ISO and load further configuration, a
> kernel, and an initrd.
> 
> First, does GRUB has a mechanism for me to validate a digitally-signed
> file of some sort? This could be e.g. a PGP-signed file or something
> from `openssl dgst -sign`. I see that GRUB has all the relevant crypto
> primitives to do this, but I can't find a command to invoke them. (As
> far as I can tell, gcrypt is only used for PBKDF2 and cryptodisk support?)
> 

I have some code dating from about a year ago but because of my current
personal situation it's put on hold for some time.

> If not, I'd like to add a command to verify a signature on a file, or
> possibly to verify a signature on a GRUB configuration file and execute
> it if it validates. Does this seem like a reasonable thing to add?
> 
> Secondarily, I'm curious if anyone has done work towards porting verity
> or some similar signed (but not encrypted) disk support to GRUB. Since
> we're already planning on using dm-verity once the kernel is booted, I
> think the simplest solution will be to have a signature on the verity
> root hash, mount the ISO using verity, and load the GRUB configuration /
> kernel / initrd from the resulting block device. Does this support exist
> already? (I've also asked this question on the dm-crypt list.)
> 

Is there some doc on dm-verify? It may be interesting.

> Finally, if there's an easier way to do verified boot with GRUB or some
> existing effort along these lines that I should be helping out with, let
> me know.
> 
> Thanks,



-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

Signature verification in GRUB, Geoffrey Thomas, 2012/10/09
- Re: Signature verification in GRUB, Chris Murphy, 2012/10/09
  - Re: Signature verification in GRUB, Geoffrey Thomas, 2012/10/09
  - Re: Signature verification in GRUB, Matthew Garrett, 2012/10/10
    - Re: Signature verification in GRUB, Chris Murphy, 2012/10/10
- Re: Signature verification in GRUB, Vladimir 'φ-coder/phcoder' Serbinenko <=
  - Re: Signature verification in GRUB, Geoffrey Thomas, 2012/10/15
    - Re: Signature verification in GRUB, Vladimir 'φ-coder/phcoder' Serbinenko, 2012/10/18
    - Re: Signature verification in GRUB, Geoffrey Thomas, 2012/10/18

Prev by Date: [PATCH] Incorrect initrd minimum address calculation
Next by Date: Re: [PATCH] Ignore symlink traversal failures in grub-mount readdir
Previous by thread: Re: Signature verification in GRUB
Next by thread: Re: Signature verification in GRUB
Index(es):
- Date
- Thread