Re: [PATCH v0] Additional security-relevant documentation

[Vladimir 'φ-coder/phcoder' Serbinenko]

On 17.10.2013 20:03, Jonathan McCune wrote:
>     grub-mkimage is internal implementation detail. It should not be
>     mentioned here.
> 
> 
> I tend to agree, but right now it's necessary to understand this.  When
> grub-install support for --pubkey matures, this can be removed.
>  
> 
>     >                                                                  This
>     > +can be done using the @code{--pubkey} option to
>     @command{grub-mkimage}
>     > +and manually specifying that the modules required for signature
>     > +verification be embedded in @file{core.img}.  For example:
>     > +
>     > address@hidden
>     > +# First, wrap grub-mkimage to include your public key(s).
>     > +cat <<EOF > /root/grub-mkimage-pubkey.sh
>     > +#!/bin/sh
>     > +/usr/bin/grub-mkimage --pubkey=/boot/pubkey.gpg $@@
>     > +EOF
>     > +chmod +x /root/grub-mkimage-pubkey.sh
>     > +# Then, invoke grub-install, explicitly including the `verify'
>     > +# module and its dependencies (as verify cannot signature-check
>     > +# itself).
>     > +grub-install \
>     > +  --grub-mkimage=/root/grub-mkimage-pubkey.sh \
>     > +  --modules="verify gcry_rsa gcry_dsa gcry_sha256 hashsum"\
>     > +"gcry_sha1 mpi echo loadenv" \
>     > +  /dev/sda
>     > address@hidden example
>     > +
> 
>     Nor should this example really be included.
> 
> 
> Same thoughts as above.  This should get dropped as part of some future
> cleanup, but for the moment I think it's necessary.  It's also already
> committed so somewhat moot.

Not true
a) This part was removed
b) I actually forgot Andrey's message when I committed your patch. Sorry
for this. Most of problems he mentions are valid and should be fixed.
Also, interestingly, I removed most of parts he had problem with even
though I didn't look at his email at that time.

signature.asc
Description: OpenPGP digital signature