grub-devel


From: Michael Chang
Subject: Re: [PATCH 3/3] docs/grub: Document signing grub with an appended signature
Date: Tue, 20 Oct 2020 13:58:46 +0800
User-agent: Mutt/1.10.1 (2018-07-13)

On Tue, Oct 20, 2020 at 03:51:11PM +1100, Daniel Axtens wrote:
> Hi Michael,
> 
> >> +@section Signing GRUB with an appended signature
> >> +
> >> +The @file{core.img} itself can be signed with a Linux kernel module-style
> >> +appended signature.
> >> +
> >> +To support IEEE1275 platforms where the boot image is often loaded 
> >> directly
> >> +from a disk partition rather than from a file system, the @file{core.img}
> >
> > Maybe `core.elf` should be used for embedded image on ieee1275 platform?
> > The core.img is more pc bios specific IMHO, and hence would be edited
> > on-the-fly during the grub-install/grub-bios-setup process for keeping
> > or adding some records, making it not a good example to the proposed
> > procedure here as the image on filesystem and partition may differ.
> 
> Sure, I will change this in v2.
> 
> >> +can specify the size and location of the appended signature with an ELF
> >> +note added by @command{grub-install}.
> >> +
> >> +An image can be signed this way using the @command{sign-file} command from
> >> +the Linux kernel:
> >> +
> >> +@example
> >> +@group
> >> +# grub.key is your private key and certificate.der is your public key
> >> +
> >> +# Determine the size of the appended signature. It depends on the signing
> >> +# certificate and the hash algorithm
> >> +touch empty
> >> +sign-file SHA256 grub.key certificate.der empty empty.sig
> >> +SIG_SIZE=`stat -c '%s' empty.sig`
> >> +rm empty empty.sig
> >> +
> >> +# Build a grub image with $SIG_SIZE reserved for the signature
> >> +grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
> >> +
> >> +# Replace the reserved size with a signature:
> >> +# cut off the last $SIG_SIZE bytes with truncate's minus modifier
> >> +truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf 
> >> core.elf.unsigned
> >> +# sign the trimmed file with an appended signature, restoring the correct 
> >> size
> >> +sign-file SHA256 grub.key certificate.der core.elf.unsigned 
> >> core.elf.signed
> >> +
> >> +# Don't forget to install the signed image as required
> >> +# (e.g. on powerpc-ieee1275, to the PReP partition)
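Review bot: The truncate line in the @example block passes two file names, and truncate resizes every file it is given rather than copying the first to the second. As written it shrinks the installed /boot/grub/powerpc-ieee1275/core.elf in place, and core.elf.unsigned never receives the image contents, so the following sign-file call does not sign the trimmed image. Suggest copying first and truncating the copy: `cp /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned` followed by `truncate -s -$SIG_SIZE core.elf.unsigned`. Separately, the first comment calls certificate.der "your public key"; sign-file takes the X.509 certificate in that position, so "your signing certificate" would be more accurate.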
> >
> > Could you please provide more indication on how to install the signed
> > image afterwards? I suppose it is 'dd' for writing the core.elf.signed
> > to the PReP partition but not really sure that is correct.
> 
> At the moment, yes, dd.
> 
> Firmware loads raw bytes off the PReP partition and expects them to be a
> 32-bit BE ELF binary. Therefore any method that can put raw bytes on
> disk will work, and dd is the classic tool for the job.
> 
> I'll improve this for v2 on the basis of how the discussions on Michal's
> proposal to do away with the ELF note go.
> 
> > It also looked to me that the entire process can be integrated into
> > grub-install so the user has less hassle setting it up. For that
> > matter we could work out new grub-install options to accept the user's
> > private key and public key certificate to compose a signed image with
> > an appended signature and install it on the fly. Is there anything that
> > I could have missed here?
> 
> We'd need to add a dependency on OpenSSL (or maybe GNUTLS) to grub-install,
> as there's no support in grub to generate PKCS#7 messages. I don't know
> if that's acceptable?

I think it is acceptable if we invoke a utility like openssl in
grub-install, as there have been some utilities invoked for different
purposes. (Remember, grub-install used to be written as a script :))

> One of the reasons I didn't go down that road initially is that I
> imagine that most signed images are going to be signed by distros prior
> to installation. Maybe grub-mkimage would be a better place to add this
> feature. I think this is something we'll need to revisit once we resolve
> the discussion about the ELF note generally.

Yes. That sounds reasonable as long as the distro would have to work out
the signed core.efi via grub-mkimage in a way that can handle different
installation setups without resorting to any setup work performed by the
user on the image itself (i.e. running grub-install). The `dd` should just
work and is the right thing to do.

Thanks,
Michael

> 
> Kind regards,
> Daniel
> 
> >
> > Thanks,
> > Michael
> >
> >> +@end group
> >> +@end example
> >> +
> >> +As with UEFI secure boot, it is necessary to build in the required 
> >> modules,
> >> +or sign them separately.
> >> +
> >> +
> >>  @node Platform limitations
> >>  @chapter Platform limitations
> >>  
> >> -- 
> >> 2.25.1
> 
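A pre-install check for the signed image discussed in this thread, as an added example that is not part of the original message or of GRUB: before the image is written raw to the PReP partition, it confirms the file is a 32-bit big-endian ELF, ends in a Linux module-style PKCS#7 trailer, and that the appended data fills the reserved space exactly. The trailer layout follows the Linux kernel's `struct module_signature`; the function names are hypothetical and the sample image is constructed, with filler bytes in place of a real PKCS#7 message.

```python
import struct

MAGIC = b"~Module signature appended~\n"   # MODULE_SIG_STRING in the Linux kernel
TRAILER = struct.Struct(">BBBBB3xI")        # struct module_signature; sig_len is big-endian
PKEY_ID_PKCS7 = 2                           # id_type written by sign-file


def appended_sig_size(image: bytes) -> int:
    """Return the total bytes appended by sign-file (PKCS#7 + trailer + magic)."""
    if not image.endswith(MAGIC):
        raise ValueError("no appended-signature magic at end of image")
    end = len(image) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("image too short for signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        image[end - TRAILER.size:end])
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        raise ValueError("trailer is not a PKCS#7 appended signature")
    total = sig_len + TRAILER.size + len(MAGIC)
    if sig_len == 0 or total > len(image):
        raise ValueError("signature length field is inconsistent with file size")
    return total


def check_before_install(image: bytes, reserved: int, built_size: int) -> None:
    """Checks to run on core.elf.signed before writing it to the PReP partition."""
    # Firmware expects a 32-bit big-endian ELF: EI_CLASS == 1, EI_DATA == 2.
    if image[:4] != b"\x7fELF" or image[4:6] != b"\x01\x02":
        raise ValueError("not a 32-bit big-endian ELF image")
    if appended_sig_size(image) != reserved:
        raise ValueError("signature does not fill the reserved space exactly")
    if len(image) != built_size:
        raise ValueError("signed image size differs from the image grub-install built")


def make_sample(content_len: int, sig_len: int) -> bytes:
    """Constructed sample: ELF ident + filler, filler 'signature', real trailer layout."""
    body = b"\x7fELF\x01\x02\x01" + b"\0" * (content_len - 7)
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, sig_len)
    return body + b"S" * sig_len + trailer + MAGIC
```

In the quoted procedure, `reserved` corresponds to `$SIG_SIZE` and `built_size` to the size of `core.elf` as produced by `grub-install`; the check covers layout only and does not verify the signature itself.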
