[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2 00/18] Verify appended signatures from grub
|
From: |
Daniel Kiper |
|
Subject: |
Re: [PATCH v2 00/18] Verify appended signatures from grub |
|
Date: |
Wed, 18 Nov 2020 19:18:50 +0100 |
|
User-agent: |
NeoMutt/20170113 (1.7.2) |
Hi Daniel,
On Wed, Oct 28, 2020 at 12:57:17PM +1100, Daniel Axtens wrote:
> v2: fix the grub-mkimage bug. I haven't changed any libtasn1 licensing
> because I don't think we reached any conclusion on whether anything
> was needed, and if so what.
>
> Part of a secure boot chain is allowing grub to verify the boot
> kernel. For UEFI platforms, this is usually delegated to the shim: see
> shim_lock.c. However, for platforms that do not implement UEFI, an
> alternative scheme is required.
>
> This series teaches grub how to verify Linux kernel-style 'appended
> signatures'. I talked about this in my recent Linux Plumbers talk:
> https://linuxplumbersconf.org/event/7/contributions/738/ and
> https://youtu.be/IJUNxHnopH4?t=510
>
> In very short, an appended signature is a 'dumb' signature over the
> contents of a file. (It is distinct from schemes like Authenticode
> that are aware of the structure of the file and only sign certain
> parts.) The signature is wrapped in a PKCS#7 message, and is appended
> to the signed file along with some metadata and a magic string. The
> signatures are validated against a public key which is usually
> provided as an x509 certificate. Kernels on powerpc are already signed
> with this scheme and can be verified by IMA for kexec.
Sounds interesting. Unfortunately I am not able to take it because the
GRUB is in code freeze state. I have just reviewed two patches which
fixes the docs and I will take them. I will take closer look at the rest
of the patch series after release. I hope this is not a problem for you...
Daniel
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: [PATCH v2 00/18] Verify appended signatures from grub,
Daniel Kiper <=