[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v3 15/19] appended signatures: parse PKCS#7 signedData and X.
Re: [PATCH v3 15/19] appended signatures: parse PKCS#7 signedData and X.509 certificates
Thu, 21 Apr 2022 21:32:41 +1000
>> This code allows us to parse:
>> - PKCS#7 signedData messages. Only a single signerInfo is supported,
>> which is all that the Linux sign-file utility supports creating
>> out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported.
>> Any certificate embedded in the PKCS#7 message will be ignored.
>> - X.509 certificates: at least enough to verify the signatures on the
>> PKCS#7 messages. We expect that the certificates embedded in grub will
>> be leaf certificates, not CA certificates. The parser enforces this.
> Doesn't grub support CA certificates for EFI?
For EFI, the verification isn't done by grub, it's done by either the
shim or by firmware. They do - per the spec - support certificate
chaining. So you could validly put a CA cert into db or MokList and have
a signature on an Authenticode signature chain back to that.
> Why limit to leaf certificates here?
Conventionally, appended signatures don't include embedded certificates
whereas Authenticode signatures do. There's nothing stopping you putting
one into the PKCS#7 message for an appended signature - it's just not
the way they are used on kernel modules or kernel binaries. So if
there's not an embedded certificate that can chain back to a CA
certificate, grub has to have access to the leaf certificate.
> If this is technical limitation of the code in question could you fail
> the build when CA certificate is used rather than crashing the
> bootloader when it boots?
I guess. I think IBM has been reasonably open in saying that static key
secure boot is not the end of the road for Power, so we expect that
ultimately keys could be loaded from somewhere other than the binary
like firmware storage. So even if we added this check in grub-mkimage,
we'd still need to keep it at runtime as well.
>> - X.509 certificates support the Extended Key Usage extension and handle
>> it by verifying that the certificate has a single purpose, that is code
> This should be updated I suppose.
So this is - surprisingly - still accurate! We still only support 1
_Extended_ Key Usage. The change that we made as a result of SUSE's bug
report was to support additional regular, non-extended key
usages. Here's the change broken out:
Author: Daniel Axtens <firstname.lastname@example.org>
Date: Tue Nov 30 15:00:57 2021 +1100
x509: allow Digitial Signature plus other Key Usages
Currently the x509 certificate parser for appended signature
verification requires that the certificate have the Digitial Signature
key usage and _only_ the Digitial Signature use. This is overly strict
and becomes policy enforcement rather than a security property.
Require that the Digitial Signature usage is present, but do not
require that it is the only usage present.
Reported-by: Michal Suchanek <email@example.com>
Signed-off-by: Daniel Axtens <firstname.lastname@example.org>
diff --git a/grub-core/commands/appendedsig/x509.c
index 70480aa73c9d..6ae985b30ff8 100644
@@ -547,7 +547,7 @@ cleanup:
* Verify the Key Usage extension.
- * We only permit the Digital signature usage.
+ * We require the Digital signature usage.
verify_key_usage (grub_uint8_t *value, int value_size)
@@ -586,10 +586,10 @@ verify_key_usage (grub_uint8_t *value, int value_size)
- if (usage != digitalSignatureUsage)
+ if (!(usage & digitalSignatureUsage))
- grub_error (GRUB_ERR_BAD_FILE_TYPE, "Unexpected Key Usage value: %x",
+ grub_error (GRUB_ERR_BAD_FILE_TYPE, "Key Usage (0x%x) missing Digital
- [PATCH v3 02/19] docs/grub: Document signing grub under UEFI, (continued)
- [PATCH v3 02/19] docs/grub: Document signing grub under UEFI, Daniel Axtens, 2022/04/21
- [PATCH v3 09/19] libtasn1: disable code not needed in grub, Daniel Axtens, 2022/04/21
- [PATCH v3 08/19] libtasn1: import libtasn1-4.18.0, Daniel Axtens, 2022/04/21
- [PATCH v3 13/19] grub-install: support embedding x509 certificates, Daniel Axtens, 2022/04/21
- [PATCH v3 12/19] test_asn1: test module for libtasn1, Daniel Axtens, 2022/04/21
- [PATCH v3 11/19] libtasn1: compile into asn1 module, Daniel Axtens, 2022/04/21
- [PATCH v3 14/19] appended signatures: import GNUTLS's ASN.1 description files, Daniel Axtens, 2022/04/21
- [PATCH v3 16/19] appended signatures: support verifying appended signatures, Daniel Axtens, 2022/04/21
- [PATCH v3 15/19] appended signatures: parse PKCS#7 signedData and X.509 certificates, Daniel Axtens, 2022/04/21
- [PATCH v3 18/19] appended signatures: documentation, Daniel Axtens, 2022/04/21
- [PATCH v3 17/19] appended signatures: verification tests, Daniel Axtens, 2022/04/21
- [PATCH v3 19/19] ieee1275: enter lockdown based on /ibm,secure-boot, Daniel Axtens, 2022/04/21