Re: [PATCH 7/7] verifiers: Verify after decompression
On Fri, Mar 15, 2024 at 7:26 AM Vladimir 'phcoder' Serbinenko wrote:
>
> Verifying after decompression is a bad security practice. It relies on
> decompression having no security holes. Given how complex decompression is,
> this is almost guaranteed to be false.
>

Point taken... I'll drop this patch as it is not essential to the goal of
booting Secure Booting Xen via GRUB.

Thanks,
Ross

___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH 7/7] verifiers: Verify after decompression
Verifying after decompression is a bad security practice. It relies on
decompression having no security holes. Given how complex decompression is,
this is almost guaranteed to be false.

On Wed, 13 Mar 2024, 18:08, Ross Lagerwall via Grub-devel <grub-devel@gnu.org> wrote:

> It is convenient and common to have binaries stored in gzip archives
> (e.g. xen.gz). Verification should be run after decompression rather
> than before so reorder the file filter list as appropriate.
>
> Signed-off-by: Ross Lagerwall
> ---
> include/grub/file.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/grub/file.h b/include/grub/file.h
> index a5bf3a792d6f..a1ef3582bc7b 100644
> --- a/include/grub/file.h
> +++ b/include/grub/file.h
> @@ -182,10 +182,10 @@ extern grub_disk_read_hook_t
> EXPORT_VAR(grub_file_progress_hook);
> /* Filters with lower ID are executed first. */
> typedef enum grub_file_filter_id
>{
> -GRUB_FILE_FILTER_VERIFY,
> GRUB_FILE_FILTER_GZIO,
> GRUB_FILE_FILTER_XZIO,
> GRUB_FILE_FILTER_LZOPIO,
> +GRUB_FILE_FILTER_VERIFY,
> GRUB_FILE_FILTER_MAX,
> GRUB_FILE_FILTER_COMPRESSION_FIRST = GRUB_FILE_FILTER_GZIO,
> GRUB_FILE_FILTER_COMPRESSION_LAST = GRUB_FILE_FILTER_LZOPIO,
> --
> 2.43.0
>
Re: [PATCH 7/7] verifiers: Verify after decompression
On Wed, Mar 13, 2024 at 03:07:48PM +, Ross Lagerwall via Grub-devel wrote:
> It is convenient and common to have binaries stored in gzip archives
> (e.g. xen.gz). Verification should be run after decompression rather
> than before so reorder the file filter list as appropriate.

The proposed change would result in the disruption of the tpm and pgp
clients within the verifier framework. Specifically, the tpm pcr
prediction software relies on the integrity of raw files rather than
decompressed ones. Additionally, pgp detached signatures are designed
to target original files, thus necessitating the current structure to
maintain functionality.

Thanks,
Michael

>
> Signed-off-by: Ross Lagerwall
> ---
> include/grub/file.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/grub/file.h b/include/grub/file.h
> index a5bf3a792d6f..a1ef3582bc7b 100644
> --- a/include/grub/file.h
> +++ b/include/grub/file.h
> @@ -182,10 +182,10 @@ extern grub_disk_read_hook_t
> EXPORT_VAR(grub_file_progress_hook);
> /* Filters with lower ID are executed first. */
> typedef enum grub_file_filter_id
>{
> -GRUB_FILE_FILTER_VERIFY,
> GRUB_FILE_FILTER_GZIO,
> GRUB_FILE_FILTER_XZIO,
> GRUB_FILE_FILTER_LZOPIO,
> +GRUB_FILE_FILTER_VERIFY,
> GRUB_FILE_FILTER_MAX,
> GRUB_FILE_FILTER_COMPRESSION_FIRST = GRUB_FILE_FILTER_GZIO,
> GRUB_FILE_FILTER_COMPRESSION_LAST = GRUB_FILE_FILTER_LZOPIO,
> --
> 2.43.0
>
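As an added illustration of the two objections above (Vladimir's: a decompressor placed in front of the verifier processes input nobody has checked yet; Michael's: PGP detached signatures and TPM PCR predictions are computed over the file as stored), here is a small Python model of GRUB's ordered filter chain. It is not GRUB code and was not posted by anyone in this thread: the filter names, the HMAC-SHA256 stand-in for a PGP detached signature, the demo key and the sample xen.gz are all constructed for the example. It runs the same signed file through both orderings and reports, for each, whether the signature verifies and whether the digest the verifier saw matches the one predicted offline from the stored file.

```python
import gzip
import hashlib
import hmac

# Constructed demo key standing in for the signer's PGP key (not a real key).
SIGNING_KEY = b"constructed-demo-signing-key"

# Filter orders, lowest ID first, mirroring the enum in include/grub/file.h.
CURRENT_ORDER = ("verify", "gzio")   # VERIFY before the decompressors (GRUB as it stands)
PATCHED_ORDER = ("gzio", "verify")   # VERIFY after the decompressors (this patch)


def sign_detached(raw: bytes) -> bytes:
    """Detached signature over the on-disk file. HMAC-SHA256 stands in for a
    PGP detached signature; what matters is that it covers the stored bytes."""
    return hmac.new(SIGNING_KEY, raw, hashlib.sha256).digest()


def measure(data: bytes) -> str:
    """Digest a TPM verifier would extend into a PCR. It is taken over the
    bytes the verifier is handed, so an offline PCR prediction must be
    computed over exactly those bytes."""
    return hashlib.sha256(data).hexdigest()


class VerifyFilter:
    """Models GRUB_FILE_FILTER_VERIFY: measures and signature-checks whatever
    bytes reach it at its position in the chain."""

    def __init__(self, signature: bytes) -> None:
        self.signature = signature
        self.measured = None  # digest actually seen, compared with the prediction

    def __call__(self, data: bytes) -> bytes:
        self.measured = measure(data)
        if not hmac.compare_digest(sign_detached(data), self.signature):
            raise PermissionError("detached signature does not cover these bytes")
        return data


def gzio_filter(data: bytes) -> bytes:
    """Models GRUB_FILE_FILTER_GZIO: transparently decompresses gzip input
    (magic 1f 8b) and passes anything else through untouched."""
    if data.startswith(b"\x1f\x8b"):
        return gzip.decompress(data)
    return data


def open_file(order, raw: bytes, signature: bytes):
    """Run the filter chain in the given order on the raw on-disk bytes.
    Returns (verified, measured_digest, payload); payload is None on failure."""
    verify = VerifyFilter(signature)
    filters = {"verify": verify, "gzio": gzio_filter}
    data = raw
    try:
        for name in order:
            data = filters[name](data)
    except PermissionError:
        return False, verify.measured, None
    return True, verify.measured, data


# Constructed sample: a "xen.gz" wrapping a stand-in for the hypervisor image.
PAYLOAD = b"constructed stand-in for a Xen hypervisor image\n" * 8
XEN_GZ = gzip.compress(PAYLOAD, mtime=0)

# Offline, the signer signs the file as stored and the PCR-prediction tool
# digests that same stored file; neither sees the decompressed image.
SIGNATURE = sign_detached(XEN_GZ)
PREDICTED_DIGEST = measure(XEN_GZ)


def compare_orders():
    """Return {order_name: (signature_verified, measurement_matches_prediction)}."""
    result = {}
    for name, order in (("current", CURRENT_ORDER), ("patched", PATCHED_ORDER)):
        ok, measured, _ = open_file(order, XEN_GZ, SIGNATURE)
        result[name] = (ok, measured == PREDICTED_DIGEST)
    return result


if __name__ == "__main__":
    for name, (ok, matches) in compare_orders().items():
        print(f"{name:8s} order: signature {'ok' if ok else 'FAILED'}, "
              f"PCR prediction {'matches' if matches else 'MISMATCH'}")
```

With the current order the verifier sees the stored gzip bytes, both checks pass, and the decompressor only ever runs on data the verifier has already accepted. With the patched order the decompressor runs first on unverified input, the verifier is then handed the decompressed image, and both the signature and the predicted measurement stop matching, which is the breakage Michael describes for the pgp and tpm verifiers.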
[PATCH 7/7] verifiers: Verify after decompression
It is convenient and common to have binaries stored in gzip archives
(e.g. xen.gz). Verification should be run after decompression rather
than before so reorder the file filter list as appropriate.

Signed-off-by: Ross Lagerwall
---
include/grub/file.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/grub/file.h b/include/grub/file.h
index a5bf3a792d6f..a1ef3582bc7b 100644
--- a/include/grub/file.h
+++ b/include/grub/file.h
@@ -182,10 +182,10 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_progress_hook);
/* Filters with lower ID are executed first. */
typedef enum grub_file_filter_id
{
-GRUB_FILE_FILTER_VERIFY,
GRUB_FILE_FILTER_GZIO,
GRUB_FILE_FILTER_XZIO,
GRUB_FILE_FILTER_LZOPIO,
+GRUB_FILE_FILTER_VERIFY,
GRUB_FILE_FILTER_MAX,
GRUB_FILE_FILTER_COMPRESSION_FIRST = GRUB_FILE_FILTER_GZIO,
GRUB_FILE_FILTER_COMPRESSION_LAST = GRUB_FILE_FILTER_LZOPIO,
--
2.43.0
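Review bot: moving GRUB_FILE_FILTER_VERIFY from the top of the enum to just before GRUB_FILE_FILTER_MAX changes the bytes every verifier is handed from the stored file to the decompressed output of gzio/xzio/lzopio, yet the commit message justifies the reorder only with convenience. It should address the two consequences raised in the thread: PGP detached signatures and TPM PCR predictions are computed over the on-disk file and will stop matching, and the decompressors will now run on input the verifier has not yet accepted. If the goal is a signed xen.gz, signing the stored file is what the existing ordering already expects; otherwise the reorder needs a compatibility argument and matching updates to the tpm and pgp verifiers, and the diffstat ("1 file changed, 1 insertion(+), 1 deletion(-)") shows none are included.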