I'm not at all familiar with this part of GRUB, so take this with a big grain of salt.
On Sat, 2013-11-02 at 20:05 -0700, Jonathan McCune wrote: > I think it should be possible to generate all the necessary signatures > at *build time* instead of *install time* If I understand your email correctly, you're saying that at build time, grub builds core.img. Then at install time, it calculates: "core.img.rs" = Reed-Solomon(core.img) Then it writes the "core.img.rs" data to disk. At boot time, GRUB reads the "core.img.rs" data from disk, corrects errors, to reproduce core.img, which is executed. If you want to verify at boot time, you just do it after the error correction step. But it sounds like you want to verify the bits on disk from the host environment. Rather than "backing out" the Reed-Solomon coding, why not do it the other way around? Verify core.img, then re-encode the known good copy (for which code already exists as part of the installation procedure) and then just compare that to what is actually on disk? -- Richard
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
