This patch demonstrates how secure boot on pseries machines could be linked to the appended signature verification I sent earlier.
It's a pretty big hammer at the moment - I am posting it so we can discuss whether this is something that would be acceptable in upstream grub. If it is acceptable in theory I'm happy to rework it to be less invasive.

(The rest of this cover letter concerns testing the entire end-to-end setup - signing grub, verifying signatures in grub and enforcing secure boot.)

You can experiment with this using entirely free software. You need the following trees:

https://github.com/daxtens/qemu branch pseries-secboot
https://github.com/daxtens/SLOF branch ibm,secure-boot
https://github.com/daxtens/grub branch ibm,secure-boot

You also need:

 - a key to sign grub, and accompanying DER certificate
 - a key to sign linux, and accompanying DER certificate

Both should have keyUsage=digitalSignature and not be CAs.

Lastly you will need a working ppc64(le) VM.

Then:

 - build qemu. You need qemu-system-ppc64.

 - use xxd to convert the certificate for verifying grub into a header file, and copy it into SLOF/lib/libcrypto/certificate.h. It must create variables certificate_der and certificate_der_len.

 - build SLOF for qemu (make qemu)

 - verify that you can boot your VM with new SLOF and stock grub. To boot with new SLOF, pass -bios ./SLOF/boot_rom.bin . It should boot with new SLOF in non-secure (default) mode. To enable secure boot, add ",secure-boot" to your machine parameter, e.g. "-M pseries,secure-boot". This should now refuse to boot with an error in SLOF.

   (Note that the SLOF verification is a bit lackadaisical: it doesn't stop you dropping to the all-powerful OF prompt, and it only requires signatures on 32-bit binaries. -kernel vmlinux should still work even in SB mode, for example. I haven't tested netbooting.)

 - Build grub in your VM.

 - Build the signing key into grub, along with the appendedsig module. The following incantation should give you a working but non-portable grub, assuming you have grub installed on /dev/sda1:

   touch empty
   sign-file SHA256 grub-signing.key grub-signing-certificate.der \
       empty empty.signed
   SIG_SIZE=`stat -c '%s' empty.signed`
   echo "Detected signature size: $SIG_SIZE bytes"
   rm empty empty.signed
   GRUB_MODULES="appendedsig gcry_sha256 all_video boot btrfs cat configfile echo ext2 fat font gfxmenu gfxterm gzio halt hfsplus http iso9660 jpeg loadenv loopback linux lvm mdraid09 mdraid1x minicmd net normal part_apple part_msdos part_gpt password_pbkdf2 png reboot regexp search search_fs_uuid search_fs_file search_label serial sleep syslinuxcfg test tftp video xfs"
   ./grub-install --appended-signature-size $SIG_SIZE --modules="$GRUB_MODULES" \
       -d ./grub-core/ /dev/sda1 -x linux-signing-certificate.der
   cp /boot/grub/powerpc-ieee1275/core.elf core.elf
   truncate -s -$SIG_SIZE core.elf
   sign-file SHA256 grub-signing.key grub-signing-certificate.der \
       core.elf core.elf.signed
   dd if=core.elf.signed of=/dev/sda1

 - Sign your kernel, e.g.:

   sign-file SHA256 linux-signing.key linux-signing-certificate.der \
       /boot/vmlinux /boot/vmlinux.signed

 - You should now be able to boot with new SLOF and qemu in secure-boot mode.

Daniel Axtens (1):
  ieee1275: link appended-signature enforcement to /ibm,secure-boot

 grub-core/commands/appendedsig/appendedsig.c | 44 +++++++++++++++-----
 grub-core/kern/ieee1275/init.c               | 26 ++++++++++++
 2 files changed, 60 insertions(+), 10 deletions(-)

-- 
2.25.1

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
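Added example, not part of the cover letter or of the grub, SLOF or qemu trees it points at: the procedure above measures SIG_SIZE by running sign-file over an empty file, reserves that many bytes with --appended-signature-size, then truncates and re-signs core.elf so the signed image is the same size as the one grub-install wrote. The block below shows why that works by framing and parsing the trailer that sign-file appends, which is the Linux kernel's module-signature layout (PKCS#7 DER blob, a 12-byte struct module_signature with big-endian sig_len, then the magic "~Module.sig~\n"). It handles the framing only; the PKCS#7 blob used here is a constructed placeholder, and the cryptographic verification that grub's appendedsig module performs on a real blob is not implemented. The reading that grub-install reserves exactly SIG_SIZE trailing bytes for the signature is inferred from the truncate-then-dd steps, not from the patch itself.

```python
# Added example (not code from the patch series or its author).
# Layout of an image signed with sign-file, as verified by grub's appendedsig:
#
#   [ image ][ PKCS#7 DER ][ struct module_signature, 12 bytes ][ "~Module.sig~\n" ]
#
# struct module_signature (include/linux/module_signature.h in Linux):
#   u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len
# For PKCS#7 signatures algo/hash/signer_len/key_id_len are 0, id_type is 2.
import struct
from typing import Tuple

MAGIC = b"~Module.sig~\n"
PKEY_ID_PKCS7 = 2
MODULE_SIG_FMT = ">BBBBB3sI"          # big-endian, 12 bytes in total
MODULE_SIG_LEN = struct.calcsize(MODULE_SIG_FMT)


def signature_size(pkcs7: bytes) -> int:
    """Bytes sign-file appends for this PKCS#7 blob.

    This is what SIG_SIZE in the cover letter measures: signing a 0-byte
    file leaves a file consisting of nothing but the trailer.
    """
    return len(pkcs7) + MODULE_SIG_LEN + len(MAGIC)


def append_signature(image: bytes, pkcs7: bytes) -> bytes:
    """Frame pkcs7 behind image exactly as sign-file does."""
    info = struct.pack(MODULE_SIG_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0,
                       b"\0\0\0", len(pkcs7))
    return image + pkcs7 + info + MAGIC


def split_signature(signed: bytes) -> Tuple[bytes, bytes]:
    """Return (image, pkcs7); raise ValueError on a malformed trailer.

    The checks mirror what a verifier must do before touching the DER:
    magic present, info block present, only PKCS#7 id_type accepted,
    and sig_len bounded by what is actually there.
    """
    if not signed.endswith(MAGIC):
        raise ValueError("no appended signature magic")
    body = signed[:-len(MAGIC)]
    if len(body) < MODULE_SIG_LEN:
        raise ValueError("truncated module_signature")
    algo, hash_, id_type, signer_len, key_id_len, _pad, sig_len = \
        struct.unpack(MODULE_SIG_FMT, body[-MODULE_SIG_LEN:])
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        raise ValueError("unsupported signature info block")
    body = body[:-MODULE_SIG_LEN]
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("sig_len out of range")
    return body[:-sig_len], body[-sig_len:]


def has_appended_signature(blob: bytes) -> bool:
    """True if blob carries a well-formed trailer (framing only, no crypto)."""
    try:
        split_signature(blob)
        return True
    except ValueError:
        return False


def sign_reserved_image(installed: bytes, sig_size: int, pkcs7: bytes) -> bytes:
    """Reproduce the truncate-then-sign step from the cover letter.

    Assumption (inferred from the steps, not from the patch): grub-install
    --appended-signature-size left sig_size spare bytes at the end of
    core.elf.  Drop them and append the real trailer so the result is
    exactly the installed size and can be dd'd back over the partition.
    """
    if signature_size(pkcs7) != sig_size:
        raise ValueError("signature does not match the reserved size")
    if len(installed) < sig_size:
        raise ValueError("installed image smaller than reserved size")
    return append_signature(installed[:-sig_size], pkcs7)


if __name__ == "__main__":
    # Constructed placeholder, not a real PKCS#7 DER structure.
    fake_pkcs7 = b"\x30\x1c" + b"P" * 28
    sig_size = signature_size(fake_pkcs7)          # "empty.signed" size
    core = b"CORE.ELF" + b"\0" * sig_size           # constructed reserved image
    signed = sign_reserved_image(core, sig_size, fake_pkcs7)
    print("SIG_SIZE:", sig_size, "signed size == installed size:",
          len(signed) == len(core))
    print("framing ok:", has_appended_signature(signed))
```

Note that sign-file with a real key yields a PKCS#7 blob whose length depends on the certificate and signature algorithm, which is why the cover letter measures SIG_SIZE empirically rather than hard-coding it.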