This patch set contains a consolidated version of the patch sets sent
for secure boot using appended signatures on powerpc, rebased on top
of 2.06~rc1. This has required some changes, mostly around lockdown
and the change to shim handling. I have also extended the X.509 parser
to support printableString as well as utf8String. I don't think there
are any other major changes.
The series consists of 3 main parts:
1) Patches 1-3: signing grub.elf with an appended signature
Part of a secure boot chain is allowing boot firmware to verify the
grub core image. For UEFI platforms, this is done by signing the PE
binary with a tool like pesign or sb-sign. However, for platforms that
don't implement UEFI, an alternative scheme is required.
These patches provide some infrastructure and documentation for
signing grub's core.elf with a Linux-kernel-module style appended
signature.
An appended signature is a 'dumb' signature over the contents of a
file. (It is distinct from schemes like Authenticode that are aware of
the structure of the file and only sign certain parts.) The signature
is wrapped in a PKCS#7 message, and is appended to the signed file
along with some metadata and a magic string. The signatures are
validated against a public key which is usually provided as an x509
certificate.
Because some platforms, such as powerpc-ieee1275, may load grub from a
raw disk partition rather than a filesystem, we extend grub-install to
add an ELF note that allows us to specify the size and location of the
signature.
This has attracted some controversy in the past, with suggestions that
we could avoid the ELF note by placing the signature at the end of
core.elf if the image was loaded from a filesystem or network, and by
placing it at the end of the PReP partition if it is loaded from
there. This is not currently supported by either proprietary or open
source firmware, but the current solution does not preclude this
solution being added in the future.
There was also a suggestion of allowing grub-{install,mkimage} to call
out to openssl directly to sign itself. I'm not opposed to doing this,
but as I expect signing to mostly be something done by distros rather
than the average grub-install user, I'm interested to hear any
thoughts on whether that's actually going to be useful.
2) Patches 4 - 18: Teach grub to verify appended signatures
Part of a secure boot chain is allowing grub to verify the boot
kernel. For UEFI platforms, this is usually delegated to the
shim. However, for platforms that do not implement UEFI, an
alternative scheme is required.
This part teaches grub how to verify Linux kernel-style appended
signatures. Kernels on powerpc are already signed with this scheme and
can be verified by IMA for kexec.
As PKCS#7 messages and x509 certificates are both based on ASN.1, we
import libtasn1 to parse them. Because ASN.1 isn't self-documenting,
we import from GNUTLS the information we need to navigate their
structure.
This section is composed of the following patches:
- patch 4 is a small fix to allow persistent modules to work on the
emu target.
- patches 5 and 6 are small refactorings.
- patch 7 prepares posix_wrap for importing libtasn1
- patches 8 through 12 import libtasn1 and add tests. I've taken a
different approach from gcrypt. We import gcrypt via a script that
transforms the code into something that works for grub. Rather than
taking that approach, we import libtasn1 through first just copying
a subset of the code in (patch 8), then disabling parts we don't
need for grub (patch 9), making changes for grub compatibility
(patch 10) and then compiling it into a module (patch 11) and
testing it (patch 12).
This means that should we want to upgrade our version of libtasn1,
we should be able to copy the new files in (repeat the process in
patch 8) and then just cherry-pick/reapply patches 9 and 10 to
repeat the process of disabling unused code and making grub
compatiblity fixes. Hopefully that makes sense!
- patch 13 allows x509 certificates to be built in to the grub core
in much the same way as PGP keys.
- patch 14 brings in the code from GNUTLS that allows us to parse
PKCS#7 and x509 with libtasn1.
- patch 15 is our PKCS#7 and x509 parser. They're minimal and fairly
strict parsers that extract only the bits we need to verify the
signatures.
- patch 16 is the guts of the appended signature verifier. It uses
the verifier infrastructure like pgp, and adds a number of
user-friendly commands that mirror the pgp module.
- patch 17 adds tests, and patch 18 adds documentation.
3) Patch 19: Enter lockdown if in powerpc secure boot
This is now a much neater and nicer solution than before - it detects
if the DT property advertising SB is set, and enters lockdown if it
is. The main appended signature series now tests for lockdown to enter
'forced' mode.
I've pushed this all to
https://github.com/daxtens/grub/tree/appendedsig-2.06
This patch series is easy to experiment with. In particular, the
appended signature verifier doesn't require any particular
platform. It works under emu and passes tests under x86_64-efi.
(Ironically, if you want to experiment with it on powerpc, you will
need another patch to allocate more than 32MB of memory. You can
expand HEAP_MAX_SIZE and HEAP_MAX_ADDR in
grub-core/kern/ieee1275/init.c - see
https://lists.gnu.org/archive/html/grub-devel/2020-10/msg00151.html
Or there's an even crazier patch in my github branch that just grabs
~half of all available memory. We're still working on what the 'right'
solution is and will send a followup patch.)
I have some information about testing all the parts together at
https://gist.github.com/daxtens/cfc0a7e15614b0383e0c57f308cacdd1
It's largely unchanged from
https://lists.gnu.org/archive/html/grub-devel/2020-10/msg00048.html
Kind regards,
Daniel
Alastair D'Silva (1):
grub-install: support embedding x509 certificates
Daniel Axtens (17):
docs/grub: Document signing grub under UEFI
docs/grub: Document signing grub with an appended signature
dl: provide a fake grub_dl_set_persistent for the emu target
pgp: factor out rsa_pad
crypto: move storage for grub_crypto_pk_* to crypto.c
posix_wrap: tweaks in preparation for libtasn1
libtasn1: import libtasn1-4.16.0
libtasn1: disable code not needed in grub
libtasn1: changes for grub compatibility
libtasn1: compile into asn1 module
test_asn1: test module for libtasn1
appended signatures: import GNUTLS's ASN.1 description files
appended signatures: parse PKCS#7 signedData and X.509 certificates
appended signatures: support verifying appended signatures
appended signatures: verification tests
appended signatures: documentation
ieee1275: enter lockdown based on /ibm,secure-boot
Rashmica Gupta (1):
Add suport for signing grub with an appended signature
.gitignore | 1 +
Makefile.util.def | 6 +
docs/grub.texi | 259 +-
grub-core/Makefile.core.def | 55 +
grub-core/commands/appendedsig/appendedsig.c | 645 +++++
grub-core/commands/appendedsig/appendedsig.h | 110 +
grub-core/commands/appendedsig/asn1util.c | 102 +
.../commands/appendedsig/gnutls_asn1_tab.c | 121 +
grub-core/commands/appendedsig/pkcs7.c | 305 ++
.../commands/appendedsig/pkix_asn1_tab.c | 484 ++++
grub-core/commands/appendedsig/x509.c | 972 +++++++
grub-core/commands/pgp.c | 34 +-
grub-core/kern/ieee1275/init.c | 27 +
grub-core/lib/crypto.c | 4 +
grub-core/lib/libtasn1/LICENSE | 16 +
grub-core/lib/libtasn1/README.md | 91 +
grub-core/lib/libtasn1/lib/coding.c | 1423 ++++++++++
grub-core/lib/libtasn1/lib/decoding.c | 2481 +++++++++++++++++
grub-core/lib/libtasn1/lib/element.c | 1112 ++++++++
grub-core/lib/libtasn1/lib/element.h | 40 +
grub-core/lib/libtasn1/lib/errors.c | 103 +
grub-core/lib/libtasn1/lib/gstr.c | 74 +
grub-core/lib/libtasn1/lib/gstr.h | 47 +
grub-core/lib/libtasn1/lib/int.h | 221 ++
grub-core/lib/libtasn1/lib/parser_aux.c | 1174 ++++++++
grub-core/lib/libtasn1/lib/parser_aux.h | 172 ++
grub-core/lib/libtasn1/lib/structure.c | 1222 ++++++++
grub-core/lib/libtasn1/lib/structure.h | 45 +
.../tests/CVE-2018-1000654-1_asn1_tab.h | 32 +
.../tests/CVE-2018-1000654-2_asn1_tab.h | 36 +
.../libtasn1_wrap/tests/CVE-2018-1000654.c | 61 +
.../lib/libtasn1_wrap/tests/Test_overflow.c | 138 +
.../lib/libtasn1_wrap/tests/Test_simple.c | 207 ++
.../lib/libtasn1_wrap/tests/Test_strings.c | 150 +
.../libtasn1_wrap/tests/object-id-decoding.c | 116 +
.../libtasn1_wrap/tests/object-id-encoding.c | 120 +
.../lib/libtasn1_wrap/tests/octet-string.c | 211 ++
.../lib/libtasn1_wrap/tests/reproducers.c | 81 +
grub-core/lib/libtasn1_wrap/wrap.c | 26 +
grub-core/lib/libtasn1_wrap/wrap_tests.c | 75 +
grub-core/lib/libtasn1_wrap/wrap_tests.h | 38 +
grub-core/lib/pkcs1_v15.c | 59 +
grub-core/lib/posix_wrap/limits.h | 1 +
grub-core/lib/posix_wrap/stdlib.h | 8 +
grub-core/lib/posix_wrap/sys/types.h | 1 +
grub-core/tests/appended_signature_test.c | 281 ++
grub-core/tests/appended_signatures.h | 557 ++++
grub-core/tests/lib/functional_test.c | 1 +
include/grub/dl.h | 11 +
include/grub/file.h | 2 +
include/grub/kernel.h | 3 +-
include/grub/libtasn1.h | 589 ++++
include/grub/lockdown.h | 3 +-
include/grub/pkcs1_v15.h | 27 +
include/grub/util/install.h | 15 +-
include/grub/util/mkimage.h | 4 +-
tests/test_asn1.in | 12 +
util/grub-install-common.c | 37 +-
util/grub-mkimage.c | 26 +-
util/grub-mkimagexx.c | 39 +-
util/mkimage.c | 54 +-
61 files changed, 14293 insertions(+), 74 deletions(-)
create mode 100644 grub-core/commands/appendedsig/appendedsig.c
create mode 100644 grub-core/commands/appendedsig/appendedsig.h
create mode 100644 grub-core/commands/appendedsig/asn1util.c
create mode 100644 grub-core/commands/appendedsig/gnutls_asn1_tab.c
create mode 100644 grub-core/commands/appendedsig/pkcs7.c
create mode 100644 grub-core/commands/appendedsig/pkix_asn1_tab.c
create mode 100644 grub-core/commands/appendedsig/x509.c
create mode 100644 grub-core/lib/libtasn1/LICENSE
create mode 100644 grub-core/lib/libtasn1/README.md
create mode 100644 grub-core/lib/libtasn1/lib/coding.c
create mode 100644 grub-core/lib/libtasn1/lib/decoding.c
create mode 100644 grub-core/lib/libtasn1/lib/element.c
create mode 100644 grub-core/lib/libtasn1/lib/element.h
create mode 100644 grub-core/lib/libtasn1/lib/errors.c
create mode 100644 grub-core/lib/libtasn1/lib/gstr.c
create mode 100644 grub-core/lib/libtasn1/lib/gstr.h
create mode 100644 grub-core/lib/libtasn1/lib/int.h
create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.c
create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.h
create mode 100644 grub-core/lib/libtasn1/lib/structure.c
create mode 100644 grub-core/lib/libtasn1/lib/structure.h
create mode 100644
grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654-1_asn1_tab.h
create mode 100644
grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654-2_asn1_tab.h
create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_overflow.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_simple.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_strings.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/object-id-decoding.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/object-id-encoding.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/octet-string.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/reproducers.c
create mode 100644 grub-core/lib/libtasn1_wrap/wrap.c
create mode 100644 grub-core/lib/libtasn1_wrap/wrap_tests.c
create mode 100644 grub-core/lib/libtasn1_wrap/wrap_tests.h
create mode 100644 grub-core/lib/pkcs1_v15.c
create mode 100644 grub-core/tests/appended_signature_test.c
create mode 100644 grub-core/tests/appended_signatures.h
create mode 100644 include/grub/libtasn1.h
create mode 100644 include/grub/pkcs1_v15.h
create mode 100644 tests/test_asn1.in
--
2.27.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
