Thank you Daniel.

> On 11 Aug 2025, at 9:24 PM, Daniel Kiper <dki...@net-space.pl> wrote:
>
> On Tue, Jul 29, 2025 at 08:21:46PM +0530, Sudhakar Kuppusamy wrote:
>> Building on the parsers and the ability to embed X.509 certificates, as
>> well as the existing gcrypt functionality, add a module for verifying
>> appended signatures.
>>
>> This includes a verifier that requires that Linux kernels and
>> GRUB modules have appended signatures, and commands to manage the
>> list of trusted certificates for verification.
>>
>> Verification must be enabled by setting check_appended_signatures. If
>> secure boot is enabled with enforced mode when the module is loaded,
>> verification will be enabled and locked automatically. If verification
>> is enabled, extract trusted keys from the GRUB ELF Note and store them in
>> the db.
>>
>> As with the PGP verifier, it is not a complete secure-boot solution:
>> other mechanisms, such as a password or lockdown, must be used to ensure
>> that a user cannot drop to the GRUB shell and disable verification.
>>
>> Introducing the following GRUB commands.
>>
>> 1. append_list_db:
>>    Show the list of trusted certificates from the db list
>> 2. append_add_db_cert:
>>    Add the trusted certificate to the db list
>> 3. append_rm_dbx_cert:
>>    Remove the distrusted certificate from the db list
>> 4. append_verify:
>>    Verify the signed file using db list
>>
>> Signed-off-by: Daniel Axtens <d...@axtens.net>
>> Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
>> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
>> Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
>
> [...]
>
>> +static bool >> +is_cert_removed_from_db (const struct x509_certificate *cert)
>
> s/is_cert_removed_from_db/remove_cert_from_db/
>
> And then I would return grub_err_t, GRUB_ERR_NONE/GRUB_ERR_FILE_NOT_FOUND,
> or even void... More details below...

Sure. Will do it. > >> +{ >> + int i = 1; >> + struct x509_certificate *curr_cert, *prev_cert; >> + >> + for (curr_cert = prev_cert = db; curr_cert != NULL; curr_cert = >> curr_cert->next) >> + { >> + if (is_cert_match (curr_cert, cert) == true) >> + { >> + if (i == 1) /* Match with first certificate in the db list. */ >> + db = curr_cert->next; >> + else >> + prev_cert->next = curr_cert->next; >> + >> + grub_dprintf ("appendedsig", >> + "removed certificate with CN: %s from the db >> list\n", curr_cert->subject); >> + curr_cert->next = NULL; >> + certificate_release (curr_cert); >> + grub_free (curr_cert); >> + return true; >> + } >> + else >> + prev_cert = curr_cert; >> + >> + i++; >> + } >> + >> + return false; >> +} > > [...] > >> +static grub_err_t >> +grub_cmd_dbx_cert (grub_command_t cmd __attribute__ ((unused)), int argc, >> char **args) >> +{ >> + grub_err_t err; >> + grub_file_t cert_file; >> + struct x509_certificate *cert = NULL; >> + >> + if (argc != 1) >> + return grub_error (GRUB_ERR_BAD_ARGUMENT, >> + "a distrusted X.509 certificate file is expected in >> DER format\n" >> + "Example:\n\tappend_rm_dbx_cert >> <X509_CERTIFICATE>\n"); >> + >> + if (*args == NULL) >> + return grub_error (GRUB_ERR_BAD_FILENAME, "missing distrusted X.509 >> certificate file"); >> + >> + cert_file = grub_file_open (args[0], >> + GRUB_FILE_TYPE_CERTIFICATE_TRUST | >> GRUB_FILE_TYPE_NO_DECOMPRESS); >> + if (cert_file == NULL) >> + return grub_error (GRUB_ERR_BAD_FILE_TYPE, "could not open %s file", >> args[0]); >> + >> + err = read_cert_from_file (cert_file, &cert); >> + grub_file_close (cert_file); >> + if (err != GRUB_ERR_NONE) >> + grub_free (cert); >> + >> + if (is_cert_removed_from_db (cert) == false) >> + err = grub_error (GRUB_ERR_EOF, >> + "not found certificate with CN:%s in the db list", >> cert->subject); > > First of all, I am not convinced the cert should be removed automatically > from the db. 
I think it would be better if it is documented it should be
> done manually. However, if you convince me it should be done automatically
> here then lack of cert in the db should not trigger an error...

It is not automatically removing the cert from the db but does it manually when the user tries to remove a distrusted cert via the append_rm_dbx_cert command.

Thanks,
Sudhakar

>
> Daniel
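
Review bot: In is_cert_removed_from_db, the counter i exists only to detect that the match is the list head, which the pointers already tell you: test curr_cert == db instead of i == 1, or walk the list with a struct x509_certificate ** so that both i and prev_cert go away and the head and non-head cases share one unlink statement. The comparison is_cert_match (curr_cert, cert) == true can also be written as a plain boolean test. Since the command description says append_rm_dbx_cert removes a certificate from the db list, a comment above the function stating that only the first matching entry is unlinked and released would make the intended behaviour explicit.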
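
Review bot: In grub_cmd_dbx_cert, the error path after read_cert_from_file is missing a return: when err != GRUB_ERR_NONE the code calls grub_free (cert) and then falls through to is_cert_removed_from_db (cert) and, on a miss, formats cert->subject, so a failed read ends in use of a freed (or NULL) pointer. Return err directly after the grub_free. In the lines shown, cert is also never released after the lookup, on either outcome, so add certificate_release (cert) and grub_free (cert) before the function returns. Separately, the if (*args == NULL) test cannot be reached with a NULL args[0] once argc != 1 has been rejected, so it can be dropped.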