Introducing the appended signature key management environment variable.
It is automatically set to either "static" or "dynamic" based on the
Platform KeyStore.
"static": Enforce static key management signature verification.
This is the default. When the GRUB is locked down,
user cannot change the value by setting the appendedsig_key_mgmt
variable back to "dynamic".
"dynamic": Enforce dynamic key management signature verification.
When the GRUB is locked down, user cannot change the value
by setting the appendedsig_key_mgmt variable back to "static".
Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
---
grub-core/commands/appendedsig/appendedsig.c | 75 ++++++++++++++++++++
1 file changed, 75 insertions(+)
diff --git a/grub-core/commands/appendedsig/appendedsig.c
b/grub-core/commands/appendedsig/appendedsig.c
index 288b7339a..30d453007 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -33,6 +33,7 @@
#include <libtasn1.h>
#include <grub/env.h>
#include <grub/lockdown.h>
+#include <grub/powerpc/ieee1275/platform_keystore.h>
#include "appendedsig.h"
@@ -94,6 +95,16 @@ static sb_database_t db = {.certs = NULL, .cert_entries = 0};
*/
static bool check_sigs = false;
+/*
+ * append_key_mgmt: Key Management Modes
+ * False: Static key management (use built-in Keys). This is default.
+ * True: Dynamic key management (use Platform KeySotre).
+ */
+static bool append_key_mgmt = false;
+
+/* Platform KeyStore db and dbx. */
+static grub_pks_t *pks_keystore;
+
static grub_ssize_t
pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
{
@@ -475,6 +486,46 @@ grub_env_write_sec (struct grub_env_var *var __attribute__
((unused)), const cha
return ret;
}
+static const char *
+grub_env_read_key_mgmt (struct grub_env_var *var __attribute__ ((unused)),
+ const char *val __attribute__ ((unused)))
+{
+ if (append_key_mgmt == true)
+ return "dynamic";
+
+ return "static";
+}
+
+static char *
+grub_env_write_key_mgmt (struct grub_env_var *var __attribute__ ((unused)),
const char *val)
+{
+ char *ret;
+
+ /*
+ * Do not allow the value to be changed if signature verification is
+ * (check_sigs is set to enforce) enabled and GRUB is locked down.
+ */
+ if (check_sigs == true && grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+ {
+ ret = grub_strdup (grub_env_read_key_mgmt (NULL, NULL));
+ if (ret == NULL)
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ return ret;
+ }
+
+ if ((*val == '1') || (*val == 'd'))
+ append_key_mgmt = true;
+ else if ((*val == '0') || (*val == 's'))
+ append_key_mgmt = false;
+
+ ret = grub_strdup (grub_env_read_key_mgmt (NULL, NULL));
+ if (ret == NULL)
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ return ret;
+}
+
static grub_err_t
appendedsig_init (grub_file_t io __attribute__ ((unused)), enum grub_file_type
type,
void **context __attribute__ ((unused)), enum
grub_verify_flags *flags)
@@ -546,6 +597,11 @@ GRUB_MOD_INIT (appendedsig)
if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
check_sigs = true;
+ /* If PKS keystore is available, use dynamic key management. */
+ pks_keystore = grub_pks_get_keystore ();
+ if (pks_keystore != NULL)
+ append_key_mgmt = true;
+
/*
* This is appended signature verification environment variable.
* It is automatically set to either "no" or "enforce" based on the
@@ -560,6 +616,23 @@ GRUB_MOD_INIT (appendedsig)
grub_register_variable_hook ("check_appended_signatures", grub_env_read_sec,
grub_env_write_sec);
grub_env_export ("check_appended_signatures");
+ /*
+ * This is appended signature key management environment variable.
+ * It is automatically set to either "static" or "dynamic" based on the
+ * Platform KeyStore.
+ *
+ * "static": Enforce static key management signature verification.
+ * This is the default. When the GRUB is locked down,
+ * user cannot change the value by setting the
+ * appendedsig_key_mgmt variable back to "dynamic".
+ *
+ * "dynamic": Enforce dynamic key management signature verification.
+ * When the GRUB is locked down, user cannot change the value
+ * by setting the appendedsig_key_mgmt variable back to "static".
+ */
+ grub_register_variable_hook ("appendedsig_key_mgmt", grub_env_read_key_mgmt,
grub_env_write_key_mgmt);
+ grub_env_export ("appendedsig_key_mgmt");
+
rc = grub_asn1_init ();
if (rc != ASN1_SUCCESS)
grub_fatal ("error initing ASN.1 data structures: %d: %s\n", rc,
asn1_strerror (rc));
@@ -583,5 +656,7 @@ GRUB_MOD_FINI (appendedsig)
free_db_list ();
grub_register_variable_hook ("check_appended_signatures", NULL, NULL);
grub_env_unset ("check_appended_signatures");
+ grub_register_variable_hook ("appendedsig_key_mgmt", NULL, NULL);
+ grub_env_unset ("appendedsig_key_mgmt");
grub_verifier_unregister (&grub_appendedsig_verifier);
}
--
2.39.5 (Apple Git-154)
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
