Issues with Linux loading code

code? -- Matthew Garrett | mj...@srcf.ucam.org ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH 1/3] Update the Linux boot protocol

a/ChangeLog b/ChangeLog index e5a5d72..028691d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2012-02-03 Matthew Garrett m...@redhat.com + + * include/grub/i386/linux.h (linux_kernel_header): Update to + boot protocol 2.10. + (linux_kernel_params): Likewise + 2012-02-03

[PATCH 2/3] Add support for avoiding firmware inr elocations

--- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,15 @@ 2012-02-03 Matthew Garrett m...@redhat.com + * grub-core/lib/efi/relocator.c (grub_relocator_alloc_chunk_addr): + Add argument to fail allocation when target address overlaps + firmware regions. All users updated. + * grub-core

[PATCH V2 1/3] Update the Linux boot protocol

a/ChangeLog b/ChangeLog index 313d135..943efe1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2012-02-06 Matthew Garrett m...@redhat.com + + * include/grub/i386/linux.h (linux_kernel_header): Update to + boot protocol 2.10. + (linux_kernel_params): Likewise + 2012-02-05 Vladimir

[PATCH 2/4] Add grub_efi_get_variable

changed, 44 insertions(+), 1 deletions(-) diff --git a/ChangeLog b/ChangeLog index ca07786..e662f3d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ 2012-02-08 Matthew Garrett m...@redhat.com + * grub-core/kern/efi/efi.c (grub_efi_get_variable): Add new function

[PATCH 4/4] Add support for getting EDID via EFI

+ 2 files changed, 77 insertions(+), 0 deletions(-) diff --git a/ChangeLog b/ChangeLog index 26d779b..d46b3d1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,13 @@ 2012-02-08 Matthew Garrett m...@redhat.com + * grub-core/video/efi_gop.c

[PATCH 3/4] Prefer GOP devices which implement the pci_io protocol

changed, 42 insertions(+), 1 deletions(-) diff --git a/ChangeLog b/ChangeLog index e662f3d..26d779b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ 2012-02-08 Matthew Garrett m...@redhat.com + * grub-core/video/efi_gop.c (check_protocol): Prefer GOP devices which + implement

[PATCH 1/4] Add PCI protocols

--git a/ChangeLog b/ChangeLog index ede7f8e..ca07786 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2012-02-08 Matthew Garrett m...@redhat.com + + * include/grub/efi/pci.h: New file to define EFI PCI protocols. + 2012-02-07 Vladimir Serbinenko phco...@gmail.com * grub

Some improvements to EFI GOP support

Add support for grabbing the EDID on GOP devices, along with picking the better GOP device when we have more than one (Thanks, Apple). ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH V3 3/3] Update Linux loader to follow the kernel's preferences

+ grub-core/loader/i386/linux.c | 67 ++-- 2 files changed, 65 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8bef256..162f82b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,13 @@ 2012-02-08 Matthew Garrett m...@redhat.com

[PATCH V3 1/3] Update the Linux boot protocol

a/ChangeLog b/ChangeLog index ede7f8e..2bdb3a0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2012-02-08 Matthew Garrett m...@redhat.com + + * include/grub/i386/linux.h (linux_kernel_header): Update to + boot protocol 2.10. + (linux_kernel_params): Likewise + 2012-02-07 Vladimir

Re: [PATCH 2/4] Add grub_efi_get_variable

((GRUB_MAX_UTF16_PER_UTF8 * length + 1) * sizeof (var16[0])) That's not currently exported. Any problem with changing that? -- Matthew Garrett | mj...@srcf.ucam.org ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub

Re: [PATCH 2/4] Add grub_efi_get_variable

On Wed, Feb 08, 2012 at 09:09:23PM +0100, Vladimir 'φ-coder/phcoder' Serbinenko wrote: On 08.02.2012 21:04, Matthew Garrett wrote: On Wed, Feb 08, 2012 at 08:55:39PM +0100, Vladimir 'φ-coder/phcoder' Serbinenko wrote: + for (i=0; i(int)grub_strlen((char *)var); i++) +var16[i] = var[i

Re: Signature verification in GRUB

to Microsoft every time we update grub. -- Matthew Garrett | mj...@srcf.ucam.org ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel

Re: EFI and multiboot2 devlopment work for Xen

in MOK. 2) grub will read the kernel, but the kernel will have to read the initramfs using EFI calls. That means your initramfs must be on a FAT partition. If you're happy with those limitations then just use the chainloader command. If you're not, use the linuxefi command. -- Matthew Garrett | mj

Re: [PATCH] Add linuxefi module

; +}; + Is it relevant for arm64-efi? Not at the moment - it still requires architecture-specific knowledge of the boot protocol, and I don't think that's well-defined for arm64-efi yet. -- Matthew Garrett matthew.garr...@nebula.com ___ Grub-devel mailing

Re: Support for TPM measurements on UEFI systems

g else. -- Matthew Garrett | mj...@srcf.ucam.org ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel

Re: Support for TPM measurements on UEFI systems

executed gives us some further assurance in that respect. Calculating the expected values is still pretty easy, and if they're logged then you can have a regex-based engine for remote validation. -- Matthew Garrett | mj...@srcf.ucam.org ___ Grub-de

Re: Support for TPM measurements on UEFI systems

On Mon, Feb 06, 2017 at 07:58:37PM +, Vladimir 'phcoder' Serbinenko wrote: > On Mon, 6 Feb 2017, 17:44 Matthew Garrett <mj...@srcf.ucam.org> wrote: > > > On Sun, Feb 05, 2017 at 01:28:20PM +, Vladimir 'phcoder' Serbinenko > > wrote: > > > See verify.h fo

Re: Support for TPM measurements on UEFI systems

On Fri, Jan 27, 2017 at 09:08:33PM +, Vladimir 'phcoder' Serbinenko wrote: > I must have accidentally deleted it on the server. I'll reupload it when > I'll have access to the laptop in question on Monday Hi, Did you have any luck digging this up? -- Matthew Garrett | mj...@srcf.uc

[PATCH] Add fwconfig command

Add a command to read values from the qemu fwcfg store. This allows data to be passed from the qemu command line to grub. Example use: echo '(hd0,1)' >rootdev qemu -fw_cfg opt/rootdev,file=rootdev fwconfig opt/rootdev root --- docs/grub.texi| 6 +++

Re: Support for TPM measurements on UEFI systems

On Mon, Jan 23, 2017 at 5:29 PM, Vladimir 'phcoder' Serbinenko wrote: > For policy reasons we can't put any TPM code into GNU project. Can we use > verifiers framework for this rather than custom hooks? This would allow your > code to be a single module that can be put into a

Misc network boot patches

Various patches that we're using to support network boot in our setup. Only number 3 is a bugfix. ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH 3/7] Rework linux16 command

We want a single buffer that contains the entire kernel image in order to perform a TPM measurement. Allocate one and copy the entire kernel int it before pulling out the individual blocks later on. --- grub-core/loader/i386/pc/linux.c | 34 +- 1 file changed, 21

[PATCH 4/7] Measure kernel and initrd

Measure the kernel and initrd at load time --- grub-core/loader/i386/linux.c| 6 ++ grub-core/loader/i386/pc/linux.c | 4 grub-core/loader/linux.c | 3 +++ 3 files changed, 13 insertions(+) diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c index

[PATCH 6/7] Measure commands

From: Matthew Garrett <mj...@srcf.ucam.org> Measure each command executed by grub, which includes script execution. --- grub-core/script/execute.c | 25 +++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/grub-core/script/execute.c b/grub-core/

[PATCH 2/7] Rework linux command

We want a single buffer that contains the entire kernel image in order to perform a TPM measurement. Allocate one and copy the entire kernel into it before pulling out the individual blocks later on. --- grub-core/loader/i386/linux.c | 34 +- 1 file changed, 21

[PATCH 1/7] Core TPM support

Add support for performing basic TPM measurements. Right now this only supports extending PCRs statically and only on UEFI and BIOS systems, but will measure all modules as they're loaded. --- grub-core/Makefile.am| 1 + grub-core/Makefile.core.def | 3 + grub-core/kern/dl.c

[PATCH 7/7] Measure multiboot images and modules

--- grub-core/loader/i386/multiboot_mbi.c | 4 grub-core/loader/multiboot.c | 3 +++ grub-core/loader/multiboot_mbi2.c | 4 3 files changed, 11 insertions(+) diff --git a/grub-core/loader/i386/multiboot_mbi.c b/grub-core/loader/i386/multiboot_mbi.c index fd7b41b..42372bf

Support for TPM measurements on UEFI systems

This patchset adds support for measuring components of grub and what it's loading into the TPM. It supports both TPM 1.2 and 2.0 devices via the standard UEFI protocols. ___ Grub-devel mailing list Grub-devel@gnu.org

[PATCH] Add efi getenv command

Add a command to obtain the contents of EFI firmware variables. --- docs/grub.texi | 7 ++ grub-core/Makefile.core.def | 7 ++ grub-core/commands/efi/getenv.c | 153 3 files changed, 167 insertions(+) create mode 100644

[PATCH 5/7] Measure the kernel commandline

Measure the kernel commandline to ensure that it hasn't been modified --- grub-core/lib/cmdline.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c index d5e10ee..055b7aa 100644 --- a/grub-core/lib/cmdline.c +++

[PATCH 3/4] Don't allocate a new address buffer if we receive multiple DNS responses

The current logic in the DNS resolution code allocates an address buffer based on the number of addresses in the response packet. If we receive multiple response packets in response to a single query packet, this means that we will reallocate a new buffer large enough for only the addresses in

[PATCH 2/4] Send a user class identifier in bootp requests and tag it as DHCP discover

It's helpful to determine that a request was sent by grub in order to permit the server to provide different information at different stages of the boot process. Send GRUB2 as a type 77 DHCP option when sending bootp packets in order to make this possible and tag the request as a DHCP discover to

[PATCH 4/4] Allow protocol to be separated from host with a semicolon

Some DHCP servers (such as dnsmasq) tokenise parameters with commas, making it impossible to pass boot files with commas in them. Allow using a semicolon to separate the protocol from host if a comma wasn't found. --- grub-core/net/net.c | 4 1 file changed, 4 insertions(+) diff --git

[PATCH 1/4] Allow non-default ports for HTTP requests

Add support for passing ports in HTTP requests. This takes the form of: (http,serverip:portnum)/file --- grub-core/net/http.c | 8 ++-- grub-core/net/net.c | 10 +- include/grub/net.h | 1 + 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/grub-core/net/http.c

Re: Support for TPM measurements on UEFI systems

On Mon, Jan 23, 2017 at 6:03 PM, Vladimir 'phcoder' Serbinenko wrote: > Ok. Good. Still, can we use verifiers framework ? We can adjust it if > needed. Also it's still post-release material Where's the branch? I wasn't able to find it on Savannah.

[PATCH 2/7] Rework linux command

We want a single buffer that contains the entire kernel image in order to perform a TPM measurement. Allocate one and copy the entire kernel into it before pulling out the individual blocks later on. --- grub-core/loader/i386/linux.c | 34 +- 1 file changed, 21

[PATCH 3/4] Don't allocate a new address buffer if we receive multiple DNS responses

The current logic in the DNS resolution code allocates an address buffer based on the number of addresses in the response packet. If we receive multiple response packets in response to a single query packet, this means that we will reallocate a new buffer large enough for only the addresses in

[PATCH] Add efi getenv command

Add a command to obtain the contents of EFI firmware variables. --- docs/grub.texi | 7 ++ grub-core/Makefile.core.def | 7 ++ grub-core/commands/efi/getenv.c | 153 3 files changed, 167 insertions(+) create mode 100644

[PATCH 4/7] Measure kernel and initrd

Measure the kernel and initrd at load time --- grub-core/loader/i386/linux.c| 6 ++ grub-core/loader/i386/pc/linux.c | 4 grub-core/loader/linux.c | 3 +++ 3 files changed, 13 insertions(+) diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c index

Add support for TPM measurements on UEFI systems

This patchset adds support for measuring grub components and commands into TPMs on UEFI systems. It supports both the original TPM and the new TPM 2.0 protocols. Grub will measure each module it loads, along with any Linux kernels and initrds, multiboot images, the command line passed to Linux and

[PATCH 5/7] Measure the kernel commandline

Measure the kernel commandline to ensure that it hasn't been modified --- grub-core/lib/cmdline.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c index d5e10ee..055b7aa 100644 --- a/grub-core/lib/cmdline.c +++

[PATCH 7/7] Measure multiboot images and modules

--- grub-core/loader/i386/multiboot_mbi.c | 4 grub-core/loader/multiboot.c | 3 +++ grub-core/loader/multiboot_mbi2.c | 4 3 files changed, 11 insertions(+) diff --git a/grub-core/loader/i386/multiboot_mbi.c b/grub-core/loader/i386/multiboot_mbi.c index fd7b41b..42372bf

[PATCH 2/4] Send a user class identifier in bootp requests and tag it as DHCP discover

It's helpful to determine that a request was sent by grub in order to permit the server to provide different information at different stages of the boot process. Send GRUB2 as a type 77 DHCP option when sending bootp packets in order to make this possible and tag the request as a DHCP discover to

[PATCH 1/4] Allow non-default ports for HTTP requests

Add support for passing ports in HTTP requests. This takes the form of: (http,serverip:portnum)/file --- grub-core/net/http.c | 8 ++-- grub-core/net/net.c | 10 +- include/grub/net.h | 1 + 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/grub-core/net/http.c

[PATCH 6/7] Measure commands

From: Matthew Garrett <mj...@srcf.ucam.org> Measure each command executed by grub, which includes script execution. --- grub-core/script/execute.c | 25 +++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/grub-core/script/execute.c b/grub-core/

[PATCH] Add fwconfig command

Add a command to read values from the qemu fwcfg store. This allows data to be passed from the qemu command line to grub. Example use: echo '(hd0,1)' >rootdev qemu -fw_cfg opt/rootdev,file=rootdev fwconfig opt/rootdev root --- docs/grub.texi| 6 +++

[PATCH 1/7] Core TPM support

Add support for performing basic TPM measurements. Right now this only supports extending PCRs statically and only on UEFI and BIOS systems, but will measure all modules as they're loaded. --- grub-core/Makefile.am| 1 + grub-core/Makefile.core.def | 3 + grub-core/kern/dl.c

[PATCH 3/7] Rework linux16 command

We want a single buffer that contains the entire kernel image in order to perform a TPM measurement. Allocate one and copy the entire kernel int it before pulling out the individual blocks later on. --- grub-core/loader/i386/pc/linux.c | 34 +- 1 file changed, 21

[PATCH 4/4] Allow protocol to be separated from host with a semicolon

Some DHCP servers (such as dnsmasq) tokenise parameters with commas, making it impossible to pass boot files with commas in them. Allow using a semicolon to separate the protocol from host if a comma wasn't found. --- grub-core/net/net.c | 4 1 file changed, 4 insertions(+) diff --git

Re: [PATCH 4/4] Allow protocol to be separated from host with a semicolon

On Mon, Jan 23, 2017 at 8:02 PM, Andrei Borzenkov <arvidj...@gmail.com> wrote: > 24.01.2017 03:36, Matthew Garrett пишет: >> Some DHCP servers (such as dnsmasq) tokenise parameters with commas, making >> it impossible to pass boot files with commas in them. Allow usin

Re: [PATCH 3/4] Don't allocate a new address buffer if we receive multiple DNS responses

On Mon, Jan 23, 2017 at 7:55 PM, Andrei Borzenkov wrote: > This was noted previously by Josef, we discussed it and my position is > that resolver code requires redesign to correctly merge multiple answers > and prioritize A vs requests. > > Do you get actual errors with

Re: [PATCH 4/4] Allow protocol to be separated from host with a semicolon

On Wed, Jan 25, 2017 at 12:35 AM, Michael Chang <mch...@suse.com> wrote: > On Tue, Jan 24, 2017 at 10:21:22PM -0800, Matthew Garrett wrote: >> We're passing the bootfile to grub in order to obtain further >> configuration, so the firmware isn't relevant here. > &g

Re: [PATCH 4/4] Allow protocol to be separated from host with a semicolon

On Tue, Jan 24, 2017 at 11:37 PM, Andrei Borzenkov <arvidj...@gmail.com> wrote: > On Wed, Jan 25, 2017 at 10:16 AM, Matthew Garrett <mj...@coreos.com> wrote: >> My experience is that configfile (http,example.com)grub/config works >> as you'd expect it t

Re: [PATCH 4/4] Allow protocol to be separated from host with a semicolon

On Tue, Jan 24, 2017 at 8:15 PM, Andrei Borzenkov <arvidj...@gmail.com> wrote: > 25.01.2017 07:06, Matthew Garrett пишет: >> I don't understand - grub_net_open_real() already handles this case: > > Because bootfile from DHCP packet is not used to set device part of > $

Re: [PATCH 4/4] Allow protocol to be separated from host with a semicolon

On Tue, Jan 24, 2017 at 10:18 PM, Michael Chang <mch...@suse.com> wrote: > On Tue, Jan 24, 2017 at 12:50:37PM -0800, Matthew Garrett wrote: >> The DHCP server will return a string in the boot_file field. If you >> want to indicate that this file should be obtained over htt

Re: [PATCH 4/4] Allow protocol to be separated from host with a semicolon

On Tue, Jan 24, 2017 at 10:56 PM, Andrei Borzenkov <arvidj...@gmail.com> wrote: > On Wed, Jan 25, 2017 at 7:25 AM, Matthew Garrett <mj...@coreos.com> wrote: >> If prefix isn't set then won't bootfile be interpreted as the device plus >> file? >> > > N

Re: [PATCH 4/4] Allow protocol to be separated from host with a semicolon

On Wed, Jan 25, 2017 at 9:30 AM, Andrei Borzenkov <arvidj...@gmail.com> wrote: > 24.01.2017 23:50, Matthew Garrett пишет: >> The DHCP server will return a string in the boot_file field. If you >> want to indicate that this file should be obtained over http, the >

Re: [PATCH 4/4] Allow protocol to be separated from host with a semicolon

On Tue, Jan 24, 2017 at 7:48 PM, Andrei Borzenkov <arvidj...@gmail.com> wrote: > 24.01.2017 23:50, Matthew Garrett пишет: >> On Mon, Jan 23, 2017 at 8:02 PM, Andrei Borzenkov <arvidj...@gmail.com> >> wrote: >>> 24.01.2017 03:36, Matthew Garrett пишет: >

Re: Add TPM measured boot support

On Wed, Jul 05, 2017 at 02:19:55PM -0700, Matthew Garrett wrote: > This patchset extends the verifier framework to support verifying commands > executed by Grub, and makes use of this to add support for measuring files > and commands executed by grub into the TPM on UEFI-based syst

Re: [PATCH 1/2] Verify commands executed by grub

On Fri, Jul 21, 2017 at 7:39 AM, Vladimir 'phcoder' Serbinenko wrote: > This omits all separators. So it considers e.g. ab and a b to be the same. > Can we have a better array serialization? I.a. following 3 need to be > distinguished: > ab > a b > "a b" It inserts a space

Re: [PATCH 2/2] Core TPM support

Thanks, fixed those up. ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel

Add TPM measured boot support

This patchset extends the verifier framework to support verifying commands executed by Grub, and makes use of this to add support for measuring files and commands executed by grub into the TPM on UEFI-based systems. ___ Grub-devel mailing list

[PATCH 1/2] Verify commands executed by grub

Pass commands to the verification code. We want to be able to log these in the TPM verification case. --- grub-core/script/execute.c | 27 --- include/grub/verify.h | 1 + 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/grub-core/script/execute.c

[PATCH 2/2] Core TPM support

Add support for performing basic TPM measurements. Right now this only supports extending PCRs statically and only on UEFI. --- grub-core/Makefile.core.def| 7 + grub-core/commands/efi/tpm.c | 282 + grub-core/commands/tpm.c | 87

Re: [PATCH 1/3] Move verifiers to the kernel

On Thu, Jun 15, 2017 at 01:52:14AM +, Vladimir 'phcoder' Serbinenko wrote: > On Thu, Jun 15, 2017, 03:49 Matthew Garrett <mj...@srcf.ucam.org> wrote: > > if you're making the ordering significant, > > it's far too easy for someone to mess up and end up with an insecure &

[PATCH 1/3] Move verifiers to the kernel

We want to be able to measure stuff right from the very beginning of grub execution, so it makes sense for the core verifiers code to be present in-kernel rather than having it as an external module. --- grub-core/Makefile.am | 1 + grub-core/Makefile.core.def

Add TPM support

This patchset reworks my earlier TPM support to use the verifiers framework. It only includes UEFI support right now due to the unclear copyright situation on the BIOS code from trusted-grub. ___ Grub-devel mailing list Grub-devel@gnu.org

[PATCH 3/3] Core TPM support

Add support for performing basic TPM measurements. Right now this only supports extending PCRs statically and only on UEFI. --- grub-core/Makefile.am | 1 + grub-core/Makefile.core.def| 2 + grub-core/kern/efi/tpm.c | 282 +

[PATCH 2/3] Verify commands executed by grub

Pass commands to the verification code. We want to be able to log these in the TPM verification case. --- grub-core/script/execute.c | 27 --- include/grub/verify.h | 1 + 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/grub-core/script/execute.c

[PATCH 2/3] Verify commands executed by grub

Pass commands to the verification code. We want to be able to log these in the TPM verification case. --- grub-core/script/execute.c | 27 --- include/grub/verify.h | 1 + 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/grub-core/script/execute.c

Add TPM support

Port the TPM code to use the verifiers framework. I'm only including UEFI support since it's still unclear what the copyright situation is over the BIOS code, and demand for BIOS support for this has somewhat tailed off anyway. ___ Grub-devel mailing

[PATCH 3/3] Core TPM support

Add support for performing basic TPM measurements. Right now this only supports extending PCRs statically and only on UEFI. --- grub-core/Makefile.am | 1 + grub-core/Makefile.core.def| 2 + grub-core/kern/efi/tpm.c | 282 +

[PATCH 1/3] Move verifiers to the kernel

We want to be able to measure stuff right from the very beginning of grub execution, so it makes sense for the core verifiers code to be present in-kernel rather than having it as an external module. --- grub-core/Makefile.am | 1 + grub-core/Makefile.core.def

Re: [PATCH 1/3] Move verifiers to the kernel

al module, so they need to be built into the core image in any case (otherwise an attacker just replaces the verifier module…). And if you're making the ordering significant, it's far too easy for someone to mess up and end up with an insecure system as a result. -- Matthew Garrett | mj...@srcf

Re: [PATCH 3/3] Core TPM support

AML). So > that would > be similar to the TPM1.2 TCPA ACPI table. I guess Linux should need support > for both? I really hope that there are no implementations where there's a difference between the information in ACPI and any other source, but I guess we'll find out. That's going to end up

Re: [PATCH RFC v2 1/5] verifiers: File type for fine-grained signature-verification controlling

On Fri, Aug 03, 2018 at 03:39:54PM +0200, Daniel Kiper wrote: > +++ b/grub-core/commands/i386/nthibr.c Should this be a separate patch? It seems to be unrelated new functionality. -- Matthew Garrett | mj...@srcf.ucam.org ___ Grub-devel mailing l

Re: [PATCH RFC v2 0/5] verifiers: Framework and EFI shim lock verifier

g order somehow. However, this > can be difficult and not reliable. Yeah, I think standalone images are going to be the right solution for most users here. -- Matthew Garrett | mj...@srcf.ucam.org ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel

Re: TPM support within Grub2

works for us, and delay being able to provide functionality that people would like to take advantage of. I think some real-world use would make the process easier. -- Matthew Garrett | mj...@srcf.ucam.org ___ Grub-devel mailing list Grub-devel@gnu.org

Re: Add TPM measured boot support

On Tue, Jan 23, 2018 at 12:45:14PM +0100, Daniel Kiper wrote: > Sadly yes. Sorry about that. However, this is still on my radar. I hope that > I come back to work on this in a few weeks. Hi Daniel, Any news on this front? Thanks! -- Matthew Garrett | mj...@srcf.uc

[PATCH 1/3] verifiers: Verify commands executed by grub

From: Matthew Garrett Pass all commands executed by grub to the verifiers layer. Most verifiers will ignore this, but some (such as the TPM verifier) want to be able to measure and log each command executed in order to ensure that the boot state is as expected. --- grub-core/script/execute.c

[PATCH 2/3] verifiers: Core TPM support

From: Matthew Garrett Add support for performing basic TPM measurements. Right now this only supports extending PCRs statically and only on UEFI. In future we might want to have some sort of mechanism for choosing which events get logged to which PCRs, but this seems like a good default policy

[PATCH 3/3] verifiers: Add TPM documentation

Describe the behaviour of grub when the TPM module is in use. --- docs/grub.texi | 38 ++ 1 file changed, 38 insertions(+) diff --git a/docs/grub.texi b/docs/grub.texi index 471d97c95..6bd3783a4 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -5545,6

[PATCH 1/3] verifiers: Verify commands executed by grub

From: Matthew Garrett Pass all commands executed by grub to the verifiers layer. Most verifiers will ignore this, but some (such as the TPM verifier) want to be able to measure and log each command executed in order to ensure that the boot state is as expected. --- grub-core/script/execute.c

[PATCH 2/3] verifiers: Core TPM support

From: Matthew Garrett Add support for performing basic TPM measurements. Right now this only supports extending PCRs statically and only on UEFI. In future we might want to have some sort of mechanism for choosing which events get logged to which PCRs, but this seems like a good default policy

[PATCH 3/3] verifiers: Add TPM documentation

Describe the behaviour of grub when the TPM module is in use. --- docs/grub.texi | 38 ++ 1 file changed, 38 insertions(+) diff --git a/docs/grub.texi b/docs/grub.texi index 471d97c95..6bd3783a4 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -5545,6

Re: [PATCH 2/3] verifiers: Core TPM support

On Thu, Nov 15, 2018 at 6:39 AM Daniel Kiper wrote: > Could you be more C-ish? E.g. s/Major/major/, s/Minor/minor/, etc. These are the spec-defined member names, so I've a mild preference for keeping them that way - it makes it easier to compare with the spec and update stuff with later spec

[PATCH V2 2/3] verifiers: Core TPM support

From: Matthew Garrett Add support for performing basic TPM measurements. Right now this only supports extending PCRs statically and only on UEFI. In future we might want to have some sort of mechanism for choosing which events get logged to which PCRs, but this seems like a good default policy

[PATCH V2 1/3] verifiers: Verify commands executed by grub

From: Matthew Garrett Pass all commands executed by grub to the verifiers layer. Most verifiers will ignore this, but some (such as the TPM verifier) want to be able to measure and log each command executed in order to ensure that the boot state is as expected. Signed-off-by: Matthew Garrett

Re: [PATCH 1/3] verifiers: Verify commands executed by grub

On Thu, Nov 15, 2018 at 5:45 AM Daniel Kiper wrote: > Except lack of SOB patch LGTM. May I add your SOB before pushing this > patch. Or you can repost it with Feel free to add my SOB. ___ Grub-devel mailing list Grub-devel@gnu.org

Re: TPM/Verifiers testing bug?

On Tue, Jan 15, 2019 at 3:58 AM Daniel Kiper wrote: > > On Mon, Jan 14, 2019 at 11:42:21AM -0800, Matthew Garrett wrote: > > On Mon, Jan 14, 2019 at 6:09 AM 'Max Tottenham' via mjg59 > > wrote: > > > > > I went ahead and did some debugging. Below is a patch t

Re: TPM/Verifiers testing bug?

On Mon, Jan 14, 2019 at 6:09 AM 'Max Tottenham' via mjg59 wrote: > I went ahead and did some debugging. Below is a patch that seems to fix > my problem. Although those calls to grub_efi_open_protocol() in the tpm > module should probably check their return value and do something sane if > 0x0 is

Re: [PATCH V3 3/3] verifiers: Add TPM documentation

On Wed, Dec 12, 2018 at 6:31 AM Daniel Kiper wrote: > > On Mon, Dec 03, 2018 at 03:48:17PM +0100, Daniel Kiper wrote: > > On Thu, Nov 29, 2018 at 11:28:10AM -0800, Matthew Garrett wrote: > > > Describe the behaviour of grub when the TPM module is in use. > > > > &

[PATCH V3 3/3] verifiers: Add TPM documentation

Describe the behaviour of grub when the TPM module is in use. Signed-off-by: Matthew Garrett --- docs/grub.texi | 38 ++ 1 file changed, 38 insertions(+) diff --git a/docs/grub.texi b/docs/grub.texi index 471d97c95..6bd3783a4 100644 --- a/docs/grub.texi

[PATCH V3 2/3] verifiers: Core TPM support

From: Matthew Garrett Add support for performing basic TPM measurements. Right now this only supports extending PCRs statically and only on UEFI. In future we might want to have some sort of mechanism for choosing which events get logged to which PCRs, but this seems like a good default policy

[PATCH V3 1/3] verifiers: Verify commands executed by grub

From: Matthew Garrett Pass all commands executed by grub to the verifiers layer. Most verifiers will ignore this, but some (such as the TPM verifier) want to be able to measure and log each command executed in order to ensure that the boot state is as expected. Signed-off-by: Matthew Garrett

Re: [PATCH V2 2/3] verifiers: Core TPM support

On Mon, Nov 19, 2018 at 1:13 AM Daniel P. Smith wrote: > > It would be great if the TPM commands that are using EFI protocol and > exposed to TPM command module be name spaced under efi, e.g. > grub_efi_tpm_log_event. As I lay in a TIS implementation, I can mimic a > similar set of tis name

Re: [PATCH V2 2/3] verifiers: Core TPM support

On Mon, Nov 26, 2018 at 4:47 PM Daniel Kiper wrote: > I have a feeling that both UEFI and TIS TPM implementations can coexists > together even on UEFI platform. Of course, AIUI, UEFI TPM should be default > if we play with TPM 2.0. TIS implementation should be used with TPM 1.2 > or if UEFI is

Re: [PATCH V2 2/3] verifiers: Core TPM support

On Tue, Nov 20, 2018 at 10:59 AM Matthew Garrett wrote: > > On Mon, Nov 19, 2018 at 1:13 AM Daniel P. Smith wrote: > > > > It would be great if the TPM commands that are using EFI protocol and > > exposed to TPM command module be name spaced under efi, e.g. > > gr

  1   2   >