Re: GRUB trusted boot framework

[Jan Alsenz]

phcoder wrote:
>> - hooks for any disk read (not sure if write is necessary)
> This way how trusted grub does it is an ad-hoc solution which results in
> a MESS. They just try to hash and rehash everything without design. So
> if grub is instructed to load all modules in a directory and filesystem
> is reindexed then grub will load the same modules in a different order
> which results in a different hash. IMO we can't allow such thing to come
> to grub2 it's just against its basic design principles. Much better
> would be a layer similar to gzio:
> 
> grub_gnupg_open (const char *filename, int flags, struct grub_gnupg_info
> *info);
> Which internally checks the certificate. This layer can also
> encrypt/decrypt from gnupg containers
> Then all kernel and config loads would use this function instead of
> grub_gzio_open and grub_gnupg_open would check if its contents is
> gzipped. Flags can include:
> GRUB_GNUPG_FLAGS_ALLOW_UNSIGNED
> if signature can be checked later on (e.g. signed ELF)
> Then the behavior is controlled by an environment variable
> allow_unsigned=yes|no
> If grub_gnupg_open is invoked without GRUB_GNUPG_FLAGS_ALLOW_UNSIGNED
> and allow_unsigned=no and signature is broken or not present it should
> prompt for password (if it isn't supplied yet) and write something like
> File %s is unsigned. Are you sure you want to load it? Type "YES" if you
> do.

Ok, but your already talking of a specific solution here. My conclusion would
be: The hooks need to be able to determine the filename, that is currently read.

The reason why I want generic read hooks, is that I want it to inter operate
with everything else. So I should not need to figure out what files e.g. the
linux loader is going to read, or change it's code to do so.

Greets,

Jan

signature.asc
Description: OpenPGP digital signature