[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v2 00/22] appended signature secure boot support
|
From: |
Daniel Axtens |
|
Subject: |
[PATCH v2 00/22] appended signature secure boot support |
|
Date: |
Wed, 30 Jun 2021 18:40:09 +1000 |
This patch set contains v2 of the consolidated version of the patch
sets sent for secure boot using appended signatures on powerpc,
rebased on top of git HEAD.
The series consists of 4 main parts:
0) Patches 1-3: powerpc-ieee1275 memory enablement.
These patches have already been posted to the mailing list and are
unchanged. I have included them here as well to make this one
monolithic series of everything needed for full support for appended
signatures on powerpc-ieee1275.
1) Patches 4-6: signing grub.elf with an appended signature
Part of a secure boot chain is allowing boot firmware to verify the
grub core image. For UEFI platforms, this is done by signing the PE
binary with a tool like pesign or sb-sign. However, for platforms that
don't implement UEFI, an alternative scheme is required.
These patches provide some infrastructure and documentation for
signing grub's core.elf with a Linux-kernel-module style appended
signature.
An appended signature is a 'dumb' signature over the contents of a
file. (It is distinct from schemes like Authenticode that are aware of
the structure of the file and only sign certain parts.) The signature
is wrapped in a PKCS#7 message, and is appended to the signed file
along with some metadata and a magic string. The signatures are
validated against a public key which is usually provided as an x509
certificate.
Because some platforms, such as powerpc-ieee1275, may load grub from a
raw disk partition rather than a filesystem, we extend grub-install to
add an ELF note that allows us to specify the size and location of the
signature.
This has attracted some controversy in the past, with suggestions that
we could avoid the ELF note by placing the signature at the end of
core.elf if the image was loaded from a filesystem or network, and by
placing it at the end of the PReP partition if it is loaded from
there. This is not currently supported by either proprietary or open
source firmware, but the current solution does not preclude this
solution being added in the future.
There was also a suggestion of allowing grub-{install,mkimage} to call
out to openssl directly to sign itself. I'm not opposed to doing this,
but as I expect signing to mostly be something done by distros rather
than the average grub-install user, I'm interested to hear any
thoughts on whether that's actually going to be useful.
2) Patches 7 - 21: Teach grub to verify appended signatures
Part of a secure boot chain is allowing grub to verify the boot
kernel. For UEFI platforms, this is usually delegated to the
shim. However, for platforms that do not implement UEFI, an
alternative scheme is required.
This part teaches grub how to verify Linux kernel-style appended
signatures. Kernels on powerpc are already signed with this scheme and
can be verified by IMA for kexec.
As PKCS#7 messages and x509 certificates are both based on ASN.1, we
import libtasn1 to parse them. Because ASN.1 isn't self-documenting,
we import from GNUTLS the information we need to navigate their
structure.
This section is composed of the following patches:
- patch 7 is a small fix to allow persistent modules to work on the
emu target.
- patches 8 and 9 are small refactorings.
- patch 10 prepares posix_wrap for importing libtasn1
- patches 11 through 15 import libtasn1 and add tests. I've taken a
different approach from gcrypt. We import gcrypt via a script that
transforms the code into something that works for grub. Rather than
taking that approach, we import libtasn1 through first just copying
a subset of the code in (patch 11), then disabling parts we don't
need for grub (patch 12), making changes for grub compatibility
(patch 13) and then compiling it into a module (patch 14) and
testing it (patch 15).
This means that should we want to upgrade our version of libtasn1,
we should be able to copy the new files in (repeat the process in
patch 11) and then just cherry-pick/reapply patches 12 and 13 to
repeat the process of disabling unused code and making grub
compatiblity fixes. Hopefully that makes sense!
- patch 16 allows x509 certificates to be built in to the grub core
in much the same way as PGP keys.
- patch 17 brings in the code from GNUTLS that allows us to parse
PKCS#7 and x509 with libtasn1.
- patch 18 is our PKCS#7 and x509 parser. They're minimal and fairly
strict parsers that extract only the bits we need to verify the
signatures.
- patch 19 is the guts of the appended signature verifier. It uses
the verifier infrastructure like pgp, and adds a number of
user-friendly commands that mirror the pgp module.
- patch 20 adds tests, and patch 21 adds documentation.
This chunk is where all the v2 changes are. They're documented in the
patches themselves, but the big feature changes are: support for
Extended Key Usage, thanks to Javier Martinez; and support for
verifying a file with multiple signatures in the pkcs7 message. If any
trusted key can verify any signature, the file will be considered to
have passed verification.
3) Patch 22: Enter lockdown if in powerpc secure boot
This is now a much neater and nicer solution than before 2.06 - it
detects if the DT property advertising SB is set, and enters lockdown
if it is. The main appended signature series now tests for lockdown to
enter 'forced' mode.
Thanks to Nayna Jain and Stefan Berger for providing review comments
on v1.
I've pushed this all to
https://github.com/daxtens/grub/tree/appendedsig-2.11
This patch series is easy to experiment with. In particular, the
appended signature verifier doesn't require any particular
platform. It works under emu and passes tests under x86_64-efi.
I have some information about testing all the parts together at
https://gist.github.com/daxtens/cfc0a7e15614b0383e0c57f308cacdd1
It's largely unchanged from
https://lists.gnu.org/archive/html/grub-devel/2020-10/msg00048.html
Kind regards,
Daniel
Alastair D'Silva (1):
grub-install: support embedding x509 certificates
Daniel Axtens (20):
ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE
ieee1275: claim more memory
ieee1275: request memory with ibm,client-architecture-support
docs/grub: Document signing grub under UEFI
docs/grub: Document signing grub with an appended signature
dl: provide a fake grub_dl_set_persistent for the emu target
pgp: factor out rsa_pad
crypto: move storage for grub_crypto_pk_* to crypto.c
posix_wrap: tweaks in preparation for libtasn1
libtasn1: import libtasn1-4.16.0
libtasn1: disable code not needed in grub
libtasn1: changes for grub compatibility
libtasn1: compile into asn1 module
test_asn1: test module for libtasn1
appended signatures: import GNUTLS's ASN.1 description files
appended signatures: parse PKCS#7 signedData and X.509 certificates
appended signatures: support verifying appended signatures
appended signatures: verification tests
appended signatures: documentation
ieee1275: enter lockdown based on /ibm,secure-boot
Rashmica Gupta (1):
Add suport for signing grub with an appended signature
.gitignore | 1 +
Makefile.util.def | 6 +
docs/grub-dev.texi | 6 +-
docs/grub.texi | 259 +-
grub-core/Makefile.core.def | 57 +
grub-core/commands/appendedsig/appendedsig.c | 669 +++++
grub-core/commands/appendedsig/appendedsig.h | 118 +
grub-core/commands/appendedsig/asn1util.c | 103 +
.../commands/appendedsig/gnutls_asn1_tab.c | 121 +
grub-core/commands/appendedsig/pkcs7.c | 509 ++++
.../commands/appendedsig/pkix_asn1_tab.c | 484 ++++
grub-core/commands/appendedsig/x509.c | 1079 +++++++
grub-core/commands/pgp.c | 34 +-
grub-core/kern/ieee1275/cmain.c | 3 +
grub-core/kern/ieee1275/init.c | 265 +-
grub-core/lib/crypto.c | 4 +
grub-core/lib/libtasn1/LICENSE | 16 +
grub-core/lib/libtasn1/README.md | 91 +
grub-core/lib/libtasn1/lib/coding.c | 1423 ++++++++++
grub-core/lib/libtasn1/lib/decoding.c | 2481 +++++++++++++++++
grub-core/lib/libtasn1/lib/element.c | 1112 ++++++++
grub-core/lib/libtasn1/lib/element.h | 40 +
grub-core/lib/libtasn1/lib/errors.c | 103 +
grub-core/lib/libtasn1/lib/gstr.c | 74 +
grub-core/lib/libtasn1/lib/gstr.h | 47 +
grub-core/lib/libtasn1/lib/int.h | 221 ++
grub-core/lib/libtasn1/lib/parser_aux.c | 1174 ++++++++
grub-core/lib/libtasn1/lib/parser_aux.h | 172 ++
grub-core/lib/libtasn1/lib/structure.c | 1222 ++++++++
grub-core/lib/libtasn1/lib/structure.h | 45 +
.../tests/CVE-2018-1000654-1_asn1_tab.h | 32 +
.../tests/CVE-2018-1000654-2_asn1_tab.h | 36 +
.../libtasn1_wrap/tests/CVE-2018-1000654.c | 61 +
.../lib/libtasn1_wrap/tests/Test_overflow.c | 138 +
.../lib/libtasn1_wrap/tests/Test_simple.c | 207 ++
.../lib/libtasn1_wrap/tests/Test_strings.c | 150 +
.../libtasn1_wrap/tests/object-id-decoding.c | 116 +
.../libtasn1_wrap/tests/object-id-encoding.c | 120 +
.../lib/libtasn1_wrap/tests/octet-string.c | 211 ++
.../lib/libtasn1_wrap/tests/reproducers.c | 81 +
grub-core/lib/libtasn1_wrap/wrap.c | 26 +
grub-core/lib/libtasn1_wrap/wrap_tests.c | 75 +
grub-core/lib/libtasn1_wrap/wrap_tests.h | 38 +
grub-core/lib/pkcs1_v15.c | 59 +
grub-core/lib/posix_wrap/limits.h | 1 +
grub-core/lib/posix_wrap/stdlib.h | 8 +
grub-core/lib/posix_wrap/sys/types.h | 1 +
grub-core/tests/appended_signature_test.c | 273 ++
grub-core/tests/appended_signatures.h | 975 +++++++
grub-core/tests/lib/functional_test.c | 1 +
include/grub/dl.h | 11 +
include/grub/file.h | 2 +
include/grub/ieee1275/ieee1275.h | 6 +
include/grub/kernel.h | 3 +-
include/grub/libtasn1.h | 589 ++++
include/grub/lockdown.h | 3 +-
include/grub/pkcs1_v15.h | 27 +
include/grub/util/install.h | 15 +-
include/grub/util/mkimage.h | 4 +-
tests/test_asn1.in | 12 +
util/grub-install-common.c | 37 +-
util/grub-mkimage.c | 26 +-
util/grub-mkimagexx.c | 39 +-
util/mkimage.c | 54 +-
64 files changed, 15267 insertions(+), 109 deletions(-)
create mode 100644 grub-core/commands/appendedsig/appendedsig.c
create mode 100644 grub-core/commands/appendedsig/appendedsig.h
create mode 100644 grub-core/commands/appendedsig/asn1util.c
create mode 100644 grub-core/commands/appendedsig/gnutls_asn1_tab.c
create mode 100644 grub-core/commands/appendedsig/pkcs7.c
create mode 100644 grub-core/commands/appendedsig/pkix_asn1_tab.c
create mode 100644 grub-core/commands/appendedsig/x509.c
create mode 100644 grub-core/lib/libtasn1/LICENSE
create mode 100644 grub-core/lib/libtasn1/README.md
create mode 100644 grub-core/lib/libtasn1/lib/coding.c
create mode 100644 grub-core/lib/libtasn1/lib/decoding.c
create mode 100644 grub-core/lib/libtasn1/lib/element.c
create mode 100644 grub-core/lib/libtasn1/lib/element.h
create mode 100644 grub-core/lib/libtasn1/lib/errors.c
create mode 100644 grub-core/lib/libtasn1/lib/gstr.c
create mode 100644 grub-core/lib/libtasn1/lib/gstr.h
create mode 100644 grub-core/lib/libtasn1/lib/int.h
create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.c
create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.h
create mode 100644 grub-core/lib/libtasn1/lib/structure.c
create mode 100644 grub-core/lib/libtasn1/lib/structure.h
create mode 100644
grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654-1_asn1_tab.h
create mode 100644
grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654-2_asn1_tab.h
create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_overflow.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_simple.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_strings.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/object-id-decoding.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/object-id-encoding.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/octet-string.c
create mode 100644 grub-core/lib/libtasn1_wrap/tests/reproducers.c
create mode 100644 grub-core/lib/libtasn1_wrap/wrap.c
create mode 100644 grub-core/lib/libtasn1_wrap/wrap_tests.c
create mode 100644 grub-core/lib/libtasn1_wrap/wrap_tests.h
create mode 100644 grub-core/lib/pkcs1_v15.c
create mode 100644 grub-core/tests/appended_signature_test.c
create mode 100644 grub-core/tests/appended_signatures.h
create mode 100644 include/grub/libtasn1.h
create mode 100644 include/grub/pkcs1_v15.h
create mode 100644 tests/test_asn1.in
--
2.30.2
- [PATCH v2 00/22] appended signature secure boot support,
Daniel Axtens <=
- [PATCH v2 01/22] ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE, Daniel Axtens, 2021/06/30
- [PATCH v2 02/22] ieee1275: claim more memory, Daniel Axtens, 2021/06/30
- [PATCH v2 03/22] ieee1275: request memory with ibm, client-architecture-support, Daniel Axtens, 2021/06/30
- [PATCH v2 04/22] Add suport for signing grub with an appended signature, Daniel Axtens, 2021/06/30
- [PATCH v2 05/22] docs/grub: Document signing grub under UEFI, Daniel Axtens, 2021/06/30
- [PATCH v2 06/22] docs/grub: Document signing grub with an appended signature, Daniel Axtens, 2021/06/30
- [PATCH v2 07/22] dl: provide a fake grub_dl_set_persistent for the emu target, Daniel Axtens, 2021/06/30
- [PATCH v2 08/22] pgp: factor out rsa_pad, Daniel Axtens, 2021/06/30
- [PATCH v2 09/22] crypto: move storage for grub_crypto_pk_* to crypto.c, Daniel Axtens, 2021/06/30
- [PATCH v2 10/22] posix_wrap: tweaks in preparation for libtasn1, Daniel Axtens, 2021/06/30