[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v1 15/21] ieee1275: Read the DB and DBX secure boot variables
|
From: |
Stefan Berger |
|
Subject: |
Re: [PATCH v1 15/21] ieee1275: Read the DB and DBX secure boot variables |
|
Date: |
Mon, 30 Dec 2024 18:01:44 -0500 |
|
User-agent: |
Mozilla Thunderbird |
On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:
If secure boot is enabled with PKS, it will read secure boot variables
such as db and dbx from PKS and extract certificates from ESL.
It would be saved in the platform keystore buffer, and
the appendedsig (module) would read it later to extract
the certificate's details.
In the following scenarios, static key mode will be activated:
1. When secure boot is enabled with static
2. When SB Version is unavailable but Secure Boot is enabled
3. When PKS support is unavailable but secure boot is enabled
Note:-
SB Version - secure boot mode
1 - PKS
0 - static key (embeded key)
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 1 +
grub-core/kern/ieee1275/init.c | 14 +-
grub-core/kern/ieee1275/platform_keystore.c | 337 ++++++++++++++++++++
include/grub/platform_keystore.h | 233 ++++++++++++++
5 files changed, 584 insertions(+), 2 deletions(-)
create mode 100644 grub-core/kern/ieee1275/platform_keystore.c
create mode 100644 include/grub/platform_keystore.h
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index e50db8106..afb25dc4f 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/file.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/platform_keystore.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 1ed55b0e3..2fd060123 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -170,6 +170,7 @@ kernel = {
ieee1275 = kern/ieee1275/openfw.c;
ieee1275 = term/ieee1275/console.c;
ieee1275 = kern/ieee1275/init.c;
+ ieee1275 = kern/ieee1275/platform_keystore.c;
This now becomes a file shared with other ieee1275 platforms, such as
sparc64, as well. Also here maybe it should be
powerpc_ieee1275 = kern/ieee1275/platform_keystore.c
or
powerpc_ieee1275 = kern/powerpc/ieee1275/platform_keystore.c ?
uboot = disk/uboot/ubootdisk.c;
uboot = kern/uboot/uboot.c;
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index 59984b605..7d96c38f3 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -50,6 +50,7 @@
#include <grub/ieee1275/alloc.h>
#endif
#include <grub/lockdown.h>
+#include <grub/platform_keystore.h>
/* The maximum heap size we're going to claim at boot. Not used by sparc. */
#ifdef __i386__
@@ -959,7 +960,7 @@ grub_get_ieee1275_secure_boot (void)
{
grub_ieee1275_phandle_t root;
int rc;
- grub_uint32_t is_sb;
+ grub_uint32_t is_sb = 0;
grub_ieee1275_finddevice ("/", &root);
@@ -976,7 +977,16 @@ grub_get_ieee1275_secure_boot (void)
* We only support enforce.
*/
if (rc >= 0 && is_sb >= 2)
- grub_lockdown ();
+ {
+ grub_printf ("secure boot enabled\n");
+ rc = grub_platform_keystore_init ();
+ if (rc != GRUB_ERR_NONE)
+ grub_printf ("Warning: initialization of the platform keystore
failed!\n");
+
+ grub_lockdown ();
+ }
+ else
+ grub_printf ("secure boot disabled\n");
}
grub_addr_t grub_modbase;
diff --git a/grub-core/kern/ieee1275/platform_keystore.c
b/grub-core/kern/ieee1275/platform_keystore.c
new file mode 100644
index 000000000..1c564d5da
--- /dev/null
+++ b/grub-core/kern/ieee1275/platform_keystore.c
@@ -0,0 +1,337 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2024 Free Software Foundation, Inc.
+ * Copyright (C) 2024 IBM Corporation
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/mm.h>
+#include <grub/ieee1275/ieee1275.h>
+#include <grub/types.h>
+#include <grub/misc.h>
+#include <grub/lockdown.h>
+#include <grub/platform_keystore.h>
+
+#define PKS_CONSUMER_FW 1
+#define SB_VERSION_KEY_NAME ((grub_uint8_t *) "SB_VERSION")
+#define SB_VERSION_KEY_LEN 10
+#define DB 1
+#define DBX 2
+#define PKS_OBJECT_NOT_FOUND ((grub_err_t) -7)
+
+/* Platform Keystore */
+static grub_size_t pks_max_object_size;
+grub_uint8_t grub_use_platform_keystore = 0;
+grub_pks_t grub_platform_keystore = { .db = NULL, .dbx = NULL, .db_entries =
0, .dbx_entries = 0 };
+
+/* converts the esl data into the ESL */
+static grub_esl_t *
+grub_convert_to_esl (const grub_uint8_t *esl_data, const grub_size_t
esl_data_size)
+{
+ grub_esl_t *esl = NULL;
+
+ if (esl_data_size < sizeof (grub_esl_t) || esl_data == NULL)
+ return esl;
+
+ esl = (grub_esl_t *) esl_data;
+
+ return esl;
+}
+
+/*
+ * imports the GUID, esd, and its size into the pks sd buffer and
+ * pks sd entries from the EFI signature list.
+ */
+static grub_err_t
+grub_esd_from_esl (const grub_uint8_t *esl_data, grub_size_t esl_size,
+ const grub_size_t signature_size, const grub_uuid_t *guid,
+ grub_pks_sd_t **pks_sd, grub_size_t *pks_sd_entries)
+{
+ grub_esd_t *esd = NULL;
+ grub_pks_sd_t *signature = *pks_sd;
+ grub_size_t entries = *pks_sd_entries;
+ grub_size_t data_size = 0, offset = 0;
+
+ /* reads the esd from esl */
+ while (esl_size > 0)
+ {
+ esd = (grub_esd_t *) (esl_data + offset);
+ data_size = signature_size - sizeof (grub_esd_t);
+
+ if (signature != NULL)
+ signature = grub_realloc (signature, (entries + 1) * sizeof
(grub_pks_sd_t));
+ else
+ signature = grub_malloc (sizeof (grub_pks_sd_t));
grub_realloc knows how to handle the case when first parameter is NULL.
+
+ if (signature == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ signature[entries].data = grub_malloc (data_size * sizeof
(grub_uint8_t));
+ if (signature[entries].data == NULL)
+ {
+ /*
+ * allocated memory will be freed by
+ * grub_release_platform_keystore
+ */
+ *pks_sd = signature;
+ *pks_sd_entries = entries + 1;
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+ }
+
+ grub_memcpy (signature[entries].data, esd->signaturedata, data_size);
+ signature[entries].data_size = data_size;
+ signature[entries].guid = *guid;
+ entries++;
+ esl_size -= signature_size;
+ offset += signature_size;
+ }
+
+ *pks_sd = signature;
+ *pks_sd_entries = entries;
+
+ return GRUB_ERR_NONE;
+}
+
+/*
+ * extracts the esd after removing the esl header from esl.
+ */
+static grub_err_t
+grub_esl_to_esd (const grub_uint8_t *esl_data, grub_size_t *next_esl,
+ grub_pks_sd_t **pks_sd, grub_size_t *pks_sd_entries)
+{
+ grub_uuid_t guid = { 0 };
+ grub_esl_t *esl = NULL;
+ grub_size_t offset = 0, esl_size = 0,
+ signature_size = 0, signature_header_size = 0;
+
+ esl = grub_convert_to_esl (esl_data, *next_esl);
+ if (esl == NULL)
+ return grub_error (GRUB_ERR_BUG, "invalid ESL");
+
+ esl_size = grub_le_to_cpu32 (esl->signaturelistsize);
+ signature_header_size = grub_le_to_cpu32 (esl->signatureheadersize);
+ signature_size = grub_le_to_cpu32 (esl->signaturesize);
+ guid = esl->signaturetype;
+
+ if (esl_size < sizeof (grub_esl_t) || esl_size > *next_esl)
+ return grub_error (GRUB_ERR_BUG, "invalid ESL size (%u)\n", esl_size);
+
+ *next_esl = esl_size;
+ offset = sizeof (grub_esl_t) + signature_header_size;
+ esl_size = esl_size - offset;
+
+ return grub_esd_from_esl (esl_data + offset, esl_size, signature_size, &guid,
+ pks_sd, pks_sd_entries);
+}
+
+/*
+ * imports the EFI signature data and the number of esd from the esl
+ * into the pks sd buffer and pks sd entries.
+ */
+static grub_err_t
+grub_pks_sd_from_esl (const grub_uint8_t *esl_data, grub_size_t esl_size,
+ grub_pks_sd_t **pks_sd, grub_size_t *pks_sd_entries)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_size_t next_esl = esl_size;
+
+ do
+ {
+ rc = grub_esl_to_esd (esl_data, &next_esl, pks_sd, pks_sd_entries);
+ if (rc != GRUB_ERR_NONE)
+ break;
+
+ esl_data += next_esl;
+ esl_size -= next_esl;
+ next_esl = esl_size;
+ }
+ while (esl_size > 0);
+
+ return rc;
+}
+
+/*
+ * reads the secure boot version from PKS as an object.
+ * caller must free result
+ */
+static grub_err_t
+grub_read_sbversion_from_pks (grub_uint8_t **out, grub_size_t *outlen,
grub_size_t *policy)
+{
+ *out = grub_malloc (pks_max_object_size);
+ if (*out == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ return grub_ieee1275_pks_read_object (PKS_CONSUMER_FW, SB_VERSION_KEY_NAME,
+ SB_VERSION_KEY_LEN, *out,
pks_max_object_size,
+ outlen, policy);
+}
+
+/*
+ * reads the secure boot variable from PKS.
+ * caller must free result
+ */
+static grub_err_t
+grub_read_sbvar_from_pks (const grub_uint8_t sbvarflags, const grub_uint8_t
sbvartype,
+ grub_uint8_t **out, grub_size_t *outlen)
+{
+ *out = grub_malloc (pks_max_object_size);
+ if (*out == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ return grub_ieee1275_pks_read_sbvar (sbvarflags, sbvartype, *out,
+ pks_max_object_size, outlen);
+}
+
+/* Test the availability of PKS support. */
+static grub_err_t
+grub_is_support_pks (void)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_ieee1275_cell_t missing = 0;
+
+ rc = grub_ieee1275_test ("pks-max-object-size", &missing);
+ if (rc != GRUB_ERR_NONE || (int) missing == -1)
+ grub_printf ("Warning: doesn't have PKS support!\n");
Firmware doesn't have ... ?
+ else
+ {
+ rc = grub_ieee1275_pks_max_object_size (&pks_max_object_size);
+ if (rc != GRUB_ERR_NONE)
+ grub_printf ("Warning: PKS support is there but it has zero
objects!\n");
+ }
+
+ return rc;
+}
+
+/*
+ * retrieves the secure boot variable from PKS, unpacks it, reads the esd
+ * from ESL, and stores the information in the pks sd buffer.
+ */
+static grub_err_t
+grub_read_secure_boot_variables (const grub_uint8_t sbvarflags, const
grub_uint8_t sbvartype,
+ grub_pks_sd_t **pks_sd, grub_size_t
*pks_sd_entries)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_uint8_t *esl_data = NULL;
+ grub_size_t esl_data_size = 0;
+
+ rc = grub_read_sbvar_from_pks (sbvarflags, sbvartype, &esl_data,
&esl_data_size);
+ /*
+ * at this point we have SB_VERSION, so any error is worth
+ * at least some user-visible info
+ */
+ if (rc != GRUB_ERR_NONE)
+ rc = grub_error (rc, "secure boot variable %s reading (%d)",
+ (sbvartype == DB ? "db" : "dbx"), rc);
+ else if (esl_data_size != 0)
+ rc = grub_pks_sd_from_esl ((const grub_uint8_t *) esl_data, esl_data_size,
+ pks_sd, pks_sd_entries);
+ grub_free (esl_data);
+
+ return rc;
+}
+
+/* reads secure boot version (SB_VERSION) */
+static grub_err_t
+grub_get_secure_boot_version (void)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_uint8_t *data = NULL;
+ grub_size_t len = 0, policy = 0;
+
+ rc = grub_read_sbversion_from_pks (&data, &len, &policy);
+ if (rc != GRUB_ERR_NONE)
+ grub_printf ("Warning: SB version read failed! (%d)\n", rc);
+ else if (len != 1 || (*data != 1 && *data != 0))
same as (*data >= 2) ?
+ {
+ grub_printf ("Warning: found unexpected SB version! (%d)\n", *data);
+ rc = GRUB_ERR_INVALID_COMMAND;
+ }
+
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_printf ("Warning: switch to static key!\n");
+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+ grub_fatal ("Secure Boot locked down");
+ }
+ else
+ grub_use_platform_keystore = *data;
+
+ grub_free (data);
+
+ return rc;
+}
+
+/* releasing allocated memory */
+void
+grub_release_platform_keystore (void)
+{
+ grub_size_t i = 0;
+
+ for (i = 0; i < grub_platform_keystore.db_entries; i++)
+ grub_free (grub_platform_keystore.db[i].data);
+
+ for (i = 0; i < grub_platform_keystore.dbx_entries; i++)
+ grub_free (grub_platform_keystore.dbx[i].data);
+
+ grub_free (grub_platform_keystore.db);
+ grub_free (grub_platform_keystore.dbx);
+ grub_memset (&grub_platform_keystore, 0x00, sizeof (grub_pks_t));
s/0x00/0
+}
+
+/* initialization of the Platform Keystore */
+grub_err_t
+grub_platform_keystore_init (void)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+
+ grub_printf ("trying to load Platform Keystore\n");
+
+ rc = grub_is_support_pks ();
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_printf ("Warning: switch to static key!\n");
+ return rc;
+ }
+
+ /* SB_VERSION */
+ rc = grub_get_secure_boot_version ();
+ if (rc != GRUB_ERR_NONE)
+ return rc;
+
+ if (grub_use_platform_keystore)
+ {
+ grub_memset (&grub_platform_keystore, 0x00, sizeof (grub_pks_t));
s/0x00/0
+ /* DB */
+ rc = grub_read_secure_boot_variables (0, DB, &grub_platform_keystore.db,
+
&grub_platform_keystore.db_entries);
+ if (rc == GRUB_ERR_NONE)
+ {
+ /* DBX */
+ rc = grub_read_secure_boot_variables (0, DBX,
&grub_platform_keystore.dbx,
+
&grub_platform_keystore.dbx_entries);
+ if (rc == PKS_OBJECT_NOT_FOUND)
+ {
+ grub_printf ("Warning: dbx is not found!\n");
+ rc = GRUB_ERR_NONE;
+ }
+ }
+
+ }
+
+ if (rc != GRUB_ERR_NONE)
+ grub_release_platform_keystore ();
+
+ return rc;
+}
diff --git a/include/grub/platform_keystore.h b/include/grub/platform_keystore.h
new file mode 100644
index 000000000..7a7378926
--- /dev/null
+++ b/include/grub/platform_keystore.h
@@ -0,0 +1,233 @@
+/*
+ * Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved. This
+ * program and the accompanying materials are licensed and made available
+ * under the terms and conditions of the 2-Clause BSD License which
+ * accompanies this distribution.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ *
+ * https://github.com/tianocore/edk2-staging (edk2-staging repo of tianocore),
+ * the ImageAuthentication.h file under it, and here's the copyright and
license.
+ *
+ * MdePkg/Include/Guid/ImageAuthentication.h
+ *
+ * Copyright 2024 IBM Corp.
+ */
+
+#ifndef __PLATFORM_KEYSTORE_H__
+#define __PLATFORM_KEYSTORE_H__
+
+#include <grub/symbol.h>
+#include <grub/mm.h>
+#include <grub/types.h>
+
+#if __GNUC__ >= 9
+#pragma GCC diagnostic ignored "-Waddress-of-packed-member"
+#endif
+
+#define GRUB_UUID_SIZE 16
grub/types.h ?
+#define GRUB_MAX_HASH_SIZE 64
+
+typedef struct grub_uuid grub_uuid_t;
grub/types.h ?
+typedef struct grub_esd grub_esd_t;
+typedef struct grub_esl grub_esl_t;
+
+/* The structure of a UUID.*/
+struct grub_uuid
+{
+ grub_uint8_t b[GRUB_UUID_SIZE];
+};
grub/types.h ?
+
+/*
+ * It is derived from EFI_SIGNATURE_DATA
+ *
https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
+ *
+ * The structure of an EFI signature database (ESD).*/
+struct grub_esd
+{
+ /*
+ * An identifier which identifies the agent which added
+ * the signature to the list.
+ */
+ grub_uuid_t signatureowner;
+ /* The format of the signature is defined by the SignatureType.*/
+ grub_uint8_t signaturedata[];
+} GRUB_PACKED;
+
+/*
+ * It is derived from EFI_SIGNATURE_LIST
+ *
https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
+ *
+ * The structure of an EFI signature list (ESL).*/
+struct grub_esl
+{
+ /* Type of the signature. GUID signature types are defined in below.*/
+ grub_uuid_t signaturetype;
+ /* Total size of the signature list, including this header.*/
+ grub_uint32_t signaturelistsize;
+ /*
+ * Size of the signature header which precedes
+ * the array of signatures.
+ */
+ grub_uint32_t signatureheadersize;
+ /* Size of each signature.*/
+ grub_uint32_t signaturesize;
+} GRUB_PACKED;
+
+/*
+ * It is derived from EFI_CERT_X509_GUID
+ *
https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
+ */
+#define GRUB_PKS_CERT_X509_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, \
+ 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, \
+ 0x5c, 0x2b, 0xf0, 0x72 \
+ } \
+ }
+
+/*
+ * It is derived from EFI_CERT_SHA256_GUID
+ *
https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
+ */
+#define GRUB_PKS_CERT_SHA256_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, \
+ 0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, \
+ 0x36, 0x93, 0x43, 0x28 \
+ } \
+ }
+
+/*
+ * It is derived from EFI_CERT_SHA384_GUID
+ *
https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
+ */
+#define GRUB_PKS_CERT_SHA384_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x07, 0x53, 0x3e, 0xff, 0xd0, 0x9f, \
+ 0xc9, 0x48, 0x85, 0xf1, 0x8a, 0xd5, \
+ 0x6c, 0x70, 0x1e, 0x1 \
+ } \
+ }
+
+/*
+ * It is derived from EFI_CERT_SHA512_GUID
+ *
https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
+ */
+#define GRUB_PKS_CERT_SHA512_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0xae, 0x0f, 0x3e, 0x09, 0xc4, 0xa6, \
+ 0x50, 0x4f, 0x9f, 0x1b, 0xd4, 0x1e, \
+ 0x2b, 0x89, 0xc1, 0x9a \
+ } \
+ }
+
+/*
+ * It is derived from EFI_CERT_X509_SHA256_GUID
+ *
https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
+ */
+#define GRUB_PKS_CERT_X509_SHA256_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x92, 0xa4, 0xd2, 0x3b, 0xc0, 0x96, \
+ 0x79, 0x40, 0xb4, 0x20, 0xfc, 0xf9, \
+ 0x8e, 0xf1, 0x03, 0xed \
+ } \
+ }
+
+/*
+ * It is derived from EFI_CERT_X509_SHA384_GUID
+ *
https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
+ */
+#define GRUB_PKS_CERT_X509_SHA384_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x6e, 0x87, 0x76, 0x70, 0xc2, 0x80, \
+ 0xe6, 0x4e, 0xaa, 0xd2, 0x28, 0xb3, \
+ 0x49, 0xa6, 0x86, 0x5b \
+ } \
+ }
+
+/*
+ * It is derived from EFI_CERT_X509_SHA512_GUID
+ *
https://github.com/tianocore/edk2-staging/blob/master/MdePkg/Include/Guid/ImageAuthentication.h
+ */
+#define GRUB_PKS_CERT_X509_SHA512_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x63, 0xbf, 0x6d, 0x44, 0x02, 0x25, \
+ 0xda, 0x4c, 0xbc, 0xfa, 0x24, 0x65, \
+ 0xd2, 0xb0, 0xfe, 0x9d \
+ } \
+ }
+
+typedef struct grub_pks_sd grub_pks_sd_t;
+typedef struct grub_pks grub_pks_t;
+
+/* The structure of a PKS signature data.*/
+struct grub_pks_sd
+{
+ grub_uuid_t guid; /* signature type */
+ grub_uint8_t *data; /* signature data */
+ grub_size_t data_size; /* size of signature data */
+} GRUB_PACKED;
+
+/* The structure of a PKS.*/
+struct grub_pks
+{
+ grub_pks_sd_t *db; /* signature database */
+ grub_pks_sd_t *dbx; /* forbidden signature database */
+ grub_size_t db_entries; /* size of signature database */
+ grub_size_t dbx_entries; /* size of forbidden signature database */
+} GRUB_PACKED;
+
+#ifdef __powerpc__
+
+/* initialization of the Platform Keystore */
+grub_err_t grub_platform_keystore_init (void);
+/* releasing allocated memory */
+void EXPORT_FUNC(grub_release_platform_keystore) (void);
+extern grub_uint8_t EXPORT_VAR(grub_use_platform_keystore);
+extern grub_pks_t EXPORT_VAR(grub_platform_keystore);
+
+#else
+
+#define grub_use_platform_keystore 0
+grub_pks_t grub_platform_keystore = {NULL, NULL, 0, 0};
+void grub_release_platform_keystore (void);
+
+#endif
+
+#endif
- Re: [PATCH v1 06/21] crypto: move storage for grub_crypto_pk_* to crypto.c, (continued)
- [PATCH v1 07/21] grub-install: support embedding x509 certificates, Sudhakar Kuppusamy, 2024/12/18
- [PATCH v1 09/21] appended signatures: parse PKCS#7 signedData and X.509 certificates, Sudhakar Kuppusamy, 2024/12/18
- [PATCH v1 08/21] appended signatures: import GNUTLS's ASN.1 description files, Sudhakar Kuppusamy, 2024/12/18
- [PATCH v1 14/21] ieee1275: Platform Keystore (PKS) Support, Sudhakar Kuppusamy, 2024/12/18
- [PATCH v1 15/21] ieee1275: Read the DB and DBX secure boot variables, Sudhakar Kuppusamy, 2024/12/18
- [PATCH v1 10/21] appended signatures: support verifying appended signatures, Sudhakar Kuppusamy, 2024/12/18
- [PATCH v1 12/21] appended signatures: documentation, Sudhakar Kuppusamy, 2024/12/18
- [PATCH v1 11/21] appended signatures: verification tests, Sudhakar Kuppusamy, 2024/12/18
- [PATCH v1 13/21] ieee1275: enter lockdown based on /ibm,secure-boot, Sudhakar Kuppusamy, 2024/12/18
- [PATCH v1 16/21] appendedsig: The creation of trusted and distrusted lists, Sudhakar Kuppusamy, 2024/12/18