Re: Signature verification in GRUB
From: Vladimir 'φ-coder/phcoder' Serbinenko
Subject: Re: Signature verification in GRUB
Date: Sat, 13 Oct 2012 12:36:11 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.7) Gecko/20120922 Icedove/10.0.7

On 10.10.2012 00:54, Geoffrey Thomas wrote:
> Hi GRUB list,
>
> I'm working on adding verified boot / Secure Boot support to my
> company's OS-level product (MokaFive BareMetal). As background, we use
> whole-image updates to help with reliable unattended upgrades and for
> debugging; an upgrade is delivered as a new ISO image, and we have GRUB
> configuration to loop-mount the ISO and load further configuration, a
> kernel, and an initrd.
>
> First, does GRUB have a mechanism for me to validate a digitally-signed
> file of some sort? This could be e.g. a PGP-signed file or something
> from `openssl dgst -sign`. I see that GRUB has all the relevant crypto
> primitives to do this, but I can't find a command to invoke them. (As
> far as I can tell, gcrypt is only used for PBKDF2 and cryptodisk support?)
>
I have some code dating from about a year ago but because of my current
personal situation it's put on hold for some time.
> If not, I'd like to add a command to verify a signature on a file, or
> possibly to verify a signature on a GRUB configuration file and execute
> it if it validates. Does this seem like a reasonable thing to add?
>
> Secondarily, I'm curious if anyone has done work towards porting verity
> or some similar signed (but not encrypted) disk support to GRUB. Since
> we're already planning on using dm-verity once the kernel is booted, I
> think the simplest solution will be to have a signature on the verity
> root hash, mount the ISO using verity, and load the GRUB configuration /
> kernel / initrd from the resulting block device. Does this support exist
> already? (I've also asked this question on the dm-crypt list.)
>
Is there some doc on dm-verity? It may be interesting.
> Finally, if there's an easier way to do verified boot with GRUB or some
> existing effort along these lines that I should be helping out with, let
> me know.
>
> Thanks,
--
Regards
Vladimir 'φ-coder/phcoder' Serbinenko