|
From: | Geoffrey Thomas |
Subject: | Re: Signature verification in GRUB |
Date: | Mon, 15 Oct 2012 14:33:03 -0700 |
User-agent: | Alpine 2.02 (DEB 1266 2009-07-14) |
On Sat, 13 Oct 2012, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
First, does GRUB has a mechanism for me to validate a digitally-signed file of some sort? This could be e.g. a PGP-signed file or something from `openssl dgst -sign`. I see that GRUB has all the relevant crypto primitives to do this, but I can't find a command to invoke them. (As far as I can tell, gcrypt is only used for PBKDF2 and cryptodisk support?)I have some code dating from about a year ago but because of my current personal situation it's put on hold for some time.
Do you have something I can start from that you could drop somewhere? I haven't begun implementing this yet, and I suspect that starting from your code would be helpful for getting this done faster and also doing it in a style compatible with upstream.
Also, a slightly more generic question -- what's a reasonable format here? I'm kind of surprised to find that openssl has no generic command to sign a file or verify it's signatures. I could use PGP, but we're already using SSL-style certificates for Authenticode, so I'd prefer not generate another key with a completely different format. That said, if more people will find PGP verification useful, I can implement that.
Is there some doc on dm-verify? It may be interesting.
http://code.google.com/p/cryptsetup/wiki/DMVerity is the official documentation.Briefly, you generate a salted hash tree of each block (and in turn of the blocks containing the hashes) until you get a root hash. So with a trusted way to get the root hash, the original device, and a device/file containing the hashes, you can generate a new (read-only) device that validates hashes up to the root, and throws an IO error if the data has been tampered with.
The "veritysetup" command in sbin in recent cryptsetup versions can generate the hash tree and print out the root hash.
-- Geoffrey Thomas address@hidden
[Prev in Thread] | Current Thread | [Next in Thread] |