You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
256 lines
9.2 KiB
256 lines
9.2 KiB
10 months ago
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Alastair D'Silva <alastair@d-silva.org>
|
||
|
Date: Mon, 6 Jul 2020 13:33:04 +1000
|
||
|
Subject: [PATCH] grub-install: support embedding x509 certificates
|
||
|
|
||
|
To support verification of appended signatures, we need a way to
|
||
|
embed the necessary public keys. Existing appended signature schemes
|
||
|
in the Linux kernel use X.509 certificates, so allow certificates to
|
||
|
be embedded in the grub core image in the same way as PGP keys.
|
||
|
|
||
|
Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
|
||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||
|
---
|
||
|
grub-core/commands/pgp.c | 2 +-
|
||
|
util/grub-install-common.c | 23 ++++++++++++++++++++++-
|
||
|
util/grub-mkimage.c | 15 +++++++++++++--
|
||
|
util/mkimage.c | 41 ++++++++++++++++++++++++++++++++++++++---
|
||
|
include/grub/kernel.h | 3 ++-
|
||
|
include/grub/util/install.h | 7 +++++--
|
||
|
6 files changed, 81 insertions(+), 10 deletions(-)
|
||
|
|
||
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||
|
index 75de32c2a..55d354be0 100644
|
||
|
--- a/grub-core/commands/pgp.c
|
||
|
+++ b/grub-core/commands/pgp.c
|
||
|
@@ -944,7 +944,7 @@ GRUB_MOD_INIT(pgp)
|
||
|
grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
|
||
|
|
||
|
/* Not an ELF module, skip. */
|
||
|
- if (header->type != OBJ_TYPE_PUBKEY)
|
||
|
+ if (header->type != OBJ_TYPE_GPG_PUBKEY)
|
||
|
continue;
|
||
|
|
||
|
pseudo_file.fs = &pseudo_fs;
|
||
|
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
|
||
|
index 561e671ff..fa6b65347 100644
|
||
|
--- a/util/grub-install-common.c
|
||
|
+++ b/util/grub-install-common.c
|
||
|
@@ -302,6 +302,8 @@ handle_install_list (struct install_list *il, const char *val,
|
||
|
|
||
|
static char **pubkeys;
|
||
|
static size_t npubkeys;
|
||
|
+static char **x509keys;
|
||
|
+static size_t nx509keys;
|
||
|
static grub_compression_t compression;
|
||
|
static size_t appsig_size;
|
||
|
|
||
|
@@ -334,6 +336,12 @@ grub_install_parse (int key, char *arg)
|
||
|
* (npubkeys + 1));
|
||
|
pubkeys[npubkeys++] = xstrdup (arg);
|
||
|
return 1;
|
||
|
+ case 'x':
|
||
|
+ x509keys = xrealloc (x509keys,
|
||
|
+ sizeof (x509keys[0])
|
||
|
+ * (nx509keys + 1));
|
||
|
+ x509keys[nx509keys++] = xstrdup (arg);
|
||
|
+ return 1;
|
||
|
|
||
|
case GRUB_INSTALL_OPTIONS_VERBOSITY:
|
||
|
verbosity++;
|
||
|
@@ -460,6 +468,9 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||
|
for (pk = pubkeys; pk < pubkeys + npubkeys; pk++)
|
||
|
slen += 20 + grub_strlen (*pk);
|
||
|
|
||
|
+ for (pk = x509keys; pk < x509keys + nx509keys; pk++)
|
||
|
+ slen += 10 + grub_strlen (*pk);
|
||
|
+
|
||
|
for (md = modules.entries; *md; md++)
|
||
|
{
|
||
|
slen += 10 + grub_strlen (*md);
|
||
|
@@ -488,6 +499,14 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||
|
*p++ = ' ';
|
||
|
}
|
||
|
|
||
|
+ for (pk = x509keys; pk < x509keys + nx509keys; pk++)
|
||
|
+ {
|
||
|
+ p = grub_stpcpy (p, "--x509 '");
|
||
|
+ p = grub_stpcpy (p, *pk);
|
||
|
+ *p++ = '\'';
|
||
|
+ *p++ = ' ';
|
||
|
+ }
|
||
|
+
|
||
|
for (md = modules.entries; *md; md++)
|
||
|
{
|
||
|
*p++ = '\'';
|
||
|
@@ -515,7 +534,9 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||
|
|
||
|
grub_install_generate_image (dir, prefix, fp, outname,
|
||
|
modules.entries, memdisk_path,
|
||
|
- pubkeys, npubkeys, config_path, tgt,
|
||
|
+ pubkeys, npubkeys,
|
||
|
+ x509keys, nx509keys,
|
||
|
+ config_path, tgt,
|
||
|
note, appsig_size, compression, dtb);
|
||
|
while (dc--)
|
||
|
grub_install_pop_module ();
|
||
|
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
|
||
|
index 65a015d8a..394d2dc5f 100644
|
||
|
--- a/util/grub-mkimage.c
|
||
|
+++ b/util/grub-mkimage.c
|
||
|
@@ -75,7 +75,8 @@ static struct argp_option options[] = {
|
||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/
|
||
|
{"config", 'c', N_("FILE"), 0, N_("embed FILE as an early config"), 0},
|
||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/
|
||
|
- {"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for signature checking"), 0},
|
||
|
+ {"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for PGP signature checking"), 0},
|
||
|
+ {"x509", 'x', N_("FILE"), 0, N_("embed FILE as an x509 certificate for appended signature checking"), 0},
|
||
|
/* TRANSLATORS: NOTE is a name of segment. */
|
||
|
{"note", 'n', 0, 0, N_("add NOTE segment for CHRP IEEE1275"), 0},
|
||
|
{"output", 'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0},
|
||
|
@@ -122,6 +123,8 @@ struct arguments
|
||
|
char *dtb;
|
||
|
char **pubkeys;
|
||
|
size_t npubkeys;
|
||
|
+ char **x509keys;
|
||
|
+ size_t nx509keys;
|
||
|
char *font;
|
||
|
char *config;
|
||
|
int note;
|
||
|
@@ -202,6 +205,13 @@ argp_parser (int key, char *arg, struct argp_state *state)
|
||
|
arguments->pubkeys[arguments->npubkeys++] = xstrdup (arg);
|
||
|
break;
|
||
|
|
||
|
+ case 'x':
|
||
|
+ arguments->x509keys = xrealloc (arguments->x509keys,
|
||
|
+ sizeof (arguments->x509keys[0])
|
||
|
+ * (arguments->nx509keys + 1));
|
||
|
+ arguments->x509keys[arguments->nx509keys++] = xstrdup (arg);
|
||
|
+ break;
|
||
|
+
|
||
|
case 'c':
|
||
|
if (arguments->config)
|
||
|
free (arguments->config);
|
||
|
@@ -317,7 +327,8 @@ main (int argc, char *argv[])
|
||
|
grub_install_generate_image (arguments.dir, arguments.prefix, fp,
|
||
|
arguments.output, arguments.modules,
|
||
|
arguments.memdisk, arguments.pubkeys,
|
||
|
- arguments.npubkeys, arguments.config,
|
||
|
+ arguments.npubkeys, arguments.x509keys,
|
||
|
+ arguments.nx509keys, arguments.config,
|
||
|
arguments.image_target, arguments.note,
|
||
|
arguments.appsig_size,
|
||
|
arguments.comp, arguments.dtb);
|
||
|
diff --git a/util/mkimage.c b/util/mkimage.c
|
||
|
index a81120f26..2529de4bb 100644
|
||
|
--- a/util/mkimage.c
|
||
|
+++ b/util/mkimage.c
|
||
|
@@ -774,8 +774,10 @@ grub_install_get_image_targets_string (void)
|
||
|
void
|
||
|
grub_install_generate_image (const char *dir, const char *prefix,
|
||
|
FILE *out, const char *outname, char *mods[],
|
||
|
- char *memdisk_path, char **pubkey_paths,
|
||
|
- size_t npubkeys, char *config_path,
|
||
|
+ char *memdisk_path,
|
||
|
+ char **pubkey_paths, size_t npubkeys,
|
||
|
+ char **x509key_paths, size_t nx509keys,
|
||
|
+ char *config_path,
|
||
|
const struct grub_install_image_target_desc *image_target,
|
||
|
int note, size_t appsig_size, grub_compression_t comp, const char *dtb_path)
|
||
|
{
|
||
|
@@ -819,6 +821,19 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+ {
|
||
|
+ size_t i;
|
||
|
+ for (i = 0; i < nx509keys; i++)
|
||
|
+ {
|
||
|
+ size_t curs;
|
||
|
+ curs = ALIGN_ADDR (grub_util_get_image_size (x509key_paths[i]));
|
||
|
+ grub_util_info ("the size of x509 public key %u is 0x%"
|
||
|
+ GRUB_HOST_PRIxLONG_LONG,
|
||
|
+ (unsigned) i, (unsigned long long) curs);
|
||
|
+ total_module_size += curs + sizeof (struct grub_module_header);
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
if (memdisk_path)
|
||
|
{
|
||
|
memdisk_size = ALIGN_UP(grub_util_get_image_size (memdisk_path), 512);
|
||
|
@@ -933,7 +948,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||
|
curs = grub_util_get_image_size (pubkey_paths[i]);
|
||
|
|
||
|
header = (struct grub_module_header *) (kernel_img + offset);
|
||
|
- header->type = grub_host_to_target32 (OBJ_TYPE_PUBKEY);
|
||
|
+ header->type = grub_host_to_target32 (OBJ_TYPE_GPG_PUBKEY);
|
||
|
header->size = grub_host_to_target32 (curs + sizeof (*header));
|
||
|
offset += sizeof (*header);
|
||
|
|
||
|
@@ -942,6 +957,26 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+ {
|
||
|
+ size_t i;
|
||
|
+ for (i = 0; i < nx509keys; i++)
|
||
|
+ {
|
||
|
+ size_t curs;
|
||
|
+ struct grub_module_header *header;
|
||
|
+
|
||
|
+ curs = grub_util_get_image_size (x509key_paths[i]);
|
||
|
+
|
||
|
+ header = (struct grub_module_header *) (kernel_img + offset);
|
||
|
+ header->type = grub_host_to_target32 (OBJ_TYPE_X509_PUBKEY);
|
||
|
+ header->size = grub_host_to_target32 (curs + sizeof (*header));
|
||
|
+ offset += sizeof (*header);
|
||
|
+
|
||
|
+ grub_util_load_image (x509key_paths[i], kernel_img + offset);
|
||
|
+ offset += ALIGN_ADDR (curs);
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+
|
||
|
if (memdisk_path)
|
||
|
{
|
||
|
struct grub_module_header *header;
|
||
|
diff --git a/include/grub/kernel.h b/include/grub/kernel.h
|
||
|
index 9548d552a..75a057d46 100644
|
||
|
--- a/include/grub/kernel.h
|
||
|
+++ b/include/grub/kernel.h
|
||
|
@@ -28,7 +28,8 @@ enum
|
||
|
OBJ_TYPE_MEMDISK,
|
||
|
OBJ_TYPE_CONFIG,
|
||
|
OBJ_TYPE_PREFIX,
|
||
|
- OBJ_TYPE_PUBKEY,
|
||
|
+ OBJ_TYPE_GPG_PUBKEY,
|
||
|
+ OBJ_TYPE_X509_PUBKEY,
|
||
|
OBJ_TYPE_DTB
|
||
|
};
|
||
|
|
||
|
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
|
||
|
index ba5e6a2ea..95059285b 100644
|
||
|
--- a/include/grub/util/install.h
|
||
|
+++ b/include/grub/util/install.h
|
||
|
@@ -63,6 +63,8 @@
|
||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/ \
|
||
|
{ "pubkey", 'k', N_("FILE"), 0, \
|
||
|
N_("embed FILE as public key for signature checking"), 0}, \
|
||
|
+ { "x509key", 'x', N_("FILE"), 0, \
|
||
|
+ N_("embed FILE as an x509 certificate for signature checking"), 0}, \
|
||
|
{ "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
|
||
|
"SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
|
||
|
1}, \
|
||
|
@@ -179,8 +181,9 @@ void
|
||
|
grub_install_generate_image (const char *dir, const char *prefix,
|
||
|
FILE *out,
|
||
|
const char *outname, char *mods[],
|
||
|
- char *memdisk_path, char **pubkey_paths,
|
||
|
- size_t npubkeys,
|
||
|
+ char *memdisk_path,
|
||
|
+ char **pubkey_paths, size_t npubkeys,
|
||
|
+ char **x509key_paths, size_t nx509keys,
|
||
|
char *config_path,
|
||
|
const struct grub_install_image_target_desc *image_target,
|
||
|
int note, size_t appsig_size,
|