254 lines
9.2 KiB
254 lines
9.2 KiB
3 months ago
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Alastair D'Silva <alastair@d-silva.org>
|
||
|
Date: Mon, 6 Jul 2020 13:33:04 +1000
|
||
|
Subject: [PATCH] grub-install: support embedding x509 certificates
|
||
|
|
||
|
To support verification of appended signatures, we need a way to
|
||
|
embed the necessary public keys. Existing appended signature schemes
|
||
|
in the Linux kernel use X.509 certificates, so allow certificates to
|
||
|
be embedded in the grub core image in the same way as PGP keys.
|
||
|
|
||
|
Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
|
||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||
|
---
|
||
|
grub-core/commands/pgp.c | 2 +-
|
||
|
util/grub-install-common.c | 23 ++++++++++++++++++++++-
|
||
|
util/grub-mkimage.c | 15 +++++++++++++--
|
||
|
util/mkimage.c | 38 ++++++++++++++++++++++++++++++++++++--
|
||
|
include/grub/kernel.h | 4 +++-
|
||
|
include/grub/util/install.h | 7 +++++--
|
||
|
6 files changed, 80 insertions(+), 9 deletions(-)
|
||
|
|
||
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||
|
index 355a43844a..b81ac0ae46 100644
|
||
|
--- a/grub-core/commands/pgp.c
|
||
|
+++ b/grub-core/commands/pgp.c
|
||
|
@@ -944,7 +944,7 @@ GRUB_MOD_INIT(pgp)
|
||
|
grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
|
||
|
|
||
|
/* Not an ELF module, skip. */
|
||
|
- if (header->type != OBJ_TYPE_PUBKEY)
|
||
|
+ if (header->type != OBJ_TYPE_GPG_PUBKEY)
|
||
|
continue;
|
||
|
|
||
|
pseudo_file.fs = &pseudo_fs;
|
||
|
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
|
||
|
index a74fee16e2..c603f5b308 100644
|
||
|
--- a/util/grub-install-common.c
|
||
|
+++ b/util/grub-install-common.c
|
||
|
@@ -460,6 +460,8 @@ static char **pubkeys;
|
||
|
static size_t npubkeys;
|
||
|
static char *sbat;
|
||
|
static int disable_shim_lock;
|
||
|
+static char **x509keys;
|
||
|
+static size_t nx509keys;
|
||
|
static grub_compression_t compression;
|
||
|
static size_t appsig_size;
|
||
|
|
||
|
@@ -501,6 +503,12 @@ grub_install_parse (int key, char *arg)
|
||
|
case GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK:
|
||
|
disable_shim_lock = 1;
|
||
|
return 1;
|
||
|
+ case 'x':
|
||
|
+ x509keys = xrealloc (x509keys,
|
||
|
+ sizeof (x509keys[0])
|
||
|
+ * (nx509keys + 1));
|
||
|
+ x509keys[nx509keys++] = xstrdup (arg);
|
||
|
+ return 1;
|
||
|
|
||
|
case GRUB_INSTALL_OPTIONS_VERBOSITY:
|
||
|
verbosity++;
|
||
|
@@ -627,6 +635,9 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||
|
for (pk = pubkeys; pk < pubkeys + npubkeys; pk++)
|
||
|
slen += 20 + grub_strlen (*pk);
|
||
|
|
||
|
+ for (pk = x509keys; pk < x509keys + nx509keys; pk++)
|
||
|
+ slen += 10 + grub_strlen (*pk);
|
||
|
+
|
||
|
for (md = modules.entries; *md; md++)
|
||
|
{
|
||
|
slen += 10 + grub_strlen (*md);
|
||
|
@@ -655,6 +666,14 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||
|
*p++ = ' ';
|
||
|
}
|
||
|
|
||
|
+ for (pk = x509keys; pk < x509keys + nx509keys; pk++)
|
||
|
+ {
|
||
|
+ p = grub_stpcpy (p, "--x509 '");
|
||
|
+ p = grub_stpcpy (p, *pk);
|
||
|
+ *p++ = '\'';
|
||
|
+ *p++ = ' ';
|
||
|
+ }
|
||
|
+
|
||
|
for (md = modules.entries; *md; md++)
|
||
|
{
|
||
|
*p++ = '\'';
|
||
|
@@ -684,7 +703,9 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||
|
|
||
|
grub_install_generate_image (dir, prefix, fp, outname,
|
||
|
modules.entries, memdisk_path,
|
||
|
- pubkeys, npubkeys, config_path, tgt,
|
||
|
+ pubkeys, npubkeys,
|
||
|
+ x509keys, nx509keys,
|
||
|
+ config_path, tgt,
|
||
|
note, appsig_size, compression, dtb, sbat,
|
||
|
disable_shim_lock);
|
||
|
while (dc--)
|
||
|
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
|
||
|
index 8a53310548..e1f1112784 100644
|
||
|
--- a/util/grub-mkimage.c
|
||
|
+++ b/util/grub-mkimage.c
|
||
|
@@ -75,7 +75,8 @@ static struct argp_option options[] = {
|
||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/
|
||
|
{"config", 'c', N_("FILE"), 0, N_("embed FILE as an early config"), 0},
|
||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/
|
||
|
- {"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for signature checking"), 0},
|
||
|
+ {"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for PGP signature checking"), 0},
|
||
|
+ {"x509", 'x', N_("FILE"), 0, N_("embed FILE as an x509 certificate for appended signature checking"), 0},
|
||
|
/* TRANSLATORS: NOTE is a name of segment. */
|
||
|
{"note", 'n', 0, 0, N_("add NOTE segment for CHRP IEEE1275"), 0},
|
||
|
{"output", 'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0},
|
||
|
@@ -124,6 +125,8 @@ struct arguments
|
||
|
char *dtb;
|
||
|
char **pubkeys;
|
||
|
size_t npubkeys;
|
||
|
+ char **x509keys;
|
||
|
+ size_t nx509keys;
|
||
|
char *font;
|
||
|
char *config;
|
||
|
char *sbat;
|
||
|
@@ -206,6 +209,13 @@ argp_parser (int key, char *arg, struct argp_state *state)
|
||
|
arguments->pubkeys[arguments->npubkeys++] = xstrdup (arg);
|
||
|
break;
|
||
|
|
||
|
+ case 'x':
|
||
|
+ arguments->x509keys = xrealloc (arguments->x509keys,
|
||
|
+ sizeof (arguments->x509keys[0])
|
||
|
+ * (arguments->nx509keys + 1));
|
||
|
+ arguments->x509keys[arguments->nx509keys++] = xstrdup (arg);
|
||
|
+ break;
|
||
|
+
|
||
|
case 'c':
|
||
|
if (arguments->config)
|
||
|
free (arguments->config);
|
||
|
@@ -332,7 +342,8 @@ main (int argc, char *argv[])
|
||
|
grub_install_generate_image (arguments.dir, arguments.prefix, fp,
|
||
|
arguments.output, arguments.modules,
|
||
|
arguments.memdisk, arguments.pubkeys,
|
||
|
- arguments.npubkeys, arguments.config,
|
||
|
+ arguments.npubkeys, arguments.x509keys,
|
||
|
+ arguments.nx509keys, arguments.config,
|
||
|
arguments.image_target, arguments.note,
|
||
|
arguments.appsig_size, arguments.comp,
|
||
|
arguments.dtb, arguments.sbat,
|
||
|
diff --git a/util/mkimage.c b/util/mkimage.c
|
||
|
index bab1227601..8319e8dfbd 100644
|
||
|
--- a/util/mkimage.c
|
||
|
+++ b/util/mkimage.c
|
||
|
@@ -867,7 +867,8 @@ void
|
||
|
grub_install_generate_image (const char *dir, const char *prefix,
|
||
|
FILE *out, const char *outname, char *mods[],
|
||
|
char *memdisk_path, char **pubkey_paths,
|
||
|
- size_t npubkeys, char *config_path,
|
||
|
+ size_t npubkeys, char **x509key_paths,
|
||
|
+ size_t nx509keys, char *config_path,
|
||
|
const struct grub_install_image_target_desc *image_target,
|
||
|
int note, size_t appsig_size, grub_compression_t comp,
|
||
|
const char *dtb_path, const char *sbat_path,
|
||
|
@@ -913,6 +914,19 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+ {
|
||
|
+ size_t i;
|
||
|
+ for (i = 0; i < nx509keys; i++)
|
||
|
+ {
|
||
|
+ size_t curs;
|
||
|
+ curs = ALIGN_ADDR (grub_util_get_image_size (x509key_paths[i]));
|
||
|
+ grub_util_info ("the size of x509 public key %u is 0x%"
|
||
|
+ GRUB_HOST_PRIxLONG_LONG,
|
||
|
+ (unsigned) i, (unsigned long long) curs);
|
||
|
+ total_module_size += curs + sizeof (struct grub_module_header);
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
if (memdisk_path)
|
||
|
{
|
||
|
memdisk_size = ALIGN_UP(grub_util_get_image_size (memdisk_path), 512);
|
||
|
@@ -1034,7 +1048,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||
|
curs = grub_util_get_image_size (pubkey_paths[i]);
|
||
|
|
||
|
header = (struct grub_module_header *) (kernel_img + offset);
|
||
|
- header->type = grub_host_to_target32 (OBJ_TYPE_PUBKEY);
|
||
|
+ header->type = grub_host_to_target32 (OBJ_TYPE_GPG_PUBKEY);
|
||
|
header->size = grub_host_to_target32 (curs + sizeof (*header));
|
||
|
offset += sizeof (*header);
|
||
|
|
||
|
@@ -1043,6 +1057,26 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+ {
|
||
|
+ size_t i;
|
||
|
+ for (i = 0; i < nx509keys; i++)
|
||
|
+ {
|
||
|
+ size_t curs;
|
||
|
+ struct grub_module_header *header;
|
||
|
+
|
||
|
+ curs = grub_util_get_image_size (x509key_paths[i]);
|
||
|
+
|
||
|
+ header = (struct grub_module_header *) (kernel_img + offset);
|
||
|
+ header->type = grub_host_to_target32 (OBJ_TYPE_X509_PUBKEY);
|
||
|
+ header->size = grub_host_to_target32 (curs + sizeof (*header));
|
||
|
+ offset += sizeof (*header);
|
||
|
+
|
||
|
+ grub_util_load_image (x509key_paths[i], kernel_img + offset);
|
||
|
+ offset += ALIGN_ADDR (curs);
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+
|
||
|
if (memdisk_path)
|
||
|
{
|
||
|
struct grub_module_header *header;
|
||
|
diff --git a/include/grub/kernel.h b/include/grub/kernel.h
|
||
|
index 55849777ea..98edc0863f 100644
|
||
|
--- a/include/grub/kernel.h
|
||
|
+++ b/include/grub/kernel.h
|
||
|
@@ -30,7 +30,9 @@ enum
|
||
|
OBJ_TYPE_PREFIX,
|
||
|
OBJ_TYPE_PUBKEY,
|
||
|
OBJ_TYPE_DTB,
|
||
|
- OBJ_TYPE_DISABLE_SHIM_LOCK
|
||
|
+ OBJ_TYPE_DISABLE_SHIM_LOCK,
|
||
|
+ OBJ_TYPE_GPG_PUBKEY,
|
||
|
+ OBJ_TYPE_X509_PUBKEY,
|
||
|
};
|
||
|
|
||
|
/* The module header. */
|
||
|
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
|
||
|
index cf4531e02b..51f3b13ac1 100644
|
||
|
--- a/include/grub/util/install.h
|
||
|
+++ b/include/grub/util/install.h
|
||
|
@@ -67,6 +67,8 @@
|
||
|
N_("SBAT metadata"), 0 }, \
|
||
|
{ "disable-shim-lock", GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, 0, 0, \
|
||
|
N_("disable shim_lock verifier"), 0 }, \
|
||
|
+ { "x509key", 'x', N_("FILE"), 0, \
|
||
|
+ N_("embed FILE as an x509 certificate for signature checking"), 0}, \
|
||
|
{ "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
|
||
|
"SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
|
||
|
1}, \
|
||
|
@@ -188,8 +190,9 @@ void
|
||
|
grub_install_generate_image (const char *dir, const char *prefix,
|
||
|
FILE *out,
|
||
|
const char *outname, char *mods[],
|
||
|
- char *memdisk_path, char **pubkey_paths,
|
||
|
- size_t npubkeys,
|
||
|
+ char *memdisk_path,
|
||
|
+ char **pubkey_paths, size_t npubkeys,
|
||
|
+ char **x509key_paths, size_t nx509keys,
|
||
|
char *config_path,
|
||
|
const struct grub_install_image_target_desc *image_target,
|
||
|
int note, size_t appsig_size,
|