Re: Signature verification in GRUB

From: Vladimir 'φ-coder/phcoder' Serbinenko
Subject: Re: Signature verification in GRUB
Date: Sat, 13 Oct 2012 12:36:11 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.7) Gecko/20120922 Icedove/10.0.7

On 10.10.2012 00:54, Geoffrey Thomas wrote:

> Hi GRUB list,
> I'm working on adding verified boot / Secure Boot support to my
> company's OS-level product (MokaFive BareMetal). As background, we use
> whole-image updates to help with reliable unattended upgrades and for
> debugging; an upgrade is delivered as a new ISO image, and we have GRUB
> configuration to loop-mount the ISO and load further configuration, a
> kernel, and an initrd.
> First, does GRUB have a mechanism for me to validate a digitally-signed
> file of some sort? This could be e.g. a PGP-signed file or something
> from `openssl dgst -sign`. I see that GRUB has all the relevant crypto
> primitives to do this, but I can't find a command to invoke them. (As
> far as I can tell, gcrypt is only used for PBKDF2 and cryptodisk support?)

I have some code dating from about a year ago but because of my current
personal situation it's put on hold for some time.

> If not, I'd like to add a command to verify a signature on a file, or
> possibly to verify a signature on a GRUB configuration file and execute
> it if it validates. Does this seem like a reasonable thing to add?
> Secondarily, I'm curious if anyone has done work towards porting verity
> or some similar signed (but not encrypted) disk support to GRUB. Since
> we're already planning on using dm-verity once the kernel is booted, I
> think the simplest solution will be to have a signature on the verity
> root hash, mount the ISO using verity, and load the GRUB configuration /
> kernel / initrd from the resulting block device. Does this support exist
> already? (I've also asked this question on the dm-crypt list.)

Is there some doc on dm-verity? It may be interesting.

> Finally, if there's an easier way to do verified boot with GRUB or some
> existing effort along these lines that I should be helping out with, let
> me know.
> Thanks,

Vladimir 'φ-coder/phcoder' Serbinenko

Attachment: signature.asc
Description: OpenPGP digital signature
