[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Signature verification in GRUB

From: Geoffrey Thomas
Subject: Re: Signature verification in GRUB
Date: Mon, 15 Oct 2012 14:33:03 -0700
User-agent: Alpine 2.02 (DEB 1266 2009-07-14)

On Sat, 13 Oct 2012, Vladimir 'φ-coder/phcoder' Serbinenko wrote:

First, does GRUB has a mechanism for me to validate a digitally-signed
file of some sort? This could be e.g. a PGP-signed file or something
from `openssl dgst -sign`. I see that GRUB has all the relevant crypto
primitives to do this, but I can't find a command to invoke them. (As
far as I can tell, gcrypt is only used for PBKDF2 and cryptodisk support?)

I have some code dating from about a year ago but because of my current
personal situation it's put on hold for some time.

Do you have something I can start from that you could drop somewhere? I haven't begun implementing this yet, and I suspect that starting from your code would be helpful for getting this done faster and also doing it in a style compatible with upstream.

Also, a slightly more generic question -- what's a reasonable format here? I'm kind of surprised to find that openssl has no generic command to sign a file or verify it's signatures. I could use PGP, but we're already using SSL-style certificates for Authenticode, so I'd prefer not generate another key with a completely different format. That said, if more people will find PGP verification useful, I can implement that.

Is there some doc on dm-verify? It may be interesting.
is the official documentation.

Briefly, you generate a salted hash tree of each block (and in turn of the blocks containing the hashes) until you get a root hash. So with a trusted way to get the root hash, the original device, and a device/file containing the hashes, you can generate a new (read-only) device that validates hashes up to the root, and throws an IO error if the data has been tampered with.

The "veritysetup" command in sbin in recent cryptsetup versions can generate the hash tree and print out the root hash.

Geoffrey Thomas

reply via email to

[Prev in Thread] Current Thread [Next in Thread]