[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 0/1] RFC: ieee1275: link appended-signature enforcement to secure

From: Daniel Axtens
Subject: [PATCH 0/1] RFC: ieee1275: link appended-signature enforcement to secure boot
Date: Thu, 8 Oct 2020 01:21:15 +1100

This patch demonstrates how secure boot on pseries machines could be
linked to the appended signature verification I sent earlier.

It's a pretty big hammer at the moment - I am posting it so we can
discuss whether this is something that would be acceptable in upstream
grub. If it acceptable in theory I'm happy to rework it to be less

(The rest of this cover letter concerns testing the entire end-to-end
setup - signing grub, verifying signatures in grub and enforcing
secure boot.)

You can experiement with this using entirely free software.

You need the following trees: branch pseries-secboot branch ibm,secure-boot branch ibm,secure-boot

You also need:
 - a key to sign grub, and accompanying DER certificate
 - a key to sign linux, and accompanying DER certificate
Both should have keyUsage=digitalSignature and not be CAs.

Lastly you will need a working a ppc64(le) vm.


 - build qemu. You need qemu-system-ppc64.

 - use xxd to convert the certificate for verifying grub into a header
   file, and copy it in to SLOF/lib/libcrypto/certificate.h. It must
   create variables certificate_der and certificate_der_len.

 - build SLOF for qemu (make qemu)

 - verify that you can boot your VM with new SLOF and stock grub.

   To boot with new SLOF, pass -bios ./SLOF/boot_rom.bin . It should
   boot with new slof in non-secure (default) mode.

   To enable secure boot, add ",secure-boot" to your machine
   parameter, e.g. "-M pseries,secure-boot". This should now refuse to
   boot with an error in SLOF.

   (Note that the SLOF verfication is a bit lackadaisical, it doesn't
    stop you dropping to the all-powerful OF prompt, and it only
    requires signatures on 32-bit binaries. -kernel vmlinux should
    still work even in SB mode, for example. I haven't tested

 - Build grub in your VM.

 - Build the signing key into grub, along with the appendedsig
   module. The following incantation should give you a working but
   non-portable grub, assuming you have grub installed on /dev/sda1:

touch empty
sign-file SHA256 grub-signing.key grub-signing-certificate.der \
                 empty empty.signed
SIG_SIZE=`stat -c '%s' empty.signed`
echo "Detected signature size: $SIG_SIZE bytes"
rm empty empty.signed

GRUB_MODULES="appendedsig gcry_sha256 all_video boot btrfs cat configfile echo 
ext2 fat font gfxmenu gfxterm gzio halt hfsplus http iso9660 jpeg loadenv 
loopback linux lvm mdraid09 mdraid1x minicmd net normal part_apple part_msdos 
part_gpt password_pbkdf2 png reboot regexp search search_fs_uuid search_fs_file 
search_label serial sleep syslinuxcfg test tftp video xfs"

./grub-install --appended-signature-size $SIG_SIZE --modules="$GRUB_MODULES" \
               -d ./grub-core/ /dev/sda1 -x linux-signing-certificate.der

cp /boot/grub/powerpc-ieee1275/core.elf core.elf
truncate -s -$SIG_SIZE core.elf
sign-file SHA256 grub-signing.key grub-signing-certificate.der \
                 core.elf core.elf.signed

dd if=core.elf.signed of=/dev/sda1 

 - Sign your kernel, e.g.:

   sign-file SHA256 linux-signing.key linux-signing-certificate.der \
                    /boot/vmlinux /boot/vmlinux.signed

 - You should now be able to boot with new SLOF and qemu in
   secure-boot mode.

Daniel Axtens (1):
  ieee1275: link appended-signature enforcement to /ibm,secure-boot

 grub-core/commands/appendedsig/appendedsig.c | 44 +++++++++++++++-----
 grub-core/kern/ieee1275/init.c               | 26 ++++++++++++
 2 files changed, 60 insertions(+), 10 deletions(-)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]