[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 00/18] Verify appended signatures from grub

From: Daniel Kiper
Subject: Re: [PATCH v2 00/18] Verify appended signatures from grub
Date: Wed, 18 Nov 2020 19:18:50 +0100
User-agent: NeoMutt/20170113 (1.7.2)

Hi Daniel,

On Wed, Oct 28, 2020 at 12:57:17PM +1100, Daniel Axtens wrote:
> v2: fix the grub-mkimage bug. I haven't changed any libtasn1 licensing
> because I don't think we reached any conclusion on whether anything
> was needed, and if so what.
> Part of a secure boot chain is allowing grub to verify the boot
> kernel. For UEFI platforms, this is usually delegated to the shim: see
> shim_lock.c. However, for platforms that do not implement UEFI, an
> alternative scheme is required.
> This series teaches grub how to verify Linux kernel-style 'appended
> signatures'. I talked about this in my recent Linux Plumbers talk:
> and
> In very short, an appended signature is a 'dumb' signature over the
> contents of a file. (It is distinct from schemes like Authenticode
> that are aware of the structure of the file and only sign certain
> parts.) The signature is wrapped in a PKCS#7 message, and is appended
> to the signed file along with some metadata and a magic string. The
> signatures are validated against a public key which is usually
> provided as an x509 certificate. Kernels on powerpc are already signed
> with this scheme and can be verified by IMA for kexec.

Sounds interesting. Unfortunately I am not able to take it because the
GRUB is in code freeze state. I have just reviewed two patches which
fixes the docs and I will take them. I will take closer look at the rest
of the patch series after release. I hope this is not a problem for you...


reply via email to

[Prev in Thread] Current Thread [Next in Thread]