
[PATCH v3 0/2] Secure Boot Advanced Targeting (SBAT) support on powerpc


From: Sudhakar Kuppusamy
Subject: [PATCH v3 0/2] Secure Boot Advanced Targeting (SBAT) support on powerpc
Date: Fri, 13 Sep 2024 16:57:57 +0530

On powerpc, PE format binaries are not supported, so shim
(https://github.com/rhboot/shim/blob/main/SBAT.md) can't be used.
However, ELF binaries are supported. So, we created a new ELF note for SBAT in
the ELF binary, which stores the SBAT data, and an SBAT verifier in firmware
will read the SBAT data from the ELF note and validate it.

This patch series consists of 2 parts:

 1) Patch 1: create new ELF Note for SBAT

    In order to store the SBAT data, we create a new ELF note. The string
    "Secure-Boot-Advanced-Targeting", zero-padded to 4 byte alignment, shall
    be entered in the name field. The string "sbat"'s ASCII values,
    0x41536967, should be entered in the type field.

 2) Patch 2: adding sbat metadata into sbat ELF Note

    The SBAT metadata, which is read from a .csv file and transformed into an
    ELF note, is made into an image using the -s option.


(The rest of this cover letter concerns testing the entire end-to-end setup -
SBAT.)

You can experiment with this using entirely free software.

You need the following trees:

https://github.com/SudhakarKuppusamy1/qemu branch sbat
https://github.com/SudhakarKuppusamy1/SLOF branch sbat
https://github.com/SudhakarKuppusamy1/grub branch sbat

You also need:
 - the SBAT metadata (.csv file)
 - the SBAT Variable (.csv file)
Both should follow the SBAT specification
(https://github.com/rhboot/shim/blob/main/SBAT.md)

Example: https://github.com/SudhakarKuppusamy1/testing/sbat
   
   sbat_metadata.csv
   sbat_var.csv 

Lastly you will need a working ppc64(le) VM.

sample vm: https://github.com/SudhakarKuppusamy1/testing/vm

   pseries-ubuntu-20.04.6.qcow2

Then:

 - build qemu (./configure --target-list=ppc64-softmmu && make).
   You need qemu-system-ppc64.

 - use xxd (ex: xxd -i sbat_var.csv sbat_var.h) to convert the SBAT Variable
   for verifying grub into a header file, and copy it into
   SLOF/lib/libcrypto/sbat_var.h.
   It must create variables sbat_var_csv and sbat_var_csv_len.

 - build SLOF for qemu (make qemu)

 - verify that you can boot your VM with new SLOF and stock grub.

   To boot with new SLOF, pass -bios ./SLOF/boot_rom.bin . It should
   boot with new SLOF in secure boot mode.

   sudo ./build/qemu-system-ppc64 -m 8192 \
   -M pseries-2.12,accel=kvm,cap-ail-mode-3=off,secure-boot=on \
   -nographic -vga none \
   -smp 4 -hdd pseries-ubuntu-20.04.6.qcow2 -bios ./boot_rom.bin

 - Build grub in your VM.

 - Build the SBAT metadata into grub. The following incantation should give
   you a working but non-portable grub, assuming you have grub installed on
   /dev/sda2:

   GRUB_MODULES="all_video boot btrfs cat configfile echo ext2 fat font gfxmenu
   gfxterm gzio halt hfsplus http iso9660 jpeg loadenv loopback linux lvm
   mdraid09 mdraid1x minicmd net normal part_apple part_msdos part_gpt
   password_pbkdf2 png reboot regexp search search_fs_uuid search_fs_file
   search_label serial sleep syslinuxcfg test tftp video xfs"

   sudo ./grub-install --modules "$GRUB_MODULES" -d ./grub-core/ -v "/dev/sda2" \
   --sbat=./sbat_metadata.csv

   dd if=/boot/grub/powerpc-ieee1275/core.elf of=/dev/sda2

Sudhakar Kuppusamy (2):
  mkimage: create new ELF Note for SBAT
  mkimage: adding sbat metadata into sbat ELF Note on powerpc

 include/grub/util/mkimage.h |  4 +--
 util/grub-mkimagexx.c       | 51 +++++++++++++++++++++++++++++++++++--
 util/mkimage.c              | 17 ++++++++++---
 3 files changed, 64 insertions(+), 8 deletions(-)

-- 
2.43.5
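
The following is an added example, not part of the original message or of the patch series: a checker that walks the notes in an ELF note segment, finds the SBAT note described in patch 1 and returns the (component, generation) pairs from its CSV payload. The note name and type are the values given in the cover letter; the big-endian default, the NUL counted in namesz, the helper names and the sample data are assumptions made for the example.

```python
import csv
import io
import struct

# Name and type values are taken from the cover letter; the rest is assumed.
SBAT_NOTE_NAME = b"Secure-Boot-Advanced-Targeting"
SBAT_NOTE_TYPE = 0x41536967

def pad4(n):
    return (n + 3) & ~3

def build_note(name, ntype, desc, endian=">"):
    """Pack one ELF note: namesz, descsz, type, then name and desc padded to 4."""
    name_z = name + b"\0"  # assumption: namesz counts the terminating NUL
    return (struct.pack(endian + "III", len(name_z), len(desc), ntype)
            + name_z.ljust(pad4(len(name_z)), b"\0")
            + desc.ljust(pad4(len(desc)), b"\0"))

def iter_notes(seg, endian=">"):
    """Yield (name, type, desc) per note; ValueError if a field overruns seg."""
    off = 0
    while off < len(seg):
        if len(seg) - off < 12:
            raise ValueError("truncated note header")
        namesz, descsz, ntype = struct.unpack_from(endian + "III", seg, off)
        name_off = off + 12
        desc_off = name_off + pad4(namesz)
        if desc_off + descsz > len(seg):
            raise ValueError("note overruns segment")
        yield (seg[name_off:name_off + namesz].rstrip(b"\0"), ntype,
               seg[desc_off:desc_off + descsz])
        off = desc_off + pad4(descsz)

def sbat_entries(seg, endian=">"):
    """Return [(component, generation), ...] from the SBAT note, None if absent."""
    for name, ntype, desc in iter_notes(seg, endian):
        if name == SBAT_NOTE_NAME and ntype == SBAT_NOTE_TYPE:
            text = desc.rstrip(b"\0").decode("utf-8")
            return [(r[0], int(r[1])) for r in csv.reader(io.StringIO(text))
                    if len(r) >= 2]
    return None

# Constructed sample metadata in the layout SBAT.md describes (values made up).
SAMPLE_CSV = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
              b"grub,3,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/\n")
# Constructed note segment: one unrelated note followed by the SBAT note.
SAMPLE_SEGMENT = (build_note(b"Example", 1, b"\x00\x01\x02")
                  + build_note(SBAT_NOTE_NAME, SBAT_NOTE_TYPE, SAMPLE_CSV))
```

To run it against a real core.elf, pass the raw bytes of the image's note segment to sbat_entries(); a ValueError means the segment is malformed and should be treated as a failed check.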
