[PATCH v1 19/21] appendedsig: Reads the default DB keys from ELF Note
From: |
Sudhakar Kuppusamy |
Subject: |
[PATCH v1 19/21] appendedsig: Reads the default DB keys from ELF Note |
Date: |
Wed, 18 Dec 2024 20:26:45 +0530 |
If secure boot is enabled with PKS and the use_static_keys flag is set, read the
default DB keys from the ELF Note and store them in the trusted list buffer.
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
---
grub-core/commands/appendedsig/appendedsig.c | 58 ++++++++++++++------
1 file changed, 41 insertions(+), 17 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c
b/grub-core/commands/appendedsig/appendedsig.c
index 8b084087e..9a9f4ef1c 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -1082,7 +1082,7 @@ grub_create_distrusted_list (void)
* parses it, and adds it to the trusted list.
*/
static grub_err_t
-grub_build_static_trusted_list (const struct grub_module_header *header)
+grub_build_static_trusted_list (const struct grub_module_header *header, const
grub_bool_t mode)
{
grub_err_t err = GRUB_ERR_NONE;
struct grub_file pseudo_file;
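Review bot: The comment above `grub_build_static_trusted_list` (it begins above the hunk) still describes the function as parsing a module and adding it to the trusted list, and says nothing about the new `mode` parameter, whose meaning can only be recovered from the call sites. A line such as `/* MODE: when set, reject a certificate whose hash is on the distrusted list before adding it, and pass the flag through to grub_add_certificate. */` next to the existing description would close that gap. A name like `check_distrusted` would also say more than `mode` for a `grub_bool_t`, and `const` on a by-value parameter is a definition-only detail that adds nothing to the prototype. The function body continues past the end of the hunk.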
@@ -1101,7 +1101,14 @@ grub_build_static_trusted_list (const struct
grub_module_header *header)
if (err != GRUB_ERR_NONE)
return err;
- err = grub_add_certificate (cert_data, cert_data_size, &grub_db, 1);
+ if (mode)
+ {
+ err = grub_is_distrusted_cert_hash (cert_data, cert_data_size);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
+
+ err = grub_add_certificate (cert_data, cert_data_size, &grub_db, mode);
if (cert_data != NULL)
grub_free (cert_data);
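Review bot: The new early `return err;` after `grub_is_distrusted_cert_hash` leaves `cert_data` allocated: the buffer is already populated at that point (it is what the hash check reads) and is only released by the `grub_free (cert_data)` that follows the `grub_add_certificate` call, so every distrusted static certificate leaks it. Replace the bare return with `if (err != GRUB_ERR_NONE) { grub_free (cert_data); return err; }` — `grub_free` accepts NULL, so no guard is needed. It is also worth confirming whether one distrusted static key should abort the whole list build, as it does now (the caller in GRUB_MOD_INIT releases the trusted list on any error, so a single dbx hit leaves no static keys at all), or whether that entry should be skipped and the loop continued. The enclosing function starts and ends outside this hunk.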
@@ -1154,6 +1161,20 @@ grub_release_distrusted_list (void)
grub_memset (&grub_dbx, 0x00, sizeof (grub_dbx));
}
+static grub_err_t
+grub_load_static_keys (const struct grub_module_header *header, const
grub_bool_t mode)
+{
+ int rc = GRUB_ERR_NONE;
+ FOR_MODULES (header)
+ {
+ /* Not an ELF module, skip. */
+ if (header->type != OBJ_TYPE_X509_PUBKEY)
+ continue;
+ rc = grub_build_static_trusted_list (header, mode);
+ }
+ return rc;
+}
+
GRUB_MOD_INIT (appendedsig)
{
int rc;
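Review bot: In `grub_load_static_keys` the result of `grub_build_static_trusted_list` is overwritten on the next iteration, so a failure on one X509 module is lost whenever a later module succeeds and the caller sees GRUB_ERR_NONE (the removed code in the next hunk reported each failure inside the loop). Stop at the first failure with `if (rc != GRUB_ERR_NONE) break;` after the call. `rc` is declared `int` while the function returns `grub_err_t`; `grub_err_t rc = GRUB_ERR_NONE;` keeps the types aligned. The new function also has no header comment, unlike the functions around it; a short `/* Walk the embedded modules and add every OBJ_TYPE_X509_PUBKEY entry to the trusted list; MODE is passed through to grub_build_static_trusted_list. */` would keep the file's style.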
@@ -1172,26 +1193,29 @@ GRUB_MOD_INIT (appendedsig)
if (!grub_use_platform_keystore && check_sigs == check_sigs_forced)
{
- FOR_MODULES (header)
+ rc = grub_load_static_keys (header, 0);
+ if (rc != GRUB_ERR_NONE)
{
- /* Not an ELF module, skip. */
- if (header->type != OBJ_TYPE_X509_PUBKEY)
- continue;
-
- rc = grub_build_static_trusted_list (header);
- if (rc != GRUB_ERR_NONE)
- {
- grub_release_trusted_list ();
- grub_error (rc, "static trusted list creation failed");
- }
- else
- grub_printf ("appendedsig: the trusted list now has %"
PRIuGRUB_SIZE " static keys\n",
- grub_db.key_entries);
+ grub_release_trusted_list ();
+ grub_error (rc, "static trusted list creation failed");
}
+ else
+ grub_printf ("appendedsig: the trusted list now has %" PRIuGRUB_SIZE "
static keys\n",
+ grub_db.key_entries);
+
}
else if (grub_use_platform_keystore && check_sigs == check_sigs_forced)
{
- rc = grub_create_trusted_list ();
+
+ if (grub_platform_keystore.use_static_keys == 1)
+ {
+ grub_printf ("Warning: db variable is not available at PKS and using
a static keys "
+ "as a default key in trusted list\n");
+ rc = grub_load_static_keys (header, 1);
+ }
+ else
+ rc = grub_create_trusted_list ();
+
if (rc != GRUB_ERR_NONE)
{
grub_release_trusted_list ();
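Review bot: Both new calls `grub_load_static_keys (header, 0)` and `grub_load_static_keys (header, 1)` pass `header` without any visible assignment in this hunk, whereas the removed `FOR_MODULES (header)` was the statement that initialised it; unless it is set above the hunk, the compiler sees a read of an uninitialised pointer even if the FOR_MODULES macro inside the callee overwrites its iterator before use. Since the callee only uses that parameter as a loop cursor, dropping it and declaring a local `struct grub_module_header *header;` in grub_load_static_keys removes the question at both call sites. The new warning string reads awkwardly; `"Warning: db variable is not available at PKS, using the static keys as the default keys in the trusted list\n"` says the same thing. The three added blank `+` lines (before the closing `}` of the first branch, after the `{` of the second, and after its `else`) are stray whitespace. GRUB_MOD_INIT's body continues past the end of the hunk.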
--
2.43.5