[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GRUB trusted boot framework
From: |
phcoder |
Subject: |
Re: GRUB trusted boot framework |
Date: |
Sun, 22 Feb 2009 14:56:18 +0100 |
User-agent: |
Thunderbird 2.0.0.19 (X11/20090105) |
- hooks for any disk read (not sure if write is necessary)
This way how trusted grub does it is an ad-hoc solution which results in
a MESS. They just try to hash and rehash everything without design. So
if grub is instructed to load all modules in a directory and filesystem
is reindexed then grub will load the same modules in a different order
which results in a different hash. IMO we can't allow such thing to come
to grub2 it's just against its basic design principles. Much better
would be a layer similar to gzio:
grub_gnupg_open (const char *filename, int flags, struct grub_gnupg_info
*info);
Which internally checks the certificate. This layer can also
encrypt/decrypt from gnupg containers
Then all kernel and config loads would use this function instead of
grub_gzio_open and grub_gnupg_open would check if its contents is
gzipped. Flags can include:
GRUB_GNUPG_FLAGS_ALLOW_UNSIGNED
if signature can be checked later on (e.g. signed ELF)
Then the behavior is controlled by an environment variable
allow_unsigned=yes|no
If grub_gnupg_open is invoked without GRUB_GNUPG_FLAGS_ALLOW_UNSIGNED
and allow_unsigned=no and signature is broken or not present it should
prompt for password (if it isn't supplied yet) and write something like
File %s is unsigned. Are you sure you want to load it? Type "YES" if you do.
Regards
Vladimir 'phcoder' Serbinenko
Re: GRUB trusted boot framework, Vesa Jääskeläinen, 2009/02/22