Subject: [PATCH 0/1] RFC: ieee1275: link appended-signature enforcement to secure boot
From: Daniel Axtens
Date: Thu, 8 Oct 2020 01:21:15 +1100
This patch demonstrates how secure boot on pseries machines could be
linked to the appended signature verification I sent earlier.
It's a pretty big hammer at the moment - I am posting it so we can
discuss whether this is something that would be acceptable in upstream
grub. If it is acceptable in theory I'm happy to rework it to be less
invasive.
(The rest of this cover letter concerns testing the entire end-to-end
setup - signing grub, verifying signatures in grub and enforcing
secure boot.)
You can experiment with this using entirely free software.
You need the following trees:
https://github.com/daxtens/qemu branch pseries-secboot
https://github.com/daxtens/SLOF branch ibm,secure-boot
https://github.com/daxtens/grub branch ibm,secure-boot
You also need:
- a key to sign grub, and accompanying DER certificate
- a key to sign linux, and accompanying DER certificate
Both should have keyUsage=digitalSignature and not be CAs.
Lastly you will need a working ppc64(le) VM.
Then:
- build qemu. You need qemu-system-ppc64.
- use xxd to convert the certificate for verifying grub into a header
file, and copy it in to SLOF/lib/libcrypto/certificate.h. It must
create variables certificate_der and certificate_der_len.
- build SLOF for qemu (make qemu)
- verify that you can boot your VM with new SLOF and stock grub.
To boot with new SLOF, pass -bios ./SLOF/boot_rom.bin . It should
boot with new SLOF in non-secure (default) mode.
To enable secure boot, add ",secure-boot" to your machine
parameter, e.g. "-M pseries,secure-boot". This should now refuse to
boot with an error in SLOF.
(Note that the SLOF verification is a bit lackadaisical: it doesn't
stop you dropping to the all-powerful OF prompt, and it only
requires signatures on 32-bit binaries. -kernel vmlinux should
still work even in SB mode, for example. I haven't tested
netbooting.)
- Build grub in your VM.
- Build the signing key into grub, along with the appendedsig
module. The following incantation should give you a working but
non-portable grub, assuming you have grub installed on /dev/sda1:
    # Learn how many bytes sign-file appends by signing an empty file.
    touch empty
    sign-file SHA256 grub-signing.key grub-signing-certificate.der \
        empty empty.signed
    SIG_SIZE=$(stat -c '%s' empty.signed)
    echo "Detected signature size: $SIG_SIZE bytes"
    rm empty empty.signed

    GRUB_MODULES="appendedsig gcry_sha256 all_video boot btrfs cat configfile echo
    ext2 fat font gfxmenu gfxterm gzio halt hfsplus http iso9660 jpeg loadenv
    loopback linux lvm mdraid09 mdraid1x minicmd net normal part_apple part_msdos
    part_gpt password_pbkdf2 png reboot regexp search search_fs_uuid search_fs_file
    search_label serial sleep syslinuxcfg test tftp video xfs"

    # Reserve SIG_SIZE bytes at the end of core.elf and embed the certificate
    # grub will use to verify the kernel.
    ./grub-install --appended-signature-size $SIG_SIZE --modules="$GRUB_MODULES" \
        -d ./grub-core/ /dev/sda1 -x linux-signing-certificate.der

    # Drop the reserved padding, append the real signature, write the result back.
    cp /boot/grub/powerpc-ieee1275/core.elf core.elf
    truncate -s -$SIG_SIZE core.elf
    sign-file SHA256 grub-signing.key grub-signing-certificate.der \
        core.elf core.elf.signed
    dd if=core.elf.signed of=/dev/sda1
- Sign your kernel, e.g.:
    sign-file SHA256 linux-signing.key linux-signing-certificate.der \
        /boot/vmlinux /boot/vmlinux.signed
- You should now be able to boot with new SLOF and qemu in
secure-boot mode.
Daniel Axtens (1):
ieee1275: link appended-signature enforcement to /ibm,secure-boot
grub-core/commands/appendedsig/appendedsig.c | 44 +++++++++++++++-----
grub-core/kern/ieee1275/init.c | 26 ++++++++++++
2 files changed, 60 insertions(+), 10 deletions(-)
--
2.25.1
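The empty-file trick in the cover letter works because sign-file appends a fixed-layout trailer: the PKCS#7 DER blob, a 12-byte struct module_signature, then the 28-byte magic string. The following Python checker is an added example, not part of Daniel's mail or of the grub, SLOF or qemu trees; it parses that trailer out of an image and computes the size --appended-signature-size has to reserve. The fake_pkcs7 bytes and the build_signed_image helper are constructed stand-ins for real sign-file output.

```python
import struct

# Trailer layout written by the kernel's sign-file:
#   <payload> <PKCS#7 DER> <struct module_signature, 12 bytes> <MODULE_SIG_STRING, 28 bytes>
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], __be32 sig_len
MODULE_SIGNATURE = struct.Struct(">BBBBB3xI")


def parse_appended_signature(image: bytes):
    """Split a signed image into (payload, pkcs7_der, trailer_len); None if unsigned."""
    if not image.endswith(MODULE_SIG_STRING):
        return None
    body = image[:-len(MODULE_SIG_STRING)]
    if len(body) < MODULE_SIGNATURE.size:
        raise ValueError("truncated module_signature header")
    algo, digest, id_type, signer_len, key_id_len, sig_len = MODULE_SIGNATURE.unpack(
        body[-MODULE_SIGNATURE.size:])
    # sign-file with a certificate emits PKCS#7 and leaves the other fields zero.
    if id_type != PKEY_ID_PKCS7 or (algo, digest, signer_len, key_id_len) != (0, 0, 0, 0):
        raise ValueError("unexpected module_signature fields")
    rest = body[:-MODULE_SIGNATURE.size]
    if sig_len == 0 or sig_len > len(rest):
        raise ValueError("sig_len out of range")
    trailer_len = sig_len + MODULE_SIGNATURE.size + len(MODULE_SIG_STRING)
    return rest[:-sig_len], rest[-sig_len:], trailer_len


def appended_signature_size(pkcs7_der: bytes) -> int:
    """Bytes sign-file appends for this blob: what --appended-signature-size must reserve."""
    return len(pkcs7_der) + MODULE_SIGNATURE.size + len(MODULE_SIG_STRING)


def build_signed_image(payload: bytes, pkcs7_der: bytes) -> bytes:
    """Lay out payload + trailer as sign-file does (constructed test data, no real signing)."""
    info = MODULE_SIGNATURE.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return payload + pkcs7_der + info + MODULE_SIG_STRING


if __name__ == "__main__":
    fake_pkcs7 = b"\x30\x82\x01\x00" + b"\xaa" * 252  # constructed, not a real PKCS#7 blob
    core = b"\x7fELF" + b"\x00" * 60                    # constructed stand-in for core.elf
    # Mirror the cover letter: sign an empty file to learn the trailer size ...
    sig_size = parse_appended_signature(build_signed_image(b"", fake_pkcs7))[2]
    # ... reserve it, strip it again (truncate -s -$SIG_SIZE), then sign the real image.
    stripped = (core + b"\x00" * sig_size)[:-sig_size]
    payload, _sig, _n = parse_appended_signature(build_signed_image(stripped, fake_pkcs7))
    print(f"trailer {sig_size} bytes, payload intact: {payload == core}")
```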