From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy
Date: Mon, 6 Oct 2025 12:54:57 +0530
Subject: [PATCH] appended signatures: Introducing key management environment variable

Introducing the appended signature key management environment variable. It is automatically set to either "static" or "dynamic" based on the Platform KeyStore.

"static": Enforce static key management signature verification. This is the default. When the GRUB is locked down, user cannot change the value by setting the appendedsig_key_mgmt variable back to "dynamic".

"dynamic": Enforce dynamic key management signature verification. When the GRUB is locked down, user cannot change the value by setting the appendedsig_key_mgmt variable back to "static".

Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
 grub-core/commands/appendedsig/appendedsig.c | 75 ++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)

diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
index e53efd2..ca54c90 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -33,6 +33,7 @@
 #include
 #include
 #include
+#include
 #include "appendedsig.h"
@@ -94,6 +95,16 @@ static sb_database_t db = {.certs = NULL, .cert_entries = 0};
 */
 static bool check_sigs = false;
+/*
+ * append_key_mgmt: Key Management Modes
+ * False: Static key management (use built-in Keys). This is default.
+ * True: Dynamic key management (use Platform KeySotre).
+ */
+static bool append_key_mgmt = false;
+
+/* Platform KeyStore db and dbx. */
+static grub_pks_t *pks_keystore;
+
 static grub_ssize_t
 pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
 {
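Review bot: The comment above `append_key_mgmt` in the @@ -94 hunk misspells the keystore and states a default that GRUB_MOD_INIT later overrides: `True: Dynamic key management (use Platform KeySotre).` should read `use Platform KeyStore`, and "This is default" only holds when `grub_pks_get_keystore ()` returns NULL, since the init code flips the flag to true otherwise. Suggest `False: Static key management (use built-in keys). Default when no Platform KeyStore is found.` so the comment matches the init logic. The `/* Platform KeyStore db and dbx. */` line above `pks_keystore` names the contents but not what the pointer means to this module; a short note that NULL means "no keystore, stay in static mode" would make the later NULL test self-explanatory.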
@@ -469,6 +480,46 @@ grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)), const cha
 return ret;
 }
+static const char *
+grub_env_read_key_mgmt (struct grub_env_var *var __attribute__ ((unused)),
+ const char *val __attribute__ ((unused)))
+{
+ if (append_key_mgmt == true)
+ return "dynamic";
+
+ return "static";
+}
+
+static char *
+grub_env_write_key_mgmt (struct grub_env_var *var __attribute__ ((unused)), const char *val)
+{
+ char *ret;
+
+ /*
+ * Do not allow the value to be changed if signature verification is enabled
+ * (check_sigs is set to true) and GRUB is locked down.
+ */
+ if (check_sigs == true && grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+ {
+ ret = grub_strdup (grub_env_read_key_mgmt (NULL, NULL));
+ if (ret == NULL)
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ return ret;
+ }
+
+ if (grub_strcmp (val, "dynamic") == 0)
+ append_key_mgmt = true;
+ else if (grub_strcmp (val, "static") == 0)
+ append_key_mgmt = false;
+
+ ret = grub_strdup (grub_env_read_key_mgmt (NULL, NULL));
+ if (ret == NULL)
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ return ret;
+}
+
 static grub_err_t
 appendedsig_init (grub_file_t io __attribute__ ((unused)), enum grub_file_type type,
 void **context __attribute__ ((unused)), enum grub_verify_flags *flags)
@@ -540,6 +591,11 @@ GRUB_MOD_INIT (appendedsig)
 if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
 check_sigs = true;
+ /* If PKS keystore is available, use dynamic key management. */
+ pks_keystore = grub_pks_get_keystore ();
+ if (pks_keystore != NULL)
+ append_key_mgmt = true;
+
 /*
 * This is appended signature verification environment variable. It is
 * automatically set to either "no" or "yes" based on the ’ibm,secure-boot’
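Review bot: The lockdown guard in `grub_env_write_key_mgmt` only holds while `check_sigs` is true, so if `check_appended_signatures` can still be switched to "no" under lockdown (grub_env_write_sec is outside this hunk), the key-management mode becomes writable again in exactly the state the commit message says it must not be; unless the sec hook is known to refuse that, `if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)` on its own is the safer condition. A refused write also looks successful to the caller, because the hook returns the current value without setting an error, and values other than "static"/"dynamic" fall through both `grub_strcmp` branches and silently leave the mode unchanged. If the env layer keeps the old value when a hook returns NULL with grub_errno set (I cannot confirm that from here), `grub_error (GRUB_ERR_BAD_ARGUMENT, "...")` followed by `return NULL;` for unknown values would make both cases visible. The comment added in the @@ -554 hunk describes the lockdown rule without the `check_sigs` condition, so whichever way this is resolved the two should be brought into agreement.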
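Review bot: In the @@ -540 hunk a NULL from `grub_pks_get_keystore ()` is treated as "no keystore present" without checking whether grub_errno was set by the lookup, so a failed lookup and a genuinely absent keystore are indistinguishable and both fall back to static key management. If the PKS call can fail with an error rather than only report absence, a `grub_print_error ()` or at least a comment on the assignment should record which it is, e.g. `/* NULL means no Platform KeyStore is present; fall back to built-in keys. */`. The pointer is also kept for the module's lifetime while the patch only tests it for NULL, so a note on who owns the object (presumably the PKS layer — confirm) would help the next reader. GRUB_MOD_INIT continues outside this hunk.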
@@ -554,6 +610,23 @@ GRUB_MOD_INIT (appendedsig)
 grub_register_variable_hook ("check_appended_signatures", grub_env_read_sec, grub_env_write_sec);
 grub_env_export ("check_appended_signatures");
+ /*
+ * This is appended signature key management environment variable. It is
+ * automatically set to either "static" or "dynamic" based on the
+ * Platform KeyStore.
+ *
+ * "static": Enforce static key management signature verification. This is
+ * the default. When the GRUB is locked down, user cannot change
+ * the value by setting the appendedsig_key_mgmt variable back to
+ * "dynamic".
+ *
+ * "dynamic": Enforce dynamic key management signature verification. When the
+ * GRUB is locked down, user cannot change the value by setting the
+ * appendedsig_key_mgmt variable back to "static".
+ */
+ grub_register_variable_hook ("appendedsig_key_mgmt", grub_env_read_key_mgmt, grub_env_write_key_mgmt);
+ grub_env_export ("appendedsig_key_mgmt");
+
 rc = grub_asn1_init ();
 if (rc != ASN1_SUCCESS)
 grub_fatal ("error initing ASN.1 data structures: %d: %s\n", rc, asn1_strerror (rc));
@@ -577,5 +650,7 @@ GRUB_MOD_FINI (appendedsig)
 free_db_list ();
 grub_register_variable_hook ("check_appended_signatures", NULL, NULL);
 grub_env_unset ("check_appended_signatures");
+ grub_register_variable_hook ("appendedsig_key_mgmt", NULL, NULL);
+ grub_env_unset ("appendedsig_key_mgmt");
 grub_verifier_unregister (&grub_appendedsig_verifier);
 }
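Review bot: The comment registering `appendedsig_key_mgmt` says each mode "enforces" a kind of verification but never says which keys are consulted, which is the one thing a reader of this variable needs; the comment above `append_key_mgmt` earlier in the file does have it (built-in keys vs. Platform KeyStore). Suggest `"static": verify appended signatures against the built-in keys.` and `"dynamic": verify appended signatures against the keys from the Platform KeyStore.` in place of the two "Enforce ... signature verification" phrases, keeping the lockdown sentences as they are. The "This is the default" wording should also say that it is the default only when no Platform KeyStore is found, since GRUB_MOD_INIT switches to "dynamic" when one is present.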