rpms/grub2
6
0
Fork 0
Code Issues Pull Requests Releases Activity
17ffd9b3e0
grub2/0390-grub-install-Support-embedding-x509-certificates.patch
Nicolas Frayer 17ffd9b3e0 powerpc: Add appended signature feature 
Resolves: #RHEL-24510
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-11-27 14:40:11 +01:00

211 lines
8.1 KiB
Diff
Raw Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Mon, 6 Oct 2025 12:54:49 +0530
Subject: [PATCH] grub-install: Support embedding x509 certificates
To support verification of appended signatures, we need a way to embed the
necessary public keys. Existing appended signature schemes in the Linux kernel
use X.509 certificates, so allow certificates to be embedded in the GRUB core
image in the same way as PGP keys.
Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
include/grub/kernel.h | 2 +-
include/grub/util/install.h | 9 ++++-----
util/grub-install-common.c | 18 ++++++++----------
util/grub-mkimage.c | 6 +++---
util/mkimage.c | 38 +++++++++++++++++++++-----------------
5 files changed, 37 insertions(+), 36 deletions(-)
diff --git a/include/grub/kernel.h b/include/grub/kernel.h
index 8fdbde2b0613..05f141201c61 100644
--- a/include/grub/kernel.h
+++ b/include/grub/kernel.h
@@ -29,9 +29,9 @@ enum
OBJ_TYPE_CONFIG,
OBJ_TYPE_PREFIX,
OBJ_TYPE_GPG_PUBKEY,
+ OBJ_TYPE_X509_PUBKEY,
OBJ_TYPE_DTB,
OBJ_TYPE_DISABLE_SHIM_LOCK,
- OBJ_TYPE_X509_PUBKEY,
OBJ_TYPE_DISABLE_CLI
};
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
index dbf3c216d413..93c1f0ed4e0d 100644
--- a/include/grub/util/install.h
+++ b/include/grub/util/install.h
@@ -67,13 +67,12 @@
N_("SBAT metadata"), 0 }, \
{ "disable-shim-lock", GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, 0, 0, \
N_("disable shim_lock verifier"), 0 }, \
- { "x509key", 'x', N_("FILE"), 0, \
- N_("embed FILE as an x509 certificate for signature checking"), 0}, \
- { "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
- "SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
- 1}, \
{ "disable-cli", GRUB_INSTALL_OPTIONS_DISABLE_CLI, 0, 0, \
N_("disabled command line interface access"), 0 }, \
+ { "x509key", 'x', N_("FILE"), 0, \
+ N_("embed FILE as an x509 certificate for appended signature checking"), 0}, \
+ { "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE, \
+ "SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 1}, \
{ "verbose", 'v', 0, 0, \
N_("print verbose messages."), 1 }
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
index 42aec141e444..41251cee798b 100644
--- a/util/grub-install-common.c
+++ b/util/grub-install-common.c
@@ -463,10 +463,10 @@ handle_install_list (struct install_list *il, const char *val,
static char **pubkeys;
static size_t npubkeys;
-static char *sbat;
-static int disable_shim_lock;
static char **x509keys;
static size_t nx509keys;
+static char *sbat;
+static int disable_shim_lock;
static grub_compression_t compression;
static size_t appsig_size;
static int disable_cli;
@@ -509,15 +509,13 @@ grub_install_parse (int key, char *arg)
case GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK:
disable_shim_lock = 1;
return 1;
- case 'x':
- x509keys = xrealloc (x509keys,
- sizeof (x509keys[0])
- * (nx509keys + 1));
- x509keys[nx509keys++] = xstrdup (arg);
- return 1;
case GRUB_INSTALL_OPTIONS_DISABLE_CLI:
disable_cli = 1;
return 1;
+ case 'x':
+ x509keys = xrealloc (x509keys, sizeof (x509keys[0]) * (nx509keys + 1));
+ x509keys[nx509keys++] = xstrdup (arg);
+ return 1;
case GRUB_INSTALL_OPTIONS_VERBOSITY:
verbosity++;
@@ -649,7 +647,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
slen += sizeof (" --pubkey ''") + grub_strlen (*pk);
for (pk = x509keys; pk < x509keys + nx509keys; pk++)
- slen += 10 + grub_strlen (*pk);
+ slen += sizeof (" --x509key ''") + grub_strlen (*pk);
for (md = modules.entries; *md; md++)
slen += sizeof (" ''") + grub_strlen (*md);
@@ -693,7 +691,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
for (pk = x509keys; pk < x509keys + nx509keys; pk++)
{
- p = grub_stpcpy (p, "--x509 '");
+ p = grub_stpcpy (p, "--x509key '");
p = grub_stpcpy (p, *pk);
*p++ = '\'';
*p++ = ' ';
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
index 13bdc6cf0397..89ca81ce6b10 100644
--- a/util/grub-mkimage.c
+++ b/util/grub-mkimage.c
@@ -76,7 +76,7 @@ static struct argp_option options[] = {
{"config", 'c', N_("FILE"), 0, N_("embed FILE as an early config"), 0},
/* TRANSLATORS: "embed" is a verb (command description). "*/
{"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for PGP signature checking"), 0},
- {"x509", 'x', N_("FILE"), 0, N_("embed FILE as an x509 certificate for appended signature checking"), 0},
+ {"x509key", 'x', N_("FILE"), 0, N_("embed FILE as an x509 certificate for appended signature checking"), 0},
/* TRANSLATORS: NOTE is a name of segment. */
{"note", 'n', 0, 0, N_("add NOTE segment for CHRP IEEE1275"), 0},
{"output", 'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0},
@@ -213,11 +213,11 @@ argp_parser (int key, char *arg, struct argp_state *state)
case 'x':
arguments->x509keys = xrealloc (arguments->x509keys,
- sizeof (arguments->x509keys[0])
- * (arguments->nx509keys + 1));
+ sizeof (arguments->x509keys[0]) * (arguments->nx509keys + 1));
arguments->x509keys[arguments->nx509keys++] = xstrdup (arg);
break;
+
case 'c':
if (arguments->config)
free (arguments->config);
diff --git a/util/mkimage.c b/util/mkimage.c
index f92949d1df25..8ae58ccef868 100644
--- a/util/mkimage.c
+++ b/util/mkimage.c
@@ -930,16 +930,21 @@ grub_install_generate_image (const char *dir, const char *prefix,
}
}
+ if (nx509keys != 0 && image_target->id != IMAGE_PPC)
+ grub_util_error (_("x509 public key can be support only to appended signature"
+ " with powerpc-ieee1275 images"));
+
{
size_t i;
+
for (i = 0; i < nx509keys; i++)
{
- size_t curs;
- curs = ALIGN_ADDR (grub_util_get_image_size (x509key_paths[i]));
- grub_util_info ("the size of x509 public key %u is 0x%"
- GRUB_HOST_PRIxLONG_LONG,
- (unsigned) i, (unsigned long long) curs);
- total_module_size += curs + sizeof (struct grub_module_header);
+ size_t curs;
+
+ curs = ALIGN_ADDR (grub_util_get_image_size (x509key_paths[i]));
+ grub_util_info ("the size of x509 public key %u is 0x%" GRUB_HOST_PRIxLONG_LONG,
+ (unsigned) i, (unsigned long long) curs);
+ total_module_size += curs + sizeof (struct grub_module_header);
}
}
@@ -1078,24 +1083,23 @@ grub_install_generate_image (const char *dir, const char *prefix,
{
size_t i;
+
for (i = 0; i < nx509keys; i++)
{
- size_t curs;
- struct grub_module_header *header;
+ size_t curs;
+ struct grub_module_header *header;
- curs = grub_util_get_image_size (x509key_paths[i]);
+ curs = grub_util_get_image_size (x509key_paths[i]);
+ header = (struct grub_module_header *) (kernel_img + offset);
+ header->type = grub_host_to_target32 (OBJ_TYPE_X509_PUBKEY);
+ header->size = grub_host_to_target32 (curs + sizeof (*header));
- header = (struct grub_module_header *) (kernel_img + offset);
- header->type = grub_host_to_target32 (OBJ_TYPE_X509_PUBKEY);
- header->size = grub_host_to_target32 (curs + sizeof (*header));
- offset += sizeof (*header);
-
- grub_util_load_image (x509key_paths[i], kernel_img + offset);
- offset += ALIGN_ADDR (curs);
+ offset += sizeof (*header);
+ grub_util_load_image (x509key_paths[i], kernel_img + offset);
+ offset += ALIGN_ADDR (curs);
}
}
-
if (memdisk_path)
{
struct grub_module_header *header;
Reference in New Issue View Git Blame Copy Permalink