|
| From: | Geoffrey Thomas |
| Subject: | Signature verification in GRUB |
| Date: | Tue, 9 Oct 2012 15:54:26 -0700 |
| User-agent: | Alpine 2.02 (DEB 1266 2009-07-14) |
Hi GRUB list,I'm working on adding verified boot / Secure Boot support to my company's OS-level product (MokaFive BareMetal). As background, we use whole-image updates to help with reliable unattended upgrades and for debugging; an upgrade is delivered as a new ISO image, and we have GRUB configuration to loop-mount the ISO and load further configuration, a kernel, and an initrd.
First, does GRUB has a mechanism for me to validate a digitally-signed file of some sort? This could be e.g. a PGP-signed file or something from `openssl dgst -sign`. I see that GRUB has all the relevant crypto primitives to do this, but I can't find a command to invoke them. (As far as I can tell, gcrypt is only used for PBKDF2 and cryptodisk support?)
If not, I'd like to add a command to verify a signature on a file, or possibly to verify a signature on a GRUB configuration file and execute it if it validates. Does this seem like a reasonable thing to add?
Secondarily, I'm curious if anyone has done work towards porting verity or some similar signed (but not encrypted) disk support to GRUB. Since we're already planning on using dm-verity once the kernel is booted, I think the simplest solution will be to have a signature on the verity root hash, mount the ISO using verity, and load the GRUB configuration / kernel / initrd from the resulting block device. Does this support exist already? (I've also asked this question on the dm-crypt list.)
Finally, if there's an easier way to do verified boot with GRUB or some existing effort along these lines that I should be helping out with, let me know.
Thanks, -- Geoffrey Thomas address@hidden
| [Prev in Thread] | Current Thread | [Next in Thread] |