|
|
5593c8 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
5593c8 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
5593c8 |
Date: Thu, 30 Jul 2020 01:35:43 +1000
|
|
|
5593c8 |
Subject: [PATCH] appended signatures: support verifying appended signatures
|
|
|
5593c8 |
|
|
|
5593c8 |
Building on the parsers and the ability to embed x509 certificates, as
|
|
|
5593c8 |
well as the existing gcrypt functionality, add a module for verifying
|
|
|
5593c8 |
appended signatures.
|
|
|
5593c8 |
|
|
|
5593c8 |
This includes a verifier that requires that Linux kernels and grub modules
|
|
|
5593c8 |
have appended signatures, and commands to manage the list of trusted
|
|
|
5593c8 |
certificates for verification.
|
|
|
5593c8 |
|
|
|
5593c8 |
Verification must be enabled by setting check_appended_signatures. If
|
|
|
5593c8 |
GRUB is locked down when the module is loaded, verification will be
|
|
|
5593c8 |
enabled and locked automatically.
|
|
|
5593c8 |
|
|
|
5593c8 |
As with the PGP verifier, it is not a complete secure-boot solution:
|
|
|
5593c8 |
other mechanisms, such as a password or lockdown, must be used to ensure
|
|
|
5593c8 |
that a user cannot drop to the grub shell and disable verification.
|
|
|
5593c8 |
|
|
|
5593c8 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
5593c8 |
---
|
|
|
5593c8 |
grub-core/Makefile.core.def | 12 +
|
|
|
5593c8 |
grub-core/commands/appendedsig/appendedsig.c | 645 +++++++++++++++++++++++++++
|
|
|
5593c8 |
include/grub/file.h | 2 +
|
|
|
5593c8 |
3 files changed, 659 insertions(+)
|
|
|
5593c8 |
create mode 100644 grub-core/commands/appendedsig/appendedsig.c
|
|
|
5593c8 |
|
|
|
5593c8 |
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
|
|
5593c8 |
index b4aaccf7b57..77321d218c8 100644
|
|
|
5593c8 |
--- a/grub-core/Makefile.core.def
|
|
|
5593c8 |
+++ b/grub-core/Makefile.core.def
|
|
|
5593c8 |
@@ -980,6 +980,18 @@ module = {
|
|
|
5593c8 |
cppflags = '-I$(srcdir)/lib/posix_wrap';
|
|
|
5593c8 |
};
|
|
|
5593c8 |
|
|
|
5593c8 |
+module = {
|
|
|
5593c8 |
+ name = appendedsig;
|
|
|
5593c8 |
+ common = commands/appendedsig/appendedsig.c;
|
|
|
5593c8 |
+ common = commands/appendedsig/x509.c;
|
|
|
5593c8 |
+ common = commands/appendedsig/pkcs7.c;
|
|
|
5593c8 |
+ common = commands/appendedsig/asn1util.c;
|
|
|
5593c8 |
+ common = commands/appendedsig/gnutls_asn1_tab.c;
|
|
|
5593c8 |
+ common = commands/appendedsig/pkix_asn1_tab.c;
|
|
|
5593c8 |
+ cflags = '$(CFLAGS_POSIX)';
|
|
|
5593c8 |
+ cppflags = '-I$(srcdir)/lib/posix_wrap';
|
|
|
5593c8 |
+};
|
|
|
5593c8 |
+
|
|
|
5593c8 |
module = {
|
|
|
5593c8 |
name = hdparm;
|
|
|
5593c8 |
common = commands/hdparm.c;
|
|
|
5593c8 |
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
|
|
|
5593c8 |
new file mode 100644
|
|
|
5593c8 |
index 00000000000..dc294cd339e
|
|
|
5593c8 |
--- /dev/null
|
|
|
5593c8 |
+++ b/grub-core/commands/appendedsig/appendedsig.c
|
|
|
5593c8 |
@@ -0,0 +1,645 @@
|
|
|
5593c8 |
+/*
|
|
|
5593c8 |
+ * GRUB -- GRand Unified Bootloader
|
|
|
5593c8 |
+ * Copyright (C) 2020-2021 IBM Corporation.
|
|
|
5593c8 |
+ *
|
|
|
5593c8 |
+ * GRUB is free software: you can redistribute it and/or modify
|
|
|
5593c8 |
+ * it under the terms of the GNU General Public License as published by
|
|
|
5593c8 |
+ * the Free Software Foundation, either version 3 of the License, or
|
|
|
5593c8 |
+ * (at your option) any later version.
|
|
|
5593c8 |
+ *
|
|
|
5593c8 |
+ * GRUB is distributed in the hope that it will be useful,
|
|
|
5593c8 |
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
5593c8 |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
5593c8 |
+ * GNU General Public License for more details.
|
|
|
5593c8 |
+ *
|
|
|
5593c8 |
+ * You should have received a copy of the GNU General Public License
|
|
|
5593c8 |
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|
|
5593c8 |
+ */
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+#include <grub/types.h>
|
|
|
5593c8 |
+#include <grub/misc.h>
|
|
|
5593c8 |
+#include <grub/mm.h>
|
|
|
5593c8 |
+#include <grub/err.h>
|
|
|
5593c8 |
+#include <grub/dl.h>
|
|
|
5593c8 |
+#include <grub/file.h>
|
|
|
5593c8 |
+#include <grub/command.h>
|
|
|
5593c8 |
+#include <grub/crypto.h>
|
|
|
5593c8 |
+#include <grub/pkcs1_v15.h>
|
|
|
5593c8 |
+#include <grub/i18n.h>
|
|
|
5593c8 |
+#include <grub/gcrypt/gcrypt.h>
|
|
|
5593c8 |
+#include <grub/kernel.h>
|
|
|
5593c8 |
+#include <grub/extcmd.h>
|
|
|
5593c8 |
+#include <grub/verify.h>
|
|
|
5593c8 |
+#include <grub/libtasn1.h>
|
|
|
5593c8 |
+#include <grub/env.h>
|
|
|
5593c8 |
+#include <grub/lockdown.h>
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+#include "appendedsig.h"
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+const char magic[] = "~Module signature appended~\n";
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+/*
|
|
|
5593c8 |
+ * This structure is extracted from scripts/sign-file.c in the linux kernel
|
|
|
5593c8 |
+ * source. It was licensed as LGPLv2.1+, which is GPLv3+ compatible.
|
|
|
5593c8 |
+ */
|
|
|
5593c8 |
+struct module_signature
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ grub_uint8_t algo; /* Public-key crypto algorithm [0] */
|
|
|
5593c8 |
+ grub_uint8_t hash; /* Digest algorithm [0] */
|
|
|
5593c8 |
+ grub_uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */
|
|
|
5593c8 |
+ grub_uint8_t signer_len; /* Length of signer's name [0] */
|
|
|
5593c8 |
+ grub_uint8_t key_id_len; /* Length of key identifier [0] */
|
|
|
5593c8 |
+ grub_uint8_t __pad[3];
|
|
|
5593c8 |
+ grub_uint32_t sig_len; /* Length of signature data */
|
|
|
5593c8 |
+} GRUB_PACKED;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+/* This represents an entire, parsed, appended signature */
|
|
|
5593c8 |
+struct grub_appended_signature
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ grub_size_t signature_len; /* Length of PKCS#7 data +
|
|
|
5593c8 |
+ * metadata + magic */
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ struct module_signature sig_metadata; /* Module signature metadata */
|
|
|
5593c8 |
+ struct pkcs7_signedData pkcs7; /* Parsed PKCS#7 data */
|
|
|
5593c8 |
+};
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+/* Trusted certificates for verifying appended signatures */
|
|
|
5593c8 |
+struct x509_certificate *grub_trusted_key;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+/*
|
|
|
5593c8 |
+ * Force gcry_rsa to be a module dependency.
|
|
|
5593c8 |
+ *
|
|
|
5593c8 |
+ * If we use grub_crypto_pk_rsa, then then the gcry_rsa module won't be built
|
|
|
5593c8 |
+ * in if you add 'appendedsig' to grub-install --modules. You would need to
|
|
|
5593c8 |
+ * add 'gcry_rsa' too. That's confusing and seems suboptimal, especially when
|
|
|
5593c8 |
+ * we only support RSA.
|
|
|
5593c8 |
+ *
|
|
|
5593c8 |
+ * Dynamic loading also causes some concerns. We can't load gcry_rsa from the
|
|
|
5593c8 |
+ * the filesystem after we install the verifier - we won't be able to verify
|
|
|
5593c8 |
+ * it without having it already present. We also shouldn't load it before we
|
|
|
5593c8 |
+ * install the verifier, because that would mean it wouldn't be verified - an
|
|
|
5593c8 |
+ * attacker could insert any code they wanted into the module.
|
|
|
5593c8 |
+ *
|
|
|
5593c8 |
+ * So instead, reference the internal symbol from gcry_rsa. That creates a
|
|
|
5593c8 |
+ * direct dependency on gcry_rsa, so it will be built in when this module
|
|
|
5593c8 |
+ * is built in. Being built in (assuming the core image is itself signed!)
|
|
|
5593c8 |
+ * also resolves our concerns about loading from the filesystem.
|
|
|
5593c8 |
+ */
|
|
|
5593c8 |
+extern gcry_pk_spec_t _gcry_pubkey_spec_rsa;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static int check_sigs = 0;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static const char *
|
|
|
5593c8 |
+grub_env_read_sec (struct grub_env_var *var __attribute__ ((unused)),
|
|
|
5593c8 |
+ const char *val __attribute__ ((unused)))
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ if (check_sigs == 2)
|
|
|
5593c8 |
+ return "forced";
|
|
|
5593c8 |
+ else if (check_sigs == 1)
|
|
|
5593c8 |
+ return "enforce";
|
|
|
5593c8 |
+ else
|
|
|
5593c8 |
+ return "no";
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static char *
|
|
|
5593c8 |
+grub_env_write_sec (struct grub_env_var *var __attribute__((unused)),
|
|
|
5593c8 |
+ const char *val)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ /* Do not allow the value to be changed if set to forced */
|
|
|
5593c8 |
+ if (check_sigs == 2)
|
|
|
5593c8 |
+ return grub_strdup ("forced");
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if ((*val == '2') || (*val == 'f'))
|
|
|
5593c8 |
+ check_sigs = 2;
|
|
|
5593c8 |
+ else if ((*val == '1') || (*val == 'e'))
|
|
|
5593c8 |
+ check_sigs = 1;
|
|
|
5593c8 |
+ else if ((*val == '0') || (*val == 'n'))
|
|
|
5593c8 |
+ check_sigs = 0;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ return grub_strdup (grub_env_read_sec (NULL, NULL));
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_err_t
|
|
|
5593c8 |
+read_cert_from_file (grub_file_t f, struct x509_certificate *certificate)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ grub_err_t err;
|
|
|
5593c8 |
+ grub_uint8_t *buf = NULL;
|
|
|
5593c8 |
+ grub_ssize_t read_size;
|
|
|
5593c8 |
+ grub_off_t total_read_size = 0;
|
|
|
5593c8 |
+ grub_off_t file_size = grub_file_size (f);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (file_size == GRUB_FILE_SIZE_UNKNOWN)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|
|
5593c8 |
+ N_("Cannot parse a certificate file of unknown size"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ buf = grub_zalloc (file_size);
|
|
|
5593c8 |
+ if (!buf)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
|
|
5593c8 |
+ N_("Could not allocate buffer for certificate file contents"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ while (total_read_size < file_size)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ read_size =
|
|
|
5593c8 |
+ grub_file_read (f, &buf[total_read_size],
|
|
|
5593c8 |
+ file_size - total_read_size);
|
|
|
5593c8 |
+ if (read_size < 0)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ err = grub_error (GRUB_ERR_READ_ERROR,
|
|
|
5593c8 |
+ N_("Error reading certificate file"));
|
|
|
5593c8 |
+ goto cleanup_buf;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+ total_read_size += read_size;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ err = certificate_import (buf, total_read_size, certificate);
|
|
|
5593c8 |
+ if (err != GRUB_ERR_NONE)
|
|
|
5593c8 |
+ goto cleanup_buf;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ return GRUB_ERR_NONE;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+cleanup_buf:
|
|
|
5593c8 |
+ grub_free (buf);
|
|
|
5593c8 |
+ return err;
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_err_t
|
|
|
5593c8 |
+extract_appended_signature (grub_uint8_t * buf, grub_size_t bufsize,
|
|
|
5593c8 |
+ struct grub_appended_signature *sig)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ grub_err_t err;
|
|
|
5593c8 |
+ grub_size_t pkcs7_size;
|
|
|
5593c8 |
+ grub_size_t remaining_len;
|
|
|
5593c8 |
+ grub_uint8_t *appsigdata = buf + bufsize - grub_strlen (magic);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (bufsize < grub_strlen (magic))
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
|
|
5593c8 |
+ N_("File too short for signature magic"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (grub_memcmp (appsigdata, (grub_uint8_t *) magic, grub_strlen (magic)))
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
|
|
5593c8 |
+ N_("Missing or invalid signature magic"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ remaining_len = bufsize - grub_strlen (magic);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (remaining_len < sizeof (struct module_signature))
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
|
|
5593c8 |
+ N_("File too short for signature metadata"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ appsigdata -= sizeof (struct module_signature);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ /* extract the metadata */
|
|
|
5593c8 |
+ grub_memcpy (&(sig->sig_metadata), appsigdata,
|
|
|
5593c8 |
+ sizeof (struct module_signature));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ remaining_len -= sizeof (struct module_signature);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (sig->sig_metadata.id_type != 2)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("Wrong signature type"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+#ifdef GRUB_TARGET_WORDS_BIGENDIAN
|
|
|
5593c8 |
+ pkcs7_size = sig->sig_metadata.sig_len;
|
|
|
5593c8 |
+#else
|
|
|
5593c8 |
+ pkcs7_size = __builtin_bswap32 (sig->sig_metadata.sig_len);
|
|
|
5593c8 |
+#endif
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (pkcs7_size > remaining_len)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
|
|
5593c8 |
+ N_("File too short for PKCS#7 message"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_dprintf ("appendedsig", "sig len %" PRIuGRUB_SIZE "\n", pkcs7_size);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ sig->signature_len =
|
|
|
5593c8 |
+ grub_strlen (magic) + sizeof (struct module_signature) + pkcs7_size;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ /* rewind pointer and parse pkcs7 data */
|
|
|
5593c8 |
+ appsigdata -= pkcs7_size;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ err = parse_pkcs7_signedData (appsigdata, pkcs7_size, &sig->pkcs7);
|
|
|
5593c8 |
+ if (err != GRUB_ERR_NONE)
|
|
|
5593c8 |
+ return err;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ return GRUB_ERR_NONE;
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_err_t
|
|
|
5593c8 |
+grub_verify_appended_signature (grub_uint8_t * buf, grub_size_t bufsize)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ grub_err_t err = GRUB_ERR_NONE;
|
|
|
5593c8 |
+ grub_size_t datasize;
|
|
|
5593c8 |
+ void *context;
|
|
|
5593c8 |
+ unsigned char *hash;
|
|
|
5593c8 |
+ gcry_mpi_t hashmpi;
|
|
|
5593c8 |
+ gcry_err_code_t rc;
|
|
|
5593c8 |
+ struct x509_certificate *pk;
|
|
|
5593c8 |
+ struct grub_appended_signature sig;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (!grub_trusted_key)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
|
|
5593c8 |
+ N_("No trusted keys to verify against"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ err = extract_appended_signature (buf, bufsize, &sig);
|
|
|
5593c8 |
+ if (err != GRUB_ERR_NONE)
|
|
|
5593c8 |
+ return err;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ datasize = bufsize - sig.signature_len;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ context = grub_zalloc (sig.pkcs7.hash->contextsize);
|
|
|
5593c8 |
+ if (!context)
|
|
|
5593c8 |
+ return grub_errno;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ sig.pkcs7.hash->init (context);
|
|
|
5593c8 |
+ sig.pkcs7.hash->write (context, buf, datasize);
|
|
|
5593c8 |
+ sig.pkcs7.hash->final (context);
|
|
|
5593c8 |
+ hash = sig.pkcs7.hash->read (context);
|
|
|
5593c8 |
+ grub_dprintf ("appendedsig",
|
|
|
5593c8 |
+ "data size %" PRIxGRUB_SIZE ", hash %02x%02x%02x%02x...\n",
|
|
|
5593c8 |
+ datasize, hash[0], hash[1], hash[2], hash[3]);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ err = GRUB_ERR_BAD_SIGNATURE;
|
|
|
5593c8 |
+ for (pk = grub_trusted_key; pk; pk = pk->next)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ rc = grub_crypto_rsa_pad (&hashmpi, hash, sig.pkcs7.hash, pk->mpis[0]);
|
|
|
5593c8 |
+ if (rc)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ err = grub_error (GRUB_ERR_BAD_SIGNATURE,
|
|
|
5593c8 |
+ N_("Error padding hash for RSA verification: %d"),
|
|
|
5593c8 |
+ rc);
|
|
|
5593c8 |
+ goto cleanup;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ rc = _gcry_pubkey_spec_rsa.verify (0, hashmpi, &sig.pkcs7.sig_mpi,
|
|
|
5593c8 |
+ pk->mpis, NULL, NULL);
|
|
|
5593c8 |
+ gcry_mpi_release (hashmpi);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (rc == 0)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ grub_dprintf ("appendedsig", "verify with key '%s' succeeded\n",
|
|
|
5593c8 |
+ pk->subject);
|
|
|
5593c8 |
+ err = GRUB_ERR_NONE;
|
|
|
5593c8 |
+ break;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_dprintf ("appendedsig", "verify with key '%s' failed with %d\n",
|
|
|
5593c8 |
+ pk->subject, rc);
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ /* If we didn't verify, provide a neat message */
|
|
|
5593c8 |
+ if (err != GRUB_ERR_NONE)
|
|
|
5593c8 |
+ err = grub_error (GRUB_ERR_BAD_SIGNATURE,
|
|
|
5593c8 |
+ N_("Failed to verify signature against a trusted key"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+cleanup:
|
|
|
5593c8 |
+ grub_free (context);
|
|
|
5593c8 |
+ pkcs7_signedData_release (&sig.pkcs7);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ return err;
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_err_t
|
|
|
5593c8 |
+grub_cmd_verify_signature (grub_command_t cmd __attribute__((unused)),
|
|
|
5593c8 |
+ int argc, char **args)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ grub_file_t f;
|
|
|
5593c8 |
+ grub_err_t err = GRUB_ERR_NONE;
|
|
|
5593c8 |
+ grub_uint8_t *data;
|
|
|
5593c8 |
+ grub_ssize_t read_size;
|
|
|
5593c8 |
+ grub_off_t file_size, total_read_size = 0;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (argc < 1)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_dprintf ("appendedsig", "verifying %s\n", args[0]);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ f = grub_file_open (args[0], GRUB_FILE_TYPE_VERIFY_SIGNATURE);
|
|
|
5593c8 |
+ if (!f)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ err = grub_errno;
|
|
|
5593c8 |
+ goto cleanup;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ file_size = grub_file_size (f);
|
|
|
5593c8 |
+ if (file_size == GRUB_FILE_SIZE_UNKNOWN)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|
|
5593c8 |
+ N_("Cannot verify the signature of a file of unknown size"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ data = grub_malloc (file_size);
|
|
|
5593c8 |
+ if (!data)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
|
|
5593c8 |
+ N_("Could not allocate data buffer size "
|
|
|
5593c8 |
+ PRIuGRUB_UINT64_T " for verification"), file_size);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ while (total_read_size < file_size)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ read_size =
|
|
|
5593c8 |
+ grub_file_read (f, &data[total_read_size],
|
|
|
5593c8 |
+ file_size - total_read_size);
|
|
|
5593c8 |
+ if (read_size < 0)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ err = grub_error (GRUB_ERR_READ_ERROR,
|
|
|
5593c8 |
+ N_("Error reading file to verify"));
|
|
|
5593c8 |
+ goto cleanup_data;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+ total_read_size += read_size;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ err = grub_verify_appended_signature (data, file_size);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+cleanup_data:
|
|
|
5593c8 |
+ grub_free (data);
|
|
|
5593c8 |
+cleanup:
|
|
|
5593c8 |
+ if (f)
|
|
|
5593c8 |
+ grub_file_close (f);
|
|
|
5593c8 |
+ return err;
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_err_t
|
|
|
5593c8 |
+grub_cmd_distrust (grub_command_t cmd __attribute__((unused)),
|
|
|
5593c8 |
+ int argc, char **args)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ unsigned long cert_num, i;
|
|
|
5593c8 |
+ struct x509_certificate *cert, *prev;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (argc != 1)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("One argument expected"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_errno = GRUB_ERR_NONE;
|
|
|
5593c8 |
+ cert_num = grub_strtoul (args[0], NULL, 10);
|
|
|
5593c8 |
+ if (grub_errno != GRUB_ERR_NONE)
|
|
|
5593c8 |
+ return grub_errno;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (cert_num < 1)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|
|
5593c8 |
+ N_("Certificate number too small - numbers start at 1"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (cert_num == 1)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ cert = grub_trusted_key;
|
|
|
5593c8 |
+ grub_trusted_key = cert->next;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ certificate_release (cert);
|
|
|
5593c8 |
+ grub_free (cert);
|
|
|
5593c8 |
+ return GRUB_ERR_NONE;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+ i = 2;
|
|
|
5593c8 |
+ prev = grub_trusted_key;
|
|
|
5593c8 |
+ cert = grub_trusted_key->next;
|
|
|
5593c8 |
+ while (cert)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ if (i == cert_num)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ prev->next = cert->next;
|
|
|
5593c8 |
+ certificate_release (cert);
|
|
|
5593c8 |
+ grub_free (cert);
|
|
|
5593c8 |
+ return GRUB_ERR_NONE;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+ i++;
|
|
|
5593c8 |
+ prev = cert;
|
|
|
5593c8 |
+ cert = cert->next;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|
|
5593c8 |
+ N_("No certificate number %d found - only %d certificates in the store"),
|
|
|
5593c8 |
+ cert_num, i - 1);
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_err_t
|
|
|
5593c8 |
+grub_cmd_trust (grub_command_t cmd __attribute__((unused)),
|
|
|
5593c8 |
+ int argc, char **args)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ grub_file_t certf;
|
|
|
5593c8 |
+ struct x509_certificate *cert = NULL;
|
|
|
5593c8 |
+ grub_err_t err;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ if (argc != 1)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ certf = grub_file_open (args[0],
|
|
|
5593c8 |
+ GRUB_FILE_TYPE_CERTIFICATE_TRUST
|
|
|
5593c8 |
+ | GRUB_FILE_TYPE_NO_DECOMPRESS);
|
|
|
5593c8 |
+ if (!certf)
|
|
|
5593c8 |
+ return grub_errno;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ cert = grub_zalloc (sizeof (struct x509_certificate));
|
|
|
5593c8 |
+ if (!cert)
|
|
|
5593c8 |
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
|
|
5593c8 |
+ N_("Could not allocate memory for certificate"));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ err = read_cert_from_file (certf, cert);
|
|
|
5593c8 |
+ grub_file_close (certf);
|
|
|
5593c8 |
+ if (err != GRUB_ERR_NONE)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ grub_free (cert);
|
|
|
5593c8 |
+ return err;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+ grub_dprintf ("appendedsig", "Loaded certificate with CN: %s\n",
|
|
|
5593c8 |
+ cert->subject);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ cert->next = grub_trusted_key;
|
|
|
5593c8 |
+ grub_trusted_key = cert;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ return GRUB_ERR_NONE;
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_err_t
|
|
|
5593c8 |
+grub_cmd_list (grub_command_t cmd __attribute__((unused)),
|
|
|
5593c8 |
+ int argc __attribute__((unused)),
|
|
|
5593c8 |
+ char **args __attribute__((unused)))
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ struct x509_certificate *cert;
|
|
|
5593c8 |
+ int cert_num = 1;
|
|
|
5593c8 |
+ grub_size_t i;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ for (cert = grub_trusted_key; cert; cert = cert->next)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ grub_printf (N_("Certificate %d:\n"), cert_num);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_printf (N_("\tSerial: "));
|
|
|
5593c8 |
+ for (i = 0; i < cert->serial_len - 1; i++)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ grub_printf ("%02x:", cert->serial[i]);
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+ grub_printf ("%02x\n", cert->serial[cert->serial_len - 1]);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_printf ("\tCN: %s\n\n", cert->subject);
|
|
|
5593c8 |
+ cert_num++;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ return GRUB_ERR_NONE;
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_err_t
|
|
|
5593c8 |
+appendedsig_init (grub_file_t io __attribute__((unused)),
|
|
|
5593c8 |
+ enum grub_file_type type,
|
|
|
5593c8 |
+ void **context __attribute__((unused)),
|
|
|
5593c8 |
+ enum grub_verify_flags *flags)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ if (!check_sigs)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
|
|
5593c8 |
+ return GRUB_ERR_NONE;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ switch (type & GRUB_FILE_TYPE_MASK)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ case GRUB_FILE_TYPE_CERTIFICATE_TRUST:
|
|
|
5593c8 |
+ /*
|
|
|
5593c8 |
+ * This is a certificate to add to trusted keychain.
|
|
|
5593c8 |
+ *
|
|
|
5593c8 |
+ * This needs to be verified or blocked. Ideally we'd write an x509
|
|
|
5593c8 |
+ * verifier, but we lack the hubris required to take this on. Instead,
|
|
|
5593c8 |
+ * require that it have an appended signature.
|
|
|
5593c8 |
+ */
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ /* Fall through */
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ case GRUB_FILE_TYPE_LINUX_KERNEL:
|
|
|
5593c8 |
+ case GRUB_FILE_TYPE_GRUB_MODULE:
|
|
|
5593c8 |
+ /*
|
|
|
5593c8 |
+ * Appended signatures are only defined for ELF binaries.
|
|
|
5593c8 |
+ * Out of an abundance of caution, we only verify Linux kernels and
|
|
|
5593c8 |
+ * GRUB modules at this point.
|
|
|
5593c8 |
+ */
|
|
|
5593c8 |
+ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
|
|
|
5593c8 |
+ return GRUB_ERR_NONE;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ case GRUB_FILE_TYPE_ACPI_TABLE:
|
|
|
5593c8 |
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
|
|
|
5593c8 |
+ /*
|
|
|
5593c8 |
+ * It is possible to use appended signature verification without
|
|
|
5593c8 |
+ * lockdown - like the PGP verifier. When combined with an embedded
|
|
|
5593c8 |
+ * config file in a signed grub binary, this could still be a meaningful
|
|
|
5593c8 |
+ * secure-boot chain - so long as it isn't subverted by something like a
|
|
|
5593c8 |
+ * rouge ACPI table or DT image. Defer them explicitly.
|
|
|
5593c8 |
+ */
|
|
|
5593c8 |
+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
|
|
|
5593c8 |
+ return GRUB_ERR_NONE;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ default:
|
|
|
5593c8 |
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
|
|
5593c8 |
+ return GRUB_ERR_NONE;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_err_t
|
|
|
5593c8 |
+appendedsig_write (void *ctxt __attribute__((unused)),
|
|
|
5593c8 |
+ void *buf, grub_size_t size)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ return grub_verify_appended_signature (buf, size);
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+struct grub_file_verifier grub_appendedsig_verifier = {
|
|
|
5593c8 |
+ .name = "appendedsig",
|
|
|
5593c8 |
+ .init = appendedsig_init,
|
|
|
5593c8 |
+ .write = appendedsig_write,
|
|
|
5593c8 |
+};
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_ssize_t
|
|
|
5593c8 |
+pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ grub_memcpy (buf, (grub_uint8_t *) file->data + file->offset, len);
|
|
|
5593c8 |
+ return len;
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+/* Filesystem descriptor. */
|
|
|
5593c8 |
+static struct grub_fs pseudo_fs = {
|
|
|
5593c8 |
+ .name = "pseudo",
|
|
|
5593c8 |
+ .fs_read = pseudo_read
|
|
|
5593c8 |
+};
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+static grub_command_t cmd_verify, cmd_list, cmd_distrust, cmd_trust;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+GRUB_MOD_INIT (appendedsig)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ int rc;
|
|
|
5593c8 |
+ struct grub_module_header *header;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ /* If in lockdown, immediately enter forced mode */
|
|
|
5593c8 |
+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
|
|
|
5593c8 |
+ check_sigs = 2;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_trusted_key = NULL;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_register_variable_hook ("check_appended_signatures",
|
|
|
5593c8 |
+ grub_env_read_sec,
|
|
|
5593c8 |
+ grub_env_write_sec);
|
|
|
5593c8 |
+ grub_env_export ("check_appended_signatures");
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ rc = asn1_init ();
|
|
|
5593c8 |
+ if (rc)
|
|
|
5593c8 |
+ grub_fatal ("Error initing ASN.1 data structures: %d: %s\n", rc,
|
|
|
5593c8 |
+ asn1_strerror (rc));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ FOR_MODULES (header)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ struct grub_file pseudo_file;
|
|
|
5593c8 |
+ struct x509_certificate *pk = NULL;
|
|
|
5593c8 |
+ grub_err_t err;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ /* Not an ELF module, skip. */
|
|
|
5593c8 |
+ if (header->type != OBJ_TYPE_X509_PUBKEY)
|
|
|
5593c8 |
+ continue;
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
|
|
|
5593c8 |
+ pseudo_file.fs = &pseudo_fs;
|
|
|
5593c8 |
+ pseudo_file.size = header->size - sizeof (struct grub_module_header);
|
|
|
5593c8 |
+ pseudo_file.data = (char *) header + sizeof (struct grub_module_header);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_dprintf ("appendedsig",
|
|
|
5593c8 |
+ "Found an x509 key, size=%" PRIuGRUB_UINT64_T "\n",
|
|
|
5593c8 |
+ pseudo_file.size);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ pk = grub_zalloc (sizeof (struct x509_certificate));
|
|
|
5593c8 |
+ if (!pk)
|
|
|
5593c8 |
+ {
|
|
|
5593c8 |
+ grub_fatal ("Out of memory loading initial certificates");
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ err = read_cert_from_file (&pseudo_file, pk);
|
|
|
5593c8 |
+ if (err != GRUB_ERR_NONE)
|
|
|
5593c8 |
+ grub_fatal ("Error loading initial key: %s", grub_errmsg);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_dprintf ("appendedsig", "loaded certificate CN='%s'\n", pk->subject);
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ pk->next = grub_trusted_key;
|
|
|
5593c8 |
+ grub_trusted_key = pk;
|
|
|
5593c8 |
+ }
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ cmd_trust =
|
|
|
5593c8 |
+ grub_register_command ("trust_certificate", grub_cmd_trust,
|
|
|
5593c8 |
+ N_("X509_CERTIFICATE"),
|
|
|
5593c8 |
+ N_("Add X509_CERTIFICATE to trusted certificates."));
|
|
|
5593c8 |
+ cmd_list =
|
|
|
5593c8 |
+ grub_register_command ("list_certificates", grub_cmd_list, 0,
|
|
|
5593c8 |
+ N_("Show the list of trusted x509 certificates."));
|
|
|
5593c8 |
+ cmd_verify =
|
|
|
5593c8 |
+ grub_register_command ("verify_appended", grub_cmd_verify_signature,
|
|
|
5593c8 |
+ N_("FILE"),
|
|
|
5593c8 |
+ N_("Verify FILE against the trusted x509 certificates."));
|
|
|
5593c8 |
+ cmd_distrust =
|
|
|
5593c8 |
+ grub_register_command ("distrust_certificate", grub_cmd_distrust,
|
|
|
5593c8 |
+ N_("CERT_NUMBER"),
|
|
|
5593c8 |
+ N_("Remove CERT_NUMBER (as listed by list_certificates) from trusted certificates."));
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_verifier_register (&grub_appendedsig_verifier);
|
|
|
5593c8 |
+ grub_dl_set_persistent (mod);
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+GRUB_MOD_FINI (appendedsig)
|
|
|
5593c8 |
+{
|
|
|
5593c8 |
+ /*
|
|
|
5593c8 |
+ * grub_dl_set_persistent should prevent this from actually running, but
|
|
|
5593c8 |
+ * it does still run under emu.
|
|
|
5593c8 |
+ */
|
|
|
5593c8 |
+
|
|
|
5593c8 |
+ grub_verifier_unregister (&grub_appendedsig_verifier);
|
|
|
5593c8 |
+ grub_unregister_command (cmd_verify);
|
|
|
5593c8 |
+ grub_unregister_command (cmd_list);
|
|
|
5593c8 |
+ grub_unregister_command (cmd_trust);
|
|
|
5593c8 |
+ grub_unregister_command (cmd_distrust);
|
|
|
5593c8 |
+}
|
|
|
5593c8 |
diff --git a/include/grub/file.h b/include/grub/file.h
|
|
|
5593c8 |
index 31567483ccf..96827a4f896 100644
|
|
|
5593c8 |
--- a/include/grub/file.h
|
|
|
5593c8 |
+++ b/include/grub/file.h
|
|
|
5593c8 |
@@ -80,6 +80,8 @@ enum grub_file_type
|
|
|
5593c8 |
GRUB_FILE_TYPE_PUBLIC_KEY,
|
|
|
5593c8 |
/* File holding public key to add to trused keys. */
|
|
|
5593c8 |
GRUB_FILE_TYPE_PUBLIC_KEY_TRUST,
|
|
|
5593c8 |
+ /* File holding x509 certificiate to add to trusted keys. */
|
|
|
5593c8 |
+ GRUB_FILE_TYPE_CERTIFICATE_TRUST,
|
|
|
5593c8 |
/* File of which we intend to print a blocklist to the user. */
|
|
|
5593c8 |
GRUB_FILE_TYPE_PRINT_BLOCKLIST,
|
|
|
5593c8 |
/* File we intend to use for test loading or testing speed. */
|