Blame SOURCES/0194-appended-signatures-support-verifying-appended-signa.patch

5593c8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
5593c8
From: Daniel Axtens <dja@axtens.net>
5593c8
Date: Thu, 30 Jul 2020 01:35:43 +1000
5593c8
Subject: [PATCH] appended signatures: support verifying appended signatures
5593c8
5593c8
Building on the parsers and the ability to embed x509 certificates, as
5593c8
well as the existing gcrypt functionality, add a module for verifying
5593c8
appended signatures.
5593c8
5593c8
This includes a verifier that requires that Linux kernels and grub modules
5593c8
have appended signatures, and commands to manage the list of trusted
5593c8
certificates for verification.
5593c8
5593c8
Verification must be enabled by setting check_appended_signatures. If
5593c8
GRUB is locked down when the module is loaded, verification will be
5593c8
enabled and locked automatically.
5593c8
5593c8
As with the PGP verifier, it is not a complete secure-boot solution:
5593c8
other mechanisms, such as a password or lockdown, must be used to ensure
5593c8
that a user cannot drop to the grub shell and disable verification.
5593c8
5593c8
Signed-off-by: Daniel Axtens <dja@axtens.net>
5593c8
---
5593c8
 grub-core/Makefile.core.def                  |  12 +
5593c8
 grub-core/commands/appendedsig/appendedsig.c | 645 +++++++++++++++++++++++++++
5593c8
 include/grub/file.h                          |   2 +
5593c8
 3 files changed, 659 insertions(+)
5593c8
 create mode 100644 grub-core/commands/appendedsig/appendedsig.c
5593c8
5593c8
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
d3c3ab
index b4aaccf7b57..77321d218c8 100644
5593c8
--- a/grub-core/Makefile.core.def
5593c8
+++ b/grub-core/Makefile.core.def
5593c8
@@ -980,6 +980,18 @@ module = {
5593c8
   cppflags = '-I$(srcdir)/lib/posix_wrap';
5593c8
 };
5593c8
 
5593c8
+module = {
5593c8
+  name = appendedsig;
5593c8
+  common = commands/appendedsig/appendedsig.c;
5593c8
+  common = commands/appendedsig/x509.c;
5593c8
+  common = commands/appendedsig/pkcs7.c;
5593c8
+  common = commands/appendedsig/asn1util.c;
5593c8
+  common = commands/appendedsig/gnutls_asn1_tab.c;
5593c8
+  common = commands/appendedsig/pkix_asn1_tab.c;
5593c8
+  cflags = '$(CFLAGS_POSIX)';
5593c8
+  cppflags = '-I$(srcdir)/lib/posix_wrap';
5593c8
+};
5593c8
+
5593c8
 module = {
5593c8
   name = hdparm;
5593c8
   common = commands/hdparm.c;
5593c8
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
5593c8
new file mode 100644
d3c3ab
index 00000000000..dc294cd339e
5593c8
--- /dev/null
5593c8
+++ b/grub-core/commands/appendedsig/appendedsig.c
5593c8
@@ -0,0 +1,645 @@
5593c8
+/*
5593c8
+ *  GRUB  --  GRand Unified Bootloader
5593c8
+ *  Copyright (C) 2020-2021  IBM Corporation.
5593c8
+ *
5593c8
+ *  GRUB is free software: you can redistribute it and/or modify
5593c8
+ *  it under the terms of the GNU General Public License as published by
5593c8
+ *  the Free Software Foundation, either version 3 of the License, or
5593c8
+ *  (at your option) any later version.
5593c8
+ *
5593c8
+ *  GRUB is distributed in the hope that it will be useful,
5593c8
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
5593c8
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
5593c8
+ *  GNU General Public License for more details.
5593c8
+ *
5593c8
+ *  You should have received a copy of the GNU General Public License
5593c8
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
5593c8
+ */
5593c8
+
5593c8
+#include <grub/types.h>
5593c8
+#include <grub/misc.h>
5593c8
+#include <grub/mm.h>
5593c8
+#include <grub/err.h>
5593c8
+#include <grub/dl.h>
5593c8
+#include <grub/file.h>
5593c8
+#include <grub/command.h>
5593c8
+#include <grub/crypto.h>
5593c8
+#include <grub/pkcs1_v15.h>
5593c8
+#include <grub/i18n.h>
5593c8
+#include <grub/gcrypt/gcrypt.h>
5593c8
+#include <grub/kernel.h>
5593c8
+#include <grub/extcmd.h>
5593c8
+#include <grub/verify.h>
5593c8
+#include <grub/libtasn1.h>
5593c8
+#include <grub/env.h>
5593c8
+#include <grub/lockdown.h>
5593c8
+
5593c8
+#include "appendedsig.h"
5593c8
+
5593c8
+GRUB_MOD_LICENSE ("GPLv3+");
5593c8
+
5593c8
+const char magic[] = "~Module signature appended~\n";
5593c8
+
5593c8
+/*
5593c8
+ * This structure is extracted from scripts/sign-file.c in the linux kernel
5593c8
+ * source. It was licensed as LGPLv2.1+, which is GPLv3+ compatible.
5593c8
+ */
5593c8
+struct module_signature
5593c8
+{
5593c8
+  grub_uint8_t algo;		/* Public-key crypto algorithm [0] */
5593c8
+  grub_uint8_t hash;		/* Digest algorithm [0] */
5593c8
+  grub_uint8_t id_type;		/* Key identifier type [PKEY_ID_PKCS7] */
5593c8
+  grub_uint8_t signer_len;	/* Length of signer's name [0] */
5593c8
+  grub_uint8_t key_id_len;	/* Length of key identifier [0] */
5593c8
+  grub_uint8_t __pad[3];
5593c8
+  grub_uint32_t sig_len;	/* Length of signature data */
5593c8
+} GRUB_PACKED;
5593c8
+
5593c8
+
5593c8
+/* This represents an entire, parsed, appended signature */
5593c8
+struct grub_appended_signature
5593c8
+{
5593c8
+  grub_size_t signature_len;		/* Length of PKCS#7 data +
5593c8
+                                         * metadata + magic */
5593c8
+
5593c8
+  struct module_signature sig_metadata;	/* Module signature metadata */
5593c8
+  struct pkcs7_signedData pkcs7;	/* Parsed PKCS#7 data */
5593c8
+};
5593c8
+
5593c8
+/* Trusted certificates for verifying appended signatures */
5593c8
+struct x509_certificate *grub_trusted_key;
5593c8
+
5593c8
+/*
5593c8
+ * Force gcry_rsa to be a module dependency.
5593c8
+ *
5593c8
+ * If we use grub_crypto_pk_rsa, then then the gcry_rsa module won't be built
5593c8
+ * in if you add 'appendedsig' to grub-install --modules. You would need to
5593c8
+ * add 'gcry_rsa' too. That's confusing and seems suboptimal, especially when
5593c8
+ * we only support RSA.
5593c8
+ *
5593c8
+ * Dynamic loading also causes some concerns. We can't load gcry_rsa from the
5593c8
+ * the filesystem after we install the verifier - we won't be able to verify
5593c8
+ * it without having it already present. We also shouldn't load it before we
5593c8
+ * install the verifier, because that would mean it wouldn't be verified - an
5593c8
+ * attacker could insert any code they wanted into the module.
5593c8
+ *
5593c8
+ * So instead, reference the internal symbol from gcry_rsa. That creates a
5593c8
+ * direct dependency on gcry_rsa, so it will be built in when this module
5593c8
+ * is built in. Being built in (assuming the core image is itself signed!)
5593c8
+ * also resolves our concerns about loading from the filesystem.
5593c8
+ */
5593c8
+extern gcry_pk_spec_t _gcry_pubkey_spec_rsa;
5593c8
+
5593c8
+static int check_sigs = 0;
5593c8
+
5593c8
+static const char *
5593c8
+grub_env_read_sec (struct grub_env_var *var __attribute__ ((unused)),
5593c8
+                   const char *val __attribute__ ((unused)))
5593c8
+{
5593c8
+  if (check_sigs == 2)
5593c8
+    return "forced";
5593c8
+  else if (check_sigs == 1)
5593c8
+    return "enforce";
5593c8
+  else
5593c8
+    return "no";
5593c8
+}
5593c8
+
5593c8
+static char *
5593c8
+grub_env_write_sec (struct grub_env_var *var __attribute__((unused)),
5593c8
+		    const char *val)
5593c8
+{
5593c8
+  /* Do not allow the value to be changed if set to forced */
5593c8
+  if (check_sigs == 2)
5593c8
+    return grub_strdup ("forced");
5593c8
+
5593c8
+  if ((*val == '2') || (*val == 'f'))
5593c8
+    check_sigs = 2;
5593c8
+  else if ((*val == '1') || (*val == 'e'))
5593c8
+    check_sigs = 1;
5593c8
+  else if ((*val == '0') || (*val == 'n'))
5593c8
+    check_sigs = 0;
5593c8
+
5593c8
+  return grub_strdup (grub_env_read_sec (NULL, NULL));
5593c8
+}
5593c8
+
5593c8
+static grub_err_t
5593c8
+read_cert_from_file (grub_file_t f, struct x509_certificate *certificate)
5593c8
+{
5593c8
+  grub_err_t err;
5593c8
+  grub_uint8_t *buf = NULL;
5593c8
+  grub_ssize_t read_size;
5593c8
+  grub_off_t total_read_size = 0;
5593c8
+  grub_off_t file_size = grub_file_size (f);
5593c8
+
5593c8
+
5593c8
+  if (file_size == GRUB_FILE_SIZE_UNKNOWN)
5593c8
+    return grub_error (GRUB_ERR_BAD_ARGUMENT,
5593c8
+		       N_("Cannot parse a certificate file of unknown size"));
5593c8
+
5593c8
+  buf = grub_zalloc (file_size);
5593c8
+  if (!buf)
5593c8
+    return grub_error (GRUB_ERR_OUT_OF_MEMORY,
5593c8
+		       N_("Could not allocate buffer for certificate file contents"));
5593c8
+
5593c8
+  while (total_read_size < file_size)
5593c8
+    {
5593c8
+      read_size =
5593c8
+	grub_file_read (f, &buf[total_read_size],
5593c8
+			file_size - total_read_size);
5593c8
+      if (read_size < 0)
5593c8
+	{
5593c8
+	  err = grub_error (GRUB_ERR_READ_ERROR,
5593c8
+			    N_("Error reading certificate file"));
5593c8
+	  goto cleanup_buf;
5593c8
+	}
5593c8
+      total_read_size += read_size;
5593c8
+    }
5593c8
+
5593c8
+  err = certificate_import (buf, total_read_size, certificate);
5593c8
+  if (err != GRUB_ERR_NONE)
5593c8
+    goto cleanup_buf;
5593c8
+
5593c8
+  return GRUB_ERR_NONE;
5593c8
+
5593c8
+cleanup_buf:
5593c8
+  grub_free (buf);
5593c8
+  return err;
5593c8
+}
5593c8
+
5593c8
+static grub_err_t
5593c8
+extract_appended_signature (grub_uint8_t * buf, grub_size_t bufsize,
5593c8
+			    struct grub_appended_signature *sig)
5593c8
+{
5593c8
+  grub_err_t err;
5593c8
+  grub_size_t pkcs7_size;
5593c8
+  grub_size_t remaining_len;
5593c8
+  grub_uint8_t *appsigdata = buf + bufsize - grub_strlen (magic);
5593c8
+
5593c8
+  if (bufsize < grub_strlen (magic))
5593c8
+    return grub_error (GRUB_ERR_BAD_SIGNATURE,
5593c8
+		       N_("File too short for signature magic"));
5593c8
+
5593c8
+  if (grub_memcmp (appsigdata, (grub_uint8_t *) magic, grub_strlen (magic)))
5593c8
+    return grub_error (GRUB_ERR_BAD_SIGNATURE,
5593c8
+		       N_("Missing or invalid signature magic"));
5593c8
+
5593c8
+  remaining_len = bufsize - grub_strlen (magic);
5593c8
+
5593c8
+  if (remaining_len < sizeof (struct module_signature))
5593c8
+    return grub_error (GRUB_ERR_BAD_SIGNATURE,
5593c8
+		       N_("File too short for signature metadata"));
5593c8
+
5593c8
+  appsigdata -= sizeof (struct module_signature);
5593c8
+
5593c8
+  /* extract the metadata */
5593c8
+  grub_memcpy (&(sig->sig_metadata), appsigdata,
5593c8
+	       sizeof (struct module_signature));
5593c8
+
5593c8
+  remaining_len -= sizeof (struct module_signature);
5593c8
+
5593c8
+  if (sig->sig_metadata.id_type != 2)
5593c8
+    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("Wrong signature type"));
5593c8
+
5593c8
+#ifdef GRUB_TARGET_WORDS_BIGENDIAN
5593c8
+  pkcs7_size = sig->sig_metadata.sig_len;
5593c8
+#else
5593c8
+  pkcs7_size = __builtin_bswap32 (sig->sig_metadata.sig_len);
5593c8
+#endif
5593c8
+
5593c8
+  if (pkcs7_size > remaining_len)
5593c8
+    return grub_error (GRUB_ERR_BAD_SIGNATURE,
5593c8
+		       N_("File too short for PKCS#7 message"));
5593c8
+
5593c8
+  grub_dprintf ("appendedsig", "sig len %" PRIuGRUB_SIZE "\n", pkcs7_size);
5593c8
+
5593c8
+  sig->signature_len =
5593c8
+    grub_strlen (magic) + sizeof (struct module_signature) + pkcs7_size;
5593c8
+
5593c8
+  /* rewind pointer and parse pkcs7 data */
5593c8
+  appsigdata -= pkcs7_size;
5593c8
+
5593c8
+  err = parse_pkcs7_signedData (appsigdata, pkcs7_size, &sig->pkcs7);
5593c8
+  if (err != GRUB_ERR_NONE)
5593c8
+    return err;
5593c8
+
5593c8
+  return GRUB_ERR_NONE;
5593c8
+}
5593c8
+
5593c8
+static grub_err_t
5593c8
+grub_verify_appended_signature (grub_uint8_t * buf, grub_size_t bufsize)
5593c8
+{
5593c8
+  grub_err_t err = GRUB_ERR_NONE;
5593c8
+  grub_size_t datasize;
5593c8
+  void *context;
5593c8
+  unsigned char *hash;
5593c8
+  gcry_mpi_t hashmpi;
5593c8
+  gcry_err_code_t rc;
5593c8
+  struct x509_certificate *pk;
5593c8
+  struct grub_appended_signature sig;
5593c8
+
5593c8
+  if (!grub_trusted_key)
5593c8
+    return grub_error (GRUB_ERR_BAD_SIGNATURE,
5593c8
+		       N_("No trusted keys to verify against"));
5593c8
+
5593c8
+  err = extract_appended_signature (buf, bufsize, &sig);
5593c8
+  if (err != GRUB_ERR_NONE)
5593c8
+    return err;
5593c8
+
5593c8
+  datasize = bufsize - sig.signature_len;
5593c8
+
5593c8
+  context = grub_zalloc (sig.pkcs7.hash->contextsize);
5593c8
+  if (!context)
5593c8
+    return grub_errno;
5593c8
+
5593c8
+  sig.pkcs7.hash->init (context);
5593c8
+  sig.pkcs7.hash->write (context, buf, datasize);
5593c8
+  sig.pkcs7.hash->final (context);
5593c8
+  hash = sig.pkcs7.hash->read (context);
5593c8
+  grub_dprintf ("appendedsig",
5593c8
+		"data size %" PRIxGRUB_SIZE ", hash %02x%02x%02x%02x...\n",
5593c8
+		datasize, hash[0], hash[1], hash[2], hash[3]);
5593c8
+
5593c8
+  err = GRUB_ERR_BAD_SIGNATURE;
5593c8
+  for (pk = grub_trusted_key; pk; pk = pk->next)
5593c8
+    {
5593c8
+      rc = grub_crypto_rsa_pad (&hashmpi, hash, sig.pkcs7.hash, pk->mpis[0]);
5593c8
+      if (rc)
5593c8
+	{
5593c8
+	  err = grub_error (GRUB_ERR_BAD_SIGNATURE,
5593c8
+			    N_("Error padding hash for RSA verification: %d"),
5593c8
+			    rc);
5593c8
+	  goto cleanup;
5593c8
+	}
5593c8
+
5593c8
+      rc = _gcry_pubkey_spec_rsa.verify (0, hashmpi, &sig.pkcs7.sig_mpi,
5593c8
+					 pk->mpis, NULL, NULL);
5593c8
+      gcry_mpi_release (hashmpi);
5593c8
+
5593c8
+      if (rc == 0)
5593c8
+	{
5593c8
+	  grub_dprintf ("appendedsig", "verify with key '%s' succeeded\n",
5593c8
+			pk->subject);
5593c8
+	  err = GRUB_ERR_NONE;
5593c8
+	  break;
5593c8
+	}
5593c8
+
5593c8
+      grub_dprintf ("appendedsig", "verify with key '%s' failed with %d\n",
5593c8
+		    pk->subject, rc);
5593c8
+    }
5593c8
+
5593c8
+  /* If we didn't verify, provide a neat message */
5593c8
+  if (err != GRUB_ERR_NONE)
5593c8
+      err = grub_error (GRUB_ERR_BAD_SIGNATURE,
5593c8
+			N_("Failed to verify signature against a trusted key"));
5593c8
+
5593c8
+cleanup:
5593c8
+  grub_free (context);
5593c8
+  pkcs7_signedData_release (&sig.pkcs7);
5593c8
+
5593c8
+  return err;
5593c8
+}
5593c8
+
5593c8
+static grub_err_t
5593c8
+grub_cmd_verify_signature (grub_command_t cmd __attribute__((unused)),
5593c8
+			   int argc, char **args)
5593c8
+{
5593c8
+  grub_file_t f;
5593c8
+  grub_err_t err = GRUB_ERR_NONE;
5593c8
+  grub_uint8_t *data;
5593c8
+  grub_ssize_t read_size;
5593c8
+  grub_off_t file_size, total_read_size = 0;
5593c8
+
5593c8
+  if (argc < 1)
5593c8
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
5593c8
+
5593c8
+  grub_dprintf ("appendedsig", "verifying %s\n", args[0]);
5593c8
+
5593c8
+  f = grub_file_open (args[0], GRUB_FILE_TYPE_VERIFY_SIGNATURE);
5593c8
+  if (!f)
5593c8
+    {
5593c8
+      err = grub_errno;
5593c8
+      goto cleanup;
5593c8
+    }
5593c8
+
5593c8
+  file_size = grub_file_size (f);
5593c8
+  if (file_size == GRUB_FILE_SIZE_UNKNOWN)
5593c8
+    return grub_error (GRUB_ERR_BAD_ARGUMENT,
5593c8
+		       N_("Cannot verify the signature of a file of unknown size"));
5593c8
+
5593c8
+  data = grub_malloc (file_size);
5593c8
+  if (!data)
5593c8
+    return grub_error (GRUB_ERR_OUT_OF_MEMORY,
5593c8
+		       N_("Could not allocate data buffer size "
5593c8
+		       PRIuGRUB_UINT64_T " for verification"), file_size);
5593c8
+
5593c8
+  while (total_read_size < file_size)
5593c8
+    {
5593c8
+      read_size =
5593c8
+	grub_file_read (f, &data[total_read_size],
5593c8
+			file_size - total_read_size);
5593c8
+      if (read_size < 0)
5593c8
+	{
5593c8
+	  err = grub_error (GRUB_ERR_READ_ERROR,
5593c8
+			    N_("Error reading file to verify"));
5593c8
+	  goto cleanup_data;
5593c8
+	}
5593c8
+      total_read_size += read_size;
5593c8
+    }
5593c8
+
5593c8
+  err = grub_verify_appended_signature (data, file_size);
5593c8
+
5593c8
+cleanup_data:
5593c8
+  grub_free (data);
5593c8
+cleanup:
5593c8
+  if (f)
5593c8
+    grub_file_close (f);
5593c8
+  return err;
5593c8
+}
5593c8
+
5593c8
+static grub_err_t
5593c8
+grub_cmd_distrust (grub_command_t cmd __attribute__((unused)),
5593c8
+		   int argc, char **args)
5593c8
+{
5593c8
+  unsigned long cert_num, i;
5593c8
+  struct x509_certificate *cert, *prev;
5593c8
+
5593c8
+  if (argc != 1)
5593c8
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("One argument expected"));
5593c8
+
5593c8
+  grub_errno = GRUB_ERR_NONE;
5593c8
+  cert_num = grub_strtoul (args[0], NULL, 10);
5593c8
+  if (grub_errno != GRUB_ERR_NONE)
5593c8
+    return grub_errno;
5593c8
+
5593c8
+  if (cert_num < 1)
5593c8
+    return grub_error (GRUB_ERR_BAD_ARGUMENT,
5593c8
+		       N_("Certificate number too small - numbers start at 1"));
5593c8
+
5593c8
+  if (cert_num == 1)
5593c8
+    {
5593c8
+      cert = grub_trusted_key;
5593c8
+      grub_trusted_key = cert->next;
5593c8
+
5593c8
+      certificate_release (cert);
5593c8
+      grub_free (cert);
5593c8
+      return GRUB_ERR_NONE;
5593c8
+    }
5593c8
+  i = 2;
5593c8
+  prev = grub_trusted_key;
5593c8
+  cert = grub_trusted_key->next;
5593c8
+  while (cert)
5593c8
+    {
5593c8
+      if (i == cert_num)
5593c8
+	{
5593c8
+	  prev->next = cert->next;
5593c8
+	  certificate_release (cert);
5593c8
+	  grub_free (cert);
5593c8
+	  return GRUB_ERR_NONE;
5593c8
+	}
5593c8
+      i++;
5593c8
+      prev = cert;
5593c8
+      cert = cert->next;
5593c8
+    }
5593c8
+
5593c8
+  return grub_error (GRUB_ERR_BAD_ARGUMENT,
5593c8
+		     N_("No certificate number %d found - only %d certificates in the store"),
5593c8
+		     cert_num, i - 1);
5593c8
+}
5593c8
+
5593c8
+static grub_err_t
5593c8
+grub_cmd_trust (grub_command_t cmd __attribute__((unused)),
5593c8
+		int argc, char **args)
5593c8
+{
5593c8
+  grub_file_t certf;
5593c8
+  struct x509_certificate *cert = NULL;
5593c8
+  grub_err_t err;
5593c8
+
5593c8
+  if (argc != 1)
5593c8
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
5593c8
+
5593c8
+  certf = grub_file_open (args[0],
5593c8
+			  GRUB_FILE_TYPE_CERTIFICATE_TRUST
5593c8
+			  | GRUB_FILE_TYPE_NO_DECOMPRESS);
5593c8
+  if (!certf)
5593c8
+    return grub_errno;
5593c8
+
5593c8
+
5593c8
+  cert = grub_zalloc (sizeof (struct x509_certificate));
5593c8
+  if (!cert)
5593c8
+    return grub_error (GRUB_ERR_OUT_OF_MEMORY,
5593c8
+		       N_("Could not allocate memory for certificate"));
5593c8
+
5593c8
+  err = read_cert_from_file (certf, cert);
5593c8
+  grub_file_close (certf);
5593c8
+  if (err != GRUB_ERR_NONE)
5593c8
+    {
5593c8
+      grub_free (cert);
5593c8
+      return err;
5593c8
+    }
5593c8
+  grub_dprintf ("appendedsig", "Loaded certificate with CN: %s\n",
5593c8
+		cert->subject);
5593c8
+
5593c8
+  cert->next = grub_trusted_key;
5593c8
+  grub_trusted_key = cert;
5593c8
+
5593c8
+  return GRUB_ERR_NONE;
5593c8
+}
5593c8
+
5593c8
+static grub_err_t
5593c8
+grub_cmd_list (grub_command_t cmd __attribute__((unused)),
5593c8
+	       int argc __attribute__((unused)),
5593c8
+	       char **args __attribute__((unused)))
5593c8
+{
5593c8
+  struct x509_certificate *cert;
5593c8
+  int cert_num = 1;
5593c8
+  grub_size_t i;
5593c8
+
5593c8
+  for (cert = grub_trusted_key; cert; cert = cert->next)
5593c8
+    {
5593c8
+      grub_printf (N_("Certificate %d:\n"), cert_num);
5593c8
+
5593c8
+      grub_printf (N_("\tSerial: "));
5593c8
+      for (i = 0; i < cert->serial_len - 1; i++)
5593c8
+	{
5593c8
+	  grub_printf ("%02x:", cert->serial[i]);
5593c8
+	}
5593c8
+      grub_printf ("%02x\n", cert->serial[cert->serial_len - 1]);
5593c8
+
5593c8
+      grub_printf ("\tCN: %s\n\n", cert->subject);
5593c8
+      cert_num++;
5593c8
+
5593c8
+    }
5593c8
+
5593c8
+  return GRUB_ERR_NONE;
5593c8
+}
5593c8
+
5593c8
+static grub_err_t
5593c8
+appendedsig_init (grub_file_t io __attribute__((unused)),
5593c8
+		  enum grub_file_type type,
5593c8
+		  void **context __attribute__((unused)),
5593c8
+		  enum grub_verify_flags *flags)
5593c8
+{
5593c8
+  if (!check_sigs)
5593c8
+    {
5593c8
+      *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
5593c8
+      return GRUB_ERR_NONE;
5593c8
+    }
5593c8
+
5593c8
+  switch (type & GRUB_FILE_TYPE_MASK)
5593c8
+    {
5593c8
+    case GRUB_FILE_TYPE_CERTIFICATE_TRUST:
5593c8
+      /*
5593c8
+       * This is a certificate to add to trusted keychain.
5593c8
+       *
5593c8
+       * This needs to be verified or blocked. Ideally we'd write an x509
5593c8
+       * verifier, but we lack the hubris required to take this on. Instead,
5593c8
+       * require that it have an appended signature.
5593c8
+       */
5593c8
+
5593c8
+      /* Fall through */
5593c8
+
5593c8
+    case GRUB_FILE_TYPE_LINUX_KERNEL:
5593c8
+    case GRUB_FILE_TYPE_GRUB_MODULE:
5593c8
+      /*
5593c8
+       * Appended signatures are only defined for ELF binaries.
5593c8
+       * Out of an abundance of caution, we only verify Linux kernels and
5593c8
+       * GRUB modules at this point.
5593c8
+       */
5593c8
+      *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
5593c8
+      return GRUB_ERR_NONE;
5593c8
+
5593c8
+    case GRUB_FILE_TYPE_ACPI_TABLE:
5593c8
+    case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
5593c8
+      /*
5593c8
+       * It is possible to use appended signature verification without
5593c8
+       * lockdown - like the PGP verifier. When combined with an embedded
5593c8
+       * config file in a signed grub binary, this could still be a meaningful
5593c8
+       * secure-boot chain - so long as it isn't subverted by something like a
5593c8
+       * rouge ACPI table or DT image. Defer them explicitly.
5593c8
+       */
5593c8
+      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
5593c8
+      return GRUB_ERR_NONE;
5593c8
+
5593c8
+    default:
5593c8
+      *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
5593c8
+      return GRUB_ERR_NONE;
5593c8
+    }
5593c8
+}
5593c8
+
5593c8
+static grub_err_t
5593c8
+appendedsig_write (void *ctxt __attribute__((unused)),
5593c8
+		   void *buf, grub_size_t size)
5593c8
+{
5593c8
+  return grub_verify_appended_signature (buf, size);
5593c8
+}
5593c8
+
5593c8
+struct grub_file_verifier grub_appendedsig_verifier = {
5593c8
+  .name = "appendedsig",
5593c8
+  .init = appendedsig_init,
5593c8
+  .write = appendedsig_write,
5593c8
+};
5593c8
+
5593c8
+static grub_ssize_t
5593c8
+pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
5593c8
+{
5593c8
+  grub_memcpy (buf, (grub_uint8_t *) file->data + file->offset, len);
5593c8
+  return len;
5593c8
+}
5593c8
+
5593c8
+/* Filesystem descriptor.  */
5593c8
+static struct grub_fs pseudo_fs = {
5593c8
+  .name = "pseudo",
5593c8
+  .fs_read = pseudo_read
5593c8
+};
5593c8
+
5593c8
+static grub_command_t cmd_verify, cmd_list, cmd_distrust, cmd_trust;
5593c8
+
5593c8
+GRUB_MOD_INIT (appendedsig)
5593c8
+{
5593c8
+  int rc;
5593c8
+  struct grub_module_header *header;
5593c8
+
5593c8
+  /* If in lockdown, immediately enter forced mode */
5593c8
+  if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
5593c8
+    check_sigs = 2;
5593c8
+
5593c8
+  grub_trusted_key = NULL;
5593c8
+
5593c8
+  grub_register_variable_hook ("check_appended_signatures",
5593c8
+  			       grub_env_read_sec,
5593c8
+			       grub_env_write_sec);
5593c8
+  grub_env_export ("check_appended_signatures");
5593c8
+
5593c8
+  rc = asn1_init ();
5593c8
+  if (rc)
5593c8
+    grub_fatal ("Error initing ASN.1 data structures: %d: %s\n", rc,
5593c8
+		asn1_strerror (rc));
5593c8
+
5593c8
+  FOR_MODULES (header)
5593c8
+  {
5593c8
+    struct grub_file pseudo_file;
5593c8
+    struct x509_certificate *pk = NULL;
5593c8
+    grub_err_t err;
5593c8
+
5593c8
+    /* Not an ELF module, skip.  */
5593c8
+    if (header->type != OBJ_TYPE_X509_PUBKEY)
5593c8
+      continue;
5593c8
+
5593c8
+    grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
5593c8
+    pseudo_file.fs = &pseudo_fs;
5593c8
+    pseudo_file.size = header->size - sizeof (struct grub_module_header);
5593c8
+    pseudo_file.data = (char *) header + sizeof (struct grub_module_header);
5593c8
+
5593c8
+    grub_dprintf ("appendedsig",
5593c8
+		  "Found an x509 key, size=%" PRIuGRUB_UINT64_T "\n",
5593c8
+		  pseudo_file.size);
5593c8
+
5593c8
+    pk = grub_zalloc (sizeof (struct x509_certificate));
5593c8
+    if (!pk)
5593c8
+      {
5593c8
+	grub_fatal ("Out of memory loading initial certificates");
5593c8
+      }
5593c8
+
5593c8
+    err = read_cert_from_file (&pseudo_file, pk);
5593c8
+    if (err != GRUB_ERR_NONE)
5593c8
+      grub_fatal ("Error loading initial key: %s", grub_errmsg);
5593c8
+
5593c8
+    grub_dprintf ("appendedsig", "loaded certificate CN='%s'\n", pk->subject);
5593c8
+
5593c8
+    pk->next = grub_trusted_key;
5593c8
+    grub_trusted_key = pk;
5593c8
+  }
5593c8
+
5593c8
+  cmd_trust =
5593c8
+    grub_register_command ("trust_certificate", grub_cmd_trust,
5593c8
+			   N_("X509_CERTIFICATE"),
5593c8
+			   N_("Add X509_CERTIFICATE to trusted certificates."));
5593c8
+  cmd_list =
5593c8
+    grub_register_command ("list_certificates", grub_cmd_list, 0,
5593c8
+			   N_("Show the list of trusted x509 certificates."));
5593c8
+  cmd_verify =
5593c8
+    grub_register_command ("verify_appended", grub_cmd_verify_signature,
5593c8
+			   N_("FILE"),
5593c8
+			   N_("Verify FILE against the trusted x509 certificates."));
5593c8
+  cmd_distrust =
5593c8
+    grub_register_command ("distrust_certificate", grub_cmd_distrust,
5593c8
+			   N_("CERT_NUMBER"),
5593c8
+			   N_("Remove CERT_NUMBER (as listed by list_certificates) from trusted certificates."));
5593c8
+
5593c8
+  grub_verifier_register (&grub_appendedsig_verifier);
5593c8
+  grub_dl_set_persistent (mod);
5593c8
+}
5593c8
+
5593c8
+GRUB_MOD_FINI (appendedsig)
5593c8
+{
5593c8
+  /*
5593c8
+   * grub_dl_set_persistent should prevent this from actually running, but
5593c8
+   * it does still run under emu.
5593c8
+   */
5593c8
+
5593c8
+  grub_verifier_unregister (&grub_appendedsig_verifier);
5593c8
+  grub_unregister_command (cmd_verify);
5593c8
+  grub_unregister_command (cmd_list);
5593c8
+  grub_unregister_command (cmd_trust);
5593c8
+  grub_unregister_command (cmd_distrust);
5593c8
+}
5593c8
diff --git a/include/grub/file.h b/include/grub/file.h
d3c3ab
index 31567483ccf..96827a4f896 100644
5593c8
--- a/include/grub/file.h
5593c8
+++ b/include/grub/file.h
5593c8
@@ -80,6 +80,8 @@ enum grub_file_type
5593c8
     GRUB_FILE_TYPE_PUBLIC_KEY,
5593c8
     /* File holding public key to add to trused keys.  */
5593c8
     GRUB_FILE_TYPE_PUBLIC_KEY_TRUST,
5593c8
+    /* File holding x509 certificiate to add to trusted keys.  */
5593c8
+    GRUB_FILE_TYPE_CERTIFICATE_TRUST,
5593c8
     /* File of which we intend to print a blocklist to the user.  */
5593c8
     GRUB_FILE_TYPE_PRINT_BLOCKLIST,
5593c8
     /* File we intend to use for test loading or testing speed.  */