Blame SOURCES/0364-grub-install-support-embedding-x509-certificates.patch

80913e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e
From: Alastair D'Silva <alastair@d-silva.org>
80913e
Date: Mon, 6 Jul 2020 13:33:04 +1000
80913e
Subject: [PATCH] grub-install: support embedding x509 certificates
80913e
80913e
To support verification of appended signatures, we need a way to
80913e
embed the necessary public keys. Existing appended signature schemes
80913e
in the Linux kernel use X.509 certificates, so allow certificates to
80913e
be embedded in the grub core image in the same way as PGP keys.
80913e
80913e
Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
80913e
Signed-off-by: Daniel Axtens <dja@axtens.net>
80913e
---
80913e
 grub-core/commands/pgp.c    |  2 +-
80913e
 util/grub-install-common.c  | 23 ++++++++++++++++++++++-
80913e
 util/grub-mkimage.c         | 15 +++++++++++++--
80913e
 util/mkimage.c              | 41 ++++++++++++++++++++++++++++++++++++++---
80913e
 include/grub/kernel.h       |  3 ++-
80913e
 include/grub/util/install.h |  7 +++++--
80913e
 6 files changed, 81 insertions(+), 10 deletions(-)
80913e
80913e
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
b32e65
index 75de32c2a..55d354be0 100644
80913e
--- a/grub-core/commands/pgp.c
80913e
+++ b/grub-core/commands/pgp.c
80913e
@@ -944,7 +944,7 @@ GRUB_MOD_INIT(pgp)
80913e
     grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
80913e
 
80913e
     /* Not an ELF module, skip.  */
80913e
-    if (header->type != OBJ_TYPE_PUBKEY)
80913e
+    if (header->type != OBJ_TYPE_GPG_PUBKEY)
80913e
       continue;
80913e
 
80913e
     pseudo_file.fs = &pseudo_fs;
80913e
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
b32e65
index 561e671ff..fa6b65347 100644
80913e
--- a/util/grub-install-common.c
80913e
+++ b/util/grub-install-common.c
80913e
@@ -302,6 +302,8 @@ handle_install_list (struct install_list *il, const char *val,
80913e
 
80913e
 static char **pubkeys;
80913e
 static size_t npubkeys;
80913e
+static char **x509keys;
80913e
+static size_t nx509keys;
80913e
 static grub_compression_t compression;
80913e
 static size_t appsig_size;
80913e
 
80913e
@@ -334,6 +336,12 @@ grub_install_parse (int key, char *arg)
80913e
 			  * (npubkeys + 1));
80913e
       pubkeys[npubkeys++] = xstrdup (arg);
80913e
       return 1;
80913e
+    case 'x':
80913e
+      x509keys = xrealloc (x509keys,
80913e
+			  sizeof (x509keys[0])
80913e
+			  * (nx509keys + 1));
80913e
+      x509keys[nx509keys++] = xstrdup (arg);
80913e
+      return 1;
80913e
 
80913e
     case GRUB_INSTALL_OPTIONS_VERBOSITY:
80913e
       verbosity++;
80913e
@@ -460,6 +468,9 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
80913e
   for (pk = pubkeys; pk < pubkeys + npubkeys; pk++)
80913e
     slen += 20 + grub_strlen (*pk);
80913e
 
80913e
+  for (pk = x509keys; pk < x509keys + nx509keys; pk++)
80913e
+    slen += 10 + grub_strlen (*pk);
80913e
+
80913e
   for (md = modules.entries; *md; md++)
80913e
     {
80913e
       slen += 10 + grub_strlen (*md);
80913e
@@ -488,6 +499,14 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
80913e
       *p++ = ' ';
80913e
     }
80913e
 
80913e
+  for (pk = x509keys; pk < x509keys + nx509keys; pk++)
80913e
+    {
80913e
+      p = grub_stpcpy (p, "--x509 '");
80913e
+      p = grub_stpcpy (p, *pk);
80913e
+      *p++ = '\'';
80913e
+      *p++ = ' ';
80913e
+    }
80913e
+
80913e
   for (md = modules.entries; *md; md++)
80913e
     {
80913e
       *p++ = '\'';
80913e
@@ -515,7 +534,9 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
80913e
 
80913e
   grub_install_generate_image (dir, prefix, fp, outname,
80913e
 			       modules.entries, memdisk_path,
80913e
-			       pubkeys, npubkeys, config_path, tgt,
80913e
+			       pubkeys, npubkeys,
80913e
+			       x509keys, nx509keys,
80913e
+			       config_path, tgt,
80913e
 			       note, appsig_size, compression, dtb);
80913e
   while (dc--)
80913e
     grub_install_pop_module ();
80913e
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
b32e65
index 65a015d8a..394d2dc5f 100644
80913e
--- a/util/grub-mkimage.c
80913e
+++ b/util/grub-mkimage.c
80913e
@@ -75,7 +75,8 @@ static struct argp_option options[] = {
80913e
    /* TRANSLATORS: "embed" is a verb (command description).  "*/
80913e
   {"config",   'c', N_("FILE"), 0, N_("embed FILE as an early config"), 0},
80913e
    /* TRANSLATORS: "embed" is a verb (command description).  "*/
80913e
-  {"pubkey",   'k', N_("FILE"), 0, N_("embed FILE as public key for signature checking"), 0},
80913e
+  {"pubkey",   'k', N_("FILE"), 0, N_("embed FILE as public key for PGP signature checking"), 0},
80913e
+  {"x509",     'x', N_("FILE"), 0, N_("embed FILE as an x509 certificate for appended signature checking"), 0},
80913e
   /* TRANSLATORS: NOTE is a name of segment.  */
80913e
   {"note",   'n', 0, 0, N_("add NOTE segment for CHRP IEEE1275"), 0},
80913e
   {"output",  'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0},
80913e
@@ -122,6 +123,8 @@ struct arguments
80913e
   char *dtb;
80913e
   char **pubkeys;
80913e
   size_t npubkeys;
80913e
+  char **x509keys;
80913e
+  size_t nx509keys;
80913e
   char *font;
80913e
   char *config;
80913e
   int note;
80913e
@@ -202,6 +205,13 @@ argp_parser (int key, char *arg, struct argp_state *state)
80913e
       arguments->pubkeys[arguments->npubkeys++] = xstrdup (arg);
80913e
       break;
80913e
 
80913e
+    case 'x':
80913e
+      arguments->x509keys = xrealloc (arguments->x509keys,
80913e
+				      sizeof (arguments->x509keys[0])
80913e
+				      * (arguments->nx509keys + 1));
80913e
+      arguments->x509keys[arguments->nx509keys++] = xstrdup (arg);
80913e
+      break;
80913e
+
80913e
     case 'c':
80913e
       if (arguments->config)
80913e
 	free (arguments->config);
80913e
@@ -317,7 +327,8 @@ main (int argc, char *argv[])
80913e
   grub_install_generate_image (arguments.dir, arguments.prefix, fp,
80913e
 			       arguments.output, arguments.modules,
80913e
 			       arguments.memdisk, arguments.pubkeys,
80913e
-			       arguments.npubkeys, arguments.config,
80913e
+			       arguments.npubkeys, arguments.x509keys,
80913e
+			       arguments.nx509keys, arguments.config,
80913e
 			       arguments.image_target, arguments.note,
80913e
 			       arguments.appsig_size,
80913e
 			       arguments.comp, arguments.dtb);
80913e
diff --git a/util/mkimage.c b/util/mkimage.c
b32e65
index a81120f26..2529de4bb 100644
80913e
--- a/util/mkimage.c
80913e
+++ b/util/mkimage.c
80913e
@@ -774,8 +774,10 @@ grub_install_get_image_targets_string (void)
80913e
 void
80913e
 grub_install_generate_image (const char *dir, const char *prefix,
80913e
 			     FILE *out, const char *outname, char *mods[],
80913e
-			     char *memdisk_path, char **pubkey_paths,
80913e
-			     size_t npubkeys, char *config_path,
80913e
+			     char *memdisk_path,
80913e
+			     char **pubkey_paths, size_t npubkeys,
80913e
+			     char **x509key_paths, size_t nx509keys,
80913e
+			     char *config_path,
80913e
 			     const struct grub_install_image_target_desc *image_target,
80913e
 			     int note, size_t appsig_size, grub_compression_t comp, const char *dtb_path)
80913e
 {
80913e
@@ -819,6 +821,19 @@ grub_install_generate_image (const char *dir, const char *prefix,
80913e
       }
80913e
   }
80913e
 
80913e
+  {
80913e
+    size_t i;
80913e
+    for (i = 0; i < nx509keys; i++)
80913e
+      {
80913e
+	size_t curs;
80913e
+	curs = ALIGN_ADDR (grub_util_get_image_size (x509key_paths[i]));
80913e
+	grub_util_info ("the size of x509 public key %u is 0x%"
80913e
+			GRUB_HOST_PRIxLONG_LONG,
80913e
+			(unsigned) i, (unsigned long long) curs);
80913e
+	total_module_size += curs + sizeof (struct grub_module_header);
80913e
+      }
80913e
+  }
80913e
+
80913e
   if (memdisk_path)
80913e
     {
80913e
       memdisk_size = ALIGN_UP(grub_util_get_image_size (memdisk_path), 512);
80913e
@@ -933,7 +948,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
80913e
 	curs = grub_util_get_image_size (pubkey_paths[i]);
80913e
 
80913e
 	header = (struct grub_module_header *) (kernel_img + offset);
80913e
-	header->type = grub_host_to_target32 (OBJ_TYPE_PUBKEY);
80913e
+	header->type = grub_host_to_target32 (OBJ_TYPE_GPG_PUBKEY);
80913e
 	header->size = grub_host_to_target32 (curs + sizeof (*header));
80913e
 	offset += sizeof (*header);
80913e
 
80913e
@@ -942,6 +957,26 @@ grub_install_generate_image (const char *dir, const char *prefix,
80913e
       }
80913e
   }
80913e
 
80913e
+  {
80913e
+    size_t i;
80913e
+    for (i = 0; i < nx509keys; i++)
80913e
+      {
80913e
+	size_t curs;
80913e
+	struct grub_module_header *header;
80913e
+
80913e
+	curs = grub_util_get_image_size (x509key_paths[i]);
80913e
+
80913e
+	header = (struct grub_module_header *) (kernel_img + offset);
80913e
+	header->type = grub_host_to_target32 (OBJ_TYPE_X509_PUBKEY);
80913e
+	header->size = grub_host_to_target32 (curs + sizeof (*header));
80913e
+	offset += sizeof (*header);
80913e
+
80913e
+	grub_util_load_image (x509key_paths[i], kernel_img + offset);
80913e
+	offset += ALIGN_ADDR (curs);
80913e
+      }
80913e
+  }
80913e
+
80913e
+
80913e
   if (memdisk_path)
80913e
     {
80913e
       struct grub_module_header *header;
80913e
diff --git a/include/grub/kernel.h b/include/grub/kernel.h
b32e65
index 9548d552a..75a057d46 100644
80913e
--- a/include/grub/kernel.h
80913e
+++ b/include/grub/kernel.h
80913e
@@ -28,7 +28,8 @@ enum
80913e
   OBJ_TYPE_MEMDISK,
80913e
   OBJ_TYPE_CONFIG,
80913e
   OBJ_TYPE_PREFIX,
80913e
-  OBJ_TYPE_PUBKEY,
80913e
+  OBJ_TYPE_GPG_PUBKEY,
80913e
+  OBJ_TYPE_X509_PUBKEY,
80913e
   OBJ_TYPE_DTB
80913e
 };
80913e
 
80913e
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
b32e65
index ba5e6a2ea..95059285b 100644
80913e
--- a/include/grub/util/install.h
80913e
+++ b/include/grub/util/install.h
80913e
@@ -63,6 +63,8 @@
80913e
     /* TRANSLATORS: "embed" is a verb (command description).  "*/	\
80913e
   { "pubkey",   'k', N_("FILE"), 0,					\
80913e
       N_("embed FILE as public key for signature checking"), 0},	\
80913e
+  { "x509key",   'x', N_("FILE"), 0,					\
80913e
+      N_("embed FILE as an x509 certificate for signature checking"), 0}, \
80913e
   { "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
80913e
     "SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
80913e
     1},                                                                 \
80913e
@@ -179,8 +181,9 @@ void
80913e
 grub_install_generate_image (const char *dir, const char *prefix,
80913e
 			     FILE *out,
80913e
 			     const char *outname, char *mods[],
80913e
-			     char *memdisk_path, char **pubkey_paths,
80913e
-			     size_t npubkeys,
80913e
+			     char *memdisk_path,
80913e
+			     char **pubkey_paths, size_t npubkeys,
80913e
+			     char **x509key_paths, size_t nx509keys,
80913e
 			     char *config_path,
80913e
 			     const struct grub_install_image_target_desc *image_target,
80913e
 			     int note, size_t appsig_size,