pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY

Prior to the addition of X.509 public key support for appended signatures,
the current PGP signature relied on the GPG public key. Change the enum name
from "OBJ_TYPE_PUBKEY" to "OBJ_TYPE_GPG_PUBKEY" to differentiate between X.509
certificate based appended signatures and GPG certificate based PGP signatures.

Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Sudhakar Kuppusamy 2025-10-06 12:54:48 +05:30 committed by Daniel Kiper
parent f826cc8b0e
commit aefe0de22e
5 changed files with 21 additions and 21 deletions

@ -3357,8 +3357,8 @@ entry when selected.
@node check_signatures @node check_signatures
@subsection check_signatures @subsection check_signatures
This variable controls whether GRUB enforces digital signature This variable controls whether GRUB enforces GPG-style digital signature
validation on loaded files. @xref{Using digital signatures}. validation on loaded files. @xref{Using GPG-style digital signatures}.
@node chosen @node chosen
@subsection chosen @subsection chosen
@ -7054,7 +7054,7 @@ These keys are used to validate signatures when environment variable
@code{check_signatures} is set to @code{enforce} @code{check_signatures} is set to @code{enforce}
(@pxref{check_signatures}), and by some invocations of (@pxref{check_signatures}), and by some invocations of
@command{verify_detached} (@pxref{verify_detached}). @xref{Using @command{verify_detached} (@pxref{verify_detached}). @xref{Using
digital signatures}, for more information. GPG-style digital signatures}, for more information.
@end deffn @end deffn
@node drivemap @node drivemap
@ -7470,7 +7470,7 @@ The output is in GPG's v4 key fingerprint format (i.e., the output of
@code{gpg --fingerprint}). The least significant four bytes (last @code{gpg --fingerprint}). The least significant four bytes (last
eight hexadecimal digits) can be used as an argument to eight hexadecimal digits) can be used as an argument to
@command{distrust} (@pxref{distrust}). @command{distrust} (@pxref{distrust}).
@xref{Using digital signatures}, for more information about uses for @xref{Using GPG-style digital signatures}, for more information about uses for
these keys. these keys.
@end deffn @end deffn
@ -7505,7 +7505,7 @@ When used with care, @option{--skip-sig} and the whitelist enable an
administrator to configure a system to boot only signed administrator to configure a system to boot only signed
configurations, but to allow the user to select from among multiple configurations, but to allow the user to select from among multiple
configurations, and to enable ``one-shot'' boot attempts and configurations, and to enable ``one-shot'' boot attempts and
``savedefault'' behavior. @xref{Using digital signatures}, for more ``savedefault'' behavior. @xref{Using GPG-style digital signatures}, for more
information. information.
@end deffn @end deffn
@ -7877,7 +7877,7 @@ read. It is possible to modify a digitally signed environment block
file from within GRUB using this command, such that its signature will file from within GRUB using this command, such that its signature will
no longer be valid on subsequent boots. Care should be taken in such no longer be valid on subsequent boots. Care should be taken in such
advanced configurations to avoid rendering the system advanced configurations to avoid rendering the system
unbootable. @xref{Using digital signatures}, for more information. unbootable. @xref{Using GPG-style digital signatures}, for more information.
@end deffn @end deffn
@ -8367,7 +8367,7 @@ signatures when environment variable @code{check_signatures} is set to
must itself be properly signed. The @option{--skip-sig} option can be must itself be properly signed. The @option{--skip-sig} option can be
used to disable signature-checking when reading @var{pubkey_file} used to disable signature-checking when reading @var{pubkey_file}
itself. It is expected that @option{--skip-sig} is useful for testing itself. It is expected that @option{--skip-sig} is useful for testing
and manual booting. @xref{Using digital signatures}, for more and manual booting. @xref{Using GPG-style digital signatures}, for more
information. information.
@end deffn @end deffn
@ -8440,7 +8440,7 @@ tried.
Exit code @code{$?} is set to 0 if the signature validates Exit code @code{$?} is set to 0 if the signature validates
successfully. If validation fails, it is set to a non-zero value. successfully. If validation fails, it is set to a non-zero value.
@xref{Using digital signatures}, for more information. @xref{Using GPG-style digital signatures}, for more information.
@end deffn @end deffn
@node videoinfo @node videoinfo
@ -8901,7 +8901,7 @@ environment variables and commands are listed in the same order.
@menu @menu
* Authentication and authorisation:: Users and access control * Authentication and authorisation:: Users and access control
* Using digital signatures:: Booting digitally signed code * Using GPG-style digital signatures:: Booting digitally signed code
* UEFI secure boot and shim:: Booting digitally signed PE files * UEFI secure boot and shim:: Booting digitally signed PE files
* Secure Boot Advanced Targeting:: Embedded information for generation number based revocation * Secure Boot Advanced Targeting:: Embedded information for generation number based revocation
* Measured Boot:: Measuring boot components * Measured Boot:: Measuring boot components
@ -8982,8 +8982,8 @@ generating configuration files with authentication. You can use
adding @kbd{set superusers=} and @kbd{password} or @kbd{password_pbkdf2} adding @kbd{set superusers=} and @kbd{password} or @kbd{password_pbkdf2}
commands. commands.
@node Using digital signatures @node Using GPG-style digital signatures
@section Using digital signatures in GRUB @section Using GPG-style digital signatures in GRUB
GRUB's @file{core.img} can optionally provide enforcement that all files GRUB's @file{core.img} can optionally provide enforcement that all files
subsequently read from disk are covered by a valid digital signature. subsequently read from disk are covered by a valid digital signature.
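
Review bot: Renaming the node at `@node Using digital signatures` drops the old node name entirely, so any reference to that name from outside this file stops resolving; consider keeping it reachable by adding `@anchor{Using digital signatures}` under the new `@node` line. The unchanged opening sentence right after the new `@section` title still says "a valid digital signature" without the GPG qualifier the title now carries, so it is worth aligning the wording while this section is being touched.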

@ -920,7 +920,7 @@ GRUB_MOD_INIT(pgp)
grub_memset (&pseudo_file, 0, sizeof (pseudo_file)); grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
/* Not an ELF module, skip. */ /* Not an ELF module, skip. */
if (header->type != OBJ_TYPE_PUBKEY) if (header->type != OBJ_TYPE_GPG_PUBKEY)
continue; continue;
pseudo_file.fs = &pseudo_fs; pseudo_file.fs = &pseudo_fs;
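
Review bot: The comment `/* Not an ELF module, skip. */` directly above the renamed check does not describe what the condition tests, since `header->type != OBJ_TYPE_GPG_PUBKEY` skips every module header that is not an embedded GPG public key. The line below it is already being changed, so update the comment in the same patch, for example to `/* Not a GPG public key, skip. */`.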

@ -28,7 +28,7 @@ enum
OBJ_TYPE_MEMDISK, OBJ_TYPE_MEMDISK,
OBJ_TYPE_CONFIG, OBJ_TYPE_CONFIG,
OBJ_TYPE_PREFIX, OBJ_TYPE_PREFIX,
OBJ_TYPE_PUBKEY, OBJ_TYPE_GPG_PUBKEY,
OBJ_TYPE_DTB, OBJ_TYPE_DTB,
OBJ_TYPE_DISABLE_SHIM_LOCK, OBJ_TYPE_DISABLE_SHIM_LOCK,
OBJ_TYPE_DISABLE_CLI OBJ_TYPE_DISABLE_CLI
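
Review bot: The enum members here have no explicit values, so `OBJ_TYPE_GPG_PUBKEY` keeps the numeric value of `OBJ_TYPE_PUBKEY` only because it stays in the same slot between `OBJ_TYPE_PREFIX` and `OBJ_TYPE_DTB`, and nothing in the hunk documents that. The mkimage hunk in this commit writes this value into `header->type`, so a short comment on the member stating that it marks a GPG public key for PGP signature checking, and that members must not be reordered, would protect the later X.509 addition the commit message refers to.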

@ -75,7 +75,7 @@ static struct argp_option options[] = {
/* TRANSLATORS: "embed" is a verb (command description). "*/ /* TRANSLATORS: "embed" is a verb (command description). "*/
{"config", 'c', N_("FILE"), 0, N_("embed FILE as an early config"), 0}, {"config", 'c', N_("FILE"), 0, N_("embed FILE as an early config"), 0},
/* TRANSLATORS: "embed" is a verb (command description). "*/ /* TRANSLATORS: "embed" is a verb (command description). "*/
{"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for signature checking"), 0}, {"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for PGP signature checking"), 0},
/* TRANSLATORS: NOTE is a name of segment. */ /* TRANSLATORS: NOTE is a name of segment. */
{"note", 'n', 0, 0, N_("add NOTE segment for CHRP IEEE1275"), 0}, {"note", 'n', 0, 0, N_("add NOTE segment for CHRP IEEE1275"), 0},
{"output", 'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0}, {"output", 'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0},
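
Review bot: The new help text for `--pubkey` says "PGP signature checking", while the manual changes in this same commit consistently say "GPG-style digital signatures" and the enum is now `OBJ_TYPE_GPG_PUBKEY`. Settle on one term for the user-facing strings so the option help and the manual match; the string sits inside `N_()`, so every wording change also invalidates the existing translations and is better made once.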

@ -1056,7 +1056,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
curs = grub_util_get_image_size (pubkey_paths[i]); curs = grub_util_get_image_size (pubkey_paths[i]);
header = (struct grub_module_header *) (kernel_img + offset); header = (struct grub_module_header *) (kernel_img + offset);
header->type = grub_host_to_target32 (OBJ_TYPE_PUBKEY); header->type = grub_host_to_target32 (OBJ_TYPE_GPG_PUBKEY);
header->size = grub_host_to_target32 (curs + sizeof (*header)); header->size = grub_host_to_target32 (curs + sizeof (*header));
offset += sizeof (*header); offset += sizeof (*header);
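
Review bot: Only the constant is renamed in this loop, so `pubkey_paths[i]` keeps its generic name even though every entry is now tagged `OBJ_TYPE_GPG_PUBKEY`. Since the commit message gives the coming X.509 key support as the reason for the rename, either rename the array in the same way or add a comment here that these paths are GPG public keys, so a later X.509 path list is not confused with it.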