vbatts/grub
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Import gcrypt public-key cryptography and implement signature checking.

Browse source
This commit is contained in:
Vladimir 'phcoder' Serbinenko 2013-01-11 21:32:42 +01:00
parent 535714bdcf
commit 5e3b8dcbb5
238 changed files with 40500 additions and 417 deletions
Download patch file Download diff file Expand all files Collapse all files

50
util/grub-mkimage.c
View file

@ -701,8 +701,8 @@ struct fixup_block_list
static void
generate_image (const char *dir, const char *prefix,
FILE *out, const char *outname, char *mods[],
char *memdisk_path, char *config_path,
struct image_target_desc *image_target, int note,
char *memdisk_path, char **pubkey_paths, size_t npubkeys,
char *config_path, struct image_target_desc *image_target, int note,
grub_compression_t comp)
{
char *kernel_img, *core_img;
@ -734,6 +734,18 @@ generate_image (const char *dir, const char *prefix,
else
total_module_size = sizeof (struct grub_module_info32);
{
size_t i;
for (i = 0; i < npubkeys; i++)
{
size_t curs;
curs = ALIGN_ADDR (grub_util_get_image_size (pubkey_paths[i]));
grub_util_info ("the size of public key is 0x%llx",
(unsigned long long) pubkey_paths[i]);
total_module_size += curs + sizeof (struct grub_module_header);
}
}
if (memdisk_path)
{
memdisk_size = ALIGN_UP(grub_util_get_image_size (memdisk_path), 512);
@ -835,6 +847,26 @@ generate_image (const char *dir, const char *prefix,
offset += mod_size;
}
{
size_t i;
for (i = 0; i < npubkeys; i++)
{
size_t curs;
struct grub_module_header *header;
curs = grub_util_get_image_size (pubkey_paths[i]);
header = (struct grub_module_header *) (kernel_img + offset);
memset (header, 0, sizeof (struct grub_module_header));
header->type = grub_host_to_target32 (OBJ_TYPE_PUBKEY);
header->size = grub_host_to_target32 (curs + sizeof (*header));
offset += sizeof (*header);
grub_util_load_image (pubkey_paths[i], kernel_img + offset);
offset += ALIGN_ADDR (curs);
}
}
if (memdisk_path)
{
struct grub_module_header *header;
@ -1654,6 +1686,8 @@ static struct argp_option options[] = {
N_("embed FILE as a memdisk image"), 0},
/* TRANSLATORS: "embed" is a verb (command description). "*/
{"config", 'c', N_("FILE"), 0, N_("embed FILE as an early config"), 0},
/* TRANSLATORS: "embed" is a verb (command description). "*/
{"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for signature checking"), 0},
/* TRANSLATORS: NOTE is a name of segment. */
{"note", 'n', 0, 0, N_("add NOTE segment for CHRP IEEE1275"), 0},
{"output", 'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0},
@ -1709,6 +1743,8 @@ struct arguments
char *dir;
char *prefix;
char *memdisk;
char **pubkeys;
size_t npubkeys;
char *font;
char *config;
int note;
@ -1771,6 +1807,13 @@ argp_parser (int key, char *arg, struct argp_state *state)
arguments->prefix = xstrdup ("(memdisk)/boot/grub");
break;
case 'k':
arguments->pubkeys = xrealloc (arguments->pubkeys,
sizeof (arguments->pubkeys[0])
* (arguments->npubkeys + 1));
arguments->pubkeys[arguments->npubkeys++] = xstrdup (arg);
break;
case 'c':
if (arguments->config)
free (arguments->config);
@ -1879,7 +1922,8 @@ main (int argc, char *argv[])
generate_image (arguments.dir, arguments.prefix ? : DEFAULT_DIRECTORY, fp,
arguments.output,
arguments.modules, arguments.memdisk, arguments.config,
arguments.modules, arguments.memdisk, arguments.pubkeys,
arguments.npubkeys, arguments.config,
arguments.image_target, arguments.note, arguments.comp);
fflush (fp);

211
util/import_gcry.py
View file

@ -39,6 +39,17 @@ try:
os.makedirs (cipher_dir_out)
except:
print ("WARNING: %s already exists" % cipher_dir_out)
mpidir = os.path.join (basedir, "mpi")
try:
os.makedirs (mpidir)
except:
print ("WARNING: %s already exists" % mpidir)
srcdir = os.path.join (basedir, "src")
try:
os.makedirs (srcdir)
except:
print ("WARNING: %s already exists" % srcdir)
cipher_files = sorted (os.listdir (cipher_dir_in))
conf = codecs.open (os.path.join ("grub-core", "Makefile.gcry.def"), "w", "utf-8")
@ -52,7 +63,7 @@ confutil.write (" cppflags = '$(CPPFLAGS_GCRY)';\n");
confutil.write (" extra_dist = grub-core/lib/libgcrypt-grub/cipher/ChangeLog;\n");
confutil.write ("\n");
chlog = ""
modules = []
modules_sym_md = []
# Strictly speaking CRC32/CRC24 work on bytes so this value should be 1
# But libgcrypt uses 64. Let's keep the value for compatibility. Since
@ -69,6 +80,8 @@ mdblocksizes = {"_gcry_digest_spec_crc32" : 64,
"_gcry_digest_spec_sha384" : 128,
"_gcry_digest_spec_sha512" : 128,
"_gcry_digest_spec_tiger" : 64,
"_gcry_digest_spec_tiger1" : 64,
"_gcry_digest_spec_tiger2" : 64,
"_gcry_digest_spec_whirlpool" : 64}
cryptolist = codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8")
@ -92,7 +105,7 @@ for cipher_file in cipher_files:
if cipher_file == "ChangeLog":
continue
chlognew = " * %s" % cipher_file
if re.match ("(Manifest|Makefile\.am|ac\.c|cipher\.c|hash-common\.c|hmac-tests\.c|md\.c|pubkey\.c)$", cipher_file):
if re.match ("(Manifest|Makefile\.am|ac\.c|cipher\.c|hash-common\.c|hmac-tests\.c|md\.c|pubkey\.c)$", cipher_file) or cipher_file == "elgamal.c" or cipher_file == "primegen.c" or cipher_file == "test-getrusage.c":
chlog = "%s%s: Removed\n" % (chlog, chlognew)
continue
# Autogenerated files. Not even worth mentionning in ChangeLog
@ -124,10 +137,12 @@ for cipher_file in cipher_files:
ciphernames = []
mdnames = []
pknames = []
hold = False
skip = False
skip2 = False
ismd = False
ispk = False
iscipher = False
iscryptostart = False
iscomma = False
@ -159,7 +174,7 @@ for cipher_file in cipher_files:
sg = s.groups()[0]
cryptolist.write (("%s: %s\n") % (sg, modname))
iscryptostart = False
if ismd or iscipher:
if ismd or iscipher or ispk:
if not re.search (" *};", line) is None:
if not iscomma:
fw.write (" ,\n")
@ -175,6 +190,7 @@ for cipher_file in cipher_files:
% mdblocksizes [mdname])
ismd = False
iscipher = False
ispk = False
iscomma = not re.search (",$", line) is None
# Used only for selftests.
m = re.match ("(static byte|static unsigned char) (weak_keys_chksum)\[[0-9]*\] =", line)
@ -190,18 +206,33 @@ for cipher_file in cipher_files:
continue
if hold:
hold = False
# We're optimising for size.
if not re.match ("(run_selftests|selftest|_gcry_aes_c.._..c|_gcry_[a-z0-9]*_hash_buffer|tripledes_set2keys|do_tripledes_set_extra_info|_gcry_rmd160_mixblock|serpent_test)", line) is None:
# We're optimising for size and exclude anything needing good
# randomness.
if not re.match ("(run_selftests|selftest|_gcry_aes_c.._..c|_gcry_[a-z0-9]*_hash_buffer|tripledes_set2keys|do_tripledes_set_extra_info|_gcry_rmd160_mixblock|serpent_test|dsa_generate_ext|test_keys|gen_k|sign|gen_x931_parm_xp|generate_x931|generate_key|dsa_generate|dsa_sign|ecc_sign|generate|generate_fips186|_gcry_register_pk_dsa_progress|_gcry_register_pk_ecc_progress|progress|scanval|ec2os|ecc_generate_ext|ecc_generate|compute_keygrip|ecc_get_param|_gcry_register_pk_dsa_progress|gen_x931_parm_xp|gen_x931_parm_xi|rsa_decrypt|rsa_sign|rsa_generate_ext|rsa_generate|secret|check_exponent|rsa_blind|rsa_unblind|extract_a_from_sexp|curve_free|curve_copy|point_set)", line) is None:
skip = True
if not re.match ("serpent_test", line) is None:
fw.write ("static const char *serpent_test (void) { return 0; }\n");
if not re.match ("dsa_generate", line) is None:
fw.write ("#define dsa_generate 0");
if not re.match ("ecc_generate", line) is None:
fw.write ("#define ecc_generate 0");
if not re.match ("rsa_generate ", line) is None:
fw.write ("#define rsa_generate 0");
if not re.match ("rsa_sign", line) is None:
fw.write ("#define rsa_sign 0");
if not re.match ("rsa_decrypt", line) is None:
fw.write ("#define rsa_decrypt 0");
if not re.match ("dsa_sign", line) is None:
fw.write ("#define dsa_sign 0");
if not re.match ("ecc_sign", line) is None:
fw.write ("#define ecc_sign 0");
fname = re.match ("[a-zA-Z0-9_]*", line).group ()
chmsg = "(%s): Removed." % fname
if nch:
chlognew = "%s\n %s" % (chlognew, chmsg)
else:
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
nch = True
continue
else:
fw.write (holdline)
@ -216,7 +247,8 @@ for cipher_file in cipher_files:
continue
m = re.match ("gcry_cipher_spec_t", line)
if isc and not m is None:
assert (not iscryptostart)
assert (not ismd)
assert (not ispk)
assert (not iscipher)
assert (not iscryptostart)
ciphername = line [len ("gcry_cipher_spec_t"):].strip ()
@ -224,9 +256,23 @@ for cipher_file in cipher_files:
ciphernames.append (ciphername)
iscipher = True
iscryptostart = True
m = re.match ("gcry_pk_spec_t", line)
if isc and not m is None:
assert (not ismd)
assert (not ispk)
assert (not iscipher)
assert (not iscryptostart)
pkname = line [len ("gcry_pk_spec_t"):].strip ()
pkname = re.match("[a-zA-Z0-9_]*",pkname).group ()
pknames.append (pkname)
ispk = True
iscryptostart = True
m = re.match ("gcry_md_spec_t", line)
if isc and not m is None:
assert (not ismd)
assert (not ispk)
assert (not iscipher)
assert (not iscryptostart)
mdname = line [len ("gcry_md_spec_t"):].strip ()
@ -245,7 +291,53 @@ for cipher_file in cipher_files:
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
m = re.match ("(static const char( |)\*|static gpg_err_code_t|void|static int|static gcry_err_code_t)$", line)
m = re.match ("static gcry_mpi_t gen_k .*;$", line)
if not m is None:
chmsg = "(gen_k): Removed declaration."
if nch:
chlognew = "%s\n %s" % (chlognew, chmsg)
else:
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
m = re.match ("static (int|void) test_keys .*;$", line)
if not m is None:
chmsg = "(test_keys): Removed declaration."
if nch:
chlognew = "%s\n %s" % (chlognew, chmsg)
else:
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
m = re.match ("static void secret .*;$", line)
if not m is None:
chmsg = "(secret): Removed declaration."
if nch:
chlognew = "%s\n %s" % (chlognew, chmsg)
else:
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
m = re.match ("static void \(\*progress_cb\).*;$", line)
if not m is None:
chmsg = "(progress_cb): Removed declaration."
if nch:
chlognew = "%s\n %s" % (chlognew, chmsg)
else:
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
m = re.match ("static void \*progress_cb_data.*;$", line)
if not m is None:
chmsg = "(progress_cb): Removed declaration."
if nch:
chlognew = "%s\n %s" % (chlognew, chmsg)
else:
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
m = re.match ("(static const char( |)\*|static gpg_err_code_t|void|static int|static gcry_err_code_t|static gcry_mpi_t|static void|void|static elliptic_curve_t) *$", line)
if not m is None:
hold = True
holdline = line
@ -257,6 +349,12 @@ for cipher_file in cipher_files:
if not m is None:
skip_statement = True
continue
m = re.match ("static void sign|static gpg_err_code_t sign|static gpg_err_code_t generate",
line)
if not m is None:
skip_statement = True
continue
m = re.match ("cipher_extra_spec_t", line)
if isc and not m is None:
skip2 = True
@ -269,6 +367,18 @@ for cipher_file in cipher_files:
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
m = re.match ("pk_extra_spec_t", line)
if isc and not m is None:
skip2 = True
fname = line[len ("pk_extra_spec_t "):]
fname = re.match ("[a-zA-Z0-9_]*", fname).group ()
chmsg = "(%s): Removed." % fname
if nch:
chlognew = "%s\n %s" % (chlognew, chmsg)
else:
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
m = re.match ("md_extra_spec_t", line)
if isc and not m is None:
skip2 = True
@ -282,13 +392,14 @@ for cipher_file in cipher_files:
nch = True
continue
fw.write (line)
if len (ciphernames) > 0 or len (mdnames) > 0:
if len (ciphernames) > 0 or len (mdnames) > 0 or len (pknames) > 0:
if isglue:
modfiles = "lib/libgcrypt-grub/cipher/%s lib/libgcrypt-grub/cipher/%s" \
% (cipher_file, cipher_file.replace ("-glue.c", ".c"))
else:
modfiles = "lib/libgcrypt-grub/cipher/%s" % cipher_file
modules.append (modname)
if len (ciphernames) > 0 or len (mdnames) > 0:
modules_sym_md.append (modname)
chmsg = "(GRUB_MOD_INIT(%s)): New function\n" % modname
if nch:
chlognew = "%s\n %s" % (chlognew, chmsg)
@ -305,6 +416,11 @@ for cipher_file in cipher_files:
chmsg = "Register digest %s" % mdname
chlognew = "%s\n %s" % (chlognew, chmsg)
fw.write (" grub_md_register (&%s);\n" % mdname)
for pkname in pknames:
chmsg = "Register pk %s" % mdname
chlognew = "%s\n %s" % (chlognew, chmsg)
fw.write (" grub_crypto_pk_%s = &%s;\n"
% (pkname.replace ("_gcry_pubkey_spec_", ""), pkname))
fw.write ("}")
chmsg = "(GRUB_MOD_FINI(%s)): New function\n" % modname
chlognew = "%s\n %s" % (chlognew, chmsg)
@ -318,13 +434,22 @@ for cipher_file in cipher_files:
chmsg = "Unregister MD %s" % mdname
chlognew = "%s\n %s" % (chlognew, chmsg)
fw.write (" grub_md_unregister (&%s);\n" % mdname)
for pkname in pknames:
chmsg = "Unregister pk %s" % mdname
chlognew = "%s\n %s" % (chlognew, chmsg)
fw.write (" grub_crypto_pk_%s = 0;\n"
% (pkname.replace ("_gcry_pubkey_spec_", "")))
fw.write ("}\n")
conf.write ("module = {\n")
conf.write (" name = %s;\n" % modname)
for src in modfiles.split():
conf.write (" common = %s;\n" % src)
confutil.write (" common = grub-core/%s;\n" % src)
if modname == "gcry_rijndael" or modname == "gcry_md4" or modname == "gcry_md5" or modname == "gcry_rmd160" or modname == "gcry_sha1" or modname == "gcry_sha256" or modname == "gcry_sha512" or modname == "gcry_tiger":
if len (ciphernames) > 0 or len (mdnames) > 0:
confutil.write (" common = grub-core/%s;\n" % src)
if modname == "gcry_ecc":
conf.write (" common = lib/libgcrypt-grub/mpi/ec.c;\n")
conf.write (" cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls -Wno-sign-compare';\n")
elif modname == "gcry_rijndael" or modname == "gcry_md4" or modname == "gcry_md5" or modname == "gcry_rmd160" or modname == "gcry_sha1" or modname == "gcry_sha256" or modname == "gcry_sha512" or modname == "gcry_tiger":
# Alignment checked by hand
conf.write (" cflags = '$(CFLAGS_GCRY) -Wno-cast-align -Wno-strict-aliasing';\n");
else:
@ -346,6 +471,62 @@ for cipher_file in cipher_files:
print ("WARNING: unknown file %s" % cipher_file)
cryptolist.close ()
for src in sorted (os.listdir (os.path.join (indir, "src"))):
if src == "versioninfo.rc.in":
continue
outfile = os.path.join (basedir, "src", src)
infile = os.path.join (indir, "src", src)
if os.path.isdir (infile):
continue
fw = codecs.open (outfile, "w", "utf-8")
if src == "gcrypt-module.h":
fw.close ()
continue
if src == "visibility.h":
fw.write ("# include <grub/gcrypt/gcrypt.h>")
fw.close ()
continue
f = codecs.open (infile, "r", "utf-8")
fw.write (f.read ())
f.close ()
fw.close ()
for src in sorted (os.listdir (os.path.join (indir, "mpi"))):
infile = os.path.join (indir, "mpi", src)
outfile = os.path.join (basedir, "mpi", src)
if os.path.isdir (infile):
continue
f = codecs.open (infile, "r", "utf-8")
fw = codecs.open (outfile, "w", "utf-8")
fw.write ("/* This file was automatically imported with \n")
fw.write (" import_gcry.py. Please don't modify it */\n")
hold = False
skip = False
for line in f:
if skip:
if line[0] == "}":
skip = False
continue
if hold:
hold = False
# We're optimising for size and exclude anything needing good
# randomness.
if not re.match ("(_gcry_mpi_get_hw_config|gcry_mpi_randomize)", line) is None:
skip = True
continue
else:
fw.write (holdline)
m = re.match ("(const char( |)\*|void) *$", line)
if not m is None:
hold = True
holdline = line
continue
m = re.match ("#include \"mod-source-info\.h\"", line)
if not m is None:
continue
fw.write (line)
chlog = "%s * crypto.lst: New file.\n" % chlog
outfile = os.path.join (cipher_dir_out, "types.h")
@ -382,21 +563,21 @@ conf.close ();
initfile = codecs.open (os.path.join (cipher_dir_out, "init.c"), "w", "utf-8")
initfile.write ("#include <grub/crypto.h>\n")
for module in modules:
for module in modules_sym_md:
initfile.write ("extern void grub_%s_init (void);\n" % module)
initfile.write ("extern void grub_%s_fini (void);\n" % module)
initfile.write ("\n")
initfile.write ("void\n")
initfile.write ("grub_gcry_init_all (void)\n")
initfile.write ("{\n")
for module in modules:
for module in modules_sym_md:
initfile.write (" grub_%s_init ();\n" % module)
initfile.write ("}\n")
initfile.write ("\n")
initfile.write ("void\n")
initfile.write ("grub_gcry_fini_all (void)\n")
initfile.write ("{\n")
for module in modules:
for module in modules_sym_md:
initfile.write (" grub_%s_fini ();\n" % module)
initfile.write ("}\n")
initfile.close ()

7
util/import_gcrypth.sed Normal file
View file

@ -0,0 +1,7 @@
/^#@INSERT_SYS_SELECT_H@/ d
/^@FALLBACK_SOCKLEN_T@/ d
/^#include <stdlib\.h>/ d
/^#include <string\.h>/ d
/^#include <gpg-error\.h>/ s,#include <gpg-error.h>,#include <grub/gcrypt/gpg-error.h>,
s,_gcry_mpi_invm,gcry_mpi_invm,g
p