git.ipfire.org Git - thirdparty/grub.git/commit
appended signatures: Support verifying appended signatures
author Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Mon, 6 Oct 2025 07:24:55 +0000 (12:54 +0530)
committer Daniel Kiper <daniel.kiper@oracle.com>
Sat, 11 Oct 2025 13:36:44 +0000 (15:36 +0200)
commit 069f3614e6b4131bc20c7403f1413797ded6a15b
tree ee0f664c6d6766bc74f1cc034c97a9731d2a9031
parent f8e8779d8e2bd30c990ed3551d0e170064ea1863

Building on the parsers and the ability to embed X.509 certificates, as well
as the existing gcrypt functionality, add a module for verifying appended
signatures.

This includes a signature verifier that requires that the Linux kernel and
GRUB modules have appended signatures for verification.

Signature verification must be enabled by setting check_appended_signatures.
If secure boot is enabled with enforce mode when the appendedsig module is
loaded, signature verification will be enabled, and trusted keys will be
extracted from the GRUB ELF Note and stored in the db and locked automatically.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/Makefile.core.def
grub-core/commands/appendedsig/appendedsig.c [new file with mode: 0644]
include/grub/err.h
include/grub/file.h