[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v2 05/22] docs/grub: Document signing grub under UEFI
|
From: |
Daniel Axtens |
|
Subject: |
[PATCH v2 05/22] docs/grub: Document signing grub under UEFI |
|
Date: |
Wed, 30 Jun 2021 18:40:14 +1000 |
Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
docs/grub.texi | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index f8b4b3b21a7f..2ffc3b417312 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5795,6 +5795,7 @@ environment variables and commands are listed in the same
order.
* Secure Boot Advanced Targeting:: Embedded information for generation
number based revocation
* Measured Boot:: Measuring boot components
* Lockdown:: Lockdown when booting on a secure setup
+* Signing GRUB itself:: Ensuring the integrity of the GRUB core
image
@end menu
@node Authentication and authorisation
@@ -5873,7 +5874,7 @@ commands.
GRUB's @file{core.img} can optionally provide enforcement that all files
subsequently read from disk are covered by a valid digital signature.
-This document does @strong{not} cover how to ensure that your
+This section does @strong{not} cover how to ensure that your
platform's firmware (e.g., Coreboot) validates @file{core.img}.
If environment variable @code{check_signatures}
@@ -6035,6 +6036,25 @@ be restricted and some operations/commands cannot be
executed.
The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
Otherwise it does not exit.
+@node Signing GRUB itself
+@section Signing GRUB itself
+
+To ensure a complete secure-boot chain, there must be a way for the code that
+loads GRUB to verify the integrity of the core image.
+
+This is ultimately platform-specific and individual platforms can define their
+own mechanisms. However, there are general-purpose mechanisms that can be used
+with GRUB.
+
+@section Signing GRUB for UEFI secure boot
+
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
+with a tool such as @command{pesign} or @command{sbsign}. Refer to the
+suggestions in @pxref{UEFI secure boot and shim} to ensure that the final
+image works under UEFI secure boot and can maintain the secure-boot chain. It
+will also be necessary to enrol the public key used into a relevant firmware
+key database.
+
@node Platform limitations
@chapter Platform limitations
--
2.30.2
- [PATCH v2 00/22] appended signature secure boot support, Daniel Axtens, 2021/06/30
- [PATCH v2 01/22] ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE, Daniel Axtens, 2021/06/30
- [PATCH v2 02/22] ieee1275: claim more memory, Daniel Axtens, 2021/06/30
- [PATCH v2 03/22] ieee1275: request memory with ibm, client-architecture-support, Daniel Axtens, 2021/06/30
- [PATCH v2 04/22] Add suport for signing grub with an appended signature, Daniel Axtens, 2021/06/30
- [PATCH v2 05/22] docs/grub: Document signing grub under UEFI,
Daniel Axtens <=
- [PATCH v2 06/22] docs/grub: Document signing grub with an appended signature, Daniel Axtens, 2021/06/30
- [PATCH v2 07/22] dl: provide a fake grub_dl_set_persistent for the emu target, Daniel Axtens, 2021/06/30
- [PATCH v2 08/22] pgp: factor out rsa_pad, Daniel Axtens, 2021/06/30
- [PATCH v2 09/22] crypto: move storage for grub_crypto_pk_* to crypto.c, Daniel Axtens, 2021/06/30
- [PATCH v2 10/22] posix_wrap: tweaks in preparation for libtasn1, Daniel Axtens, 2021/06/30
- [PATCH v2 11/22] libtasn1: import libtasn1-4.16.0, Daniel Axtens, 2021/06/30
- [PATCH v2 12/22] libtasn1: disable code not needed in grub, Daniel Axtens, 2021/06/30
- [PATCH v2 13/22] libtasn1: changes for grub compatibility, Daniel Axtens, 2021/06/30
- [PATCH v2 14/22] libtasn1: compile into asn1 module, Daniel Axtens, 2021/06/30
- [PATCH v2 16/22] grub-install: support embedding x509 certificates, Daniel Axtens, 2021/06/30