grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v1 02/21] docs/grub: Document signing grub under UEFI

From: Stefan Berger
Subject: Re: [PATCH v1 02/21] docs/grub: Document signing grub under UEFI
Date: Fri, 27 Dec 2024 10:00:39 -0500
User-agent: Mozilla Thunderbird 


On 12/18/24 9:56 AM, Sudhakar Kuppusamy wrote:

From: Daniel Axtens <dja@axtens.net>

Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
---
  docs/grub.texi | 18 +++++++++++++++++-
  1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index 200e747af..c07d5d0dc 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -8572,6 +8572,7 @@ environment variables and commands are listed in the same 
order.
  * Measured Boot::                    Measuring boot components
  * Lockdown::                         Lockdown when booting on a secure setup
  * TPM2 key protector::               Managing disk key with TPM2 key protector
+* Signing GRUB itself::              Ensuring the integrity of the GRUB core 
image
  @end menu
@node Authentication and authorisation 
@@ -8652,7 +8653,7 @@ commands.
GRUB's @file{core.img} can optionally provide enforcement that all files 
  subsequently read from disk are covered by a valid digital signature.
-This document does @strong{not} cover how to ensure that your
+This section does @strong{not} cover how to ensure that your
  platform's firmware (e.g., Coreboot) validates @file{core.img}.
If environment variable @code{check_signatures} 
@@ -9119,6 +9120,21 @@ command through the swtpm control channel.
  # @kbd{swtpm_ioctl -s --unix swtpm-state/ctrl}
  @end example
+@node Signing GRUB itself 
+@section Signing GRUB itself
+To ensure a complete secure-boot chain, there must be a way for the code that
+loads GRUB to verify the integrity of the core image.
+This is ultimately platform-specific and individual platforms can define their
+own mechanisms. However, there are general-purpose mechanisms that can be used
+with GRUB.
+@section Signing GRUB for UEFI secure boot
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
+with a tool such as @command{pesign} or @command{sbsign}. Refer to the
+suggestions in @pxref{UEFI secure boot and shim} to ensure that the final
+image works under UEFI secure boot and can maintain the secure-boot chain. It
+will also be necessary to enrol the public key used into a relevant firmware


s/enrol/enroll


+key database.
+
  @node Platform limitations
  @chapter Platform limitations


With nit fixed:
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]