Before adding information about how grub is signed with an appended signature scheme, it's worth adding some information about how it can currently be signed for UEFI.
Signed-off-by: Daniel Axtens <d...@axtens.net> --- docs/grub.texi | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/docs/grub.texi b/docs/grub.texi index 1ce9993a53fc..35da48456d9e 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -5736,6 +5736,7 @@ environment variables and commands are listed in the same order. * Using digital signatures:: Booting digitally signed code * UEFI secure boot and shim:: Booting digitally signed PE files * Measured Boot:: Measuring boot components +* Signing GRUB itself:: Ensuring the integrity of the GRUB core image @end menu @node Authentication and authorisation @@ -5814,7 +5815,7 @@ commands. GRUB's @file{core.img} can optionally provide enforcement that all files subsequently read from disk are covered by a valid digital signature. -This document does @strong{not} cover how to ensure that your +This section does @strong{not} cover how to ensure that your platform's firmware (e.g., Coreboot) validates @file{core.img}. If environment variable @code{check_signatures} 
@@ -5950,6 +5951,25 @@ into @file{core.img} in order to avoid a potential gap in measurement between Measured boot is currently only supported on EFI platforms. +@node Signing GRUB itself +@section Signing GRUB itself + +To ensure a complete secure-boot chain, there must be a way for the code that +loads GRUB to verify the integrity of the core image. + +This is ultimately platform-specific and individual platforms can define their +own mechanisms. However, there are general-purpose mechanisms that can be used +with GRUB. + +@section Signing GRUB for UEFI secure boot + +On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed +with a tool such as @command{pesign} or @command{sbsign}. Refer to the +suggestions in @pxref{UEFI secure boot and shim} to ensure that the final +image works under UEFI secure boot and can maintain the secure-boot chain. It +will also be necessary to enrol the public key used into a relevant firmware +key database. + @node Platform limitations @chapter Platform limitations -- 2.25.1 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
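Review bot: in the first hunk, the "This document" to "This section" change in the Using digital signatures text should also tell the reader where the omitted material now lives, since the sentence is being narrowed precisely because the document now does cover signing of @file{core.img}; e.g. `This section does @strong{not} cover how to ensure that your` / `platform's firmware (e.g., Coreboot) validates @file{core.img}` / `(@pxref{Signing GRUB itself}).` The new menu entry placed after "Measured Boot" matches where the node is inserted before "Platform limitations", so the menu order is consistent with the node order.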
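Review bot: in the second hunk, `@section Signing GRUB for UEFI secure boot` has no `@node` line of its own and sits at the same level as `@section Signing GRUB itself`, so the UEFI text becomes a sibling of the general section instead of the platform-specific part of it that the preceding paragraph ("individual platforms can define their own mechanisms") sets up. Every other section in this chapter pairs a `@node` with its sectioning command, so either give it `@node Signing GRUB for UEFI secure boot` / `@subsection Signing GRUB for UEFI secure boot`, or drop the heading and keep the UEFI paragraph inside Signing GRUB itself. In the same paragraph, `@pxref` is intended for use inside parentheses and renders as a lowercase "see", so `Refer to the suggestions in @pxref{UEFI secure boot and shim}` will come out as "Refer to the suggestions in see UEFI secure boot and shim"; use `@ref{UEFI secure boot and shim}` there. Finally, since that sentence sends readers to the shim section, "a relevant firmware key database" is a little narrow: when GRUB is loaded via shim the signing key is verified against shim's embedded vendor certificate or MOK list rather than the firmware's db, and it would help to say so.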