On Tue, Jun 10, 2025 at 09:20:37PM +0530, Sudhakar wrote:
> From: Daniel Axtens <d...@axtens.net>
>
> Signing GRUB for firmware that verifies an appended signature is a
> bit fiddly. I don't want people to have to figure it out from scratch
> so document it here.
>
> Signed-off-by: Daniel Axtens <d...@axtens.net>
> Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
> Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
> ---
> docs/grub.texi | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 48 insertions(+)
>
> diff --git a/docs/grub.texi b/docs/grub.texi
> index 320fa2124..cd73ac6bf 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi
> @@ -9379,6 +9379,54 @@ image works under UEFI secure boot and can maintain
> the secure-boot chain. It
> will also be necessary to enroll the public key used into a relevant firmware
> key database.
>
> +@section Signing GRUB with an appended signature
> +The @file{core.img} itself can be signed with a Linux kernel module-style
> +appended signature.
> +To support IEEE1275 platforms where the boot image is often loaded directly
> +from a disk partition rather than from a file system, the @file{core.img}
> +can specify the size and location of the appended signature with an ELF
> +note added by @command{grub-install}.
> +An image can be signed this way using the @command{sign-file} command from
> +the Linux kernel:
> +@example
> +@group
> +# grub.key is your private key and certificate.der is your public key
> +# kernel.der is your kernel signing public key
> +# For single signature:
> +# Determine the size of the appended signature. It depends on the signing
> +# certificate and the hash algorithm
> +sign-file SHA256 grub.key certificate.der /dev/null /dev/null.sig
Please do not create random files in the /dev directory. And probably
s/null.sig/empty.sig/...
> +SIG_SIZE=`stat -c '%s' /dev/null.sig`
s/SIG_SIZE/EMPTY_SIG_SIZE/
> +# Build a GRUB image with $SIG_SIZE reserved for the signature
> +grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
> + or
> +grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der -p /grub2
> +--appended-signature-size $SIG_SIZE --modules="..." ...
> +# sign the GRUB image with an appended signature
> +sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
> +# For Multiple signature:
> +# Determine the size of the appended signature
> +openssl cms -sign -binary -nocerts -in /dev/null -signer certificate.pem
> -inkey grub.key
> +-signer certificate1.pem -inkey grub1.key -out /dev/null.p7s -outform DER
> -noattr -md sha256
You glue all lines together and it is not possible to get where a
command starts and ends. If you want break lines the two lines above
should be presented in the docs in the following way:
openssl cms -sign -binary -nocerts -in /dev/null -signer certificate.pem -inkey
grub.key \
-signer certificate1.pem -inkey grub1.key -out /dev/null.p7s -outform DER
-noattr -md sha256
In general I suggest to add empty line after each command.
> +sign-file -s /dev/null.p7s sha256 /dev/null /dev/null /dev/null.signed
Again, please do not pollute /dev directory.
> +SIG_SIZE=`stat -c '%s' /dev/null.signed`
> +# Build a GRUB image with $SIG_SIZE reserved for the signature
> +grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
> + or
> +grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der -p
> /grub2 --appended-signature-size $SIG_SIZE
> +--modules="..." ...
> +# generate raw signature
> +openssl cms -sign -binary -nocerts -in core.elf.unsigned -signer
> certificate.pem
> +-inkey grub.key -signer certificate1.pem -inkey grub1.key -out core.p7s
> -outform DER -noattr -md sha256
Same problem. Missing line continuation as above. Please fix similar
problems everywhere...
And I suggest to add a command to remove all temporary files.
Daniel
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
