On Tue, Aug 19, 2025 at 06:43:23PM +0530, Sudhakar Kuppusamy wrote:
> This explains how appended signatures can be used to form part of
> a secure boot chain, and documents the commands and variables
> introduced.
>
> Signed-off-by: Daniel Axtens <[email protected]>
> Signed-off-by: Sudhakar Kuppusamy <[email protected]>
> Reviewed-by: Avnish Chouhan <[email protected]>
> ---
> docs/grub.texi | 401 +++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 401 insertions(+)
>
> diff --git a/docs/grub.texi b/docs/grub.texi
> index 5072bbb13..7f09249b0 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi
-->8--
> +@node Signing a file with an appended signature

A new node is declared here, so this node has to be listed in the menu
of '@chapter Security'. Otherwise, 'makeinfo' failed with the following
messages:

../../docs/grub.texi:9856: warning: node `Security' is up for `Signing a file with an appended signature' in sectioning but not in menu
../../docs/grub.texi:8933: node `Security' lacks menu item for `Signing a file with an appended signature' despite being its Up target

Cheers,

Gary Lin

> +@section Signing a file with an appended signature
> +The X.509 certificate (public key) file and hash file (binary/certificate
> hash file)
> +can be signed with a Linux kernel module-style appended signature.
> +
> +The signer.key is private key used for signing, signer.der is corresponding
> +public key (certificate) used for signature verification.
> +
> +@itemize
> +@item Signing the X.509 certificate file using @file{sign-file}.
> +The kernel.der is your X.509 certificate file.
> +@example
> +
> +sign-file SHA256 signer.key signer.der kernel.der \
> + kernel.der.signed
> +
> +@end example
> +@item Signing the hash file using @file{sign-file}.
> +The binary_hash is your hash file.
> +@example
> +
> +sign-file SHA256 signer.key signer.der binary_hash \
> + binary_hash.signed
> +
> +@end example
> +@end itemize
> +
> @node Platform limitations
> @chapter Platform limitations
>
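
Review bot: The sentence introducing signer.key and signer.der leaves both file names as bare text and drops its articles, while sign-file, which is a command, is marked up with @file in the two @item lines. Suggest "@file{signer.key} is the private key used for signing, and @file{signer.der} is the corresponding public key (certificate) used for signature verification", with @command{sign-file} in the items and @file{} around kernel.der and binary_hash. "The binary_hash is your hash file" does not say what was hashed or with which algorithm, so a reader cannot produce that input from this section alone; one sentence or a cross-reference to the node that defines the hash file would close that gap. The name kernel.der for the certificate being signed is easy to misread as a kernel image. The blank lines directly after @example and before @end example are carried into the rendered output and can be dropped.
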
> --
> 2.39.5 (Apple Git-154)
>
>
> _______________________________________________
> Grub-devel mailing list
> [email protected]
> https://lists.gnu.org/mailman/listinfo/grub-devel