On Mon, Sep 22, 2025 at 02:58:02PM +0530, Sudhakar Kuppusamy wrote: > Signing GRUB for firmware that verifies an appended signature is a > bit fiddly. I don't want people to have to figure it out from scratch > so document it here. > > Signed-off-by: Daniel Axtens <[email protected]> > Signed-off-by: Sudhakar Kuppusamy <[email protected]> > Reviewed-by: Stefan Berger <[email protected]> > Reviewed-by: Avnish Chouhan <[email protected]> > --- > docs/grub.texi | 102 +++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 102 insertions(+) > > diff --git a/docs/grub.texi b/docs/grub.texi > index 358975fc8..74777c040 100644 > --- a/docs/grub.texi > +++ b/docs/grub.texi > @@ -9611,6 +9611,108 @@ image works under UEFI secure boot and can maintain > the secure-boot chain. It > will also be necessary to enroll the public key used into a relevant firmware > key database. > > +@section Signing GRUB with an appended signature > +The @file{core.elf} itself can be signed with a Linux kernel module-style > +appended signature (@pxref{Using appended signatures}). > +To support IEEE1275 platforms where the boot image is often loaded directly > +from a disk partition rather than from a file system, the @file{core.elf} > +can specify the size and location of the appended signature with an ELF > +Note added by @command{grub-install} or @command{grub-mkimage}. > +An image can be signed this way using the @command{sign-file} command from > +the Linux kernel: > + > +@itemize > +@item Signing a GRUB image using a single signer key. The grub.key is your > +private key used for GRUB signing, grub.der is a corresponding public key > +(certificate) used for GRUB signature verification, and the kernel.der is > +your public key (certificate) used for kernel signature verification. > +@example > +@group > +# Determine the size of the appended signature. It depends on the > +# signing key and the hash algorithm. > +# > +# Signing the /dev/null with an appended signature. > + > +sign-file SHA256 grub.key grub.der /dev/null ./empty.sig > + > +# Get the size of the signature. > + > +EMPTY_SIG_SIZE=`stat -c '%s' ./empty.sig` > + > +# Remove the empty file signature. > + > +rm ./empty.sig > + > +# Build a GRUB image with $EMPTY_SIG_SIZE reserved for the signature. > + > +grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der \ > + -p /grub --appended-signature-size $EMPTY_SIG_SIZE \
s/$EMPTY_SIG_SIZE/$(stat -c '%s' ./empty.sig)/ Then drop EMPTY_SIG_SIZE assignment and move "rm ./empty.sig" behind grub-mkimage command. This way we can simplify the process further... > + --modules="appendedsig ..." ... > + > +# Signing a GRUB image with an appended signature. > + > +sign-file SHA256 grub.key grub.der core.elf.unsigned core.elf.signed > + > +@end group > +@end example > +@item Signing a GRUB image using more than one signer key. The grub1.key and > +grub2.key are private keys used for GRUB signing, grub1.der and grub2.der > +are corresponding public keys (certificates) used for GRUB signature > verification. > +The kernel1.der and kernel2.der are your public keys (certificates) used for > +kernel signature verification. > +@example > +@group > +# Generate a raw signature for /dev/null signing using OpenSSL. > + > +openssl cms -sign -binary -nocerts -in /dev/null -signer \ > + grub1.der -inkey grub1.key -signer grub2.der -inkey grub2.key \ > + -out ./empty.p7s -outform DER -noattr -md sha256 > + > +# Signing the /dev/null with an appended signature. > + > +sign-file -s ./empty.p7s sha256 /dev/null /dev/null ./empty.signed > + > +# Get the size of the signature. > + > +EMPTY_SIG_SIZE=`stat -c '%s' ./empty.signed` > + > +# Remove the empty file signatures. > + > +rm ./empty.signed ./empty.p7s > + > +# Build a GRUB image with $EMPTY_SIG_SIZE reserved for the signature. > + > +grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel1.der \ > + kernel2.der -p /grub --appended-signature-size $EMPTY_SIG_SIZE \ Ditto. Otherwise LGTM. So, if you fix these two minor issues you can add my RB... Daniel _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
