On Mon, Sep 22, 2025 at 02:58:03PM +0530, Sudhakar Kuppusamy wrote:
> This explains how appended signatures can be used to form part of
> a secure boot chain, and documents the commands and variables
> introduced.
>
> Signed-off-by: Daniel Axtens <[email protected]>
> Signed-off-by: Sudhakar Kuppusamy <[email protected]>
> ---
>  docs/grub.texi | 327 +++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 327 insertions(+)
>
> diff --git a/docs/grub.texi b/docs/grub.texi
> index 74777c040..785cfb970 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi

[...]

> +Note that when the environment variable @code{check_appended_signatures} is 
> set to @code{enforce},
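Review bot: the value `enforce` in "set to @code{enforce}" is inconsistent with the rest of this same paragraph, which describes the opposite setting as `@code{check_appended_signatures}` "set to @code{no}"; a yes/no variable should document `yes` as the positive value, and the same spelling needs to be used wherever the variable is checked so readers cannot set a value the code silently ignores.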

s/enforce/yes/ here and there and in the code...

> +the @command{append_add_db_cert} and @command{append_add_dbx_cert} commands 
> only accept
> +the file @samp{@var{X509_certificate}} that is signed with an appended 
> signature
> +(@pxref{Signing certificate and hash file}), and the 
> @command{append_add_db_hash} and
> +@command{append_add_dbx_hash} commands only accept the file 
> @samp{@var{hash_file}} that is
> +signed with an appended signature (@pxref{Signing certificate and hash 
> file}).
> +The signature is verified by appendedsig module.
> +When the environment variable @code{check_appended_signatures} is set to 
> @code{no},
> +these commands accept files without an appended signature.
> +
> +Also, note that @samp{@var{X509_certificate}} should be in DER-format and 
> @samp{@var{hash_file}}
> +should be in binary format. Certificates/hashes of certificates/binaries 
> added through
> +@command{append_add_db_cert}, @command{append_add_dbx_cert}, 
> @command{append_add_db_hash},
> +and @command{append_add_dbx_hash} will not be persisted across boots.
> +
> +Only supported signatures generated using the SHA-256 or SHA-512 hash 
> algorithms,
> +RSA signatures generated using 2048, 3076, or 4096 bit keys,
> +and binary/certificate hash generated using SHA-256, SHA-384, or SHA-512 
> algorithms.
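Review bot: the closing sentence ("Only supported signatures generated using the SHA-256 or SHA-512 hash algorithms, ...") has no main verb and does not parse; suggest splitting it into two statements, e.g. "Only RSA signatures made with 2048, 3076, or 4096 bit keys over SHA-256 or SHA-512 digests are supported." and "Binary and certificate hashes must be computed with SHA-256, SHA-384, or SHA-512." While rephrasing, please confirm the key size list: 3076 is not a standard RSA modulus size (3072 is), and the documented sizes should match exactly what the verifier accepts so that a user does not sign with a key the module will reject. Minor: "verified by appendedsig module" needs an article ("by the appendedsig module").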

This sentence does not parse. Please rephrase it...

Otherwise patch LGTM. So, you can add my RB if you fix these minor issues...

Daniel

_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel
