From: Daniel Axtens <dja@axtens.net>
To: grub-devel@gnu.org
Cc: rashmica.g@gmail.com, alastair@d-silva.org, Daniel Axtens
Subject: [PATCH 2/3] docs/grub: Document signing grub under UEFI
Date: Fri, 21 Aug 2020 12:37:19 +1000
Message-Id: <20200821023720.13747-3-dja@axtens.net>
In-Reply-To: <20200821023720.13747-1-dja@axtens.net>
References: <20200821023720.13747-1-dja@axtens.net>
List-Id: The development of GNU GRUB

Before adding information about how grub is signed with an appended signature scheme, it's worth adding some information about how it can currently be signed for UEFI.
Signed-off-by: Daniel Axtens --- docs/grub.texi | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/docs/grub.texi b/docs/grub.texi index 1ce9993a53fc..35da48456d9e 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -5736,6 +5736,7 @@ environment variables and commands are listed in the same order. * Using digital signatures:: Booting digitally signed code * UEFI secure boot and shim:: Booting digitally signed PE files * Measured Boot:: Measuring boot components +* Signing GRUB itself:: Ensuring the integrity of the GRUB core image @end menu @node Authentication and authorisation @@ -5814,7 +5815,7 @@ commands. GRUB's @file{core.img} can optionally provide enforcement that all files subsequently read from disk are covered by a valid digital signature. -This document does @strong{not} cover how to ensure that your +This section does @strong{not} cover how to ensure that your platform's firmware (e.g., Coreboot) validates @file{core.img}. If environment variable @code{check_signatures} 
@@ -5950,6 +5951,25 @@ into @file{core.img} in order to avoid a potential gap in measurement between Measured boot is currently only supported on EFI platforms. +@node Signing GRUB itself +@section Signing GRUB itself + +To ensure a complete secure-boot chain, there must be a way for the code that +loads GRUB to verify the integrity of the core image. + +This is ultimately platform-specific and individual platforms can define their +own mechanisms. However, there are general-purpose mechanisms that can be used +with GRUB. + +@section Signing GRUB for UEFI secure boot + +On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed +with a tool such as @command{pesign} or @command{sbsign}. Refer to the +suggestions in @pxref{UEFI secure boot and shim} to ensure that the final +image works under UEFI secure boot and can maintain the secure-boot chain. It +will also be necessary to enrol the public key used into a relevant firmware +key database. + @node Platform limitations @chapter Platform limitations -- 2.25.1
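Review bot: in the third hunk, the second heading "@section Signing GRUB for UEFI secure boot" has no @node of its own and is at the same level as "Signing GRUB itself", so the UEFI material cannot be cross-referenced from the menu and the "Signing GRUB itself" node contains only its two introductory paragraphs. Suggest giving it its own node and making it a subsection, e.g. "@node Signing GRUB for UEFI secure boot" followed by "@subsection Signing GRUB for UEFI secure boot", with a @menu under "Signing GRUB itself"; that also leaves room for the appended-signature scheme the commit message says is coming next. Two smaller points in the same hunk: @pxref is meant for use inside parentheses, so "Refer to the suggestions in @pxref{UEFI secure boot and shim}" renders as "Refer to the suggestions in see UEFI secure boot and shim"; use @ref{} there, or write "(@pxref{UEFI secure boot and shim})". And "enrol the public key used into a relevant firmware key database" would be clearer if it said which database: a core.img loaded directly by the firmware needs its signing certificate in the firmware's db, whereas one loaded via shim needs to be trusted by shim (its embedded vendor certificate or a MOK entry), which is the case the referenced shim section describes.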