From: Daniel Axtens
To: grub-devel@gnu.org
Cc: rashmica.g@gmail.com, alastair@d-silva.org, Daniel Axtens
Subject: [PATCH 3/3] docs/grub: Document signing grub with an appended signature
Date: Fri, 21 Aug 2020 12:37:20 +1000
Message-Id: <20200821023720.13747-4-dja@axtens.net>
In-Reply-To: <20200821023720.13747-1-dja@axtens.net>
References: <20200821023720.13747-1-dja@axtens.net>
List-Id: The development of GNU GRUB

Signing grub for firmware that verifies an appended signature is a bit
fiddly. I don't want people to have to figure it out from scratch, so
document it here.
Signed-off-by: Daniel Axtens
---
 docs/grub.texi | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/docs/grub.texi b/docs/grub.texi
index 35da48456d9e..bbbe6c7e07bf 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5970,6 +5970,48 @@ image works under UEFI secure boot and can maintain the secure-boot chain. It will also be necessary to enrol the public key used into a relevant firmware key database. +@section Signing GRUB with an appended signature + +The @file{core.img} itself can be signed with a Linux kernel module-style +appended signature. + +To support IEEE1275 platforms where the boot image is often loaded directly +from a disk partition rather than from a file system, the @file{core.img} +can specify the size and location of the appended signature with an ELF +note added by @command{grub-install}. + +An image can be signed this way using the @command{sign-file} command from +the Linux kernel: + +@example +@group +# grub.key is your private key and certificate.der is your public key + +# Determine the size of the appended signature. It depends on the signing +# certificate and the hash algorithm +touch empty +sign-file SHA256 grub.key certificate.der empty empty.sig +SIG_SIZE=`stat -c '%s' empty.sig` +rm empty empty.sig + +# Build a grub image with $SIG_SIZE reserved for the signature +grub-install --appended-signature-size $SIG_SIZE --modules="..." ... + +# Replace the reserved size with a signature: +# cut off the last $SIG_SIZE bytes with truncate's minus modifier +truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned +# sign the trimmed file with an appended signature, restoring the correct size +sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed + +# Don't forget to install the signed image as required +# (e.g. on powerpc-ieee1275, to the PReP partition) +@end group +@end example + +As with UEFI secure boot, it is necessary to build in the required modules, +or sign them separately. + + @node Platform limitations @chapter Platform limitations -- 2.25.1
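Review bot: the truncate step in the @example does not produce an unsigned copy, so the procedure as written signs the wrong bytes. GNU truncate treats every operand as a file to resize in place and creates any operand that does not exist, so `truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned` shrinks the installed core.elf by $SIG_SIZE bytes and leaves core.elf.unsigned as a new empty file; the next line then runs sign-file over that empty file. Copy first and trim the copy, e.g. `cp /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned` followed by `truncate -s -$SIG_SIZE core.elf.unsigned`, or write the trimmed copy directly with `head -c -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf > core.elf.unsigned`. Two smaller points in the same hunk: the first comment calls certificate.der "your public key", but sign-file takes an X.509 certificate in DER form, and a bare public key will not work, so the comment should say "certificate"; and the closing "Don't forget to install the signed image" comment would be more useful if it said why: grub-install has already written the padded, unsigned image to the target it installs to (the PReP partition on powerpc-ieee1275, as the comment notes), so the signed file must overwrite that copy or the firmware will still see an image with an unsigned reserved area. It would also help to state that the empty-file size probe works because the RSA PKCS#1 v1.5 signature sign-file emits has a length fixed by the key and certificate, independent of the data signed, which is the assumption the "Determine the size of the appended signature" comment relies on.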