From: Daniel Axtens
To: grub-devel@gnu.org
Cc: rashmica.g@gmail.com, alastair@d-silva.org, nayna@linux.ibm.com, Daniel Axtens
Subject: [PATCH v2 05/22] docs/grub: Document signing grub under UEFI
Date: Wed, 30 Jun 2021 18:40:14 +1000
Message-Id: <20210630084031.2663622-6-dja@axtens.net>
In-Reply-To: <20210630084031.2663622-1-dja@axtens.net>
References: <20210630084031.2663622-1-dja@axtens.net>
List-Id: The development of GNU GRUB

Before adding information about how grub is signed with an appended signature
scheme, it's worth adding some information about how it can currently be signed
for UEFI.

Signed-off-by: Daniel Axtens
---
 docs/grub.texi | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index f8b4b3b21a7f..2ffc3b417312 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5795,6 +5795,7 @@ environment variables and commands are listed in the same order. * Secure Boot Advanced Targeting:: Embedded information for generation number based revocation * Measured Boot:: Measuring boot components * Lockdown:: Lockdown when booting on a secure setup +* Signing GRUB itself:: Ensuring the integrity of the GRUB core image @end menu @node Authentication and authorisation @@ -5873,7 +5874,7 @@ commands. GRUB's @file{core.img} can optionally provide enforcement that all files subsequently read from disk are covered by a valid digital signature. -This document does @strong{not} cover how to ensure that your +This section does @strong{not} cover how to ensure that your platform's firmware (e.g., Coreboot) validates @file{core.img}. If environment variable @code{check_signatures} @@ -6035,6 +6036,25 @@ be restricted and some operations/commands cannot be executed. The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down. Otherwise it does not exit. +@node Signing GRUB itself +@section Signing GRUB itself + +To ensure a complete secure-boot chain, there must be a way for the code that +loads GRUB to verify the integrity of the core image. + +This is ultimately platform-specific and individual platforms can define their +own mechanisms. However, there are general-purpose mechanisms that can be used +with GRUB. + +@section Signing GRUB for UEFI secure boot + +On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed +with a tool such as @command{pesign} or @command{sbsign}. Refer to the +suggestions in @pxref{UEFI secure boot and shim} to ensure that the final +image works under UEFI secure boot and can maintain the secure-boot chain. It +will also be necessary to enrol the public key used into a relevant firmware +key database. + @node Platform limitations @chapter Platform limitations -- 2.30.2
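Review bot: In the hunk at @@ -5873,7 +5874,7 @@, the reworded sentence still tells the reader that the manual does not cover how the platform firmware validates @file{core.img}, but this same patch adds a node that covers exactly that for UEFI, so the disclaimer is now partly stale. Suggest pointing it at the new node instead of leaving it unqualified, e.g. "This section does @strong{not} cover how to ensure that your platform's firmware (e.g., Coreboot) validates @file{core.img}; @pxref{Signing GRUB itself}." Changing "document" to "section" is right on its own, since the manual as a whole now does discuss it.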
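Review bot: In the hunk at @@ -6035,6 +6036,25 @@, "@section Signing GRUB for UEFI secure boot" has no @node and sits at the same level as "@section Signing GRUB itself", so the UEFI material becomes a sibling of the general section instead of a child of it, and nothing in the menu added in the first hunk leads to it; make it a @subsection, with its own @node if anything is to cross-reference it. In the same text, "Refer to the suggestions in @pxref{UEFI secure boot and shim}" will render as "Refer to the suggestions in see UEFI secure boot and shim", because @pxref is meant for use inside parentheses; use @ref here, or move the reference into parentheses. Two wording points: "verify the integrity of the core image" understates what the signature provides, since the loader is checking who produced the image as well as that it is unmodified, so "authenticity and integrity" is more accurate; and one sentence is needed saying that a signed @file{core.img} by itself says nothing about the modules, configuration and other files GRUB subsequently reads, which is what the @code{check_signatures} text earlier in this chapter ("GRUB's @file{core.img} can optionally provide enforcement that all files subsequently read from disk are covered by a valid digital signature") covers; otherwise a reader may stop at signing the PE binary. The last sentence tells the reader to enrol the key "into a relevant firmware key database", but the preceding sentence points at the shim section, and when shim loads GRUB it is shim rather than the firmware that verifies @file{core.img}, so say which key store is meant for each path. Not introduced by this patch, but the context line "Otherwise it does not exit." should read "exist".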