From: Stefan Berger <stefanb@linux.ibm.com>
To: The development of GNU GRUB <grub-devel@gnu.org>,
Daniel Axtens <dja@axtens.net>
Cc: rashmica.g@gmail.com, alastair@d-silva.org, nayna@linux.ibm.com
Subject: Re: [PATCH v2 06/22] docs/grub: Document signing grub with an appended signature
Date: Mon, 12 Jul 2021 08:46:46 -0400 [thread overview]
Message-ID: <35badfa4-bc8f-cc17-7705-821f17092a30@linux.ibm.com> (raw)
In-Reply-To: <20210630084031.2663622-7-dja@axtens.net>
On 6/30/21 4:40 AM, Daniel Axtens wrote:
> Signing grub for firmware that verifies an appended signature is a
> bit fiddly. I don't want people to have to figure it out from scratch
> so document it here.
>
> Signed-off-by: Daniel Axtens <dja@axtens.net>
> ---
> docs/grub.texi | 42 ++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 42 insertions(+)
>
> diff --git a/docs/grub.texi b/docs/grub.texi
> index 2ffc3b417312..bed565371460 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi
> @@ -6055,6 +6055,48 @@ image works under UEFI secure boot and can maintain the secure-boot chain. It
> will also be necessary to enrol the public key used into a relevant firmware
> key database.
>
> +@section Signing GRUB with an appended signature
> +
> +The @file{core.img} itself can be signed with a Linux kernel module-style
> +appended signature.
> +
> +To support IEEE1275 platforms where the boot image is often loaded directly
> +from a disk partition rather than from a file system, the @file{core.img}
> +can specify the size and location of the appended signature with an ELF
> +note added by @command{grub-install}.
> +
> +An image can be signed this way using the @command{sign-file} command from
> +the Linux kernel:
> +
> +@example
> +@group
> +# grub.key is your private key and certificate.der is your public key
> +
> +# Determine the size of the appended signature. It depends on the signing
> +# certificate and the hash algorithm
> +touch empty
> +sign-file SHA256 grub.key certificate.der empty empty.sig
> +SIG_SIZE=`stat -c '%s' empty.sig`
> +rm empty empty.sig
> +
> +# Build a grub image with $SIG_SIZE reserved for the signature
> +grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
> +
> +# Replace the reserved size with a signature:
> +# cut off the last $SIG_SIZE bytes with truncate's minus modifier
> +truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned
> +# sign the trimmed file with an appended signature, restoring the correct size
> +sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
> +
> +# Don't forget to install the signed image as required
> +# (e.g. on powerpc-ieee1275, to the PReP partition)
> +@end group
> +@end example
> +
> +As with UEFI secure boot, it is necessary to build in the required modules,
> +or sign them separately.
> +
> +
> @node Platform limitations
> @chapter Platform limitations
>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
next prev parent reply other threads:[~2021-07-12 12:46 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-30 8:40 [PATCH v2 00/22] appended signature secure boot support Daniel Axtens
2021-06-30 8:40 ` [PATCH v2 01/22] ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE Daniel Axtens
2021-07-12 12:33 ` Stefan Berger
2021-07-14 16:21 ` Daniel Kiper
2021-06-30 8:40 ` [PATCH v2 02/22] ieee1275: claim more memory Daniel Axtens
2021-07-12 12:35 ` Stefan Berger
2021-07-15 21:51 ` Daniel Kiper
2021-07-16 3:59 ` Patrick Steinhardt
2021-07-21 14:45 ` Daniel Kiper
2021-07-21 15:24 ` Stefan Berger
2021-07-22 17:11 ` Stefan Berger
2021-07-28 11:17 ` Daniel Kiper
2021-06-30 8:40 ` [PATCH v2 03/22] ieee1275: request memory with ibm, client-architecture-support Daniel Axtens
2021-07-12 12:40 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 04/22] Add suport for signing grub with an appended signature Daniel Axtens
2021-07-12 12:43 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 05/22] docs/grub: Document signing grub under UEFI Daniel Axtens
2021-07-12 12:44 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 06/22] docs/grub: Document signing grub with an appended signature Daniel Axtens
2021-07-12 12:46 ` Stefan Berger [this message]
2021-06-30 8:40 ` [PATCH v2 07/22] dl: provide a fake grub_dl_set_persistent for the emu target Daniel Axtens
2021-07-12 12:48 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 08/22] pgp: factor out rsa_pad Daniel Axtens
2021-07-12 12:52 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 09/22] crypto: move storage for grub_crypto_pk_* to crypto.c Daniel Axtens
2021-07-12 12:54 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 10/22] posix_wrap: tweaks in preparation for libtasn1 Daniel Axtens
2021-07-12 12:56 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 11/22] libtasn1: import libtasn1-4.16.0 Daniel Axtens
2021-07-20 21:46 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 12/22] libtasn1: disable code not needed in grub Daniel Axtens
2021-07-20 21:47 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 13/22] libtasn1: changes for grub compatibility Daniel Axtens
2021-07-12 13:04 ` Stefan Berger
2022-04-21 6:16 ` Daniel Axtens
2021-06-30 8:40 ` [PATCH v2 14/22] libtasn1: compile into asn1 module Daniel Axtens
2021-07-12 13:05 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 15/22] test_asn1: test module for libtasn1 Daniel Axtens
2021-07-12 19:35 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 16/22] grub-install: support embedding x509 certificates Daniel Axtens
2021-07-12 20:24 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 17/22] appended signatures: import GNUTLS's ASN.1 description files Daniel Axtens
2021-07-19 21:09 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 18/22] appended signatures: parse PKCS#7 signedData and X.509 certificates Daniel Axtens
2021-07-19 22:02 ` Stefan Berger
2022-04-21 6:36 ` Daniel Axtens
2021-06-30 8:40 ` [PATCH v2 19/22] appended signatures: support verifying appended signatures Daniel Axtens
2021-07-20 1:31 ` Stefan Berger
2022-04-21 7:10 ` Daniel Axtens
2021-06-30 8:40 ` [PATCH v2 20/22] appended signatures: verification tests Daniel Axtens
2021-07-20 12:49 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 21/22] appended signatures: documentation Daniel Axtens
2021-07-19 22:24 ` Stefan Berger
2022-04-21 7:15 ` Daniel Axtens
2021-06-30 8:40 ` [PATCH v2 22/22] ieee1275: enter lockdown based on /ibm,secure-boot Daniel Axtens
2021-07-19 22:08 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=35badfa4-bc8f-cc17-7705-821f17092a30@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=alastair@d-silva.org \
--cc=dja@axtens.net \
--cc=grub-devel@gnu.org \
--cc=nayna@linux.ibm.com \
--cc=rashmica.g@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.