Part of a secure boot chain is allowing boot firmware to verify the grub core.img. For UEFI platforms, this is done by signing the PE binary with a tool like pesign or sb-sign. However, for platforms that don't implement UEFI, an alternative scheme is required.

These patches provide some infrastructure and documentation for signing grub's core.img with a Linux-kernel-module style appended signature. Because some platforms, such as powerpc-ieee1275, load grub from a raw disk partition rather than a filesystem, we extend grub-install to add an ELF note that allows us to specify the size and location of the signature. More details are in patch 1, including a link to an open-source firmware capable of verifying a grub image signed this way.

Daniel Axtens (2):
  docs/grub: Document signing grub under UEFI
  docs/grub: Document signing grub with an appended signature

Rashmica Gupta (1):
  Add suport for signing grub with an appended signature

 docs/grub.texi              | 64 ++++++++++++++++++++++++++++++++++++-
 include/grub/util/install.h |  8 +++--
 include/grub/util/mkimage.h |  4 +--
 util/grub-install-common.c  | 16 ++++++++--
 util/grub-mkimage.c         | 11 +++++++
 util/grub-mkimagexx.c       | 39 +++++++++++++++++++++-
 util/mkimage.c              | 10 +++---
 7 files changed, 138 insertions(+), 14 deletions(-)

--
2.25.1
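
The trailer of a Linux-kernel-module style appended signature, parsed in Python as an added example (not code from this patch series or from GRUB). The layout is the one the kernel's sign-file tool writes; that a signed core.img ends with the same trailer is an assumption, the ELF note is not modelled, and `split_appended_signature` and `build_sample` are hypothetical names.

```python
import struct

# Kernel module appended-signature layout (as written by scripts/sign-file):
#   payload || PKCS#7 blob || struct module_signature (12 bytes) || magic
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, __pad[3], big-endian sig_len
SIG_INFO = struct.Struct(">8BI")
PKEY_ID_PKCS7 = 2


def split_appended_signature(image: bytes):
    """Return (payload, pkcs7_blob); raise ValueError on a malformed trailer.

    Only the framing is parsed here. A verifier must still check the PKCS#7
    blob against trusted keys, hashing exactly the returned payload.
    """
    if not image.endswith(MAGIC):
        raise ValueError("no appended-signature magic")
    info_end = len(image) - len(MAGIC)
    info_start = info_end - SIG_INFO.size
    if info_start < 0:
        raise ValueError("truncated signature info")
    algo, hash_, id_type, signer_len, key_id_len, *pad, sig_len = (
        SIG_INFO.unpack(image[info_start:info_end]))
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("unsupported id_type")
    # For PKCS#7 signatures every other descriptor byte must be zero.
    if any((algo, hash_, signer_len, key_id_len, *pad)):
        raise ValueError("nonzero reserved fields")
    # sig_len is attacker-controlled: bound it before slicing.
    if sig_len == 0 or sig_len > info_start:
        raise ValueError("sig_len out of range")
    sig_start = info_start - sig_len
    return image[:sig_start], image[sig_start:info_start]


def build_sample(payload: bytes, sig: bytes) -> bytes:
    """Constructed input: sig is a placeholder, not a real PKCS#7 blob."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, 0, 0, 0, len(sig))
    return payload + sig + info + MAGIC


if __name__ == "__main__":
    body, blob = split_appended_signature(build_sample(b"core", b"\x30\x82xx"))
    print(len(body), len(blob))
```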
