From: Daniel Axtens <d...@axtens.net>
Signing GRUB for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens <d...@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
---
docs/grub.texi | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 320fa2124..cd73ac6bf 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -9379,6 +9379,54 @@ image works under UEFI secure boot and can maintain the
secure-boot chain. It
will also be necessary to enroll the public key used into a relevant firmware
key database.
+@section Signing GRUB with an appended signature
+The @file{core.img} itself can be signed with a Linux kernel module-style
+appended signature.
+To support IEEE1275 platforms where the boot image is often loaded directly
+from a disk partition rather than from a file system, the @file{core.img}
+can specify the size and location of the appended signature with an ELF
+note added by @command{grub-install}.
+An image can be signed this way using the @command{sign-file} command from
+the Linux kernel:
+@example
+@group
+# grub.key is your private key and certificate.der is your public key
+# kernel.der is your kernel signing public key
+# For single signature:
+# Determine the size of the appended signature. It depends on the signing
+# certificate and the hash algorithm
+sign-file SHA256 grub.key certificate.der /dev/null /dev/null.sig
+SIG_SIZE=`stat -c '%s' /dev/null.sig`
+# Build a GRUB image with $SIG_SIZE reserved for the signature
+grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
+ or
+grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der -p /grub2
+--appended-signature-size $SIG_SIZE --modules="..." ...
+# sign the GRUB image with an appended signature
+sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
+# For Multiple signature:
+# Determine the size of the appended signature
+openssl cms -sign -binary -nocerts -in /dev/null -signer certificate.pem
-inkey grub.key
+-signer certificate1.pem -inkey grub1.key -out /dev/null.p7s -outform DER
-noattr -md sha256
+sign-file -s /dev/null.p7s sha256 /dev/null /dev/null /dev/null.signed
+SIG_SIZE=`stat -c '%s' /dev/null.signed`
+# Build a GRUB image with $SIG_SIZE reserved for the signature
+grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
+ or
+grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der -p /grub2
--appended-signature-size $SIG_SIZE
+--modules="..." ...
+# generate raw signature
+openssl cms -sign -binary -nocerts -in core.elf.unsigned -signer
certificate.pem
+-inkey grub.key -signer certificate1.pem -inkey grub1.key -out core.p7s
-outform DER -noattr -md sha256
+# sign the GRUB image with an appended signature
+sign-file -s core.p7s sha256 /dev/null core.elf.unsigned core.elf.signed
+# Don't forget to install the signed image as required
+# (e.g. on powerpc-ieee1275, to the PReP partition)
+@end group
+@end example
+As with UEFI secure boot, it is necessary to build-in the required modules,
+or sign them separately.
+
@node Platform limitations
@chapter Platform limitations
--
2.49.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
