> On 21 Aug 2025, at 12:14 PM, Gary Lin <g...@suse.com> wrote:
> 
> On Tue, Aug 19, 2025 at 06:43:23PM +0530, Sudhakar Kuppusamy wrote:
>> This explains how appended signatures can be used to form part of
>> a secure boot chain, and documents the commands and variables
>> introduced.
>> 
>> Signed-off-by: Daniel Axtens <d...@axtens.net>
>> Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
>> Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
>> ---
>> docs/grub.texi | 401 +++++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 401 insertions(+)
>> 
>> diff --git a/docs/grub.texi b/docs/grub.texi
>> index 5072bbb13..7f09249b0 100644
>> --- a/docs/grub.texi
>> +++ b/docs/grub.texi
> 
> -->8--
> 
>> +@node Signing a file with an appended signature
> A new node is declared here, so this node has to be listed in the menu
> of '@chapter Security'. Otherwise, 'makeinfo' failed with the following
> messages:
> 
> ../../docs/grub.texi:9856: warning: node `Security' is up for `Signing a file with an appended signature' in sectioning but not in menu
> ../../docs/grub.texi:8933: node `Security' lacks menu item for `Signing a file with an appended signature' despite being its Up target

Thank you Gary. Fixed it on v8.

Thanks,
Sudhakar
> 
> Cheers,
> 
> Gary Lin
> 
>> +@section Signing a file with an appended signature
>> +The X.509 certificate (public key) file and hash file (binary/certificate 
>> hash file)
>> +can be signed with a Linux kernel module-style appended signature.
>> +
>> +The signer.key is private key used for signing, signer.der is corresponding
>> +public key (certificate) used for signature verification.
>> +
>> +@itemize
>> +@item Signing the X.509 certificate file using @file{sign-file}.
>> +The kernel.der is your X.509 certificate file.
>> +@example
>> +
>> +sign-file SHA256 signer.key signer.der kernel.der \
>> +  kernel.der.signed
>> +
>> +@end example
>> +@item Signing the hash file using @file{sign-file}.
>> +The binary_hash is your hash file.
>> +@example
>> +
>> +sign-file SHA256 signer.key signer.der binary_hash \
>> +  binary_hash.signed
>> +
>> +@end example
>> +@end itemize
>> +
>> @node Platform limitations
>> @chapter Platform limitations
>> 
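Review bot: In the new "Signing a file with an appended signature" section, the file names signer.key, signer.der, kernel.der, binary_hash and the two .signed outputs are left as plain text while sign-file is wrapped in @file{}; please mark the file names up with @file{} so they render consistently. The sentence "The signer.key is private key used for signing, signer.der is corresponding" is missing articles and would read better as "signer.key is the private key used for signing and signer.der is the corresponding public key (certificate)". The section also never says where sign-file comes from or what the resulting kernel.der.signed and binary_hash.signed files are used for afterwards, so a reader landing on this node alone cannot complete the procedure; a sentence or a cross-reference to the node that consumes them would close that gap. Finally, the blank lines directly after each @example and before each @end example will show up as empty lines in the rendered output and can be dropped.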
>> -- 
>> 2.39.5 (Apple Git-154)
>> 
>> 
>> _______________________________________________
>> Grub-devel mailing list
>> Grub-devel@gnu.org
>> https://lists.gnu.org/mailman/listinfo/grub-devel

