docs/grub: Document signing GRUB under UEFI

Before adding information about how GRUB is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Daniel Axtens 2025-10-06 12:55:03 +05:30 committed by Daniel Kiper
parent dbfa3d7d7e
commit 0b59d379fc


@ -8907,6 +8907,7 @@ environment variables and commands are listed in the same order.
* Measured Boot:: Measuring boot components
* Lockdown:: Lockdown when booting on a secure setup
* TPM2 key protector:: Managing disk key with TPM2 key protector
* Signing GRUB itself:: Ensuring the integrity of the GRUB core image
@end menu
@node Authentication and authorisation
@ -8987,7 +8988,7 @@ commands.
GRUB's @file{core.img} can optionally provide enforcement that all files
subsequently read from disk are covered by a valid digital signature.
This document does @strong{not} cover how to ensure that your
This section does @strong{not} cover how to ensure that your
platform's firmware (e.g., Coreboot) validates @file{core.img}.
If environment variable @code{check_signatures}
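Review bot: The reworded sentence ("This section does @strong{not} cover how to ensure that your platform's firmware ... validates @file{core.img}") still leaves the reader with nowhere to go, even though this patch adds a node on that topic. Consider adding a cross-reference such as "(@pxref{Signing GRUB itself})" to the sentence so the scope statement points at the new material.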
@ -9595,6 +9596,21 @@ which increases the risk of password leakage during the process. Moreover, the
superuser list must be well maintained, and the password used cannot be
synchronized with LUKS key rotation.
@node Signing GRUB itself
@section Signing GRUB itself
To ensure a complete secure-boot chain, there must be a way for the code that
loads GRUB to verify the integrity of the core image.
This is ultimately platform-specific and individual platforms can define their
own mechanisms. However, there are general-purpose mechanisms that can be used
with GRUB.
@section Signing GRUB for UEFI secure boot
On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
with a tool such as @command{pesign} or @command{sbsign}. Refer to the
suggestions in @pxref{UEFI secure boot and shim} to ensure that the final
image works under UEFI secure boot and can maintain the secure-boot chain. It
will also be necessary to enroll the public key used into a relevant firmware
key database.
@node Platform limitations
@chapter Platform limitations
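Review bot: "@section Signing GRUB for UEFI secure boot" sits at the same level as "@section Signing GRUB itself" and has no @node of its own, so it has no menu entry and cannot be the target of a cross-reference. Consider making it a @subsection under the new node, or giving it a @node plus a line in the menu. Two smaller points in the same paragraph: "Refer to the suggestions in @pxref{UEFI secure boot and shim}" uses @pxref in running text, where @ref is the form that reads correctly, and "a relevant firmware key database" would help the reader more if it said which database is meant or pointed to where that is documented.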