On Thu, Mar 27, 2025 at 01:02:24AM +0530, Sudhakar Kuppusamy wrote:
> From: Daniel Axtens <d...@axtens.net>
>
> Signing grub for firmware that verifies an appended signature is a
s/grub/GRUB/
The project name is GRUB. Please fix it everywhere.
> bit fiddly. I don't want people to have to figure it out from scratch
> so document it here.
>
> Signed-off-by: Daniel Axtens <d...@axtens.net>
> Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
> Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
> ---
> docs/grub.texi | 32 ++++++++++++++++++++++++++++++++
> 1 file changed, 32 insertions(+)
>
> diff --git a/docs/grub.texi b/docs/grub.texi
> index 0e877e026..19bbe9b2b 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi
> @@ -9262,6 +9262,38 @@ image works under UEFI secure boot and can maintain
> the secure-boot chain. It
> will also be necessary to enroll the public key used into a relevant firmware
> key database.
>
> +@section Signing GRUB with an appended signature
> +The @file{core.img} itself can be signed with a Linux kernel module-style
> +appended signature.
> +To support IEEE1275 platforms where the boot image is often loaded directly
> +from a disk partition rather than from a file system, the @file{core.img}
> +can specify the size and location of the appended signature with an ELF
> +note added by @command{grub-install}.
> +An image can be signed this way using the @command{sign-file} command from
> +the Linux kernel:
> +@example
> +@group
> +# grub.key is your private key and certificate.der is your public key
> +# Determine the size of the appended signature. It depends on the signing
> +# certificate and the hash algorithm
> +touch empty
> +sign-file SHA256 grub.key certificate.der empty empty.sig
Would not signing /dev/null instead of empty work?
> +SIG_SIZE=`stat -c '%s' empty.sig`
> +rm empty empty.sig
> +# Build a grub image with $SIG_SIZE reserved for the signature
> +grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
> +# Replace the reserved size with a signature:
> +# cut off the last $SIG_SIZE bytes with truncate's minus modifier
> +truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned
This could be possibly done by grub-install/grub-mkimage. Then you would
have one step less. Or even automate signing process by calling sign-file
from the GRUB utils.
> +# sign the trimmed file with an appended signature, restoring the correct
> size
> +sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
> +# Don't forget to install the signed image as required
> +# (e.g. on powerpc-ieee1275, to the PReP partition)
> +@end group
> +@end example
> +As with UEFI secure boot, it is necessary to build-in the required modules,
> +or sign them separately.
Daniel
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
