On Mon, Aug 25, 2025 at 04:38:42PM +0530, Sudhakar Kuppusamy wrote: > Signing GRUB for firmware that verifies an appended signature is a > bit fiddly. I don't want people to have to figure it out from scratch > so document it here. > > Signed-off-by: Daniel Axtens <[email protected]> > Signed-off-by: Sudhakar Kuppusamy <[email protected]> > Reviewed-by: Stefan Berger <[email protected]> > Reviewed-by: Avnish Chouhan <[email protected]> > --- > docs/grub.texi | 100 +++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 100 insertions(+) > > diff --git a/docs/grub.texi b/docs/grub.texi > index 72ee8d08c..3ee4989b8 100644 > --- a/docs/grub.texi > +++ b/docs/grub.texi > @@ -9379,6 +9379,106 @@ image works under UEFI secure boot and can maintain > the secure-boot chain. It > will also be necessary to enroll the public key used into a relevant firmware > key database. > > +@section Signing GRUB with an appended signature > +The @file{core.elf} itself can be signed with a Linux kernel module-style > +appended signature (@pxref{Using appended signatures}). > +To support IEEE1275 platforms where the boot image is often loaded directly > +from a disk partition rather than from a file system, the @file{core.elf} > +can specify the size and location of the appended signature with an ELF > +Note added by @command{grub-install} or @command{grub-mkimage}. > +An image can be signed this way using the @command{sign-file} command from > +the Linux kernel: > + > +@itemize > +@item Signing a GRUB image using a single signer key. The grub.key is your > +private key used for GRUB signing, grub.der is a corresponding public key > +(certificate) used for GRUB signature verification, and the kernel.der is > +your public key (certificate) used for kernel signature verification. > +@example > +@group > +# Determine the size of the appended signature. It depends on the > +# signing key (certificate) and the hash algorithm.
s/ (certificate)// > +# Signing the /dev/null with an appended signature. > + > +sign-file SHA256 grub.key grub.der /dev/null ./empty.sig > + > +# Get the size of the signature. > + > +EMPTY_SIG_SIZE=`stat -c '%s' ./empty.sig` > + > +# Remove the empty file signature. > + > +rm ./empty.sig > + > +# Build a GRUB image with $EMPTY_SIG_SIZE reserved for the signature. > + > +grub-install --appended-signature-size $EMPTY_SIG_SIZE -x kernel.der \ > + --modules="appendedsig ..." ... > + or I think the grub-install does not make a lot of sense here because it installs unsigned version of GRUB image to the partition. So, I would simply drop it... > +grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der \ > + -p /grub --appended-signature-size $EMPTY_SIG_SIZE \ > + --modules="appendedsig ..." ... > + > +# Signing a GRUB image with an appended signature. > + > +sign-file SHA256 grub.key grub.der core.elf.unsigned core.elf.signed I think installation step is missing here. Please add an example how the signed image should be installed to the partition. > +@end group > +@end example > +@item Signing a GRUB image using more than one signer key. The grub1.key and > +grub2.key are private keys used for GRUB signing, grub1.der and grub2.der > +are corresponding public keys (certificates) used for GRUB signature > verification. > +The kernel1.der and kernel2.der are your public keys (certificates) used for > +kernel signature verification. > +@example > +@group > +# Generate a raw signature for /dev/null signing using OpenSSL. > + > +openssl cms -sign -binary -nocerts -in /dev/null -signer \ > + grub1.der -inkey grub1.key -signer grub2.der -inkey grub2.key \ > + -out ./empty.p7s -outform DER -noattr -md sha256 > + > +# Signing the /dev/null with an appended signature. > + > +sign-file -s ./empty.p7s sha256 /dev/null /dev/null ./empty.signed > + > +# Get the size of the signature. > + > +EMPTY_SIG_SIZE=`stat -c '%s' ./empty.signed` > + > +# Remove the empty file signatures. > + > +rm ./empty.signed ./empty.p7s > + > +# Build a GRUB image with $EMPTY_SIG_SIZE reserved for the signature. > + > +grub-install --appended-signature-size $EMPTY_SIG_SIZE -x kernel1.der \ > + kernel2.der --modules="appendedsig ..." ... Again, I would drop grub-install from here... > + or > +grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel1.der \ > + kernel2.der -p /grub --appended-signature-size $EMPTY_SIG_SIZE \ > + --modules="appendedsig ..." ... > + > +# Generate a raw signature for GRUB image signing using OpenSSL. > + > +openssl cms -sign -binary -nocerts -in core.elf.unsigned -signer \ > + grub1.der -inkey grub1.key -signer grub2.der -inkey grub2.key \ > + -out core.p7s -outform DER -noattr -md sha256 > + > +# Signing a GRUB image with an appended signature. > + > +sign-file -s core.p7s sha256 /dev/null core.elf.unsigned core.elf.signed As above, please add an example how signed image should be installed... > +@end group > +@end example > +@item Don't forget to install the signed image as required > +(e.g. on powerpc-ieee1275, to the PReP partition). And here it is... Though I think you should add example install commands as I stated above. Daniel _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
