From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
To: grub-devel@gnu.org
Cc: dja@axtens.net, jan.setjeeilers@oracle.com,
julian.klode@canonical.com, mate.kukri@canonical.com,
pjones@redhat.com, msuchanek@suse.com, mlewando@redhat.com,
stefanb@linux.ibm.com, avnish@linux.ibm.com, nayna@linux.ibm.com,
ssrish@linux.ibm.com, Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Subject: [PATCH v6 19/20] docs/grub: Document signing GRUB with an appended signature
Date: Tue, 29 Jul 2025 20:21:55 +0530 [thread overview]
Message-ID: <20250729145156.3522-20-sudhakar@linux.ibm.com> (raw)
In-Reply-To: <20250729145156.3522-1-sudhakar@linux.ibm.com>
Signing GRUB for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
---
docs/grub.texi | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 98 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 72ee8d08c..2ff867cc5 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -9379,6 +9379,104 @@ image works under UEFI secure boot and can maintain the secure-boot chain. It
will also be necessary to enroll the public key used into a relevant firmware
key database.
+@section Signing GRUB with an appended signature
+The @file{core.elf} itself can be signed with a Linux kernel module-style
+appended signature.
+To support IEEE1275 platforms where the boot image is often loaded directly
+from a disk partition rather than from a file system, the @file{core.elf}
+can specify the size and location of the appended signature with an ELF
+Note added by @command{grub-install} or @command{grub-mkimage}.
+An image can be signed this way using the @command{sign-file} command from
+the Linux kernel:
+
+@itemize
+@item Signing a GRUB image using single signer key. The grub.key is your
+private key, certificate.der is your GRUB signing public key, and
+kernel.der is your kernel signing public key.
+@example
+@group
+# Determine the size of the appended signature. It depends on the
+# signing certificate and the hash algorithm.
+#
+# Signing the /dev/null with an appended signature.
+
+sign-file SHA256 grub.key certificate.der /dev/null ./empty.sig
+
+# Get the size of the signature.
+
+EMPTY_SIG_SIZE=`stat -c '%s' ./empty.sig`
+
+# Remove the empty file signature.
+
+rm ./empty.sig
+
+# Build a GRUB image with $EMPTY_SIG_SIZE reserved for the signature.
+
+grub-install --appended-signature-size $EMPTY_SIG_SIZE \
+ --modules="appendedsig ..." ...
+ or
+grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der \
+ -p /grub --appended-signature-size $EMPTY_SIG_SIZE \
+ --modules="appendedsig ..." ...
+
+# Signing a GRUB image with an appended signature.
+
+sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
+
+@end group
+@end example
+@item Signing a GRUB image using more than one signer key. The grub1.key and
+grub2.key are your private keys, certificate1.der and certificate2.der
+are your GRUB signing public keys. kernel.der and kernel2.der are your
+kernel signing public key.
+@example
+@group
+# Generate a raw signature for /dev/null signing using OpenSSL.
+
+openssl cms -sign -binary -nocerts -in /dev/null -signer \
+ certificate1.pem -inkey grub1.key -signer certificate2.pem \
+ -inkey grub2.key -out ./empty.p7s -outform DER -noattr -md sha256
+
+# Signing the /dev/null with an appended signature.
+
+sign-file -s ./empty.p7s sha256 /dev/null /dev/null ./empty.signed
+
+# Get the size of the signature.
+
+EMPTY_SIG_SIZE=`stat -c '%s' ./empty.signed`
+
+# Remove the empty file signatures.
+
+rm ./empty.signed ./empty.p7s
+
+# Build a GRUB image with $EMPTY_SIG_SIZE reserved for the signature.
+
+grub-install --appended-signature-size $EMPTY_SIG_SIZE \
+ --modules="appendedsig ..." ...
+ or
+grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der \
+ -p /grub --appended-signature-size $EMPTY_SIG_SIZE \
+ --modules="appendedsig ..." ...
+
+# Generate a raw signature for GRUB image signing using OpenSSL.
+
+openssl cms -sign -binary -nocerts -in core.elf.unsigned -signer \
+ certificate.pem -inkey grub.key -signer certificate1.pem -inkey \
+ grub1.key -out core.p7s -outform DER -noattr -md sha256
+
+# Signing a GRUB image with an appended signature.
+
+sign-file -s core.p7s sha256 /dev/null core.elf.unsigned core.elf.signed
+
+@end group
+@end example
+@item Don't forget to install the signed image as required
+(e.g. on powerpc-ieee1275, to the PReP partition).
+@end itemize
+
+As with UEFI secure boot, it is necessary to build-in the required modules,
+or sign them separately.
+
@node Platform limitations
@chapter Platform limitations
--
2.39.5 (Apple Git-154)
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
next prev parent reply other threads:[~2025-07-29 14:56 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-29 14:51 [PATCH v6 00/20] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 01/20] powerpc-ieee1275: Add support for signing GRUB with an appended signature Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 02/20] crypto: Move storage for grub_crypto_pk_* to crypto.c Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 03/20] pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 04/20] grub-install: Support embedding x509 certificates Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 05/20] appended signatures: Import GNUTLS's ASN.1 description files Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 06/20] appended signatures: Parse ASN1 node Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 07/20] appended signatures: Parse PKCS#7 signedData Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 08/20] appended signatures: Parse X.509 certificates Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 09/20] powerpc_ieee1275: Enter lockdown based on /ibm, secure-boot Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 10/20] appended signatures: Support verifying appended signatures Sudhakar Kuppusamy
2025-08-11 15:54 ` Daniel Kiper
2025-08-12 5:00 ` Sudhakar Kuppusamy
2025-08-12 11:30 ` Daniel Kiper
2025-08-12 11:46 ` Sudhakar Kuppusamy
2025-08-13 14:33 ` Daniel Kiper
2025-08-13 14:48 ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 11/20] powerpc_ieee1275: Read the db and dbx secure boot variables Sudhakar Kuppusamy
2025-08-11 16:24 ` Daniel Kiper
2025-08-11 16:40 ` Sudhakar Kuppusamy
2025-08-12 11:39 ` Daniel Kiper
2025-07-29 14:51 ` [PATCH v6 12/20] appended signatures: Create db and dbx lists Sudhakar Kuppusamy
2025-08-11 17:21 ` Daniel Kiper
2025-08-11 17:34 ` Sudhakar Kuppusamy
2025-08-12 11:50 ` Daniel Kiper
2025-07-29 14:51 ` [PATCH v6 13/20] appended signatures: Using db and dbx lists for signature verification Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 14/20] powerpc_ieee1275: Introduce use_static_keys flag Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 15/20] appended signatures: Read default db keys from the ELF Note Sudhakar Kuppusamy
2025-08-13 14:43 ` Daniel Kiper
2025-08-13 14:49 ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 16/20] appended signatures: Introduce GRUB commands to access db and dbx Sudhakar Kuppusamy
2025-08-13 15:42 ` Daniel Kiper
2025-08-14 6:22 ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 17/20] appended signatures: Verification tests Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 18/20] docs/grub: Document signing GRUB under UEFI Sudhakar Kuppusamy
2025-07-29 14:51 ` Sudhakar Kuppusamy [this message]
2025-08-13 16:45 ` [PATCH v6 19/20] docs/grub: Document signing GRUB with an appended signature Daniel Kiper
2025-08-14 6:54 ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 20/20] docs/grub: Document " Sudhakar Kuppusamy
2025-08-14 14:20 ` Daniel Kiper
2025-08-14 18:33 ` Sudhakar Kuppusamy
-- strict thread matches above, loose matches on Subject: below --
2025-07-29 12:36 [PATCH v6 00/20] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 19/20] docs/grub: Document signing GRUB with an appended signature Sudhakar Kuppusamy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250729145156.3522-20-sudhakar@linux.ibm.com \
--to=sudhakar@linux.ibm.com \
--cc=avnish@linux.ibm.com \
--cc=dja@axtens.net \
--cc=grub-devel@gnu.org \
--cc=jan.setjeeilers@oracle.com \
--cc=julian.klode@canonical.com \
--cc=mate.kukri@canonical.com \
--cc=mlewando@redhat.com \
--cc=msuchanek@suse.com \
--cc=nayna@linux.ibm.com \
--cc=pjones@redhat.com \
--cc=ssrish@linux.ibm.com \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.