Re: [PATCH v2 03/21] docs/grub: Document signing grub with an appended signature

[sudhakar <sudhakar@linux.ibm.com>]

Hi Daniel,

Thank you for your valuable review comments. addressed all your 
comments.

On 2025-05-22 23:49, Daniel Kiper wrote:
> On Thu, Mar 27, 2025 at 01:02:24AM +0530, Sudhakar Kuppusamy wrote:
>> From: Daniel Axtens <dja@axtens.net>
>> 
>> Signing grub for firmware that verifies an appended signature is a
> 
> s/grub/GRUB/
> 
> The project name is GRUB. Please fix it everywhere.
> 
>> bit fiddly. I don't want people to have to figure it out from scratch
>> so document it here.
>> 
>> Signed-off-by: Daniel Axtens <dja@axtens.net>
>> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
>> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
>> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
>> ---
>>  docs/grub.texi | 32 ++++++++++++++++++++++++++++++++
>>  1 file changed, 32 insertions(+)
>> 
>> diff --git a/docs/grub.texi b/docs/grub.texi
>> index 0e877e026..19bbe9b2b 100644
>> --- a/docs/grub.texi
>> +++ b/docs/grub.texi
>> @@ -9262,6 +9262,38 @@ image works under UEFI secure boot and can 
>> maintain the secure-boot chain. It
>>  will also be necessary to enroll the public key used into a relevant 
>> firmware
>>  key database.
>> 
>> +@section Signing GRUB with an appended signature
>> +The @file{core.img} itself can be signed with a Linux kernel 
>> module-style
>> +appended signature.
>> +To support IEEE1275 platforms where the boot image is often loaded 
>> directly
>> +from a disk partition rather than from a file system, the 
>> @file{core.img}
>> +can specify the size and location of the appended signature with an 
>> ELF
>> +note added by @command{grub-install}.
>> +An image can be signed this way using the @command{sign-file} command 
>> from
>> +the Linux kernel:
>> +@example
>> +@group
>> +# grub.key is your private key and certificate.der is your public key
>> +# Determine the size of the appended signature. It depends on the 
>> signing
>> +# certificate and the hash algorithm
>> +touch empty
>> +sign-file SHA256 grub.key certificate.der empty empty.sig
> 
> Would not signing /dev/null instead of empty work?

It is work for /dev/null. addressed this in v3

> 
>> +SIG_SIZE=`stat -c '%s' empty.sig`
>> +rm empty empty.sig
>> +# Build a grub image with $SIG_SIZE reserved for the signature
>> +grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
>> +# Replace the reserved size with a signature:
>> +# cut off the last $SIG_SIZE bytes with truncate's minus modifier
>> +truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf 
>> core.elf.unsigned
> 
> This could be possibly done by grub-install/grub-mkimage. Then you 
> would
> have one step less. Or even automate signing process by calling 
> sign-file
> from the GRUB utils.

In v3, I reduced the truncate step and added the same in 
grub-install/grub-mkimage.
In future, I will add automate signing process in the GRUB utils

>> +# sign the trimmed file with an appended signature, restoring the 
>> correct size
>> +sign-file SHA256 grub.key certificate.der core.elf.unsigned 
>> core.elf.signed
>> +# Don't forget to install the signed image as required
>> +# (e.g. on powerpc-ieee1275, to the PReP partition)
>> +@end group
>> +@end example
>> +As with UEFI secure boot, it is necessary to build-in the required 
>> modules,
>> +or sign them separately.

> Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel