[PATCH v4 02/23] docs/grub: Document signing GRUB under UEFI

From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
To: grub-devel@gnu.org
Cc: jan.setjeeilers@oracle.com, julian.klode@canonical.com,
	mate.kukri@canonical.com, pjones@redhat.com, msuchanek@suse.com,
	mlewando@redhat.com, nayna@linux.ibm.com,
	ltcgcw@linux.vnet.ibm.com, ssrish@linux.ibm.com,
	stefanb@linux.ibm.com, avnish@linux.ibm.com,
	Daniel Axtens <dja@axtens.net>,
	Sudhakar Kuppusamy <sudhakar@linux.ibm.com>,
	Daniel Kiper <daniel.kiper@oracle.com>
Subject: [PATCH v4 02/23] docs/grub: Document signing GRUB under UEFI
Date: Wed,  9 Jul 2025 17:15:19 +0530	[thread overview]
Message-ID: <20250709114540.58608-3-sudhakar@linux.ibm.com> (raw)
In-Reply-To: <20250709114540.58608-1-sudhakar@linux.ibm.com>

From: Daniel Axtens <dja@axtens.net>

Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 docs/grub.texi | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index 34b3484dc..320fa2124 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -8675,6 +8675,7 @@ environment variables and commands are listed in the same order.
 * Measured Boot::                    Measuring boot components
 * Lockdown::                         Lockdown when booting on a secure setup
 * TPM2 key protector::               Managing disk key with TPM2 key protector
+* Signing GRUB itself::              Ensuring the integrity of the GRUB core image
 @end menu
 
 @node Authentication and authorisation
@@ -8755,7 +8756,7 @@ commands.
 
 GRUB's @file{core.img} can optionally provide enforcement that all files
 subsequently read from disk are covered by a valid digital signature.
-This document does @strong{not} cover how to ensure that your
+This section does @strong{not} cover how to ensure that your
 platform's firmware (e.g., Coreboot) validates @file{core.img}.
 
 If environment variable @code{check_signatures}
@@ -9363,6 +9364,21 @@ which increases the risk of password leakage during the process. Moreover, the
 superuser list must be well maintained, and the password used cannot be
 synchronized with LUKS key rotation.
 
+@node Signing GRUB itself
+@section Signing GRUB itself
+To ensure a complete secure-boot chain, there must be a way for the code that
+loads GRUB to verify the integrity of the core image.
+This is ultimately platform-specific and individual platforms can define their
+own mechanisms. However, there are general-purpose mechanisms that can be used
+with GRUB.
+@section Signing GRUB for UEFI secure boot
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
+with a tool such as @command{pesign} or @command{sbsign}. Refer to the
+suggestions in @pxref{UEFI secure boot and shim} to ensure that the final
+image works under UEFI secure boot and can maintain the secure-boot chain. It
+will also be necessary to enroll the public key used into a relevant firmware
+key database.
+
 @node Platform limitations
 @chapter Platform limitations
 
-- 
2.39.5 (Apple Git-154)


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
