From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
To: grub-devel@gnu.org
Cc: jan.setjeeilers@oracle.com, julian.klode@canonical.com,
mate.kukri@canonical.com, pjones@redhat.com, msuchanek@suse.com,
mlewando@redhat.com, nayna@linux.ibm.com,
ltcgcw@linux.vnet.ibm.com, ssrish@linux.ibm.com,
stefanb@linux.ibm.com, avnish@linux.ibm.com,
Sudhakar Kuppusamy <sudhakar@linux.ibm.com>,
dja@axtens.net
Subject: [PATCH v4 03/23] docs/grub: Document signing GRUB with an appended signature
Date: Wed, 9 Jul 2025 17:15:20 +0530 [thread overview]
Message-ID: <20250709114540.58608-4-sudhakar@linux.ibm.com> (raw)
In-Reply-To: <20250709114540.58608-1-sudhakar@linux.ibm.com>
Signing GRUB for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
---
docs/grub.texi | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 86 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 320fa2124..d594e29bd 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -9379,6 +9379,92 @@ image works under UEFI secure boot and can maintain the secure-boot chain. It
will also be necessary to enroll the public key used into a relevant firmware
key database.
+@section Signing GRUB with an appended signature
+The @file{core.img} itself can be signed with a Linux kernel module-style
+appended signature.
+To support IEEE1275 platforms where the boot image is often loaded directly
+from a disk partition rather than from a file system, the @file{core.img}
+can specify the size and location of the appended signature with an ELF
+note added by @command{grub-install}.
+An image can be signed this way using the @command{sign-file} command from
+the Linux kernel:
+@example
+@group
+# Signing a GRUB image with only one signer key in the appended signature:
+# The grub.key is your private key and certificate.der is your GRUB signing public key
+# kernel.der is your kernel signing public key.
+#
+# Determine the size of the appended signature. It depends on the signing certificate
+# and the hash algorithm.
+#
+# Signing the /dev/null with an appended signature.
+
+sign-file SHA256 grub.key certificate.der /dev/null /dev/empty.sig
+
+# Get the size of the signature.
+
+EMPTY_SIG_SIZE=`stat -c '%s' /dev/empty.sig`
+
+# Remove the empty files.
+
+rm -rf /dev/empty.sig
+
+# Build a GRUB image with $EMPTY_SIG_SIZE reserved for the signature.
+
+grub-install --appended-signature-size $EMPTY_SIG_SIZE --modules="appendedsig ..." ...
+ or
+grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der -p /grub2 \
+--appended-signature-size $EMPTY_SIG_SIZE --modules="appendedsig ..." ...
+
+# Signing a GRUB image with an appended signature.
+
+sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
+
+#
+# Signing a GRUB image with more than one signer key in the appended signature:
+# The grub1.key and grub2.key are your private keys, certificate1.der and certificate2.der
+# are your GRUB signing public keys. kernel.der and Kernel2.der are your kernel signing public key.
+
+# Generate a raw signature for /dev/null signing using OpenSSL.
+
+openssl cms -sign -binary -nocerts -in /dev/null -signer certificate1.pem -inkey grub1.key \
+-signer certificate2.pem -inkey grub2.key -out /dev/empty.p7s -outform DER -noattr -md sha256
+
+# Signing the /dev/null with an appended signature.
+
+sign-file -s /dev/empty.p7s sha256 /dev/null /dev/null /dev/empty.signed
+
+# Get the size of the signature.
+
+EMPTY_SIG_SIZE=`stat -c '%s' /dev/empty.signed`
+
+# Remove the empty files.
+
+rm -rf /dev/empty.signed /dev/empty.p7s
+
+# Build a GRUB image with $EMPTY_SIG_SIZE reserved for the signature.
+
+grub-install --appended-signature-size $EMPTY_SIG_SIZE --modules="appendedsig ..." ...
+ or
+grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der -p /grub2 \
+--appended-signature-size $EMPTY_SIG_SIZE --modules="appendedsig ..." ...
+
+# Generate a raw signature for GRUB image signing using OpenSSL.
+
+openssl cms -sign -binary -nocerts -in core.elf.unsigned -signer certificate.pem \
+-inkey grub.key -signer certificate1.pem -inkey grub1.key -out core.p7s -outform DER -noattr -md sha256
+
+# Signing a GRUB image with an appended signature.
+
+sign-file -s core.p7s sha256 /dev/null core.elf.unsigned core.elf.signed
+
+# Don't forget to install the signed image as required (e.g. on powerpc-ieee1275, to the PReP partition)
+
+@end group
+@end example
+As with UEFI secure boot, it is necessary to build-in the required modules,
+or sign them separately.
+
@node Platform limitations
@chapter Platform limitations
--
2.39.5 (Apple Git-154)
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
next prev parent reply other threads:[~2025-07-09 11:50 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-09 11:45 [PATCH v4 00/23] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 01/23] powerpc-ieee1275: Add support for signing GRUB with an appended signature Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 02/23] docs/grub: Document signing GRUB under UEFI Sudhakar Kuppusamy
2025-07-09 11:45 ` Sudhakar Kuppusamy [this message]
2025-07-09 11:45 ` [PATCH v4 04/23] pgp: Factor out rsa_pad Sudhakar Kuppusamy
2025-07-24 8:55 ` Gary Lin via Grub-devel
2025-07-31 12:01 ` Sudhakar Kuppusamy
2025-08-01 1:24 ` Gary Lin via Grub-devel
2025-07-09 11:45 ` [PATCH v4 05/23] crypto: Move storage for grub_crypto_pk_* to crypto.c Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 06/23] pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 07/23] grub-install: Support embedding x509 certificates Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 08/23] appended signatures: Import GNUTLS's ASN.1 description files Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 09/23] appended signatures: Parse ASN1 node Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 10/23] appended signatures: Parse PKCS#7 signedData Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 11/23] appended signatures: Parse X.509 certificates Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 12/23] appended signatures: Support verifying appended signatures Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 13/23] appended signatures: Verification tests Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 14/23] appended signatures: Documentation Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 15/23] ieee1275: Enter lockdown based on /ibm,secure-boot Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 16/23] ieee1275: Read the DB and DBX secure boot variables Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 17/23] appendedsig: create db and dbx lists Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 18/23] appendedsig: verify the kernel using " Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 19/23] powerpc_ieee1275: Introduce use_static_keys flag Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 20/23] appendedsig: Read default DB keys from the ELF Note Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 21/23] appendedsig: Introduce GRUB commands to access db and dbx Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 22/23] appendedsig: Documentation Sudhakar Kuppusamy
2025-07-09 11:45 ` [PATCH v4 23/23] appendedsig test: Replace the certificate number with an x.509 certificate Sudhakar Kuppusamy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250709114540.58608-4-sudhakar@linux.ibm.com \
--to=sudhakar@linux.ibm.com \
--cc=avnish@linux.ibm.com \
--cc=dja@axtens.net \
--cc=grub-devel@gnu.org \
--cc=jan.setjeeilers@oracle.com \
--cc=julian.klode@canonical.com \
--cc=ltcgcw@linux.vnet.ibm.com \
--cc=mate.kukri@canonical.com \
--cc=mlewando@redhat.com \
--cc=msuchanek@suse.com \
--cc=nayna@linux.ibm.com \
--cc=pjones@redhat.com \
--cc=ssrish@linux.ibm.com \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).