From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
To: grub-devel@gnu.org
Cc: dja@axtens.net, jan.setjeeilers@oracle.com,
julian.klode@canonical.com, mate.kukri@canonical.com,
pjones@redhat.com, msuchanek@suse.com, mlewando@redhat.com,
stefanb@linux.ibm.com, avnish@linux.ibm.com, nayna@linux.ibm.com,
ssrish@linux.ibm.com, Sudhakar Kuppusamy <sudhakar@linux.ibm.com>,
Daniel Kiper <daniel.kiper@oracle.com>
Subject: [PATCH v6 18/20] docs/grub: Document signing GRUB under UEFI
Date: Tue, 29 Jul 2025 20:21:54 +0530 [thread overview]
Message-ID: <20250729145156.3522-19-sudhakar@linux.ibm.com> (raw)
In-Reply-To: <20250729145156.3522-1-sudhakar@linux.ibm.com>
From: Daniel Axtens <dja@axtens.net>
Before adding information about how GRUB is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
docs/grub.texi | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index 15f087f27..72ee8d08c 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -8675,6 +8675,7 @@ environment variables and commands are listed in the same order.
* Measured Boot:: Measuring boot components
* Lockdown:: Lockdown when booting on a secure setup
* TPM2 key protector:: Managing disk key with TPM2 key protector
+* Signing GRUB itself:: Ensuring the integrity of the GRUB core image
@end menu
@node Authentication and authorisation
@@ -8755,7 +8756,7 @@ commands.
GRUB's @file{core.img} can optionally provide enforcement that all files
subsequently read from disk are covered by a valid digital signature.
-This document does @strong{not} cover how to ensure that your
+This section does @strong{not} cover how to ensure that your
platform's firmware (e.g., Coreboot) validates @file{core.img}.
If environment variable @code{check_signatures}
@@ -9363,6 +9364,21 @@ which increases the risk of password leakage during the process. Moreover, the
superuser list must be well maintained, and the password used cannot be
synchronized with LUKS key rotation.
+@node Signing GRUB itself
+@section Signing GRUB itself
+To ensure a complete secure-boot chain, there must be a way for the code that
+loads GRUB to verify the integrity of the core image.
+This is ultimately platform-specific and individual platforms can define their
+own mechanisms. However, there are general-purpose mechanisms that can be used
+with GRUB.
+@section Signing GRUB for UEFI secure boot
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
+with a tool such as @command{pesign} or @command{sbsign}. Refer to the
+suggestions in @pxref{UEFI secure boot and shim} to ensure that the final
+image works under UEFI secure boot and can maintain the secure-boot chain. It
+will also be necessary to enroll the public key used into a relevant firmware
+key database.
+
@node Platform limitations
@chapter Platform limitations
--
2.39.5 (Apple Git-154)
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
next prev parent reply other threads:[~2025-07-29 14:54 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-29 14:51 [PATCH v6 00/20] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 01/20] powerpc-ieee1275: Add support for signing GRUB with an appended signature Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 02/20] crypto: Move storage for grub_crypto_pk_* to crypto.c Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 03/20] pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 04/20] grub-install: Support embedding x509 certificates Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 05/20] appended signatures: Import GNUTLS's ASN.1 description files Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 06/20] appended signatures: Parse ASN1 node Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 07/20] appended signatures: Parse PKCS#7 signedData Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 08/20] appended signatures: Parse X.509 certificates Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 09/20] powerpc_ieee1275: Enter lockdown based on /ibm, secure-boot Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 10/20] appended signatures: Support verifying appended signatures Sudhakar Kuppusamy
2025-08-11 15:54 ` Daniel Kiper
2025-08-12 5:00 ` Sudhakar Kuppusamy
2025-08-12 11:30 ` Daniel Kiper
2025-08-12 11:46 ` Sudhakar Kuppusamy
2025-08-13 14:33 ` Daniel Kiper
2025-08-13 14:48 ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 11/20] powerpc_ieee1275: Read the db and dbx secure boot variables Sudhakar Kuppusamy
2025-08-11 16:24 ` Daniel Kiper
2025-08-11 16:40 ` Sudhakar Kuppusamy
2025-08-12 11:39 ` Daniel Kiper
2025-07-29 14:51 ` [PATCH v6 12/20] appended signatures: Create db and dbx lists Sudhakar Kuppusamy
2025-08-11 17:21 ` Daniel Kiper
2025-08-11 17:34 ` Sudhakar Kuppusamy
2025-08-12 11:50 ` Daniel Kiper
2025-07-29 14:51 ` [PATCH v6 13/20] appended signatures: Using db and dbx lists for signature verification Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 14/20] powerpc_ieee1275: Introduce use_static_keys flag Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 15/20] appended signatures: Read default db keys from the ELF Note Sudhakar Kuppusamy
2025-08-13 14:43 ` Daniel Kiper
2025-08-13 14:49 ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 16/20] appended signatures: Introduce GRUB commands to access db and dbx Sudhakar Kuppusamy
2025-08-13 15:42 ` Daniel Kiper
2025-08-14 6:22 ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 17/20] appended signatures: Verification tests Sudhakar Kuppusamy
2025-07-29 14:51 ` Sudhakar Kuppusamy [this message]
2025-07-29 14:51 ` [PATCH v6 19/20] docs/grub: Document signing GRUB with an appended signature Sudhakar Kuppusamy
2025-08-13 16:45 ` Daniel Kiper
2025-08-14 6:54 ` Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 20/20] docs/grub: Document " Sudhakar Kuppusamy
2025-08-14 14:20 ` Daniel Kiper
2025-08-14 18:33 ` Sudhakar Kuppusamy
-- strict thread matches above, loose matches on Subject: below --
2025-07-29 12:36 [PATCH v6 00/20] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 18/20] docs/grub: Document signing GRUB under UEFI Sudhakar Kuppusamy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250729145156.3522-19-sudhakar@linux.ibm.com \
--to=sudhakar@linux.ibm.com \
--cc=avnish@linux.ibm.com \
--cc=daniel.kiper@oracle.com \
--cc=dja@axtens.net \
--cc=grub-devel@gnu.org \
--cc=jan.setjeeilers@oracle.com \
--cc=julian.klode@canonical.com \
--cc=mate.kukri@canonical.com \
--cc=mlewando@redhat.com \
--cc=msuchanek@suse.com \
--cc=nayna@linux.ibm.com \
--cc=pjones@redhat.com \
--cc=ssrish@linux.ibm.com \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).