nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0180-docs-grub-Document-signing-grub-under-UEFI.patch

8e15ce
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
8e15ce
From: Daniel Axtens <dja@axtens.net>
8e15ce
Date: Sat, 15 Aug 2020 02:00:57 +1000
8e15ce
Subject: [PATCH] docs/grub: Document signing grub under UEFI
8e15ce
8e15ce
Before adding information about how grub is signed with an appended
8e15ce
signature scheme, it's worth adding some information about how it
8e15ce
can currently be signed for UEFI.
8e15ce
8e15ce
Signed-off-by: Daniel Axtens <dja@axtens.net>
8e15ce
---
8e15ce
 docs/grub.texi | 22 +++++++++++++++++++++-
8e15ce
 1 file changed, 21 insertions(+), 1 deletion(-)
8e15ce
8e15ce
diff --git a/docs/grub.texi b/docs/grub.texi
8e15ce
index 4870faaa00a..365d1d6931b 100644
8e15ce
--- a/docs/grub.texi
8e15ce
+++ b/docs/grub.texi
8e15ce
@@ -5817,6 +5817,7 @@ environment variables and commands are listed in the same order.
8e15ce
 * Secure Boot Advanced Targeting::   Embedded information for generation number based revocation
8e15ce
 * Measured Boot::                    Measuring boot components
8e15ce
 * Lockdown::                         Lockdown when booting on a secure setup
8e15ce
+* Signing GRUB itself::              Ensuring the integrity of the GRUB core image
8e15ce
 @end menu
8e15ce
 
8e15ce
 @node Authentication and authorisation
8e15ce
@@ -5895,7 +5896,7 @@ commands.
8e15ce
 
8e15ce
 GRUB's @file{core.img} can optionally provide enforcement that all files
8e15ce
 subsequently read from disk are covered by a valid digital signature.
8e15ce
-This document does @strong{not} cover how to ensure that your
8e15ce
+This section does @strong{not} cover how to ensure that your
8e15ce
 platform's firmware (e.g., Coreboot) validates @file{core.img}.
8e15ce
 
8e15ce
 If environment variable @code{check_signatures}
8e15ce
@@ -6067,6 +6068,25 @@ be restricted and some operations/commands cannot be executed.
8e15ce
 The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
8e15ce
 Otherwise it does not exit.
8e15ce
 
8e15ce
+@node Signing GRUB itself
8e15ce
+@section Signing GRUB itself
8e15ce
+
8e15ce
+To ensure a complete secure-boot chain, there must be a way for the code that
8e15ce
+loads GRUB to verify the integrity of the core image.
8e15ce
+
8e15ce
+This is ultimately platform-specific and individual platforms can define their
8e15ce
+own mechanisms. However, there are general-purpose mechanisms that can be used
8e15ce
+with GRUB.
8e15ce
+
8e15ce
+@section Signing GRUB for UEFI secure boot
8e15ce
+
8e15ce
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
8e15ce
+with a tool such as @command{pesign} or @command{sbsign}. Refer to the
8e15ce
+suggestions in @pxref{UEFI secure boot and shim} to ensure that the final
8e15ce
+image works under UEFI secure boot and can maintain the secure-boot chain. It
8e15ce
+will also be necessary to enrol the public key used into a relevant firmware
8e15ce
+key database.
8e15ce
+
8e15ce
 @node Platform limitations
8e15ce
 @chapter Platform limitations
8e15ce