Blame SOURCES/0180-docs-grub-Document-signing-grub-under-UEFI.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Sat, 15 Aug 2020 02:00:57 +1000
Subject: [PATCH] docs/grub: Document signing grub under UEFI
Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 docs/grub.texi | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index 4870faaa00a..365d1d6931b 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5817,6 +5817,7 @@ environment variables and commands are listed in the same order.
 * Secure Boot Advanced Targeting::   Embedded information for generation number based revocation
 * Measured Boot::                    Measuring boot components
 * Lockdown::                         Lockdown when booting on a secure setup
+* Signing GRUB itself::              Ensuring the integrity of the GRUB core image
 @end menu
 
 @node Authentication and authorisation
@@ -5895,7 +5896,7 @@ commands.
 
 GRUB's @file{core.img} can optionally provide enforcement that all files
 subsequently read from disk are covered by a valid digital signature.
-This document does @strong{not} cover how to ensure that your
+This section does @strong{not} cover how to ensure that your
 platform's firmware (e.g., Coreboot) validates @file{core.img}.
 
 If environment variable @code{check_signatures}
@@ -6067,6 +6068,25 @@ be restricted and some operations/commands cannot be executed.
 The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
 Otherwise it does not exit.
 
+@node Signing GRUB itself
+@section Signing GRUB itself
+
+To ensure a complete secure-boot chain, there must be a way for the code that
+loads GRUB to verify the integrity of the core image.
+
+This is ultimately platform-specific and individual platforms can define their
+own mechanisms. However, there are general-purpose mechanisms that can be used
+with GRUB.
+
+@section Signing GRUB for UEFI secure boot
+
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
+with a tool such as @command{pesign} or @command{sbsign}. Refer to the
+suggestions in @pxref{UEFI secure boot and shim} to ensure that the final
+image works under UEFI secure boot and can maintain the secure-boot chain. It
+will also be necessary to enrol the public key used into a relevant firmware
+key database.
+
 @node Platform limitations
 @chapter Platform limitations
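Review bot: the second heading added in this hunk, `+@section Signing GRUB for UEFI secure boot`, has no matching `@node`, whereas the first one, `Signing GRUB itself`, gets both a `@node` and the new menu entry in the first hunk; in Texinfo a sectioning command without a node cannot be the target of a cross-reference or be listed in the menu, so either add `@node Signing GRUB for UEFI secure boot` plus a menu entry, or demote it to `@subsection` under `Signing GRUB itself`, which is how the text reads. Separately, `Refer to the suggestions in @pxref{UEFI secure boot and shim}` will render oddly, since `@pxref` expands to a parenthetical "see ..."; `@ref` is the form meant for an in-sentence reference. Lastly, "enrol the public key used into a relevant firmware key database" would be more useful to a reader if it named the database intended (the firmware's own signature database, or the MOK list when shim is in the chain), since that choice determines whether the signed image is accepted at all.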