Blame SOURCES/0350-docs-grub-Document-signing-grub-under-UEFI.patch

3efed6
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
3efed6
From: Daniel Axtens <dja@axtens.net>
3efed6
Date: Sat, 15 Aug 2020 02:00:57 +1000
3efed6
Subject: [PATCH] docs/grub: Document signing grub under UEFI
3efed6
3efed6
Before adding information about how grub is signed with an appended
3efed6
signature scheme, it's worth adding some information about how it
3efed6
can currently be signed for UEFI.
3efed6
3efed6
(adjusted from upstream - s/grub/grub2/ in the docs)
3efed6
Signed-off-by: Daniel Axtens <dja@axtens.net>
3efed6
---
3efed6
 docs/grub.texi | 19 ++++++++++++++++++-
3efed6
 1 file changed, 18 insertions(+), 1 deletion(-)
3efed6
3efed6
diff --git a/docs/grub.texi b/docs/grub.texi
b71686
index fa11cc0af..acace6c07 100644
3efed6
--- a/docs/grub.texi
3efed6
+++ b/docs/grub.texi
3efed6
@@ -5610,6 +5610,7 @@ environment variables and commands are listed in the same order.
3efed6
 @menu
3efed6
 * Authentication and authorisation:: Users and access control
3efed6
 * Using digital signatures::         Booting digitally signed code
3efed6
+* Signing GRUB itself::              Ensuring the integrity of the GRUB core image
3efed6
 @end menu
3efed6
 
3efed6
 @node Authentication and authorisation
3efed6
@@ -5687,7 +5688,7 @@ commands.
3efed6
 
3efed6
 GRUB's @file{core.img} can optionally provide enforcement that all files
3efed6
 subsequently read from disk are covered by a valid digital signature.
3efed6
-This document does @strong{not} cover how to ensure that your
3efed6
+This section does @strong{not} cover how to ensure that your
3efed6
 platform's firmware (e.g., Coreboot) validates @file{core.img}.
3efed6
 
3efed6
 If environment variable @code{check_signatures}
3efed6
@@ -5772,6 +5773,22 @@ or BIOS) configuration to cause the machine to boot from a different
3efed6
 (attacker-controlled) device.  GRUB is at best only one link in a
3efed6
 secure boot chain.
3efed6
 
3efed6
+@node Signing GRUB itself
3efed6
+@section Signing GRUB itself
3efed6
+
3efed6
+To ensure a complete secure-boot chain, there must be a way for the code that
3efed6
+loads GRUB to verify the integrity of the core image.
3efed6
+
3efed6
+This is ultimately platform-specific and individual platforms can define their
3efed6
+own mechanisms. However, there are general-purpose mechanisms that can be used
3efed6
+with GRUB.
3efed6
+
3efed6
+@section Signing GRUB for UEFI secure boot
3efed6
+
3efed6
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
3efed6
+with a tool such as @command{pesign} or @command{sbsign}. It will also be
3efed6
+necessary to enrol the public key used into a relevant firmware key database.
3efed6
+
3efed6
 @node Platform limitations
3efed6
 @chapter Platform limitations
3efed6