5975ab
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Sat, 15 Aug 2020 02:00:57 +1000
Subject: [PATCH] docs/grub: Document signing grub under UEFI

Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.

(adjusted from upstream - s/grub/grub2/ in the docs)
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 docs/grub.texi | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index fa11cc0af..acace6c07 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5610,6 +5610,7 @@ environment variables and commands are listed in the same order.
 @menu
 * Authentication and authorisation:: Users and access control
 * Using digital signatures::         Booting digitally signed code
+* Signing GRUB itself::              Ensuring the integrity of the GRUB core image
 @end menu
 
 @node Authentication and authorisation
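Review bot: the new menu line `+* Signing GRUB itself::              Ensuring the integrity of the GRUB core image` describes the node as being about integrity, while the section it points to is about signing, which is what lets the loader check authenticity (who produced the image) and not only that it was not altered; consider wording the description as something like "Verifying the GRUB core image" so the menu entry matches the @section text it links to.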
@@ -5687,7 +5688,7 @@ commands.
 
 GRUB's @file{core.img} can optionally provide enforcement that all files
 subsequently read from disk are covered by a valid digital signature.
-This document does @strong{not} cover how to ensure that your
+This section does @strong{not} cover how to ensure that your
 platform's firmware (e.g., Coreboot) validates @file{core.img}.
 
 If environment variable @code{check_signatures}
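Review bot: changing "This document" to "This section" on the line `+This section does @strong{not} cover how to ensure that your` is the right fix now that the manual gains a section on exactly that topic, but the sentence still leaves the reader with no pointer to it; consider appending a cross-reference such as `(@pxref{Signing GRUB itself})` to the Coreboot sentence so readers are sent to the new material instead of being left with the impression that it is out of scope for the manual.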
@@ -5772,6 +5773,22 @@ or BIOS) configuration to cause the machine to boot from a different
 (attacker-controlled) device.  GRUB is at best only one link in a
 secure boot chain.
 
+@node Signing GRUB itself
+@section Signing GRUB itself
+
+To ensure a complete secure-boot chain, there must be a way for the code that
+loads GRUB to verify the integrity of the core image.
+
+This is ultimately platform-specific and individual platforms can define their
+own mechanisms. However, there are general-purpose mechanisms that can be used
+with GRUB.
+
+@section Signing GRUB for UEFI secure boot
+
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
+with a tool such as @command{pesign} or @command{sbsign}. It will also be
+necessary to enrol the public key used into a relevant firmware key database.
+
 @node Platform limitations
 @chapter Platform limitations
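Review bot: `+@section Signing GRUB for UEFI secure boot` is placed at the same sectioning level as `+@section Signing GRUB itself`, so in the rendered manual the UEFI text reads as a sibling of the general section rather than the platform-specific case it introduces, and unlike every other section in this hunk it has no preceding @node, so it cannot be reached by Info navigation or targeted by a cross-reference; consider making it `@subsection` with its own @node and a matching @menu under "Signing GRUB itself". On the content, the line `+On UEFI platforms, @file{core.img} is a PE binary.` may send readers looking for a file of that name, whereas on UEFI the image that gets signed is the PE output of grub-mkimage, normally installed under a platform name such as grubx64.efi, so it is worth saying that explicitly; and "a relevant firmware key database" would be more useful if it named the usual choices (the firmware's db, or a shim MOK entry). Finally, the commit message says the upstream text was adjusted with s/grub/grub2/, but no "grub2" appears in the added lines, so either the message or the hunk should be updated to match.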