80913e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e
From: Daniel Axtens <dja@axtens.net>
80913e
Date: Thu, 1 Oct 2020 13:02:09 +1000
80913e
Subject: [PATCH] appended signatures: documentation
80913e
80913e
This explains how appended signatures can be used to form part of
80913e
a secure boot chain, and documents the commands and variables
80913e
introduced.
80913e
80913e
(docs: s/grub/grub2/)
80913e
Signed-off-by: Daniel Axtens <dja@axtens.net>
80913e
---
80913e
 docs/grub.texi | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
80913e
 1 file changed, 172 insertions(+), 13 deletions(-)
80913e
80913e
diff --git a/docs/grub.texi b/docs/grub.texi
b32e65
index a833364d5..97f0f47e0 100644
80913e
--- a/docs/grub.texi
80913e
+++ b/docs/grub.texi
80913e
@@ -3160,6 +3160,7 @@ These variables have special meaning to GRUB.
80913e
 
80913e
 @menu
80913e
 * biosnum::
80913e
+* check_appended_signatures::
80913e
 * check_signatures::
80913e
 * chosen::
80913e
 * cmdpath::
80913e
@@ -3219,11 +3220,18 @@ For an alternative approach which also changes BIOS drive mappings for the
80913e
 chain-loaded system, @pxref{drivemap}.
80913e
 
80913e
 
80913e
+@node check_appended_signatures
80913e
+@subsection check_appended_signatures
80913e
+
80913e
+This variable controls whether GRUB enforces appended signature validation on
80913e
+certain loaded files. @xref{Using appended signatures}.
80913e
+
80913e
+
80913e
 @node check_signatures
80913e
 @subsection check_signatures
80913e
 
80913e
-This variable controls whether GRUB enforces digital signature
80913e
-validation on loaded files. @xref{Using digital signatures}.
80913e
+This variable controls whether GRUB enforces GPG-style digital signature
80913e
+validation on loaded files. @xref{Using GPG-style digital signatures}.
80913e
 
80913e
 @node chosen
80913e
 @subsection chosen
80913e
@@ -3937,6 +3945,7 @@ you forget a command, you can run the command @command{help}
80913e
 * date::                        Display or set current date and time
80913e
 * devicetree::                  Load a device tree blob
80913e
 * distrust::                    Remove a pubkey from trusted keys
80913e
+* distrust_certificate::        Remove a certificate from the list of trusted certificates
80913e
 * drivemap::                    Map a drive to another
80913e
 * echo::                        Display a line of text
80913e
 * eval::                        Evaluate agruments as GRUB commands
80913e
@@ -3953,6 +3962,7 @@ you forget a command, you can run the command @command{help}
80913e
 * keystatus::                   Check key modifier status
80913e
 * linux::                       Load a Linux kernel
80913e
 * linux16::                     Load a Linux kernel (16-bit mode)
80913e
+* list_certificates::           List trusted certificates
80913e
 * list_env::                    List variables in environment block
80913e
 * list_trusted::                List trusted public keys
80913e
 * load_env::                    Load variables from environment block
80913e
@@ -3989,9 +3999,11 @@ you forget a command, you can run the command @command{help}
80913e
 * test::                        Check file types and compare values
80913e
 * true::                        Do nothing, successfully
80913e
 * trust::                       Add public key to list of trusted keys
80913e
+* trust_certificate::           Add an x509 certificate to the list of trusted certificates
80913e
 * unset::                       Unset an environment variable
80913e
 * uppermem::                    Set the upper memory size
80913e
 @comment * vbeinfo::                     List available video modes
80913e
+* verify_appended::             Verify appended digital signature
80913e
 * verify_detached::             Verify detached digital signature
80913e
 * videoinfo::                   List available video modes
80913e
 @comment * xen_*::              Xen boot commands for AArch64
80913e
@@ -4282,9 +4294,28 @@ These keys are used to validate signatures when environment variable
80913e
 @code{check_signatures} is set to @code{enforce}
80913e
 (@pxref{check_signatures}), and by some invocations of
80913e
 @command{verify_detached} (@pxref{verify_detached}).  @xref{Using
80913e
-digital signatures}, for more information.
80913e
+GPG-style digital signatures}, for more information.
80913e
 @end deffn
80913e
 
80913e
+
80913e
+@node distrust_certificate
80913e
+@subsection distrust_certificate
80913e
+
80913e
+@deffn Command distrust_certificate cert_number
80913e
+Remove the x509 certificate numbered @var{cert_number} from GRUB's keyring of
80913e
+trusted x509 certificates for verifying appended signatures.
80913e
+
80913e
+@var{cert_number} is the certificate number as listed by
80913e
+@command{list_certificates} (@pxref{list_certificates}).
80913e
+
80913e
+These certificates are used to validate appended signatures when environment
80913e
+variable @code{check_appended_signatures} is set to @code{enforce}
80913e
+(@pxref{check_appended_signatures}), and by @command{verify_appended}
80913e
+(@pxref{verify_appended}). See @xref{Using appended signatures} for more
80913e
+information.
80913e
+@end deffn
80913e
+
80913e
+
80913e
 @node drivemap
80913e
 @subsection drivemap
80913e
 
80913e
@@ -4542,6 +4573,21 @@ This command is only available on x86 systems.
80913e
 @end deffn
80913e
 
80913e
 
80913e
+@node list_certificates
80913e
+@subsection list_certificates
80913e
+
80913e
+@deffn Command list_certificates
80913e
+List all x509 certificates trusted by GRUB for validating appended signatures.
80913e
+The output is a numbered list of certificates, showing the certificate's serial
80913e
+number and Common Name.
80913e
+
80913e
+The certificate number can be used as an argument to
80913e
+@command{distrust_certificate} (@pxref{distrust_certificate}).
80913e
+
80913e
+See @xref{Using appended signatures} for more information.
80913e
+@end deffn
80913e
+
80913e
+
80913e
 @node list_env
80913e
 @subsection list_env
80913e
 
80913e
@@ -4561,7 +4607,7 @@ The output is in GPG's v4 key fingerprint format (i.e., the output of
80913e
 @code{gpg --fingerprint}).  The least significant four bytes (last
80913e
 eight hexadecimal digits) can be used as an argument to
80913e
 @command{distrust} (@pxref{distrust}).
80913e
-@xref{Using digital signatures}, for more information about uses for
80913e
+@xref{Using GPG-style digital signatures}, for more information about uses for
80913e
 these keys.
80913e
 @end deffn
80913e
 
80913e
@@ -4596,8 +4642,12 @@ When used with care, @option{--skip-sig} and the whitelist enable an
80913e
 administrator to configure a system to boot only signed
80913e
 configurations, but to allow the user to select from among multiple
80913e
 configurations, and to enable ``one-shot'' boot attempts and
80913e
-``savedefault'' behavior.  @xref{Using digital signatures}, for more
80913e
+``savedefault'' behavior.  @xref{Using GPG-style digital signatures}, for more
80913e
 information.
80913e
+
80913e
+Extra care should be taken when combining this command with appended signatures
80913e
+(@pxref{Using appended signatures}), as this file is not validated by an
80913e
+appended signature and could set @code{check_appended_signatures=no}.
80913e
 @end deffn
80913e
 
80913e
 
80913e
@@ -4883,7 +4933,7 @@ read.  It is possible to modify a digitally signed environment block
80913e
 file from within GRUB using this command, such that its signature will
80913e
 no longer be valid on subsequent boots.  Care should be taken in such
80913e
 advanced configurations to avoid rendering the system
80913e
-unbootable. @xref{Using digital signatures}, for more information.
80913e
+unbootable. @xref{Using GPG-style digital signatures}, for more information.
80913e
 @end deffn
80913e
 
80913e
 
80913e
@@ -5208,11 +5258,31 @@ signatures when environment variable @code{check_signatures} is set to
80913e
 must itself be properly signed.  The @option{--skip-sig} option can be
80913e
 used to disable signature-checking when reading @var{pubkey_file}
80913e
 itself. It is expected that @option{--skip-sig} is useful for testing
80913e
-and manual booting. @xref{Using digital signatures}, for more
80913e
+and manual booting. @xref{Using GPG-style digital signatures}, for more
80913e
 information.
80913e
 @end deffn
80913e
 
80913e
 
80913e
+@node trust_certificate
80913e
+@subsection trust_certificate
80913e
+
80913e
+@deffn Command trust_certificate x509_certificate
80913e
+Read an DER-formatted x509 certificate from the file @var{x509_certificate}
80913e
+and add it to GRUB's internal list of trusted x509 certificates. These
80913e
+certificates are used to validate appended signatures when the environment
80913e
+variable @code{check_appended_signatures} is set to @code{enforce}.
80913e
+
80913e
+Note that if @code{check_appended_signatures} is set to @code{enforce}
80913e
+when @command{trust_certificate} is executed, then @var{x509_certificate}
80913e
+must itself bear an appended signature. (It is not sufficient that
80913e
+@var{x509_certificate} be signed by a trusted certificate according to the
80913e
+x509 rules: grub does not include support for validating signatures within x509
80913e
+certificates themselves.)
80913e
+
80913e
+See @xref{Using appended signatures} for more information.
80913e
+@end deffn
80913e
+
80913e
+
80913e
 @node unset
80913e
 @subsection unset
80913e
 
80913e
@@ -5237,6 +5307,18 @@ only on PC BIOS platforms.
80913e
 @end deffn
80913e
 @end ignore
80913e
 
80913e
+@node verify_appended
80913e
+@subsection verify_appended
80913e
+
80913e
+@deffn Command verify_appended file
80913e
+Verifies an appended signature on @var{file} against the trusted certificates
80913e
+known to GRUB (See @pxref{list_certificates}, @pxref{trust_certificate}, and
80913e
+@pxref{distrust_certificate}).
80913e
+
80913e
+Exit code @code{$?} is set to 0 if the signature validates
80913e
+successfully.  If validation fails, it is set to a non-zero value.
80913e
+See @xref{Using appended signatures}, for more information.
80913e
+@end deffn
80913e
 
80913e
 @node verify_detached
80913e
 @subsection verify_detached
80913e
@@ -5255,7 +5337,7 @@ tried.
80913e
 
80913e
 Exit code @code{$?} is set to 0 if the signature validates
80913e
 successfully.  If validation fails, it is set to a non-zero value.
80913e
-@xref{Using digital signatures}, for more information.
80913e
+@xref{Using GPG-style digital signatures}, for more information.
80913e
 @end deffn
80913e
 
80913e
 @node videoinfo
80913e
@@ -5601,9 +5683,10 @@ environment variables and commands are listed in the same order.
80913e
 @chapter Security
80913e
 
80913e
 @menu
80913e
-* Authentication and authorisation:: Users and access control
80913e
-* Using digital signatures::         Booting digitally signed code
80913e
-* Signing GRUB itself::              Ensuring the integrity of the GRUB core image
80913e
+* Authentication and authorisation::   Users and access control
80913e
+* Using GPG-style digital signatures:: Booting digitally signed code
80913e
+* Using appended signatures::          An alternative approach to booting digitally signed code
80913e
+* Signing GRUB itself::                Ensuring the integrity of the GRUB core image
80913e
 @end menu
80913e
 
80913e
 @node Authentication and authorisation
80913e
@@ -5676,8 +5759,8 @@ generating configuration files with authentication.  You can use
80913e
 adding @kbd{set superusers=} and @kbd{password} or @kbd{password_pbkdf2}
80913e
 commands.
80913e
 
80913e
-@node Using digital signatures
80913e
-@section Using digital signatures in GRUB
80913e
+@node Using GPG-style digital signatures
80913e
+@section Using GPG-style digital signatures in GRUB
80913e
 
80913e
 GRUB's @file{core.img} can optionally provide enforcement that all files
80913e
 subsequently read from disk are covered by a valid digital signature.
80913e
@@ -5760,6 +5843,82 @@ or BIOS) configuration to cause the machine to boot from a different
80913e
 (attacker-controlled) device.  GRUB is at best only one link in a
80913e
 secure boot chain.
80913e
 
80913e
+@node Using appended signatures
80913e
+@section Using appended signatures in GRUB
80913e
+
80913e
+GRUB supports verifying Linux-style 'appended signatures' for secure boot.
80913e
+Appended signatures are PKCS#7 messages containing a signature over the
80913e
+contents of a file, plus some metadata, appended to the end of a file. A file
80913e
+with an appended signature ends with the magic string:
80913e
+
80913e
+@example
80913e
+~Module signature appended~\n
80913e
+@end example
80913e
+
80913e
+where @code{\n} represents the carriage-return character, @code{0x0a}.
80913e
+
80913e
+To enable appended signature verification, load the appendedsig module and an
80913e
+x509 certificate for verification. Building the appendedsig module into the
80913e
+core grub image is recommended.
80913e
+
80913e
+Certificates can be managed at boot time using the @pxref{trust_certificate},
80913e
+@pxref{distrust_certificate} and @pxref{list_certificates} commands.
80913e
+Certificates can also be built in to the core image using the @code{--x509}
80913e
+parameter to @command{grub-install} or @command{grub-mkimage}.
80913e
+
80913e
+A file can be explictly verified using the @pxref{verify_appended} command.
80913e
+
80913e
+Only signatures made with the SHA-256 or SHA-512 hash algorithm are supported,
80913e
+and only RSA signatures are supported.
80913e
+
80913e
+A file can be signed with the @command{sign-file} utility supplied with the
80913e
+Linux kernel source. For example, if you have @code{signing.key} as the private
80913e
+key and @code{certificate.der} as the x509 certificate containing the public key:
80913e
+
80913e
+@example
80913e
+sign-file SHA256 signing.key certificate.der vmlinux vmlinux.signed
80913e
+@end example
80913e
+
80913e
+Enforcement of signature verification is controlled by the
80913e
+@code{check_appended_signatures} variable. Verification will only take place
80913e
+when files are loaded if the variable is set to @code{enforce}. If a
80913e
+certificate is built into the grub core image with the @code{--x509} parameter,
80913e
+the variable will be automatically set to @code{enforce} when the appendedsig
80913e
+module is loaded.
80913e
+
80913e
+Unlike GPG-style signatures, not all files loaded by GRUB are required to be
80913e
+signed. Once verification is turned on, the following file types must carry
80913e
+appended signatures:
80913e
+
80913e
+@enumerate
80913e
+@item Linux, Multiboot, BSD, XNU and Plan9 kernels
80913e
+@item Grub modules, except those built in to the core image
80913e
+@item Any new certificate files to be trusted
80913e
+@end enumerate
80913e
+
80913e
+ACPI tables and Device Tree images will not be checked for appended signatures
80913e
+but must be verified by another mechanism such as GPG-style signatures before
80913e
+they will be loaded.
80913e
+
80913e
+No attempt is made to validate any other file type. In particular,
80913e
+chain-loaded binaries are not verified - if your platform supports
80913e
+chain-loading and this cannot be disabled, consider an alternative secure
80913e
+boot mechanism.
80913e
+
80913e
+As with GPG-style appended signatures, signature checking does @strong{not}
80913e
+stop an attacker with console access from dropping manually to the GRUB
80913e
+console and executing:
80913e
+
80913e
+@example
80913e
+set check_appended_signatures=no
80913e
+@end example
80913e
+
80913e
+Refer to the section on password-protecting GRUB (@pxref{Authentication
80913e
+and authorisation}) for more information on preventing this.
80913e
+
80913e
+Additionally, special care must be taken around the @command{loadenv} command,
80913e
+which can be used to turn off @code{check_appended_signature}.
80913e
+
80913e
 @node Signing GRUB itself
80913e
 @section Signing GRUB itself
80913e