5975ab
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
5975ab
From: Daniel Axtens <dja@axtens.net>
5975ab
Date: Thu, 1 Oct 2020 13:02:09 +1000
5975ab
Subject: [PATCH] appended signatures: documentation
5975ab
5975ab
This explains how appended signatures can be used to form part of
5975ab
a secure boot chain, and documents the commands and variables
5975ab
introduced.
5975ab
5975ab
(docs: s/grub/grub2/)
5975ab
Signed-off-by: Daniel Axtens <dja@axtens.net>
5975ab
---
5975ab
 docs/grub.texi | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
5975ab
 1 file changed, 172 insertions(+), 13 deletions(-)
5975ab
5975ab
diff --git a/docs/grub.texi b/docs/grub.texi
f6e916
index a833364d5..97f0f47e0 100644
5975ab
--- a/docs/grub.texi
5975ab
+++ b/docs/grub.texi
5975ab
@@ -3160,6 +3160,7 @@ These variables have special meaning to GRUB.
5975ab
 
5975ab
 @menu
5975ab
 * biosnum::
5975ab
+* check_appended_signatures::
5975ab
 * check_signatures::
5975ab
 * chosen::
5975ab
 * cmdpath::
5975ab
@@ -3219,11 +3220,18 @@ For an alternative approach which also changes BIOS drive mappings for the
5975ab
 chain-loaded system, @pxref{drivemap}.
5975ab
 
5975ab
 
5975ab
+@node check_appended_signatures
5975ab
+@subsection check_appended_signatures
5975ab
+
5975ab
+This variable controls whether GRUB enforces appended signature validation on
5975ab
+certain loaded files. @xref{Using appended signatures}.
5975ab
+
5975ab
+
5975ab
 @node check_signatures
5975ab
 @subsection check_signatures
5975ab
 
5975ab
-This variable controls whether GRUB enforces digital signature
5975ab
-validation on loaded files. @xref{Using digital signatures}.
5975ab
+This variable controls whether GRUB enforces GPG-style digital signature
5975ab
+validation on loaded files. @xref{Using GPG-style digital signatures}.
5975ab
 
5975ab
 @node chosen
5975ab
 @subsection chosen
5975ab
@@ -3937,6 +3945,7 @@ you forget a command, you can run the command @command{help}
5975ab
 * date::                        Display or set current date and time
5975ab
 * devicetree::                  Load a device tree blob
5975ab
 * distrust::                    Remove a pubkey from trusted keys
5975ab
+* distrust_certificate::        Remove a certificate from the list of trusted certificates
5975ab
 * drivemap::                    Map a drive to another
5975ab
 * echo::                        Display a line of text
5975ab
 * eval::                        Evaluate agruments as GRUB commands
5975ab
@@ -3953,6 +3962,7 @@ you forget a command, you can run the command @command{help}
5975ab
 * keystatus::                   Check key modifier status
5975ab
 * linux::                       Load a Linux kernel
5975ab
 * linux16::                     Load a Linux kernel (16-bit mode)
5975ab
+* list_certificates::           List trusted certificates
5975ab
 * list_env::                    List variables in environment block
5975ab
 * list_trusted::                List trusted public keys
5975ab
 * load_env::                    Load variables from environment block
5975ab
@@ -3989,9 +3999,11 @@ you forget a command, you can run the command @command{help}
5975ab
 * test::                        Check file types and compare values
5975ab
 * true::                        Do nothing, successfully
5975ab
 * trust::                       Add public key to list of trusted keys
5975ab
+* trust_certificate::           Add an x509 certificate to the list of trusted certificates
5975ab
 * unset::                       Unset an environment variable
5975ab
 * uppermem::                    Set the upper memory size
5975ab
 @comment * vbeinfo::                     List available video modes
5975ab
+* verify_appended::             Verify appended digital signature
5975ab
 * verify_detached::             Verify detached digital signature
5975ab
 * videoinfo::                   List available video modes
5975ab
 @comment * xen_*::              Xen boot commands for AArch64
5975ab
@@ -4282,9 +4294,28 @@ These keys are used to validate signatures when environment variable
5975ab
 @code{check_signatures} is set to @code{enforce}
5975ab
 (@pxref{check_signatures}), and by some invocations of
5975ab
 @command{verify_detached} (@pxref{verify_detached}).  @xref{Using
5975ab
-digital signatures}, for more information.
5975ab
+GPG-style digital signatures}, for more information.
5975ab
 @end deffn
5975ab
 
5975ab
+
5975ab
+@node distrust_certificate
5975ab
+@subsection distrust_certificate
5975ab
+
5975ab
+@deffn Command distrust_certificate cert_number
5975ab
+Remove the x509 certificate numbered @var{cert_number} from GRUB's keyring of
5975ab
+trusted x509 certificates for verifying appended signatures.
5975ab
+
5975ab
+@var{cert_number} is the certificate number as listed by
5975ab
+@command{list_certificates} (@pxref{list_certificates}).
5975ab
+
5975ab
+These certificates are used to validate appended signatures when environment
5975ab
+variable @code{check_appended_signatures} is set to @code{enforce}
5975ab
+(@pxref{check_appended_signatures}), and by @command{verify_appended}
5975ab
+(@pxref{verify_appended}). See @xref{Using appended signatures} for more
5975ab
+information.
5975ab
+@end deffn
5975ab
+
5975ab
+
5975ab
 @node drivemap
5975ab
 @subsection drivemap
5975ab
 
5975ab
@@ -4542,6 +4573,21 @@ This command is only available on x86 systems.
5975ab
 @end deffn
5975ab
 
5975ab
 
5975ab
+@node list_certificates
5975ab
+@subsection list_certificates
5975ab
+
5975ab
+@deffn Command list_certificates
5975ab
+List all x509 certificates trusted by GRUB for validating appended signatures.
5975ab
+The output is a numbered list of certificates, showing the certificate's serial
5975ab
+number and Common Name.
5975ab
+
5975ab
+The certificate number can be used as an argument to
5975ab
+@command{distrust_certificate} (@pxref{distrust_certificate}).
5975ab
+
5975ab
+See @xref{Using appended signatures} for more information.
5975ab
+@end deffn
5975ab
+
5975ab
+
5975ab
 @node list_env
5975ab
 @subsection list_env
5975ab
 
5975ab
@@ -4561,7 +4607,7 @@ The output is in GPG's v4 key fingerprint format (i.e., the output of
5975ab
 @code{gpg --fingerprint}).  The least significant four bytes (last
5975ab
 eight hexadecimal digits) can be used as an argument to
5975ab
 @command{distrust} (@pxref{distrust}).
5975ab
-@xref{Using digital signatures}, for more information about uses for
5975ab
+@xref{Using GPG-style digital signatures}, for more information about uses for
5975ab
 these keys.
5975ab
 @end deffn
5975ab
 
5975ab
@@ -4596,8 +4642,12 @@ When used with care, @option{--skip-sig} and the whitelist enable an
5975ab
 administrator to configure a system to boot only signed
5975ab
 configurations, but to allow the user to select from among multiple
5975ab
 configurations, and to enable ``one-shot'' boot attempts and
5975ab
-``savedefault'' behavior.  @xref{Using digital signatures}, for more
5975ab
+``savedefault'' behavior.  @xref{Using GPG-style digital signatures}, for more
5975ab
 information.
5975ab
+
5975ab
+Extra care should be taken when combining this command with appended signatures
5975ab
+(@pxref{Using appended signatures}), as this file is not validated by an
5975ab
+appended signature and could set @code{check_appended_signatures=no}.
5975ab
 @end deffn
5975ab
 
5975ab
 
5975ab
@@ -4883,7 +4933,7 @@ read.  It is possible to modify a digitally signed environment block
5975ab
 file from within GRUB using this command, such that its signature will
5975ab
 no longer be valid on subsequent boots.  Care should be taken in such
5975ab
 advanced configurations to avoid rendering the system
5975ab
-unbootable. @xref{Using digital signatures}, for more information.
5975ab
+unbootable. @xref{Using GPG-style digital signatures}, for more information.
5975ab
 @end deffn
5975ab
 
5975ab
 
5975ab
@@ -5208,11 +5258,31 @@ signatures when environment variable @code{check_signatures} is set to
5975ab
 must itself be properly signed.  The @option{--skip-sig} option can be
5975ab
 used to disable signature-checking when reading @var{pubkey_file}
5975ab
 itself. It is expected that @option{--skip-sig} is useful for testing
5975ab
-and manual booting. @xref{Using digital signatures}, for more
5975ab
+and manual booting. @xref{Using GPG-style digital signatures}, for more
5975ab
 information.
5975ab
 @end deffn
5975ab
 
5975ab
 
5975ab
+@node trust_certificate
5975ab
+@subsection trust_certificate
5975ab
+
5975ab
+@deffn Command trust_certificate x509_certificate
5975ab
+Read an DER-formatted x509 certificate from the file @var{x509_certificate}
5975ab
+and add it to GRUB's internal list of trusted x509 certificates. These
5975ab
+certificates are used to validate appended signatures when the environment
5975ab
+variable @code{check_appended_signatures} is set to @code{enforce}.
5975ab
+
5975ab
+Note that if @code{check_appended_signatures} is set to @code{enforce}
5975ab
+when @command{trust_certificate} is executed, then @var{x509_certificate}
5975ab
+must itself bear an appended signature. (It is not sufficient that
5975ab
+@var{x509_certificate} be signed by a trusted certificate according to the
5975ab
+x509 rules: grub does not include support for validating signatures within x509
5975ab
+certificates themselves.)
5975ab
+
5975ab
+See @xref{Using appended signatures} for more information.
5975ab
+@end deffn
5975ab
+
5975ab
+
5975ab
 @node unset
5975ab
 @subsection unset
5975ab
 
5975ab
@@ -5237,6 +5307,18 @@ only on PC BIOS platforms.
5975ab
 @end deffn
5975ab
 @end ignore
5975ab
 
5975ab
+@node verify_appended
5975ab
+@subsection verify_appended
5975ab
+
5975ab
+@deffn Command verify_appended file
5975ab
+Verifies an appended signature on @var{file} against the trusted certificates
5975ab
+known to GRUB (See @pxref{list_certificates}, @pxref{trust_certificate}, and
5975ab
+@pxref{distrust_certificate}).
5975ab
+
5975ab
+Exit code @code{$?} is set to 0 if the signature validates
5975ab
+successfully.  If validation fails, it is set to a non-zero value.
5975ab
+See @xref{Using appended signatures}, for more information.
5975ab
+@end deffn
5975ab
 
5975ab
 @node verify_detached
5975ab
 @subsection verify_detached
5975ab
@@ -5255,7 +5337,7 @@ tried.
5975ab
 
5975ab
 Exit code @code{$?} is set to 0 if the signature validates
5975ab
 successfully.  If validation fails, it is set to a non-zero value.
5975ab
-@xref{Using digital signatures}, for more information.
5975ab
+@xref{Using GPG-style digital signatures}, for more information.
5975ab
 @end deffn
5975ab
 
5975ab
 @node videoinfo
5975ab
@@ -5601,9 +5683,10 @@ environment variables and commands are listed in the same order.
5975ab
 @chapter Security
5975ab
 
5975ab
 @menu
5975ab
-* Authentication and authorisation:: Users and access control
5975ab
-* Using digital signatures::         Booting digitally signed code
5975ab
-* Signing GRUB itself::              Ensuring the integrity of the GRUB core image
5975ab
+* Authentication and authorisation::   Users and access control
5975ab
+* Using GPG-style digital signatures:: Booting digitally signed code
5975ab
+* Using appended signatures::          An alternative approach to booting digitally signed code
5975ab
+* Signing GRUB itself::                Ensuring the integrity of the GRUB core image
5975ab
 @end menu
5975ab
 
5975ab
 @node Authentication and authorisation
5975ab
@@ -5676,8 +5759,8 @@ generating configuration files with authentication.  You can use
5975ab
 adding @kbd{set superusers=} and @kbd{password} or @kbd{password_pbkdf2}
5975ab
 commands.
5975ab
 
5975ab
-@node Using digital signatures
5975ab
-@section Using digital signatures in GRUB
5975ab
+@node Using GPG-style digital signatures
5975ab
+@section Using GPG-style digital signatures in GRUB
5975ab
 
5975ab
 GRUB's @file{core.img} can optionally provide enforcement that all files
5975ab
 subsequently read from disk are covered by a valid digital signature.
5975ab
@@ -5760,6 +5843,82 @@ or BIOS) configuration to cause the machine to boot from a different
5975ab
 (attacker-controlled) device.  GRUB is at best only one link in a
5975ab
 secure boot chain.
5975ab
 
5975ab
+@node Using appended signatures
5975ab
+@section Using appended signatures in GRUB
5975ab
+
5975ab
+GRUB supports verifying Linux-style 'appended signatures' for secure boot.
5975ab
+Appended signatures are PKCS#7 messages containing a signature over the
5975ab
+contents of a file, plus some metadata, appended to the end of a file. A file
5975ab
+with an appended signature ends with the magic string:
5975ab
+
5975ab
+@example
5975ab
+~Module signature appended~\n
5975ab
+@end example
5975ab
+
5975ab
+where @code{\n} represents the carriage-return character, @code{0x0a}.
5975ab
+
5975ab
+To enable appended signature verification, load the appendedsig module and an
5975ab
+x509 certificate for verification. Building the appendedsig module into the
5975ab
+core grub image is recommended.
5975ab
+
5975ab
+Certificates can be managed at boot time using the @pxref{trust_certificate},
5975ab
+@pxref{distrust_certificate} and @pxref{list_certificates} commands.
5975ab
+Certificates can also be built in to the core image using the @code{--x509}
5975ab
+parameter to @command{grub-install} or @command{grub-mkimage}.
5975ab
+
5975ab
+A file can be explictly verified using the @pxref{verify_appended} command.
5975ab
+
5975ab
+Only signatures made with the SHA-256 or SHA-512 hash algorithm are supported,
5975ab
+and only RSA signatures are supported.
5975ab
+
5975ab
+A file can be signed with the @command{sign-file} utility supplied with the
5975ab
+Linux kernel source. For example, if you have @code{signing.key} as the private
5975ab
+key and @code{certificate.der} as the x509 certificate containing the public key:
5975ab
+
5975ab
+@example
5975ab
+sign-file SHA256 signing.key certificate.der vmlinux vmlinux.signed
5975ab
+@end example
5975ab
+
5975ab
+Enforcement of signature verification is controlled by the
5975ab
+@code{check_appended_signatures} variable. Verification will only take place
5975ab
+when files are loaded if the variable is set to @code{enforce}. If a
5975ab
+certificate is built into the grub core image with the @code{--x509} parameter,
5975ab
+the variable will be automatically set to @code{enforce} when the appendedsig
5975ab
+module is loaded.
5975ab
+
5975ab
+Unlike GPG-style signatures, not all files loaded by GRUB are required to be
5975ab
+signed. Once verification is turned on, the following file types must carry
5975ab
+appended signatures:
5975ab
+
5975ab
+@enumerate
5975ab
+@item Linux, Multiboot, BSD, XNU and Plan9 kernels
5975ab
+@item Grub modules, except those built in to the core image
5975ab
+@item Any new certificate files to be trusted
5975ab
+@end enumerate
5975ab
+
5975ab
+ACPI tables and Device Tree images will not be checked for appended signatures
5975ab
+but must be verified by another mechanism such as GPG-style signatures before
5975ab
+they will be loaded.
5975ab
+
5975ab
+No attempt is made to validate any other file type. In particular,
5975ab
+chain-loaded binaries are not verified - if your platform supports
5975ab
+chain-loading and this cannot be disabled, consider an alternative secure
5975ab
+boot mechanism.
5975ab
+
5975ab
+As with GPG-style appended signatures, signature checking does @strong{not}
5975ab
+stop an attacker with console access from dropping manually to the GRUB
5975ab
+console and executing:
5975ab
+
5975ab
+@example
5975ab
+set check_appended_signatures=no
5975ab
+@end example
5975ab
+
5975ab
+Refer to the section on password-protecting GRUB (@pxref{Authentication
5975ab
+and authorisation}) for more information on preventing this.
5975ab
+
5975ab
+Additionally, special care must be taken around the @command{loadenv} command,
5975ab
+which can be used to turn off @code{check_appended_signature}.
5975ab
+
5975ab
 @node Signing GRUB itself
5975ab
 @section Signing GRUB itself
5975ab