[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 06/22] docs/grub: Document signing grub with an appended s

From: Stefan Berger
Subject: Re: [PATCH v2 06/22] docs/grub: Document signing grub with an appended signature
Date: Mon, 12 Jul 2021 08:46:46 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0

On 6/30/21 4:40 AM, Daniel Axtens wrote:
Signing grub for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.

Signed-off-by: Daniel Axtens <>
  docs/grub.texi | 42 ++++++++++++++++++++++++++++++++++++++++++
  1 file changed, 42 insertions(+)

diff --git a/docs/grub.texi b/docs/grub.texi
index 2ffc3b417312..bed565371460 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -6055,6 +6055,48 @@ image works under UEFI secure boot and can maintain the 
secure-boot chain. It
  will also be necessary to enrol the public key used into a relevant firmware
  key database.
+@section Signing GRUB with an appended signature
+The @file{core.img} itself can be signed with a Linux kernel module-style
+appended signature.
+To support IEEE1275 platforms where the boot image is often loaded directly
+from a disk partition rather than from a file system, the @file{core.img}
+can specify the size and location of the appended signature with an ELF
+note added by @command{grub-install}.
+An image can be signed this way using the @command{sign-file} command from
+the Linux kernel:
+# grub.key is your private key and certificate.der is your public key
+# Determine the size of the appended signature. It depends on the signing
+# certificate and the hash algorithm
+touch empty
+sign-file SHA256 grub.key certificate.der empty empty.sig
+SIG_SIZE=`stat -c '%s' empty.sig`
+rm empty empty.sig
+# Build a grub image with $SIG_SIZE reserved for the signature
+grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
+# Replace the reserved size with a signature:
+# cut off the last $SIG_SIZE bytes with truncate's minus modifier
+truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned
+# sign the trimmed file with an appended signature, restoring the correct size
+sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
+# Don't forget to install the signed image as required
+# (e.g. on powerpc-ieee1275, to the PReP partition)
+@end group
+@end example
+As with UEFI secure boot, it is necessary to build in the required modules,
+or sign them separately.
  @node Platform limitations
  @chapter Platform limitations

Reviewed-by: Stefan Berger <>

reply via email to

[Prev in Thread] Current Thread [Next in Thread]