grub2/0281-docs-grub-Document-signing-grub-under-UEFI.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Sat, 15 Aug 2020 02:00:57 +1000
Subject: [PATCH] docs/grub: Document signing grub under UEFI

Before adding information about how grub is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.

(adjusted from upstream - s/grub/grub2/ in the docs)
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 docs/grub.texi | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index 085b9974cc5..abb1d0fae54 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5645,6 +5645,7 @@ environment variables and commands are listed in the same order.
 @menu
 * Authentication and authorisation:: Users and access control
 * Using digital signatures::         Booting digitally signed code
+* Signing GRUB itself::              Ensuring the integrity of the GRUB core image
 * UEFI secure boot and shim::        Booting digitally signed PE files
 * Measured Boot::                    Measuring boot components
 @end menu
@@ -5724,7 +5725,7 @@ commands.
 
 GRUB's @file{core.img} can optionally provide enforcement that all files
 subsequently read from disk are covered by a valid digital signature.
-This document does @strong{not} cover how to ensure that your
+This section does @strong{not} cover how to ensure that your
 platform's firmware (e.g., Coreboot) validates @file{core.img}.
 
 If environment variable @code{check_signatures}
@@ -5809,6 +5810,22 @@ or BIOS) configuration to cause the machine to boot from a different
 (attacker-controlled) device.  GRUB is at best only one link in a
 secure boot chain.
 
+@node Signing GRUB itself
+@section Signing GRUB itself
+
+To ensure a complete secure-boot chain, there must be a way for the code that
+loads GRUB to verify the integrity of the core image.
+
+This is ultimately platform-specific and individual platforms can define their
+own mechanisms. However, there are general-purpose mechanisms that can be used
+with GRUB.
+
+@section Signing GRUB for UEFI secure boot
+
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
+with a tool such as @command{pesign} or @command{sbsign}. It will also be
+necessary to enrol the public key used into a relevant firmware key database.
+
 @node UEFI secure boot and shim
 @section UEFI secure boot and shim support
Appended signatures support, unify GRUB config location and some fixes - Remove -fcf-protection compiler flag to allow i386 builds (law) Related: rhbz#1915452 - Unify GRUB configuration file location across all platforms Related: rhbz#1918817 - Add 'at_keyboard_fallback_set' var to force the set manually (rmetrich) - Add appended signatures support for ppc64le LPAR Secure Boot (daxtens) Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> 2021-02-08 19:01:52 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Daniel Axtens <dja@axtens.net>`
			`Date: Sat, 15 Aug 2020 02:00:57 +1000`
			`Subject: [PATCH] docs/grub: Document signing grub under UEFI`

			`Before adding information about how grub is signed with an appended`
			`signature scheme, it's worth adding some information about how it`
			`can currently be signed for UEFI.`

			`(adjusted from upstream - s/grub/grub2/ in the docs)`
			`Signed-off-by: Daniel Axtens <dja@axtens.net>`
			`---`
			`docs/grub.texi \| 19 ++++++++++++++++++-`
			`1 file changed, 18 insertions(+), 1 deletion(-)`

			`diff --git a/docs/grub.texi b/docs/grub.texi`
			`index 085b9974cc5..abb1d0fae54 100644`
			`--- a/docs/grub.texi`
			`+++ b/docs/grub.texi`
			`@@ -5645,6 +5645,7 @@ environment variables and commands are listed in the same order.`
			`@menu`
			`* Authentication and authorisation:: Users and access control`
			`* Using digital signatures:: Booting digitally signed code`
			`+* Signing GRUB itself:: Ensuring the integrity of the GRUB core image`
			`* UEFI secure boot and shim:: Booting digitally signed PE files`
			`* Measured Boot:: Measuring boot components`
			`@end menu`
			`@@ -5724,7 +5725,7 @@ commands.`

			`GRUB's @file{core.img} can optionally provide enforcement that all files`
			`subsequently read from disk are covered by a valid digital signature.`
			`-This document does @strong{not} cover how to ensure that your`
			`+This section does @strong{not} cover how to ensure that your`
			`platform's firmware (e.g., Coreboot) validates @file{core.img}.`

			`If environment variable @code{check_signatures}`
			`@@ -5809,6 +5810,22 @@ or BIOS) configuration to cause the machine to boot from a different`
			`(attacker-controlled) device. GRUB is at best only one link in a`
			`secure boot chain.`

			`+@node Signing GRUB itself`
			`+@section Signing GRUB itself`
			`+`
			`+To ensure a complete secure-boot chain, there must be a way for the code that`
			`+loads GRUB to verify the integrity of the core image.`
			`+`
			`+This is ultimately platform-specific and individual platforms can define their`
			`+own mechanisms. However, there are general-purpose mechanisms that can be used`
			`+with GRUB.`
			`+`
			`+@section Signing GRUB for UEFI secure boot`
			`+`
			`+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed`
			`+with a tool such as @command{pesign} or @command{sbsign}. It will also be`
			`+necessary to enrol the public key used into a relevant firmware key database.`
			`+`
			`@node UEFI secure boot and shim`
			`@section UEFI secure boot and shim support`