From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Nicolas Frayer Date: Wed, 19 Nov 2025 14:17:51 +0100 Subject: [PATCH] docs: fix duplicated entries Signed-off-by: Nicolas Frayer --- docs/grub.texi | 60 ---------------------------------------------------------- 1 file changed, 60 deletions(-) diff --git a/docs/grub.texi b/docs/grub.texi index e4f36df..9f5eb68 100644 --- a/docs/grub.texi +++ b/docs/grub.texi 
@@ -7025,66 +7025,6 @@ GRUB will be restricted and some operations/commands cannot be executed. The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down. Otherwise it does not exit. -@node Signing GRUB itself -@section Signing GRUB itself - -To ensure a complete secure-boot chain, there must be a way for the code that -loads GRUB to verify the integrity of the core image. - -This is ultimately platform-specific and individual platforms can define their -own mechanisms. However, there are general-purpose mechanisms that can be used -with GRUB. - -@section Signing GRUB for UEFI secure boot - -On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed -with a tool such as @command{pesign} or @command{sbsign}. Refer to the -suggestions in @pxref{UEFI secure boot and shim} to ensure that the final -image works under UEFI secure boot and can maintain the secure-boot chain. It -will also be necessary to enrol the public key used into a relevant firmware -key database. - -@section Signing GRUB with an appended signature - -The @file{core.elf} itself can be signed with a Linux kernel module-style -appended signature. - -To support IEEE1275 platforms where the boot image is often loaded directly -from a disk partition rather than from a file system, the @file{core.elf} -can specify the size and location of the appended signature with an ELF -note added by @command{grub-install}. - -An image can be signed this way using the @command{sign-file} command from -the Linux kernel: - -@example -@group -# grub.key is your private key and certificate.der is your public key - -# Determine the size of the appended signature. It depends on the signing -# certificate and the hash algorithm -touch empty -sign-file SHA256 grub.key certificate.der empty empty.sig -SIG_SIZE=`stat -c '%s' empty.sig` -rm empty empty.sig - -# Build a grub image with $SIG_SIZE reserved for the signature -grub-install --appended-signature-size $SIG_SIZE --modules="..." ... 
- -# Replace the reserved size with a signature: -# cut off the last $SIG_SIZE bytes with truncate's minus modifier -truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned -# sign the trimmed file with an appended signature, restoring the correct size -sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed - -# Don't forget to install the signed image as required -# (e.g. on powerpc-ieee1275, to the PReP partition) -@end group -@end example - -As with UEFI secure boot, it is necessary to build in the required modules, -or sign them separately. - @subsection Command line and menuentry editor protection The TPM key protector provides full disk encryption support on servers or
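Review bot: The commit message says "fix duplicated entries" but neither it nor the hunk shows where the surviving copy of "Signing GRUB itself" (and its three @section subsections) lives, so please name the retained node or its location in the message so the duplication claim can be checked, and confirm that no @menu entry, @ref or @pxref anywhere in docs/grub.texi still points at the deleted @node "Signing GRUB itself", since a dangling node reference makes makeinfo fail on the whole manual. Also worth checking the trailing context: after the deletion, "@subsection Command line and menuentry editor protection" now follows directly from the lockdown paragraph, so verify that the preceding @section is still the heading it should sit under rather than the removed "Signing GRUB with an appended signature". Minor and unrelated to this change, but visible in the unchanged context: "Otherwise it does not exit." reads as a typo for "does not exist" and could be fixed in a follow-up.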