82 lines
3.1 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Wed, 19 Nov 2025 14:17:51 +0100
Subject: [PATCH] docs: fix duplicated entries
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
docs/grub.texi | 60 ----------------------------------------------------------
1 file changed, 60 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index e4f36df..9f5eb68 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -7025,66 +7025,6 @@ GRUB will be restricted and some operations/commands cannot be executed.
The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
Otherwise it does not exit.
-@node Signing GRUB itself
-@section Signing GRUB itself
-
-To ensure a complete secure-boot chain, there must be a way for the code that
-loads GRUB to verify the integrity of the core image.
-
-This is ultimately platform-specific and individual platforms can define their
-own mechanisms. However, there are general-purpose mechanisms that can be used
-with GRUB.
-
-@section Signing GRUB for UEFI secure boot
-
-On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
-with a tool such as @command{pesign} or @command{sbsign}. Refer to the
-suggestions in @pxref{UEFI secure boot and shim} to ensure that the final
-image works under UEFI secure boot and can maintain the secure-boot chain. It
-will also be necessary to enrol the public key used into a relevant firmware
-key database.
-
-@section Signing GRUB with an appended signature
-
-The @file{core.elf} itself can be signed with a Linux kernel module-style
-appended signature.
-
-To support IEEE1275 platforms where the boot image is often loaded directly
-from a disk partition rather than from a file system, the @file{core.elf}
-can specify the size and location of the appended signature with an ELF
-note added by @command{grub-install}.
-
-An image can be signed this way using the @command{sign-file} command from
-the Linux kernel:
-
-@example
-@group
-# grub.key is your private key and certificate.der is your public key
-
-# Determine the size of the appended signature. It depends on the signing
-# certificate and the hash algorithm
-touch empty
-sign-file SHA256 grub.key certificate.der empty empty.sig
-SIG_SIZE=`stat -c '%s' empty.sig`
-rm empty empty.sig
-
-# Build a grub image with $SIG_SIZE reserved for the signature
-grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
-
-# Replace the reserved size with a signature:
-# cut off the last $SIG_SIZE bytes with truncate's minus modifier
-truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned
-# sign the trimmed file with an appended signature, restoring the correct size
-sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
-
-# Don't forget to install the signed image as required
-# (e.g. on powerpc-ieee1275, to the PReP partition)
-@end group
-@end example
-
-As with UEFI secure boot, it is necessary to build in the required modules,
-or sign them separately.
-
@subsection Command line and menuentry editor protection
The TPM key protector provides full disk encryption support on servers or
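Review bot: the hunk deletes the `@node Signing GRUB itself` line and its three `@section` headings, but nothing in the diff shows where the surviving copy lives or what node name it carries, so any `@pxref{Signing GRUB itself}` elsewhere in grub.texi and the matching entry in the parent `@menu` will break the makeinfo build unless the retained copy still defines a node with exactly that name. Please state in the commit message which copy was kept and confirm it is identical to the deleted text, in particular the `touch empty` / `sign-file SHA256 grub.key certificate.der empty empty.sig` size probe and the `truncate -s -$SIG_SIZE ... core.elf.unsigned` / `sign-file SHA256 ... core.elf.signed` sequence, since a diverged copy would silently drop the only documented procedure for producing an appended-signature `core.elf` on IEEE1275 platforms. A passing `makeinfo --no-split docs/grub.texi` (or the tree's documentation build target) is worth recording in the message. Unrelated to the deletion, the unchanged context line `Otherwise it does not exit.` reads like a typo for `exist` and could be fixed in a follow-up.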