Digital Signature

GRUB’s core.img can optionally provide enforcement that all files subsequently read from disk are covered by a valid digital signature. This document does not cover how to ensure that your platform’s firmware (e.g., Coreboot) validates core.img.

Create

If environment variable check_signatures is set to enforce, then every attempt by the GRUB core.img to load another file foo implicitly invokes verify_detached foo foo.sig. foo.sig must contain a valid digital signature over the contents of foo, which can be verified with a public key currently trusted by GRUB. If the validation fails, then the file foo cannot be opened. This failure may even halt or otherwise impact the boot process.

Create Detached Signature

GRUB uses GPG-style detached signatures (meaning that a file foo.sig will be produced when file foo is signed), and currently supports the DSA and RSA signing algorithms. A signing key can be generated as follows:

gpg --gen-key

An individual file can be signed as follows:

gpg --detach-sign /path/to/file

For successful validation of all of GRUB’s subcomponents and the loaded OS kernel, they must all be signed. One way to accomplish this is the following (after having already produced the desired grub.cfg file, e.g., by running grub-mkconfig:

# Edit /path/to/passphrase.txt to contain your signing key's passphrase

for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \

        -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \

        -name "grubenv"`;

do

        gpg --batch --detach-sign --passphrase-fd 0 $i < \

        /path/to/passphrase.txt

done

shred /path/to/passphrase.txt

Verify

You can use:

• check_signatures - check all files
• verify_detached - for single file verification
• trust
• list_trusted
• distrust
• load_env
• save_env

Note that internally signature enforcement is controlled by setting the environment variable check_signatures equal to enforce. Passing one or more --pubkey options to grub-mkimage implicitly defines check_signatures equal to enforce in core.img prior to processing any configuration files.

For File Integrity Checking Use Only

Note that signature checking does not prevent an attacker with (serial, physical, ...) console access from dropping manually to the GRUB console and executing:

set check_signatures=no

To prevent this, we use GRUB identity access management.