Digital Signature
GRUB’s core.img can optionally provide enforcement that all files subsequently read from disk are covered by a valid digital signature. This document does not cover how to ensure that your platform’s firmware (e.g., Coreboot) validates core.img.
Create
If the environment variable check_signatures is set to enforce, then every attempt by the GRUB core.img to load another file foo implicitly invokes verify_detached foo foo.sig. foo.sig must contain a valid digital signature over the contents of foo, which can be verified with a public key currently trusted by GRUB. If the validation fails, then the file foo cannot be opened. This failure may even halt or otherwise impact the boot process.
Create Detached Signature
GRUB uses GPG-style detached signatures (meaning that a file foo.sig will be produced when file foo is signed), and currently supports the DSA and RSA signing algorithms. A signing key can be generated as follows:
gpg --gen-key
An individual file can be signed as follows:
gpg --detach-sign /path/to/file
For successful validation of all of GRUB’s subcomponents and the loaded OS kernel, they must all be signed. One way to accomplish this is the following (after having already produced the desired grub.cfg file, e.g., by running grub-mkconfig):
# Edit /path/to/passphrase.txt to contain your signing key's passphrase.
# Every file GRUB will load (config, module lists, modules, kernel, initrd,
# environment block) gets a detached foo.sig next to it. Existing .sig files
# are excluded so that "vmlinuz*" does not match vmlinuz-*.sig on a re-run.
for i in $(find /boot \( -name "*.cfg" -or -name "*.lst" -or \
-name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
-name "grubenv" \) ! -name "*.sig");
do
gpg --batch --detach-sign --passphrase-fd 0 "$i" < \
/path/to/passphrase.txt
done
# The passphrase file is no longer needed; overwrite it rather than just unlinking it.
shred /path/to/passphrase.txt
Verify
You can use:
- check_signatures - environment variable; when set to enforce, every file GRUB loads is checked
- verify_detached - verify a single file against its detached signature
- trust - add a public key file to the keys GRUB trusts
- list_trusted - list the currently trusted public keys
- distrust - remove a public key from the trusted keys
- load_env - load the environment block (grubenv), which must itself be signed
- save_env - save the environment block; rewriting grubenv invalidates its existing signature
Note that internally signature enforcement is controlled by setting the environment variable check_signatures equal to enforce. Passing one or more --pubkey options to grub-mkimage implicitly defines check_signatures equal to enforce in core.img prior to processing any configuration files.
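Because a single missing or invalid foo.sig makes GRUB refuse to open foo and can stop the boot, it pays to run the same check GRUB's verify_detached will perform before rebooting. The script below is an added example, not code from the GRUB manual: it walks a boot directory with the same file patterns as the signing loop above, lists every GRUB-loaded file that has no detached signature beside it, and optionally runs gpg --verify over each file/signature pair. It assumes gpg is installed on the host and that the host keyring contains the same public key that was embedded in core.img with --pubkey (or added with trust); the directory argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the GRUB manual): pre-reboot audit of a boot
# directory for check_signatures=enforce. Assumes host gpg and a keyring
# holding the same public key that core.img trusts.

# Files GRUB will open during boot, using the same patterns as the signing
# loop. Signature files are excluded so "vmlinuz*" does not match vmlinuz-*.sig.
boot_file_candidates() {
    boot_dir="${1:-/boot}"
    find "$boot_dir" -type f \( -name "*.cfg" -o -name "*.lst" -o -name "*.mod" \
        -o -name "vmlinuz*" -o -name "initrd*" -o -name "grubenv" \) \
        ! -name "*.sig"
}

# Print every candidate file that has no foo.sig next to it. Each line is a
# file GRUB would refuse to open under enforce, i.e. a boot failure found early.
unsigned_boot_files() {
    boot_file_candidates "${1:-/boot}" | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Run gpg over each file/signature pair, mirroring what verify_detached foo
# foo.sig does inside GRUB. Prints MISSING/INVALID lines and returns 1 if any
# file would fail at boot; returns 0 when every candidate verifies.
verify_boot_signatures() {
    failures=$(boot_file_candidates "${1:-/boot}" | while IFS= read -r f; do
        if [ ! -f "$f.sig" ]; then
            printf 'MISSING  %s\n' "$f"
        elif ! gpg --verify "$f.sig" "$f" >/dev/null 2>&1; then
            printf 'INVALID  %s\n' "$f"
        fi
    done)
    [ -z "$failures" ] && return 0
    printf '%s\n' "$failures"
    return 1
}

# Usage: source this file, then
#   unsigned_boot_files /boot        # quick presence check, no gpg needed
#   verify_boot_signatures /boot     # full signature check, exit 1 on any failure
```

A clean run of verify_boot_signatures shows that every signature is well-formed and was made by a key in the host keyring; GRUB, however, only consults the keys embedded with --pubkey or added with trust, so the host keyring and core.img must hold the same public key for the two checks to agree. Remember also that save_env rewrites grubenv, so any boot path that saves the environment needs grubenv re-signed afterwards.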
For File Integrity Checking Use Only
Note that signature checking does not prevent an attacker with (serial, physical, ...) console access from dropping manually to the GRUB console and executing:
set check_signatures=no
To prevent this, we use GRUB identity access management.