grub: Using digital signatures
19.2 Using digital signatures in GRUB
=====================================
GRUB's ‘core.img’ can optionally provide enforcement that all files
subsequently read from disk are covered by a valid digital signature.
This document does *not* cover how to ensure that your platform's
firmware (e.g., Coreboot) validates ‘core.img’.
If environment variable ‘check_signatures’ (⇒check_signatures)
is set to ‘enforce’, then every attempt by the GRUB ‘core.img’ to load
another file ‘foo’ implicitly invokes ‘verify_detached foo foo.sig’
(⇒verify_detached). ‘foo.sig’ must contain a valid digital
signature over the contents of ‘foo’, which can be verified with a
public key currently trusted by GRUB (⇒list_trusted, ⇒
trust, and ⇒distrust). If validation fails, then file ‘foo’
cannot be opened. This failure may halt or otherwise impact the boot
process.
An initial trusted public key can be embedded within the GRUB
‘core.img’ using the ‘--pubkey’ option to ‘grub-install’ (⇒Invoking
grub-install).
GRUB uses GPG-style detached signatures (meaning that a file
‘foo.sig’ will be produced when file ‘foo’ is signed), and currently
supports the DSA and RSA signing algorithms. A signing key can be
generated as follows:
    gpg --gen-key
An individual file can be signed as follows:
    gpg --detach-sign /path/to/file
For successful validation of all of GRUB's subcomponents and the
loaded OS kernel, they must all be signed. One way to accomplish this
is the following (after having already produced the desired ‘grub.cfg’
file, e.g., by running ‘grub-mkconfig’ (⇒Invoking grub-mkconfig)):
    # Edit /dev/shm/passphrase.txt to contain your signing key's passphrase
    for i in $(find /boot -name "*.cfg" -or -name "*.lst" -or \
               -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
               -name "grubenv");
    do
        gpg --batch --detach-sign --passphrase-fd 0 "$i" < \
            /dev/shm/passphrase.txt
    done
    shred /dev/shm/passphrase.txt
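Because a single unsigned file on the list above is enough to stop the boot under ‘enforce’, it helps to audit the tree before rebooting. The following script is an added example (not part of the GRUB manual): it walks a boot directory with the same name patterns as the signing loop, reports every file that has no companion ‘.sig’, and builds a small constructed sample tree (hypothetical file names) so it can be run offline. It checks only that a signature file is present; whether it verifies is what ‘verify_detached’ (or ‘gpg --verify foo.sig foo’) decides.

```shell
#!/bin/sh
# Added example, not from the GRUB manual: audit a boot tree for files that
# GRUB would open under check_signatures=enforce but that have no detached
# foo.sig beside them. Presence only; validity is left to verify_detached.

# Print every matching file under $1 that lacks a companion .sig file.
find_unsigned() {
    find "$1" -type f \( -name "*.cfg" -o -name "*.lst" -o -name "*.mod" \
        -o -name "vmlinuz*" -o -name "initrd*" -o -name "grubenv" \) \
        ! -name "*.sig" -print |
    while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Exit status 0 when every matching file is signed, 1 otherwise.
audit_boot() {
    n=$(find_unsigned "$1" | wc -l | tr -d ' ')
    if [ "$n" -ne 0 ]; then
        echo "$n file(s) under $1 have no .sig; GRUB will refuse to load them" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree (hypothetical names) so the check runs offline:
# grub.cfg and normal.mod carry a .sig, the kernel and initrd do not.
make_sample_boot() {
    mkdir -p "$1/grub/i386-pc"
    printf 'set timeout=5\n' > "$1/grub/grub.cfg"
    printf 'fake sig\n'      > "$1/grub/grub.cfg.sig"
    printf 'fake mod\n'      > "$1/grub/i386-pc/normal.mod"
    printf 'fake sig\n'      > "$1/grub/i386-pc/normal.mod.sig"
    printf 'fake kernel\n'   > "$1/vmlinuz-6.1.0"
    printf 'fake initrd\n'   > "$1/initrd.img-6.1.0"
}

# Stand-alone run: build the sample tree, list the gaps, audit, clean up.
tmp=$(mktemp -d)
make_sample_boot "$tmp"
find_unsigned "$tmp"
audit_boot "$tmp" || echo "audit failed, as expected for the sample tree"
rm -rf "$tmp"
```

Point ‘audit_boot’ at the real ‘/boot’ after running the signing loop; a non-zero exit means at least one file would be refused by GRUB.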
See also: ⇒check_signatures, ⇒verify_detached, ⇒trust, ⇒list_trusted,
⇒distrust, ⇒load_env, ⇒save_env.
Note that internally signature enforcement is controlled by setting
the environment variable ‘check_signatures’ equal to ‘enforce’. Passing
one or more ‘--pubkey’ options to ‘grub-mkimage’ implicitly defines
‘check_signatures’ equal to ‘enforce’ in ‘core.img’ prior to processing
any configuration files.
Note that signature checking does *not* prevent an attacker with
(serial, physical, ...) console access from dropping manually to the
GRUB console and executing:
    set check_signatures=no
To prevent this, password-protection (⇒Authentication and
authorisation) is essential. Note that even with GRUB password
protection, GRUB itself cannot prevent someone with physical access to
the machine from altering that machine's firmware (e.g., Coreboot or
BIOS) configuration to cause the machine to boot from a different
(attacker-controlled) device. GRUB is at best only one link in a secure
boot chain.