GRUB’s core.img can optionally provide enforcement that all files subsequently read from disk are covered by a valid digital signature. This document does not cover how to ensure that your platform’s firmware (e.g., Coreboot) validates core.img.
If environment variable
(see check_signatures) is set to
enforce, then every
attempt by the GRUB core.img to load another file foo
verify_detached foo foo.sig
foo.sig must contain a valid
digital signature over the contents of
foo, which can be
verified with a public key currently trusted by GRUB
(see list_trusted, see trust, and see distrust). If
validation fails, then file foo cannot be opened. This failure
may halt or otherwise impact the boot process.
An initial trusted public key can be embedded within the GRUB core.img
--pubkey option to
(see Invoking grub-install).
GRUB uses GPG-style detached signatures (meaning that a file foo.sig will be produced when file foo is signed), and currently supports the DSA and RSA signing algorithms. A signing key can be generated as follows:
An individual file can be signed as follows:
gpg --detach-sign /path/to/file
For successful validation of all of GRUB’s subcomponents and the
loaded OS kernel, they must all be signed. One way to accomplish this
is the following (after having already produced the desired
grub.cfg file, e.g., by running
(see Invoking grub-mkconfig):
# Edit /dev/shm/passphrase.txt to contain your signing key's passphrase for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \ -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \ -name "grubenv"`; do gpg --batch --detach-sign --passphrase-fd 0 $i < \ /dev/shm/passphrase.txt done shred /dev/shm/passphrase.txt
See also: check_signatures, verify_detached, trust, list_trusted, distrust, load_env, save_env.
Note that internally signature enforcement is controlled by setting
the environment variable
check_signatures equal to
enforce. Passing one or more
--pubkey options to
grub-mkimage implicitly defines
enforce in core.img prior to processing any
Note that signature checking does not prevent an attacker with (serial, physical, ...) console access from dropping manually to the GRUB console and executing:
To prevent this, password-protection (see Authentication and authorisation) is essential. Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine’s firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain.