Next: UEFI secure boot and shim, Previous: Authentication and authorisation, Up: Security [Contents][Index]
GRUB’s core.img can optionally provide enforcement that all files subsequently read from disk are covered by a valid digital signature. This document does not cover how to ensure that your platform’s firmware (e.g., Coreboot) validates core.img.
If environment variable check_signatures (see check_signatures) is set to enforce, then every attempt by the GRUB core.img to load another file foo implicitly invokes verify_detached foo foo.sig (see verify_detached). foo.sig must contain a valid digital signature over the contents of foo, which can be verified with a public key currently trusted by GRUB (see list_trusted, see trust, and see distrust). If validation fails, then file foo cannot be opened. This failure may halt or otherwise impact the boot process.
An initial trusted public key can be embedded within the GRUB core.img using the --pubkey option to grub-install (see Invoking grub-install).
GRUB uses GPG-style detached signatures (meaning that a file foo.sig will be produced when file foo is signed), and currently supports the DSA and RSA signing algorithms. A signing key can be generated as follows:
gpg --gen-key
An individual file can be signed as follows:
gpg --detach-sign /path/to/file
For successful validation of all of GRUB’s subcomponents and the loaded OS kernel, they must all be signed. One way to accomplish this is the following (after having already produced the desired grub.cfg file, e.g., by running grub-mkconfig (see Invoking grub-mkconfig)):
# Edit /dev/shm/passphrase.txt to contain your signing key's passphrase
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
          -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
          -name "grubenv"`; do
  gpg --batch --detach-sign --passphrase-fd 0 "$i" < \
    /dev/shm/passphrase.txt
done
shred /dev/shm/passphrase.txt
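Before rebooting with check_signatures set to enforce it is worth auditing the boot tree for files GRUB will refuse to open. The script below is an added example, not part of the GRUB manual: it walks the same file set as the signing loop above and reports every file with no detached .sig beside it, or with a .sig older than the file itself (typically a grub.cfg regenerated by grub-mkconfig but never re-signed). The directory tree it builds is constructed for illustration only.

```shell
#!/bin/sh
# Added example (not GRUB's own tooling): find files that GRUB, with
# check_signatures=enforce, could not open because foo.sig is missing,
# or that are likely stale because foo was modified after foo.sig.
# Prints one line per problem: "missing <file>" or "stale <file>".
audit_boot_signatures() {
    dir=$1
    # Same file patterns as the manual's signing loop; .sig files
    # themselves are excluded (vmlinuz*.sig would otherwise match).
    find "$dir" -type f \( -name "*.cfg" -o -name "*.lst" -o -name "*.mod" \
        -o -name "vmlinuz*" -o -name "initrd*" -o -name "grubenv" \) \
        ! -name "*.sig" | sort | while read -r f; do
        if [ ! -f "$f.sig" ]; then
            echo "missing $f"
        elif [ -n "$(find "$f" -newer "$f.sig")" ]; then
            # mtime heuristic: the file changed after it was signed
            echo "stale $f"
        fi
    done
}

# Constructed sample tree: one correctly signed module, one grub.cfg
# regenerated after it was signed, and one kernel with no signature.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/grub/i386-pc"
    printf 'module\n'  > "$root/grub/i386-pc/normal.mod"
    printf 'sig\n'     > "$root/grub/i386-pc/normal.mod.sig"
    printf 'old sig\n' > "$root/grub/grub.cfg.sig"
    touch -t 202001010000 "$root/grub/grub.cfg.sig"   # signed long ago
    printf 'new cfg\n' > "$root/grub/grub.cfg"         # regenerated since
    printf 'kernel\n'  > "$root/vmlinuz-6.1"           # never signed
    echo "$root"
}

root=$(make_sample_tree)
audit_boot_signatures "$root"
# expected output (paths under the temporary root):
#   stale <root>/grub/grub.cfg
#   missing <root>/vmlinuz-6.1
rm -rf "$root"
```

The mtime comparison is only a heuristic; the authoritative check for any single file is gpg --verify foo.sig foo against the key that GRUB trusts.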
See also: check_signatures, verify_detached, trust, list_trusted, distrust, load_env, save_env.
Note that internally signature enforcement is controlled by setting the environment variable check_signatures equal to enforce. Passing one or more --pubkey options to grub-mkimage implicitly defines check_signatures equal to enforce in core.img prior to processing any configuration files.
Note that signature checking does not prevent an attacker with (serial, physical, ...) console access from dropping manually to the GRUB console and executing:
set check_signatures=no
To prevent this, password-protection (see Authentication and authorisation) is essential. Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine’s firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain.