Read a binary or certificate hash from the file hash_file and add it to GRUB’s internal dbx list of distrusted binary and certificate hashes. When the environment variable check_appended_signatures (see check_appended_signatures) is set to yes, or the append_verify (see append_verify) command is executed from the GRUB console, a binary whose hash matches a distrusted binary hash, or whose signature validates only against a distrusted certificate, may be rejected; this applies to the Linux kernel and to GRUB modules. These hashes are also used to prevent distrusted certificates and binary hashes from being added to the db list later on.
The -b (--binary-hash) option specifies that hash_file contains a binary hash, and -c (--cert-hash) specifies that it contains a certificate hash.

Here is an example of how to generate a SHA-256 hash for a binary and for a certificate file. Each hash is written in raw binary format (32 bytes), not as hex text:

    # The vmlinux (kernel image) file is your binary file, and
    # it should be unsigned. The kernel.der is your certificate file.
    #
    # Generate the cert_hash.bin file from the kernel.der file
    openssl dgst -binary -sha256 -out cert_hash.bin kernel.der
    # Generate the binary_hash.bin file from the vmlinux file
    openssl dgst -binary -sha256 -out binary_hash.bin vmlinux
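As an added illustration (not GRUB's own code), the following Python models the two uses of the dbx list described above: rejecting a binary whose SHA-256 matches a dbx entry when checking is enabled, and refusing to add a dbx-listed hash to db later. The class and method names, the in-memory lists and the 32-byte hash_file length check are assumptions of this model; hashlib.sha256(...).digest() yields the same raw bytes as the openssl -binary command above.

```python
"""Simplified model of GRUB's dbx hash handling (illustration only)."""
import hashlib

HASH_LEN = 32  # raw SHA-256 digest, as written by `openssl dgst -binary -sha256`


def sha256_binary(data: bytes) -> bytes:
    """Raw 32-byte digest, equivalent to the openssl -binary output."""
    return hashlib.sha256(data).digest()


def hash_file_is_valid(raw: bytes) -> bool:
    """A hash_file must be the raw digest; a 64-char hex string is a common
    mistake and would never match any binary, so it is rejected here."""
    return len(raw) == HASH_LEN


class TrustLists:
    """Hypothetical in-memory stand-in for GRUB's db and dbx lists."""

    def __init__(self) -> None:
        self.db: set[bytes] = set()   # trusted binary/certificate hashes
        self.dbx: set[bytes] = set()  # distrusted binary/certificate hashes

    def add_dbx_hash(self, hash_file: bytes) -> None:
        """Model of adding a distrusted hash (the command this page describes)."""
        if not hash_file_is_valid(hash_file):
            raise ValueError(f"hash_file must be {HASH_LEN} raw bytes, got {len(hash_file)}")
        self.dbx.add(hash_file)

    def add_db_hash(self, hash_file: bytes) -> bool:
        """Model of adding a trusted hash later; refused if it is already in dbx."""
        if not hash_file_is_valid(hash_file):
            raise ValueError(f"hash_file must be {HASH_LEN} raw bytes, got {len(hash_file)}")
        if hash_file in self.dbx:
            return False  # distrusted hashes can never be promoted to db
        self.db.add(hash_file)
        return True

    def binary_rejected_by_dbx(self, binary: bytes, check_appended_signatures: bool) -> bool:
        """True when checking is enabled and the binary's hash is distrusted.
        Signature verification against db certificates is outside this model."""
        if not check_appended_signatures:
            return False
        return sha256_binary(binary) in self.dbx


if __name__ == "__main__":
    lists = TrustLists()
    revoked = b"constructed: contents of a revoked vmlinux"  # constructed sample
    lists.add_dbx_hash(sha256_binary(revoked))
    print("rejected:", lists.binary_rejected_by_dbx(revoked, check_appended_signatures=True))
    print("db add refused:", not lists.add_db_hash(sha256_binary(revoked)))
```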
See Using appended signatures in GRUB for more information.