How to query EFI signature
It depends on what kind of signature you're talking about. If you have an EFI system, you can have signed EFI executables (*.efi) and force your EFI firmware to only execute those with a known signature. This is known as Secure Boot. To check an EFI binary for a signature you can use the tool sbverify:
    $ sbverify --no-verify signed-binary.efi
    Signature verification OK
    $ sbverify --no-verify unsigned-binary.efi
    No signature table present
    Unable to read signature data from unsigned-binary.efi
    Signature verification failed
Unfortunately I didn't see an easy way of extracting and displaying the EFI signature. :(
What's more likely what you are looking for is GRUB's own ability to check its modules and kernels to be booted for valid signatures (Secure Boot just affects the GRUB binary itself; everything GRUB loads does not necessarily need to be EFI-signed). Those are (as far as I understand) plain old detached GPG signatures (so for example for a kernel called vmlinuz-1.2.3 you'd have a file vmlinuz-1.2.3.sig with the signature). Those can simply be displayed and verified with
    $ gpg --verify vmlinuz-1.2.3.sig vmlinuz-1.2.3
    gpg: Signature made Tue Apr 1 12:34:56 2014 CEST using RSA key ID d3adb33f
    gpg: Good signature from "John Doe <[email protected]>"
If you don't have a *.sig file for your kernel, it is obviously not signed.
You can disable signature checking in GRUB by entering set check_signature=no at the GRUB command prompt. You can get more information on that topic here (this functionality is rather new and the official GRUB website only has the manual for version 2.00 online, which lacks this feature). This also explains how to sign your modules and kernel with your own key and to tell GRUB about it.