public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Joursoir" <chat@joursoir.net>
To: devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Rebecca Cran <rebecca@bsdio.com>
Subject: Re: [edk2-devel] [PATCH] OvmfPkg/README: Document Secure Boot
Date: Fri, 16 Jun 2023 00:51:55 +0400	[thread overview]
Message-ID: <20230616005155.275150a1@reeva> (raw)
In-Reply-To: <1765BEFF9799FDDB.7352@groups.io>

+cc to maintainers

On Sat, 3 Jun 2023 01:44:40 +0400
"Joursoir" <chat@joursoir.net> wrote:

> Add the new section for Secure Boot.
> 
> Signed-off-by: Alexander Goncharov <chat@joursoir.net>
> ---
>  OvmfPkg/README | 36 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 36 insertions(+)
> 
> diff --git a/OvmfPkg/README b/OvmfPkg/README
> index 0a408abf01..e106e19818 100644
> --- a/OvmfPkg/README
> +++ b/OvmfPkg/README
> @@ -120,6 +120,42 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom
> /path/to/disk-image.iso To build a 32-bit OVMF without debug messages
> using GCC 4.8: $ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48
>  
> +=== Secure Boot ===
> +
> +Secure Boot is a security feature that ensures only trusted and
> digitally +signed software is allowed to run during the boot process.
> +
> +* In order to support Secure Boot, OVMF must be built with the
> +  "-D SECURE_BOOT_ENABLE" option.
> +
> +* By default, OVMF is not shipped with any SecureBoot keys installed.
> The user
> +  need to install them with "Secure Boot Configuration" utility in
> the firmware
> +  UI, or enroll the default UEFI keys using the
> OvmfPkg/EnrollDefaultKeys app. +
> +  For the EnrollDefaultKeys application, the hypervisor is expected
> to add a
> +  string entry to the "OEM Strings" (Type 11) SMBIOS table. The
> string should
> +  have the following format:
> +
> +    4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK and
> first KEK> +
> +  Such string can be generated with the following script, for
> example: +
> +    sed \
> +      -e 's/^-----BEGIN
> CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
> +      -e '/^-----END CERTIFICATE-----$/d' \
> +      PkKek1.pem \
> +    | tr -d '\n' \
> +    > PkKek1.oemstr
> +
> +  - Using QEMU 5.2 or later, the SMBIOS type 11 field can be
> specified from a
> +    file:
> +
> +    -smbios type=11,path=PkKek1.oemstr \
> +
> +  - Using QEMU 5.1 or earlier, the string has to be passed as a
> value: +
> +    -smbios type=11,value="$(< PkKek1.oemstr)"
> +
>  === SMM support ===
>  
>  Requirements:

-- 
Joursoir

       reply	other threads:[~2023-06-15 20:52 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <1765BEFF9799FDDB.7352@groups.io>
2023-06-15 20:51 ` Joursoir [this message]
2023-06-19 11:51   ` [edk2-devel] [PATCH] OvmfPkg/README: Document Secure Boot Gerd Hoffmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230616005155.275150a1@reeva \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox