From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.joursoir.net (smtp.joursoir.net [91.192.102.115]) by mx.groups.io with SMTP id smtpd.web11.29582.1686862325107702459 for ; Thu, 15 Jun 2023 13:52:05 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: joursoir.net, ip: 91.192.102.115, mailfrom: chat@joursoir.net) Received: from reeva (unknown [5.152.6.46]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp.joursoir.net (Postfix) with ESMTPSA id 04D89411DD; Thu, 15 Jun 2023 23:51:57 +0300 (MSK) Date: Fri, 16 Jun 2023 00:51:55 +0400 From: "Joursoir" To: devel@edk2.groups.io Cc: Ard Biesheuvel , Jiewen Yao , Jordan Justen , Gerd Hoffmann , Rebecca Cran Subject: Re: [edk2-devel] [PATCH] OvmfPkg/README: Document Secure Boot Message-ID: <20230616005155.275150a1@reeva> In-Reply-To: <1765BEFF9799FDDB.7352@groups.io> References: <1765BEFF9799FDDB.7352@groups.io> X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit +cc to maintainers On Sat, 3 Jun 2023 01:44:40 +0400 "Joursoir" wrote: > Add the new section for Secure Boot. > > Signed-off-by: Alexander Goncharov > --- > OvmfPkg/README | 36 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 36 insertions(+) > > diff --git a/OvmfPkg/README b/OvmfPkg/README > index 0a408abf01..e106e19818 100644 > --- a/OvmfPkg/README > +++ b/OvmfPkg/README > @@ -120,6 +120,42 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom > /path/to/disk-image.iso To build a 32-bit OVMF without debug messages > using GCC 4.8: $ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48 > > +=== Secure Boot === > + > +Secure Boot is a security feature that ensures only trusted and > digitally +signed software is allowed to run during the boot process. > + > +* In order to support Secure Boot, OVMF must be built with the > + "-D SECURE_BOOT_ENABLE" option. > + > +* By default, OVMF is not shipped with any SecureBoot keys installed. > The user > + need to install them with "Secure Boot Configuration" utility in > the firmware > + UI, or enroll the default UEFI keys using the > OvmfPkg/EnrollDefaultKeys app. + > + For the EnrollDefaultKeys application, the hypervisor is expected > to add a > + string entry to the "OEM Strings" (Type 11) SMBIOS table. The > string should > + have the following format: > + > + 4e32566d-8e9e-4f52-81d3-5bb9715f9727: first KEK> + > + Such string can be generated with the following script, for > example: + > + sed \ > + -e 's/^-----BEGIN > CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \ > + -e '/^-----END CERTIFICATE-----$/d' \ > + PkKek1.pem \ > + | tr -d '\n' \ > + > PkKek1.oemstr > + > + - Using QEMU 5.2 or later, the SMBIOS type 11 field can be > specified from a > + file: > + > + -smbios type=11,path=PkKek1.oemstr \ > + > + - Using QEMU 5.1 or earlier, the string has to be passed as a > value: + > + -smbios type=11,value="$(< PkKek1.oemstr)" > + > === SMM support === > > Requirements: -- Joursoir