From: "Joursoir" <chat@joursoir.net>
To: devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
Jiewen Yao <jiewen.yao@intel.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Rebecca Cran <rebecca@bsdio.com>,
"Gerd Hoffmann" <kraxel@redhat.com>
Subject: [PATCH v2 1/1] OvmfPkg/README: Document Secure Boot
Date: Fri, 30 Jun 2023 02:26:03 +0400 [thread overview]
Message-ID: <20230630022603.0067d5ac@reeva> (raw)
Add the new section for Secure Boot.
Signed-off-by: Alexander Goncharov <chat@joursoir.net>
---
OvmfPkg/README | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/OvmfPkg/README b/OvmfPkg/README
index 0a408abf01..a5b447dae3 100644
--- a/OvmfPkg/README
+++ b/OvmfPkg/README
@@ -120,6 +120,46 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom /path/to/disk-image.iso
To build a 32-bit OVMF without debug messages using GCC 4.8:
$ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48
+=== Secure Boot ===
+
+Secure Boot is a security feature that ensures only trusted and digitally
+signed software is allowed to run during the boot process. This is achieved
+by storing Secure Boot keys in UEFI Variables, as result it can be easily
+bypassed by writing directly to the flash varstore. To avoid this situation,
+it's necessary to make the varstore with SB keys read-only and/or provide an
+isolated execution environment for flash access (such as SMM).
+
+* In order to support Secure Boot, OVMF must be built with the
+ "-D SECURE_BOOT_ENABLE" option.
+
+* By default, OVMF is not shipped with any SecureBoot keys installed. The user
+ need to install them with "Secure Boot Configuration" utility in the firmware
+ UI, or enroll the default UEFI keys using the OvmfPkg/EnrollDefaultKeys app.
+
+ For the EnrollDefaultKeys application, the hypervisor is expected to add a
+ string entry to the "OEM Strings" (Type 11) SMBIOS table. The string should
+ have the following format:
+
+ 4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK and first KEK>
+
+ Such string can be generated with the following script, for example:
+
+ sed \
+ -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
+ -e '/^-----END CERTIFICATE-----$/d' \
+ PkKek1.pem \
+ | tr -d '\n' \
+ > PkKek1.oemstr
+
+ - Using QEMU 5.2 or later, the SMBIOS type 11 field can be specified from a
+ file:
+
+ -smbios type=11,path=PkKek1.oemstr \
+
+ - Using QEMU 5.1 or earlier, the string has to be passed as a value:
+
+ -smbios type=11,value="$(< PkKek1.oemstr)"
+
=== SMM support ===
Requirements:
--
2.41.0
--
Joursoir
next reply other threads:[~2023-06-29 22:26 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-29 22:26 Joursoir [this message]
2023-07-04 7:28 ` [PATCH v2 1/1] OvmfPkg/README: Document Secure Boot Gerd Hoffmann
2023-09-07 13:48 ` [edk2-devel] " Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230630022603.0067d5ac@reeva \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox