Date: Wed, 9 Aug 2023 13:37:29 +0300
From: "Joursoir"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Jiewen Yao, Jordan Justen, Rebecca Cran, "Gerd Hoffmann"
Subject: Re: [edk2-devel] [PATCH v2 1/1] OvmfPkg/README: Document Secure Boot
Message-ID: <20230809133729.70e1fa17@reeva>
In-Reply-To: <176D419C880552C9.377@groups.io>
References: <176D419C880552C9.377@groups.io>

ping. Is anyone interested in reviewing this patch?

On Fri, 30 Jun 2023 02:26:03 +0400 "Joursoir" wrote:
> Add the new section for Secure Boot.
>
> Signed-off-by: Alexander Goncharov
> ---
> OvmfPkg/README | 40 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 40 insertions(+)
>
> diff --git a/OvmfPkg/README b/OvmfPkg/README
> index 0a408abf01..a5b447dae3 100644
> --- a/OvmfPkg/README
> +++ b/OvmfPkg/README
> @@ -120,6 +120,46 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom > /path/to/disk-image.iso To build a 32-bit OVMF without debug messages > using GCC 4.8: $ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48 > =20 > +=3D=3D=3D Secure Boot =3D=3D=3D > + > +Secure Boot is a security feature that ensures only trusted and > digitally +signed software is allowed to run during the boot process. > This is achieved +by storing Secure Boot keys in UEFI Variables, as > result it can be easily +bypassed by writing directly to the flash > varstore. To avoid this situation, +it's necessary to make the > varstore with SB keys read-only and/or provide an +isolated execution > environment for flash access (such as SMM). + > +* In order to support Secure Boot, OVMF must be built with the > + "-D SECURE_BOOT_ENABLE" option. > + > +* By default, OVMF is not shipped with any SecureBoot keys > installed. The user > + need to install them with "Secure Boot Configuration" utility in > the firmware > + UI, or enroll the default UEFI keys using the > OvmfPkg/EnrollDefaultKeys app. + > + For the EnrollDefaultKeys application, the hypervisor is expected > to add a > + string entry to the "OEM Strings" (Type 11) SMBIOS table. 
The > string should > + have the following format: > + > + 4e32566d-8e9e-4f52-81d3-5bb9715f9727: and first KEK> + > + Such string can be generated with the following script, for > example: + > + sed \ > + -e 's/^-----BEGIN > CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \ > + -e '/^-----END CERTIFICATE-----$/d' \ > + PkKek1.pem \ > + | tr -d '\n' \ > + > PkKek1.oemstr > + > + - Using QEMU 5.2 or later, the SMBIOS type 11 field can be > specified from a > + file: > + > + -smbios type=3D11,path=3DPkKek1.oemstr \ > + > + - Using QEMU 5.1 or earlier, the string has to be passed as a > value: + > + -smbios type=3D11,value=3D"$(< PkKek1.oemstr)" > + > =3D=3D=3D SMM support =3D=3D=3D > =20 > Requirements:
-- 
Joursoir

View/Reply Online (#107653): https://edk2.groups.io/g/devel/message/107653
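Review bot: the opening paragraph of the hunk presents "make the varstore with SB keys read-only" and "provide an isolated execution environment for flash access (such as SMM)" as interchangeable ("and/or"), but they are not: a read-only varstore cannot take the variable writes that the very next bullet depends on (enrolling keys through the "Secure Boot Configuration" utility or with OvmfPkg/EnrollDefaultKeys), so the keys would have to be enrolled before the flash is made read-only, whereas SMM keeps the varstore writable by the firmware while blocking direct writes from the guest OS. Suggest naming SMM as the mitigation that preserves the enrollment flow and cross-referencing the "=== SMM support ===" section that directly follows this one, and describing read-only flash only as an option once the keys are already in place. Two smaller points in the same hunk: "$(< PkKek1.oemstr)" in the QEMU 5.1 example is a bash-only construct, so either state that the command line assumes bash or use "$(cat PkKek1.oemstr)", which works in any POSIX shell; and the sed patterns anchor on "$", so a PkKek1.pem with CRLF line endings would leave the BEGIN/END markers untouched, which is worth a sentence since the resulting string would be silently wrong. Grammar: "The user need to install them" should read "The user needs to install them", "Such string can be generated" should read "Such a string can be generated", and "SecureBoot keys" should use the "Secure Boot" spelling the rest of the section uses.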