* Re: [edk2-devel] [PATCH v2 1/1] OvmfPkg/README: Document Secure Boot
[not found] <176D419C880552C9.377@groups.io>
@ 2023-08-09 10:37 ` Joursoir
0 siblings, 0 replies; 2+ messages in thread
From: Joursoir @ 2023-08-09 10:37 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, Jiewen Yao, Jordan Justen, Rebecca Cran,
Gerd Hoffmann
ping. Is anyone interested in reviewing this patch?
On Fri, 30 Jun 2023 02:26:03 +0400
"Joursoir" <chat@joursoir.net> wrote:
> Add the new section for Secure Boot.
>
> Signed-off-by: Alexander Goncharov <chat@joursoir.net>
> ---
> OvmfPkg/README | 40 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 40 insertions(+)
>
> diff --git a/OvmfPkg/README b/OvmfPkg/README
> index 0a408abf01..a5b447dae3 100644
> --- a/OvmfPkg/README
> +++ b/OvmfPkg/README
> @@ -120,6 +120,46 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom
> /path/to/disk-image.iso To build a 32-bit OVMF without debug messages
> using GCC 4.8: $ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48
>
> +=== Secure Boot ===
> +
> +Secure Boot is a security feature that ensures only trusted and
> digitally +signed software is allowed to run during the boot process.
> This is achieved +by storing Secure Boot keys in UEFI Variables, as
> result it can be easily +bypassed by writing directly to the flash
> varstore. To avoid this situation, +it's necessary to make the
> varstore with SB keys read-only and/or provide an +isolated execution
> environment for flash access (such as SMM). +
> +* In order to support Secure Boot, OVMF must be built with the
> + "-D SECURE_BOOT_ENABLE" option.
> +
> +* By default, OVMF is not shipped with any SecureBoot keys
> installed. The user
> + need to install them with "Secure Boot Configuration" utility in
> the firmware
> + UI, or enroll the default UEFI keys using the
> OvmfPkg/EnrollDefaultKeys app. +
> + For the EnrollDefaultKeys application, the hypervisor is expected
> to add a
> + string entry to the "OEM Strings" (Type 11) SMBIOS table. The
> string should
> + have the following format:
> +
> + 4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK
> and first KEK> +
> + Such string can be generated with the following script, for
> example: +
> + sed \
> + -e 's/^-----BEGIN
> CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
> + -e '/^-----END CERTIFICATE-----$/d' \
> + PkKek1.pem \
> + | tr -d '\n' \
> + > PkKek1.oemstr
> +
> + - Using QEMU 5.2 or later, the SMBIOS type 11 field can be
> specified from a
> + file:
> +
> + -smbios type=11,path=PkKek1.oemstr \
> +
> + - Using QEMU 5.1 or earlier, the string has to be passed as a
> value: +
> + -smbios type=11,value="$(< PkKek1.oemstr)"
> +
> === SMM support ===
>
> Requirements:
--
Joursoir
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107653): https://edk2.groups.io/g/devel/message/107653
Mute This Topic: https://groups.io/mt/100640076/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH v2 1/1] OvmfPkg/README: Document Secure Boot
@ 2023-06-29 22:26 Joursoir
2023-07-04 7:28 ` Gerd Hoffmann
0 siblings, 1 reply; 2+ messages in thread
From: Joursoir @ 2023-06-29 22:26 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, Jiewen Yao, Jordan Justen, Rebecca Cran,
Gerd Hoffmann
Add the new section for Secure Boot.
Signed-off-by: Alexander Goncharov <chat@joursoir.net>
---
OvmfPkg/README | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/OvmfPkg/README b/OvmfPkg/README
index 0a408abf01..a5b447dae3 100644
--- a/OvmfPkg/README
+++ b/OvmfPkg/README
@@ -120,6 +120,46 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom /path/to/disk-image.iso
To build a 32-bit OVMF without debug messages using GCC 4.8:
$ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48
+=== Secure Boot ===
+
+Secure Boot is a security feature that ensures only trusted and digitally
+signed software is allowed to run during the boot process. This is achieved
+by storing Secure Boot keys in UEFI Variables, as result it can be easily
+bypassed by writing directly to the flash varstore. To avoid this situation,
+it's necessary to make the varstore with SB keys read-only and/or provide an
+isolated execution environment for flash access (such as SMM).
+
+* In order to support Secure Boot, OVMF must be built with the
+ "-D SECURE_BOOT_ENABLE" option.
+
+* By default, OVMF is not shipped with any SecureBoot keys installed. The user
+ need to install them with "Secure Boot Configuration" utility in the firmware
+ UI, or enroll the default UEFI keys using the OvmfPkg/EnrollDefaultKeys app.
+
+ For the EnrollDefaultKeys application, the hypervisor is expected to add a
+ string entry to the "OEM Strings" (Type 11) SMBIOS table. The string should
+ have the following format:
+
+ 4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK and first KEK>
+
+ Such string can be generated with the following script, for example:
+
+ sed \
+ -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
+ -e '/^-----END CERTIFICATE-----$/d' \
+ PkKek1.pem \
+ | tr -d '\n' \
+ > PkKek1.oemstr
+
+ - Using QEMU 5.2 or later, the SMBIOS type 11 field can be specified from a
+ file:
+
+ -smbios type=11,path=PkKek1.oemstr \
+
+ - Using QEMU 5.1 or earlier, the string has to be passed as a value:
+
+ -smbios type=11,value="$(< PkKek1.oemstr)"
+
=== SMM support ===
Requirements:
--
2.41.0
--
Joursoir
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2 1/1] OvmfPkg/README: Document Secure Boot
2023-06-29 22:26 Joursoir
@ 2023-07-04 7:28 ` Gerd Hoffmann
2023-09-07 13:48 ` [edk2-devel] " Ard Biesheuvel
0 siblings, 1 reply; 2+ messages in thread
From: Gerd Hoffmann @ 2023-07-04 7:28 UTC (permalink / raw)
To: Joursoir; +Cc: devel, Ard Biesheuvel, Jiewen Yao, Jordan Justen, Rebecca Cran
On Fri, Jun 30, 2023 at 02:26:03AM +0400, Joursoir wrote:
> Add the new section for Secure Boot.
>
> Signed-off-by: Alexander Goncharov <chat@joursoir.net>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
take care,
Gerd
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] OvmfPkg/README: Document Secure Boot
2023-07-04 7:28 ` Gerd Hoffmann
@ 2023-09-07 13:48 ` Ard Biesheuvel
0 siblings, 0 replies; 2+ messages in thread
From: Ard Biesheuvel @ 2023-09-07 13:48 UTC (permalink / raw)
To: Gerd Hoffmann
Cc: Joursoir, devel, Ard Biesheuvel, Jiewen Yao, Jordan Justen,
Rebecca Cran
On Tue, 4 Jul 2023 at 09:28, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> On Fri, Jun 30, 2023 at 02:26:03AM +0400, Joursoir wrote:
> > Add the new section for Secure Boot.
> >
> > Signed-off-by: Alexander Goncharov <chat@joursoir.net>
>
> Acked-by: Gerd Hoffmann <kraxel@redhat.com>
>
Thanks all
Queued as #4800
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108389): https://edk2.groups.io/g/devel/message/108389
Mute This Topic: https://groups.io/mt/99860809/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-09-07 13:48 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <176D419C880552C9.377@groups.io>
2023-08-09 10:37 ` [edk2-devel] [PATCH v2 1/1] OvmfPkg/README: Document Secure Boot Joursoir
2023-06-29 22:26 Joursoir
2023-07-04 7:28 ` Gerd Hoffmann
2023-09-07 13:48 ` [edk2-devel] " Ard Biesheuvel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox