diff options
| author | Joursoir <chat@joursoir.net> | 2023-06-30 02:26:03 +0400 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2023-09-07 14:10:11 +0000 |
| commit | b81557a00c61cc80ab118828f16ed9ce79455880 (patch) | |
| tree | 57ee443eca79060cf3d1cea400fc8cce60f7efe8 | |
| parent | bbf182229587958b17336c114e0a1525c4f90f3d (diff) | |
| download | edk2-b81557a00c61cc80ab118828f16ed9ce79455880.tar.gz edk2-b81557a00c61cc80ab118828f16ed9ce79455880.tar.bz2 edk2-b81557a00c61cc80ab118828f16ed9ce79455880.zip | |
OvmfPkg/README: Document Secure Boot
Add the new section for Secure Boot.
Signed-off-by: Alexander Goncharov <chat@joursoir.net>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
| -rw-r--r-- | OvmfPkg/README | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/OvmfPkg/README b/OvmfPkg/README index 0a408abf01..a5b447dae3 100644 --- a/OvmfPkg/README +++ b/OvmfPkg/README @@ -120,6 +120,46 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom /path/to/disk-image.iso To build a 32-bit OVMF without debug messages using GCC 4.8:
$ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48
+=== Secure Boot ===
+
+Secure Boot is a security feature that ensures only trusted and digitally
+signed software is allowed to run during the boot process. This is achieved
+by storing Secure Boot keys in UEFI Variables, as result it can be easily
+bypassed by writing directly to the flash varstore. To avoid this situation,
+it's necessary to make the varstore with SB keys read-only and/or provide an
+isolated execution environment for flash access (such as SMM).
+
+* In order to support Secure Boot, OVMF must be built with the
+ "-D SECURE_BOOT_ENABLE" option.
+
+* By default, OVMF is not shipped with any SecureBoot keys installed. The user
+ need to install them with "Secure Boot Configuration" utility in the firmware
+ UI, or enroll the default UEFI keys using the OvmfPkg/EnrollDefaultKeys app.
+
+ For the EnrollDefaultKeys application, the hypervisor is expected to add a
+ string entry to the "OEM Strings" (Type 11) SMBIOS table. The string should
+ have the following format:
+
+ 4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK and first KEK>
+
+ Such string can be generated with the following script, for example:
+
+ sed \
+ -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
+ -e '/^-----END CERTIFICATE-----$/d' \
+ PkKek1.pem \
+ | tr -d '\n' \
+ > PkKek1.oemstr
+
+ - Using QEMU 5.2 or later, the SMBIOS type 11 field can be specified from a
+ file:
+
+ -smbios type=11,path=PkKek1.oemstr \
+
+ - Using QEMU 5.1 or earlier, the string has to be passed as a value:
+
+ -smbios type=11,value="$(< PkKek1.oemstr)"
+
=== SMM support ===
Requirements:
|