rm: security: add UEFI provisioning section
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
ldts committed Sep 5, 2024
1 parent 332d060 commit 7ebb85c
Showing 2 changed files with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion source/reference-manual/security/secure-boot-uefi.rst
Expand Up @@ -132,6 +132,18 @@ The signing process in LmP is controlled by the following Yocto Project variable
* ``UEFI_SIGN_ENABLE``
* If set to ``1`` the systemd-boot bootloader and Linux kernel binaries will be signed by with the DB key (``DB.key`` at ``UEFI_SIGN_KEYDIR``)


UEFI Secure Boot Provisioning
-----------------------------

LmP includes and distributes ``LockDown.efi``, an EFI application from the ``efitools`` suite. This application contains the necessary certificates to configure and activate Secure Boot. When executed, it validates and installs the certificates into non-volatile memory, enables Secure Boot, and restarts the system.

LmP provides access to the application through a systemd-boot menu. Simply selecting it during boot initiates the provisioning process. After the reboot, the system will verify image signatures, and booting will be blocked if the signature verification fails.

.. figure:: secure-boot-uefi/uefi-lockdown-provisioning.png
:alt: UEFI Secure Boot Provisioning


Backup Current UEFI Secure Boot Certificates
--------------------------------------------

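Review bot: the new provisioning section omits the preconditions and consequences of running ``LockDown.efi``. It should say which certificates the application carries (presumably the PK/KEK/DB set from ``UEFI_SIGN_KEYDIR`` named in the bullet just above; state that explicitly), that the efitools LockDown tool is meant to run on a platform in Setup Mode (no PK enrolled yet), and that once a PK is enrolled the key set can only be changed with PK-signed updates or by clearing the keys from the firmware setup utility. Since the text ends with "booting will be blocked if the signature verification fails", point the reader at the ``Backup Current UEFI Secure Boot Certificates`` section before the reboot step, because that is where a recovery path matters. Style: expand ``EFI`` on first use (the docs linter flags it as an undefined acronym), and the unchanged context line above still reads "signed by with the DB key" (drop "by").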
@@ -159,7 +171,6 @@ Enrolling Custom UEFI Secure Boot Certificates
----------------------------------------------

It is possible to enroll custom UEFI Secure Boot Certificates using your firmware's built-in setup utility, ``KeyTool`` (from ``efitools``).
You could also create a custom ``LockDown`` efi program with the certificates embedded into it.

By default, LmP installs the required certificates (via ``UEFI_SIGN_KEYDIR``) into the ESP image partition (under ``ESP/uefi_certs``).
This can be used when enrolling via the firmware's built-in setup utility.
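Review bot: the first sentence reads as if ``KeyTool`` were the firmware's built-in setup utility ("using your firmware's built-in setup utility, ``KeyTool`` (from ``efitools``)"); these are two separate methods, so write "using your firmware's built-in setup utility or ``KeyTool`` (from ``efitools``)". The next sentence refers to "a custom ``LockDown`` efi program" while the new section above calls it ``LockDown.efi``; use the same literal in both places, and since the certificates are embedded into that binary at build time, note that it must be rebuilt whenever the keys in ``UEFI_SIGN_KEYDIR`` change. The hunk header records one deleted line (-159,7 +171,6) but the rendered hunk does not mark it; confirm the intended line was removed.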
0 comments on commit 7ebb85c