From 418372ab45d8bc6b54cbbb34ec468cc33636ec4a Mon Sep 17 00:00:00 2001 From: Jorge Ramirez-Ortiz Date: Wed, 11 Sep 2024 13:00:41 +0200 Subject: [PATCH] rm: security: add UEFI PXE provisioning clarification When using QEMU to do UEFI PXE provisioning, declaring the boot order is necessary when booting the Secure Image. This avoids entering the UEFI Shell. With this commit we hope to avoid CS questions on the matter. Signed-off-by: Jorge Ramirez-Ortiz --- .../security/secure-boot-uefi.rst | 32 +++++++++++++++---- 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/source/reference-manual/security/secure-boot-uefi.rst b/source/reference-manual/security/secure-boot-uefi.rst index d344bd80..152ba62c 100644 --- a/source/reference-manual/security/secure-boot-uefi.rst +++ b/source/reference-manual/security/secure-boot-uefi.rst @@ -137,9 +137,14 @@ The signing process in LmP is controlled by the following Yocto Project variable UEFI Secure Boot Provisioning ----------------------------- -LmP includes and distributes ``LockDown.efi``, a UEFI application from the ``efitools`` suite. This application contains the necessary certificates to configure and activate Secure Boot. When executed, it validates and installs the certificates into non-volatile memory, enables Secure Boot, and restarts the system. +LmP includes and distributes ``LockDown.efi``, a UEFI application from the ``efitools`` suite. This application contains the necessary certificates to configure and activate Secure Boot. When executed, it validates and installs the certificates into non-volatile memory, attempts to enable Secure Boot, and restarts the system. -LmP provides access to the application through a systemd-boot menu. Simply selecting it during boot initiates the provisioning process. After the reboot, the system will verify image signatures, and booting will be blocked if the signature verification fails. +Be aware that some OEMs (Original Equipment Manufacturers) may require users to access the **Setup utility** to enable **Secure Boot** after programming the certificates. + +.. note:: + LockDown.efi requires that the platform be booted in Setup Mode. The method for entering this mode depends on the OEM. + +LmP provides access to the application through a systemd-boot menu. Simply selecting it during boot initiates the provisioning process. After the reboot, the system will verify image signatures, and booting will be blocked if the signature verification fails. .. figure:: secure-boot-uefi/uefi-lockdown-provisioning.png :alt: UEFI Secure Boot Provisioning @@ -152,7 +157,7 @@ The ``LockDown.efi`` application can be tested in a virtual environment using QE An easy way to do this, as QEMU includes PXE support, is to run the application standalone in the UEFI environment. -In the snippet below, QEMU fetches `LockDown.efi` from the `/tmp` directory using its PXE capabilities. +In the snippet below, QEMU fetches `LockDown.efi` from the `/tmp` directory using its PXE capabilities. Note that **OVMF** boots directly in **Setup Mode**, so it does not require initialization for this mode. This is in accordance with what is described in section 32.3, `Creating Trust Relationships`_, of the UEFI specification. .. prompt:: @@ -160,20 +165,32 @@ In the snippet below, QEMU fetches `LockDown.efi` from the `/tmp` directory usin -device virtio-net-pci,netdev=net0,mac=52:54:00:12:35:02 \ -netdev user,id=net0,tftp=/tmp/,bootfile=/LockDown.efi \ -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 \ - -drive if=pflash,format=qcow2,file=/tmp/ovmf.secboot.qcow2 --no-reboot\ + -drive if=pflash,format=qcow2,file=/tmp/ovmf.secboot.qcow2 --no-reboot \ + -drive if=pflash,format=qcow2,file=/tmp/ovmf.vars.qcow2 \ -nographic -m 4096 \ -boot nc +After provisioning the system using PXE boot with QEMU, you can boot the secure image. Ensure that you set ``bootindex=0`` on the device from which you want to boot. + +.. prompt:: + + -drive if=none,id=hd,file=/tmp/lmp-mini-image-intel-corei7-64.wic,format=raw \ + -device virtio-scsi-pci,id=scsi -device scsi-hd,drive=hd,bootindex=0 \ + You can also boot a wic image in QEMU and select the Secure Boot Provisioning menu using the following command: .. prompt:: - qemu-system-x86_64 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:35:02 \ + qemu-system-x86_64 \ + -device virtio-net-pci,netdev=net0,mac=52:54:00:12:35:02 \ -netdev user,id=net0,hostfwd=tcp::5522-:22 \ -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 \ -drive if=none,id=hd,file=/tmp/lmp-mini-image-intel-corei7-64.wic,format=raw \ + -device virtio-scsi-pci,id=scsi -device scsi-hd,drive=hd \ -drive if=pflash,format=qcow2,file=/tmp/ovmf.secboot.qcow2 -no-reboot \ - -drive if=pflash,format=qcow2,file=/tmp/ovmf.vars.qcow2 + -drive if=pflash,format=qcow2,file=/tmp/ovmf.vars.qcow2 \ + -nographic -m 4096 + After selecting the menu, you can expect the following output, after which the system will reset. @@ -317,3 +334,6 @@ Additional Documentation and References .. _systemd-boot: https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/ + +.. _Creating Trust Relationships: + https://uefi.org/specs/UEFI/2.10_A/32_Secure_Boot_and_Driver_Signing.html#firmware-os-key-exchange-creating-trust-relationships