diff options
-rw-r--r-- | doc/book-enea-nfv-access-getting-started/doc/book.xml | 3 | ||||
-rw-r--r-- | doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml | 186 |
2 files changed, 189 insertions, 0 deletions
diff --git a/doc/book-enea-nfv-access-getting-started/doc/book.xml b/doc/book-enea-nfv-access-getting-started/doc/book.xml index 1f51d01..534b7f9 100644 --- a/doc/book-enea-nfv-access-getting-started/doc/book.xml +++ b/doc/book-enea-nfv-access-getting-started/doc/book.xml | |||
@@ -24,6 +24,9 @@ | |||
24 | <xi:include href="getting_started_nfv_access.xml" | 24 | <xi:include href="getting_started_nfv_access.xml" |
25 | xmlns:xi="http://www.w3.org/2001/XInclude" /> | 25 | xmlns:xi="http://www.w3.org/2001/XInclude" /> |
26 | 26 | ||
27 | <xi:include href="secure_boot.xml" | ||
28 | xmlns:xi="http://www.w3.org/2001/XInclude" /> | ||
29 | |||
27 | <xi:include href="getting_started_ucpe_manager.xml" | 30 | <xi:include href="getting_started_ucpe_manager.xml" |
28 | xmlns:xi="http://www.w3.org/2001/XInclude" /> | 31 | xmlns:xi="http://www.w3.org/2001/XInclude" /> |
29 | 32 | ||
diff --git a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml new file mode 100644 index 0000000..cf2e935 --- /dev/null +++ b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml | |||
@@ -0,0 +1,186 @@ | |||
1 | <?xml version="1.0" encoding="ISO-8859-1"?> | ||
2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" | ||
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | ||
4 | <chapter id="secure_boot"> | ||
5 | <title>UEFI Secure Boot</title> | ||
6 | |||
7 | <para>This chapter contains information needed in order to enable the Secure | ||
8 | Boot. Secure Boot is an optional feature in the Enea NFV Access Run Time | ||
9 | Platform. If you do not intend to use this feature, skip to the next | ||
10 | chapter.</para> | ||
11 | |||
12 | <section id="intro"> | ||
13 | <title>Introduction</title> | ||
14 | |||
15 | <para>Secure Boot was designed to enhance security in the pre-boot | ||
16 | environment. It prevents malicious software and applications from being | ||
17 | loaded during the system start-up process.</para> | ||
18 | |||
19 | <para>The basic principle of UEFI Secure Boot is that it requires all | ||
20 | artifacts involved in the boot process (bootloaders, kernel, initramfs) to | ||
21 | be signed using a set of private keys. On a Secure Boot enabled uCPE device | ||
22 | these artifacts are checked against a set of public certificates which | ||
23 | correspond to these keys. If there are any mismatches the boot process | ||
24 | will fail at various stages.</para> | ||
25 | |||
26 | <para>For more information about Secure Boot please refer to <ulink | ||
27 | url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure | ||
28 | Boot in Modern Computer Security Solutions</ulink>.</para> | ||
29 | </section> | ||
30 | |||
31 | <section id="secure_boot_keys"> | ||
32 | <title>Enabling UEFI Secure Boot</title> | ||
33 | |||
34 | <para>All Enea NFV Access image artifacts delivered with the release are | ||
35 | signed using the Enea UEFI Secure boot private keys. These artifacts can | ||
36 | be used on a uCPE device that doesn't have Secure Boot enabled. To use the | ||
37 | Secure Boot feature, however, the user must make the Enea UEFI Secure Boot | ||
38 | public certificates available on the uCPE device before enabling the feature | ||
39 | in BIOS. This process is called "Provisioning".</para> | ||
40 | |||
41 | <section id="manual_key_provisioning"> | ||
42 | <title>Provisioning the Enea UEFI Secure Boot Certificates</title> | ||
43 | |||
44 | <para>The UEFI firmware is normally shipped with factory preloaded | ||
45 | certificates. If these do not already include Certificates from Enea, | ||
46 | they will need to be appended or replaced with the Enea | ||
47 | Certificates.</para> | ||
48 | |||
49 | <para><emphasis role="bold">UEFI Secure Boot certificates provided with | ||
50 | your release:</emphasis></para> | ||
51 | |||
52 | <itemizedlist> | ||
53 | <listitem> | ||
54 | <para><literal>Platform Key (PK)</literal>: the purpose of this key | ||
55 | is to protect the next key from uncontrolled modification. Once this | ||
56 | key is enrolled, Secure Boot enters into <literal>User | ||
57 | Mode</literal>. The drivers and loaders signed with the | ||
58 | <literal>platform key</literal> can then be loaded by the | ||
59 | firmware.</para> | ||
60 | </listitem> | ||
61 | |||
62 | <listitem> | ||
63 | <para><literal>Key Exchange key (KEK)</literal>: this key allows | ||
64 | other certificates which have a connection to the private portion of | ||
65 | the <literal>platform key</literal> to be used.</para> | ||
66 | </listitem> | ||
67 | |||
68 | <listitem> | ||
69 | <para><literal>Authorized Signature (DB)</literal>: contains the | ||
70 | <literal>trusted keys</literal> used for authenticating any drivers | ||
71 | or applications executed in the UEFI environment.</para> | ||
72 | </listitem> | ||
73 | </itemizedlist> | ||
74 | |||
75 | <para>The Enea UEFI Secure Boot certificates are installed together with | ||
76 | the Enea NFV Access Run Time Platform onto the hard drive. They can be | ||
77 | found on the EFI partition (usually the first partition of the drive) | ||
78 | under /uefi_sb_keys.</para> | ||
79 | |||
80 | <para><emphasis role="bold">How to manually enroll Enea | ||
81 | Certificates</emphasis></para> | ||
82 | |||
83 | <orderedlist> | ||
84 | <listitem> | ||
85 | <para>Reboot the uCPE device and press <literal>DEL</literal> to | ||
86 | enter into the BIOS.</para> | ||
87 | </listitem> | ||
88 | |||
89 | <listitem> | ||
90 | <para>Select "Secure Booot Mode" -> "Custom".</para> | ||
91 | </listitem> | ||
92 | |||
93 | <listitem> | ||
94 | <para>Select <literal>Key Management</literal> from the | ||
95 | <literal>Security</literal> menu.</para> | ||
96 | </listitem> | ||
97 | |||
98 | <listitem> | ||
99 | <para>Enroll the <literal>Platform Key (PK)</literal>: <itemizedlist> | ||
100 | <listitem> | ||
101 | Select "Set New Key" -> "File from a file system". | ||
102 | </listitem> | ||
103 | |||
104 | <listitem> | ||
105 | Specify the folder: | ||
106 | |||
107 | <literal><user-keys>/<uefi_sb_keys>/PK.esl</literal> | ||
108 | |||
109 | . | ||
110 | </listitem> | ||
111 | |||
112 | <listitem> | ||
113 | Select "Public Key Certificate" and then "Ok". | ||
114 | </listitem> | ||
115 | </itemizedlist></para> | ||
116 | </listitem> | ||
117 | |||
118 | <listitem> | ||
119 | <para>Enroll the <literal>Key Exchange key (KEK)</literal>: | ||
120 | <itemizedlist> | ||
121 | <listitem> | ||
122 | Select "Set New Key" -> "File from a file system". | ||
123 | </listitem> | ||
124 | |||
125 | <listitem> | ||
126 | Specify the folder: | ||
127 | |||
128 | <literal><user-keys>/<uefi_sb_keys>/KEK.esl</literal> | ||
129 | |||
130 | . | ||
131 | </listitem> | ||
132 | |||
133 | <listitem> | ||
134 | Select "Public Key Certificate" and then "ok". | ||
135 | </listitem> | ||
136 | </itemizedlist></para> | ||
137 | </listitem> | ||
138 | |||
139 | <listitem> | ||
140 | <para>Enroll the <literal>Authorized Signature (DB)</literal>: | ||
141 | <itemizedlist> | ||
142 | <listitem> | ||
143 | Select "Set New Key" -> "File from a file system". | ||
144 | </listitem> | ||
145 | |||
146 | <listitem> | ||
147 | Specify the folder: | ||
148 | |||
149 | <literal><user-keys>/<uefi_sb_keys>/DB.esl</literal> | ||
150 | |||
151 | . | ||
152 | </listitem> | ||
153 | |||
154 | <listitem> | ||
155 | Select "Public Key Certificate" and then "ok". | ||
156 | </listitem> | ||
157 | </itemizedlist></para> | ||
158 | </listitem> | ||
159 | </orderedlist> | ||
160 | |||
161 | <note> | ||
162 | <para>Details on how to provision the certificates may vary with | ||
163 | different versions of UEFI firmware.</para> | ||
164 | </note> | ||
165 | </section> | ||
166 | |||
167 | <section id="enable_secure_boot"> | ||
168 | <title>Turn on Secure Boot in BIOS</title> | ||
169 | |||
170 | <para>Finally, once the certificates are provisioned we can enable the | ||
171 | Secure Boot feature:</para> | ||
172 | |||
173 | <orderedlist> | ||
174 | <listitem> | ||
175 | <para>Select <literal>Security option</literal> from the top | ||
176 | menu.</para> | ||
177 | </listitem> | ||
178 | |||
179 | <listitem> | ||
180 | <para>Set the <literal>Boot Menu</literal> -> | ||
181 | <literal>Enabled.</literal></para> | ||
182 | </listitem> | ||
183 | </orderedlist> | ||
184 | </section> | ||
185 | </section> | ||
186 | </chapter> | ||