From 6a7862077b08ae360635cdc962253a3e321fd0cf Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Tue, 1 Oct 2019 07:44:43 +0200 Subject: GettingStarted: add "Advanced Configurations" ch - Move "Hugepage Reservation Service", "UEFI Secure Boot and "Bare Metal Provisioning" to "Advanced Configurations" chapter - Fix review comments on "Bare Metal Provisioning" chapter Change-Id: I2dbaf2d419d4a19e900b31472fc8690ec7f88169 Signed-off-by: Sona Sarmadi --- .../doc/advanced_configurations.xml | 519 +++++++++++++++++++++ .../doc/bare_metal_provisioning.xml | 210 --------- .../doc/book.xml | 8 +- .../doc/getting_started_nfv_access.xml | 138 ------ .../doc/secure_boot.xml | 174 ------- 5 files changed, 520 insertions(+), 529 deletions(-) create mode 100644 doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml delete mode 100644 doc/book-enea-nfv-access-getting-started/doc/bare_metal_provisioning.xml delete mode 100644 doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml (limited to 'doc/book-enea-nfv-access-getting-started') diff --git a/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml new file mode 100644 index 0000000..0dbdd84 --- /dev/null +++ b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml @@ -0,0 +1,519 @@ + + + + Advanced Configurations + + This chapter describes possible configurations for select advanced features + such as the Hugepage Reservation Service, UEFI Secure Boot and Bare Metal + Provisioning. These features are optional in the Enea NFV Access platform. + If you do not intend to use these features, skip this chapter. + +
+ Hugepage Reservation Service + + NFV Access implements an automatic hugepage allocation service that + is triggered at each startup. The service is skipped if hugepages have + been allocated in the kernel boot command line. + + There are two strategies outlined for hugepage allocation: + + + + If a system has an amount of memory up to 8GB, the allocation + algorithm will reserve up to 30% (no more than 2GB), for the OS and + the rest as 2MB hugepages. + + + + If a system has an amount of memory that's higher than 8GB, the + allocation algorithm will reserve all but 2GB of memory as 1GB + hugepages, leaving the rest (2GB) to be used by the OS. + + + + + This is a best effort reservation after kernel boot, so the + results may vary accordingly. + + +
+ Customizing Automatic Hugepage Reservation + + Configuration of Hugepage reservation is done in + /etc/enea-nfv-access/hugepages.cfg. + + Parameters used by the automatic algorithm: + + + + + hugepage_setup: Enables the automatic + configuraiton algorithm. It has only one value, + auto. For manual configuration comment or remove + this parameter. Use the other parameter descriptions as a + template/example. + + + + threshold_to_use_1g: Decides the threshold + which instructs the algorithm to use 1GB hugepages. If a system's + memory is higher than threshold_to_use_1g, then + the algorithm will use 1GB hugepages, otherwise it will use 2MB + hugepages. + + + + percent_os_alloc: Decides how much memory + to try to reserve for userspace applications. The algorithm will try + to reserve at least the value of percent_os_alloc of the total + system memory for userspace applications. + + + + maximum_os_alloc_mb: Maximum amount of + memory to allocate for userspace applications. If + percent_os_alloc of the total system memory + exceeds maximum_os_alloc_mb then the maximum + allocated memory for userspace applications is + maximum_os_alloc_mb. + + + + Example of automatic Hugepage + Configuration: + + hugepage_setup = auto + threshold_to_use_1g = 8192 + percent_os_alloc = 30 + maximum_os_alloc_mb = 2048 + + The following possible allocations can result (based on total + system memory available): + + + + 2GB of memory: approximately 30% will be allocated for the OS + and the rest will be allocated as 2MB hugepages. + + + + 4GB of memory: approximately 30% will be allocated for the OS + and the rest will be allocated as 2MB hugepages. + + + + 16GB of memory: approximately 2GB will be allocated for the OS + and the rest as 1GB hugepages. + + + + + The memory allocated for the kernel and hugepages might vary + slightly depending on how much memory is available. + +
+ +
+ Customizing Manual Hugepage Reservation + + The automatic algorithm can be disabled and hugepages in turn, configured + manually. To do this, comment the line which defines + hugepage_setup as auto and + configure memory for each CPU socket in the following manner: + + <NUMA node>.<hugepage size> = <number of pages> + + Where <NUMA node> refers to a node which + is part of the system's NUMA topology, <hugepage + size> decides what type of hugepages should be set and + <number of hugepages> is how many hugepages of + <hugepage size> should be allocated. + + To list the available system nodes, run: + + ls -d /sys/devices/system/node/node* + + To list available hugepage sizes, per node, run: + + ls -d /sys/devices/system/node/node*/hugepages/hugepages-* + + Example of Manual Hugepage Configuration, configuring the system + to allocate three 1GB hugepages and 512 of 2MB hugepages on node: + + node0.2048kB = 512 +node0.1048576kB = 3 +
+
+ +
+ UEFI Secure Boot + + Secure Boot was designed to enhance security in the pre-boot + environment. It prevents malicious software and applications from being + loaded during the system start-up process. + + The basic principle of UEFI Secure Boot is that it requires all + artifacts involved in the boot process (bootloaders, kernel, initramfs) + to be signed using a set of private keys. On a Secure Boot enabled uCPE + device these artifacts are checked against a set of public certificates + which correspond to these keys. If there are any mismatches the boot + process will fail at the stage(s) they are detected. + + For more information about Secure Boot please refer to Secure + Boot in Modern Computer Security Solutions. + +
+ Enabling UEFI Secure Boot + + All Enea NFV Access image artifacts delivered with the release are + signed using the Enea UEFI Secure boot private keys. These artifacts can + be used on a uCPE device that doesn't have Secure Boot enabled. To use + the Secure Boot feature, however, the user must make the Enea UEFI + Secure Boot public certificates available on the uCPE device before + enabling the feature in BIOS. This process is called + "Provisioning". + +
+ Provisioning the Enea UEFI Secure Boot Certificates + + The UEFI firmware is normally shipped with factory preloaded + certificates. If these do not already include Certificates from Enea, + they will need to be appended or replaced with the Enea + Certificates. + + UEFI Secure Boot certificates provided + with your release: + + + + Platform Key (PK): this key protects the + next key from uncontrolled modification. Once this key is + enrolled, Secure Boot enters into User Mode. + The drivers and loaders signed with the Platform + Key can then be loaded by the firmware. + + + + Key Exchange key (KEK): this key allows + other certificates which have a connection to the private portion + of the Platform Key to be used. + + + + Authorized Signature (DB): contains the + trusted keys used for authenticating any + drivers or applications executed in the UEFI environment. + + + + The Enea UEFI Secure Boot certificates are installed together + with the Enea NFV Access Run Time Platform onto the hard drive. They + can be found on the EFI partition (usually the first partition of the + drive) under /uefi_sb_keys. + + How to manually enroll Enea + Certificates + + + + Reboot the uCPE device and press DEL to + enter into BIOS. + + + + Select Secure Boot Mode -> + Custom. + + + + Select Key Management from the + Security menu. + + + + Enroll the Platform Key (PK): + + + Select Set New Key -> + File from a file system. . + + + + Specify the folder: <user-keys>/<uefi_sb_keys>/PK.esl + + + + Select Public Key Certificate and then Ok. + + + + + + Enroll the Key Exchange key (KEK): + + + Select Set New Key -> File from a file system. + + + + Specify the folder: <user-keys>/<uefi_sb_keys>/KEK.esl + + + + Select Public Key Certificate and then Ok. + + + + + + Enroll the Authorized Signature (DB): + + + Select Set New Key -> File from a file system. + + + + Specify the folder: <user-keys>/<uefi_sb_keys>/DB.esl + + + + Select Public Key Certificate and then Ok. 
+ + + + + + + Details on how to provision the certificates may vary with + different versions of UEFI firmware. + +
+ +
+ Enabling Secure Boot in BIOS + + Once the certificates are provisioned we can enable the Secure + Boot feature: + + + + Within BIOS, select the Security option from the top + menu. + + + + Set the Boot Menu -> + Enabled. + + +
+
+
+ +
+ Bare Metal Provisioning + + Bare Metal Provisioning can be used for automated deployment of + the Enea NFV Access Run Time Platform on a large number of uCPE devices. + The uCPE devices may have no previous operating system installed, or are + reinstalled without preserving any existing data. Enea NFV Access Bare + Metal Provisioning is based on standardized Pre-Boot Execution + environment (PXE) booting. + + The Bare Metal Provisioning process begins by PXE booting an Enea + NFV Access installer initramfs image. The installer + downloads a configuration file, as well as the Enea NFV Access Run Time + Platform image and then proceeds to install the system by dividing the + disk into 2 partitions. A GPT partition containing the GRUB boot loader + and a second partition containing the Enea NFV Access Run Time Platform + root filesystem. When the installation is complete, the uCPE device is + automatically rebooted into Enea NFV Access Run Time Platform. + +
+ Prerequisites + + + + The uCPE devices to be installed are connected in a working + PXE network boot environment. The PXE server can be set up using any + Linux distribution that includes TFTP and DHCP software packages. + Refer to the documentation for your distribution for setup + instructions. + + + + An HTTP server must be available and accessible from the uCPE + devices in the provisioning network. Note that the installer will + use the same interface that the uCPE device is PXE-booted from, to + obtain an IP address using DHCP and access the HTTP server. + + + + The uCPE devices are preconfigured in BIOS to boot from the + hard drive where the Enea NFV Access Run Time Platform will be + installed. + + + + A remote management tool is available that can be used to set + the next boot option to PXE and reboot the uCPE devices in order to + begin the installation. + + +
+ +
+ Server Configuration + + The following images provided with your Enea NFV Access release + need to be made available on the PXE and HTTP servers: + + + + Copy the Enea NFV Access installer + initramfs image and kernel + bzImage for your uCPE device architecture to the + TFTP directory on the PXE server (e.g + /var/lib/tftpboot). + + + + Compress the Enea NFV Access Run Time Platform + hddimg image for the uCPE device architecture + using gzip and copy the resulting + hddimg.gz file to the HTTP server. + + + +
+ Installation Configuration File + + An installation configuration file needs to be prepared on the + HTTP server. The format of the configuration file is a list of + "name = value" pairs and the available parameters + are described below. + + Mandatory parameters: + + + + image_url. The HTTP server URL used for + downloading the Enea NFV Access Run Time Platform image. This + image will be installed on the uCPE device(s) in the + hddimg.gz format. + + + + Optional parameters: + + + + install_drive. The name of the drive + where the Enea NFV Access Run Time Platform will be installed (e.g + /dev/sda). If not set, the installer will use + the largest detected (non-USB) drive on the uCPE device. + + + + prompt_user. If the parameter is set to + "yes", the installer will ask for confirmation before formatting + and partitioning the drive. The default behaviour is to proceed + automatically without any user interaction. + + + + Optional parameters for sending status notifications to a + server. All three must be provided if used: + + + + notify_user. Server SSH username. + + + + notify_pass. Server SSH password. + + + + notify_path. Location where notification + files will be placed, specified in Server IP:directory + format. + + + + Installation Configuration File Example: + + + image_url = http://192.168.1.100/enea-nfv-access-xeon-d.hddimg.gz + install_drive = /dev/sda + notify_user = username + notify_pass = password + notify_path = 192.168.1.100:/home/user/status_notifications + + +
+ +
+ PXE Configuration + + A PXE entry for the Enea NFV Access installation needs to be + added as the default boot selection in the pxelinux configuration file + (e.g /var/lib/tftpboot/pxelinux.cfg/default). The + PXE entry should have the following settings: + + + default nfv_access + label nfv_access + menu label ^NFV_ACCESS_INSTALLER + kernel <Path to kernel> + append root=/dev/ram0 initrd=<Path to initramfs> LABEL=pxe-installer \ + INSTALL_CFG=http://<Server IP>/<Path to install config file> + ipappend 2 + +
+
+ +
+ Starting the Installation + + To initiate the installation, set the boot device (for next boot + only) to PXE and reboot the uCPE devices. How to do this depends on the + remote management capabilities of the uCPE devices and may require + vendor-specific tools. + + Example initiation using ipmitool: + + + ipmitool -U <user> -P <password> -H <uCPE device IPMI IP address> chassis bootdev pxe + ipmitool -U <user> -P <password> -H <uCPE device IPMI IP address> power reset + + + The uCPE devices should be configured in BIOS to boot from the + installation drive first in order to automatically start the Enea NFV + Access Run Time Platform when the installation is finished. + +
+ Server Notifications + + Optionally, the uCPE devices can send a notification file to a + server once the installation is complete and Enea NFV Access Run Time + Platform has successfully booted. Notifications are enabled by + providing the notify_* parameters in the + installation configuration file. + + Each uCPE device will push a file to the server location + specified in the installation configuration file. The file name will + be the MAC address of the PXE boot network interface in order to + uniquely identify the device. + + + Note that the status notification will only be sent on the + first boot after installation is done, subsequent reboots of the + uCPE device will not cause any new notifications to be sent. + +
+
+
+
diff --git a/doc/book-enea-nfv-access-getting-started/doc/bare_metal_provisioning.xml b/doc/book-enea-nfv-access-getting-started/doc/bare_metal_provisioning.xml deleted file mode 100644 index 8ff70ee..0000000 --- a/doc/book-enea-nfv-access-getting-started/doc/bare_metal_provisioning.xml +++ /dev/null @@ -1,210 +0,0 @@ - - - - Bare Metal Provisioning - - This chapter contains information needed in order to use Bare Metal - Provisioning. Bare Metal Provisioning is an optional feature in the Enea NFV - Access Run Time Platform. If you do not intend to use this feature, skip to - the next chapter. - -
- Introduction - - Bare Metal Provisioning can be used for automated deployment of the - Enea NFV Access Run Time Platform on a large number of uCPE devices. The - uCPE devices may have no previous operating system installed, or are - reinstalled without preserving any existing data. Enea NFV Access Bare - Metal Provisioning is based on standardized Pre-Boot Execution environment - (PXE) booting. - - The Bare Metal Provisioning process begins by PXE booting an Enea - NFV Access installer initramfs image. The installer - downloads a configuration file, as well as the Enea NFV Access Run Time - Platform image and then proceeds to install the system by dividing the - disk into 2 partitions. A GPT partition containing the GRUB boot loader - and a second partition containing the Enea NFV Access Run Time Platform - root filesystem. When the installation is complete, the uCPE device is - automatically rebooted into Enea NFV Access Run Time Platform. -
- -
- Prerequisites - - - - The uCPE devices to be installed are connected in a working PXE - network boot environment. The PXE server can be set up using any Linux - distribution that includes TFTP and DHCP software packages. Refer to - the documentation for your distribution for setup instructions. - - - - An HTTP server must be available and accessible from the uCPE - devices in the provisioning network. Note that the installer will use - the same interface that the uCPE device is PXE-booted from, to obtain - an IP address using DHCP and access the HTTP server. - - - - The uCPE devices are preconfigured in BIOS to boot from the hard - drive where the Enea NFV Access Run Time Platform will be - installed. - - - - A remote management tool is available that can be used to set - the next boot option to PXE and reboot the uCPE devices in order to - begin the installation. - - -
- -
- Server Configuration - - The following images provided with your Enea NFV Access release - needs to be made available on the PXE and HTTP servers: - - - - Copy the Enea NFV Access installer initramfs - image and kernel bzImage for the uCPE device - architecture to the TFTP directory on the PXE server (e.g - /var/lib/tftpboot). - - - - Compress the Enea NFV Access Run Time Platform - hddimg image for the uCPE device architecture using - gzip and copy the resulting - hddimg.gz file to the HTTP server. - - - -
- Installation Configuration File - - An installation configuration file needs to be prepared on the - HTTP server. The format of the configuration file is a list of - "name = value" pairs and the available parameters are - described below. - - Mandatory parameters: - - - - image_url. The HTTP server URL used for - downloading the Enea NFV Access Run Time Platform image to be - installed on the uCPE devices in hddimg.gz - format. - - - - Optional parameters: - - - - install_drive. The name of the drive where - the Enea NFV Access Run Time Platform will be installed (e.g - /dev/sda). If not set, the installer will use the - largest detected (non-USB) drive on the uCPE device. - - - - prompt_user. If the parameter is set to - "yes", the installer will ask for confirmation before formatting and - partitioning the drive. The default behaviour is to proceed - automatically without any user interaction. - - - - Optional parameters for sending status notifications to a server. - All three must be provided if used: - - - - notify_user. Server SSH username - - - - notify_pass. Server SSH password - - - - notify_path. Location where notification - files will be placed, specified in "Server IP:directory" - format. - - - - Installation Configuration File Example: - - - image_url = http://192.168.1.100/enea-nfv-access-xeon-d.hddimg.gz - install_drive = /dev/sda - notify_user = username - notify_pass = password - notify_path = 192.168.1.100:/home/user/status_notifications - - -
- -
- PXE Configuration - - A PXE entry for the Enea NFV Access installation needs to be added - as the default boot selection in the pxelinux configuration file (e.g - /var/lib/tftpboot/pxelinux.cfg/default). The PXE - entry should have the following settings: - - - default nfv_access - label nfv_access - menu label ^NFV_ACCESS_INSTALLER - kernel <Path to kernel> - append root=/dev/ram0 initrd=<Path to initramfs> LABEL=pxe-installer \ - INSTALL_CFG=http://<Server IP>/<Path to install config file> - ipappend 2 - -
-
- -
- Starting the Installation - - To initiate the installation, set the boot device (for next boot - only) to PXE and reboot the uCPE devices. How to do this depends on the - remote management capabilities of the uCPE devices and may require - vendor-specific tools. - - Example initiation using ipmitool: - - - ipmitool -U <user> -P <password> -H <uCPE device IPMI IP address> chassis bootdev pxe - ipmitool -U <user> -P <password> -H <uCPE device IPMI IP address> power reset - - - The uCPE devices should be configured in BIOS to boot from the - installation drive first in order to automatically start the Enea NFV - Access Run Time Platform when the installation is finished. - -
- Server Notifications - - Optionally, the uCPE devices can send a notification file to a - server once the installation is complete and Enea NFV Access Runtime - Platform has successfully booted. Notifications are enabled by providing - the notify_* parameters in the installation - configuration file. - - Each uCPE device will push a file to the server location specified - in the installation configuration file. The file name will be the MAC - address of the PXE boot network interface in order to uniquely identify - the device. Note that the status notification will only be sent on the - first boot after installation is done, subsequent reboots of the uCPE - device will not cause any new notifications to be sent. -
-
-
\ No newline at end of file diff --git a/doc/book-enea-nfv-access-getting-started/doc/book.xml b/doc/book-enea-nfv-access-getting-started/doc/book.xml index 9289fe8..4ddc693 100644 --- a/doc/book-enea-nfv-access-getting-started/doc/book.xml +++ b/doc/book-enea-nfv-access-getting-started/doc/book.xml @@ -27,12 +27,6 @@ - - - - - diff --git a/doc/book-enea-nfv-access-getting-started/doc/getting_started_nfv_access.xml b/doc/book-enea-nfv-access-getting-started/doc/getting_started_nfv_access.xml index 7a30f28..6d9e8c4 100644 --- a/doc/book-enea-nfv-access-getting-started/doc/getting_started_nfv_access.xml +++ b/doc/book-enea-nfv-access-getting-started/doc/getting_started_nfv_access.xml @@ -238,7 +238,6 @@ of=/dev/sdb bs=4M conv=fsync Platform using a bootable USB stick image - Plug the USB stick into the reference uCPE device. Make sure you are connected to the serial port. @@ -480,143 +479,6 @@ run -
- Hugepage Reservation Service - - NFV Access implements an automatic hugepage allocation service that - is triggered at each startup. The service is skipped if hugepages have - been allocated in the kernel boot command line. - - There are two strategies outlined for hugepage allocation: - - - - If a system has an amount of memory up to 8GB, the allocation - algorithm will reserve up to 30%, but no more than 2GB, for the OS and - the rest as 2MB hugepages. - - - - If a system has an amount of memory that's higher than 8GB, the - allocation algorithm will reserve all but 2GB of memory as 1GB - hugepages, leaving the rest (2GB) to be used by the OS. - - - - - This is a best effort reservation, after the kernel boot, so the - results may not be as described. - - -
- Customizing Automatic Hugepage Reservation - - Configuration of Hugepage reservation is done in - /etc/enea-nfv-access/hugepages.cfg. - - Parameters used by the automatic algorithm: - - - - - hugepage_setup: Enables the automatic - configuraiton algorithm. It has only one value, - auto. For manual configuration comment or remove - the parameter. Use the other parameter descriptions as a - template/example. - - - - threshold_to_use_1g: Decides the threshold - which instructs the algorithm to use 1GB hugepages. If a system's - memory is higher than threshold_to_use_1g, then - the algorithm will use 1GB hugepages, otherwise it will use 2MB - hugepages. - - - - percent_os_alloc: Decides how much memory - to try to reserve for userspace applications. The algorithm will try - to reserve at least percent_os_alloc of the total - system memory to user space applications. - - - - maximum_os_alloc_mb: Maximum amount of - memory to allocate for userspace applications. If - percent_os_alloc of the total system memory - exceeds maximum_os_alloc_mb then the maximum - allocated memory for userspace applications is - maximum_os_alloc_mb. - - - - Example of automatic Hugepage - Configuration: - - hugepage_setup = auto - threshold_to_use_1g = 8192 - percent_os_alloc = 30 - maximum_os_alloc_mb = 2048 - - The following possible allocations could result (based on total - system memory available): - - - - 2GB of memory: approximately 30% will be allocated for the OS - and the rest will be allocated as 2MB hugepages. - - - - 4GB of memory: approximately 30% will be allocated for the OS - and the rest will be allocated as 2MB hugepages. - - - - 16GB of memory: approximately 2GB will be allocated for the OS - and the rest as 1GB hugepages. - - - - - The memory allocated for the kernel and hugepages might vary - slightly depending on how much memory is available. - -
- -
- Customizing Manual Hugepage Reservation - - The automatic algorithm can be disabled and hugepages configured - manually. To do this, comment the line which defines - hugepage_setup as auto and - configure memory for each CPU socket in the following manner: - - <NUMA node>.<hugepage size> = <number of pages> - - Where <NUMA node> refers to a node which - is part of the system's NUMA topology, <hugepage - size> decides what type of hugepages should be set and - <number of hugepages> is how many hugepages of - <hugepage size> should be allocated. - - To list the available system nodes, run: - - ls -d /sys/devices/system/node/node* - - To list available hugepage sizes, per node, run: - - ls -d /sys/devices/system/node/node*/hugepages/hugepages-* - - Example of Manual Hugepage Configuration, to configure the sytem - to allocate e.g. 3 1GB hugepages and 512 2MB hugepages on node: - - node0.2048kB = 512 -node0.1048576kB = 3 -
-
-
NFV Access Release content diff --git a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml deleted file mode 100644 index 7b07086..0000000 --- a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml +++ /dev/null @@ -1,174 +0,0 @@ - - - - UEFI Secure Boot - - This chapter contains information needed in order to enable the Secure - Boot. Secure Boot is an optional feature in the Enea NFV Access Run Time - Platform. If you do not intend to use this feature, skip to the next - chapter. - -
- Introduction - - Secure Boot was designed to enhance security in the pre-boot - environment. It prevents malicious software and applications from being - loaded during the system start-up process. - - The basic principle of UEFI Secure Boot is that it requires all - artifacts involved in the boot process (bootloaders, kernel, initramfs) to - be signed using a set of private keys. On a Secure Boot enabled uCPE - device these artifacts are checked against a set of public certificates - which correspond to these keys. If there are any mismatches the boot - process will fail at various stages. - - For more information about Secure Boot please refer to Secure - Boot in Modern Computer Security Solutions. -
- -
- Enabling UEFI Secure Boot - - All Enea NFV Access image artifacts delivered with the release are - signed using the Enea UEFI Secure boot private keys. These artifacts can - be used on a uCPE device that doesn't have Secure Boot enabled. To use the - Secure Boot feature, however, the user must make the Enea UEFI Secure Boot - public certificates available on the uCPE device before enabling the - feature in BIOS. This process is called "Provisioning". - -
- Provisioning the Enea UEFI Secure Boot Certificates - - The UEFI firmware is normally shipped with factory preloaded - certificates. If these do not already include Certificates from Enea, - they will need to be appended or replaced with the Enea - Certificates. - - UEFI Secure Boot certificates provided with - your release: - - - - Platform Key (PK): this key protects the - next key from uncontrolled modification. Once this key is enrolled, - Secure Boot enters into User Mode. The drivers - and loaders signed with the Platform Key can then - be loaded by the firmware. - - - - Key Exchange key (KEK): this key allows - other certificates which have a connection to the private portion of - the Platform Key to be used. - - - - Authorized Signature (DB): contains the - trusted keys used for authenticating any drivers - or applications executed in the UEFI environment. - - - - The Enea UEFI Secure Boot certificates are installed together with - the Enea NFV Access Run Time Platform onto the hard drive. They can be - found on the EFI partition (usually the first partition of the drive) - under /uefi_sb_keys. - - How to manually enroll Enea - Certificates - - - - Reboot the uCPE device and press DEL to - enter into BIOS. - - - - Select Secure Boot Mode -> - Custom. - - - - Select Key Management from the - Security menu. - - - - Enroll the Platform Key (PK): - - Select Set New Key -> File from a file system. - - - - Specify the folder: - <user-keys>/<uefi_sb_keys>/PK.esl. - - - Select Public Key Certificate and then Ok. - - - - - - Enroll the Key Exchange key (KEK): - - - Select Set New Key -> File from a file system. - - - - Specify the folder: - <user-keys>/<uefi_sb_keys>/KEK.esl. - - - - Select Public Key Certificate and then Ok. - - - - - - - Enroll the Authorized Signature (DB): - - - Select Set New Key -> File from a file system. - - - - Specify the folder: - <user-keys>/<uefi_sb_keys>/DB.esl. . - - - - Select Public Key Certificate and then Ok. 
- - - - - - - Details on how to provision the certificates may vary with - different versions of UEFI firmware. - -
- -
- Turning on Secure Boot in BIOS - - Once the certificates are provisioned we can enable the Secure Boot feature: - - - - Select Security option from the top menu. - - - - Set the Boot Menu -> Enabled. - - -
-
-
\ No newline at end of file -- cgit v1.2.3-54-g00ecf
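Review bot: in the Installation Configuration File section of the new advanced_configurations.xml, notify_pass puts an SSH password in plaintext into a file that the installer fetches over plain HTTP (the PXE entry uses INSTALL_CFG=http://<Server IP>/..., and the example has image_url = http://192.168.1.100/...), and nothing in the chapter says how the downloaded hddimg.gz is checked before it is written to install_drive; add a sentence stating that the PXE/HTTP provisioning network is assumed to be trusted (or point to HTTPS and image verification if the installer supports them) and suggest a dedicated, low-privilege account for the notify_* parameters rather than a general user. Smaller points in the same file: the Platform Key (PK) paragraph ends with "The drivers and loaders signed with the Platform Key can then be loaded by the firmware", which contradicts the Authorized Signature (DB) paragraph right below it (the DB holds the keys that authenticate drivers and applications; the PK authorizes updates to the PK and KEK variables), so that sentence should be dropped; in "Enabling Secure Boot in BIOS" the step "Set the Boot Menu -> Enabled" does not name a Secure Boot option, please confirm the intended menu item; "configuraiton" in the hugepage_setup description is carried over from the old text and should read "configuration"; and in the PK enrollment steps "Specify the folder:" points at a file (PK.esl) and "File from a file system. ." has a stray period.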
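Review bot: the book.xml hunk at @@ -27,12 +27,6 @@ shows only removed include lines, while the diffstat ("book.xml | 8 +-", 520 insertions against 519 in the new file) implies one added line; confirm that the xi:include for advanced_configurations.xml is present and placed after getting_started_nfv_access.xml, since the Hugepage Reservation Service text that readers previously found in that file now lives only in the new chapter.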
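Review bot: the getting_started_nfv_access.xml hunk at @@ -238,7 +238,6 @@ removes a line in the "bootable USB stick image" procedure ("- Plug the USB stick into the reference uCPE device..."), which is unrelated to the chapter move described in the commit message; either split it out or mention it in the commit message so the change is traceable.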