summaryrefslogtreecommitdiffstats
path: root/documentation/secureboot
diff options
context:
space:
mode:
authorCalifornia Sullivan <california.l.sullivan@intel.com>2017-10-17 19:39:55 (GMT)
committerCalifornia Sullivan <california.l.sullivan@intel.com>2017-10-17 19:41:36 (GMT)
commit7600ff9a4f2ac5feafc920507d7c5bea8a208c37 (patch)
tree84afbeb32860e69bc09ab0265090f1af85e91d48 /documentation/secureboot
parentc27cfdc898d6360ac5d1b38c6f08bafe06228f7a (diff)
downloadmeta-intel-7600ff9a4f2ac5feafc920507d7c5bea8a208c37.tar.gz
documentation: add Secure Boot information
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Diffstat (limited to 'documentation/secureboot')
-rw-r--r--documentation/secureboot/README38
1 files changed, 38 insertions, 0 deletions
diff --git a/documentation/secureboot/README b/documentation/secureboot/README
new file mode 100644
index 0000000..3d5703b
--- /dev/null
+++ b/documentation/secureboot/README
@@ -0,0 +1,38 @@
1Currently, only one implementation of Secure Boot is available out of the box,
2which is using a single signed EFI application to directly boot the kernel with
3an optional initramfs.
4
5This can be added to your build either through local.conf, or via your own
6custom image recipe.
7
8If you are adding it via local.conf, set the following variables:
9
10IMAGE_FEATURES += "secureboot"
11WKS_FILE = "generic-bootdisk.wks.in"
12SECURE_BOOT_SIGNING_KEY = "/path/to/your/signing/key"
13SECURE_BOOT_SIGNING_CERT = "/path/to/your/signing/cert"
14IMAGE_CLASSES += "uefi-comboapp"
15
16If working with an image recipe, you can inherit uefi-comboapp directly instead
17of using the IMAGE_CLASSES variable.
18
19The signing keys and certs can be created via openssl commands. Here's an
20example:
21openssl req -new -x509 -newkey rsa:2048 -subj "/CN=your-subject/" -keyout \
22your-key.key -out your-key.crt -days 365 -nodes -sha256
23openssl x509 -in your-key.crt -out your-key.cer -outform DER
24
25The .crt file is your SECURE_BOOT_SIGNING_CERT, and the .key file is your
26SECURE_BOOT_SIGNING_KEY.
27
28You should enroll the .crt key in your firmware under the PK, KEK, and DB
29options (methods are different depending on your firmware). If a key should ever
30become invalid, enroll it under DBX to blacklist it.
31
32The comboapp can be further manipulated in a number of ways. You can modify the
33kernel command line via the APPEND variable, you can change the default UUID via
34the DISK_SIGNATURE_UUID variable, and you can modify the contents of the
35initramfs via the INITRD_IMAGE or INITRD_LIVE variables.
36
37A simple Secure Boot enabled image used for testing can be viewed at:
38common/recipes-selftest/images/secureboot-selftest-image-signed.bb