Revised Secure Boot in Getting Started.

Change-Id: I4bf4cc5f765aa3cebf7d227cf758963e44f796a0
author: Miruna Paun <Miruna.Paun@enea.com> 2019-07-02 19:08:04 +0200
committer: Miruna Paun <Miruna.Paun@enea.com> 2019-07-04 10:46:27 +0200
commit: 7c1091880ef23b6c8b16b13609cc3dbeb099b5c3 (patch)
tree: 816b95302267172192c7598aaa9faaddbf11e94e
parent: b42195e73e2a1ae3fc04d3c40fe0d5fce2984344 (diff)
download: nfv-access-documentation-7c1091880ef23b6c8b16b13609cc3dbeb099b5c3.tar.gz
1 files changed, 35 insertions, 47 deletions
diff --git a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml
index cf2e935..7b07086 100644
--- a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml
+++ b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml
@@ -18,10 +18,10 @@
    <para>The basic principle of UEFI Secure Boot is that it requires all
    artifacts involved in the boot process (bootloaders, kernel, initramfs) to
-    be signed using a set of private keys. On a Secure Boot enabled uCPE device
+    be signed using a set of private keys. On a Secure Boot enabled uCPE
-    these artifacts are checked against a set of public certificates which
+    device these artifacts are checked against a set of public certificates
-    correspond to these keys. If there are any mismatches the boot process
+    which correspond to these keys. If there are any mismatches the boot
-    will fail at various stages.</para>
+    process will fail at various stages.</para>
    <para>For more information about Secure Boot please refer to <ulink
    url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure
@@ -35,8 +35,8 @@
    signed using the Enea UEFI Secure boot private keys. These artifacts can
    be used on a uCPE device that doesn't have Secure Boot enabled. To use the
    Secure Boot feature, however, the user must make the Enea UEFI Secure Boot
-    public certificates available on the uCPE device before enabling the feature
+    public certificates available on the uCPE device before enabling the
-    in BIOS. This process is called "Provisioning".</para>
+    feature in BIOS. This process is called "Provisioning".</para>
    <section id="manual_key_provisioning">
      <title>Provisioning the Enea UEFI Secure Boot Certificates</title>
@@ -51,18 +51,17 @@
      <itemizedlist>
        <listitem>
-          <para><literal>Platform Key (PK)</literal>: the purpose of this key
+          <para><literal>Platform Key (PK)</literal>: this key protects the
-          is to protect the next key from uncontrolled modification. Once this
+          next key from uncontrolled modification. Once this key is enrolled,
-          key is enrolled, Secure Boot enters into <literal>User
+          Secure Boot enters into <literal>User Mode</literal>. The drivers
-          Mode</literal>. The drivers and loaders signed with the
+          and loaders signed with the <literal>Platform Key</literal> can then
-          <literal>platform key</literal> can then be loaded by the
+          be loaded by the firmware.</para>
-          firmware.</para>
        </listitem>
        <listitem>
          <para><literal>Key Exchange key (KEK)</literal>: this key allows
          other certificates which have a connection to the private portion of
-          the <literal>platform key</literal> to be used.</para>
+          the <literal>Platform Key</literal> to be used.</para>
        </listitem>
        <listitem>
@@ -75,7 +74,7 @@
      <para>The Enea UEFI Secure Boot certificates are installed together with
      the Enea NFV Access Run Time Platform onto the hard drive. They can be
      found on the EFI partition (usually the first partition of the drive)
-      under /uefi_sb_keys.</para>
+      under <literal>/uefi_sb_keys</literal>.</para>
      <para><emphasis role="bold">How to manually enroll Enea
      Certificates</emphasis></para>
@@ -83,11 +82,12 @@
      <orderedlist>
        <listitem>
          <para>Reboot the uCPE device and press <literal>DEL</literal> to
-          enter into the BIOS.</para>
+          enter into BIOS.</para>
        </listitem>
        <listitem>
-          <para>Select "Secure Booot Mode" -&gt; "Custom".</para>
+          <para>Select <literal>Secure Boot Mode</literal> -&gt;
+          <literal>Custom</literal>.</para>
        </listitem>
        <listitem>
@@ -98,19 +98,15 @@
        <listitem>
          <para>Enroll the <literal>Platform Key (PK)</literal>: <itemizedlist>
              <listitem>
-                Select "Set New Key" -&gt; "File from a file system".
+                 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>. 
              </listitem>
              <listitem>
-                Specify the folder:
+                 Specify the folder: 
+                <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/PK.esl</literal>.</listitem>
-                <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/PK.esl</literal>
-                .
-              </listitem>
              <listitem>
-                Select "Public Key Certificate" and then "Ok".
+                 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>. 
              </listitem>
            </itemizedlist></para>
        </listitem>
@@ -119,40 +115,35 @@
          <para>Enroll the <literal>Key Exchange key (KEK)</literal>:
          <itemizedlist>
              <listitem>
-                Select "Set New Key" -&gt; "File from a file system".
+                 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>. 
              </listitem>
              <listitem>
-                Specify the folder:
+                 Specify the folder: 
+                <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/KEK.esl</literal>.
-                <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/KEK.esl</literal>
-                .
              </listitem>
              <listitem>
-                Select "Public Key Certificate" and then "ok".
+                 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>. 
              </listitem>
-            </itemizedlist></para>
+            </itemizedlist>
+                  </para>
        </listitem>
        <listitem>
          <para>Enroll the <literal>Authorized Signature (DB)</literal>:
          <itemizedlist>
              <listitem>
-                Select "Set New Key" -&gt; "File from a file system".
+                 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>. 
              </listitem>
              <listitem>
-                Specify the folder:
+                 Specify the folder: 
+                <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/DB.esl</literal>.                 . 
-                <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/DB.esl</literal>
-                .
              </listitem>
              <listitem>
-                Select "Public Key Certificate" and then "ok".
+                 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
              </listitem>
            </itemizedlist></para>
        </listitem>
@@ -165,22 +156,19 @@
    </section>
    <section id="enable_secure_boot">
-      <title>Turn on Secure Boot in BIOS</title>
+      <title>Turning on Secure Boot in BIOS</title>
-      <para>Finally, once the certificates are provisioned we can enable the
+      <para>Once the certificates are provisioned we can enable the Secure Boot feature:</para>
-      Secure Boot feature:</para>
      <orderedlist>
        <listitem>
-          <para>Select <literal>Security option</literal> from the top
+          <para>Select <literal>Security option</literal> from the top menu.</para>
-          menu.</para>
        </listitem>
        <listitem>
-          <para>Set the <literal>Boot Menu</literal> -&gt;
+          <para>Set the <literal>Boot Menu</literal> -&gt; <literal>Enabled.</literal></para>
-          <literal>Enabled.</literal></para>
        </listitem>
      </orderedlist>
    </section>
  </section>
-</chapter>
+</chapter>
+\ No newline at end of file
author	Miruna Paun <Miruna.Paun@enea.com>	2019-07-02 19:08:04 +0200
committer	Miruna Paun <Miruna.Paun@enea.com>	2019-07-04 10:46:27 +0200
commit	7c1091880ef23b6c8b16b13609cc3dbeb099b5c3 (patch)
tree	816b95302267172192c7598aaa9faaddbf11e94e
parent	b42195e73e2a1ae3fc04d3c40fe0d5fce2984344 (diff)
download	nfv-access-documentation-7c1091880ef23b6c8b16b13609cc3dbeb099b5c3.tar.gz

diff --git a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml index cf2e935..7b07086 100644 --- a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml +++ b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml
@@ -18,10 +18,10 @@
18		18
19	<para>The basic principle of UEFI Secure Boot is that it requires all	19	<para>The basic principle of UEFI Secure Boot is that it requires all
20	artifacts involved in the boot process (bootloaders, kernel, initramfs) to	20	artifacts involved in the boot process (bootloaders, kernel, initramfs) to
21	be signed using a set of private keys. On a Secure Boot enabled uCPE device	21	be signed using a set of private keys. On a Secure Boot enabled uCPE
22	these artifacts are checked against a set of public certificates which	22	device these artifacts are checked against a set of public certificates
23	correspond to these keys. If there are any mismatches the boot process	23	which correspond to these keys. If there are any mismatches the boot
24	will fail at various stages.</para>	24	process will fail at various stages.</para>
25		25
26	<para>For more information about Secure Boot please refer to <ulink	26	<para>For more information about Secure Boot please refer to <ulink
27	url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure	27	url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure
@@ -35,8 +35,8 @@
35	signed using the Enea UEFI Secure boot private keys. These artifacts can	35	signed using the Enea UEFI Secure boot private keys. These artifacts can
36	be used on a uCPE device that doesn't have Secure Boot enabled. To use the	36	be used on a uCPE device that doesn't have Secure Boot enabled. To use the
37	Secure Boot feature, however, the user must make the Enea UEFI Secure Boot	37	Secure Boot feature, however, the user must make the Enea UEFI Secure Boot
38	public certificates available on the uCPE device before enabling the feature	38	public certificates available on the uCPE device before enabling the
39	in BIOS. This process is called "Provisioning".</para>	39	feature in BIOS. This process is called "Provisioning".</para>
40		40
41	<section id="manual_key_provisioning">	41	<section id="manual_key_provisioning">
42	<title>Provisioning the Enea UEFI Secure Boot Certificates</title>	42	<title>Provisioning the Enea UEFI Secure Boot Certificates</title>
@@ -51,18 +51,17 @@
51		51
52	<itemizedlist>	52	<itemizedlist>
53	<listitem>	53	<listitem>
54	<para><literal>Platform Key (PK)</literal>: the purpose of this key	54	<para><literal>Platform Key (PK)</literal>: this key protects the
55	is to protect the next key from uncontrolled modification. Once this	55	next key from uncontrolled modification. Once this key is enrolled,
56	key is enrolled, Secure Boot enters into <literal>User	56	Secure Boot enters into <literal>User Mode</literal>. The drivers
57	Mode</literal>. The drivers and loaders signed with the	57	and loaders signed with the <literal>Platform Key</literal> can then
58	<literal>platform key</literal> can then be loaded by the	58	be loaded by the firmware.</para>
59	firmware.</para>
60	</listitem>	59	</listitem>
61		60
62	<listitem>	61	<listitem>
63	<para><literal>Key Exchange key (KEK)</literal>: this key allows	62	<para><literal>Key Exchange key (KEK)</literal>: this key allows
64	other certificates which have a connection to the private portion of	63	other certificates which have a connection to the private portion of
65	the <literal>platform key</literal> to be used.</para>	64	the <literal>Platform Key</literal> to be used.</para>
66	</listitem>	65	</listitem>
67		66
68	<listitem>	67	<listitem>
@@ -75,7 +74,7 @@
75	<para>The Enea UEFI Secure Boot certificates are installed together with	74	<para>The Enea UEFI Secure Boot certificates are installed together with
76	the Enea NFV Access Run Time Platform onto the hard drive. They can be	75	the Enea NFV Access Run Time Platform onto the hard drive. They can be
77	found on the EFI partition (usually the first partition of the drive)	76	found on the EFI partition (usually the first partition of the drive)
78	under /uefi_sb_keys.</para>	77	under <literal>/uefi_sb_keys</literal>.</para>
79		78
80	<para><emphasis role="bold">How to manually enroll Enea	79	<para><emphasis role="bold">How to manually enroll Enea
81	Certificates</emphasis></para>	80	Certificates</emphasis></para>
@@ -83,11 +82,12 @@
83	<orderedlist>	82	<orderedlist>
84	<listitem>	83	<listitem>
85	<para>Reboot the uCPE device and press <literal>DEL</literal> to	84	<para>Reboot the uCPE device and press <literal>DEL</literal> to
86	enter into the BIOS.</para>	85	enter into BIOS.</para>
87	</listitem>	86	</listitem>
88		87
89	<listitem>	88	<listitem>
90	<para>Select "Secure Booot Mode" -> "Custom".</para>	89	<para>Select <literal>Secure Boot Mode</literal> ->
		90	<literal>Custom</literal>.</para>
91	</listitem>	91	</listitem>
92		92
93	<listitem>	93	<listitem>
@@ -98,19 +98,15 @@
98	<listitem>	98	<listitem>
99	<para>Enroll the <literal>Platform Key (PK)</literal>: <itemizedlist>	99	<para>Enroll the <literal>Platform Key (PK)</literal>: <itemizedlist>
100	<listitem>	100	<listitem>
101	Select "Set New Key" -> "File from a file system".	101	Select <literal>Set New Key</literal> -> <literal>File from a file system</literal>.
102	</listitem>	102	</listitem>
103		103
104	<listitem>	104	<listitem>
105	Specify the folder:	105	Specify the folder:
106		106	<literal><user-keys>/<uefi_sb_keys>/PK.esl</literal>.</listitem>
107	<literal><user-keys>/<uefi_sb_keys>/PK.esl</literal>
108
109	.
110	</listitem>
111		107
112	<listitem>	108	<listitem>
113	Select "Public Key Certificate" and then "Ok".	109	Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
114	</listitem>	110	</listitem>
115	</itemizedlist></para>	111	</itemizedlist></para>
116	</listitem>	112	</listitem>
@@ -119,40 +115,35 @@
119	<para>Enroll the <literal>Key Exchange key (KEK)</literal>:	115	<para>Enroll the <literal>Key Exchange key (KEK)</literal>:
120	<itemizedlist>	116	<itemizedlist>
121	<listitem>	117	<listitem>
122	Select "Set New Key" -> "File from a file system".	118	Select <literal>Set New Key</literal> -> <literal>File from a file system</literal>.
123	</listitem>	119	</listitem>
124		120
125	<listitem>	121	<listitem>
126	Specify the folder:	122	Specify the folder:
127		123	<literal><user-keys>/<uefi_sb_keys>/KEK.esl</literal>.
128	<literal><user-keys>/<uefi_sb_keys>/KEK.esl</literal>
129
130	.
131	</listitem>	124	</listitem>
132		125
133	<listitem>	126	<listitem>
134	Select "Public Key Certificate" and then "ok".	127	Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
135	</listitem>	128	</listitem>
136	</itemizedlist></para>	129	</itemizedlist>
		130	</para>
137	</listitem>	131	</listitem>
138		132
139	<listitem>	133	<listitem>
140	<para>Enroll the <literal>Authorized Signature (DB)</literal>:	134	<para>Enroll the <literal>Authorized Signature (DB)</literal>:
141	<itemizedlist>	135	<itemizedlist>
142	<listitem>	136	<listitem>
143	Select "Set New Key" -> "File from a file system".	137	Select <literal>Set New Key</literal> -> <literal>File from a file system</literal>.
144	</listitem>	138	</listitem>
145		139
146	<listitem>	140	<listitem>
147	Specify the folder:	141	Specify the folder:
148		142	<literal><user-keys>/<uefi_sb_keys>/DB.esl</literal>. .
149	<literal><user-keys>/<uefi_sb_keys>/DB.esl</literal>
150
151	.
152	</listitem>	143	</listitem>
153		144
154	<listitem>	145	<listitem>
155	Select "Public Key Certificate" and then "ok".	146	Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
156	</listitem>	147	</listitem>
157	</itemizedlist></para>	148	</itemizedlist></para>
158	</listitem>	149	</listitem>
@@ -165,22 +156,19 @@
165	</section>	156	</section>
166		157
167	<section id="enable_secure_boot">	158	<section id="enable_secure_boot">
168	<title>Turn on Secure Boot in BIOS</title>	159	<title>Turning on Secure Boot in BIOS</title>
169		160
170	<para>Finally, once the certificates are provisioned we can enable the	161	<para>Once the certificates are provisioned we can enable the Secure Boot feature:</para>
171	Secure Boot feature:</para>
172		162
173	<orderedlist>	163	<orderedlist>
174	<listitem>	164	<listitem>
175	<para>Select <literal>Security option</literal> from the top	165	<para>Select <literal>Security option</literal> from the top menu.</para>
176	menu.</para>
177	</listitem>	166	</listitem>
178		167
179	<listitem>	168	<listitem>
180	<para>Set the <literal>Boot Menu</literal> ->	169	<para>Set the <literal>Boot Menu</literal> -> <literal>Enabled.</literal></para>
181	<literal>Enabled.</literal></para>
182	</listitem>	170	</listitem>
183	</orderedlist>	171	</orderedlist>
184	</section>	172	</section>
185	</section>	173	</section>
186	</chapter>	174	</chapter> \ No newline at end of file