| -rw-r--r-- | doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml | 82 | 
1 files changed, 35 insertions, 47 deletions
| diff --git a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml index cf2e935..7b07086 100644 --- a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml +++ b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml | |||
| @@ -18,10 +18,10 @@ | |||
| 18 | 18 | ||
| 19 | <para>The basic principle of UEFI Secure Boot is that it requires all | 19 | <para>The basic principle of UEFI Secure Boot is that it requires all | 
| 20 | artifacts involved in the boot process (bootloaders, kernel, initramfs) to | 20 | artifacts involved in the boot process (bootloaders, kernel, initramfs) to | 
| 21 | be signed using a set of private keys. On a Secure Boot enabled uCPE device | 21 | be signed using a set of private keys. On a Secure Boot enabled uCPE | 
| 22 | these artifacts are checked against a set of public certificates which | 22 | device these artifacts are checked against a set of public certificates | 
| 23 | correspond to these keys. If there are any mismatches the boot process | 23 | which correspond to these keys. If there are any mismatches the boot | 
| 24 | will fail at various stages.</para> | 24 | process will fail at various stages.</para> | 
| 25 | 25 | ||
| 26 | <para>For more information about Secure Boot please refer to <ulink | 26 | <para>For more information about Secure Boot please refer to <ulink | 
| 27 | url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure | 27 | url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure | 
| @@ -35,8 +35,8 @@ | |||
| 35 | signed using the Enea UEFI Secure boot private keys. These artifacts can | 35 | signed using the Enea UEFI Secure boot private keys. These artifacts can | 
| 36 | be used on a uCPE device that doesn't have Secure Boot enabled. To use the | 36 | be used on a uCPE device that doesn't have Secure Boot enabled. To use the | 
| 37 | Secure Boot feature, however, the user must make the Enea UEFI Secure Boot | 37 | Secure Boot feature, however, the user must make the Enea UEFI Secure Boot | 
| 38 | public certificates available on the uCPE device before enabling the feature | 38 | public certificates available on the uCPE device before enabling the | 
| 39 | in BIOS. This process is called "Provisioning".</para> | 39 | feature in BIOS. This process is called "Provisioning".</para> | 
| 40 | 40 | ||
| 41 | <section id="manual_key_provisioning"> | 41 | <section id="manual_key_provisioning"> | 
| 42 | <title>Provisioning the Enea UEFI Secure Boot Certificates</title> | 42 | <title>Provisioning the Enea UEFI Secure Boot Certificates</title> | 
| @@ -51,18 +51,17 @@ | |||
| 51 | 51 | ||
| 52 | <itemizedlist> | 52 | <itemizedlist> | 
| 53 | <listitem> | 53 | <listitem> | 
| 54 | <para><literal>Platform Key (PK)</literal>: the purpose of this key | 54 | <para><literal>Platform Key (PK)</literal>: this key protects the | 
| 55 | is to protect the next key from uncontrolled modification. Once this | 55 | next key from uncontrolled modification. Once this key is enrolled, | 
| 56 | key is enrolled, Secure Boot enters into <literal>User | 56 | Secure Boot enters into <literal>User Mode</literal>. The drivers | 
| 57 | Mode</literal>. The drivers and loaders signed with the | 57 | and loaders signed with the <literal>Platform Key</literal> can then | 
| 58 | <literal>platform key</literal> can then be loaded by the | 58 | be loaded by the firmware.</para> | 
| 59 | firmware.</para> | ||
| 60 | </listitem> | 59 | </listitem> | 
| 61 | 60 | ||
| 62 | <listitem> | 61 | <listitem> | 
| 63 | <para><literal>Key Exchange key (KEK)</literal>: this key allows | 62 | <para><literal>Key Exchange key (KEK)</literal>: this key allows | 
| 64 | other certificates which have a connection to the private portion of | 63 | other certificates which have a connection to the private portion of | 
| 65 | the <literal>platform key</literal> to be used.</para> | 64 | the <literal>Platform Key</literal> to be used.</para> | 
| 66 | </listitem> | 65 | </listitem> | 
| 67 | 66 | ||
| 68 | <listitem> | 67 | <listitem> | 
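Review bot: the sentence kept at new lines 57-58, that drivers and loaders signed with the Platform Key "can then be loaded by the firmware", contradicts the item's own first sentence (the PK "protects the next key from uncontrolled modification") and the later "Authorized Signature (DB)" item, which is the database that authorizes boot images; consider dropping that sentence or rewording it so that the PK is described only as the key that authorizes changes to the KEK. While the hunk normalizes "platform key" to "Platform Key" at lines 57 and 64, the neighbouring "Key Exchange key (KEK)" at line 62 keeps a lowercase "key"; "Key Exchange Key (KEK)" would match.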
| @@ -75,7 +74,7 @@ | |||
| 75 | <para>The Enea UEFI Secure Boot certificates are installed together with | 74 | <para>The Enea UEFI Secure Boot certificates are installed together with | 
| 76 | the Enea NFV Access Run Time Platform onto the hard drive. They can be | 75 | the Enea NFV Access Run Time Platform onto the hard drive. They can be | 
| 77 | found on the EFI partition (usually the first partition of the drive) | 76 | found on the EFI partition (usually the first partition of the drive) | 
| 78 | under /uefi_sb_keys.</para> | 77 | under <literal>/uefi_sb_keys</literal>.</para> | 
| 79 | 78 | ||
| 80 | <para><emphasis role="bold">How to manually enroll Enea | 79 | <para><emphasis role="bold">How to manually enroll Enea | 
| 81 | Certificates</emphasis></para> | 80 | Certificates</emphasis></para> | 
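Review bot: the path given at new line 77 is `/uefi_sb_keys` on the EFI partition, but the enrollment steps below refer to `<user-keys>/<uefi_sb_keys>/PK.esl`; the `<user-keys>` placeholder is never defined, so either state here what it stands for (e.g. the mount point of the EFI partition) or use the same path form in both places.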
| @@ -83,11 +82,12 @@ | |||
| 83 | <orderedlist> | 82 | <orderedlist> | 
| 84 | <listitem> | 83 | <listitem> | 
| 85 | <para>Reboot the uCPE device and press <literal>DEL</literal> to | 84 | <para>Reboot the uCPE device and press <literal>DEL</literal> to | 
| 86 | enter into the BIOS.</para> | 85 | enter into BIOS.</para> | 
| 87 | </listitem> | 86 | </listitem> | 
| 88 | 87 | ||
| 89 | <listitem> | 88 | <listitem> | 
| 90 | <para>Select "Secure Booot Mode" -> "Custom".</para> | 89 | <para>Select <literal>Secure Boot Mode</literal> -> | 
| 90 | <literal>Custom</literal>.</para> | ||
| 91 | </listitem> | 91 | </listitem> | 
| 92 | 92 | ||
| 93 | <listitem> | 93 | <listitem> | 
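Review bot: good catch on "Secure Booot Mode" at new line 89. The change from "enter into the BIOS" to "enter into BIOS" at new line 85 reads worse than the original; "enter the BIOS" (or "enter the BIOS setup") would be the usual phrasing, and it should match the "in BIOS" wording used at new line 39 and the section title "Turning on Secure Boot in BIOS".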
| @@ -98,19 +98,15 @@ | |||
| 98 | <listitem> | 98 | <listitem> | 
| 99 | <para>Enroll the <literal>Platform Key (PK)</literal>: <itemizedlist> | 99 | <para>Enroll the <literal>Platform Key (PK)</literal>: <itemizedlist> | 
| 100 | <listitem> | 100 | <listitem> | 
| 101 | Select "Set New Key" -> "File from a file system". | 101 | Select <literal>Set New Key</literal> -> <literal>File from a file system</literal>. | 
| 102 | </listitem> | 102 | </listitem> | 
| 103 | 103 | ||
| 104 | <listitem> | 104 | <listitem> | 
| 105 | Specify the folder: | 105 | Specify the folder: | 
| 106 | 106 | <literal><user-keys>/<uefi_sb_keys>/PK.esl</literal>.</listitem> | |
| 107 | <literal><user-keys>/<uefi_sb_keys>/PK.esl</literal> | ||
| 108 | |||
| 109 | . | ||
| 110 | </listitem> | ||
| 111 | 107 | ||
| 112 | <listitem> | 108 | <listitem> | 
| 113 | Select "Public Key Certificate" and then "Ok". | 109 | Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>. | 
| 114 | </listitem> | 110 | </listitem> | 
| 115 | </itemizedlist></para> | 111 | </itemizedlist></para> | 
| 116 | </listitem> | 112 | </listitem> | 
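Review bot: if the angle brackets in `<literal><user-keys>/<uefi_sb_keys>/PK.esl</literal>` at new line 106 are literal characters in the XML source rather than entities, they must be escaped as `&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/PK.esl`, since a DocBook processor would otherwise try to parse `<user-keys>` and `<uefi_sb_keys>` as unclosed elements. The label "Specify the folder:" at new line 105 is followed by a file path ending in `PK.esl`, so "Specify the file:" is more accurate. The same applies to the KEK and DB steps in the following hunk.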
| @@ -119,40 +115,35 @@ | |||
| 119 | <para>Enroll the <literal>Key Exchange key (KEK)</literal>: | 115 | <para>Enroll the <literal>Key Exchange key (KEK)</literal>: | 
| 120 | <itemizedlist> | 116 | <itemizedlist> | 
| 121 | <listitem> | 117 | <listitem> | 
| 122 | Select "Set New Key" -> "File from a file system". | 118 | Select <literal>Set New Key</literal> -> <literal>File from a file system</literal>. | 
| 123 | </listitem> | 119 | </listitem> | 
| 124 | 120 | ||
| 125 | <listitem> | 121 | <listitem> | 
| 126 | Specify the folder: | 122 | Specify the folder: | 
| 127 | 123 | <literal><user-keys>/<uefi_sb_keys>/KEK.esl</literal>. | |
| 128 | <literal><user-keys>/<uefi_sb_keys>/KEK.esl</literal> | ||
| 129 | |||
| 130 | . | ||
| 131 | </listitem> | 124 | </listitem> | 
| 132 | 125 | ||
| 133 | <listitem> | 126 | <listitem> | 
| 134 | Select "Public Key Certificate" and then "ok". | 127 | Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>. | 
| 135 | </listitem> | 128 | </listitem> | 
| 136 | </itemizedlist></para> | 129 | </itemizedlist> | 
| 130 | </para> | ||
| 137 | </listitem> | 131 | </listitem> | 
| 138 | 132 | ||
| 139 | <listitem> | 133 | <listitem> | 
| 140 | <para>Enroll the <literal>Authorized Signature (DB)</literal>: | 134 | <para>Enroll the <literal>Authorized Signature (DB)</literal>: | 
| 141 | <itemizedlist> | 135 | <itemizedlist> | 
| 142 | <listitem> | 136 | <listitem> | 
| 143 | Select "Set New Key" -> "File from a file system". | 137 | Select <literal>Set New Key</literal> -> <literal>File from a file system</literal>. | 
| 144 | </listitem> | 138 | </listitem> | 
| 145 | 139 | ||
| 146 | <listitem> | 140 | <listitem> | 
| 147 | Specify the folder: | 141 | Specify the folder: | 
| 148 | 142 | <literal><user-keys>/<uefi_sb_keys>/DB.esl</literal>. . | |
| 149 | <literal><user-keys>/<uefi_sb_keys>/DB.esl</literal> | ||
| 150 | |||
| 151 | . | ||
| 152 | </listitem> | 143 | </listitem> | 
| 153 | 144 | ||
| 154 | <listitem> | 145 | <listitem> | 
| 155 | Select "Public Key Certificate" and then "ok". | 146 | Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>. | 
| 156 | </listitem> | 147 | </listitem> | 
| 157 | </itemizedlist></para> | 148 | </itemizedlist></para> | 
| 158 | </listitem> | 149 | </listitem> | 
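Review bot: the DB step at new line 142 keeps a stray second full stop, `DB.esl</literal>. .`, where the PK and KEK steps (new lines 106 and 123) end with a single one; drop the extra ". ". The KEK list now closes with `</itemizedlist>` and `</para>` on separate lines (new lines 129-130) while the PK and DB lists keep `</itemizedlist></para>` on one line (new lines 111 and 148); pick one form for all three. The `<user-keys>`/`<uefi_sb_keys>` escaping point raised on the PK hunk applies to new lines 123 and 142 as well.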
| @@ -165,22 +156,19 @@ | |||
| 165 | </section> | 156 | </section> | 
| 166 | 157 | ||
| 167 | <section id="enable_secure_boot"> | 158 | <section id="enable_secure_boot"> | 
| 168 | <title>Turn on Secure Boot in BIOS</title> | 159 | <title>Turning on Secure Boot in BIOS</title> | 
| 169 | 160 | ||
| 170 | <para>Finally, once the certificates are provisioned we can enable the | 161 | <para>Once the certificates are provisioned we can enable the Secure Boot feature:</para> | 
| 171 | Secure Boot feature:</para> | ||
| 172 | 162 | ||
| 173 | <orderedlist> | 163 | <orderedlist> | 
| 174 | <listitem> | 164 | <listitem> | 
| 175 | <para>Select <literal>Security option</literal> from the top | 165 | <para>Select <literal>Security option</literal> from the top menu.</para> | 
| 176 | menu.</para> | ||
| 177 | </listitem> | 166 | </listitem> | 
| 178 | 167 | ||
| 179 | <listitem> | 168 | <listitem> | 
| 180 | <para>Set the <literal>Boot Menu</literal> -> | 169 | <para>Set the <literal>Boot Menu</literal> -> <literal>Enabled.</literal></para> | 
| 181 | <literal>Enabled.</literal></para> | ||
| 182 | </listitem> | 170 | </listitem> | 
| 183 | </orderedlist> | 171 | </orderedlist> | 
| 184 | </section> | 172 | </section> | 
| 185 | </section> | 173 | </section> | 
| 186 | </chapter> | 174 | </chapter> \ No newline at end of file | 
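Review bot: at new line 169 the full stop sits inside the literal, `<literal>Enabled.</literal>`, so it renders as part of the BIOS option name; move it outside: `<literal>Enabled</literal>.`. The hunk also introduces "\ No newline at end of file" at new line 174; please restore the trailing newline. Minor: "we can enable the Secure Boot feature" at new line 161 is the only first-person sentence in the chapter; "the Secure Boot feature can be enabled" would match the rest of the text.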
