summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml82
1 files changed, 35 insertions, 47 deletions
diff --git a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml
index cf2e935..7b07086 100644
--- a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml
+++ b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml
@@ -18,10 +18,10 @@
18 18
19 <para>The basic principle of UEFI Secure Boot is that it requires all 19 <para>The basic principle of UEFI Secure Boot is that it requires all
20 artifacts involved in the boot process (bootloaders, kernel, initramfs) to 20 artifacts involved in the boot process (bootloaders, kernel, initramfs) to
21 be signed using a set of private keys. On a Secure Boot enabled uCPE device 21 be signed using a set of private keys. On a Secure Boot enabled uCPE
22 these artifacts are checked against a set of public certificates which 22 device these artifacts are checked against a set of public certificates
23 correspond to these keys. If there are any mismatches the boot process 23 which correspond to these keys. If there are any mismatches the boot
24 will fail at various stages.</para> 24 process will fail at various stages.</para>
25 25
26 <para>For more information about Secure Boot please refer to <ulink 26 <para>For more information about Secure Boot please refer to <ulink
27 url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure 27 url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure
@@ -35,8 +35,8 @@
35 signed using the Enea UEFI Secure boot private keys. These artifacts can 35 signed using the Enea UEFI Secure boot private keys. These artifacts can
36 be used on a uCPE device that doesn't have Secure Boot enabled. To use the 36 be used on a uCPE device that doesn't have Secure Boot enabled. To use the
37 Secure Boot feature, however, the user must make the Enea UEFI Secure Boot 37 Secure Boot feature, however, the user must make the Enea UEFI Secure Boot
38 public certificates available on the uCPE device before enabling the feature 38 public certificates available on the uCPE device before enabling the
39 in BIOS. This process is called "Provisioning".</para> 39 feature in BIOS. This process is called "Provisioning".</para>
40 40
41 <section id="manual_key_provisioning"> 41 <section id="manual_key_provisioning">
42 <title>Provisioning the Enea UEFI Secure Boot Certificates</title> 42 <title>Provisioning the Enea UEFI Secure Boot Certificates</title>
@@ -51,18 +51,17 @@
51 51
52 <itemizedlist> 52 <itemizedlist>
53 <listitem> 53 <listitem>
54 <para><literal>Platform Key (PK)</literal>: the purpose of this key 54 <para><literal>Platform Key (PK)</literal>: this key protects the
55 is to protect the next key from uncontrolled modification. Once this 55 next key from uncontrolled modification. Once this key is enrolled,
56 key is enrolled, Secure Boot enters into <literal>User 56 Secure Boot enters into <literal>User Mode</literal>. The drivers
57 Mode</literal>. The drivers and loaders signed with the 57 and loaders signed with the <literal>Platform Key</literal> can then
58 <literal>platform key</literal> can then be loaded by the 58 be loaded by the firmware.</para>
59 firmware.</para>
60 </listitem> 59 </listitem>
61 60
62 <listitem> 61 <listitem>
63 <para><literal>Key Exchange key (KEK)</literal>: this key allows 62 <para><literal>Key Exchange key (KEK)</literal>: this key allows
64 other certificates which have a connection to the private portion of 63 other certificates which have a connection to the private portion of
65 the <literal>platform key</literal> to be used.</para> 64 the <literal>Platform Key</literal> to be used.</para>
66 </listitem> 65 </listitem>
67 66
68 <listitem> 67 <listitem>
@@ -75,7 +74,7 @@
75 <para>The Enea UEFI Secure Boot certificates are installed together with 74 <para>The Enea UEFI Secure Boot certificates are installed together with
76 the Enea NFV Access Run Time Platform onto the hard drive. They can be 75 the Enea NFV Access Run Time Platform onto the hard drive. They can be
77 found on the EFI partition (usually the first partition of the drive) 76 found on the EFI partition (usually the first partition of the drive)
78 under /uefi_sb_keys.</para> 77 under <literal>/uefi_sb_keys</literal>.</para>
79 78
80 <para><emphasis role="bold">How to manually enroll Enea 79 <para><emphasis role="bold">How to manually enroll Enea
81 Certificates</emphasis></para> 80 Certificates</emphasis></para>
@@ -83,11 +82,12 @@
83 <orderedlist> 82 <orderedlist>
84 <listitem> 83 <listitem>
85 <para>Reboot the uCPE device and press <literal>DEL</literal> to 84 <para>Reboot the uCPE device and press <literal>DEL</literal> to
86 enter into the BIOS.</para> 85 enter into BIOS.</para>
87 </listitem> 86 </listitem>
88 87
89 <listitem> 88 <listitem>
90 <para>Select "Secure Booot Mode" -&gt; "Custom".</para> 89 <para>Select <literal>Secure Boot Mode</literal> -&gt;
90 <literal>Custom</literal>.</para>
91 </listitem> 91 </listitem>
92 92
93 <listitem> 93 <listitem>
@@ -98,19 +98,15 @@
98 <listitem> 98 <listitem>
99 <para>Enroll the <literal>Platform Key (PK)</literal>: <itemizedlist> 99 <para>Enroll the <literal>Platform Key (PK)</literal>: <itemizedlist>
100 <listitem> 100 <listitem>
101 Select "Set New Key" -&gt; "File from a file system". 101 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>.
102 </listitem> 102 </listitem>
103 103
104 <listitem> 104 <listitem>
105 Specify the folder: 105 Specify the folder:
106 106 <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/PK.esl</literal>.</listitem>
107 <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/PK.esl</literal>
108
109 .
110 </listitem>
111 107
112 <listitem> 108 <listitem>
113 Select "Public Key Certificate" and then "Ok". 109 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
114 </listitem> 110 </listitem>
115 </itemizedlist></para> 111 </itemizedlist></para>
116 </listitem> 112 </listitem>
@@ -119,40 +115,35 @@
119 <para>Enroll the <literal>Key Exchange key (KEK)</literal>: 115 <para>Enroll the <literal>Key Exchange key (KEK)</literal>:
120 <itemizedlist> 116 <itemizedlist>
121 <listitem> 117 <listitem>
122 Select "Set New Key" -&gt; "File from a file system". 118 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>.
123 </listitem> 119 </listitem>
124 120
125 <listitem> 121 <listitem>
126 Specify the folder: 122 Specify the folder:
127 123 <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/KEK.esl</literal>.
128 <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/KEK.esl</literal>
129
130 .
131 </listitem> 124 </listitem>
132 125
133 <listitem> 126 <listitem>
134 Select "Public Key Certificate" and then "ok". 127 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
135 </listitem> 128 </listitem>
136 </itemizedlist></para> 129 </itemizedlist>
130 </para>
137 </listitem> 131 </listitem>
138 132
139 <listitem> 133 <listitem>
140 <para>Enroll the <literal>Authorized Signature (DB)</literal>: 134 <para>Enroll the <literal>Authorized Signature (DB)</literal>:
141 <itemizedlist> 135 <itemizedlist>
142 <listitem> 136 <listitem>
143 Select "Set New Key" -&gt; "File from a file system". 137 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>.
144 </listitem> 138 </listitem>
145 139
146 <listitem> 140 <listitem>
147 Specify the folder: 141 Specify the folder:
148 142 <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/DB.esl</literal>. .
149 <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/DB.esl</literal>
150
151 .
152 </listitem> 143 </listitem>
153 144
154 <listitem> 145 <listitem>
155 Select "Public Key Certificate" and then "ok". 146 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
156 </listitem> 147 </listitem>
157 </itemizedlist></para> 148 </itemizedlist></para>
158 </listitem> 149 </listitem>
@@ -165,22 +156,19 @@
165 </section> 156 </section>
166 157
167 <section id="enable_secure_boot"> 158 <section id="enable_secure_boot">
168 <title>Turn on Secure Boot in BIOS</title> 159 <title>Turning on Secure Boot in BIOS</title>
169 160
170 <para>Finally, once the certificates are provisioned we can enable the 161 <para>Once the certificates are provisioned we can enable the Secure Boot feature:</para>
171 Secure Boot feature:</para>
172 162
173 <orderedlist> 163 <orderedlist>
174 <listitem> 164 <listitem>
175 <para>Select <literal>Security option</literal> from the top 165 <para>Select <literal>Security option</literal> from the top menu.</para>
176 menu.</para>
177 </listitem> 166 </listitem>
178 167
179 <listitem> 168 <listitem>
180 <para>Set the <literal>Boot Menu</literal> -&gt; 169 <para>Set the <literal>Boot Menu</literal> -&gt; <literal>Enabled.</literal></para>
181 <literal>Enabled.</literal></para>
182 </listitem> 170 </listitem>
183 </orderedlist> 171 </orderedlist>
184 </section> 172 </section>
185 </section> 173 </section>
186</chapter> 174</chapter> \ No newline at end of file