OrgACRN
/
acrn-hypervisor
mirror of https://github.com/projectacrn/acrn-hypervisor.git
1
0
Fork 0
Code Issues Releases Wiki Activity
acrn-hypervisor/doc/tutorials/enable_laag_secure_boot.rst

280 lines
8.4 KiB
ReStructuredText
Raw Blame History

.. _enable_laag_secure_boot:
Secure Boot enabling for Clear Linux User VM
############################################
Prerequisites
*************
- ACRN Service VM is installed on the KBL NUC.
- ACRN OVMF version is v1.2 or above ( :acrn-issue:`3506` ).
- ACRN DM support OVMF write back ( :acrn-issue:`3413` ).
- ``efi-tools`` and ``sbsigntools`` are installed in the Service VM::
# swupd bundle-add os-clr-on-clr
Validated versions
******************
- **Clear Linux version:** 31080
- **ACRN-hypervisor tag:** v1.3
- **ACRN-Kernel(Service VM kernel):** 4.19.73-92.iot-lts2018-sos
- **OVMF version:** v1.3
Prepare keys (PK/KEK/DB)
************************
Generate keys
=============
.. _Ubuntu-KeyGeneration:
https://wiki.ubuntu.com/UEFI/SecureBoot/KeyManagement/KeyGeneration
.. _Windows-secure-boot-key-creation-and-management-guidance:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance
For formal case, key generation and management can be referenced by:
`Ubuntu-KeyGeneration`_ or `Windows-secure-boot-key-creation-and-management-guidance`_.
For testing, the keys can be created on the KBL NUC with these commands:
.. code-block:: none
$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=test platform key/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=test key-exchange-key/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=test signing key/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
$ cert-to-efi-sig-list -g "$(uuidgen)" PK.crt PK.esl
$ sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
$ cert-to-efi-sig-list -g "$(uuidgen)" KEK.crt KEK.esl
$ sign-efi-sig-list -a -k PK.key -c PK.crt KEK KEK.esl KEK.auth
$ cert-to-efi-sig-list -g "$(uuidgen)" db.crt db.esl
$ sign-efi-sig-list -a -k KEK.key -c KEK.crt db db.esl db.auth
$ openssl x509 -outform DER -in PK.crt -out PK.der
$ openssl x509 -outform DER -in KEK.crt -out KEK.der
$ openssl x509 -outform DER -in db.crt -out db.der
The keys to be enrolled in UEFI BIOS: **PK.der**, **KEK.der**, **db.der**
The keys to sign bootloader or kernel: **db.key**, **db.crt**
Create virtual disk to hold the keys
====================================
Follow these commands to create a virtual disk and copy the keys
generated above:
.. code-block:: none
$ sudo dd if=/dev/zero of=$PWD/hdd_keys.img bs=1024 count=10240
$ mkfs.msdos hdd_keys.img
$ sudo losetup -D
$ sudo losetup -f -P --show $PWD/hdd_keys.img
$ sudo mount /dev/loop0 /mnt
$ sudo cp PK.der KEK.der db.der /mnt
$ sync
$ sudo umount /mnt
$ sudo losetup -d /dev/loop0
Enroll keys in OVMF
===================
#. Customize the ``launch_uos.sh`` script to boot with the virtual disk
that contains the keys for enrollment:
.. code-block:: none
:emphasize-lines: 6,7,9
$ cp /usr/share/acrn/samples/nuc/launch_uos.sh ./launch_virtual_disk.sh
$ sudo vim ./launch_virtual_disk.sh
acrn-dm -A -m $mem_size -c $2 -s 0:0,hostbridge \
-s 2,pci-gvt -G "$3" \
-l com1,stdio \
-s 5,virtio-console,@pty:pty_port \
-s 6,virtio-hyper_dmabuf \
-s 3,virtio-blk,./hdd_keys.img \
-s 4,virtio-net,tap0 \
-s 7,virtio-rnd \
--ovmf w,/usr/share/acrn/bios/OVMF.fd \
$pm_channel $pm_by_vuart $pm_vuart_node \
$logger_setting \
--mac_seed $mac_seed \
$vm_name
}
#. Launch the customized script to enroll keys::
$ sudo ./launch_virtual_disk.sh
#. Type ``exit`` command in UEFI shell.
.. figure:: images/exit_uefi_shell.png
|
#. Select **Device Manager** \-\-> **Secure Boot Configuration**.
.. figure:: images/secure_boot_config_1.png
|
.. figure:: images/secure_boot_config_2.png
|
.. figure:: images/secure_boot_config_3.png
|
#. Select **Secure Boot Mode** \-\-> **Custom Mode** \-\-> **Custom Secure Boot Options**.
.. figure:: images/select_custom_mode.png
|
.. figure:: images/enable_custom_boot.png
|
#. Enroll Keys:
a. Enroll PK: Select **PK Options** \-\-> **Enroll PK** \-\->
**Enroll PK Using File** \-\-> **VOLUME** \-\- PK.der \-\-> **Commit Changes and Exit**
#. Enroll KEK(similar with PK): Select **KEK Options** --> **Enroll KEK** -->
**Enroll KEK Using File** --> **VOLUME** --> KEK.der --> **Commit Changes and Exit**
#. Enroll Signatures(similar with PK): Select **DB Options** --> **Enroll Signature** -->
**Enroll Signature Using File** --> **VOLUME** --> db.der --> **Commit Changes and Exit**
Example for enrolling the PK file:
.. figure:: images/enroll_pk_key_1.png
|
.. figure:: images/enroll_pk_key_2.png
|
.. figure:: images/enroll_pk_key_3.png
|
.. figure:: images/enroll_pk_key_4.png
|
.. figure:: images/enroll_pk_key_5.png
|
.. figure:: images/enroll_pk_key_6.png
|
#. Press :kbd:`ESC` to go back to the **Secure Boot Configuration** interface.
Now the **Current Secure Boot State** is **Enabled** and **Attempt Secure Boot** option is selected.
.. figure:: images/secure_boot_enabled.png
|
#. Go back to UEFI GUI main interface and select **Reset** to perform a formal
reset/shutdown to ensure the key enrollment is taking effect in the next boot.
.. figure:: images/reset_in_bios.png
|
#. Type ``reset -s`` to shutdown the guest in the UEFI shell.
.. figure:: images/reset_in_uefi_shell.png
|
Sign the Clear Linux image
**************************
Follow these commands to sign the Clear Linux VM binaries.
#. Download and decompress the Clear Linux image::
$ wget https://download.clearlinux.org/releases/31080/clear/clear-31080-kvm.img.xz
$ unxz clear-31080-kvm.img.xz
#. Download the script to sign image::
$ wget https://raw.githubusercontent.com/projectacrn/acrn-hypervisor/master/doc/scripts/sign_image.sh
#. Run the script to sign image.
.. code-block:: none
$ sudo sh sign_image.sh clear-31080-kvm.img db.key db.crt
/mnt/EFI/BOOT/BOOTX64.EFI
warning: data remaining[93184 vs 105830]: gaps between PE/COFF sections?
warning: data remaining[93184 vs 105832]: gaps between PE/COFF sections?
Signing Unsigned original image
sign /mnt/EFI/BOOT/BOOTX64.EFI succeed
/mnt/EFI/org.clearlinux/bootloaderx64.efi
warning: data remaining[1065472 vs 1196031]: gaps between PE/COFF sections?
warning: data remaining[1065472 vs 1196032]: gaps between PE/COFF sections?
Signing Unsigned original image
sign /mnt/EFI/org.clearlinux/bootloaderx64.efi succeed
/mnt/EFI/org.clearlinux/kernel-org.clearlinux.kvm.5.2.17-389
Signing Unsigned original image
sign /mnt/EFI/org.clearlinux/kernel-org.clearlinux.kvm.5.2.17-389 succeed
/mnt/EFI/org.clearlinux/loaderx64.efi
warning: data remaining[93184 vs 105830]: gaps between PE/COFF sections?
warning: data remaining[93184 vs 105832]: gaps between PE/COFF sections?
Signing Unsigned original image
sign /mnt/EFI/org.clearlinux/loaderx64.efi succeed
#. You will get the signed Clear Linux image: ``clear-31080-kvm.img.signed``
Boot Clear Linux signed image
*****************************
#. Modify the ``launch_uos.sh`` script to use the signed image.
.. code-block:: none
:emphasize-lines: 5,6,8
$ sudo vim /usr/share/acrn/samples/nuc/launch_uos.sh
acrn-dm -A -m $mem_size -c $2 -s 0:0,hostbridge \
-s 2,pci-gvt -G "$3" \
-l com1,stdio \
-s 5,virtio-console,@pty:pty_port \
-s 6,virtio-hyper_dmabuf \
-s 3,virtio-blk,./clear-31080-kvm.img.signed \
-s 4,virtio-net,tap0 \
-s 7,virtio-rnd \
--ovmf /usr/share/acrn/bios/OVMF.fd \
$pm_channel $pm_by_vuart $pm_vuart_node \
$logger_setting \
--mac_seed $mac_seed \
$vm_name
}
#. You may see the UEFI shell boots by default.
.. figure:: images/uefi_shell_boot_default.png
|
#. Type ``exit`` to enter Bios configuration.
#. Navigate to the **Boot Manager** and select **UEFI Misc Device** to
boot the signed Clear Linux image.
#. Login as root and use ``dmesg`` to check the secure boot status on
the User VM.
.. code-block:: none
:emphasize-lines: 2
root@clr-763e953a125f4bda94dd2efbab77f776 ~ # dmesg | grep Secure
[ 0.001330] Secure boot enabled
Reference in New Issue View Git Blame Copy Permalink