Secure Boot
M1 Secureboot
ESP32 Secureboot
UEFI Secureboot
QEMU Secure Boot
libvirt domain config (RHEL-7.3 host):
<domain type='kvm'>
  <name>secboot-rhel7-kvm</name>
  [ ... ]
  <os>
    <type arch='x86_64' machine='pc-q35-rhel7.3.0'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
    <nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/.../secboot-rhel7-kvm_VARS.fd</nvram>
  </os>
  <features>
    [ ... ]
    <smm state='on'/>
  </features>
  [ ... ]
Run command:
/usr/libexec/qemu-kvm \
  -machine q35,accel=kvm,smm=on \
  -drive file=.../OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on \
  -drive file=.../secboot-rhel7-kvm_VARS.fd,if=pflash,format=raw,unit=1 \
  -global driver=cfi.pflash01,property=secure,value=on \
  ${moreargs}
Enroll Keys
- OVMF doesn't ship with any keys installed.
Setup procedure:
- Boot from /usr/share/OVMF/UefiShell.iso
- This drops you into an EFI shell.
- Run the EnrollDefaultKeys EFI application.
# dmesg | grep "EFI.*cert"
EFI: Loaded cert 'Microsoft Windows Production PCA 2011: [ ... ]
EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: [ ... ]
EFI: Loaded cert 'Red Hat Secure Boot (CA key 1): [ ... ]
How it works
Security features of the Intel/Windows platform secure boot process