Link to this headingSecure Boot

Link to this headingPlatform Implementations

M1 Secureboot
[ESP32 Secureboot](/Reverse Engineering/Firmware/Embeded Devices/ESP32#secure-boot)
[UEFI Secureboot](/Reverse Engineering/Firmware/UEFI)
Intel/Windows platform secure boot process

Link to this headingQEMU Secure Boot

Source

libvirt domain config (RHEL-7.3 host):

<domain type='kvm'> <name>secboot-rhel7-kvm</name> [ ... ] <os> <type arch='x86_64' machine='pc-q35-rhel7.3.0'>hvm</type> <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader> <nvram template='/usr/share/OVMF/OVMF_VARS.fd'>/.../secboot-rhel7-kvm_VARS.fd</nvram> </os> <features> [ ... ] <smm state='on'/> </features> [ ... ]

Run command:

/usr/libexec/qemu-kvm \ -machine q35,accel=kvm,smm=on \ -drive file=.../OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on \ -drive file=.../secboot-rhel7-kvm_VARS.fd,if=pflash,format=raw,unit=1 \ -global driver=cfi.pflash01,property=secure,value=on \ ${moreargs}

Link to this headingEnroll Keys

  • OVMF doesn’t ship with any keys installed.

Setup procedure:

  • Boot from /usr/share/OVMF/UefiShell.iso
  • Drops you into a efi shell.
  • Run EnrollDefaultKeys EFI application
>>> dmesg | grep "EFI.*cert" EFI: Loaded cert 'Microsoft Windows Production PCA 2011: [ ... ] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: [ ... ] EFI: Loaded cert 'Red Hat Secure Boot (CA key 1): [ ... ]

Link to this headingLinux Secure boot

TODO: Link to Linux

Link to this headingBypass Techniques