Enabling UEFI Secure Boot on UEFI and StandaloneMm firmware

Step 1: Build EDK2 and StandaloneMm with SecureBoot enabled

$ cd $WORKDIR
$ git clone https://github.com/intel-innersource/frameworks.platforms.risc-v.edk2.git edk2 -b devel-standalonemm
$ cd edk2
$ git submodule update --init --recursive --depth=1
$ . edksetup.sh
$ make -C BaseTools
$ export GCC5_RISCV64_PREFIX=/usr/bin/riscv64-linux-gnu-
$ build -a RISCV64 -t GCC5 -p OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc -b DEBUG -DSECURE_BOOT_ENABLE=TRUE
$ build -a RISCV64 -t GCC5 -D FW_BASE_ADDRESS=0x80C00000 -D EDK2_PAYLOAD_OFFSET -p OvmfPkg/RiscVVirt/RiscVVirtQemuStandaloneMm.dsc -b DEBUG

Step 2: Use OVMF_VARS_4M.ms.fd (optional: use this to have Secure Boot enabled by default)

$ rm flash0.img
$ dd if=/dev/zero of=flash0.img bs=1M count=32
$ dd if=/usr/share/OVMF/OVMF_VARS_4M.ms.fd of=flash0.img conv=notrunc

Step 3: Create Custom Keys for Secure Boot

$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Platform Key/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
$ openssl x509 -in PK.crt -out PK.cer -outform DER
$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Key Exchange Key/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
$ openssl x509 -in KEK.crt -out KEK.cer -outform DER
$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Database/" -keyout DB.key -out DB.crt -days 3650 -nodes -sha256
$ openssl x509 -in DB.crt -out DB.cer -outform DER

$ sbsign --key DB.key --cert DB.crt --output EmptyApplication-Riscv.efi.signed EmptyApplication-Riscv.efi

With the default sbsign in Ubuntu 22.04, this fails with an "Invalid PE header magic" error; sbsigntools needs to be rebuilt (Step 4).

Step 4: Download and rebuild the latest sbsigntools

$ git clone https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git
$ cd sbsigntools/
$ vim src/coff/pe.h
  Make sure the RISCV64 machine type is defined:
  #define IMAGE_FILE_MACHINE_RISCV64           0x5064

$ git clone https://github.com/rustyrussell/ccan.git lib/ccan.git
$ git submodule init
$ git submodule update
$ sudo apt-get install binutils-dev gnu-efi help2man
$ ./autogen.sh
$ ./configure
$ make

Step 5: Sign the EFI application with the private key, and copy the public keys to the FAT disk

$ ./sbsigntools/src/sbsign --key DB.key --cert DB.crt --output EmptyApplication-Riscv.efi.signed EmptyApplication-Riscv.efi

$ cp EmptyApplication-Riscv.efi.signed ~/src/fat/

$ cp EmptyApplication-Riscv.efi ~/src/fat/

$ cp *.cer ~/src/fat/
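
Before booting, it is worth confirming that each binary carries the RISCV64 machine type from Step 4 and that sbsign attached a certificate table to the signed copy. The Python script below is an added example, not part of the original page or of sbsigntools; `inspect_pe` and `make_sample` are hypothetical helper names, and the sample header bytes are constructed.

```python
import struct
import sys

IMAGE_FILE_MACHINE_RISCV64 = 0x5064   # value from Step 4 (src/coff/pe.h)
SECURITY_DIR_INDEX = 4                # PE data directory 4: Certificate Table

def inspect_pe(data: bytes) -> dict:
    """Parse PE/COFF headers; report machine type and attached-signature size."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        (machine,) = struct.unpack_from("<H", data, pe_off + 4)
        opt_off = pe_off + 24                      # 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt_off)
        # Data directories start at 96 (PE32) or 112 (PE32+) in the optional header.
        dirs_off = {0x10B: 96, 0x20B: 112}.get(magic)
        if dirs_off is None:
            raise ValueError(f"unknown optional header magic {magic:#x}")
        (ndirs,) = struct.unpack_from("<I", data, opt_off + dirs_off - 4)
        cert_off = cert_size = 0
        if ndirs > SECURITY_DIR_INDEX:
            cert_off, cert_size = struct.unpack_from(
                "<II", data, opt_off + dirs_off + 8 * SECURITY_DIR_INDEX)
    except struct.error as exc:
        raise ValueError(f"truncated image: {exc}") from None
    # The certificate table entry holds a file offset (not an RVA) and a size.
    has_sig = cert_size > 0 and cert_off + cert_size <= len(data)
    return {"machine": machine, "riscv64": machine == IMAGE_FILE_MACHINE_RISCV64,
            "has_signature": has_sig, "cert_size": cert_size}

def make_sample(machine: int, cert_size: int) -> bytes:
    """Constructed minimal PE32+ header (not a bootable image) for offline checks."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    end = len(dos) + len(coff) + len(opt)
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX,
                     end if cert_size else 0, cert_size)
    return dos + coff + bytes(opt) + b"\0" * cert_size

if __name__ == "__main__":
    for path in sys.argv[1:]:                      # e.g. the .efi and .efi.signed files
        with open(path, "rb") as fh:
            print(path, inspect_pe(fh.read()))
```

A present certificate table only shows that a signature is attached; whether it chains to the enrolled DB certificate is decided by the firmware at load time (Step 7).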


Step 6: Enroll the PK, KEK and DB keys in EDK2 as the custom Secure Boot keys

Execute the run.sh script in
https://github.com/intel-innersource/frameworks.platforms.risc-v.edk2/blob/devel-standalonemm/OvmfPkg/RiscVVirt/HowToBuildMm.MD

Playing with Secure Boot in Tianocore

By default, TianoCore boots up into Setup Mode, meaning the platform is not provisioned with any keys and the user can take control.  To take control, go to the EFI menu screens (type exit if you’re at the efi boot prompt) select the “Device Manager” entry, then “Secure Boot Configuration”.  Here you will see the status of the Secure Boot flag (“Attempt Secure Boot”) and the platform mode.  Setting the platform from “Standard Mode” to “Custom Mode” will allow you to edit the keys. Once the platform is in “Custom Mode”, a “Custom Secure Boot Options” menu will appear and you will be able to manipulate the four sets of key databases from here.  The format of all key files for openssl generated keys is DER format (by default openssl generates PEM format).  Note that the KEK, db and dbx options will ask you for a GUID as well as a key file.  The GUID is the platform’s way of identifying the key.  It serves no purpose other than for you to tell which key is which when you delete them (it’s not used at all in signature verification).  By default, since GUIDs aren’t really human readable, I just ignore this and the GUID is set to all zeros.



After enrolling the PK, KEK, and DB as the Secure Boot keys, Secure Boot should be enabled.



Step 7: Test the signed EFI application

Reboot and execute EmptyApplication-Riscv.efi: the result is Access Denied.

Execute EmptyApplication-Riscv.efi.signed: the result is SUCCESS.