fertshift.blogg.se

U boot secure boot

There is no "import" function (or it must be hidden very well!) It looks like the NUC's Visual BIOS is a no go for installing custom Secure Boot keys.

I had some level of success with KeyTool by following this wiki. I was able to import the DB and KEK, but my PK doesn't have the ".auth" format required by KeyTool. In my case, I only have the public part of the PK, and I may need the private part to generate the.

The process I followed is (on my Fedora 33):

1. Prepare a USB formatted in FAT32 or exFAT (you can also use the boot partition for this, whatever is more comfortable)
2. Copy the /usr/share/efitools/efi/KeyTool.efi into the prepared USB
4. Copy your Secure Boot keys into the USB: KEK and DB must have ".cer" extension, or KeyTool will ignore them. The instructions on how to generate this are in the previously shared link.
5. It is easier if you just set "BIOS Setup Auto-Entry" at this point, because there are several reboots required
6. First we need the platform in Setup Mode. You do this by enabling Secure Boot, and selecting Clear Secure Boot Data. Now we need to disable Secure Boot in order to enable the Internal EFI Shell. So, disable Secure Boot, then reboot and open the Visual BIOS
8. Now, enable the Internal EFI Shell, then reboot and open the Visual BIOS
9. Select the Internal EFI Shell as the next boot device, and proceed to boot into it.
10. In the Internal EFI Shell, search your prepared USB drive (e.g. Follow the menus to import DB, KEK, and PK. Remember that they must be in ".cer" and ".auth" format, otherwise KeyTool will ignore them

From here you can boot into a Linux OS and run "mokutil --pk", "mokutil --kek", "mokutil --db" to verify that your keys are installed, and use pesign or sbsign to verify that your bootloaders are signed with the correct cert before enabling secure boot. I think it is easier to use Machine Owner Keys for your kernel (which is a much better documented process).

As I said before, I did not have my PK in ".auth" format, so I was only able to install and verify the KEK and DB.

The Unified Extensible Firmware Interface Specification (UEFI) [1] has become the default for booting on AArch64 and x86 systems. It provides a stable API for the interaction of drivers and applications with the firmware. The API comprises access to block storage, network, and console to name a few.

Often encryption and signing are seen as complicated or not necessary, but there is an increasing trend to secure device firmware for both security and integrity. To answer this demand, U-Boot offers an alternative to Secure Boot called Verified Boot.

The development of U-Boot is closely related to Linux: some parts of the source code originate in the Linux source tree, we have some header files in common, and special provision has been made to support booting of Linux images. Some attention has been paid to make this software easily configurable and extendable.

already using U-Boot as part of their existing products. Most of the examples have been encountered by the F-Secure Consulting Hardware Security team when












