diff --git a/doc/tutorials/images/waag_secure_boot_image1.png b/doc/tutorials/images/waag_secure_boot_image1.png new file mode 100644 index 000000000..240c88112 Binary files /dev/null and b/doc/tutorials/images/waag_secure_boot_image1.png differ diff --git a/doc/tutorials/images/waag_secure_boot_image10.png b/doc/tutorials/images/waag_secure_boot_image10.png new file mode 100644 index 000000000..ea6bf5a3e Binary files /dev/null and b/doc/tutorials/images/waag_secure_boot_image10.png differ diff --git a/doc/tutorials/images/waag_secure_boot_image2.png b/doc/tutorials/images/waag_secure_boot_image2.png new file mode 100644 index 000000000..932426e32 Binary files /dev/null and b/doc/tutorials/images/waag_secure_boot_image2.png differ diff --git a/doc/tutorials/images/waag_secure_boot_image3.png b/doc/tutorials/images/waag_secure_boot_image3.png new file mode 100644 index 000000000..7cf86bea7 Binary files /dev/null and b/doc/tutorials/images/waag_secure_boot_image3.png differ diff --git a/doc/tutorials/images/waag_secure_boot_image5.png b/doc/tutorials/images/waag_secure_boot_image5.png new file mode 100644 index 000000000..782373d0c Binary files /dev/null and b/doc/tutorials/images/waag_secure_boot_image5.png differ diff --git a/doc/tutorials/images/waag_secure_boot_image6.png b/doc/tutorials/images/waag_secure_boot_image6.png new file mode 100644 index 000000000..1bce0080e Binary files /dev/null and b/doc/tutorials/images/waag_secure_boot_image6.png differ diff --git a/doc/tutorials/images/waag_secure_boot_image7.png b/doc/tutorials/images/waag_secure_boot_image7.png new file mode 100644 index 000000000..f2a9b3f2e Binary files /dev/null and b/doc/tutorials/images/waag_secure_boot_image7.png differ diff --git a/doc/tutorials/images/waag_secure_boot_image8.png b/doc/tutorials/images/waag_secure_boot_image8.png new file mode 100644 index 000000000..eedbcaed5 Binary files /dev/null and b/doc/tutorials/images/waag_secure_boot_image8.png differ diff --git a/doc/tutorials/images/waag_secure_boot_image9.png b/doc/tutorials/images/waag_secure_boot_image9.png new file mode 100644 index 000000000..059725e68 Binary files /dev/null and b/doc/tutorials/images/waag_secure_boot_image9.png differ diff --git a/doc/tutorials/using_windows_as_uos.rst b/doc/tutorials/using_windows_as_uos.rst index 54faac614..9f21dadb3 100644 --- a/doc/tutorials/using_windows_as_uos.rst +++ b/doc/tutorials/using_windows_as_uos.rst @@ -485,6 +485,11 @@ Device configurations of acrn-dm command line * *--ovmf /usr/share/acrn/bios/OVMF.fd*: Make sure it points to your OVMF binary path +Secure boot enabling +******************** +You may refer to the steps in :ref:`How-to-enable-secure-boot-for-windows` for +secure boot enabling. + References ********** diff --git a/doc/tutorials/waag-secure-boot.rst b/doc/tutorials/waag-secure-boot.rst new file mode 100644 index 000000000..e505f3032 --- /dev/null +++ b/doc/tutorials/waag-secure-boot.rst @@ -0,0 +1,866 @@ + .. _How-to-enable-secure-boot-for-windows: + +How to enable secure boot for windows +===================================== + +This document is the guide to enable secure boot to launch Windows 10 +through OVMF on ACRNGT, including: + +- Generate Platform Key + +- Get KEK and DB from Microsoft + +- Inject PK, KEK and DB into OVMF + +Generate PK (Platform Key) +========================== + +In UEFI secure boot, the Platform Key establishes a trust relationship +between the platform owner and the platform firmware. According to +Microsoft document, section 1.5: +https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance, +PK is a self-signed certificate and owned by OEM, OEM can generate their +own PK. + +Here we show two ways, openssl and Microsoft tools to generate a PK. + +1. Using openssl +---------------- + + 1). Generate a Self-Signed Certificate as PK from a new key. + + You will be required to answer the CSR information prompt to complete the process. + + For example:: + + $ openssl req -newkey rsa:2048 -nodes -keyout PKpriv.key -x509 -days + 365 -out PK.crt + + Generating a 2048 bit RSA private key + + ....+++ + + .+++ + + writing new private key to 'PKpriv.key' + + ----- + + You are about to be asked to enter information that will be + incorporated + + into your certificate request. + + What you are about to enter is what is called a Distinguished Name + or a DN. + + There are quite a few fields but you can leave some blank + + For some fields there will be a default value, + + If you enter '.', the field will be left blank. + + ----- + + Country Name (2 letter code) [AU]:CN + + State or Province Name (full name) [Some-State]:Shanghai + + Locality Name (eg, city) []:Shanghai + + Organization Name (eg, company) [Internet Widgits Pty Ltd]:Intel + + Organizational Unit Name (eg, section) []:Intel + + Common Name (e.g. server FQDN or YOUR name) []: + + Email Address []: + +And you can also generate the self-signed certificate from an existing +key: + +openssl req -key testpriv.key –new -x509 -days 365 -out PK.crt + + 2). View the content of certificate:: + + $ openssl x509 -text -noout -in PK2.crt + + Certificate: + + Data: + + Version: 3 (0x2) + + Serial Number: 10097816361374596362 (0x8c22a67aeadc3d0a) + + Signature Algorithm: sha256WithRSAEncryption + + Issuer: C=CN, ST=Shanghai, L=Shanghai, O=Intel, OU=Intel + + Validity + + Not Before: Jun 26 06:29:14 2019 GMT + + Not After : Jun 25 06:29:14 2020 GMT + + Subject: C=CN, ST=Shanghai, L=Shanghai, O=Intel, OU=Intel + + Subject Public Key Info: + + Public Key Algorithm: rsaEncryption + + Public-Key: (2048 bit) + + Modulus: + + 00:9e:15:70:40:8c:b0:a7:c2:dd:45:15:e9:ab:c2: + + d9:3d:d7:32:1e:7f:ec:1d:26:e3:d3:07:2c:5c:40: + + 8a:42:12:d3:31:59:2c:f0:b0:f7:3d:94:51:ae:b8: + + 25:16:ab:98:97:60:68:67:80:e1:77:85:aa:f2:70: + + f3:47:fc:39:8c:9c:25:46:a8:ca:4f:aa:8f:d1:db: + + f1:50:9b:d9:b6:3d:28:bf:5c:bf:1a:52:12:4c:e2: + + 04:dd:fe:04:f1:98:3a:9f:a7:ff:f9:43:43:f7:8b: + + 48:48:ee:d8:2e:b1:25:26:97:ca:1f:94:1c:00:1e: + + 68:8f:e1:30:3d:3c:1d:99:32:d0:d3:08:0b:ed:4c: + + 4b:b4:7c:42:b9:1c:e4:ef:df:47:cf:52:37:7e:6e: + + a1:87:02:f9:23:6b:f4:22:e7:a8:8a:40:4c:5d:ff: + + f2:9f:bd:05:68:15:5c:1a:03:e3:4b:80:55:08:38: + + 78:1f:e7:4c:dc:cd:49:22:ef:c0:60:4a:c2:b2:c9: + + cb:2b:5c:e2:c8:1d:ec:9e:2d:eb:ed:b1:d7:53:54: + + ea:ce:1a:f2:1c:f9:19:2e:c4:6f:fa:f2:46:bd:48: + + bc:84:f2:a7:b4:1c:0c:60:26:eb:b1:31:d2:76:24: + + df:21:0d:4e:fb:80:3d:ce:8e:a4:5c:8f:8d:b5:51: + + 88:a3 + + Exponent: 65537 (0x10001) + + X509v3 extensions: + + X509v3 Subject Key Identifier: + + 4D:A0:DC:F6:6C:56:1E:D2:25:C5:E3:EE:5D:0C:70:ED:71:E7:72:AA + + X509v3 Authority Key Identifier: + + keyid:4D:A0:DC:F6:6C:56:1E:D2:25:C5:E3:EE:5D:0C:70:ED:71:E7:72:AA + + X509v3 Basic Constraints: + + CA:TRUE + + Signature Algorithm: sha256WithRSAEncryption + + 24:0a:38:57:49:e5:35:05:58:d9:88:03:eb:3a:8c:5b:0d:88: + + 70:58:ea:77:b2:4c:37:ff:87:52:b7:f3:bd:0f:6f:5e:7c:fc: + + 28:16:37:19:23:d0:90:af:ed:1e:f3:36:ee:9d:66:0e:7c:07: + + 5b:7d:0a:2a:fa:80:8c:6a:35:48:2d:50:9e:d2:f4:fc:d1:2a: + + ed:f5:7f:e4:d9:ec:ac:09:10:52:5c:b9:c7:68:4a:91:98:33: + + 95:c3:23:4a:06:ca:ec:d3:ef:46:94:92:61:88:e4:e2:f5:db: + + c1:7a:a7:98:9d:59:0d:43:c2:2a:46:11:74:53:44:37:08:cd: + + b1:99:36:b6:3f:5e:51:f2:8c:d7:a0:0c:c5:9f:68:ba:2b:ab: + + 7a:57:1f:fd:c9:44:0d:b9:39:6e:52:8c:09:8b:eb:5f:ea:3d: + + d4:3d:05:17:1a:7f:47:92:38:94:1d:e0:59:d2:66:bb:37:95: + + 1d:11:4b:70:a1:89:1f:09:5a:25:dc:80:ee:27:17:7e:4a:cc: + + 32:63:1d:e2:89:27:b1:44:99:9f:fb:4d:45:31:23:49:7b:ba: + + 21:05:eb:d8:8a:b3:d0:72:c0:19:97:2a:59:4b:d1:12:ce:04: + + c4:c6:61:6f:19:e4:c2:fa:6a:0f:c7:70:c9:08:85:0c:65:97: + + 83:41:c6:4b + + 3). Convert certificate from PEM to DER + + Only DER format encoded certificate is supported. After conversion, save + PK.der for use. + + openssl x509 -in PK.crt -outform der -out PK.der + +2. Using Microsoft tools +------------------------ + +In Microsoft document, it introduced how to use Microsoft tools to +generate secure boot key. +https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/secure-boot-key-generation-and-signing-using-hsm--example + +Using certutil.exe to list the CSPs (Cryptographic Service Provider). + + For the detailed information of each Microsoft Cryptographic Service + Provider, please check Microsoft document: + https://docs.microsoft.com/en-us/windows/desktop/seccrypto/microsoft-cryptographic-service-providers. + + Here, we chose “Microsoft Strong Cryptographic Provider” for example.:: + + C:\\CertReq\\test> certutil -csplist + + Provider Name: Microsoft Base Cryptographic Provider v1.0 + + Provider Type: 1 - PROV\_RSA\_FULL + + Provider Name: Microsoft Base DSS and Diffie-Hellman Cryptographic + Provider + + Provider Type: 13 - PROV\_DSS\_DH + + Provider Name: Microsoft Base DSS Cryptographic Provider + + Provider Type: 3 - PROV\_DSS + + Provider Name: Microsoft Base Smart Card Crypto Provider + + Provider Type: 1 - PROV\_RSA\_FULL + + Provider Name: Microsoft DH SChannel Cryptographic Provider + + Provider Type: 18 - PROV\_DH\_SCHANNEL + + Provider Name: Microsoft Enhanced Cryptographic Provider v1.0 + + Provider Type: 1 - PROV\_RSA\_FULL + + Provider Name: Microsoft Enhanced DSS and Diffie-Hellman + Cryptographic Provider + + Provider Type: 13 - PROV\_DSS\_DH + + Provider Name: Microsoft Enhanced RSA and AES Cryptographic Provider + + Provider Type: 24 - PROV\_RSA\_AES + + Provider Name: Microsoft RSA SChannel Cryptographic Provider + + Provider Type: 12 - PROV\_RSA\_SCHANNEL + + Provider Name: Microsoft Strong Cryptographic Provider + + Provider Type: 1 - PROV\_RSA\_FULL + + Provider Name: Microsoft Software Key Storage Provider + + Provider Name: Microsoft Passport Key Storage Provider + + Provider Name: Microsoft Platform Crypto Provider + + Provider Name: Microsoft Smart Card Key Storage Provider + + CertUtil: -csplist command completed successfully. + +Create request inf file, the following is the example:: + + [Version] + + Signature= "$Windows NT$" + + [NewRequest] + + ValidityPeriod = Years + + ValidityPeriodUnits = 6 + + Subject = "CN=Corporation TODO Platform Key,O=TODO + Corporation,L=TODO\_City,S=TODO\_State,C=TODO\_Country" + + MachineKeySet = true + + RequestType=Cert + + Exportable = FALSE + + HashAlgorithm = SHA256 + + KeyAlgorithm = RSA + + KeyLength = 2048 + + KeyContainer = "{EA75381E-6D9B-4BDC-B6C7-5144C96507DD}" + + ProviderName = "Microsoft Strong Cryptographic Provider" + + KeyUsage = 0xf0 + +Generate PK. + +certreq.exe -new [PolicyFileIn [RequestFileOut]]:: + + C:\\PKtest> certreq.exe -new request.inf PKtest.cer + + Installed Certificate: + + Serial Number: 3f675d4b64156f9c48ccf30793121147 + + Subject: CN=Intel Platform Key, O=Intel, L=Shanghai, S=Shanghai, + C=CN + + NotBefore: 6/26/2019 10:40 AM + + NotAfter: 6/26/2025 10:50 AM + + Thumbprint: ff2771bd5bd1f7086ab96fb9532b594ed8619c3b + + Microsoft Strong Cryptographic Provider + + 3d40ebea7d109ee93b238b96721f0e6d\_4be58f30-7127-42f5-9b76-f47187495247 + + CertReq: Certificate Created and Installed + +Validating PK + +Using the following command to verify that the certificate has been +generated correctly. + +certutil -store -v my "":: + + C:\\PKtest> certutil -store -v my "3f675d4b64156f9c48ccf30793121147" + + my "Personal" + + ================ Certificate 0 ================ + + X509 Certificate: + + Version: 3 + + Serial Number: 3f675d4b64156f9c48ccf30793121147 + + Signature Algorithm: + + Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA + + Algorithm Parameters: + + 05 00 + + Issuer: + + CN=Intel Platform Key + + O=Intel + + L=Shanghai + + S=Shanghai + + C=CN + + Name Hash(sha1): 732312795479b01208e0ade51c695eddd8f2b2d7 + + Name Hash(md5): 9264adf01062b20e8fe4351369c55cc4 + + NotBefore: 6/26/2019 10:40 AM + + NotAfter: 6/26/2025 10:50 AM + + Subject: + + CN=Intel Platform Key + + O=Intel + + L=Shanghai + + S=Shanghai + + C=CN + + Name Hash(sha1): 732312795479b01208e0ade51c695eddd8f2b2d7 + + Name Hash(md5): 9264adf01062b20e8fe4351369c55cc4 + + Public Key Algorithm: + + Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA + + Algorithm Parameters: + + 05 00 + + Public Key Length: 2048 bits + + Public Key: UnusedBits = 0 + + 0000 30 82 01 0a 02 82 01 01 00 b9 72 bb ae ff 44 55 + + 0010 01 a5 53 6c bd b1 6e b1 32 4a e5 07 04 f9 97 41 + + 0020 49 a5 95 c9 77 b7 db c0 b0 0d 51 6a 17 d4 a1 91 + + 0030 21 8b 1c 14 8a 29 f2 45 78 c0 d3 d3 99 19 b6 de + + 0040 8b cd 43 05 61 95 d1 c1 84 97 83 c7 ce 93 c7 9a + + 0050 90 37 ba 9d 7a 2a d1 6b ad f6 ba da 6d 18 1a ae + + 0060 ec 16 80 fe 29 4e 25 8a 2d 22 bd fb 25 02 f3 f3 + + 0070 ad ae 0e df 37 4b 9d e0 b1 cb b8 40 d2 ff c8 bd + + 0080 6b bc 9f 61 68 be d4 33 61 01 b7 b9 ef f3 32 ee + + 0090 7e b4 24 c3 68 9c 19 85 4a d6 7f e6 8b 28 81 5f + + 00a0 7a 41 fa f7 0c 21 c2 10 1f df b2 89 9d 2d 1a b8 + + 00b0 ac 9f 09 11 c9 85 1d fb 96 00 55 95 73 d9 d5 ae + + 00c0 c2 9e 10 8b c8 7d ec 6c d9 b1 15 80 50 3d 4e 25 + + 00d0 cb 8a d7 fc 22 27 a7 be 71 15 22 86 0e 88 e9 c0 + + 00e0 b6 af e6 9b 56 0a 99 6f 88 c7 4c e3 15 dc 6f 03 + + 00f0 8a b3 21 cc 09 df 8c 3b aa c0 2d 31 0b 39 01 13 + + 0100 29 e4 f4 85 8e f7 69 db 05 02 03 01 00 01 + + Certificate Extensions: 2 + + 2.5.29.15: Flags = 1(Critical), Length = 4 + + Key Usage + + Digital Signature, Non-Repudiation, Key Encipherment, Data + Encipherment (f0) + + 2.5.29.14: Flags = 0, Length = 16 + + Subject Key Identifier + + 29c42c8b73d48fb46118895ae59806eac7bf0098 + + Signature Algorithm: + + Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA + + Algorithm Parameters: + + 05 00 + + Signature: UnusedBits=0 + + 0000 d4 89 92 e6 e1 ef 7e ce d3 c6 c2 b2 15 63 5c 68 + + 0010 ea 16 13 7e 90 81 e3 75 64 75 da ac 85 fc c6 3a + + 0020 65 3b 60 1e 81 2d 20 58 ec b3 07 3c a3 a8 8a 57 + + 0030 cf 33 a2 8c 08 fe 74 2b c5 d9 e7 f2 f7 69 8d ca + + 0040 68 81 33 3d 5c 25 63 60 17 51 4e 0c 1d bd de 68 + + 0050 07 52 c6 50 da d9 5e 5b bd 4f 33 84 0c f8 ea 61 + + 0060 f9 c3 00 db 78 f6 b2 4f 4e 4b 8d cf c9 0f d6 8a + + 0070 5c f2 8b 87 0d a5 a5 5e ab ce ac a4 ff dd d2 aa + + 0080 4c 22 8a c2 3e 23 7c de 4e 1c 18 f5 f9 a3 c1 4e + + 0090 b5 1e 9a af 92 0e 20 0e 17 82 2f 0c b4 c4 a3 f1 + + 00a0 32 5a 0f e8 63 3e 5e 36 a2 8c ea de 02 78 58 b8 + + 00b0 5a 0d d3 82 e4 b1 a6 72 9a dc 4a dc 5b 93 de 3c + + 00c0 2c ea b0 8d a5 6e 5c d6 c7 f8 78 ef 56 16 ed 7f + + 00d0 1e a5 5b a2 35 87 41 4d 5c 9d 34 c9 5b 82 68 94 + + 00e0 8a 52 9c 8e 80 50 0d d7 10 34 cb 9c 96 8a b3 5e + + 00f0 9c bb bd 07 b5 18 b0 ea d2 93 8f 79 e9 dd 32 7a + + Signature matches Public Key + + Root Certificate: Subject matches Issuer + + Key Id Hash(rfc-sha1): 29c42c8b73d48fb46118895ae59806eac7bf0098 + + Key Id Hash(sha1): 2e442e6469555a714423002b2e0748b373a27952 + + Key Id Hash(bcrypt-sha1): 66f3c2ecf18079b65d6de0b85be1786749a9eb75 + + Key Id Hash(bcrypt-sha256): + edd9c90796d56e97db92f506953da26c44d7e8640875c3b60e5788f4cd5f7058 + + Key Id Hash(md5): 99e508cd7c5c5e2077648312097c18ab + + Key Id Hash(sha256): + 3401abc0a80dc1731990b0a99a1b5c7e1e60e107a667b295ced40a2056e43ce4 + + Key Id Hash(pin-sha256): + 0wf9owhuRaJxiwsN4Mt8zAaXgTrp3dMJFopvr+oB1wA= + + Key Id Hash(pin-sha256-hex): + d307fda3086e45a2718b0b0de0cb7ccc0697813ae9ddd309168a6fafea01d700 + + Cert Hash(md5): e95f4760524981cf90bc3198e3075f44 + + Cert Hash(sha1): ff2771bd5bd1f7086ab96fb9532b594ed8619c3b + + Cert Hash(sha256): + 3abc3ab573d67e1fb491b2fd7e4ae0e5d9941ac7d55ee085c1d73d684891001a + + Signature Hash: + 4106dbf78737c3b54009b231eb9fe00e57a1ac6c94e0d5046e9bc7a62febde85 + + CERT\_REQUEST\_ORIGINATOR\_PROP\_ID(71): + + xzhao3-MOBL.ccr.corp.intel.com + + CERT\_KEY\_PROV\_INFO\_PROP\_ID(2): + + Key Container = + 3d40ebea7d109ee93b238b96721f0e6d\_4be58f30-7127-42f5-9b76-f47187495247 + + Simple container name: {EA75381E-6D9B-4BDC-B6C7-5144C96507DD} + + Provider = Microsoft Strong Cryptographic Provider + + ProviderType = 1 + + Flags = 20 (32) + + CRYPT\_MACHINE\_KEYSET -- 20 (32) + + KeySpec = 2 -- AT\_SIGNATURE + + CERT\_SUBJECT\_PUB\_KEY\_BIT\_LENGTH\_PROP\_ID(92): + + 0x00000800 (2048) + + CERT\_SHA1\_HASH\_PROP\_ID(3): + + ff2771bd5bd1f7086ab96fb9532b594ed8619c3b + + CERT\_SUBJECT\_PUBLIC\_KEY\_MD5\_HASH\_PROP\_ID(25): + + 99e508cd7c5c5e2077648312097c18ab + + CERT\_KEY\_IDENTIFIER\_PROP\_ID(20): + + 29c42c8b73d48fb46118895ae59806eac7bf0098 + + CERT\_SIGNATURE\_HASH\_PROP\_ID(15) disallowedHash: + + 4106dbf78737c3b54009b231eb9fe00e57a1ac6c94e0d5046e9bc7a62febde85 + + CERT\_MD5\_HASH\_PROP\_ID(4): + + e95f4760524981cf90bc3198e3075f44 + + CERT\_ACCESS\_STATE\_PROP\_ID(14): + + AccessState = 6 + + CERT\_ACCESS\_STATE\_SYSTEM\_STORE\_FLAG -- 2 + + CERT\_ACCESS\_STATE\_LM\_SYSTEM\_STORE\_FLAG -- 4 + + Provider = Microsoft Strong Cryptographic Provider + + ProviderType = 1 + + Simple container name: {EA75381E-6D9B-4BDC-B6C7-5144C96507DD} + + RSA + + PP\_KEYSTORAGE = 1 + + CRYPT\_SEC\_DESCR -- 1 + + KP\_PERMISSIONS = 3b (59) + + CRYPT\_ENCRYPT -- 1 + + CRYPT\_DECRYPT -- 2 + + CRYPT\_READ -- 8 + + CRYPT\_WRITE -- 10 (16) + + CRYPT\_MAC -- 20 (32) + + D:PAI(A;;GAGR;;;BA)(A;;GAGR;;;SY) + + Allow Full Control BUILTIN\\Administrators + + Allow Full Control NT AUTHORITY\\SYSTEM + + Private key is NOT exportable + + Signature test passed + + CertUtil: -store command completed successfully. + +Convert PKtest.cer from Base-64 to DER format. + +OVMF secure boot key only support DER encoded certificate. + +Step1: open certificate by double click PKtest.cer and click “Copy to +File…” + +|image0| + +Step2: Following the wizard and select the format of “DER encoded binary +X.509 (.CER)” + +|image1| + +Step3: Following the wizard to save file and finish export. + +|image2| + +You can also convert PKtestDER.cer extension to PKtestDER.crt. + +.cer file is the alternate form of .crt of Microsoft Convention. CRT and +CER can safely be interchanged is when the encoding type is identical. + +Download KEK and DB from Microsoft +=================================== + +KEK (Key Exchange Key) + ++-------------------------------------+---------------------------------+----------------------------------------------------+ +| Microsoft Corporation KEK CA 2011 | Allows updates to db and dbx. | https://go.microsoft.com/fwlink/p/?linkid=321185 | ++=====================================+=================================+====================================================+ ++-------------------------------------+---------------------------------+----------------------------------------------------+ + +Db (Allowed Signature database): + ++----------------------------------------+------------------------------------------------------------------------+----------------------------------------------------+ +| Microsoft Windows Production CA 2011 | This CA in the Signature Database (db) allows Windows to boot. | https://go.microsoft.com/fwlink/?LinkId=321192 | ++========================================+========================================================================+====================================================+ +| Microsoft Corporation UEFI CA 2011 | Microsoft signer for 3’rd party UEFI binaries via DevCenter program. | https://go.microsoft.com/fwlink/p/?LinkID=321194 | ++----------------------------------------+------------------------------------------------------------------------+----------------------------------------------------+ + +Compile OVMF with secure boot support +===================================== +:: + + git clone -b ovmf-acrn-waag + ssh://git@gitlab.devtools.intel.com:29418/projectacrn/edk2.git + + cd edk2 + + git submodule update --init CryptoPkg/Library/OpensslLib/openssl + + source edksetup.sh + + make -C BaseTools + + vim Conf/target.txt + + ACTIVE\_PLATFORM = OvmfPkg/OvmfPkgX64.dsc + + TARGET\_ARCH = X64 + + TOOL\_CHAIN\_TAG = GCC5 + + build -DFD\_SIZE\_2MB -DDEBUG\_ON\_SERIAL\_PORT=TRUE + **-DSECURE\_BOOT\_ENABLE** + + +Notes: + +- “source edksetup.sh”, this step is needed for compilation every time + a shell is created. + +- This will generate the fw section at + Build/OvmfX64/DEBUG\_GCC5/FV/OVMF\_CODE.fd or + Build/OvmfX64/RELEASE\_GCC5/FV/OVMF\_CODE.fd + + This will also generate an empty template VARS file at + Build/OvmfX64/DEBUG\_GCC5/FV/OVMF\_VARS.fd or + Build/OvmfX64/RELEASE\_GCC5/FV/OVMF\_VARS.fd + + Both OVMF\_CODE.fd and OVMF\_VARS.fd will be used later. + +- Make sure your GCC is 5.X. GCC 6 and above is NOT supported. + +Use QEMU to inject secure boot keys into OVMF +============================================= + +We follow the example in the following link to import PK, KEK and DB +into OVMF, Ubuntu16.04 used. +https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm + +1. .. rubric:: Install KVM, QEMU + :name: install-kvm-qemu + +2. .. rubric:: Prepare the environment + :name: prepare-the-environment + + Step1: mkdir OVMFKeys + + Step2: copy the build out OVMF binary into OVMFKeys + + cp edk2/Build/OvmfX64/DEBUG\_GCC5/FV/OVMF\_CODE.fd OVMFKeys + + cp edk2/Build/OvmfX64/DEBUG\_GCC5/FV/OVMF\_VARS.fd OVMFKeys + + Step3: copy OVMF\_CODE\_QEMU.fd into OVMFKeys + + cp OVMF\_CODE\_QEMU.fd OVMFKeys + + Step4: cd OVMFKeys + + mkdir hda-contents + + Step5: Copy PK, KEK and DB into hda-contents + + cp PKtestDER.cer hda-contents + + cp MicCorKEKCA2011\_2011-06-24.crt hda-contents + + cp MicWinProPCA2011\_2011-10-19.crt hda-contents + +3. .. rubric:: Use QEMU to inject secure boot keys + :name: use-qemu-to-inject-secure-boot-keys + + Step1: Run qemu-system-x86\_64 to launch virtual machine + + $ cd OVMFKeys + + $ qemu-system-x86\_64 -L . -drive + if=pflash,format=raw,readonly,file=OVMF\_CODE\_QEMU.fd -drive + if=pflash,format=raw,file=OVMF\_VARS.fd -hda fat:hda-contents -net + none + + After boot up, you can see the UEFI shell. + + |image3| + + Enter “exit” to close UEFI shell and enter UEFI configuration menu. + + |image4| + + Go to secure boot configuration. + + Device Manager Secure Boot Configuration Secure Boot Mode + + Change from “Standard Mode” into “Custom Mode”. + + |image5| + + After change to “Custom Mode”, “Custom Secure Boot Options” will show + up, click and enter. + + |image6| + + Import PK + + PK Options Enroll PK Enroll PK Using File select the only one HD + space select PKtestDer.cer (Note: only DER format certificate is + supported.) + + |image7| + + Then, select “Commit Changes and Exit”, PK will be imported into + OVMF. + + Import KEK + + The process is the same as import PK, just select “KEK options” to + inject “Microsoft Corporation KEK CA 2011”. + + KEK Options Enroll KEK Enroll KEK Using File select the only one HD + space select MicCorKEKCA2011\_2011-06-24.crt Commit Changes and Exit + + Import DB + + The same process to inject “Microsoft Windows Production CA 2011”. + + DB Options Enroll Signature Enroll Signature Using File select the + only one HD space select MicWinProPCA2011\_2011-10-19.crt Commit + Changes and Exit + + Repeat the step to inject “Microsoft Corporation UEFI CA 2011”. + + DB Options Enroll Signature Enroll Signature Using File select the + only one HD space select MicCorUEFCA2011\_2011-06-27.crt Commit + Changes and Exit + + After import PK, KEK and DB, the secure boot state is “Enabled”. + + |image8| + +4. generate OVMF.fd for ACRN with the updated keys manually + + $ cat /path/to/OVMF\_VARS.fd /path/to/OVMF\_CODE.fd > OVMF.fd + +5. Update OVMF.fd into ACRNGT+OVMF+Win10 to start Windows. + +Note after enable Secure Boot +============================= + +1. According to Microsoft document, after enable secure boot, kernel + mode driver must get signed by a trusted certification authority + (CA).  + +2. A cross-signed driver using a SHA-1 or SHA-256 certificate issued + after July 29th, 2015 is not recommended for Windows 10. + +3. And after enable secure boot, standard mechanisms like kernel + debugging and testsigning will not be permitted. + +The reference link is as below:  + +https://docs.microsoft.com/en-us/windows/desktop/w8cookbook/secured-boot-signing-requirements-for-kernel-mode-drivers + +https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate + +.. |image0| image:: images/waag_secure_boot_image1.png + :width: 2.84167in + :height: 3.79892in +.. |image1| image:: images/waag_secure_boot_image2.png + :width: 4.03490in + :height: 4.15000in +.. |image2| image:: images/waag_secure_boot_image3.png + :width: 2.24133in + :height: 0.93333in +.. |image3| image:: images/waag_secure_boot_image5.png + :width: 5.29167in + :height: 4.16323in +.. |image4| image:: images/waag_secure_boot_image6.png + :width: 4.89167in + :height: 3.87936in +.. |image5| image:: images/waag_secure_boot_image7.png + :width: 5.08123in + :height: 4.01667in +.. |image6| image:: images/waag_secure_boot_image8.png + :width: 5.11338in + :height: 4.06667in +.. |image7| image:: images/waag_secure_boot_image9.png + :width: 5.15000in + :height: 4.09964in +.. |image8| image:: images/waag_secure_boot_image10.png + :width: 5.75047in + :height: 4.55000in