From 4759735c9919fcd90fcdb101f72ef489a1292ed4 Mon Sep 17 00:00:00 2001 From: Yonghua Huang Date: Mon, 23 Nov 2020 10:17:11 +0800 Subject: [PATCH] doc: Setup secureboot with GRUB Add guide to enable grub secure boot on ACRN. Signed-off-by: Yonghua Huang Signed-off-by: David B. Kinder --- doc/develop.rst | 1 + doc/tutorials/acrn-secure-boot-with-grub.rst | 259 ++++++++++++++++++ doc/tutorials/images/acrn_secureboot_flow.png | Bin 0 -> 10746 bytes doc/tutorials/waag-secure-boot.rst | 2 + 4 files changed, 262 insertions(+) create mode 100644 doc/tutorials/acrn-secure-boot-with-grub.rst create mode 100644 doc/tutorials/images/acrn_secureboot_flow.png diff --git a/doc/develop.rst b/doc/develop.rst index b233cde32..2b19faac3 100644 --- a/doc/develop.rst +++ b/doc/develop.rst @@ -72,6 +72,7 @@ Enable ACRN Features tutorials/setup_openstack_libvirt tutorials/acrn_on_qemu tutorials/using_grub + tutorials/acrn-secure-boot-with-grub tutorials/pre-launched-rt tutorials/enable_ivshmem diff --git a/doc/tutorials/acrn-secure-boot-with-grub.rst b/doc/tutorials/acrn-secure-boot-with-grub.rst new file mode 100644 index 000000000..3fbe82cff --- /dev/null +++ b/doc/tutorials/acrn-secure-boot-with-grub.rst 
@@ -0,0 +1,259 @@ +.. _how-to-enable-acrn-secure-boot-with-grub: + +Enable ACRN Secure Boot with GRUB +################################# + +This document shows how to enable ACRN secure boot with GRUB including: + +- ACRN Secure Boot Sequence +- Generate GPG Key +- Setup Standalone GRUB EFI Binary +- Enable UEFI Secure Boot + +**Validation Environment:** + +- Hardware Platform: TGL-I7, Supported hardware described in + :ref:`hardware`. +- ACRN Scenario: Industry +- Service VM: Yocto & Ubuntu +- GRUB: 2.04 + +.. note:: + Note that GRUB may stop booting in case of problems, make sure you + know how to recover a bootloader on your platform. + +ACRN Secure Boot Sequence +************************* + +ACRN can be booted by Multiboot compatible bootloader, following diagram +illustrates the boot sequence of ACRN with GRUB: + +.. image:: images/acrn_secureboot_flow.png + :align: center + :width: 800px + + +For details on enabling GRUB on ACRN, see :ref:`using_grub`. + +From a secureboot point of view: + +- UEFI firmware verifies shim/GRUB +- GRUB verifies ACRN, Service VM kernel, and pre-launched User VM kernel +- Service VM OS kernel verifies the Device Model (``acrn-dm``) and User + VM OVMF bootloader (with the help of ``acrn-dm``) +- User VM virtual bootloader (e.g. OVMF) starts the guest side verified boot process + +This document shows you how to enable GRUB to +verify ACRN binaries such ``acrn.bin``, Service VM kernel (``bzImage``), and +if present, a pre-launched User VM kernel image. + +.. rst-class:: numbered-step + +Generate GPG Key +**************** + +GRUB supports loading GPG signed files only if digital signatures are +enabled. Here's an example of generating a GPG signing key:: + + mkdir --mode 0700 keys + gpg --homedir keys --gen-key + gpg --homedir keys --export > boot.key + +The :command:`gpg --gen-key` generates a public and private key pair. +The private key is used to sign GRUB configuration files and ACRN +binaries. 
The public key will be embedded in GRUB and is used to verify +GRUB configuration files or binaries GRUB tries to load. + +.. rst-class:: numbered-step + +Setup Standalone GRUB EFI Binary +******************************** + +Prepare Initial GRUB Configuration grub.init.cfg +================================================ + +Create file ``grub.init.cfg`` to store the following minimal GRUB +configuration. The environment variable ``check_signatures=enforce`` +tells GRUB to enable digital signatures:: + + set check_signatures=enforce + export check_signatures + + search --no-floppy --fs-uuid --set=root ESP_UUID + configfile /grub.cfg + echo /grub.cfg did not boot the system, rebooting in 10 seconds. + sleep 10 + reboot + +Replace the ESP_UUID with the UUID of your EFI system partition (found +by running the :command:`lsblk -f`. In the example output below, +the UUID is ``24FC-BE7A``: + +.. code-block:: console + :emphasize-lines: 2 + + sda + ├─sda1 vfat ESP 24FC-BE7A /boot/efi + ├─sda2 vfat OS 7015-557F + ├─sda3 ext4 UBUNTU e8640994-b2a3-45ad-9b72-e68960fb22f0 / + └─sda4 swap 262d1113-64be-4910-a700-670b9d2277cc [SWAP] + + +Enable Authentication in GRUB +============================= + +With authentication enabled, a user/password is required to restrict +access to the GRUB shell, where arbitrary commands could be run. +A typical GRUB configuration fragment (added to ``grub.init.cfg``) might +look like this:: + + set superusers="root" + export superusers + password_pbkdf2 root GRUB_PASSWORD_HASH + +Replace the ``GRUB_PASSWORD_HASH`` with the result of the :command:`grub-mkpasswd-pbkdf2` +with your custom passphrase. 
+ +Use this command to sign the :file:`grub.init.cfg` file with your private +GPG key and create the :file:`grub.init.cfg.sig`:: + + gpg --homedir keys --detach-sign grub.init.cfg + + +Create Standalone GRUB EFI Binary +================================= + +Use the ``grub-mkstandalone`` tool to create a standalone GRUB EFI binary +file with the buit-in modules and the signed ``grub.init.cfg`` file. +The ``--pubkey`` option adds a GPG public key that will be used for +verification. The public key ``boot.key`` is no longer required. + +.. note:: + You should make a backup copy of your current GRUB image + (:file:`grubx64.efi`) before replacing it with the new signed GRUB image. + This would allow you to restore GRUB in case of errors updating it. + +Here's an example sequence to do this build:: + + #!/bin/bash + # + + TARGET_EFI='path/to/grubx64.efi' + + # GRUB doesn't allow loading new modules from disk when secure boot is in + # effect, therefore pre-load the required modules. + + MODULES="all_video archelp boot bufio configfile crypto echo efi_gop efi_uga ext2 extcmd \ + fat font fshelp gcry_dsa gcry_rsa gcry_sha1 gcry_sha512 gettext gfxterm linux linuxefi ls \ + memdisk minicmd mmap mpi normal part_gpt part_msdos password_pbkdf2 pbkdf2 reboot relocator \ + search search_fs_file search_fs_uuid search_label sleep tar terminal verifiers video_fb" + + grub-mkstandalone \ + --directory /usr/lib/grub/x86_64-efi \ + --format x86_64-efi \ + --modules "$MODULES" \ + --pubkey ./boot.key \ + --output ./grubx64.efi \ + "boot/grub/grub.cfg=./grub.init.cfg" \ + "boot/grub/grub.cfg.sig=./grub.init.cfg.sig" + + echo "writing signed grub.efi to '$TARGET_EFI'" + sudo cp ./grubx64.efi "$TARGET_EFI" + + +.. rst-class:: numbered-step + +Prepare grub.cfg +**************** + +Define the menu entry for your system in a new GRUB configuration :file:`grub.cfg`. 
+For example:: + + # @/boot/efi/grub.cfg for grub secure boot + set timeout_style=menu + set timeout=5 + set gfxmode=auto + set gfxpayload=keep + terminal_output gfxterm + + menuentry "ACRN Multiboot Ubuntu Service VM" --users "" --id ubuntu-service-vm { + + search --no-floppy --fs-uuid --set 3df12ea1-ef12-426b-be98-774665c7483a + + echo 'loading ACRN...' + multiboot2 /boot/acrn/acrn.bin root=PARTUUID="c8ee7d92-8935-4e86-9e12-05dbeb412ad6" + module2 /boot/bzImage Linux_bzImage + } + +Use the output of the :command:`blkid` to find the right values for the +UUID (``--set``) and PARTUUID (``root=PARTUUID=`` parameter) of the root +partition (e.g. `/dev/nvme0n1p2`) according to your your hardware. + +Copy this new :file:`grub.cfg` to your ESP (e.g. `/boot/efi/EFI/`). + + +.. rst-class:: numbered-step + +Sign grub.cfg and ACRN Binaries +******************************* + +The :file:`grub.cfg` and all ACRN binaries that will be loaded by GRUB +**must** be signed with the same GPG key. + +Here's sequence example of signing the individual binaries:: + + gpg --homedir keys --detach-sign path/to/grub.cfg + gpg --homedir keys --detach-sign path/to/acrn.bin + gpg --homedir keys --detach-sign path/to/sos_kernel/bzImage + +Now, you can reboot and the system will boot with the signed GRUB EFI binary. +GRUB will refuse to boot if any files it attempts to load have been tampered +with. + + +.. 
rst-class:: numbered-step + +Enable UEFI Secure Boot +*********************** + +Creating UEFI Secure Boot Key +============================= + +-Generate your own keys for Secure Boot:: + + openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days 7300 -nodes -sha256 + openssl req -new -x509 -newkey rsa:2048 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days 7300 -nodes -sha256 + openssl req -new -x509 -newkey rsa:2048 -subj "/CN=db/" -keyout db.key -out db.crt -days 7300 -nodes -sha256 + +-Convert ``*.crt`` keys to the ESL format understood for UEFI:: + + cert-to-efi-sig-list PK.crt PK.esl + cert-to-efi-sig-list KEK.crt KEK.esl + cert-to-efi-sig-list db.crt db.esl + +-Sign ESL files:: + + sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth + sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth + sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth + +The keys to be enrolled in UEFI firmware: :file:`PK.der`, :file:`KEK.der`, :file:`db.der`. +The keys to sign bootloader image: :file:`grubx64.efi`, :file:`db.key` , :file:`db.crt`. + +Sign GRUB Image With ``db`` Key +================================ + + sbsign --key db.key --cert db.crt path/to/grubx64.efi + +:file:`grubx64.efi.signed` will be created, it will be your bootloader. + +Enroll UEFI Keys To UEFI Firmware +================================= + +Enroll ``PK`` (:file:`PK.der`), ``KEK`` (:file:`KEK.der`) and ``db`` +(:file:`db.der`) in Secure Boot Configuration UI, which depends on your +platform UEFI firmware. In UEFI configuration menu UI, follow the steps +in :ref:`this section ` that shows how to enroll UEFI +keys, using your own key files. From now on, only EFI binaries +signed with any ``db`` key (:file:`grubx64.efi.signed` in this case) can +be loaded by UEFI firmware. 
diff --git a/doc/tutorials/images/acrn_secureboot_flow.png b/doc/tutorials/images/acrn_secureboot_flow.png new file mode 100644 index 0000000000000000000000000000000000000000..0a9183ef2d27b1f884468d1f28ec7fc0fdc37923 GIT binary patch literal 10746
diff --git a/doc/tutorials/waag-secure-boot.rst b/doc/tutorials/waag-secure-boot.rst index 6c4aed136..cdfe181f8 100644 --- a/doc/tutorials/waag-secure-boot.rst +++ b/doc/tutorials/waag-secure-boot.rst
@@ -473,6 +473,8 @@ Notes: - Make sure your GCC is 5.X. GCC 6 and above is NOT supported. +.. _qemu_inject_boot_keys: + Use QEMU to inject secure boot keys into OVMF *********************************************
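Review bot: In doc/tutorials/acrn-secure-boot-with-grub.rst, the "Enable UEFI Secure Boot" section tells the reader to enroll PK.der, KEK.der and db.der, but none of the commands shown produces a .der file; the steps create only .key/.crt, .esl and .auth files. Add the conversion step, or name the files the firmware UI actually takes, so the enrollment step can be followed. In the same section the three step lines are written "-Generate ...", "-Convert ..." and "-Sign ..." with no space after the hyphen, so they will not render as list items, and the sbsign command under "Sign GRUB Image With db Key" has no introducing paragraph ending in "::", so it will render as a block quote rather than a literal block. Earlier in the file, grub.init.cfg runs "configfile /grub.cfg" on the ESP and the sample is commented "@/boot/efi/grub.cfg", yet the text says to copy grub.cfg to "/boot/efi/EFI/"; pick one location. The signing section should say that each detached .sig must be placed beside the file it covers (the standalone build already pairs boot/grub/grub.cfg with boot/grub/grub.cfg.sig), and the Secure Boot section should say that grubx64.efi.signed, not the unsigned grubx64.efi the build script copies to TARGET_EFI, is the file to install. The openssl commands use -nodes, which leaves PK.key, KEK.key and db.key unencrypted on disk; a sentence on where to keep them would help. Small fixes: "buit-in", "your your", "such ``acrn.bin``" (missing "as"), "Here's sequence example", and the unclosed parenthesis after "(found by running the :command:`lsblk -f`".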
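Review bot: In doc/tutorials/waag-secure-boot.rst the new label qemu_inject_boot_keys is attached to the section "Use QEMU to inject secure boot keys into OVMF", which looks like the target of the new tutorial's "this section" link for enrolling PK, KEK and db in the platform firmware's Secure Boot Configuration UI. A reader following that link lands in a QEMU/OVMF procedure, so the new tutorial should say which of those steps carry over to the platform UEFI menu, or the label should point at the subsection that covers the menu steps only.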