doc: update acrn secureboot enablement

- Format some section title - Add one more section. Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
2025-07-29 14:37:36 +00:00 · 2020-12-05 20:35:18 +08:00 · 2020-12-05 20:35:18 +08:00 · d5bf1a76ff
commit d5bf1a76ff
parent 914ac534c0
1 changed files with 9 additions and 6 deletions
--- a/doc/tutorials/acrn-secure-boot-with-grub.rst
+++ b/doc/tutorials/acrn-secure-boot-with-grub.rst
@ -161,10 +161,8 @@ Here's an example sequence to do this build::
    sudo cp ./grubx64.efi "$TARGET_EFI"


-.. rst-class:: numbered-step
-
 Prepare grub.cfg
-****************
+================

 Define the menu entry for your system in a new GRUB configuration :file:`grub.cfg`.
 For example::
@ -192,10 +190,8 @@ partition (e.g. `/dev/nvme0n1p2`) according to your your hardware.
 Copy this new :file:`grub.cfg` to your ESP (e.g. `/boot/efi/EFI/`).


-.. rst-class:: numbered-step
-
 Sign grub.cfg and ACRN Binaries
-*******************************
+===============================

 The :file:`grub.cfg` and all ACRN binaries that will be loaded by GRUB
 **must** be signed with the same GPG key.
@ -237,6 +233,13 @@ Creating UEFI Secure Boot Key
    sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth
    sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth

+-Convert to DER format::
+
+    openssl x509 -outform DER -in PK.crt -out PK.der
+    openssl x509 -outform DER -in KEK.crt -out KEK.der
+    openssl x509 -outform DER -in db.crt -out db.der
+
+
 The keys to be enrolled in UEFI firmware: :file:`PK.der`, :file:`KEK.der`, :file:`db.der`.
 The keys to sign bootloader image: :file:`grubx64.efi`, :file:`db.key` , :file:`db.crt`.