github/acrn-hypervisor
1
0
Fork 0
mirror of https://github.com/projectacrn/acrn-hypervisor.git synced 2025-08-16 23:29:50 +00:00
Code Issues Projects Releases Wiki Activity

doc: update 'enable secure boot in windows'

Browse Source 
- use one command to generate x509 cert file,
   remove the intermediate file.

 - remove the "Keycontainer" field in INF file,
   which is not mandatory.

Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
This commit is contained in:
Yonghua Huang 2021-03-30 11:15:29 +08:00 committed by fitchbe
parent 49bcfae5e1
commit ebeb064d49
4 changed files with 13 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
doc/tutorials/images/waag_secure_boot_image1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 20 KiB

BIN
doc/tutorials/images/waag_secure_boot_image2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 32 KiB

BIN
doc/tutorials/images/waag_secure_boot_image3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 4.6 KiB

53
doc/tutorials/waag-secure-boot.rst
View File

@ -198,22 +198,24 @@ which we'll summarize below.
HashAlgorithm = SHA256 HashAlgorithm = SHA256
KeyAlgorithm = RSA KeyAlgorithm = RSA
KeyLength = 2048 KeyLength = 2048
KeyContainer = "{EA75381E-6D9B-4BDC-B6C7-5144C96507DD}"
ProviderName = "Microsoft Strong Cryptographic Provider" ProviderName = "Microsoft Strong Cryptographic Provider"
KeyUsage = 0xf0 KeyUsage = 0xf0
- Generate the Platform Key using ``certreq.exe``:: - Generate the Platform Key using ``certreq.exe``::
C:\\PKtest> certreq.exe -new request.inf PKtest.cer C:\WINDOWS\system32>certreq.exe -v -new -binary request.inf PKtestDER.cer
Installed Certificate: Cert: 4 -> 4
Serial Number: 3f675d4b64156f9c48ccf30793121147 Years: 6 -> 6
Subject: CN=Intel Platform Key, O=Intel, L=Shanghai, S=Shanghai, C=CN Installed Certificate:
NotBefore: 6/26/2019 10:40 AM Serial Number: 285c6f1ec39cc186495f8e55fa053593
NotAfter: 6/26/2025 10:50 AM Subject: CN=Intel Platform Key, O=Intel, L=Shanghai, S=Shanghai, C=CN
Thumbprint: ff2771bd5bd1f7086ab96fb9532b594ed8619c3b NotBefore: 3/30/2021 10:30 55.000s
Microsoft Strong Cryptographic Provider NotAfter: 3/30/2027 10:40 55.000s
3d40ebea7d109ee93b238b96721f0e6d_4be58f30-7127-42f5-9b76-f47187495247 Thumbprint: 8d79139f90b9fa47200eedbc8c29039869cc4adc
CertReq: Certificate Created and Installed Microsoft Strong Cryptographic Provider
c387aac7266d5db5d81da8a6aa21c703_163d773d-a567-4430-aabf-893dc207fa3d
CertReq: Certificate Created and Installed
- Validate the Platform Key certificate has been generated correctly:: - Validate the Platform Key certificate has been generated correctly::
@ -385,35 +387,6 @@ which we'll summarize below.
Signature test passed Signature test passed
CertUtil: -store command completed successfully. CertUtil: -store command completed successfully.
- Convert ``PKtest.cer`` from Base-64 to DER format.
OVMF secure boot key only supports DER encoded certificate.
1) open certificate by double clicking ``PKtest.cer`` and click "Copy to
File..."
.. image:: images/waag_secure_boot_image1.png
:align: center
:width: 600px
2) Follow the certificate export wizard and select the format as
"DER encoded binary X.509 (.CER)"
.. image:: images/waag_secure_boot_image2.png
:align: center
:width: 600px
3) Follow the wizard to save file and finish export
.. image:: images/waag_secure_boot_image3.png
:align: center
:width: 600px
You can rename ``PKtestDER.cer`` extension to ``PKtestDER.crt``.
A ``.cer`` file is an alternate form of ``.crt`` by Microsoft
Conventions. CRT and CER file extensions can be interchanged as
the encoding type is identical.
Download KEK and DB From Microsoft Download KEK and DB From Microsoft
********************************** **********************************