forked from brl/citadel
39 lines
1.7 KiB
Plaintext
39 lines
1.7 KiB
Plaintext
Currently, only one implementation of Secure Boot is available out of the box,
|
|
which is using a single signed EFI application to directly boot the kernel with
|
|
an optional initramfs.
|
|
|
|
This can be added to your build either through local.conf, or via your own
|
|
custom image recipe.
|
|
|
|
If you are adding it via local.conf, set the following variables:
|
|
|
|
IMAGE_FEATURES += "secureboot"
|
|
WKS_FILE = "generic-bootdisk.wks.in"
|
|
SECURE_BOOT_SIGNING_KEY = "/path/to/your/signing/key"
|
|
SECURE_BOOT_SIGNING_CERT = "/path/to/your/signing/cert"
|
|
IMAGE_CLASSES += "uefi-comboapp"
|
|
|
|
If working with an image recipe, you can inherit uefi-comboapp directly instead
|
|
of using the IMAGE_CLASSES variable.
|
|
|
|
The signing keys and certs can be created via openssl commands. Here's an
|
|
example:
|
|
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=your-subject/" -keyout \
|
|
your-key.key -out your-key.crt -days 365 -nodes -sha256
|
|
openssl x509 -in your-key.crt -out your-key.cer -outform DER
|
|
|
|
The .crt file is your SECURE_BOOT_SIGNING_CERT, and the .key file is your
|
|
SECURE_BOOT_SIGNING_KEY.
|
|
|
|
You should enroll the .crt key in your firmware under the PK, KEK, and DB
|
|
options (methods are different depending on your firmware). If a key should ever
|
|
become invalid, enroll it under DBX to blacklist it.
|
|
|
|
The comboapp can be further manipulated in a number of ways. You can modify the
|
|
kernel command line via the APPEND variable, you can change the default UUID via
|
|
the DISK_SIGNATURE_UUID variable, and you can modify the contents of the
|
|
initramfs via the INITRD_IMAGE or INITRD_LIVE variables.
|
|
|
|
A simple Secure Boot enabled image used for testing can be viewed at:
|
|
common/recipes-selftest/images/secureboot-selftest-image-signed.bb
|