Enable UEFI secure boot on Embedded system
What is UEFI boot?
UEFI (Unified Extensible Firmware Interface) is the specification developed by the UEFI Forum to standardize the interfaces between firmware and the operating system, with the aim of replacing the legacy BIOS on the PC architecture.
Nowadays UEFI is everywhere. It has long been the default on PCs and servers, and it is now the default on arm64 platforms as well.
Remember that GRUB can also run on top of U-Boot’s own (non-UEFI) API, but only in its 32-bit arm port; no distribution supports that on arm64 or x86, so UEFI is the interface that matters there.
Secure Boot: how does it work?
Let’s first understand the non-secure environment
Among other additions, UEFI Secure Boot is a feature introduced in U-Boot v2020.10, the latest release at the time of writing.
It is, as the name suggests, a security framework in the boot sequence designed to keep malware from running by ensuring that only trusted software (EFI applications and OS kernels) is loaded and executed while control is transferred from the firmware to the OS.
A trusted boot chain starts from a hardware root of trust, and each stage is validated by the stage before it before control is handed over; an image that fails validation is never executed.
How to build a UEFI boot package?
Step-1: Get and compile a Secure Boot enabled UEFI firmware (the UEFI specification itself is published at http://www.uefi.org)
Step-2: Compile the kernel and initrd
Step-3: Generate an RSA key and x509 certificates
Step-4: Use the generated key to sign the kernel
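Steps 3 and 4 assembled into one script, as an added example (my code, not the post’s and not part of U-Boot). It assumes openssl, efitools (cert-to-efi-sig-list, sign-efi-sig-list) and sbsigntools (sbsign, sbverify) are installed, and it goes a little beyond the post: besides the RSA keys and x509 certificates it also writes DER copies of the certificates for the firmware’s enrolment dialog and signed .auth files for PK, KEK and db. The output directory, the “MyEmbedded” subject names and the kernel image path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate Secure Boot keys,
# build the PK/KEK/db enrolment files and sign an EFI-stub kernel image.
# Assumes openssl, efitools and sbsigntools are installed; "MyEmbedded",
# the key directory and the image path are placeholders.
set -eu

# Generate one RSA-2048 key pair and a self-signed x509 certificate.
# $1 = output directory, $2 = base name (PK, KEK or db), $3 = subject CN
gen_key() {
    dir=$1; name=$2; cn=$3
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.crt"
    # DER copy: firmware "enroll using file" dialogs usually expect this form
    openssl x509 -in "$dir/$name.crt" -outform DER -out "$dir/$name.cer"
}

# Generate the three key stores described in the post: PK, KEK and db.
gen_all_keys() {
    dir=$1
    mkdir -p "$dir"
    gen_key "$dir" PK  "MyEmbedded Platform Key"
    gen_key "$dir" KEK "MyEmbedded Key Exchange Key"
    gen_key "$dir" db  "MyEmbedded Secure Boot db"
}

# Return 0 when the certificate's public key matches the private key,
# i.e. the cert you enroll really corresponds to the key you sign with.
key_matches_cert() {
    dir=$1; name=$2
    k=$(openssl pkey -in "$dir/$name.key" -pubout)
    c=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
    [ "$k" = "$c" ]
}

# Build signed EFI signature lists (.auth). PK signs itself and KEK;
# KEK signs db. The owner GUID just tags who added the entries. Needs efitools.
make_auth_files() {
    dir=$1
    guid=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
    echo "$guid" > "$dir/owner.guid"
    for v in PK KEK db; do
        cert-to-efi-sig-list -g "$guid" "$dir/$v.crt" "$dir/$v.esl"
    done
    sign-efi-sig-list -k "$dir/PK.key"  -c "$dir/PK.crt"  PK  "$dir/PK.esl"  "$dir/PK.auth"
    sign-efi-sig-list -k "$dir/PK.key"  -c "$dir/PK.crt"  KEK "$dir/KEK.esl" "$dir/KEK.auth"
    sign-efi-sig-list -k "$dir/KEK.key" -c "$dir/KEK.crt" db  "$dir/db.esl"  "$dir/db.auth"
}

# Authenticode-sign a PE/COFF image (a kernel built with the EFI stub) with
# the db key, then verify it against the db certificate. Needs sbsigntools.
sign_kernel() {
    dir=$1; image=$2
    sbsign --key "$dir/db.key" --cert "$dir/db.crt" --output "$image.signed" "$image"
    sbverify --cert "$dir/db.crt" "$image.signed"
}

if [ "${1:-}" = "run" ]; then
    # usage: sh secureboot-keys.sh run keys/ path/to/Image
    gen_all_keys "$2"
    key_matches_cert "$2" db
    make_auth_files "$2"
    sign_kernel "$2" "$3"
fi
```

sbsign only understands PE/COFF images, so the kernel must be built with the EFI stub (a plain zImage/Image without it cannot be signed this way). If the firmware’s enrolment dialog rejects the PEM .crt, use the DER .cer or the signed .auth file instead. Enrolling PK takes the firmware out of setup mode; after that, KEK and db can only be updated with .auth files signed by the key above them in the hierarchy, which is why the order PK first, then db, matters.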
Demo: Once the system is powered on, press Esc to get the boot manager prompt.
To set the Secure Boot related configuration, go to Device manager > Secure boot configuration > Secure boot mode and select Custom mode as below:
Then configure custom secure boot options:
As shown in the secure boot chain diagram, the firmware must hold the certificate used to validate the signed kernel+initrd. The Secure Boot configuration menu exposes several key stores, as shown above:
- PK option: the platform key (master key); enrolling it switches the firmware from setup mode to user mode
- KEK option: the key exchange key, which authorizes updates to db
- db option: the signature database; this is the one we need
db acts as an allow list: if the image’s signer certificate (or the image’s hash) is present in db, the image is allowed to execute and the boot process proceeds. A matching entry in the forbidden database (dbx) overrides db and blocks the image.
Click on PK option > Enroll Signature > Enroll using file, choose the .pub cert and commit.
Click on DB option > Enroll Signature > Enroll using file, choose the .pub cert and commit.
Now boot again into the EFI internal shell and load the signed kernel image:
If the signed kernel image is verified successfully you will see the log line:
UEFI secure boot is enabled
Whoa!! That’s how UEFI secure boot works.
Part-2 : https://prashant-divate.medium.com/uefi-boot-and-rauc-integration-in-yocto-377bb9cd3df3
Don’t forget to like, comment, and subscribe to my youtube channel https://www.youtube.com/channel/UC0gLxk2vYC4LtbXyjBLy4sA for more tutorials on embedded systems and Linux.