Enable UEFI Secure Boot on an embedded system

Prashant Divate
3 min read · Aug 29, 2022


What is UEFI boot?

UEFI (Unified Extensible Firmware Interface) is a specification developed by the UEFI Forum that standardizes the interface between platform firmware and the operating system; it was designed to replace the legacy BIOS on PC architectures.

Nowadays UEFI is everywhere: it has long been the default on PCs and servers, and it is now the norm on arm64 platforms as well.

Note that GRUB can run on top of U-Boot's own API, but only in its 32-bit arm port; no distribution supports that path on arm64 or x86, so a UEFI interface from the firmware is the portable choice.

Secure Boot: how does it work?

Let's first understand the non-secure environment: with Secure Boot off, the firmware loads and runs any EFI binary it finds on the EFI system partition, whether it is signed or not.

UEFI Secure Boot is also available in U-Boot, where it was introduced in release v2020.10.

As the name suggests, it is a security framework in the boot sequence designed to keep malware from executing: only trusted software (EFI applications and OS kernels) is loaded and executed while control is handed from the firmware to the OS. "Trusted" here means signed by a key the firmware has been told to accept.

A trusted boot chain starts from a hardware root of trust, and each stage is validated by the stage before it, so tampering anywhere in the chain is detected at the next handoff. UEFI Secure Boot only covers the chain from the firmware onwards; the firmware image itself has to be protected by the SoC's boot ROM and flash write protection, which is outside UEFI's scope.

How to build a UEFI boot package?

Step-1: Get and compile a Secure Boot-enabled UEFI firmware build (the UEFI specification is published at http://www.uefi.org)

Step-2: Compile the kernel and initrd

Step-3: Generate an RSA key pair and an X.509 certificate

Step-4: Use the generated key to sign the kernel image. Only what is signed gets verified: a separate initrd loaded by the bootloader is not covered by the kernel's signature unless it is bundled into the signed EFI image.
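Steps 3 and 4 in working form, as an added example that is not part of the original article: it generates the RSA key and X.509 certificate, signs a PE/COFF kernel image, and verifies the signature locally before the certificate is enrolled in db. It assumes openssl and the sbsigntools package (sbsign/sbverify) are installed; the file names (db.key, db.crt, db.cer) and the image paths are illustrative.

```shell
#!/bin/sh
# Added example, not the article's own code. Assumes openssl and sbsigntools
# (sbsign, sbverify) are on the PATH; all file names here are illustrative.
set -eu

# Step 3: RSA key pair and a self-signed X.509 certificate.
# Writes db.key (PEM private key), db.crt (PEM certificate) and db.cer
# (DER-encoded certificate, the form EDK2-based enrollment menus expect).
gen_keys() {
    dir=$1
    mkdir -p "$dir"
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -subj "/CN=Embedded Secure Boot db key/" \
        -keyout "$dir/db.key" -out "$dir/db.crt" 2>/dev/null
    openssl x509 -in "$dir/db.crt" -outform DER -out "$dir/db.cer"
    chmod 600 "$dir/db.key"   # the private key must never ship on the device
}

# Step 4: sign the PE/COFF kernel image (bzImage or Image.efi) with the db key.
sign_kernel() {
    dir=$1; image=$2; out=$3
    sbsign --key "$dir/db.key" --cert "$dir/db.crt" --output "$out" "$image"
}

# Local check that mirrors what the firmware does at boot: the Authenticode
# signature on the image must verify against the certificate that will be in db.
verify_kernel() {
    dir=$1; image=$2
    sbverify --cert "$dir/db.crt" "$image"
}

# SHA-256 fingerprint of the certificate, handy for confirming in the firmware
# menu that the entry enrolled in db is the one you generated.
cert_fingerprint() {
    openssl x509 -in "$1/db.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: sh sign.sh keys/ arch/x86/boot/bzImage bzImage.signed
if [ $# -eq 3 ]; then
    [ -f "$1/db.key" ] || gen_keys "$1"
    sign_kernel "$1" "$2" "$3"
    verify_kernel "$1" "$3"
    echo "db certificate SHA-256 fingerprint: $(cert_fingerprint "$1")"
fi
```

Copy db.cer to the EFI system partition so the firmware's "enroll using file" dialog can find it; db.key stays on the build host. Re-run verify_kernel on the exact file you put on the device, since the firmware verifies the file it loads, not the one you signed on the build host.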

Demo: once the system is powered on, press Esc to drop into the boot manager prompt.

To set the Secure Boot related configuration go to Device Manager > Secure Boot Configuration > Secure Boot Mode and select Custom Mode, as below:

Then configure the custom Secure Boot options:

As discussed in the secure boot chain diagram, the firmware must hold the certificate used to validate the kernel (plus any initrd bundled into the signed image). These certificates live in authenticated UEFI variables in the firmware's non-volatile storage, not on the EFI partition, and the menu shows the different key databases:

  1. PK option: the Platform Key, the top-level owner key; enrolling it takes the firmware out of Setup Mode and switches enforcement on
  2. KEK option: Key Exchange Keys, which authorize updates to db and dbx
  3. DB option: the allowed-signature database; this is the one we need

db is effectively an allow-list: if the image's signer (or the image's hash) is present in db, the image is allowed to execute and the boot process proceeds. There is also a dbx forbidden list, which is consulted first, so a signer or hash in dbx is rejected even if it also appears in db.

Click on the PK option > enroll signature > enroll using file, choose the .pub cert and commit.

Click on the DB option > enroll signature > enroll using file, choose the .pub cert and commit.

Enrolling the PK is what moves the firmware from Setup Mode into User Mode; from then on only images whose signer is in db will run, so enroll the db certificate and put the signed kernel in place before rebooting.

Now boot again into the EFI internal shell and load the signed kernel image:

If the signed kernel image verifies successfully you will see the log line:
UEFI secure boot is enabled

If the signature does not match, the firmware refuses to load the image and reports a security violation instead.
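A way to confirm from the booted Linux system that the firmware really is enforcing, rather than still sitting in Setup Mode, as an added example that is not part of the original article. It decodes the SecureBoot and SetupMode variables that the kernel exposes under /sys/firmware/efi/efivars; each file there is a 4-byte attribute header followed by the variable data, and both of these variables carry a single data byte. The GUID is the EFI global variable GUID; the sample efivars directory is constructed for offline use and is not real firmware data.

```shell
#!/bin/sh
# Added example, not the article's own code. Decodes the SecureBoot and
# SetupMode UEFI variables from an efivars directory (real or constructed).
set -eu

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}

# Print the first data byte of an efivars file as a decimal number.
# Offset 4 skips the 4-byte attribute word that efivarfs prepends to the data.
efivar_data_byte() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Report the boot state for a directory of efivars files:
#   "enforcing" : SetupMode=0 and SecureBoot=1, signatures are checked
#   "setup"     : SetupMode=1, no PK enrolled, anything boots and keys can be changed freely
#   "disabled"  : a PK is present but SecureBoot=0
#   "no-efi"    : variables absent (legacy boot, or efivarfs not mounted)
secure_boot_state() {
    dir=$1
    sb="$dir/SecureBoot-$EFI_GLOBAL_GUID"
    sm="$dir/SetupMode-$EFI_GLOBAL_GUID"
    if ! [ -r "$sb" ] || ! [ -r "$sm" ]; then
        echo no-efi
        return 0
    fi
    if [ "$(efivar_data_byte "$sm")" = 1 ]; then
        echo setup
    elif [ "$(efivar_data_byte "$sb")" = 1 ]; then
        echo enforcing
    else
        echo disabled
    fi
}

# Write one constructed efivars-style file: attributes 0x00000006
# (BOOTSERVICE_ACCESS | RUNTIME_ACCESS) little-endian, then a 0/1 data byte.
write_sample_var() {
    { printf '\006\000\000\000'; printf "\\$(printf '%03o' "$2")"; } > "$1"
}

# Build a constructed efivars directory (not real firmware data) for offline testing.
make_sample_efivars() {
    mkdir -p "$1"
    write_sample_var "$1/SecureBoot-$EFI_GLOBAL_GUID" "$2"
    write_sample_var "$1/SetupMode-$EFI_GLOBAL_GUID" "$3"
}

# Usage on a real target: sh sbstate.sh --live
if [ "${1:-}" = "--live" ]; then
    secure_boot_state "$EFIVARS"
fi
```

"setup" is the state to watch for on a freshly flashed board: the kernel still boots and may even log that the image was signed, but nothing is being enforced until a PK has been enrolled and the firmware has left Setup Mode.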

Whoa!! That's how UEFI Secure Boot works.

Part-2 : https://prashant-divate.medium.com/uefi-boot-and-rauc-integration-in-yocto-377bb9cd3df3

Don’t forget to like, comment, and subscribe to my youtube channel https://www.youtube.com/channel/UC0gLxk2vYC4LtbXyjBLy4sA for more tutorials on embedded systems and Linux.


Prashant Divate

An Embedded Software Engineer. Artist by nature and developer by passion, passionate learner. Open source lover and after all a wonderful human being.