Date: Sat, 3 Jun 2023 01:44:40 +0400
From: "Joursoir"
To: devel@edk2.groups.io
Subject: [edk2-devel] [PATCH] OvmfPkg/README: Document Secure Boot
Message-ID: <20230603014440.1be9afef@reeva>
Reply-To: devel@edk2.groups.io,chat@joursoir.net
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Add the new section for Secure Boot.

Signed-off-by: Alexander Goncharov
---
 OvmfPkg/README | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/OvmfPkg/README b/OvmfPkg/README
index 0a408abf01..e106e19818 100644
--- a/OvmfPkg/README
+++ b/OvmfPkg/README
@@ -120,6 +120,42 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom /path/to/disk-image.iso To build a 32-bit OVMF without debug messages using GCC 4.8: $ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48 =20 +=3D=3D=3D Secure Boot =3D=3D=3D + +Secure Boot is a security feature that ensures only trusted and digitally +signed software is allowed to run during the boot process. + +* In order to support Secure Boot, OVMF must be built with the + "-D SECURE_BOOT_ENABLE" option. + +* By default, OVMF is not shipped with any SecureBoot keys installed. The user + need to install them with "Secure Boot Configuration" utility in the firmware + UI, or enroll the default UEFI keys using the OvmfPkg/EnrollDefaultKeys app. + + For the EnrollDefaultKeys application, the hypervisor is expected to add a + string entry to the "OEM Strings" (Type 11) SMBIOS table. The string should + have the following format: + + 4e32566d-8e9e-4f52-81d3-5bb9715f9727: + + Such string can be generated with the following script, for example: + + sed \ + -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \ + -e '/^-----END CERTIFICATE-----$/d' \ + PkKek1.pem \ + | tr -d '\n' \ + > PkKek1.oemstr + + - Using QEMU 5.2 or later, the SMBIOS type 11 field can be specified from a + file: + + -smbios type=3D11,path=3DPkKek1.oemstr \ + + - Using QEMU 5.1 or earlier, the string has to be passed as a value: + + -smbios type=3D11,value=3D"$(< PkKek1.oemstr)" + =3D=3D=3D SMM support =3D=3D=3D =20 Requirements: --=20 2.40.1 --=20 Joursoir -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#105718): https://edk2.groups.io/g/devel/message/105718 Mute This Topic: https://groups.io/mt/99337916/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
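Review bot: The "format" line in the EnrollDefaultKeys paragraph stops at the GUID and colon (`4e32566d-8e9e-4f52-81d3-5bb9715f9727:`) without saying what comes after it; the sed/tr pipeline directly below shows the answer (the certificate's base64 body with the BEGIN/END CERTIFICATE lines and all newlines removed), so spell it out, e.g. `4e32566d-8e9e-4f52-81d3-5bb9715f9727:<base64 body of PkKek1.pem on one line>`, so a reader can check an OEM string without reverse-engineering the script. Wording in the same bullet: "The user need to install" should be "The user needs to install", "SecureBoot keys" should use the "Secure Boot" spelling the rest of the section uses, and "Such string can be generated" reads better as "Such a string can be generated". Both `-smbios type=11,...` lines end in a ` \` continuation with nothing following; either drop the backslash or show them inside a complete qemu command line, as the `-cdrom` example just above the hunk does. Finally, since the certificate in PkKek1.pem is what the guest enrolls as its trust root, it is worth stating plainly that whoever controls the hypervisor's SMBIOS OEM string controls the enrolled keys, and adding a pointer to the `=== SMM support ===` section that follows, because readers turning on Secure Boot will want to know whether their build also protects the variable store those keys live in.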