Diffstat (limited to 'bsp/meta-intel/documentation/secureboot')
-rw-r--r-- | bsp/meta-intel/documentation/secureboot/README | 38 |
1 files changed, 0 insertions, 38 deletions
diff --git a/bsp/meta-intel/documentation/secureboot/README b/bsp/meta-intel/documentation/secureboot/README deleted file mode 100644 index 3d5703bb..00000000 --- a/bsp/meta-intel/documentation/secureboot/README +++ /dev/null @@ -1,38 +0,0 @@ -Currently, only one implementation of Secure Boot is available out of the box, -which is using a single signed EFI application to directly boot the kernel with -an optional initramfs. - -This can be added to your build either through local.conf, or via your own -custom image recipe. - -If you are adding it via local.conf, set the following variables: - -IMAGE_FEATURES += "secureboot" -WKS_FILE = "generic-bootdisk.wks.in" -SECURE_BOOT_SIGNING_KEY = "/path/to/your/signing/key" -SECURE_BOOT_SIGNING_CERT = "/path/to/your/signing/cert" -IMAGE_CLASSES += "uefi-comboapp" - -If working with an image recipe, you can inherit uefi-comboapp directly instead -of using the IMAGE_CLASSES variable. - -The signing keys and certs can be created via openssl commands. Here's an -example: -openssl req -new -x509 -newkey rsa:2048 -subj "/CN=your-subject/" -keyout \ -your-key.key -out your-key.crt -days 365 -nodes -sha256 -openssl x509 -in your-key.crt -out your-key.cer -outform DER - -The .crt file is your SECURE_BOOT_SIGNING_CERT, and the .key file is your -SECURE_BOOT_SIGNING_KEY. - -You should enroll the .crt key in your firmware under the PK, KEK, and DB -options (methods are different depending on your firmware). If a key should ever -become invalid, enroll it under DBX to blacklist it. - -The comboapp can be further manipulated in a number of ways. You can modify the -kernel command line via the APPEND variable, you can change the default UUID via -the DISK_SIGNATURE_UUID variable, and you can modify the contents of the -initramfs via the INITRD_IMAGE or INITRD_LIVE variables. - -A simple Secure Boot enabled image used for testing can be viewed at: -common/recipes-selftest/images/secureboot-selftest-image-signed.bb |
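Review bot: the whole-file deletion (the single hunk, @@ -1,38 +0,0 @@) removes the only description shown here of the local.conf settings for this feature (IMAGE_FEATURES += "secureboot", SECURE_BOOT_SIGNING_KEY, SECURE_BOOT_SIGNING_CERT, IMAGE_CLASSES += "uefi-comboapp"), and the diffstat, which is limited to this directory, shows no replacement. Please state in the commit whether the uefi-comboapp class and the selftest recipe named in the last lines (common/recipes-selftest/images/secureboot-selftest-image-signed.bb) are removed in the same change. If they remain, move this text rather than dropping it, because it is what tells users which generated file is the signing key, which is the cert, and that a key which becomes invalid is to be enrolled under DBX.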