Secure Boot

Overview

Secure Boot relies on public and private key pairs to sign and verify the components of the boot process. During boot, each component authenticates the digital signature of the next component before handing over control. If the authentication succeeds, the next component runs; if it fails, the boot stops. Secure Boot thus ensures the integrity of each component during system startup and prevents unauthenticated components from being loaded and run, protecting the system and user data.

In Secure Boot, the components authenticated and loaded in sequence are the BIOS, shim, GRUB, and vmlinuz (the kernel image).

The related EFI startup components are signed by the openEuler signature platform using signcode. The public key certificate is integrated into the BIOS signature database. During boot, the BIOS verifies shim; shim and GRUB then obtain the public key certificate from the BIOS signature database and verify the next-level components.

Background and Solutions

In earlier openEuler versions, the secure boot components were not signed, so the secure boot function could not be used directly to ensure the integrity of system components.

In openEuler 22.03 LTS SP3 and later versions, openEuler uses the community signature platform to sign OS components, including GRUB and vmlinuz, and integrates the community signature root certificate into the shim component.

To enable end-to-end secure boot, the shim component is also signed by the openEuler community signature platform. Once external CAs officially operate a secure boot component signature service, the signatures of these CAs will be integrated into the openEuler shim module.

Enabling Secure Boot

Prerequisites

  • openEuler 22.03 LTS SP3 or later is installed (openEuler 24.03 LTS or later is required if CFCA secure boot is used).
  • The openEuler everything repository is configured.
  • The UEFI boot mode is enabled.

Implementation Steps

Step 1: Obtain the secure boot certificate.

For openEuler certificates: Download from https://www.openeuler.org/en/security/security-bulletins/ under Certificate Center. The root certificate is labeled openEuler Shim Default CA (default-x509ca.cert).

For CFCA certificates: Download from https://www.cfca.com.cn/ (currently unavailable; contact openEuler Security Committee at openeuler-security@openeuler.org for access).

Step 2: Move the certificate to the /boot/efi/EFI directory.

```shell
mv <certificate-file> /boot/efi/EFI/
```

Step 3: Install the shim-signed package (skip if not using CFCA-signed components).

```shell
yum install -y shim-signed
```

Step 4: For CFCA shim, perform the following backup and replacement steps (skip if using openEuler-signed shim):

```shell
mv /boot/efi/EFI/openEuler/shimx64.efi /boot/efi/EFI/openEuler/shimx64_bck.efi
mv /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/BOOTX64_bck.EFI
cp /boot/efi/EFI/BOOT/BOOTX64_CFCA.EFI /boot/efi/EFI/BOOT/BOOTX64.EFI
cp /boot/efi/EFI/BOOT/BOOTX64_CFCA.EFI /boot/efi/EFI/openEuler/shimx64.efi
```

Step 5: Import the root certificate into the BIOS db certificate store and enable secure boot in BIOS settings. Consult the BIOS manufacturer's documentation for specific instructions.

Step 6: After rebooting, verify the secure boot status.

```shell
mokutil --sb
```

The command prints one of the following:

  • SecureBoot disabled: Secure boot is disabled.
  • SecureBoot enabled: Secure boot is enabled.
  • not supported: The system does not support secure boot.
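As an added post-deployment check (example code, not part of the openEuler documentation), the script below reads the SecureBoot and SetupMode UEFI variables that mokutil consults and then verifies shim, GRUB, and the running kernel against the Step 1 certificate with sbverify. It assumes sbsigntools is installed, that the certificate is in PEM form (convert a DER download with openssl x509 -inform DER), and the GRUB path /boot/efi/EFI/openEuler/grubx64.efi on x86.

```shell
#!/bin/sh
# Secure Boot audit for an openEuler host (added example; paths below are assumptions).
set -eu

EFIVARS=/sys/firmware/efi/efivars
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Read a one-byte UEFI variable from an efivarfs file.
# efivarfs prefixes the data with 4 bytes of attributes, so the value is byte 5.
efivar_u8() {
    od -A n -t u1 -j 4 -N 1 "$1" | tr -d ' '
}

# Print enabled, disabled or unsupported for the efivars directory given (default: live system).
# Enforcement requires SecureBoot=1 AND SetupMode=0: in setup mode the db can be
# rewritten without authentication, so a "1" alone is not enough.
sb_state() {
    dir=${1:-$EFIVARS}
    sb="$dir/SecureBoot-$EFI_GLOBAL"
    setup="$dir/SetupMode-$EFI_GLOBAL"
    if [ ! -r "$sb" ] || [ ! -r "$setup" ]; then
        echo unsupported
        return
    fi
    if [ "$(efivar_u8 "$sb")" = 1 ] && [ "$(efivar_u8 "$setup")" = 0 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Verify the Authenticode signature of one EFI binary against a PEM CA certificate.
verify_component() {
    if sbverify --cert "$1" "$2" >/dev/null 2>&1; then
        echo "OK    $2"
    else
        echo "FAIL  $2"; return 1
    fi
}

# Walk the chain the page describes: shim, then GRUB, then the kernel image.
audit_chain() {
    rc=0
    for f in /boot/efi/EFI/openEuler/shimx64.efi \
             /boot/efi/EFI/openEuler/grubx64.efi \
             "/boot/vmlinuz-$(uname -r)"; do
        verify_component "$1" "$f" || rc=1
    done
    return $rc
}

# Usage: sb-audit.sh /path/to/openEuler-root-ca.pem
if [ $# -gt 0 ]; then
    echo "Secure Boot: $(sb_state)"
    audit_chain "$1"
fi
```

A non-zero exit means at least one component does not chain to the supplied certificate, which after Step 4 would indicate a shim or GRUB that was not replaced or signed as expected.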

Constraints

  • Software: The OS must be booted in UEFI mode.
  • Architecture: Arm or x86
  • Hardware: The BIOS must support the verification function related to secure boot.