Secure Boot ​

Secure Boot is a standard feature defined in the UEFI specification. It verifies the signature of each component level by level during system startup to ensure the integrity and authenticity of the boot sequence. The UEFI Secure Boot of the Linux system includes the following three procedures:

1. The BIOS uses its built-in certificate to verify the signature of the shim component.
2. The shim component uses its built-in certificate to verify the signature of the grub component.
3. The grub component verifies the signature of the kernel component through the interface provided by the shim component.

openEuler adds support for ShangMi (SM) algorithms to the pesign EFI signature tool and its nss algorithm library. That is, openEuler supports SM3 for hash calculation, SM2 for signing and verifying EFI files. In this way, the secure boot of openEuler can be implemented using SM algorithms.

Constraints ​

• The openEuler shim component supports SM-based Secure Boot, including verification of the GRUB signature by shim, and verification of the kernel signature by GRUB. The verification of the shim signature depends on the BIOS.
• An ARM64/x86 physical machine that supports UEFI Secure Boot is required.
• The pesign tool can sign signatures with a maximum level of 2.
• Currently, the pesign tool can only generate signatures but cannot verify signatures.

Preparations ​

1. The following software packages (or their later versions) must be installed:

   shell

   openssl-1.1.1m-15.oe2203.aarch64
   nss-3.72.0-4.oe2203.aarch64
   pesign-115-2.oe2203.aarch64
   shim-15.6-7.oe2203.aarch64
   crypto-policies-20200619-3.git781bbd4.oe2203.noarch

2. Download the source code of the openEuler shim component. Ensure that the version in the spec file is later than 15.6-7.

   shell

   git clone https://gitee.com/src-openeuler/shim.git -b openEuler-22.03-LTS-SP1 --depth 1

3. Install software packages required for building the shim component:

   shell

   yum install elfutils-libelf-devel gcc gnu-efi gnu-efi-devel openssl-devel make git rpm-build

4. Check whether the SM3 algorithm is enabled for nss. If not, modify the file content as follows:

   shell

   cat /usr/share/crypto-policies/DEFAULT/nss.txt | grep SM3
   config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048:SM3"

Generation of Keys and Certificates ​

1. Generate the key and certificate for signing the shim component. The shim signature is verified by the BIOS. As most BIOSs do not support SM algorithms, the RSA algorithm is used. For BIOSs that support SM algorithms you can generate the SM2 key and certificate by referring to the next step.

   shell

   openssl genrsa -out rsa.key 4096
   openssl req -new -key rsa.key -out rsa.csr -subj '/C=AA/ST=BB/O=CC/OU=DD/CN=secure boot BIOS'
   openssl x509 -req -days 365 -in rsa.csr -signkey rsa.key -out rsa.crt
   openssl x509 -in rsa.crt -out rsa.der -outform der

2. Generate the SM2 key and certificate for signing the GRUB and kernel components.

   shell

   openssl ecparam -genkey -name SM2 -out sm2.key
   openssl req -new -sm3 -key sm2.key -out sm2.csr -subj '/C=AA/ST=BB/O=CC/OU=DD/CN=secure boot shim'
   openssl x509 -req -days 3650 -signkey sm2.key -in sm2.csr -out sm2.crt
   openssl x509 -in sm2.crt -out sm2.der -outform der

3. Create an NSS database and import the keys and certificates generated in the preceding two steps to the NSS database.

   shell

   # The NSS database is organized in the form of directories. The storage location can be customized.
   mkdir certdb
   certutil -N -d certdb
   # Import the SM2 and RSA certificates to the NSS database and name them sm2 and rsa respectively.
   certutil -A -n sm2 -d certdb -t CT,CT,CT -i sm2.crt
   certutil -A -n rsa -d certdb -t CT,CT,CT -i rsa.crt
   # To import the SM2 and RSA keys to the NSS database, compress them into PKCS 12 files.
   openssl pkcs12 -export -out rsa.p12 -inkey rsa.key -in rsa.crt
   openssl pkcs12 -export -out sm2.p12 -inkey sm2.key -in sm2.crt
   pk12util -d certdb -i rsa.p12
   pk12util -d certdb -i sm2.p12

shim Component Building ​

1. Go to the shim source code directory, modify the configuration variables in shim.spec to enable the support for SM algorithms, and specify the built-in SM2 certificate.

   text

   %global enable_sm 1
   %global vendor_cert /path/to/sm2.der

2. Build the shim software package.

   shell

   rpmbuild -ba shim.spec --define "_sourcedir $PWD"

3. Install the built shim software package.

   shell

   rpm -Uvh ~/rpmbuild/RPMS/aarch64/shim-xxx.rpm

SM Signature for UEFI Files ​

1. Sign the shim component with the RSA key and certificate and replace the original one.

   shell

   # ARM64
   pesign -n certdb -c rsa -s -i /boot/efi/EFI/openEuler/shimaa64.efi -o shimaa64.efi.signed
   cp shimaa64.efi.signed /boot/efi/EFI/openEuler/shimaa64.efi
   # x86
   pesign -n certdb -c rsa -s -i /boot/efi/EFI/openEuler/shimx64.efi -o shimx64.efi.signed
   cp shimx64.efi.signed /boot/efi/EFI/openEuler/shimx64.efi

2. Sign the GRUB component with the SM2 key and certificate and replace the original one.

   shell

   # ARM64
   pesign -n certdb -c sm2 -s -i /boot/efi/EFI/openEuler/grubaa64.efi -o grubaa64.efi.signed -d sm3
   cp grubaa64.efi.signed /boot/efi/EFI/openEuler/grubaa64.efi
   # x86
   pesign -n certdb -c sm2 -s -i /boot/efi/EFI/openEuler/grubx64.efi -o grubx64.efi.signed -d sm3
   cp grubx64.efi.signed /boot/efi/EFI/openEuler/grubx64.efi

3. Sign the kernel component with the SM2 key and certificate and replace the original one. (Note that the file name contains the actual version number.)

   shell

   # For the ARM64 architecture,you need to decompress and sign the component, and compress it again.
   cp /boot/vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64 vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64.gz
   gzip -d vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64.gz
   pesign -n certdb -c sm2 -s -i vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64 -o vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64.signed -d sm3
   gzip vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64.signed
   cp vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64.signed.gz /boot/vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64
   # x86
   pesign -n certdb -c sm2 -s -i /boot/vmlinuz-5.10.0-126.0.0.66.oe2203.x86_64 -o vmlinuz-5.10.0-126.0.0.66.oe2203.x86_64.signed -d sm3
   cp vmlinuz-5.10.0-126.0.0.66.oe2203.x86_64.signed /boot/vmlinuz-5.10.0-126.0.0.66.oe2203.x86_64

4. Check the signature information. The following uses shim and GRUB as examples:

   shell

   pesign -S -i /boot/efi/EFI/openEuler/grubaa64.efi 
   pesign -S -i /boot/efi/EFI/openEuler/shimaa64.efi

Secure Boot ​

Enter the BIOS, import the certificate for signing the shim component, and enable the Secure Boot option. The operation method varies depending on the BIOS. The following uses the Kunpeng 2280 v2 server as an example:

1. Place the RSA certificate for signing the shim component in the /boot/efi/EFI/openEuler directory.

   shell

   cp rsa.der /boot/efi/EFI/openEuler

2. Restart the system.

3. Enter BIOS to enable Secure Boot:

   text

   Setup > Security > Secure Boot > Enable

4. Set the Secure Boot mode to custom:

   text

   Setup > Security > Secure Boot Certificate Configuration > Secure Boot Mode > Custom

5. Import the Secure Boot certificate:

   text

   Setup > Security > Secure Boot Certificate Configuration > Options Related to Secure Boot Custom Mode > DB Options > Import Signature > Add Signature by File > Select rsa.der > Save and exit.

6. Save the configuration and restart the system. The system is started successfully. Secure Boot is enabled.

   shell

   mokutil --sb-state
   SecureBoot enabled