Secure Boot 
Secure Boot is a standard feature defined in the UEFI specification. It verifies the signature of each component level by level during system startup to ensure the integrity and authenticity of the boot sequence. The UEFI Secure Boot of the Linux system includes the following three procedures:
- The BIOS uses its built-in certificate to verify the signature of the shim component.
- The shim component uses its built-in certificate to verify the signature of the grub component.
- The grub component verifies the signature of the kernel component through the interface provided by the shim component.
openEuler adds support for ShangMi (SM) algorithms to the pesign EFI signature tool and its nss algorithm library. That is, openEuler supports SM3 for hash calculation, SM2 for signing and verifying EFI files. In this way, the secure boot of openEuler can be implemented using SM algorithms.
Constraints 
- The openEuler shim component supports SM-based Secure Boot, including verification of the GRUB signature by shim, and verification of the kernel signature by GRUB. The verification of the shim signature depends on the BIOS.
- An ARM64/x86 physical machine that supports UEFI Secure Boot is required.
- The pesign tool can sign signatures with a maximum level of 2.
- Currently, the pesign tool can only generate signatures but cannot verify signatures.
Preparations 
- The following software packages (or their later versions) must be installed: shell- openssl-1.1.1m-15.oe2203.aarch64 nss-3.72.0-4.oe2203.aarch64 pesign-115-2.oe2203.aarch64 shim-15.6-7.oe2203.aarch64 crypto-policies-20200619-3.git781bbd4.oe2203.noarch
- Download the source code of the openEuler shim component. Ensure that the version in the spec file is later than 15.6-7. shell- git clone https://gitee.com/src-openeuler/shim.git -b openEuler-22.03-LTS-SP1 --depth 1
- Install software packages required for building the shim component: shell- yum install elfutils-libelf-devel gcc gnu-efi gnu-efi-devel openssl-devel make git rpm-build
- Check whether the SM3 algorithm is enabled for nss. If not, modify the file content as follows: shell- cat /usr/share/crypto-policies/DEFAULT/nss.txt | grep SM3 config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048:SM3"
Generation of Keys and Certificates 
- Generate the key and certificate for signing the shim component. The shim signature is verified by the BIOS. As most BIOSs do not support SM algorithms, the RSA algorithm is used. For BIOSs that support SM algorithms you can generate the SM2 key and certificate by referring to the next step. shell- openssl genrsa -out rsa.key 4096 openssl req -new -key rsa.key -out rsa.csr -subj '/C=AA/ST=BB/O=CC/OU=DD/CN=secure boot BIOS' openssl x509 -req -days 365 -in rsa.csr -signkey rsa.key -out rsa.crt openssl x509 -in rsa.crt -out rsa.der -outform der
- Generate the SM2 key and certificate for signing the GRUB and kernel components. shell- openssl ecparam -genkey -name SM2 -out sm2.key openssl req -new -sm3 -key sm2.key -out sm2.csr -subj '/C=AA/ST=BB/O=CC/OU=DD/CN=secure boot shim' openssl x509 -req -days 3650 -signkey sm2.key -in sm2.csr -out sm2.crt openssl x509 -in sm2.crt -out sm2.der -outform der
- Create an NSS database and import the keys and certificates generated in the preceding two steps to the NSS database. shell- # The NSS database is organized in the form of directories. The storage location can be customized. mkdir certdb certutil -N -d certdb # Import the SM2 and RSA certificates to the NSS database and name them sm2 and rsa respectively. certutil -A -n sm2 -d certdb -t CT,CT,CT -i sm2.crt certutil -A -n rsa -d certdb -t CT,CT,CT -i rsa.crt # To import the SM2 and RSA keys to the NSS database, compress them into PKCS 12 files. openssl pkcs12 -export -out rsa.p12 -inkey rsa.key -in rsa.crt openssl pkcs12 -export -out sm2.p12 -inkey sm2.key -in sm2.crt pk12util -d certdb -i rsa.p12 pk12util -d certdb -i sm2.p12
shim Component Building 
- Go to the shim source code directory, modify the configuration variables in shim.spec to enable the support for SM algorithms, and specify the built-in SM2 certificate. text- %global enable_sm 1 %global vendor_cert /path/to/sm2.der
- Build the shim software package. shell- rpmbuild -ba shim.spec --define "_sourcedir $PWD"
- Install the built shim software package. shell- rpm -Uvh ~/rpmbuild/RPMS/aarch64/shim-xxx.rpm
SM Signature for UEFI Files 
- Sign the shim component with the RSA key and certificate and replace the original one. shell- # ARM64 pesign -n certdb -c rsa -s -i /boot/efi/EFI/openEuler/shimaa64.efi -o shimaa64.efi.signed cp shimaa64.efi.signed /boot/efi/EFI/openEuler/shimaa64.efi # x86 pesign -n certdb -c rsa -s -i /boot/efi/EFI/openEuler/shimx64.efi -o shimx64.efi.signed cp shimx64.efi.signed /boot/efi/EFI/openEuler/shimx64.efi
- Sign the GRUB component with the SM2 key and certificate and replace the original one. shell- # ARM64 pesign -n certdb -c sm2 -s -i /boot/efi/EFI/openEuler/grubaa64.efi -o grubaa64.efi.signed -d sm3 cp grubaa64.efi.signed /boot/efi/EFI/openEuler/grubaa64.efi # x86 pesign -n certdb -c sm2 -s -i /boot/efi/EFI/openEuler/grubx64.efi -o grubx64.efi.signed -d sm3 cp grubx64.efi.signed /boot/efi/EFI/openEuler/grubx64.efi
- Sign the kernel component with the SM2 key and certificate and replace the original one. (Note that the file name contains the actual version number.) shell- # For the ARM64 architecture,you need to decompress and sign the component, and compress it again. cp /boot/vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64 vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64.gz gzip -d vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64.gz pesign -n certdb -c sm2 -s -i vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64 -o vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64.signed -d sm3 gzip vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64.signed cp vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64.signed.gz /boot/vmlinuz-5.10.0-126.0.0.66.oe2203.aarch64 # x86 pesign -n certdb -c sm2 -s -i /boot/vmlinuz-5.10.0-126.0.0.66.oe2203.x86_64 -o vmlinuz-5.10.0-126.0.0.66.oe2203.x86_64.signed -d sm3 cp vmlinuz-5.10.0-126.0.0.66.oe2203.x86_64.signed /boot/vmlinuz-5.10.0-126.0.0.66.oe2203.x86_64
- Check the signature information. The following uses shim and GRUB as examples: shell- pesign -S -i /boot/efi/EFI/openEuler/grubaa64.efi pesign -S -i /boot/efi/EFI/openEuler/shimaa64.efi
Secure Boot 
Enter the BIOS, import the certificate for signing the shim component, and enable the Secure Boot option. The operation method varies depending on the BIOS. The following uses the Kunpeng 2280 v2 server as an example:
- Place the RSA certificate for signing the shim component in the /boot/efi/EFI/openEuler directory. shell- cp rsa.der /boot/efi/EFI/openEuler
- Restart the system. 
- Enter BIOS to enable Secure Boot: text- Setup > Security > Secure Boot > Enable
- Set the Secure Boot mode to custom: text- Setup > Security > Secure Boot Certificate Configuration > Secure Boot Mode > Custom
- Import the Secure Boot certificate: text- Setup > Security > Secure Boot Certificate Configuration > Options Related to Secure Boot Custom Mode > DB Options > Import Signature > Add Signature by File > Select rsa.der > Save and exit.
- Save the configuration and restart the system. The system is started successfully. Secure Boot is enabled. shell- mokutil --sb-state SecureBoot enabled