RidgeRun Platform Security Manual/Getting Started/Secure Boot: Difference between revisions

RidgeRun Platform Security Manual/Getting Started/Secure Boot (view source)

Revision as of 15:10, 6 March 2025

139 bytes added , 6 March

→‎Generate RSA key pairs, certificates and EFI signature list File

Chidalgo

130

edits

❯

@@ Line 97: / Line 97: @@
 ==== Generate RSA key pairs, certificates and EFI signature list File ====
-In order to activate UEFI Secure Boot, first, let's generate the Platform Key(PK) RSA pair:
+In order to activate UEFI Secure Boot, first, let's generate the Platform Key(PK) and certificate:
 <syntaxhighlight lang="bash">
@@ Line 117: / Line 117: @@
 * -out PK.crt: This specifies the output file for the certificate, named PK.crt
-Convert an X.509 certificate into an EFI signature list.
+Generate the PK EFI signature list from X.509 certificate.
 <syntaxhighlight lang="bash">
@@ Line 127: / Line 127: @@
 * PK.esl: This is the output file, which will be the EFI signature list. The .esl extension is commonly used for EFI signature lists.
+Generate the KEK RSA key and certificate:
-Generate the KEK RSA Key Pair, Certificate, and EFI Signature List File:
 <syntaxhighlight lang="bash">
@@ Line 143: / Line 142: @@
 * -subj "/CN= Key Exchange Key/": Sets the subject of the certificate, which contains information about the certificate's owner.
 * -out KEK.crt: This specifies the output file for the certificate, named KEK.crt
+Generate the KEK EFI signature list from X.509 certificate.
 <syntaxhighlight lang="bash">
@@ Line 152: / Line 153: @@
 * KEK.esl: This is the output file, which will be the EFI signature list. The .esl extension is commonly used for EFI signature lists.
-Generate the db_1 and db_2 RSA Key Pair, Certificate, and EFI Signature List File
+Generate the db_1 RSA Key and certificate.
-* db_1:
 <syntaxhighlight lang="bash">
@@ Line 169: / Line 168: @@
 * -subj "/CN= My Signature Database/": Sets the subject of the certificate, which contains information about the certificate's owner.
 * -out db_1.crt: This specifies the output file for the certificate, named db_1.crt
+Generate the db_1 EFI signature list from X.509 certificate.
 <syntaxhighlight lang="bash>
@@ Line 178: / Line 179: @@
 * db_1.esl: This is the output file, which will be the EFI signature list. The .esl extension is commonly used for EFI signature lists.
-* db_2
+Generate the db_2 RSA Key and certificate.
 <syntaxhighlight lang="bash">
@@ Line 193: / Line 194: @@
 * -subj "/CN= My another Signature Database/": Sets the subject of the certificate, which contains information about the certificate's owner.
 * -out db_2.crt: This specifies the output file for the certificate, named db_2.crt
+Generate the db_2 EFI signature list from X.509 certificate.
 <syntaxhighlight lang="bash>
@@ Line 223: / Line 226: @@
 <syntaxhighlight lang="bash>
-uefi_keys$ uefi_keys$ ls
+uefi_keys$ ls
 db_1.crt  db_1.key  db_2.esl  KEK.crt  KEK.key  PK.esl  db_1.esl  db_2.crt  db_2.key  KEK.esl  PK.crt   PK.key
 </syntaxhighlight>