RidgeRun Platform Security Manual/Getting Started/Secure Boot: Difference between revisions

RidgeRun Platform Security Manual RidgeRun documentation is currently under development. Check back soon to get the full details of RidgeRun's support for this platform. Kindly Contact RidgeRun OR send an email to support@ridgerun.com if you have any inquiries.

Secure Boot

UEFI Secure Boot

How does UEFI Secure Boot Works?

UEFI Secure Boot employs RSA digital signatures to authenticate and verify the integrity of the code it loads during startup. Below are the main components used:

• Platform Key (PK) : Top-level key, is used to sign KEK.
• Key Exchange Key (KEK) : Keys used to sign Signatures Database.
• Signature Database (db) : Contains keys to sign UEFI payloads.

These keys and keys database are first saved in the form of UEFI authenticated variable. This is done so that when UEFI payloads are loaded, they are verified looking for the associated certificate/key and comparing it to the ones on db (key database). If they do not the have the right certificate/key, the boot process will not finish as expected. The UEFI payloads are:

• extlinux.conf
• initrd
• kernerl images (in rootfs, and in kernel and recovery partitions)
• kernel-dtb images (in rootfs, and in kernel-dtb and recovery-dtb partitions)
• BOOTAA64.efi

Set up working directory

Create a working directory. For this example it is going be nvidia-jetson:

mkdir nvidia-jetson

Download and extract the NVIDIA Jetson Board Support Package:

Download the Driver Package (BSP) and Sample Root Filesystem from the drivers section on the following link. Extract the downloaded files with the following commands:

tar xf Jetson_Linux_R36.4.0_aarch64.tbz2 -C nvidia-jetson/
sudo tar xpf Tegra_Linux_Sample-Root-Filesystem_R36.0.0_aarch64.tbz2 -C \
nvidia-jetson/Linux_for_Tegra/rootfs

Run the following scripts inside the Linux for tegra directory:

cd nvidia-jetson/Linux_for_Tegra

sudo ./tools/l4t_flash_prerequisites.sh

sudo ./apply_binaries.sh

Output should look like the following:

.
.
.
L4T BSP package installation completed!
Disabling NetworkManager-wait-online.service
Disable the ondemand service by changing the runlevels to 'K'
Success!

(Optional) Create a Default User

 sudo ./tools/l4t_create_default_user.sh -u <user_name> -p <password>

And we are ready to start the process to enable UEFI Secure Boot.

To enable UEFI Secure Boot, first install the following dependencies:

• openssl:

sudo apt install openssl

• device-tree-compiler:

sudo apt install device-tree-compiler

• efitools:

sudo apt install efitools

• uuid-runtime:

sudo apt install uuid-runtime

Generate RSA key pairs, certificates and EFI signature list File

In order to activate UEFI Secure Boot, first, let's generate the Platform Key(PK) RSA pair, certificate, and EFI signature list file:

mkdir uefi_keys
cd uefi_keys

openssl req -newkey rsa:2048 -nodes -keyout PK.key  -new -x509 -sha256 -days 3650 -subj "/CN=my Platform Key/" -out PK.crt

cert-to-efi-sig-list -g "${GUID}" PK.crt PK.esl

Generate the KEK RSA Key Pair, Certificate, and EFI Signature List File:

openssl req -newkey rsa:2048 -nodes -keyout KEK.key  -new -x509 -sha256 -days 3650 -subj "/CN=my Key Exchange Key/" -out KEK.crt

cert-to-efi-sig-list -g "${GUID}" KEK.crt KEK.esl

Generate the db_1 and db_2 RSA Key Pair, Certificate, and EFI Signature List File

• db_1:

openssl req -newkey rsa:2048 -nodes -keyout db_1.key  -new -x509 -sha256 -days 3650 -subj "/CN=my Signature Database key/" -out db_1.crt

cert-to-efi-sig-list -g "${GUID}" db_1.crt db_1.esl

• db_2

openssl req -newkey rsa:2048 -nodes -keyout db_2.key  -new -x509 -sha256 -days 3650 -subj "/CN=my another Signature Database key/" -out db_2.crt

cert-to-efi-sig-list -g "${GUID}" db_2.crt db_2.esl

Output should look like the following:

Generating a RSA private key
.............................+++++
.....+++++
writing new private key to 'PK.key'
-----

Generating a RSA private key
......+++++
.+++++
writing new private key to 'db_2.key'
-----

and you should get three files (.crt .esl .key):

uefi_keys$ ls
PK.crt  PK.esl  PK.key

Create the UEFI Keys Config File

Open a file named uefi_keys.conf with your prefered text editor and add these lines:

UEFI_DB_1_KEY_FILE="db_1.key";  # UEFI payload signing key
UEFI_DB_1_CERT_FILE="db_1.crt"; # UEFI payload signing key certificate

UEFI_DEFAULT_PK_ESL="PK.esl"
UEFI_DEFAULT_KEK_ESL_0="KEK.esl"

UEFI_DEFAULT_DB_ESL_0="db_1.esl"
UEFI_DEFAULT_DB_ESL_1="db_2.esl"

where:

• UEFI_DB_1_KEY_FILE and UEFI_DB_1_CERT_FILE is the key used to sign UEFI payloads
• UEFI_DEFAULT_PK_ES is the Platform Key.
• UEFI_DEFAULT_KEK_ESL_0 is the Key encryption key.
• UEFI_DEFAULT_DB_ESL_0 is for the file with the list of digital sigantures of trusted software.

Generate the UEFI Secure Boot DTBO

This device tree blob overlay is used to store the security keys in the form of UEFI authenticated variable. It is used during flashing time. To generate it:

sudo tools/gen_uefi_keys_dts.sh uefi_keys/uefi_keys.conf

Flash the board with the --uefi_keys option

Now to activate UEFI Secure Boot, run the flash command with the uefi_keys option. Fon an NVIDIA Jetson Orin Nano with an SD Card, the command is:

sudo ./tools/kernel_flash/l4t_initrd_flash.sh --external-device mmcblk0p1 -c tools/kernel_flash/flash_l4t_external.xml -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --uefi-keys uefi_keys/uefi_keys.conf --showlogs --network usb0 jetson-orin-nano-devkit internal

• • • • add outputs.