Enable Secure Boot for Edge Microvisor Toolkit#
In most production scenarios, you should consider using Secure Boot for your system, ensuring it is protected against advanced attacks. The steps required depend on the image type:
ISO Image - manually sign Extensible Firmware Interface (EFI) binaries, generate local signing certificates, rebuild packages, and test the Secure Boot functionality.
RAW or VHD/X - configure the BIOS with the signed production keys of a RAW/VHD Edge Microvisor image.
RAW and VHD Image#
Production images of Edge Microvisor are signed by Intel. Secure Boot prevents unauthorized bootloaders and operating systems from starting, ensuring that only code signed with a trusted key is executed. For custom signed OS images, you need to enroll your certificate into the firmware’s trusted key database.
Step 1: Verify your Certificate File#
Make sure you have the certificate file, for example, edge-readonly-3.0.20250401.0515-signed.der, which contains your public key. Many systems accept DER format, but some firmware might require PEM.
Step 2: Convert DER to PEM (if necessary)#
Although DER is a common format for many BIOS implementations, some UEFI/BIOS systems may require PEM format. To convert a DER file to PEM using OpenSSL:
Open a Terminal/Command Prompt. Run the following command:
openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM
This converts certificate.der into the PEM-formatted file certificate.pem.
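The following is an added example, not part of the original page: it identifies whether a certificate file is DER or PEM before conversion, since running the DER conversion on a file that is already PEM fails. The function names `cert_format` and `cert_to_pem` are hypothetical; the `openssl x509` conversion is the one shown above.

```shell
#!/bin/sh
# Added example (not from the original page): identify a certificate's
# encoding before enrolling it, and convert to PEM only when needed.

# cert_format FILE: prints PEM, DER or unknown.
cert_format() {
    # PEM is text and starts with a BEGIN CERTIFICATE armor line.
    if head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'; then
        echo PEM
        return 0
    fi
    # A DER X.509 certificate is an ASN.1 SEQUENCE: first byte is 0x30.
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo DER
    else
        echo unknown
    fi
}

# cert_to_pem IN OUT: produce a PEM copy whatever the input encoding.
cert_to_pem() {
    case "$(cert_format "$1")" in
        PEM) cp "$1" "$2" ;;
        DER) openssl x509 -in "$1" -inform DER -out "$2" -outform PEM ;;
        *)   echo "$1: not an X.509 certificate in DER or PEM" >&2
             return 1 ;;
    esac
    # Print subject and SHA-256 fingerprint so the file can be compared
    # with what the firmware key manager shows after enrollment.
    openssl x509 -in "$2" -noout -subject -fingerprint -sha256
}

# Usage: cert_to_pem certificate.der certificate.pem
```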
Step 3: Enroll the Certificate in the UEFI/BIOS#
Restart Your Computer:
Enter your UEFI/BIOS setup by pressing F2, Del, or Esc during startup (refer to your system’s manual if needed).
Navigate to the Secure Boot or Security Section:
Look for a menu labeled Secure Boot, Security, or similar.
Enroll the Custom Key:
Find the key/certificate management option such as Manage Keys, Enroll Key, or Add Certificate.
Choose the file selection option and locate your certificate file (use certificate.der or certificate.pem depending on your firmware requirements).
Follow the on-screen instructions to enroll the key.
Step 4: Enable Secure Boot#
Locate the Secure Boot Setting:
Within the UEFI/BIOS menu, find the Secure Boot option.
Enable Secure Boot:
Change the setting to Enabled.
Save your changes and exit the UEFI/BIOS setup.
Reboot:
Your system will now check the OS image signature against the enrolled certificate during boot.
ISO Image#
Prerequisites#
Make sure Secure Boot is disabled.
Install Required Tools for signing and building packages:
sudo tdnf install dnf-utils pesign nss-tools efivar rpmdevtools openssl kernel-devel keyutils dos2unix vim-extra
Add User to the pesign Group:
sudo usermod -a -G pesign $(whoami)
cd ~
Log out and log back in for the changes to take effect.
Step 1: Generate Local Signing Certificates#
Complete the following steps to create local self-signed certificates:
Download the pesign source package:
base_url=$(grep -E '^\s*baseurl' /etc/yum.repos.d/*.repo | awk -F= '{print $2}' | sed 's/^[ \t]*//')
package=$(tdnf repoquery --source pesign | tail -1)
wget $base_url/SRPMS/$package.rpm
mkdir pesign-files
rpmdev-extract -C pesign-files pesign-*.src.rpm
cd pesign-files/pesign-*.src
tar xvf pesign-*.tar.bz2
cd pesign-*/src/certs
Create a self-signed CA and a signing certificate:
export KEY=KeyInShim
./make-certs $KEY emt@edgemicrovisortoolkit.com all codesign 1.3.6.1.4.1.311.10.3.1
certutil -d /etc/pki/pesign -A -n 'my CA' -t CT,CT,CT -i ca.crt
pk12util -d /etc/pki/pesign -i $KEY.p12
certutil -d /etc/pki/pesign -A -i $KEY.crt -n $KEY -t u
Repeat the steps for additional keys, such as KeyInDB.
export KEY=KeyInDB
# Repeat the steps.
cd ~
Make sure your rpm %_topdir is ~/rpmbuild. Create the build directories:
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
If %_topdir points elsewhere, edit your ~/.rpmmacros to include:
%_topdir %(echo $HOME)/rpmbuild
If the file ~/.rpmmacros does not exist in your home directory, create one:
vi ~/.rpmmacros
Step 2: Rebuild the shim-unsigned Package#
Extract KeyInShim to a DER file:
certutil -d /etc/pki/pesign -L -n KeyInShim -r > ~/key-in-shim.der
Rebuild the shim-unsigned package:
base_url=$(grep -E '^\s*baseurl' /etc/yum.repos.d/*.repo | awk -F= '{print $2}' | sed 's/^[ \t]*//')
shim_unsigned_package=$(tdnf repoquery --source shim-unsigned-x64 | tail -1 | sed 's/\.src$//')
wget $base_url/SRPMS/$shim_unsigned_package.src.rpm
rpm -i $shim_unsigned_package.src.rpm
cd ~/rpmbuild
cp ~/key-in-shim.der SOURCES/azurelinux-ca-20230216.der
rpmbuild -bb SPECS/shim-unsigned-x64.spec
sudo tdnf install RPMS/x86_64/$shim_unsigned_package.x86_64.rpm
cd ~
Step 3: Build the shim Package#
Install the shim SRPM:
base_url=$(grep -E '^\s*baseurl' /etc/yum.repos.d/*.repo | awk -F= '{print $2}' | sed 's/^[ \t]*//')
shim_package=$(tdnf repoquery --source shim | grep -v "unsigned" | tail -1 | sed 's/\.src$//')
wget $base_url/SRPMS/$shim_package.src.rpm
rpm -i $shim_package.src.rpm
Sign the binaries:
cd ~/rpmbuild
pesign -s -i /usr/share/shim/*/x64/mmx64.efi -o SOURCES/mmx64.efi -c KeyInShim --force
pesign -s -i /usr/share/shim/*/x64/fbx64.efi -o SOURCES/fbx64.efi -c KeyInShim --force
pesign -s -i /usr/share/shim/*/x64/shimx64.efi -o SOURCES/shimx64.efi -c KeyInDB --force
rpmbuild -bb SPECS/shim.spec
Step 4: Install the new shim-x64 Package#
Install the new package and reboot with Secure Boot disabled:
sudo tdnf install RPMS/x86_64/$shim_package.x86_64.rpm
Ensure that the $shim_package.x86_64.rpm package is installed properly. If you encounter any messages, such as “Nothing to do”, you can attempt to reinstall the package:
sudo tdnf reinstall --allowerasing RPMS/x86_64/$shim_package.x86_64.rpm
cd ~
Step 5: Sign the Boot Loader and Kernel#
Copy the EFI binaries:
sudo cp /boot/efi/EFI/BOOT/grubx64.efi .
sudo sh -c 'cp /boot/vmlinuz-* .'
Sign the binaries:
sudo pesign -s -i grubx64.efi -o /boot/efi/EFI/BOOT/grubx64.efi -c KeyInShim --force
sudo sh -c 'pesign -s -i vmlinuz-* -o /boot/vmlinuz-* -c KeyInShim --force'
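Before enabling Secure Boot, it helps to confirm that every binary carries a signature from the key this procedure expects: shimx64.efi from KeyInDB (trusted by the firmware DB), and everything shim loads from KeyInShim (the certificate built into shim in Step 2). The following is an added example, not part of the original page; the function names are hypothetical, the paths are the ones used in the steps above, and it assumes `pesign -S` reports signers on lines of the form "The signer's common name is <CN>".

```shell
#!/bin/sh
# Added example (not from the original page): confirm each binary carries
# a signature from the key this procedure expects.

# signer_cn: read `pesign -S` output on stdin, print each signer common name.
# Assumes pesign's "The signer's common name is <CN>" line format.
signer_cn() {
    sed -n "s/^The signer's common name is //p"
}

# check_signer FILE EXPECTED_CN [LISTING]
# LISTING is an optional file holding saved `pesign -S` output (for offline
# checks); without it, pesign is run on FILE.
check_signer() {
    if [ -n "${3:-}" ]; then
        names=$(signer_cn < "$3")
    else
        names=$(pesign -S -i "$1" | signer_cn)
    fi
    if [ -z "$names" ]; then
        echo "FAIL $1: no signature found"; return 1
    fi
    # A binary may carry several signatures; any exact match is accepted.
    if printf '%s\n' "$names" | grep -qxF "$2"; then
        echo "OK   $1: signed by $2"
    else
        echo "FAIL $1: signed by '$names', expected $2"; return 1
    fi
}

# Expected chain on this page: firmware DB trusts KeyInDB -> shimx64.efi;
# shim embeds KeyInShim -> mmx64.efi, fbx64.efi, grubx64.efi, kernel.
verify_boot_chain() {
    rc=0
    check_signer ~/rpmbuild/SOURCES/shimx64.efi KeyInDB || rc=1
    for f in ~/rpmbuild/SOURCES/mmx64.efi ~/rpmbuild/SOURCES/fbx64.efi \
             /boot/efi/EFI/BOOT/grubx64.efi /boot/vmlinuz-*; do
        check_signer "$f" KeyInShim || rc=1
    done
    return $rc
}

# Usage (reading /boot may require root): verify_boot_chain
```

A FAIL line for grubx64.efi or the kernel means shim will refuse to load it once Secure Boot is enforcing, so re-run the signing step before rebooting.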
Step 6: Enroll KeyInDB into UEFI DB#
Export KeyInDB to a DER file:
certutil -d /etc/pki/pesign -L -n KeyInDB -r > key-in-db.der
Copy the certificate to the ESP partition:
sudo cp key-in-db.der /boot/efi/EFI/
Add the certificate to the UEFI DB:
sudo systemctl reboot --firmware-setup
Navigate to:
System Bios Settings → System Security → Secure Boot Configuration → Secure Boot Mode (set to <Custom Mode>).
Custom Secure Boot Options → DB Options → Enroll Signature → Enroll Signature Using key-in-db.der file into the database.
Step 7: Enable Secure Boot and Test#
Re-enable Secure Boot in the firmware menu and reboot. Verify that the system boots successfully with Secure Boot enabled.
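A successful boot alone does not prove enforcement, because the system also boots when Secure Boot is off. The following is an added example, not part of the original page: it reads the standard UEFI `SecureBoot` and `SetupMode` variables from efivarfs. The function names are hypothetical, and the optional directory argument exists only so the logic can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not from the original page): read the firmware's Secure
# Boot state from efivarfs after the reboot.

EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efivar_byte FILE: print the first data byte of an efivarfs file.
# efivarfs prefixes the data with a 4-byte attribute word, so skip 4 bytes.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# secure_boot_state [DIR]: prints enforcing, setup-mode, disabled or no-uefi.
# DIR defaults to the live efivarfs mount.
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL") || { echo no-uefi; return 0; }
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL") || setup=0
    if [ "$sb" = "1" ]; then
        echo enforcing       # firmware verifies signatures against DB
    elif [ "$setup" = "1" ]; then
        echo setup-mode      # no Platform Key enrolled; nothing is enforced
    else
        echo disabled
    fi
}

# Usage: secure_boot_state
```

Anything other than `enforcing` after Step 7 means the signed shim, boot loader and kernel were not actually checked on this boot.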