UEFI Secure Boot - NetworkGradeLinux/mion-docs GitHub Wiki

UEFI Secure Boot

UEFI secure boot is available on a number of mion-supported switches, and the initial secure boot code has been merged into mion. To enable UEFI secure boot in the switch firmware, ONIE and mion:

  1. Enable Secure Boot in the firmware (BIOS) of the system (if supported) -- the steps to take differ depending on the system in question
  2. Generate the required key pairs (PK, KEK, DB) and configure them in the BIOS
  3. Build and install a Secure Boot enabled version of ONIE -- this has to be completed in two steps:
     • first, build the shim and either have it signed by a certificate authority or self-sign it
     • then build ONIE with secure boot enabled and point it at the signed shim
  4. Build and install a mion image with the following flags enabled (either in local.conf or in the image config):
     • INSTALL_TYPE="initramfs" -- results in a bzImage/initramfs-only install (rather than a full install to disk)
     • SECURE_BOOT_ENABLED="true"
     • SECURE_BOOT_SIGNING_{KEY,CERT}="..." -- sets the key and cert (from the steps above) used to sign the kernel
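The following script is an added example and is not part of the mion wiki or the mion project. It walks through steps 2 to 4 above on a build host: generating self-signed PK, KEK and db key pairs with openssl, wrapping them as EFI Signature Lists and signed .auth blobs (the form most firmware menus and efi-updatevar accept) with the efitools commands cert-to-efi-sig-list and sign-efi-sig-list, Authenticode-signing a shim or kernel bzImage with sbsign from sbsigntools and checking it with sbverify, and emitting the local.conf lines that point mion at the db key pair. The directory layout, the "mion-sb" certificate names, the choice of RSA-2048 and the exact tool invocations are assumptions; the variable names are the ones the wiki lists.

```shell
#!/bin/sh
# Added example, not mion project code. Assumes openssl, efitools
# (cert-to-efi-sig-list, sign-efi-sig-list) and sbsigntools (sbsign,
# sbverify) are installed; names, paths and key sizes are assumptions.
set -eu

# gen_keys DIR: create PK, KEK and db RSA-2048 key pairs as self-signed
# X.509 certificates in PEM (.crt) and DER (.cer) form. DER is what most
# BIOS setup menus expect when importing a certificate by hand.
gen_keys() {
  dir=$1
  mkdir -p "$dir"
  for name in PK KEK db; do
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
      -subj "/CN=mion-sb $name" \
      -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    openssl x509 -in "$dir/$name.crt" -outform DER -out "$dir/$name.cer"
  done
}

# cert_self_signed DIR NAME: return 0 if the named certificate verifies
# against itself, i.e. it is a usable self-signed trust anchor.
cert_self_signed() {
  openssl verify -CAfile "$1/$2.crt" "$1/$2.crt" >/dev/null 2>&1
}

# to_esl DIR: wrap each certificate in an EFI Signature List and sign it
# into an .auth blob following the UEFI key hierarchy: PK authorises PK
# and KEK updates, KEK authorises db updates. The owner GUID is arbitrary
# but should stay constant for one key set (assumption: a random UUID).
to_esl() {
  dir=$1
  guid=$(cat /proc/sys/kernel/random/uuid)
  for name in PK KEK db; do
    cert-to-efi-sig-list -g "$guid" "$dir/$name.crt" "$dir/$name.esl"
  done
  sign-efi-sig-list -k "$dir/PK.key"  -c "$dir/PK.crt"  PK  "$dir/PK.esl"  "$dir/PK.auth"
  sign-efi-sig-list -k "$dir/PK.key"  -c "$dir/PK.crt"  KEK "$dir/KEK.esl" "$dir/KEK.auth"
  sign-efi-sig-list -k "$dir/KEK.key" -c "$dir/KEK.crt" db  "$dir/db.esl"  "$dir/db.auth"
}

# sign_image DIR IN OUT: Authenticode-sign a PE binary (the shim from
# step 3 or the kernel bzImage from step 4) with the db key, then verify
# that the result chains to db.crt, which is what the firmware checks.
sign_image() {
  dir=$1; in=$2; out=$3
  sbsign --key "$dir/db.key" --cert "$dir/db.crt" --output "$out" "$in"
  sbverify --cert "$dir/db.crt" "$out"
}

# local_conf_fragment DIR: print the mion build flags from the wiki,
# pointing the kernel signing variables at the db key pair above.
local_conf_fragment() {
  dir=$1
  printf '%s\n' \
    'INSTALL_TYPE="initramfs"' \
    'SECURE_BOOT_ENABLED="true"' \
    "SECURE_BOOT_SIGNING_KEY=\"$dir/db.key\"" \
    "SECURE_BOOT_SIGNING_CERT=\"$dir/db.crt\""
}

# Typical use (paths are placeholders):
#   gen_keys ./sb-keys && to_esl ./sb-keys
#   sign_image ./sb-keys shimx64.efi shimx64.signed.efi
#   local_conf_fragment "$PWD/sb-keys" >> build/conf/local.conf
```

Only the db key is used to sign images; PK and KEK exist to authorise changes to the variable store, so keep PK.key offline once the keys are enrolled. Enrolling the .auth files (or the .cer files through the BIOS menu) is the firmware-specific part of step 2 that the wiki says differs per system, and the signed kernel produced by step 4 is what the shim from step 3 verifies; as the note below states, the initramfs is not covered by this chain.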

NOTE: The secure boot implementation in mion only covers the signing and verification of the kernel bzImage; the mion initramfs is not signed or verified. This is intended to serve as a foundation for further secure boot work -- more details will be available in a future task.