Posted May 18, 2024 (author: qq通讯录恢复联系人)
Secure Boot for Linux on HPE Servers
Enhanced security for your Linux environment
Contents
What is Secure Boot?
Chain of trust
HPE Server support for Secure Boot
Limitations of Secure Boot
Secure Boot on HPE Servers
Enabling/Disabling Secure Boot
Signing a kernel module and loading the associated key in the MOK
Building and Booting a Custom Kernel
Resources
Technical white paper
Secure Boot for high performance computing software, as defined in
the UEFI specification, provides an industry-standard defense against
potential malware attacks. Without Secure Boot, malware can attack
systems during pre-boot by targeting the system-embedded firmware
during the interval between BIOS initiation and operating system
load. Malware inserted at this point compromises the security of the
operating system, no matter how secure. Secure Boot protects the
system by preventing the insertion of malware during the pre-boot
process.
This technical white paper introduces Secure Boot technology and
explains what it is, how it works, and how to use it on UEFI-based
HPE servers running Linux®.
What is Secure Boot?
Secure Boot, a high performance computing software solution, is a method to restrict which binaries can be executed to boot the system.
With Secure Boot, the system BIOS will only allow the execution of boot loaders that carry the cryptographic signature of trusted entities.
In other words, anything run in the BIOS must be “signed” with a key that the system knows is trustworthy. With each reboot of the server,
every executed component is verified. This prevents malware from hiding embedded code in the boot chain.
Secure Boot is:
• Intended to prevent boot-sector malware or kernel code injection.
• Hardware-based code signing.
• Extension of the UEFI BIOS architecture.
• Optional with the ability to enable or disable it through the BIOS.
For a more detailed description of what Secure Boot is and how it works, see the Resources section.
Chain of trust
SLES11 SP3, RHEL 7.0 and greater distributions support a chain of trust which goes down to the kernel module level. Loadable kernel modules
must be signed with a trusted key or they cannot be loaded into the kernel.
The following trusted keys are stored in UEFI NVRAM variables:
• Database (DB)—Signature database that contains well-known keys. Only binaries that can be verified against the DB are executed by the BIOS.
• Forbidden Signature Database (DBX)—Keys that are blacklisted. An attempt to load an object with a key that matches an entry in the DBX
is denied.
• Machine Owner Key (MOK)—User-added keys for kernel modules that the user wants to install.
• Platform Key (PK)—The key installed by the hardware vendor.
• Key Exchange Key (KEK)—The key required to update the signature database.
The user must have physical access to the system console to add/modify keys or enable/disable Secure Boot through the UEFI configuration menu.
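The DB/DBX rule described above can be checked by parsing the EFI_SIGNATURE_LIST format in which both variables are stored. The following is an added example, not code from the white paper or from HPE. It handles only SHA-256 hash entries, where real firmware also matches X.509 certificates and uses the Authenticode hash of the image. The owner GUID, sample digests and helper names are constructed for illustration; on a live system the payload is the content of the variable's efivarfs file after its 4-byte attribute prefix.

```python
import hashlib
import struct
import uuid

# Signature-type GUID for SHA-256 hash entries, defined by the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a DB/DBX payload."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, offset)
        body, end = offset + HEADER.size + hdr_size, offset + list_size
        if sig_size <= 16 or body > end or end > len(blob) or (end - body) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield uuid.UUID(bytes_le=raw_type), owner, blob[pos + 16:pos + sig_size]
        offset = end


def sha256_entries(blob):
    """Collect the digests of all SHA-256 entries in a payload."""
    return {d for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256}


def boot_decision(digest, db, dbx):
    """A DBX match always wins; otherwise the digest must be listed in DB."""
    if digest in sha256_entries(dbx):
        return "denied: listed in DBX"
    return "allowed" if digest in sha256_entries(db) else "denied: not in DB"


def make_list(owner, digests):
    """Build one SHA-256 EFI_SIGNATURE_LIST (used only for the constructed samples)."""
    entries = b"".join(owner.bytes_le + d for d in digests)
    return HEADER.pack(EFI_CERT_SHA256.bytes_le, HEADER.size + len(entries), 0, 48) + entries


# Constructed sample data: digests of made-up "images", not real boot loaders.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
GOOD, REVOKED, UNKNOWN = (hashlib.sha256(n).digest() for n in (b"good", b"revoked", b"unknown"))
SAMPLE_DB = make_list(OWNER, [GOOD, REVOKED])
SAMPLE_DBX = make_list(OWNER, [REVOKED])

if __name__ == "__main__":
    for name, digest in (("good", GOOD), ("revoked", REVOKED), ("unknown", UNKNOWN)):
        print(name, "->", boot_decision(digest, SAMPLE_DB, SAMPLE_DBX))
```

The "revoked" digest is present in both databases and is still denied, which is why a DBX update takes effect without removing anything from the DB.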
Published by: admin. When reposting, please credit the source: http://www.yc00.com/xitong/1715974737a2700574.html