Secure Boot - Chelsio Communications Terminator Series Installation And User Manual

Chapter XXV. Unified Boot

Secure Boot

Secure Boot, a high-performance computing software solution is a method to restrict which
binaries can be executed to boot the system. With Secure Boot, the system BIOS will only allow
the execution of boot loaders that carry the cryptographic signature of trusted entities. In other
words, anything run in the BIOS must be "signed" with a key that the system knows is trustworthy.
With each reboot of the server, every executed component is verified.
This is not supported in the current release.
Note
The following example describes the method to enable Secure Boot on HP ProLiant servers.
Steps may differ slightly on other platforms:
i. During system boot, press F9 to run the System Utilities.
ii. Select System Configuration.
iii. Select BIOS/Platform Configuration (RBSU).
iv. Select Server Security.
v. Select Secure Boot Settings.
vi. Select Advanced Secure Boot Options.
vii. Provide the Platform Key (PK), Key Exchange Key (KEK) and Allowed Signature Database
(DB) to the respective uEFI NVRAM variables.
•
Windows:
▪ PK: Will be generated at the discretion of the platform owner (OEM).
more information.
▪ KEK:
http://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt
▪ Windows DB:
10-19.crt
▪ uEFI DB:
27.crt
▪ Signature GUID for all the above keys: 77fa9abd-0359-4d32-bd60-28f4e78f784b
•
Linux:
▪ Use the same values for PK, KEK, Windows DB, uEFI DB and Signature ID as
mentioned above.
▪ In addition, provide the following values:
o chcert.cer: Provided in ChelsioUwire-x.x.x.x/Uboot/chelsio_key/
o Signature GUID for chcert.cer: 0b74ace7-6136-a493-19a9-6104d6d1e432
viii. Reboot the system, run System Utilities and go to Secure Boot Settings.
ix. Select and enable Secure Boot Enforcement and reboot the system.
Chelsio Unified Wire for Linux
http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-
http://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-
Click here for
351