diff --git a/docs/dasharo-menu-docs/device-manager.md b/docs/dasharo-menu-docs/device-manager.md index 1a27ecfe3a..2bf7161ce6 100644 --- a/docs/dasharo-menu-docs/device-manager.md +++ b/docs/dasharo-menu-docs/device-manager.md 
@@ -74,47 +74,66 @@ example. This submenu allows configuring UEFI Secure Boot functionality. -![](/images/menus/secure_boot.jpeg){ class="center" } +![](/images/menus/secure_boot_main1.png){ class="center" } + +By default, Dasharo firmware boots with the default keys/certificates enrolled +(see [Custom mode and key management](#custom-mode-and-key-management)) and +default UEFI Secure Boot state depending on platform (in most cases disabled). ### Enabling Secure Boot -By default, Dasharo firmware doesn't have UEFI Secure Boot enabled. -Additionally, keys for UEFI Secure Boot are not enrolled, as we do not make -assumptions about which CA the user trusts. To enable Secure Boot for booting -common OSes signed with Microsoft keys (Windows and Linux distros using the -shim bootloader), select the `Reset Secure Boot keys` option. The `Attempt -Secure Boot` option will now be available and selected, and Secure Boot will be -used on next boot. +Switching the `Enable Secure Boot` option will enable or disable Secure Boot +on next boot. + +![](/images/menus/secure_boot_main2.png){ class="center" } + +The `Enable Secure Boot` option will be available (not grayed out) only if the +keys/certificates are provisioned. You may see below image if you erase your +Secure Boot keys/certificates or don't have PK enrolled: + +![](/images/menus/secure_boot_main3.png){ class="center" } ### Custom mode and key management -The following keys are enrolled by default when resetting Secure Boot keys: +The basic menu allows only enabling or disabling Secure Boot. For advanced +options, switch the `Secure Boot Mode` from `Standard Mode` to `Custom Mode`, +which will cause the `Advanced Secure Boot Keys Management` submenu to appear. 
+ +![](/images/menus/secure_boot_main4.png){ class="center" } + +`Advanced Secure Boot Keys Management` menu content looks as follows: + +![](/images/menus/secure_boot_advanced1.png){ class="center" } -* [Microsoft KEK certificate](https://go.microsoft.com/fwlink/?LinkId=321185), -* Microsoft Signature Database (db) consisting of: - - [Microsoft Windows Production PCA 2011](https://go.microsoft.com/fwlink/p/?linkid=321192) - to allow Windows OS Loader to load, - - [Microsoft Corporation UEFI CA 2011](https://go.microsoft.com/fwlink/p/?linkid=321194) - to load OEM-approved UEFI drivers and applications (e.g. [shim](https://github.com/rhboot/shim)), -* Microsoft Forbidden Signature Database (dbx) published as - [UEFI Revocation List File on uefi.org](https://www.uefi.org/revocationlistfile), -* Dasharo Platform Key (PK) certificate maintained by the Dasharo team. When - custom application and UEFI driver signing is desired, this key may be replaced - with the user's own PK. +* `Reset to default Secure Boot Keys` will cause the following keys/certificates + to be enrolled: + - [Microsoft KEK certificate](https://go.microsoft.com/fwlink/?LinkId=321185), + - Microsoft Signature Database (db) consisting of: + + [Microsoft Windows Production PCA 2011](https://go.microsoft.com/fwlink/p/?linkid=321192) + to allow Windows OS Loader to load, + + [Microsoft Corporation UEFI CA 2011](https://go.microsoft.com/fwlink/p/?linkid=321194) + to load OEM-approved UEFI drivers and applications (e.g. [shim](https://github.com/rhboot/shim)), + - Microsoft Forbidden Signature Database (dbx) published as + [UEFI Revocation List File on uefi.org](https://www.uefi.org/revocationlistfile), + - Dasharo Platform Key (PK) certificate maintained by the Dasharo team. When + custom application and UEFI driver signing is desired, this key may be replaced + with the user's own PK. 
-> To learn more, please visit -> [Windows Secure Boot Key Creation and Management Guidance](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11). + > To learn more about those certificates, please visit + > [Windows Secure Boot Key Creation and Management Guidance](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11). -To use your own keys, choose `Custom Mode` in `Secure Boot Mode`: + ![](/images/menus/secure_boot_advanced2.png){ class="center" } -![](/images/menus/secure_boot_custom.jpeg){ class="center" } +* `Erase to default Secure Boot Keys` will erase all Secure Boot keys and certificates + currently provisioned: -An additional entry appears below for configuring keys and certificates: + ![](/images/menus/secure_boot_advanced3.png){ class="center" } -![](/images/menus/secure_boot_custom.jpeg){ class="center" } + ![](/images/menus/secure_boot_advanced4.png){ class="center" } -Here one may delete and enroll particular keys, certificates and database -signatures. +One may also delete and enroll individual keys, certificates and database +signatures via `PK/KEK/DB/DBX/DBT Options` (scroll the menu down if `DBT +Options` are not visible). ## TCG2 Configuration diff --git a/docs/images/menus/secure_boot.jpeg b/docs/images/menus/secure_boot.jpeg deleted file mode 100644 index ea72e797a2..0000000000 Binary files a/docs/images/menus/secure_boot.jpeg and /dev/null differ diff --git a/docs/images/menus/secure_boot_advanced1.png b/docs/images/menus/secure_boot_advanced1.png new file mode 100644 index 0000000000..62fb914120 Binary files /dev/null and b/docs/images/menus/secure_boot_advanced1.png differ 
diff --git a/docs/images/menus/secure_boot_advanced2.png b/docs/images/menus/secure_boot_advanced2.png new file mode 100644 index 0000000000..166f2b18c1 Binary files /dev/null and b/docs/images/menus/secure_boot_advanced2.png differ diff --git a/docs/images/menus/secure_boot_advanced3.png b/docs/images/menus/secure_boot_advanced3.png new file mode 100644 index 0000000000..bc4b8cb846 Binary files /dev/null and b/docs/images/menus/secure_boot_advanced3.png differ diff --git a/docs/images/menus/secure_boot_advanced4.png b/docs/images/menus/secure_boot_advanced4.png new file mode 100644 index 0000000000..1222a80661 Binary files /dev/null and b/docs/images/menus/secure_boot_advanced4.png differ diff --git a/docs/images/menus/secure_boot_custom.jpeg b/docs/images/menus/secure_boot_custom.jpeg deleted file mode 100644 index 9a90d420ea..0000000000 Binary files a/docs/images/menus/secure_boot_custom.jpeg and /dev/null differ diff --git a/docs/images/menus/secure_boot_custom_options.jpeg b/docs/images/menus/secure_boot_custom_options.jpeg deleted file mode 100644 index 7449e56897..0000000000 Binary files a/docs/images/menus/secure_boot_custom_options.jpeg and /dev/null differ diff --git a/docs/images/menus/secure_boot_main1.png b/docs/images/menus/secure_boot_main1.png new file mode 100644 index 0000000000..27cd726e5c Binary files /dev/null and b/docs/images/menus/secure_boot_main1.png differ diff --git a/docs/images/menus/secure_boot_main2.png b/docs/images/menus/secure_boot_main2.png new file mode 100644 index 0000000000..c4ee81ee48 Binary files /dev/null and b/docs/images/menus/secure_boot_main2.png differ diff --git a/docs/images/menus/secure_boot_main3.png b/docs/images/menus/secure_boot_main3.png new file mode 100644 index 0000000000..1cd6077dca Binary files /dev/null and b/docs/images/menus/secure_boot_main3.png differ 
diff --git a/docs/images/menus/secure_boot_main4.png b/docs/images/menus/secure_boot_main4.png new file mode 100644 index 0000000000..9278fa813b Binary files /dev/null and b/docs/images/menus/secure_boot_main4.png differ diff --git a/mkdocs.yml b/mkdocs.yml index 8bf6b57064..6877f59b3f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -411,6 +411,7 @@ nav: - 'M.2 automatic SATA/NVMe switching support': unified-test-documentation/dasharo-compatibility/31I-nvme-switching.md - 'miniPCIe slot verification': unified-test-documentation/dasharo-compatibility/31K-minipcie-verification.md - 'eMMC support': unified-test-documentation/dasharo-compatibility/31M-emmc-support.md + - 'PCI Express ports': unified-test-documentation/dasharo-compatibility/31R-pcie-ports.md - 'SATA LED and PC speaker error indication': unified-test-documentation/dasharo-compatibility/31S-sata-led-and-pc-speaker-error-indication.md - 'Firmware locally building and flashing': unified-test-documentation/dasharo-compatibility/326b-firmware-building-locally.md - 'Firmware update using fwupd': unified-test-documentation/dasharo-compatibility/320-fwupd-firmware-update.md
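Review bot: in the device-manager.md hunk, the new default-state sentence is too vague for the question a reader brings to this page, and the "Enabling Secure Boot" paragraph has a grammar slip. "default UEFI Secure Boot state depending on platform (in most cases disabled)" should name the platforms that ship with it enabled, or link to the per-platform pages, because a user checking whether unsigned boot media will be refused cannot tell from "in most cases". "You may see below image if you erase your Secure Boot keys/certificates or don't have PK enrolled" should read "You may see the image below if you erase your Secure Boot keys/certificates or do not have a PK enrolled". The label `Erase to default Secure Boot Keys` reads oddly beside `Reset to default Secure Boot Keys`; please confirm it matches the menu string exactly. The `Reset to default Secure Boot Keys` bullet says dbx is "published as UEFI Revocation List File on uefi.org" but not which dbx revision the firmware bundles; one sentence stating that revision, and that the reset enrolls the bundled copy rather than fetching a newer list, would stop users from assuming a reset picks up current revocations. The hunk also deletes secure_boot_custom_options.jpeg, which the removed text never referenced (the old text linked secure_boot_custom.jpeg twice); a grep of docs/ for the three deleted image names would confirm no other page still links them.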
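Review bot: the mkdocs.yml hunk adds a nav entry for unified-test-documentation/dasharo-compatibility/31R-pcie-ports.md, but this patch does not add that file; please confirm it already exists in the tree or lands in the same series, otherwise mkdocs reports the nav entry as pointing at a missing file and a strict build fails. The change is also unrelated to the Secure Boot documentation rewrite in the other hunk and would be cleaner as its own commit with a message describing the new test page.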