In most production scenarios, you should consider using Secure Boot for your system, ensuring it is protected against advanced attacks. Here are the steps required to do so, using:
- ISO Image - manually sign extensible firmware interface (EFI) binaries, generating local signing certificates, rebuilding packages, and testing the secure boot functionality.
- RAW or VHD/X - configure BIOS with signed production keys of a RAW/VHD Edge Microvisor Toolkit image.
Production images of Edge Microvisor Toolkit are signed by Intel. Secure Boot prevents unauthorized bootloaders and operating systems from starting, ensuring that only code signed with a trusted key is executed. For custom signed OS images, you need to enroll your certificate into the firmware’s trusted key database.
Make sure you have the certificate file, for example, edge-readonly-3.0.20250401.0515-signed.der,
which contains your public key. Many systems accept DER format, but some firmware might
require PEM.
Although DER is a common format for many BIOS implementations, some UEFI/BIOS systems may require PEM format. To convert a DER file to PEM using OpenSSL:
Open a Terminal/Command Prompt. Run the following command:
openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEMThis converts certificate.der into PEM-formatted file certificate.pem.
- Restart Your Computer:
- Enter your UEFI/BIOS setup by pressing F2, Del, or Esc during startup (refer to your system's manual if needed).
- Navigate to the Secure Boot or Security Section:
- Look for a menu labeled Secure Boot, Security, or similar.
- Enroll the Custom Key:
- Find the key/certificate management option such as Manage Keys, Enroll Key, or Add Certificate.
- Choose the file selection option and locate your certificate file (use
certificate.derorcertificate.pemdepending on your firmware requirements). - Follow the on-screen instructions to enroll the key.
- Locate the Secure Boot Setting:
- Within the UEFI/BIOS menu, find the Secure Boot option.
- Enable Secure Boot:
- Change the setting to Enabled.
- Save your changes and exit the UEFI/BIOS setup.
- Reboot:
- Your system will now check the OS image signature against the enrolled certificate during boot.
Make sure Secure Boot is disabled.
Install Required Tools for signing and building packages:
sudo tdnf install dnf-utils pesign nss-tools efivar rpmdevtools openssl kernel-devel keyutils dos2unix vim-extraAdd User to the pesign Group:
sudo usermod -a -G pesign $(whoami)cd ~Log out and log back in for the changes to take effect.
Complete the following steps to create local self-signed certificates:
Download the pesign source package:
base_url=$(grep -E '^\s*baseurl' /etc/yum.repos.d/*.repo | awk -F= '{print $2}' | sed 's/^[ \t]*//')
package=$(tdnf repoquery --source pesign | tail -1)
wget $base_url/SRPMS/$package.rpm
mkdir pesign-files
rpmdev-extract -C pesign-files pesign-*.src.rpm
cd pesign-files/pesign-*.src
tar xvf pesign-*.tar.bz2
cd pesign-*/src/certsCreate a self-signed CA and a signing certificate:
export KEY=KeyInShim
./make-certs $KEY emt@edgemicrovisortoolkit.com all codesign 1.3.6.1.4.1.311.10.3.1
certutil -d /etc/pki/pesign -A -n 'my CA' -t CT,CT,CT -i ca.crt
pk12util -d /etc/pki/pesign -i $KEY.p12
certutil -d /etc/pki/pesign -A -i $KEY.crt -n $KEY -t uRepeat the steps for additional keys, such as KeyInDB.
export KEY=KeyInDB
# Repeat the steps.cd ~Make sure your rpm %_topdir is ~/rpmbuild; if not you should edit your ~/.rpmmacros to include:
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
%_topdir %(echo $HOME)/rpmbuildIf file ~/.rpmmacros does not exist in home directory, create one:
vi ~/.rpmmacrosExtract KeyInShim to a DER file:
certutil -d /etc/pki/pesign -L -n KeyInShim -r > ~/key-in-shim.derRebuild the shim-unsigned package:
base_url=$(grep -E '^\s*baseurl' /etc/yum.repos.d/*.repo | awk -F= '{print $2}' | sed 's/^[ \t]*//')
shim_unsigned_package=$(tdnf repoquery --source shim-unsigned-x64 | tail -1 | sed 's/\.src$//')
wget $base_url/SRPMS/$shim_unsigned_package.src.rpm
rpm -i $shim_unsigned_package.src.rpm
cd ~/rpmbuild
cp ~/key-in-shim.der SOURCES/azurelinux-ca-20230216.der
rpmbuild -bb SPECS/shim-unsigned-x64.spec
sudo tdnf install RPMS/x86_64/$shim_unsigned_package.x86_64.rpmcd ~Install the shim SRPM:
base_url=$(grep -E '^\s*baseurl' /etc/yum.repos.d/*.repo | awk -F= '{print $2}' | sed 's/^[ \t]*//')
shim_package=$(tdnf repoquery --source shim | grep -v "unsigned" | tail -1 | sed 's/\.src$//')
wget $base_url/SRPMS/$shim_package.src.rpm
rpm -i $shim_package.src.rpmSign the binaries:
cd ~/rpmbuild
pesign -s -i /usr/share/shim/*/x64/mmx64.efi -o SOURCES/mmx64.efi -c KeyInShim --force
pesign -s -i /usr/share/shim/*/x64/fbx64.efi -o SOURCES/fbx64.efi -c KeyInShim --force
pesign -s -i /usr/share/shim/*/x64/shimx64.efi -o SOURCES/shimx64.efi -c KeyInDB --force
rpmbuild -bb SPECS/shim.specInstall the new package and reboot with secure boot disabled:
sudo tdnf install RPMS/x86_64/$shim_package.x86_64.rpmEnsure that the $shim_package.x86_64.rpm package is installed properly. If you encounter any messages, such as "Nothing to do", you can attempt to reinstall the package.
sudo tdnf reinstall --allowerasing RPMS/x86_64/$shim_package.x86_64.rpmcd ~Copy the EFI binaries:
sudo cp /boot/efi/EFI/BOOT/grubx64.efi .
sudo sh -c 'cp /boot/vmlinuz-* .'Sign the binaries:
sudo pesign -s -i grubx64.efi -o /boot/efi/EFI/BOOT/grubx64.efi -c KeyInShim --force
sudo sh -c 'pesign -s -i vmlinuz-* -o /boot/vmlinuz-* -c KeyInShim --force'Export KeyInDB to a DER file:
certutil -d /etc/pki/pesign -L -n KeyInDB -r > key-in-db.derCopy the certificate to the ESP partition:
sudo cp key-in-db.der /boot/efi/EFI/Add the certificate to the UEFI DB:
sudo systemctl reboot --firmware-setupNavigate to:
System Bios Settings → System Security → Secure Boot Configuration → Secure Boot Mode (set to <Custom Mode>).
Custom Secure Boot Options → DB Options → Enroll Signature → Enroll Signature Using key-in-db.der file into the database.
Re-enable secure boot in the firmware menu and reboot. Verify that the system boots successfully with secure boot enabled.
You can try Slim Bootloader for the deployment of Edge Microvisor Toolkit on your machine. Refer to the Boot Optimization section for more details.