Field of the Invention
The present invention relates to the use of a UEFI Secure Boot procedure to facilitate the use of authorized software and devices, such as Option ROMs and operating system boot loaders.
Background of the Related Art
Secure Boot prevents “unauthorized” operating systems and software from loading during the startup process. When Secure Boot is enabled, Secure Boot checks each piece of software, including the UEFI drivers (Option ROMs) and the operating system, against a database of known-good signatures. If each piece of software can be verified, the firmware runs the software and the operating system. The UEFI firmware includes the signature database (DB), revoked signatures database (DBX), and the Key Enrollment Key database (KEK). These databases are stored on the UEFI flash at the time of manufacturing.
The signature database (DB) and the revoked signatures database (DBX) list the signatures or image hashes of UEFI applications, operating system loaders (such as the Microsoft Operating System Loader, or Boot Manager), and UEFI drivers that can be loaded on the server, and the revoked images for items that are no longer trusted and may not be loaded. The Key Enrollment Key database (KEK) is a separate database of signing keys that can be used to update the signature database and revoked signatures database. The developer of the operating system requires a specified key to be included in the KEK database so that the developer can add new operating systems to the signature database or add known bad images to the revoked signatures database. After these databases have been added, and after final firmware verification and testing, the firmware is locked from editing, except for updates that are signed with the correct key or updates by a physically present user who is using the firmware menu, and a platform key (PK) is then generated.
The UEFI allows Secure Boot to be selectively “enabled” or “disabled”. If Secure Boot is disabled, then any image may be run without verifying or authorizing the image. If Secure Boot is enabled, a set of default digital certificates and/or signatures is used to boot any OS or use any Option ROMs. The default digital certificates and/or signatures may be provided by the original equipment manufacturer of the node. If an image cannot be verified, then the OS or driver will not be loaded.
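The load decision described above can be modeled as follows. This is an added example, not part of the original text, and it goes beyond the text by storing DB and DBX in the EFI_SIGNATURE_LIST layout from the UEFI specification. Assumptions: only SHA-256 hash entries are handled (certificate-based signature checks are omitted), a SHA-256 of the whole blob stands in for the Authenticode PE image hash, and the function names, owner GUID, images and databases are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Real UEFI GUID for SHA-256 hash entries in an EFI_SIGNATURE_LIST.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID


def build_sha256_list(digests):
    """Serialize digests as one EFI_SIGNATURE_LIST (constructed test data)."""
    sig_size = 16 + 32  # SignatureOwner GUID + SHA-256 digest
    body = b"".join(OWNER.bytes_le + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


def parse_sha256_hashes(blob):
    """Return the set of SHA-256 digests found in concatenated EFI_SIGNATURE_LISTs."""
    hashes, off = set(), 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == EFI_CERT_SHA256_GUID and sig_size == 48:
                hashes.add(blob[pos + 16:pos + sig_size])  # skip owner GUID
            pos += sig_size
        off = end
    return hashes


def may_load(image, db_blob, dbx_blob, secure_boot_enabled):
    """Decision described above: DBX denies first, then DB must allow."""
    if not secure_boot_enabled:
        return True  # disabled: any image runs unverified
    digest = hashlib.sha256(image).digest()  # stand-in for the Authenticode PE hash
    if digest in parse_sha256_hashes(dbx_blob):
        return False  # revoked, even if also listed in DB
    return digest in parse_sha256_hashes(db_blob)


# Constructed images and databases.
LOADER, OLD_LOADER, UNKNOWN = b"boot loader v2", b"boot loader v1", b"unsigned option rom"
DB = build_sha256_list([hashlib.sha256(x).digest() for x in (LOADER, OLD_LOADER)])
DBX = build_sha256_list([hashlib.sha256(OLD_LOADER).digest()])
```

Here `OLD_LOADER` is listed in both databases and is still refused, which is why a DBX update is enough to retire an image without touching DB.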