[uefi-secure-boot-guide] fweimer: Add instructions for enabling Microsoft Secure Boot (06c2b58)
fweimer at fedoraproject.org
Fri Feb 15 16:13:04 UTC 2013
Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git
On branch : fweimer
>---------------------------------------------------------------
commit 06c2b58cd73cc6f566cbf4a22a21be5df1d83930
Author: Florian Weimer <fweimer at redhat.com>
Date: Fri Feb 15 17:08:23 2013 +0100
Add instructions for enabling Microsoft Secure Boot
>---------------------------------------------------------------
en-US/System_Configuration.xml | 259 ++++++++++++++++++++++++++++++++++++++
en-US/UEFI_Secure_Boot_Guide.xml | 1 +
2 files changed, 260 insertions(+), 0 deletions(-)
diff --git a/en-US/System_Configuration.xml b/en-US/System_Configuration.xml
new file mode 100644
index 0000000..9955fb6
--- /dev/null
+++ b/en-US/System_Configuration.xml
@@ -0,0 +1,259 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % BOOK_ENTITIES SYSTEM "UEFI_Secure_Boot_Guide.ent">
+%BOOK_ENTITIES;
+]>
+<chapter id="chap-UEFI_Secure_Boot_Guide-System_Configuration">
+<title>System Configuration</title>
+<para>
+This chapter describes how to configure systems for use with UEFI
+Secure Boot. The required steps vary from system to system because
+they depend on how the firmware implements the UEFI specification, but
+the descriptions should give you an idea where to look
+</para>
+<warning>
+<title>System can become unbootable</title>
+<para>
+If the operating systems installed on your machine do not provide
+UEFI boot loaders, or if those boot loaders are not accepted by
+the new Secure Boot configuration because the signatures are
+not recognized, your system will no longer boot after switching on
+Secure Boot.
+</para>
+</warning>
+<section id="sect-UEFI_Secure_Boot_Guide-System_Configuration-Enter">
+<title>Entering the UEFI firmware</title>
+<para>
+When the system is booting, try pressing the <keycap>Enter</keycap>,
+<keycap>Del</keycap>, <keycap>F1</keycap> or <keycap>Esc</keycap>
+keys. Usually, instructions will appear telling you how to enter the
+firmware, similar to <xref linkend="fig-Secure_Boot-Enter_The_Firmware"/>
+(which still refers to the UEFI firmware as
+<emphasis>BIOS Setup Utility</emphasis>, so you are expected to press
+<keycap>F1</keycap>).
+</para>
+<figure id="fig-Secure_Boot-Enter_The_Firmware">
+ <title>Firmware activation instructions</title>
+<literallayout class="monospaced">
+┌───────────────────────────────────────────────────────────┐
+│ Startup Interrupt Menu │
+│───────────────────────────────────────────────────────────│
+│ Press one of the following keys to continue: │
+│ │
+│ ESC to resume normal startup │
+│ F1 to enter the BIOS Setup Utility │
+│ F12 to choose a temporary startup device │
+│ │
+│ Press ENTER to continue │
+│ │
+└─────────────────────────────9─────────────────────────────┘
+</literallayout>
+</figure>
+<para>
+You may want to insert a USB stick to prevent a full operating system
+from booting, so that you can reboot more quickly and try out
+different keys faster.
+</para>
+<para>
+If the firmware is protected by a password and you do not know this
+password, you need to check your system or mainboard manual for
+password reset instructions.
+</para>
+<para>
+Once you have entered the firmware, a screen similar to
+<xref linkend="fig-Secure_Boot-Firmware_Start_Screen"/>
+will be shown.
+</para>
+<figure id="fig-Secure_Boot-Firmware_Start_Screen">
+<title>UEFI firmware start screen</title>
+<literallayout class="monospaced">
+ Lenovo BIOS Setup Utility
+ Main Devices Advanced Power Security Startup Exit
+┌─────────────────────────────────────────────────────────────────────────────────────────────────┐
+│ │
+│► System Summary │
+│► System Time & Date │
+│ │
+│ Machine Type and Model 0896A9G │
+│ System Brand ID Lenovo Product │
+│ System Serial Number RUYWEQZ │
+│ Asset Tag INVALID │
+│ System UUID 1846F489-64F1-4714-83D8-A02FD2C79AD1 │
+│ Ethernet MAC address D5-3D-7E-60-29-2C │
+│ BIOS Revision Level F1KT44AUS │
+│ Boot Block Revision Level F144A │
+│ BIOS Date (MM/DD/YY) 12/21/2012 │
+│ License Status │
+│ Language [English] │
+│ │
+│ │
+│ │
+│ │
+│ │
+│ │
+│ │
+│ │
+└─────────────────────────────────────────────────────────────────────────────────────────────────┘
+ F1 Help ↑↓ Select Item +/- Chane Values F9 Setup Defaults
+ ESC Exit ←→ Select Menu Enter Select►Sub-Menu F10 Save and Exit
+</literallayout>
+</figure>
+</section>
+
+<section>
+<title>Enabling Microsoft Secure Boot</title>
+<para>
+Systems which do not ship with Microsoft Windows 8 typically do not
+enable UEFI Secure Boot (or its Microsoft variant). However, these
+systems still contain the Microsoft keys in the firmware, and enabling
+Microsoft Secure Boot is relatively straightforward.
+</para>
+<para>
+For example, on a Lenovo desktop system, you need to enter the
+firmware as described in <xref
+linkend="sect-UEFI_Secure_Boot_Guide-System_Configuration-Enter"/>.
+Then press the <keycap>→</keycap> key until you reach the
+<emphasis>Exit</emphasis> tab, as shown in
+<xref linkend="fig-Secure_Boot-OS_Optimized_Defaults"/>.
+</para>
+<figure id="fig-Secure_Boot-OS_Optimized_Defaults">
+<title>UEFI firmware Exit tab</title>
+<literallayout class="monospaced">
+ Lenovo BIOS Setup Utility
+ Main Devices Advanced Power Security Startup Exit
+┌─────────────────────────────────────────────────────────────────┬───────────────────────────────┐
+│ │ Help Message │
+│ Save Changes and Exit │───────────────────────────────│
+│ Discard Changes and Exit │Some settings below are │
+│ │changed accordingly. Select │
+│ Load Optimal Defaults │"Enabled" to meet Microsoft(R) │
+│ OS Optimized Defaults [Disabled] │Windows 8 (R) Certification │
+│ │Requirement. │
+│ │Affected settings are CSM │
+│ │Support, Boot mode, Boot │
+│ │Priority, Secure Boot, Secure │
+│ │RollBack Prevention. │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+└─────────────────────────────────────────────────────────────────┴───────────────────────────────┘
+ F1 Help ↑↓ Select Item +/- Chane Values F9 Setup Defaults
+ ESC Exit ←→ Select Menu Enter Select►Sub-Menu F10 Save and Exit
+</literallayout>
+</figure>
+<para>
+Press <keycap>↓</keycap> to select the <emphasis>OS Optimized
+Defaults</emphasis> entry. Press <keycap>Enter</keycap> to change the
+settings. A confirmation dialog will appear, and need to choose
+<emphasis>Yes</emphasis>.
+(See <xref linkend="fig-Secure_Boot-OS_Optimized_Defaults_Conformation"/>).
+</para>
+<figure id="fig-Secure_Boot-OS_Optimized_Defaults_Conformation">
+<title>UEFI firmware confirmation for OS Optimized Defaults</title>
+<literallayout class="monospaced">
+ Lenovo BIOS Setup Utility
+ Main Devices Advanced Power Security Startup Exit
+┌─────────────────────────────────────────────────────────────────┬───────────────────────────────┐
+│ │ Help Message │
+│ Save Changes and Exit │───────────────────────────────│
+│ Discard Changes and Exit │Some settings below are │
+│ │changed accordingly. Select │
+│ Load Optimal Defaults │"Enabled" to meet Microsoft(R) │
+│ OS Optimized Defaults ┌───────────────────────────────────────────┐ws 8 (R) Certification │
+│ │ Attention! │rement. │
+│ ├───────────────────────────────────────────┤ted settings are CSM │
+│ │ If OS Optimized Defaults is changed to │rt, Boot mode, Boot │
+│ │ Enable, some settings including Secure │ity, Secure Boot, Secure │
+│ │ Boot,CSM,IPV4 and IPV6 will be changed. │ack Prevention. │
+│ │ Do you really want to continue? │ │
+│ │ Select Yes to continue to Enable the OS │ │
+│ │ Optimized Defaults. │ │
+│ │ Select No to discontinue the operation. │ │
+│ │ │ │
+│ │ │ │
+│ │ [Yes] [No] │ │
+│ └───────────────────────────────────────────┘ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+└─────────────────────────────────────────────────────────────────┴───────────────────────────────┘
+ F1 Help ↑↓ Select Item +/- Chane Values F9 Setup Defaults
+ ESC Exit ←→ Select Menu Enter Select►Sub-Menu F10 Save and Exit
+</literallayout>
+</figure>
+<para>
+Afterwards, check that <emphasis>OS Optimized Defaults</emphasis> has
+changed to <emphasis>Enabled</emphasis>. Press <keycap>←</keycap>
+several times until you reach the <emphasis>Security</emphasis> tab
+and check that <emphasis>Secure Boot</emphasis> is enabled,
+as in <xref linkend="fig-Secure_Boot-Firmware_Security_Tab"/>.
+</para>
+<figure id="fig-Secure_Boot-Firmware_Security_Tab">
+<title>UEFI firmware Security tab</title>
+<literallayout class="monospaced">
+ Lenovo BIOS Setup Utility
+ Main Devices Advanced Power Security Startup Exit
+┌─────────────────────────────────────────────────────────────────┬───────────────────────────────┐
+│ Image Execution Policy │ Help Message │
+│─────────────────────────────────────────────────────────────────│───────────────────────────────│
+│ Secure Boot Status User Mode │Select whether to enable or │
+│ Secure Boot [Enabled] │disable Secure Boot │
+│ │[Enabled] Enable Secure │
+│ Reset to Setup Mode │Boot,BIOS will prevent │
+│ │un-authorised OS be loaded. │
+│ │[Disable] Disables Secure │
+│ │Boot. │
+│ │ │
+│ │ . │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+│ │ │
+└─────────────────────────────────────────────────────────────────┴───────────────────────────────┘
+ F1 Help ↑↓ Select Item +/- Chane Values F9 Setup Defaults
+ ESC Exit ←→ Select Menu Enter Select►Sub-Menu F10 Save and Exit
+</literallayout>
+</figure>
+<para>
+Return to the <emphasis>Exit</emphasis> tab, choose <emphasis>Save
+Changes and Exit</emphasis>, and press <keycap>Enter</keycap>.
+Confirm saving the settings, and reboot. Microsoft Secure Boot is now
+enabled.
+</para>
+</section>
+
+<section>
+<title>Known issues</title>
+<para>
+When &PRODUCT; is installed on an UEFI system, existing boot loaders
+(for example, the code found in the Master Boot Record) are not
+overwritten. Therefore, &PRODUCT; has considerably less control over
+the boot process. In some cases, systems cannot dual-boot between
+&PRODUCT; and other operating systems. Even if &PRODUCT; is selected
+manually in the firmware boot loader selection dialog
+(<emphasis>choose a temporary startup device</emphasis>
+in <xref linkend="fig-Secure_Boot-Enter_The_Firmware"/>), the other
+operating system is started. This is not a problem with UEFI Secure
+Boot; on the affected systems, it also happens with Secure Boot
+disabled.
+</para>
+</section>
+</chapter>
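Review bot: the bare ampersand in "System Time & Date" inside the literallayout of fig-Secure_Boot-Firmware_Start_Screen is not well-formed XML, so the new chapter will not parse; write it as "System Time &amp; Date". Smaller points in the same file: the bottom border of the Startup Interrupt Menu box contains a stray "9"; the footer of all four firmware screens reads "Chane Values" (use "Change Values" unless that is a verbatim transcription of the screen); the opening paragraph has no period after "where to look"; "A confirmation dialog will appear, and need to choose" is missing "you"; the id fig-Secure_Boot-OS_Optimized_Defaults_Conformation should end in "Confirmation" (change the figure id and its xref together); "an UEFI system" should be "a UEFI system"; and the "Enabling Microsoft Secure Boot" and "Known issues" sections carry no id, unlike the first section, so they cannot be targeted by an xref. Please also confirm that the serial number, UUID and MAC address shown in the start-screen figure are placeholder values and not taken from a real machine.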
diff --git a/en-US/UEFI_Secure_Boot_Guide.xml b/en-US/UEFI_Secure_Boot_Guide.xml
index bb4cb0d..b594a0b 100644
--- a/en-US/UEFI_Secure_Boot_Guide.xml
+++ b/en-US/UEFI_Secure_Boot_Guide.xml
@@ -7,6 +7,7 @@
<xi:include href="Book_Info.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Preface.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="What_is_Secure_Boot.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="System_Configuration.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Implementation_of_Secure_Boot.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Tools.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Using_your_own_keys.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />