docs/doc/source/security/kubernetes/use-uefi-secure-boot.rst


.. fyl1552681364538
.. _use-uefi-secure-boot:

====================
Use UEFI Secure Boot
====================

Secure Boot is supported in |UEFI| installations only. It is not used when
booting |prod| as a legacy boot target.

|prod| currently does not support switching from legacy to UEFI mode after a
system has been installed. Doing so requires a reinstall of the system. This
also means that upgrading from a legacy install to a secure boot install
\(UEFI\) is not supported.

When upgrading a |prod| system from a version which does not support secure
boot to a version that does, do not enable secure boot in UEFI firmware until
the upgrade is complete.

For each node that is going to use secure boot, you must populate the |prod|
public certificate/key in the |UEFI| Secure Boot authorized database in
accordance with the board manufacturer's process. This must be done for each
node before starting installation.

You may need to work with your hardware vendor to have the certificate
installed.

There is often an option in the UEFI setup utility which allows a user to
browse to a file containing a certificate to be loaded in the authorized
database. This option may be hidden in the UEFI setup utility unless UEFI
mode is enabled, and secure boot is enabled.

The UEFI implementation may or may not require a |TPM| device to be
present and enabled before providing for secure boot functionality. Refer to
you server board's manufacturer's documentation.

Many motherboards ship with Microsoft secure boot certificates
pre-programmed in the UEFI certificate database. These certificates may be
required to boot UEFI drivers for video cards, RAID controllers, or NICs
\(for example, the PXE boot software for a NIC may have been signed by a
Microsoft certificate\). While certificates can usually be removed from the
certificate database \(again, this is UEFI implementation specific\) it
may be required that you keep the Microsoft certificates to allow for
complete system operation.

Mixed combinations of secure boot and non-secure boot nodes are supported.
For example, a controller node may secure boot, while a worker node may not.
Secure boot must be enabled in the UEFI firmware of each node for that node
to be protected by secure boot.
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. fyl1552681364538`
			`.. _use-uefi-secure-boot:`

			`====================`
			`Use UEFI Secure Boot`
			`====================`

			`Secure Boot is supported in \|UEFI\| installations only. It is not used when`
			`booting \|prod\| as a legacy boot target.`

			`\|prod\| currently does not support switching from legacy to UEFI mode after a`
			`system has been installed. Doing so requires a reinstall of the system. This`
			`also means that upgrading from a legacy install to a secure boot install`
			`\(UEFI\) is not supported.`

			`When upgrading a \|prod\| system from a version which does not support secure`
			`boot to a version that does, do not enable secure boot in UEFI firmware until`
			`the upgrade is complete.`

			`For each node that is going to use secure boot, you must populate the \|prod\|`
			`public certificate/key in the \|UEFI\| Secure Boot authorized database in`
			`accordance with the board manufacturer's process. This must be done for each`
			`node before starting installation.`

			`You may need to work with your hardware vendor to have the certificate`
			`installed.`

			`There is often an option in the UEFI setup utility which allows a user to`
			`browse to a file containing a certificate to be loaded in the authorized`
			`database. This option may be hidden in the UEFI setup utility unless UEFI`
			`mode is enabled, and secure boot is enabled.`

			`The UEFI implementation may or may not require a \|TPM\| device to be`
			`present and enabled before providing for secure boot functionality. Refer to`
			`you server board's manufacturer's documentation.`

			`Many motherboards ship with Microsoft secure boot certificates`
			`pre-programmed in the UEFI certificate database. These certificates may be`
			`required to boot UEFI drivers for video cards, RAID controllers, or NICs`
			`\(for example, the PXE boot software for a NIC may have been signed by a`
			`Microsoft certificate\). While certificates can usually be removed from the`
			`certificate database \(again, this is UEFI implementation specific\) it`
			`may be required that you keep the Microsoft certificates to allow for`
			`complete system operation.`

			`Mixed combinations of secure boot and non-secure boot nodes are supported.`
			`For example, a controller node may secure boot, while a worker node may not.`
			`Secure boot must be enabled in the UEFI firmware of each node for that node`
			`to be protected by secure boot.`