Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

Enabling Secure Boot from the UEFI firmware

How to enable Secure Boot and enroll the keys.

Note: Certificates are installed from the UEFI firmware, not from Vyatta NOS, and this should be done before booting a live image. An existing image must be upgraded to a Vyatta NOS version that supports Secure Boot before Secure Boot is enabled in the firmware.
Certificates must be installed in the databases in the following order:
  1. DB certificate in DB
  2. KEK certificate in KEK
  3. PK certificate in PK

The following steps describe how to install the Secure Boot certificates for Vyatta NOS from the firmware setup of the SuperMicro E300-8D.

  1. At the bootsplash, press F11 to get the boot selection menu, and then select Enter Setup.
  2. In the firmware screen, navigate to the Security tab.
  3. Set CSM Support to Disabled.
  4. Enter the Secure Boot Menu submenu.
  5. Enter the Key Management submenu.
  6. Under Authorized Signatures, select Append Key, select No to load from external media, and then select the AT DB certificate from the external media.
  7. Repeat the same process for the Vyatta KEK certificate under the Key Exchange Key (KEK) option, and for the Vyatta PK certificate under the Platform Key (PK) option.
  8. Go up one level, and set Secure Boot to Enabled.
    The keys are now enrolled and Secure Boot is enabled. It is no longer possible to boot any image, installed or live CD, that is not signed. Before continuing, set the device drivers to EFI mode as follows:
    1. Under the Advanced tab in the top-level selection, go to the PCIe/PCI/PnP Configuration submenu.
    2. Set the following options to EFI:
      • M.2 PCI-E 3.0 X4 OPROM
      • CPU SLOT6 PCI-E 3.0 X8 OPROM
      • CPU SLOT7 PCI-E 3.0 X8 OPROM
      • PCI-E 2.0 X1 OPROM
      • Onboard LAN OPROM Type
      • Onboard Video OPROM
    3. Save the settings and restart by navigating to the Save & Exit tab in the top-level selection and choosing Save Changes and Reset.
The changes are saved: Secure Boot is enabled and the device drivers are set to EFI mode.
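
To confirm the result after the restart, the following added example (not part of the Vyatta documentation or product) reads the UEFI variables that the procedure above sets. It assumes a Linux shell on the booted system with efivarfs mounted at /sys/firmware/efi/efivars; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Vyatta code: check Secure Boot state through efivarfs.
# Assumption: Linux shell with efivarfs mounted at /sys/firmware/efi/efivars.
GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c  # EFI global variable GUID
IMGSEC=d719b2cb-3d3a-4596-a3bc-dad00e67656f  # image security database GUID (db)

# An efivarfs file is 4 attribute bytes followed by the variable's data.
# efi_flag DIR NAME: print the first data byte as a decimal number.
efi_flag() {
    [ -r "$1/$2-$GLOBAL" ] || return 1
    od -An -tu1 -j4 -N1 "$1/$2-$GLOBAL" | tr -d ' \n'
}

# efi_data_size DIR NAME GUID: print the data length in bytes (0 if absent).
efi_data_size() {
    [ -r "$1/$2-$3" ] || { echo 0; return 0; }
    n=$(( $(wc -c < "$1/$2-$3") - 4 ))
    if [ "$n" -gt 0 ]; then echo "$n"; else echo 0; fi
}

# check_secure_boot [DIR]: return 0 only if Secure Boot is on, the firmware
# has left setup mode, and PK, KEK and db each hold at least one entry.
check_secure_boot() {
    dir="${1:-/sys/firmware/efi/efivars}"
    rc=0
    [ -d "$dir" ] || { echo "FAIL: no efivars directory (booted via CSM/legacy?)"; return 2; }
    [ "$(efi_flag "$dir" SecureBoot)" = 1 ] || { echo "FAIL: SecureBoot is not 1"; rc=1; }
    [ "$(efi_flag "$dir" SetupMode)" = 0 ] || { echo "FAIL: SetupMode is not 0"; rc=1; }
    for v in PK KEK; do
        [ "$(efi_data_size "$dir" "$v" "$GLOBAL")" -gt 0 ] || { echo "FAIL: $v is empty"; rc=1; }
    done
    [ "$(efi_data_size "$dir" db "$IMGSEC")" -gt 0 ] || { echo "FAIL: db is empty"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: Secure Boot enabled; PK, KEK and db enrolled"
    return "$rc"
}

# make_sample DIR SECUREBOOT SETUPMODE: write constructed variables (not real
# key material) so the check can be exercised away from the appliance.
make_sample() {
    printf "\\006\\000\\000\\000\\00$2" > "$1/SecureBoot-$GLOBAL"
    printf "\\006\\000\\000\\000\\00$3" > "$1/SetupMode-$GLOBAL"
    for f in "PK-$GLOBAL" "KEK-$GLOBAL" "db-$IMGSEC"; do
        printf '\047\000\000\000constructed' > "$1/$f"
    done
}

# Demo on constructed data; on the device, call check_secure_boot with no argument.
demo=$(mktemp -d); make_sample "$demo" 1 0; check_secure_boot "$demo"; rm -rf "$demo"
```

A missing efivars directory means the system did not boot in UEFI mode, which points back to the CSM Support setting in step 3.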