Enabling Secure Boot from the UEFI firmware
How to enable Secure Boot and enroll the keys.
- DB certificate in DB
- KEK certificate in KEK
- PK certificate in PK
The following steps describe how to install the certificates for Vyatta NOS Secure Boot from the firmware setup of the SuperMicro E300-8D.
- At the bootsplash, press F11 to get the boot selection menu, and then select Enter Setup.
- In the firmware screen, navigate to the Security tab.
- Set CSM Support to Disabled.
- Enter the Secure Boot Menu submenu.
- Enter the Key Management submenu.
- Under Authorized Signatures, select Append Key, select No to load from external media, and then select the AT DB certificate from the external media.
- Repeat the same process for the Vyatta KEK certificate under the Key Exchange Key (KEK) option, and for the Vyatta PK certificate under the Platform Key (PK) option.
- Go up one level, and set Secure Boot to Enabled.

The keys are now enrolled and Secure Boot is enabled. It is no longer possible to boot any image that is not signed, whether installed or from a live CD. Before continuing, set the device drivers in EFI mode as follows:

- Under the Advanced tab in the top-level selection, go to the PCIe/PCI/PnP Configuration submenu.
- Set the following options to EFI:
  - M.2 PCI-E 3.0 X4 OPROM
  - CPU SLOT6 PCI-E 3.0 X8 OPROM
  - CPU SLOT7 PCI-E 3.0 X8 OPROM
  - PCI-E 2.0 X1 OPROM
  - Onboard LAN OPROM Type
  - Onboard Video OPROM
- Save the settings and restart by navigating to the Save & Exit tab in the top-level selection and choosing Save Changes and Reset.
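
After the reset, the result of the procedure above can be checked from the running system. The following is an added example, not part of the original page or of Vyatta's tooling: it assumes a Linux shell on the appliance with efivarfs mounted at `/sys/firmware/efi/efivars`, and the function names (`flag`, `count_x509`, `audit`, `esl`) are hypothetical. It reads the standard UEFI variables and counts the X.509 entries enrolled in PK, KEK and db.

```python
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")  # assumption: efivarfs is mounted here
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # PK, KEK, SecureBoot, SetupMode
EFI_IMAGE_SECURITY = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def flag(raw):
    """efivarfs data = 4 attribute bytes + value; SecureBoot/SetupMode are one byte."""
    if len(raw) != 5:
        raise ValueError("expected 4 attribute bytes + 1 data byte")
    return raw[4] == 1

def count_x509(raw):
    """Count X.509 entries across the EFI_SIGNATURE_LISTs in a PK, KEK or db blob."""
    data, off, count = raw[4:], 0, 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body = list_size - 28 - hdr_size  # bytes left for the signature entries
        if off + list_size > len(data) or sig_size <= 16 or body < 0 or body % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_X509:
            count += body // sig_size
        off += list_size
    return count

def audit(read=lambda name, guid: (EFIVARS / f"{name}-{guid}").read_bytes()):
    """Report the state the enrollment steps should leave behind."""
    return {
        "secure_boot": flag(read("SecureBoot", EFI_GLOBAL)),
        "setup_mode": flag(read("SetupMode", EFI_GLOBAL)),
        "PK": count_x509(read("PK", EFI_GLOBAL)),
        "KEK": count_x509(read("KEK", EFI_GLOBAL)),
        "db": count_x509(read("db", EFI_IMAGE_SECURITY)),
    }

def esl(cert):
    """Constructed sample: one X.509 list around placeholder bytes, not a real certificate."""
    body = bytes(16) + cert  # zeroed SignatureOwner GUID + SignatureData
    return EFI_CERT_X509.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

if __name__ == "__main__":
    print(audit())  # run on the appliance itself
```

A correctly enrolled system reports `secure_boot` as true, `setup_mode` as false, and at least one certificate in each of PK, KEK and db. The count confirms that entries are present, not whose certificates they are.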