IBM Support

How to enable secure boot on the HMC

How To


Summary

This document contains the steps required to enable secure boot on the HMC.

Objective

Guide the user through the process of enabling or re-enabling secure boot on the HMC.

Environment

Secure boot was introduced in the 7063-CR2 HMC with v10r1.1010.
Pre-requisites:
  • 7063-CR2 HMC at v10r1.1010 or newer
  • PNOR: IBM-mowgli-ibm-OP9_v2.5_4.123-prod or newer
  • BMC: op940.hmc-11-0-g459255f1af or newer

Steps

Enabling (or re-enabling) Secure Boot on 7063-CR2 HMCs

1. Update the firmware on the HMC to the following minimum levels, or newer:

  • PNOR: IBM-mowgli-ibm-OP9_v2.5_4.123-prod
  • BMC: op940.hmc-11-0-g459255f1af

2. Upgrade or install the HMC with v10r1.1010 or newer

3. Check firmware verification is enabled by accessing Petitboot.

Petitboot -> System Information

Scroll down to the "Secure & trusted boot" section and verify that the "FW verification" field shows enabled.

System Information FW verification enabled

If FW verification shows disabled:

  • Shut down the HMC
  • Remove the system backplane
  • Flip the Secure boot jumper (J1_CP0) from pins 2-3 (debug/unsecure) to pins 1-2 (secure)

Secure Boot jumper location

Secure Boot jumper enabled

4. As hscroot, use the sendfile command to copy the PK and db files from the HMC file system to a remote system. These files are available in HMC v10r1.1010 and newer:

sendfile -f /opt/hsc/data/secureboot/PK.auth -h <ip> -d <dir> -u <username> -n PK.auth -s

sendfile -f /opt/hsc/data/secureboot/db.auth -h <ip> -d <dir> -u <username> -n db.auth -s

Where:

  • <ip> is the IP address of the remote system
  • <dir> is the directory on the remote system where the files will be stored

NOTE: The sendfile command is used because the files are stored in a location that does not allow copying to removable media directly from the HMC.

5. On the remote system, copy the PK.auth and db.auth files to a USB drive.

Alternatively, an ISO file containing the two files may be created. This ISO file can then be mounted remotely via the Virtual Media feature of the BMC. One method to create an ISO file from a directory is to use the mkisofs command in Linux:

mkisofs -o secureboot.iso <dir with auth files>

6. Boot the HMC to Petitboot and select Exit to Shell

If the files were copied to a USB drive, insert it now.

If the files were combined into an ISO file to be remotely mounted via Virtual Media, start the virtual media session from the BMC web UI.

7. Run the mount command to verify the automatic mount point

Example of automatic mount location for USB drive.

The mount point is /var/petitboot/mnt/dev/sda1

Adjust as necessary for your drive.

locate USB mount point

Example of automatic mount location for ISO file over Virtual Media.

The mount point is /var/petitboot/mnt/dev/sdb
locate virtual media mount

8. Change directory to the location of the keys in the media

Example for mount point /var/petitboot/mnt/dev/sda1

cd /var/petitboot/mnt/dev/sda1

ls

PK.auth    db.auth

9. Write the contents of the PK and db files to system firmware with these two commands:

cat PK.auth > /sys/firmware/secvar/vars/PK/update

cat db.auth > /sys/firmware/secvar/vars/db/update

10. Reboot the system by running the command "reboot"

reboot

11. Stop the system at Petitboot again and select System Information to confirm the section Secure & trusted boot reflects:

  • FW verification: enabled
  • FW measurement: enabled
  • OS verification: enforcing

Secure Boot all enforcing

12. Exit the shell and, back on the main Petitboot menu, select Hardware Management Console.

13. Verify the HMC reports secure boot as enabled:

lshmc --boot

secure_boot=1

This concludes the procedure.
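
The following sketch wraps steps 7 to 9 in pre-flight checks, so that neither file is written to firmware unless both are present, non-empty and, when a checksum manifest is on the media, unchanged. It is an added example, not an IBM-supplied script: the names SECVAR_ROOT, SHA256SUMS, check_var, check_manifest and stage_secvar_keys are chosen here, and the availability of sha256sum in the Petitboot shell is an assumption.

```shell
#!/bin/sh
# Added example (not IBM's script): pre-flight checks around step 9.
# SECVAR_ROOT, SHA256SUMS and the function names are chosen for this sketch.
SECVAR_ROOT="${SECVAR_ROOT:-/sys/firmware/secvar/vars}"

# Check one variable's source file and sysfs target; explain any failure.
check_var() {
    src="$1/$2.auth"
    dst="$SECVAR_ROOT/$2/update"
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    [ -s "$src" ] || { echo "empty: $src" >&2; return 1; }
    [ -w "$dst" ] || { echo "not writable: $dst" >&2; return 1; }
}

# Optional integrity check: if the media carries a SHA256SUMS manifest
# (assumption: made with "sha256sum PK.auth db.auth > SHA256SUMS" on the
# remote system), it must verify, otherwise nothing is written.
check_manifest() {
    [ -f "$1/SHA256SUMS" ] || return 0
    command -v sha256sum >/dev/null 2>&1 ||
        { echo "SHA256SUMS present but sha256sum not available" >&2; return 1; }
    (cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1) ||
        { echo "checksum mismatch in $1" >&2; return 1; }
}

# Usage: stage_secvar_keys <media_dir>
# Returns 0 on success, 1 if a pre-flight check failed (nothing written),
# 2 if a write to secvar failed.
stage_secvar_keys() {
    media=$1
    # Validate everything before the first write, so a missing db.auth
    # cannot leave PK submitted on its own.
    check_manifest "$media" || return 1
    for var in PK db; do
        check_var "$media" "$var" || return 1
    done
    # Same order as the procedure: PK first, then db.
    for var in PK db; do
        cat "$media/$var.auth" > "$SECVAR_ROOT/$var/update" ||
            { echo "write failed: $var" >&2; return 2; }
    done
    echo "PK and db submitted; reboot and check System Information"
}
```

To use it, place the script on the same media as the .auth files, source it in the Petitboot shell and call stage_secvar_keys with the mount point found in step 7, for example /var/petitboot/mnt/dev/sda1.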

Additional Information

What is Secure Boot?

Secure boot is a feature that, when enabled, prevents the HMC from booting from an image that has not been signed by the manufacturer.

  • For secure boot to be fully enabled on the HMC, firmware verification must be enabled and OS verification must be "enforcing".
  • The Secure Boot jumper is set to the "enabled" position on all 7063-CR2 HMCs by default. This controls whether the firmware verification is enabled. If firmware verification is disabled, OS verification will also be disabled.
  • HMC v10r1.1010 is required for the OS verification of Secure boot to be enforcing.
  • Once OS verification is enforced, the HMC can only be booted by a signed image (i.e., v10r1.1010 and newer).

Replacement of the following parts disables Secure boot. It can be re-enabled using the procedure outlined in this document:
  • System Backplane
  • Trusted Platform Module (TPM)

Document Location

Worldwide

Document Information

Modified date:
29 March 2022

UID

ibm16489435