doc/secureboot: remove README

This is no longer tested, hence drop it. Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2024-04-16 10:50:28 +0800
committer: Anuj Mittal <anuj.mittal@intel.com> 2024-04-17 12:20:29 +0800
commit: 0093d9f2eaf97063c81bc73736ebe7c29a69200f (patch)
tree: 005be8eb1a2e1448990cf8430a017208684fe746 /documentation
parent: 84f39e69be15d63b0932ff02b7616382e3bdce65 (diff)
download: meta-intel-0093d9f2eaf97063c81bc73736ebe7c29a69200f.tar.gz
1 files changed, 0 insertions, 38 deletions
diff --git a/documentation/secureboot/README b/documentation/secureboot/README
deleted file mode 100644
index 3d5703bb..00000000
--- a/documentation/secureboot/README
+++ /dev/null
@@ -1,38 +0,0 @@
-Currently, only one implementation of Secure Boot is available out of the box,
-which is using a single signed EFI application to directly boot the kernel with
-an optional initramfs.
-This can be added to your build either through local.conf, or via your own
-custom image recipe.
-If you are adding it via local.conf, set the following variables:
-IMAGE_FEATURES += "secureboot"
-WKS_FILE = "generic-bootdisk.wks.in"
-SECURE_BOOT_SIGNING_KEY = "/path/to/your/signing/key"
-SECURE_BOOT_SIGNING_CERT = "/path/to/your/signing/cert"
-IMAGE_CLASSES += "uefi-comboapp"
-If working with an image recipe, you can inherit uefi-comboapp directly instead
-of using the IMAGE_CLASSES variable.
-The signing keys and certs can be created via openssl commands. Here's an
-example:
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=your-subject/" -keyout \
-your-key.key -out your-key.crt -days 365 -nodes -sha256
-openssl x509 -in your-key.crt -out your-key.cer -outform DER
-The .crt file is your SECURE_BOOT_SIGNING_CERT, and the .key file is your
-SECURE_BOOT_SIGNING_KEY.
-You should enroll the .crt key in your firmware under the PK, KEK, and DB
-options (methods are different depending on your firmware). If a key should ever
-become invalid, enroll it under DBX to blacklist it.
-The comboapp can be further manipulated in a number of ways. You can modify the
-kernel command line via the APPEND variable, you can change the default UUID via
-the DISK_SIGNATURE_UUID variable, and you can modify the contents of the
-initramfs via the INITRD_IMAGE or INITRD_LIVE variables.
-A simple Secure Boot enabled image used for testing can be viewed at:
-common/recipes-selftest/images/secureboot-selftest-image-signed.bb
author	Lee Chee Yang <chee.yang.lee@intel.com>	2024-04-16 10:50:28 +0800
committer	Anuj Mittal <anuj.mittal@intel.com>	2024-04-17 12:20:29 +0800
commit	0093d9f2eaf97063c81bc73736ebe7c29a69200f (patch)
tree	005be8eb1a2e1448990cf8430a017208684fe746 /documentation
parent	84f39e69be15d63b0932ff02b7616382e3bdce65 (diff)
download	meta-intel-0093d9f2eaf97063c81bc73736ebe7c29a69200f.tar.gz

diff --git a/documentation/secureboot/README b/documentation/secureboot/README deleted file mode 100644 index 3d5703bb..00000000 --- a/documentation/secureboot/README +++ /dev/null
@@ -1,38 +0,0 @@
1	Currently, only one implementation of Secure Boot is available out of the box,
2	which is using a single signed EFI application to directly boot the kernel with
3	an optional initramfs.
4
5	This can be added to your build either through local.conf, or via your own
6	custom image recipe.
7
8	If you are adding it via local.conf, set the following variables:
9
10	IMAGE_FEATURES += "secureboot"
11	WKS_FILE = "generic-bootdisk.wks.in"
12	SECURE_BOOT_SIGNING_KEY = "/path/to/your/signing/key"
13	SECURE_BOOT_SIGNING_CERT = "/path/to/your/signing/cert"
14	IMAGE_CLASSES += "uefi-comboapp"
15
16	If working with an image recipe, you can inherit uefi-comboapp directly instead
17	of using the IMAGE_CLASSES variable.
18
19	The signing keys and certs can be created via openssl commands. Here's an
20	example:
21	openssl req -new -x509 -newkey rsa:2048 -subj "/CN=your-subject/" -keyout \
22	your-key.key -out your-key.crt -days 365 -nodes -sha256
23	openssl x509 -in your-key.crt -out your-key.cer -outform DER
24
25	The .crt file is your SECURE_BOOT_SIGNING_CERT, and the .key file is your
26	SECURE_BOOT_SIGNING_KEY.
27
28	You should enroll the .crt key in your firmware under the PK, KEK, and DB
29	options (methods are different depending on your firmware). If a key should ever
30	become invalid, enroll it under DBX to blacklist it.
31
32	The comboapp can be further manipulated in a number of ways. You can modify the
33	kernel command line via the APPEND variable, you can change the default UUID via
34	the DISK_SIGNATURE_UUID variable, and you can modify the contents of the
35	initramfs via the INITRD_IMAGE or INITRD_LIVE variables.
36
37	A simple Secure Boot enabled image used for testing can be viewed at:
38	common/recipes-selftest/images/secureboot-selftest-image-signed.bb