Exercise \- Feature Customization - Verified Boot
Note
In this exercise, we’ll learn how to enable and verify Verified Boot, it will demonstrate that boot stage signature verification will fail if a user modifies a byte in one of the stages
You can execute SBL with the following steps:
Use HEX editor to modify one byte in the SBL image:
1.) Rebuild SBL by using the following command:
python BuildLoader.py build qemu2.) Completion: you will see
Done [qemu]on the screen after compile completed3.) Check Flash Map on stage2 offset located at where (example here stage2 is located at 0x18000000)
4.) Open
SlimBootloader.binon<sbl_tree>\Outputs\qemu\5.) Goto offset
0x18000000and select one byte to modify it to0x00, and save the image
6.) Example here updated offset
0x18000025(Make sure to SAVE the changes!)
Execute SBL on QEMU by using the following command
Windows:
"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 256M -machine q35 -serial stdio -pflash Outputs\qemu\SlimBootloader.binLinux:
qemu-system-x86_64 -m 256M -machine q35 -serial mon:stdio -nographic -pflash Outputs/qemu/SlimBootloader.bin
Boot up failed on stage 1B
Modify board configuration file, CHANGE the line in file
<sbl_tree>\Platform\QemuBoardPkg\BoardConfig.pyself.HAVE_VERIFIED_BOOT = 0
Rebuild SBL by using the following command:
python BuildLoader.py build qemu
Completion: you will see
Done [qemu]on the screen after compile completedUse HEX editor to modify one byte in the SlimBootloader image:
1.) Open
SlimBootloader.binon<sbl_tree>\Outputs\qemu\2.) Goto offset
0x18000025and modify it to0x00, and SAVE the image3.) Execute SBL on QEMU by using the following command:
Windows:
"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 256M -machine q35 -serial stdio -pflash Outputs\qemu\SlimBootloader.bin
Linux:
qemu-system-x86_64 -m 256M -machine q35 -serial mon:stdio -nographic -pflash Outputs/qemu/SlimBootloader.bin
Tip
BoardConfig.py contains lots of options for customization. Most of the SBL static features and Flash image layout can be customized here.