Topics created by george1421

Target disk subsystem

In this section we are going to test the target computer’s performance to create a 1 GB file on local storage using the linux dd command. The dd command will create this 1GB file and time the creation process for us. Just be aware that this is a data distructive test. The contents of your local storage device will be erased during the test. Don’t perform this storage bandwidth test on a disk where you can not afford to lose the data.

The hardest step in the process is finding the local storage device name, removing all partitions on the disk, and then creating a new partition for our testing.

First lets find the name of your local storage disk. We will use the lsblk command to locate the linux device name. In the figure below you see the linux device name is sda for a sata attached disk, It has 2 partitions sda1 sda2

Below is an example of an NVMe disk. In this case the device name is nume0n1 and the partition numbers are p1 p2 p3 p4.

For the rest of this section we will assume you have a NVMe drive so we will use that naming convention. So we know the NVMe device name is nume0n1. Lets use the fdisk utility to remove all of the existing partitions on the disk. Don’t forget I mentioned this is a data destructive test.

Use the d command to remove all of the existing partitions on the disk. Then use the w command to write the blank partition table to disk. You can confirm the partitions are gone with the p command. Now finally create a new partition using the n then p primary, 1 first partition and then pick the defaults for the remainder. Now use the w write command to write the partitions to disk and the q command to quit fdisk. Finally ensure the OS is in sync with the disk by keying in sync twice at the FOS Linux command prompt.

You can confirm your changes my once again using the lsblk command.

Now that we have our test partition we need to format it. Lets format this nvme first partition using this command.

The output of this command should look similar to this

Hang on we are almost done with the setup. The next step is to create a directory mount point and to connect the nvme partition to the directory mount point.

Issue the following command to confirm the partition is mounted.

The line we are looking for is this one. It shows that the device /dev/nvme0n1p1 is connected to the /ntfs path.

Finally we’ve made it to the benchmarking point. Now we will use the dd command to create a 1GB file on the local disk.

In this case the dd command created the 1GB file in about a 1/2 second at a rate of 2.0 GB/s. This results is withing the expected range.

I can give you a few numbers off the top of my head that are reasonable results.
SATA HDD (spinning disk) 40-90MB/s
SATA SSD 350-520MB/s
NVMe 950-3500MB/s

If your results are within the above ranges for the selected storage device this part of the test was successful.

Preparing the FOG server with the prerequisites

Reboot the FOG server and then install the required packages

Create the Secure Boot PKI infrastructure

Lets create the working directories

Now lets create our bash file to create the PKI infrastructure

Insert the following text into that bash script.

Make the script we just created executable
Change into the secureboot directory and finally run the bash script.

I will tell you that when you run the mkkeys.sh you may get run time errors. You will need to research on your own what is missing and add that to your fog server using the apt-get package tool. I developed this process and a linux mint server and the duplicated it on a debian 10 fog server. I think I have all of the packages above that is needed. But YMMV.

Create the Secure Boot signed enrollment boot loader

Lets get the efitools package so we can built the enrollment bootloaders

Change into the efitools directory and run make to build the templates.

I will tell you that when you run the make commandyou may get run time errors. You will need to research on your own what is missing and add that to your fog server’s environment using the apt-get package tool. I developed this process and a linux mint server and the duplicated it on a debian 10 fog server. I think I have all of the packages above that is needed. But YMMV.

Now that we have the templates created we need to download the current secure boot key chains that are created by the hardware manufacture. My plan is to take the original certificate database, tack on the FOG certificates onto the end and then upload the combined certificates back to the target hardware. So for completeness I’ll show you how I downloaded the original certificates. To save you some time, I’ll include these files in a zip file a bit later in this post.

For this bit one of my dev fog servers runs on real hardware. I used these commands under debian to extract these generic certificates from the target computer’s bios. The computer I extracted them from was a Dell Precision 3620. So these certificates and certificate store is fairly new.

The following certificates (not really the correct word to use, but for my sanity I’ll call them certificates) are the only ones we are interested in (hw_KEK.esl, hw_db.esl, hw_dbx.esl). As I said above, you don’t need to do the above part because I’ll provide these generic certificates. note: 15-Dec-23 the hw_dbx.esl file might not be created if the dbx database is empty. If this is the case you should ignore the commands that use that file. Thank you @jfernandz for the updated inforamtion

Now lets bring everything together

At this point we are going to take the hardware certificates we downloaded from the uefi firmware and tag the FOG certificates onto the end.

Lets rebuild the signed boot loaders with the updated certificates

/opt/fog/secureboot/efitools/EnrollKeys.efi is the boot loader we will use to auto insert the updated security keys into the uefi firmware. So lets copy that file to the /tftpboot

The other two key files from this process that we will need is the FOG certificate private and public keys.

/opt/fog/secureboot/efikeys/DB.crt
/opt/fog/secureboot/efikeys/DB.key

In the next post we will go through and sign all of the boot files needed to secure boot into FOG.

Sample download with certificates
Here are the microsoft certificates that I downloaded from my Dell Desktop computer running debian. If you want this file you will need to download it and change the extension to .zip from .txt to be able to extract the contents. These keys are not unique, serialized, or unique. Every computer that is secure boot capable have these default keys installed.

ms_hwcerts.zip.txt