Sovereign Boot Provisioning Wizard
Introduction and motivation
Sovereign Boot Provisioning Wizard is an UEFI application designed to guide end users through the provisioning of UEFI Secure Boot. The objective is to offer a user-controllable mechanism for managing platform trust relationships and establishing UEFI Secure Boot infrastructure, with a primary focus on transparency, informed consent, and usability.
Unlike traditional firmware interfaces, which expose UEFI Secure Boot as a collection of loosely connected toggleable settings and unmanaged certificate stores, this application presents a coherent, wizard-like experience. Its purpose is to make the process of reviewing and enrolling platform keys intuitive for users who are not security experts.
Specification
The application is implemented based on the Sovereign Boot Provisioning Wizard Specification (current revision v0.1.0).
Releases
RC1 - 2025-06-30
Added
- First engineering release of the Sovereign Boot Provisioning Wizard
- Basic parsing of boot options: displaying description, hardware path and file path
- Integration of the Sovereign Boot Provisioning Wizard into UEFI Boot Manager:
- wizard is invoked during boot when system is unprovisioned
- wizard is invoked when system is provisioned and the boot option does not pass the UEFI Secure Boot verification
- Integration of the Sovereign Boot Provisioning Wizard into UEFI firmware
setup:
- wizard can be disabled/enabled in the UEFI Secure Boot Configuration menu
- wizard can be manually invoked from the UEFI Secure Boot Configuration menu
- disabling the wizard causes to reset the UEFI Secure Boot keys to defaults
Binaries
SBOM
- coreboot based on 24.12 revision qemu_q35_sovereign_boot-rc1
- Dasharo EDKII fork based on edk2-stable202408.01 revision sovereign-boot-rc1
Building
Follow the instructions for
QEMU (qemu_full
target).
Testing
Currently implemented set of functionalities can be validated using OSFV.
-
Clone the repository and checkout the revision with tests:
git clone https://github.com/Dasharo/open-source-firmware-validation.git git checkout fce9dbc78007fb94c23070974834e47784205af4
-
Set up the testing environment as described in README.md.
- Download the
qemu_q35.rom
binary from Binaries section and place it in theopen-source-firmware-validation
directory. - Obtain the DTS v2.5.0 image from the DTS release
page and place it, e.g. in
$HOME
directory. -
Start the QEMU with the following command in separate window/tab in the
open-source-firmware-validation
directory:HDD_PATH=~/dts-base-image-v2.5.0.wic ./scripts/ci/qemu-run.sh graphic os
-
Start the test suite in the window where test environment was prepared:
robot -L TRACE -v rte_ip:127.0.0.1 \ -v snipeit:no -v config:qemu \ dasharo-security/sovereign-boot.robot