Initial implementation for Secure boot support #1589
Could we have a single image type or does presence of a signature disrupt the booting when secure boot is disabled?
I don't see a new image type added in the commits, so is this already present? I would like to understand whether this means to have additional images for every cloud or if we have the same number of images as before but only an additional qemu script.
CI Running (dropped shim cros_workon) http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/1278/cldsv/
No, we can merge the same into the qemu_uefi, and one can toggle from BIOS to disable Secure Boot, and Flatcar would boot just fine. I created a new variant as I'm still working on the implementation on the other cloud providers and tests. The reason for creating the PR is so that after merge we can deprecate the shim repo.
...tainer/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild
sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r9.ebuild
CI Passed.
Signed-off-by: Sayan Chowdhury <[email protected]>
Add the linux.mod file back
Signed-off-by: Sayan Chowdhury <[email protected]>
Signed-off-by: Jeremi Piotrowski <[email protected]>
This is just the contents of the section, but the section itself is written by grub-mkimage. sbat.csv needs to be passed with --sbat.
Signed-off-by: Jeremi Piotrowski <[email protected]>
Signed-off-by: Sayan Chowdhury <[email protected]>
We have an existing qemu_uefi_secure format definition, but it is necessary to update it so that it actually works. Qemu needs to be passed the correct flags to enable SMM, we need to switch to the Q35 machine, and we need to copy over the secboot variant of the OVMF firmware.
Signed-off-by: Sayan Chowdhury <[email protected]>
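The three requirements named in the commit message above (Q35 machine, SMM enabled, secboot OVMF firmware), written out as QEMU arguments together with a check that names whichever of them an argument list is missing. This is an added example, not the PR's script; the firmware file names and the `property=secure` pflash setting (taken from the usual OVMF SMM setup) are assumptions that do not appear on this page.

```shell
#!/bin/sh
# Added example, not the PR's script. Firmware file names are assumptions.

# Print, one per line, the QEMU arguments for a Secure Boot capable guest.
#   $1 secboot build of the OVMF code image (shared, read-only)
#   $2 OVMF variable store template
#   $3 directory that receives this VM's private variable store
secure_boot_qemu_args() {
    code=$1; vars_template=$2; workdir=$3
    [ -r "$code" ] && [ -r "$vars_template" ] || return 1
    # Enrolled keys live in the variable store, so each VM gets a writable
    # copy and the template stays pristine.
    vars="$workdir/vars.fd"
    cp "$vars_template" "$vars" || return 1
    printf '%s\n' \
        "-machine q35,smm=on" \
        "-global driver=cfi.pflash01,property=secure,value=on" \
        "-drive if=pflash,unit=0,format=raw,readonly=on,file=$code" \
        "-drive if=pflash,unit=1,format=raw,file=$vars"
}

# Read QEMU arguments on stdin and name each requirement that is missing.
# Returns 0 only when nothing is missing.
missing_secure_boot_args() {
    args=$(cat); rc=0
    case $args in *"-machine q35"*) ;; *) echo "machine type is not q35"; rc=1 ;; esac
    case $args in *smm=on*) ;; *) echo "SMM is not enabled"; rc=1 ;; esac
    case $args in *property=secure,value=on*) ;;
        *) echo "pflash is not marked secure"; rc=1 ;; esac
    case $args in *if=pflash*readonly=on*) ;;
        *) echo "firmware code flash is not read-only"; rc=1 ;; esac
    return $rc
}

# Constructed sample: a legacy-style argument list with plain UEFI firmware.
LEGACY_ARGS='-machine pc
-bios OVMF.fd'
```

Piping `$LEGACY_ARGS` into `missing_secure_boot_args` lists all four gaps, while the output of `secure_boot_qemu_args` passes the check silently.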
Co-authored-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Sayan Chowdhury <[email protected]>
@@ -0,0 +1,23 @@ | |||
# Copyright (c) 2024 The Flatcar Maintainers. |
Dunno if this question was answered. Does it block the PR?
Initial implementation for Secure boot support
This PR updates shim to use upstream, adds test secure boot keys, and a new qemu_uefi_secure format which produces a Secure Boot.
To be merged with https://github.com/flatcar/jenkins-os/pull/325
How to use
Testing done
CI Running http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/1276/cldsv/
changelog/ directory (user-facing change, bug fix, security fix, update)
/boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.