Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azure: added option for additionalSignatures #79

Merged
merged 3 commits into from
Sep 5, 2024
Merged

azure: added option for additionalSignatures #79

merged 3 commits into from
Sep 5, 2024

Conversation

mkulke
Copy link
Contributor

@mkulke mkulke commented Sep 4, 2024
edited
Loading

A feature has recently been make public allowing to seed custom certificates to Image Versions in azure, which allows TrustedLaunch/SecureBoot for e.g. custom kernels that have been signed with custom keys.

Note: The additional keys will be appear in a machine's UEFI db if it has been launched w/ SecureBoot enabled.

Note: The provisioning of UEFI certs does not yet work if image versions are referenced via their CommunityGallery Id, support for this is pending.

$ mokutil --sb-state
SecureBootEnabled

$ keyctl list %.platform
...
966898153: ---lswrv     0     0 asymmetric: mkosi of magnuskulke: 22d8f39cb9d11b0f179ca7bbb247857aca63bade
...

$ dmesg | grep mkosi
[    2.933854] integrity: Loaded X.509 cert 'mkosi of magnuskulke: 22d8f39cb9d11b0f179ca7bbb247857aca63bade'

katexochen
katexochen approved these changes Sep 4, 2024
View reviewed changes
Copy link
Member

@katexochen katexochen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

README.md Outdated Show resolved Hide resolved
azure/uploader.go Outdated Show resolved Hide resolved
mkulke and others added 3 commits September 5, 2024 09:32
@mkulke
azure: added option for additionalSignatures
245cb59 
A feature has recently been make public allowing to seed custom
certificates to Image Versions in azure, which allows
TrustedLaunch/SecureBoot for e.g. custom kernels that have been signed
with custom keys.

Note: The additional keys will be appear in a machine's UEFI db if it
has been launched w/ SecureBoot enabled.

```bash
$ mokutil --sb-state
SecureBootEnabled

$ keyctl list %.platform
...
966898153: ---lswrv     0     0 asymmetric: mkosi of magnuskulke: 22d8f39cb9d11b0f179ca7bbb247857aca63bade
...

$ dmesg | grep mkosi
[    2.933854] integrity: Loaded X.509 cert 'mkosi of magnuskulke: 22d8f39cb9d11b0f179ca7bbb247857aca63bade'
```

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
@mkulke @katexochen
Update README.md
bbe011f 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
@mkulke @katexochen
Update azure/uploader.go
8ff9f9f 
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
@mkulke mkulke force-pushed the mkulke/add-additionalsignatures-option-for-azure branch from 2817954 to 8ff9f9f Compare September 5, 2024 07:33
@katexochen katexochen merged commit c8a482d into edgelesssys:main Sep 5, 2024
7 of 8 checks passed
@mkulke mkulke deleted the mkulke/add-additionalsignatures-option-for-azure branch September 5, 2024 09:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@katexochen katexochen katexochen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mkulke @katexochen