Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the infrastructure for shim signing & aarch64 support #2292

Closed
wants to merge 27 commits into from

Conversation

sayanchowdhury
Copy link
Member

@sayanchowdhury sayanchowdhury commented Sep 6, 2024

TODO before merge

  • Bump shim pacakge revision

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)

  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

@sayanchowdhury sayanchowdhury requested a review from a team September 6, 2024 15:51
@sayanchowdhury sayanchowdhury changed the title Add the infrastructure for shim signing [WIP] Add the infrastructure for shim signing Sep 6, 2024
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pkgcheck will complain about using spaces rather than tabs.

@sayanchowdhury sayanchowdhury changed the title [WIP] Add the infrastructure for shim signing Add the infrastructure for shim signing Sep 16, 2024
@sayanchowdhury sayanchowdhury changed the title Add the infrastructure for shim signing Add the infrastructure for shim signing & aarch64 support Oct 23, 2024
@sayanchowdhury
Copy link
Member Author

I've pulled in @chewi commits into this PR.

Copy link

sayanchowdhury and others added 24 commits November 6, 2024 13:17
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
The new arm64 firmware supporting Secure Boot (see next commit) is in
QCOW2 format only, avoiding the extra space taken up by the 64MB
padding. Supporting both raw and QCOW2 images would be messy, so switch
entirely to QCOW2.

Only the 4MB images are in QCOW2 format on amd64, so also switch away
from the 2MB images. 4MB images are now the default for most
distributions as they are needed to apply certain Windows updates.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
edk2-bin now supports multiple platforms, including QEMU on arm64, so we
no longer need to use Fedora's build. Note that the Secure Boot
implementation is currently insecure as it lacks SMM, which is needed to
protect the EFI variable store.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Rather than starting with a blank image, reuse the image that already
has the Microsoft certificates and the latest DBX revocation list
applied. Gentoo also applies the Red Hat certificates, which we don't
need, but this is okay.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We initially thought we would need Red Hat's patch set. Then it looked
like we wouldn't because the TPM Event Log appeared to work without it.
We later discovered that on amd64, it only works with Secure Boot
disabled. The patch set also fixes Secure Boot on arm64, which would
have otherwise needed a couple of patches from Canonical.

We have to drop Gentoo's patches because they conflict, but they don't
affect Flatcar anyway.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Kola's logic for choosing BIOS vs EFI isn't too smart, and not
specifying --qemu-ovmf-vars leads to it passing -bios to QEMU. This
doesn't make sense for arm64, but it did work anyway with the old
firmware in raw format. The new firmware in QCOW2 format doesn't work
this way.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We always use the board's GRUB now.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
It's from Gentoo commit d286faf494dcb60f81f0de921fa623d952962fc1.
It's from Gentoo commit 69e4044b72d971f5603df77793db86c40e582e2e.
It's from Gentoo commit 768b3c1959debce15854362ff7db176cda76c055.
It's from Gentoo commit 82ec02943f7f0ddaa87f623cee138608571a3978.
It hasn't been added to Gentoo yet.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
p11-kit is a dependency of azure-keyvault-pkcs11, but we will also use
it directly to fetch the certificate from Azure Key Vault.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This fix has been submitted to Red Hat. It will hopefully be merged
soon.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
These are only needed when you are going to ship DB updates to existing
systems, which we are not going to do. Our EFI variables are only for
testing. End users are expected to use EFI variables provided by their
hosts or hardware vendors. We presumably provided these before because
some PK and KEK does need to be provided, but we can now use the
Microsoft and Red Hat ones provided via Gentoo's edk2 package.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The cross issues that were previously addressed by our fork are no
longer an issue since p11-kit migrated to Meson.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants