-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the infrastructure for shim signing & aarch64 support #2292
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sayanchowdhury
had a problem deploying
to
development
September 6, 2024 15:51
— with
GitHub Actions
Error
sayanchowdhury
changed the title
Add the infrastructure for shim signing
[WIP] Add the infrastructure for shim signing
Sep 6, 2024
tormath1
reviewed
Sep 9, 2024
sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r1.ebuild
Outdated
Show resolved
Hide resolved
jepio
reviewed
Sep 10, 2024
sdk_container/src/third_party/coreos-overlay/sys-boot/shim-signed/shim-signed-15.8.ebuild
Outdated
Show resolved
Hide resolved
21 tasks
chewi
requested changes
Sep 10, 2024
sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild
Outdated
Show resolved
Hide resolved
sdk_container/src/third_party/coreos-overlay/sys-boot/shim-signed/shim-signed-15.8.ebuild
Outdated
Show resolved
Hide resolved
sdk_container/src/third_party/coreos-overlay/sys-boot/shim-signed/shim-signed-15.8.ebuild
Outdated
Show resolved
Hide resolved
sdk_container/src/third_party/coreos-overlay/sys-boot/shim-signed/shim-signed-15.8.ebuild
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pkgcheck
will complain about using spaces rather than tabs.
sayanchowdhury
had a problem deploying
to
development
September 16, 2024 08:56
— with
GitHub Actions
Error
sayanchowdhury
had a problem deploying
to
development
September 16, 2024 20:09
— with
GitHub Actions
Error
sayanchowdhury
had a problem deploying
to
development
September 16, 2024 20:17
— with
GitHub Actions
Error
sayanchowdhury
had a problem deploying
to
development
September 16, 2024 21:21
— with
GitHub Actions
Error
sayanchowdhury
had a problem deploying
to
development
September 16, 2024 21:28
— with
GitHub Actions
Error
sayanchowdhury
had a problem deploying
to
development
September 16, 2024 21:35
— with
GitHub Actions
Error
sayanchowdhury
changed the title
[WIP] Add the infrastructure for shim signing
Add the infrastructure for shim signing
Sep 16, 2024
sayanchowdhury
force-pushed
the
sayan/add-shim-signing
branch
from
September 16, 2024 21:45
9d51045
to
f5251a0
Compare
sayanchowdhury
temporarily deployed
to
development
September 16, 2024 21:45
— with
GitHub Actions
Inactive
sayanchowdhury
force-pushed
the
sayan/add-shim-signing
branch
from
October 23, 2024 07:20
f5251a0
to
ded52e9
Compare
sayanchowdhury
had a problem deploying
to
development
October 23, 2024 07:20
— with
GitHub Actions
Error
sayanchowdhury
changed the title
Add the infrastructure for shim signing
Add the infrastructure for shim signing & aarch64 support
Oct 23, 2024
I've pulled in @chewi commits into this PR. |
Build action triggered: https://github.com/flatcar/scripts/actions/runs/11475028486 |
sayanchowdhury
force-pushed
the
sayan/add-shim-signing
branch
from
October 23, 2024 07:34
ded52e9
to
6f55563
Compare
sayanchowdhury
had a problem deploying
to
development
October 23, 2024 07:34
— with
GitHub Actions
Error
sayanchowdhury
had a problem deploying
to
development
October 24, 2024 16:43
— with
GitHub Actions
Error
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
The new arm64 firmware supporting Secure Boot (see next commit) is in QCOW2 format only, avoiding the extra space taken up by the 64MB padding. Supporting both raw and QCOW2 images would be messy, so switch entirely to QCOW2. Only the 4MB images are in QCOW2 format on amd64, so also switch away from the 2MB images. 4MB images are now the default for most distributions as they are needed to apply certain Windows updates. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
edk2-bin now supports multiple platforms, including QEMU on arm64, so we no longer need to use Fedora's build. Note that the Secure Boot implementation is currently insecure as it lacks SMM, which is needed to protect the EFI variable store. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Rather than starting with a blank image, reuse the image that already has the Microsoft certificates and the latest DBX revocation list applied. Gentoo also applies the Red Hat certificates, which we don't need, but this is okay. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We initially thought we would need Red Hat's patch set. Then it looked like we wouldn't because the TPM Event Log appeared to work without it. We later discovered that on amd64, it only works with Secure Boot disabled. The patch set also fixes Secure Boot on arm64, which would have otherwise needed a couple of patches from Canonical. We have to drop Gentoo's patches because they conflict, but they don't affect Flatcar anyway. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Kola's logic for choosing BIOS vs EFI isn't too smart, and not specifying --qemu-ovmf-vars leads to it passing -bios to QEMU. This doesn't make sense for arm64, but it did work anyway with the old firmware in raw format. The new firmware in QCOW2 format doesn't work this way. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We always use the board's GRUB now. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
It's from Gentoo commit d286faf494dcb60f81f0de921fa623d952962fc1.
It's from Gentoo commit 69e4044b72d971f5603df77793db86c40e582e2e.
It's from Gentoo commit 768b3c1959debce15854362ff7db176cda76c055.
It's from Gentoo commit 82ec02943f7f0ddaa87f623cee138608571a3978.
It hasn't been added to Gentoo yet.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
p11-kit is a dependency of azure-keyvault-pkcs11, but we will also use it directly to fetch the certificate from Azure Key Vault. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This fix has been submitted to Red Hat. It will hopefully be merged soon. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
These are only needed when you are going to ship DB updates to existing systems, which we are not going to do. Our EFI variables are only for testing. End users are expected to use EFI variables provided by their hosts or hardware vendors. We presumably provided these before because some PK and KEK does need to be provided, but we can now use the Microsoft and Red Hat ones provided via Gentoo's edk2 package. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The cross issues that were previously addressed by our fork are no longer an issue since p11-kit migrated to Meson. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
chewi
force-pushed
the
sayan/add-shim-signing
branch
from
November 6, 2024 13:36
08cb93c
to
8550839
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TODO before merge
Bump shim pacakge revision
Changelog entries added in the respective
changelog/
directory (user-facing change, bug fix, security fix, update)Inspected CI output for image differences:
/boot
and/usr
size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.