New PXE loader "Grub2 UEFI SecureBoot (target OS)" #857
This feature consists of two patches, one for foreman and one for smart-proxy. This patch introduces a new loader of kind `:PXEGrub2TargetOS` which allows providing host-specific Network Bootstrap Programs (NBP) in order to enable network-based installations for SecureBoot-enabled hosts. SecureBoot expects to follow a chain of trust from the start of the host to the loading of Linux kernel modules. The very first shim that is loaded basically determines which distribution is allowed to be booted or kexec'ed until the next reboot. The existing "Grub2 UEFI SecureBoot" is not sufficient as it limits the possible installations to the vendor of the Foreman (Smart Proxy) host system. Providing a shim and GRUB2 by the vendor of the to-be-installed operating system allows Foreman to install any operating system on SecureBoot-enabled hosts over the network. To achieve this, the host's DHCP filename option is set to a shim path in a directory that is host-specific (contains the MAC address). The corresponding shim and GRUB2 binaries are copied into that directory along with the generated GRUB2 configuration files as we know them from "Grub2 UEFI". Required binaries must be provided once in `/usr/local/share/bootloader-universe/<os>/`. These binaries can be manually retrieved from the installation media and are not part of this patchset.
Full example:

```
[root@vm ~]# hammer host info --id 241 | grep -E "(MAC address|Operating System)"
MAC address:        00:50:56:b4:75:5e
Operating System:   Ubuntu 22.04 LTS
[root@vm ~]# tree /usr/local/share/bootloader-universe/
/usr/local/share/bootloader-universe/
|-- centos
|   |-- grubx64.efi
|   `-- shimx64.efi
`-- ubuntu
    |-- grubx64.efi
    `-- shimx64.efi
[root@vm ~]# hammer host update --id 241 --build true
[root@vm ~]# tree /var/lib/tftpboot/grub2/00-50-56-b4-75-5e/
/var/lib/tftpboot/grub2/00-50-56-b4-75-5e/
|-- grub.cfg
|-- grub.cfg-00:50:56:b4:75:5e
|-- grub.cfg-01-00-50-56-b4-75-5e
|-- grubx64.efi
|-- shimx64.efi
`-- targetos
[root@vm ~]# grep -B2 00-50-56-b4-75-5e /var/lib/dhcpd/dhcpd.leases
  hardware ethernet 00:50:56:b4:75:5e;
  fixed-address 192.168.145.84;
  supersede server.filename = "grub2/00-50-56-b4-75-5e/shimx64.efi";
[root@vm ~]# pesign -S -i /var/lib/tftpboot/grub2/00-50-56-b4-75-5e/grubx64.efi | grep Canonical
The signer's common name is Canonical Ltd. Secure Boot Signing (2021 v1)
```
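An added illustration (not the PR's or smart-proxy's own code) of the per-host staging layout the description above lays out, written in Ruby. The `bootloader-universe` and TFTP paths, the `grub2/<mac>` directory and the `grub.cfg-*` names come from the description; the input validation, the refusal to stage an incomplete shim/GRUB pair and the function names are assumptions made for this example.

```ruby
require 'fileutils'

# Assumed defaults, taken from the PR description (illustrative, not project code).
UNIVERSE_DIR = '/usr/local/share/bootloader-universe'
TFTP_ROOT    = '/var/lib/tftpboot'
BINARIES     = %w[shimx64.efi grubx64.efi].freeze

# "00:50:56:b4:75:5e" -> "00-50-56-b4-75-5e"; the strict pattern also keeps a
# malformed MAC from ever turning into a path component.
def mac_to_dir(mac)
  raise ArgumentError, "bad MAC #{mac.inspect}" unless mac =~ /\A([0-9a-f]{2}:){5}[0-9a-f]{2}\z/i
  mac.downcase.tr(':', '-')
end

# Host-specific directory relative to the TFTP root, e.g. "grub2/00-50-56-b4-75-5e".
def host_dir(mac)
  File.join('grub2', mac_to_dir(mac))
end

# Value handed to the client in the DHCP filename option: the vendor shim in the host directory.
def dhcp_filename(mac)
  File.join(host_dir(mac), 'shimx64.efi')
end

# GRUB configuration file names the example shows inside the host directory.
def grub_cfg_names(mac)
  ['grub.cfg', "grub.cfg-#{mac.downcase}", "grub.cfg-01-#{mac_to_dir(mac)}"]
end

# Copy the target OS vendor's shim and GRUB2 into the host directory.  Nothing is
# staged unless both binaries exist, so a host is never pointed at a half-built
# chain.  Returns the staged paths relative to the TFTP root.
def stage_target_os(mac, os, universe_dir: UNIVERSE_DIR, tftp_root: TFTP_ROOT)
  # Assumed rule: the <os> directory name is a plain token, never a path.
  raise ArgumentError, "bad OS name #{os.inspect}" unless os =~ /\A[a-z0-9_-]+\z/i
  src = File.join(universe_dir, os)
  missing = BINARIES.reject { |b| File.file?(File.join(src, b)) }
  raise "missing #{missing.join(', ')} in #{src}" unless missing.empty?
  dst = File.join(tftp_root, host_dir(mac))
  FileUtils.mkdir_p(dst)
  BINARIES.each { |b| FileUtils.cp(File.join(src, b), File.join(dst, b)) }
  BINARIES.map { |b| File.join(host_dir(mac), b) }
end
```

The `pesign -S` check from the example above is the natural follow-up on the staged `grubx64.efi`: it confirms the copied binary really carries the target vendor's Secure Boot signature rather than the proxy host's.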
Can one of the admins verify this patch?
This adds a section about new SecureBoot support. It only works in combination with the following patchset: theforeman/foreman#9638 theforeman/smart-proxy#857 RFC: https://community.theforeman.org/t/add-secureboot-support-for-arbitrary-distributions/32601/1
/packit build

No config file for packit (e.g. For more info, please check out the documentation or contact the Packit team. You can also use our CLI command