Add the infrastructure for shim signing & aarch64 support #2292

Open
wants to merge 33 commits into
base: main

sayanchowdhury
Member

@sayanchowdhury sayanchowdhury commented Sep 6, 2024

TODO before merge

  • Bump shim package revision

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)

  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

@sayanchowdhury sayanchowdhury requested a review from a team September 6, 2024 15:51
@sayanchowdhury sayanchowdhury changed the title Add the infrastructure for shim signing [WIP] Add the infrastructure for shim signing Sep 6, 2024
Contributor

pkgcheck will complain about using spaces rather than tabs.

@sayanchowdhury sayanchowdhury changed the title [WIP] Add the infrastructure for shim signing Add the infrastructure for shim signing Sep 16, 2024
@sayanchowdhury sayanchowdhury changed the title Add the infrastructure for shim signing Add the infrastructure for shim signing & aarch64 support Oct 23, 2024
@sayanchowdhury
Member Author

I've pulled in @chewi commits into this PR.

Build action triggered: https://github.com/flatcar/scripts/actions/runs/11475028486

sayanchowdhury and others added 28 commits November 4, 2024 21:30
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Also adjust to using board packages for shim

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Unfortunately, it pulls in a number of dependencies.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
virt-fw-vars handles X.509 conversion and QCOW2 conversion transparently
and can update all the variables in a single invocation.

Bonus: Asking it to list the variables doesn't cause a segfault due to
the feature not really being implemented. :D

The 00000000-0000-0000-0000-000000000000 owner GUID is what flash-var
used to set, as we didn't specify the -g argument. We will probably be
assigned a real one later.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Gentoo has moved this package so that it can support multiple platforms.
The newer version is needed for Secure Boot support on arm64. This is
newer than the version that QEMU is currently pinned to so unpin it via
the USE flag.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The new arm64 firmware supporting Secure Boot (see next commit) is in
QCOW2 format only, avoiding the extra space taken up by the 64MB
padding. Supporting both raw and QCOW2 images would be messy, so switch
entirely to QCOW2.

Only the 4MB images are in QCOW2 format on amd64, so also switch away
from the 2MB images. 4MB images are now the default for most
distributions as they are needed to apply certain Windows updates.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
edk2-bin now supports multiple platforms, including QEMU on arm64, so we
no longer need to use Fedora's build. Note that the Secure Boot
implementation is currently insecure as it lacks SMM, which is needed to
protect the EFI variable store.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Rather than starting with a blank image, reuse the image that already
has the Microsoft certificates and the latest DBX revocation list
applied. Gentoo also applies the Red Hat certificates, which we don't
need, but this is okay.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We initially thought we would need Red Hat's patch set. Then it looked
like we wouldn't because the TPM Event Log appeared to work without it.
We later discovered that on amd64, it only works with Secure Boot
disabled. The patch set also fixes Secure Boot on arm64, which would
have otherwise needed a couple of patches from Canonical.

We have to drop Gentoo's patches because they conflict, but they don't
affect Flatcar anyway.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Kola's logic for choosing BIOS vs EFI isn't too smart, and not
specifying --qemu-ovmf-vars leads to it passing -bios to QEMU. This
doesn't make sense for arm64, but it did work anyway with the old
firmware in raw format. The new firmware in QCOW2 format doesn't work
this way.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We always use the board's GRUB now.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
It's from Gentoo commit d286faf494dcb60f81f0de921fa623d952962fc1.
It's from Gentoo commit 69e4044b72d971f5603df77793db86c40e582e2e.
It's from Gentoo commit 768b3c1959debce15854362ff7db176cda76c055.
It's from Gentoo commit 82ec02943f7f0ddaa87f623cee138608571a3978.
It hasn't been added to Gentoo yet.
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
p11-kit is a dependency of azure-keyvault-pkcs11, but we will also use
it directly to fetch the certificate from Azure Key Vault.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This fix has been submitted to Red Hat. It will hopefully be merged
soon.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
These are only needed when you are going to ship DB updates to existing
systems, which we are not going to do. Our EFI variables are only for
testing. End users are expected to use EFI variables provided by their
hosts or hardware vendors. We presumably provided these before because
some PK and KEK does need to be provided, but we can now use the
Microsoft and Red Hat ones provided via Gentoo's edk2 package.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The cross issues that were previously addressed by our fork are no
longer an issue since p11-kit migrated to Meson.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Status: ⚒️ In Progress
5 participants