This repository was archived by the owner on May 7, 2021. It is now read-only.

Conversation

cgwalters (Member)

For FCOS we support both. Mainly I'm adding these because
they seem to be prerequisites for accessing the "vTPM" which
is part of the "Shielded Cloud" umbrella. We want access to the vTPM
to enable support for LUKS bound to vTPM for example. Also,
for OpenShift, I think at some point we want to enable using TPM
as a "strong identity" for nodes.

@jlebon (Member) left a comment


Haven't played much with GCP, but this looks reasonable to me!

@cgwalters (Member, Author)

This gets me a vTPM, though for some reason it still doesn't seem to be booting in UEFI mode with Secure Boot.
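
A check that matches the observation in that comment, added here as an example and not taken from the mantle PR or the GCP tooling: run inside the guest, it reports whether the kernel booted via UEFI, whether the SecureBoot EFI variable is 1 (enforcing), and whether a TPM device is exposed, which on a GCE Shielded VM is the vTPM. The ROOT argument defaults to the real filesystem; passing another directory runs the checks against a constructed sysfs/dev tree. The function names are this example's own; the efivarfs layout it parses (a 4-byte attribute header followed by the variable data, a single byte for SecureBoot) is how the kernel exposes EFI variables.

```shell
#!/bin/sh
# Added example: verify from inside a GCE guest that it booted via UEFI,
# that Secure Boot is enforcing, and that a TPM (the vTPM) is present.
# Every function takes an optional ROOT prefix so the same checks can be
# run against a constructed directory tree.

# EFI variable name as exposed by efivarfs: <name>-<vendor GUID>.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Returns 0 when the kernel booted via UEFI (the EFI runtime dir exists).
booted_uefi() {
  root="${1:-}"
  [ -d "$root/sys/firmware/efi" ]
}

# Prints "enabled", "disabled" or "unknown".  efivarfs files start with a
# 4-byte attribute word; SecureBoot's data is one byte, 1 = enforcing.
secure_boot_state() {
  root="${1:-}"
  f="$root/sys/firmware/efi/efivars/$SB_VAR"
  [ -r "$f" ] || { echo unknown; return 0; }
  val=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
  case "$val" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Returns 0 when a TPM character device or sysfs entry is present.
has_tpm() {
  root="${1:-}"
  [ -e "$root/dev/tpm0" ] || [ -d "$root/sys/class/tpm/tpm0" ]
}

# Prints a summary and returns 0 only if all three properties hold.
check_shielded_boot() {
  root="${1:-}"
  rc=0
  if booted_uefi "$root"; then echo "uefi: yes"; else echo "uefi: no"; rc=1; fi
  sb=$(secure_boot_state "$root")
  echo "secure boot: $sb"
  [ "$sb" = enabled ] || rc=1
  if has_tpm "$root"; then echo "tpm: present"; else echo "tpm: absent"; rc=1; fi
  return $rc
}

# Usage: sh shielded-check.sh run [ROOT]
if [ "${1:-}" = run ]; then
  check_shielded_boot "${2:-}"
fi
```

A non-UEFI boot shows up as "uefi: no" together with "secure boot: unknown", since efivars only exists when the kernel was started by UEFI firmware; "secure boot: disabled" on a UEFI boot means the firmware has Secure Boot turned off or is in setup mode.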

```go
&compute.GuestOsFeature{
	Type: "UEFI_COMPATIBLE",
},
&compute.GuestOsFeature{
```
Contributor


@bgilbert do you know if CL+GCE supports this?

Contributor


UEFI should work. Secure Boot does not.

@bgilbert (Contributor) left a comment


SECURE_BOOT will need to condition on the OS.

@bgilbert (Contributor)

Actually, let's condition both flags on the OS. We shouldn't change the CL image configuration at this point.

@cgwalters (Member, Author)

cgwalters commented Oct 1, 2019

How do we condition on the OS? Does that imply adding a new CLI argument here and passing it from cosa?

(When can we create a cl-stable branch for mantle and not have to think about possibly breaking CL in mantle PRs?)

@bgilbert (Contributor)

bgilbert commented Oct 1, 2019

How do we condition on the OS? Does that imply adding a new CLI argument here and passing it from cosa?

plume, which we should be using, already knows what OS it's releasing. For ore we'd have to add a CLI argument.

@cgwalters force-pushed the gcp-uefi-secure-boot branch from 947b6fc to 01ef893 on October 1, 2019 18:49
@cgwalters (Member, Author)

OK updated to pass an arg.

plume, which we should be using, already knows what OS it's releasing.

Yeah... it just hurts my head to even try to think about adding a fourth case for plume. It's really the opposite direction for RHCOS anyway, where the "release" is not directly to users but through the installer or a release image.

@arithx (Contributor)

arithx commented Oct 2, 2019

(When can we create a cl-stable branch for mantle and not have to think about possibly breaking CL in mantle PRs?)

We talked about this OOB and are going to start preparing to branch mantle for CL.

@bgilbert dismissed their stale review on October 8, 2019 03:37: Superseded

@arithx (Contributor)

arithx commented Oct 8, 2019

We had some OOB discussions around whether this should be gated post branching for CL. There were some concerns raised about whether or not Fedora Cloud Base would have similar restrictions on those options. Going to merge this as is and we can revisit it at a later date.
