@tonynguien tonynguien commented Aug 22, 2025

Background

Secure Boot has keys (auth files) enrolled in the instance's EFI firmware. Given we deliver a VM image, we want to enroll the keys on the instance's first boot.

Solution

A new delphix-sb-enroll.service that enrolls the keys and immediately reboots the system. This way our appliance will boot with secure boot as early as possible, before delphix-platform.service runs for the first time.

The delphix-sb-enroll service activates Secure Boot only for VMs running on AWS, i.e. it does nothing for VMs on other cloud platforms. Enrollment is done only once; subsequent reboots have no effect.

Testing Done

  • AWS installation
delphix@ip-10-110-210-77:~$ sudo dpkg -i delphix-platform-aws_2025.08.22.17_amd64.deb
(Reading database ... 180788 files and directories currently installed.)
Preparing to unpack delphix-platform-aws_2025.08.22.17_amd64.deb ...
+ case $1 in
+ systemctl disable delphix.target
Removed "/etc/systemd/system/default.target.wants/delphix.target".
+ systemctl disable delphix-platform.service
Removed "/etc/systemd/system/delphix.target.wants/delphix-platform.service".
....
+ systemctl enable delphix.target
Created symlink /etc/systemd/system/default.target.wants/delphix.target → /usr/lib/systemd/system/delphix.target.
+ systemctl unmask delphix-sb-enroll.service
+ systemctl enable delphix-sb-enroll.service
Created symlink /etc/systemd/system/multi-user.target.wants/delphix-sb-enroll.service → /usr/lib/systemd/system/delphix-sb-enroll.service.
+ id -u postgres
++ id -u postgres
+ [[ 65437 -ne 65437 ]]
+ DEFAULT_UDEV_NET_SETUP_LINK_DIR=/usr/lib/udev/rules.d
+ MODIFIED_UDEV_NET_SETUP_LINK_DIR=/etc/udev/rules.d
+ [[ ! -e /usr/lib/udev/rules.d/80-net-setup-link.rules ]]
++ get-appliance-platform
+ [[ aws == \a\w\s ]]
+ mkdir -p /etc/udev/rules.d
+ cp /usr/lib/udev/rules.d/80-net-setup-link.rules /etc/udev/rules.d
+ sed -i 's/NAME=="", ENV{ID_NET_NAME}!="", NAME="$env{ID_NET_NAME}"/NAME=="", ENV{ID_NET_NAME_MAC}!="", NAME="$env{ID_NET_NAME_MAC}"/' /etc/udev/rules.d/80-net-setup-link.rules
++ uname -r
+ update-initramfs -u -t -k 6.14.0-1010-dx2025082120-f9bbb315e-aws
update-initramfs: Generating /boot/initrd.img-6.14.0-1010-dx2025082120-f9bbb315e-aws
Couldn't find EFI system partition. It is recommended to mount it to /boot or /efi.
Alternatively, use --esp-path= to specify path to mount point.
+ exit 0
delphix@ip-10-110-210-77:~$ sudo init 6

Secure boot is enabled after reboot

delphix@ip-10-110-210-77:~$ bootctl status | grep -i "secure boot"
Couldn't find EFI system partition. It is recommended to mount it to /boot or /efi.
Alternatively, use --esp-path= to specify path to mount point.
   Secure Boot: enabled (user)

Verified service ran and rebooted

delphix@ip-10-110-210-77:~$ sudo journalctl -xu delphix-sb-enroll
Aug 22 18:43:57 ip-10-110-210-77 systemd[1]: Starting delphix-sb-enroll.service - Enroll Secure Boot variables (PK/KEK/db) from .auth files...
░░ Subject: A start job for unit delphix-sb-enroll.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit delphix-sb-enroll.service has begun execution.
░░
░░ The job identifier is 114.
Aug 22 18:43:58 ip-10-110-210-77 sb_enroll_efivars.sh[4516]: [sb-enroll] AWS detected (via DMI)
Aug 22 18:43:58 ip-10-110-210-77 sudo[4560]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/efi-updatevar -f /var/delphix/server/sb_keys//db.auth db
Aug 22 18:43:58 ip-10-110-210-77 sudo[4560]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Aug 22 18:43:58 ip-10-110-210-77 sudo[4560]: pam_unix(sudo:session): session closed for user root
Aug 22 18:43:58 ip-10-110-210-77 sb_enroll_efivars.sh[4516]: [sb-enroll] db: update submitted
Aug 22 18:43:58 ip-10-110-210-77 sudo[4865]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/efi-updatevar -f /var/delphix/server/sb_keys//KEK.auth KEK
Aug 22 18:43:58 ip-10-110-210-77 sudo[4865]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Aug 22 18:43:58 ip-10-110-210-77 sudo[4865]: pam_unix(sudo:session): session closed for user root
Aug 22 18:43:58 ip-10-110-210-77 sb_enroll_efivars.sh[4516]: [sb-enroll] KEK: update submitted
Aug 22 18:43:58 ip-10-110-210-77 sudo[4891]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/efi-updatevar -f /var/delphix/server/sb_keys//PK.auth PK
Aug 22 18:43:58 ip-10-110-210-77 sudo[4891]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Aug 22 18:43:58 ip-10-110-210-77 sudo[4891]: pam_unix(sudo:session): session closed for user root
Aug 22 18:43:58 ip-10-110-210-77 sb_enroll_efivars.sh[4516]: [sb-enroll] PK: update submitted
Aug 22 18:43:58 ip-10-110-210-77 sb_enroll_efivars.sh[4516]: [sb-enroll] Rebooting...
Aug 22 18:43:59 ip-10-110-210-77 systemd[1]: delphix-sb-enroll.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
  • Azure installation
delphix@tonyn-azure-sb1:~$ sudo dpkg -i delphix-platform-azure_2025.08.22.17_amd64.deb
(Reading database ... 208638 files and directories currently installed.)
Preparing to unpack delphix-platform-azure_2025.08.22.17_amd64.deb ...
+ case $1 in
+ systemctl disable delphix.target
Removed "/etc/systemd/system/default.target.wants/delphix.target".
+ systemctl disable delphix-platform.service
Removed "/etc/systemd/system/delphix.target.wants/delphix-platform.service".
+ systemctl disable delphix-rpool-upgrade.service
Removed "/etc/systemd/system/delphix.target.wants/delphix-rpool-upgrade.service".
....
+ systemctl enable delphix-rpool-upgrade.service
Created symlink /etc/systemd/system/delphix.target.wants/delphix-rpool-upgrade.service → /usr/lib/systemd/system/delphix-rpool-upgrade.service.
+ systemctl enable delphix.target
Created symlink /etc/systemd/system/default.target.wants/delphix.target → /usr/lib/systemd/system/delphix.target.
+ systemctl unmask delphix-sb-enroll.service
+ systemctl enable delphix-sb-enroll.service
Created symlink /etc/systemd/system/multi-user.target.wants/delphix-sb-enroll.service → /usr/lib/systemd/system/delphix-sb-enroll.service.
+ id -u postgres
++ id -u postgres
+ [[ 65437 -ne 65437 ]]
+ DEFAULT_UDEV_NET_SETUP_LINK_DIR=/usr/lib/udev/rules.d
+ MODIFIED_UDEV_NET_SETUP_LINK_DIR=/etc/udev/rules.d
+ [[ ! -e /usr/lib/udev/rules.d/80-net-setup-link.rules ]]
++ get-appliance-platform
+ [[ azure == \a\w\s ]]
+ exit 0

Verify service does nothing on start (not AWS)

delphix@tonyn-azure-sb1:~$ systemctl status delphix-sb-enroll
○ delphix-sb-enroll.service - Enroll Secure Boot variables (PK/KEK/db) from .auth files
     Loaded: loaded (/usr/lib/systemd/system/delphix-sb-enroll.service; enabled; preset: enabled)
     Active: inactive (dead)
       Docs: man:efi-updatevar(1)
delphix@tonyn-azure-sb1:~$ sudo systemctl start delphix-sb-enroll
delphix@tonyn-azure-sb1:~$
delphix@tonyn-azure-sb1:~$
delphix@tonyn-azure-sb1:~$
delphix@tonyn-azure-sb1:~$ systemctl status delphix-sb-enroll
○ delphix-sb-enroll.service - Enroll Secure Boot variables (PK/KEK/db) from .auth files
     Loaded: loaded (/usr/lib/systemd/system/delphix-sb-enroll.service; enabled; preset: enabled)
     Active: inactive (dead) since Fri 2025-08-22 18:55:46 UTC; 4s ago
       Docs: man:efi-updatevar(1)
    Process: 15674 ExecStart=/var/lib/delphix-sb-enroll/sb_enroll_efivars.sh (code=exited, status=0/SUCCESS)
   Main PID: 15674 (code=exited, status=0/SUCCESS)
        CPU: 8ms
        
delphix@tonyn-azure-sb1:~$ sudo journalctl -xu delphix-sb-enroll
Aug 22 18:55:46 tonyn-azure-sb1 systemd[1]: Starting delphix-sb-enroll.service - Enroll Secure Boot variables (PK/KEK/db) from .auth files...
░░ Subject: A start job for unit delphix-sb-enroll.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit delphix-sb-enroll.service has begun execution.
░░
░░ The job identifier is 1633.
Aug 22 18:55:46 tonyn-azure-sb1 sb_enroll_efivars.sh[15674]: [sb-enroll] Not AWS; skipping Secure Boot enrollment.
Aug 22 18:55:46 tonyn-azure-sb1 systemd[1]: delphix-sb-enroll.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit delphix-sb-enroll.service has successfully entered the 'dead' state.
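How the AWS-only, once-only enrollment flow described above can be structured, as an added example that is not the PR's sb_enroll_efivars.sh. The key directory, updater and log messages follow the PR's journal output; the DMI sys_vendor check for AWS and the efivarfs SecureBoot variable as the "already enrolled" signal are assumptions, and every path is overridable so the logic runs offline.

```shell
#!/bin/sh
# Added example, not the PR's sb_enroll_efivars.sh: a first-boot Secure Boot enrollment
# helper. Key dir and updater match the PR's logs; DMI/efivar paths and the vendor string
# are assumptions, and all are overridable so the logic can be exercised offline.
set -u

SB_KEY_DIR=${SB_KEY_DIR:-/var/delphix/server/sb_keys}   # db.auth, KEK.auth, PK.auth
SB_UPDATEVAR=${SB_UPDATEVAR:-efi-updatevar}             # efitools updater used in the PR
SB_DMI_VENDOR=${SB_DMI_VENDOR:-/sys/class/dmi/id/sys_vendor}
SB_EFIVAR=${SB_EFIVAR:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}

log() { echo "[sb-enroll] $*"; }

# AWS detection via DMI; matching "Amazon" in sys_vendor is an assumption.
sb_is_aws() {
    [ -r "$SB_DMI_VENDOR" ] || return 1
    case "$(cat "$SB_DMI_VENDOR")" in *Amazon*) return 0 ;; *) return 1 ;; esac
}

# efivarfs exposes 4 attribute bytes followed by the variable data; SecureBoot is 1 byte.
sb_enabled() {
    [ -r "$SB_EFIVAR" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$SB_EFIVAR" | tr -d ' ')" = "1" ]
}

# Submit db, then KEK, then PK, as in the PR's journal. Check every .auth file first:
# writing PK leaves setup mode, so a half-done enrollment must never reach that step.
sb_enroll_all() {
    for var in db KEK PK; do
        [ -f "$SB_KEY_DIR/$var.auth" ] || { log "$var: missing $SB_KEY_DIR/$var.auth"; return 1; }
    done
    for var in db KEK PK; do
        "$SB_UPDATEVAR" -f "$SB_KEY_DIR/$var.auth" "$var" || { log "$var: update failed"; return 1; }
        log "$var: update submitted"
    done
}

# Return codes: 0 enrolled (reboot needed), 1 error, 2 not AWS, 3 already enabled.
# The 3 case is what makes the unit a no-op on every boot after the first.
sb_enroll_main() {
    sb_is_aws || { log "Not AWS; skipping Secure Boot enrollment."; return 2; }
    if sb_enabled; then log "Secure Boot already enabled; nothing to do."; return 3; fi
    sb_enroll_all || return 1
    log "Rebooting..."
    return 0
}

if [ "${1:-}" = "--run" ]; then sb_enroll_main && systemctl reboot; fi
```

Invoked as `sb_enroll.sh --run` from a oneshot unit, the reboot happens only when all three updates were submitted; any other return code leaves the machine as it was.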

@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/d4df8892-d479-4a6d-812e-f60b5052cd6b branch 2 times, most recently from 5425f17 to bd9bb49 Compare August 22, 2025 17:35
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/d4df8892-d479-4a6d-812e-f60b5052cd6b branch 5 times, most recently from e52e9b1 to 3e5d398 Compare August 24, 2025 21:45
@tonynguien tonynguien marked this pull request as ready for review August 25, 2025 15:52
@tonynguien tonynguien requested a review from sebroy August 25, 2025 15:52
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/d4df8892-d479-4a6d-812e-f60b5052cd6b branch 4 times, most recently from b1faaed to 57348fd Compare August 25, 2025 18:05
@tonynguien tonynguien requested a review from sebroy August 25, 2025 18:15
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/d4df8892-d479-4a6d-812e-f60b5052cd6b branch 2 times, most recently from 5249591 to 1ad2520 Compare August 26, 2025 16:00
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/d4df8892-d479-4a6d-812e-f60b5052cd6b branch from 1ad2520 to 27d7712 Compare August 27, 2025 17:56
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/d4df8892-d479-4a6d-812e-f60b5052cd6b branch from 27d7712 to e39ead1 Compare August 27, 2025 22:04
@tonynguien tonynguien merged commit 9f3eab3 into develop Aug 27, 2025
22 of 24 checks passed
@tonynguien tonynguien deleted the dlpx/pr/tonynguien/d4df8892-d479-4a6d-812e-f60b5052cd6b branch August 27, 2025 22:16