3 changes: 3 additions & 0 deletions debian/postinst
Expand Up @@ -69,6 +69,9 @@ configure)
systemctl enable delphix-rpool-upgrade.service
systemctl enable delphix.target

systemctl unmask delphix-sb-enroll.service
systemctl enable delphix-sb-enroll.service

if ! id -u postgres >/dev/null; then
# When installing postgres, a postgres user is created unless it
# already exists. To have a consistent UID accross installations
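--- a/files/common/lib/systemd/system/delphix-sb-enroll.service
+++ b/files/common/lib/systemd/system/delphix-sb-enroll.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Enroll Secure Boot variables (PK/KEK/db) from .auth files
+Documentation=man:efi-updatevar(1)
+DefaultDependencies=no
+Before=delphix-platform.service
+After=var-delphix.mount local-fs.target
+ConditionPathExists=/var/delphix/server/sb_certs/
+
+[Service]
+Type=oneshot
+Environment=SB_AUTH_DIR=/var/delphix/server/sb_certs/
+ExecStart=/var/lib/delphix-sb-enroll/sb-enroll-efivars.sh
+# Prevent accidental re-runs the same boot unless you change the inputs
+RemainAfterExit=no
+
+[Install]
+WantedBy=delphix-platform.service
+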
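Review bot: The comment above `RemainAfterExit=no` states the opposite of what that setting does: with `no`, the oneshot unit returns to inactive as soon as ExecStart exits, so a later `systemctl start delphix-sb-enroll.service` in the same boot runs the enrollment script again, and it is `RemainAfterExit=yes` that keeps the unit active and blocks a repeat run until the next boot. Either change the value to match the stated intent or reword the comment to `# Unit returns to inactive after the script exits; a repeat start re-runs enrollment`. Since the script on the ExecStart line ends by rebooting the host, it is also worth a one-line comment on the unit saying so, as a reader of the unit file alone cannot tell that a successful run never returns control to delphix-platform.service.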
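--- a/files/common/var/lib/delphix-sb-enroll/sb-enroll-efivars.sh
+++ b/files/common/var/lib/delphix-sb-enroll/sb-enroll-efivars.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+set -euo pipefail
+
+AUTH_DIR="${SB_AUTH_DIR:-/var/delphix/server/sb_certs/}"
+
+log() { printf '[sb-enroll] %s\n' "$*" >&2; }
+die() {
+log "ERROR: $*"
+exit 1
+}
+
+# Do nothing if Secure Boot is already enabled.
+sb=$(od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-* | awk '{print $NF}')
+[[ $sb -eq 1 ]] && exit 0
+
+#
+# Run only on AWS.
+#
+# Expand this logic to support additional clouds.
+#
+if [[ $(get-appliance-platform) = "aws" ]]; then
+log "AWS detected"
+else
+log "Not AWS; skipping Secure Boot enrollment."
+exit 0
+fi
+
+[[ -d /sys/firmware/efi/efivars ]] || die "Not booted in UEFI mode (/sys/firmware/efi/efivars missing)."
+
+# Ensure efivars is mounted (usually is on Ubuntu)
+if ! mountpoint -q /sys/firmware/efi/efivars; then
+log "Mounting efivarfs..."
+sudo mount -t efivarfs efivarfs /sys/firmware/efi/efivars
+fi
+
+[[ -d "$AUTH_DIR" ]] || die "Auth directory not found: $AUTH_DIR"
+
+apply_auth() {
+local var="$1" # db, KEK, PK
+local file="$AUTH_DIR/${var}.auth"
+
+sudo efi-updatevar -f "$file" "$var"
+log "${var}: update submitted"
+}
+
+apply_auth db
+apply_auth KEK
+apply_auth PK
+
+log "Rebooting..."
+init 6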
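Review bot: The Secure Boot probe `sb=$(od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-* | awk '{print $NF}')` runs before the UEFI-mode check (`[[ -d /sys/firmware/efi/efivars ]] || die ...`) and before the efivarfs mount step, so on a non-UEFI boot or with efivarfs not yet mounted `od` fails on the unexpanded glob and `set -e` aborts with an od error instead of the intended diagnostic, and an empty `$sb` turns `[[ $sb -eq 1 ]]` into a bash syntax error. Move the directory check and the mount step ahead of the probe and make the test `[[ -n "$sb" && "$sb" -eq 1 ]] && exit 0`. `apply_auth` also passes a possibly missing path straight to `efi-updatevar`; a guard `[[ -f "$file" ]] || die "Missing auth file: $file"` before the call gives a clear failure, and checking all three files before the first `apply_auth db` call would avoid stopping after db/KEK are enrolled but before PK. The `sudo` prefixes on `mount` and `efi-updatevar` are redundant when the script is started by the root-run systemd unit and would fail outright on a host without sudo installed, so they can be dropped. Consider `systemctl reboot` rather than `init 6` so the reboot is requested through systemd from inside a unit.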