✨ Enable secureboot for all flavors (minus alpine) #2140
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
leap 15.5:
Fedora 38:
|
|
Debian bookworm:
Ubuntu 23.10(probably the rest):
|
|
looks like on ubuntu is failing to find the actual shim and using the fallback so that is why it cant find the proper named thingie. So it may be a package missing |
|
yeah and the root problem is:
So the solution is to try and pick the |
|
Using fix kairos-io/enki#25 resutls in proper isos with secureboot for all distros (minus alpine) |
|
with that merged and pacakge bumped, the only missing fix is for agent:
The default grub config already does an |
Itxaka
force-pushed
the
efi_secureboot
branch
from
b2989d3
to
bc52b3d
Compare
Itxaka
commented
Jan 12, 2024
Itxaka
commented
Jan 12, 2024
Itxaka
force-pushed
the
efi_secureboot
branch
from
666c81c
to
7ba9253
Compare
|
kairos-io/kairos-agent#203 fixes ubuntu boot. |
This PR brings new deps, bumps builders and agent to bring secureboot in all flavors but alpine (more ont hat below) Currently to enable secureboot in a given X flavor we need to make sure to use the artifacts from that falvor specifically as they are all signed with the distro owner key, so the chain of validation works as expected. shim (dual signed Microsoft and distro owner) -> grub (distro owner signed) -> kernel (distro owner signed) So unless there comes a time where the shim is signed by Microsoft and ALL the distro owners (so you can chainload all grubs and kernel signed by all of them) we need to specifically use the distro artifacts so the signatures match. This PR brings a new enki version(inside osbuilder) which builds the iso using the specifci distro artifacts (instead of generic ones as we used to do). It also makes sure that all distros include the grub and shim signed artifacts in the base images. Also brings a new framework that drops the generic grub artifacts (not used) and it also brings a new agent that uses those new artifacts during installation instead of the generic ones. Unfortunately Alpine does not provide signed artifacts so SecureBoot is not supported under Alpine until they provide those. We still use our generic artifacts to enable uefi support for Alpine Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
Itxaka
force-pushed
the
efi_secureboot
branch
from
e1291e2
to
36d71e8
Compare
|
latest fixes should fix:
|
|
both fixes deployed via framework 2.6.3, needs manual QA |
Signed-off-by: Itxaka <itxaka@kairos.io>
Itxaka
force-pushed
the
efi_secureboot
branch
from
9a0ae1f
to
63e8cd1
Compare
jimmykarily
reviewed
Jan 16, 2024
Signed-off-by: Itxaka <itxaka@kairos.io>
Signed-off-by: Itxaka <itxaka@kairos.io>
jimmykarily
approved these changes
Jan 16, 2024
robarnold
pushed a commit
to marinatedconcrete/config
that referenced
this pull request
May 20, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [kairos-io/kairos](https://togithub.com/kairos-io/kairos) | major | `v2.5.0` -> `v3.0.11` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>kairos-io/kairos (kairos-io/kairos)</summary> ### [`v3.0.11`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.11) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.10...v3.0.11) **Full Changelog**: kairos-io/kairos@v3.0.10...v3.0.11 ### [`v3.0.10`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.10) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.9...v3.0.10) #### Updated - Bumps framework to v2.7.32 - Bumps kairos-agent to v2.8.14 (part of the framework) #### Fixes - Prevent unwanted yaml fields to be marshalled: Fixes some step duplication when triggering the install via events like providers do - Avoid adding an extra line to os-release output: We were adding an extra line at the end of the os-release file, which some software had problems dealing with #### Improvements - `kairos-agent state` will now show SecureBoot state of the node (on/off) - `kairos-agent state` will now show the common name of the EFI certificates in the node if any - `kairos-agent state` will now show a list of encrypted partitions by label and by device if any  **Full Changelog**: kairos-io/kairos@v3.0.9...v3.0.10 ### [`v3.0.9`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.9) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.8...v3.0.9) - 🐛 Fix broken pipeline for arm rpi Tumbleweed (caused by Python package being much bigger) by [@​mauromorales](https://togithub.com/mauromorales) [kairos-io/kairos#2524 - 🐛 Move nfs-utils to common build target in opensuse flavor by [@​kaiehrhardt](https://togithub.com/kaiehrhardt) [kairos-io/kairos#2495 - 🐛 UKI custom mounts breaking the cos-layout file by [@​kreeuwijk](https://togithub.com/kreeuwijk) [kairos-io/packages#839 (actual fix) release fix ([c95475c](https://togithub.com/kairos-io/kairos/pull/2524/commits/c95475c3e45c266c5cf9fc1ca2c96d446432dad4)) - ✨ Ubuntu 24.04 artifacts by [@​mauromorales](https://togithub.com/mauromorales) [#​2527](https://togithub.com/kairos-io/kairos/issues/2527) **Full Changelog**: kairos-io/kairos@v3.0.8...v3.0.9 ### [`v3.0.8`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.8) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.7...v3.0.8) Backported fixes for agent: - Bumps yip for duplicated name of steps (was causing unexpected issues with users sometimes) Issue: [kairos-io/kairos#2488 #### Updated packages |Category|Name|Old version|New Version| |--|--|--|--| |fips|kairos-agent|[v2.8.12](https://togithub.com/kairos-io/kairos-agent/releases/tag/v2.8.12)|[v2.8.13](https://togithub.com/kairos-io/kairos-agent/releases/tag/v2.8.13)| |system|kairos-agent|[v2.8.12](https://togithub.com/kairos-io/kairos-agent/releases/tag/v2.8.12)|[v2.8.13](https://togithub.com/kairos-io/kairos-agent/releases/tag/v2.8.13)| *** **Full Changelog**: kairos-io/kairos@v3.0.7...v3.0.8 ### [`v3.0.7`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.7) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.6...v3.0.7) Backported fixes for agent and immucore: - Bumps yip for user id reuse - Adds sync calls before and after mounting - \[UKI] Fixes hooks in uki install - \[UKI] Fixes mounting oem before running rootfs stage under uki #### Updated packages |Category|Name|Old version|New Version| |--|--|--|--| |fips|kairos-agent|[v2.8.11](https://togithub.com/kairos-io/kairos-agent/releases/tag/v2.8.11)|[v2.8.12](https://togithub.com/kairos-io/kairos-agent/releases/tag/v2.8.12)| |system|kairos-agent|[v2.8.11](https://togithub.com/kairos-io/kairos-agent/releases/tag/v2.8.11)|[v2.8.12](https://togithub.com/kairos-io/kairos-agent/releases/tag/v2.8.12)| |system|immucore|[v0.1.25](https://togithub.com/kairos-io/immucore/releases/tag/v0.1.25)|[v0.1.26](https://togithub.com/kairos-io/immucore/releases/tag/v0.1.26)| |fips|immucore|[v0.1.25](https://togithub.com/kairos-io/immucore/releases/tag/v0.1.25)|[v0.1.26](https://togithub.com/kairos-io/immucore/releases/tag/v0.1.26)| *** **Full Changelog**: kairos-io/kairos@v3.0.6...v3.0.7 ### [`v3.0.6`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.6) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.5...v3.0.6) #### What's Changed - fix(orin): disable ISCSI in the initramfs generation by [@​mudler](https://togithub.com/mudler) in [kairos-io/kairos#2476 **Full Changelog**: kairos-io/kairos@v3.0.5...v3.0.6 ### [`v3.0.5`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.5) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.4...v3.0.5) **Full Changelog**: kairos-io/kairos@v3.0.4...v3.0.5 ### [`v3.0.4`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.4) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.3...v3.0.4) ####⚠️ Known issues 🐛 Raspberry: EFI booting no longer supported on kernels shipped with ubuntu > 22.04 [kairos-io/kairos#2249 We haven't been able to address the following issues on Alpine: :bug: It's not possible to login on an Alpine 3.18 RPi [#​2439](https://togithub.com/kairos-io/kairos/issues/2439) 🐛 Filesystem expansion on rpi4 doesn't work with Alpine [kairos-io/kairos#1995 🐛 cgroup_memory not mounted in Alpine rpi4 [kairos-io/kairos#2002 🐛 Upgrade on alpine arm errors [kairos-io/kairos#2135 🐛 reset from the GRUB menu on alpine, gets stuck in an endless loop [kairos-io/kairos#2136 Deprecation warnings: Reading of `/etc/elemental/config.yaml` is working again but will be deprecated in favor of `/etc/kairos/config.yaml` #### What's Changed - Fix Reboot hangs for UKI images [#​2384](https://togithub.com/kairos-io/kairos/issues/2384) by [@​Itxaka](https://togithub.com/Itxaka) - Remove snap from Ubuntu based images by [@​mauromorales](https://togithub.com/mauromorales) in [kairos-io/kairos#2415 **Full Changelog**: kairos-io/kairos@v3.0.3...v3.0.4 ### [`v3.0.3`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.3) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.2...v3.0.3) ####⚠️ Known issues 🐛 Raspberry: EFI booting no longer supported on kernels shipped with ubuntu > 22.04 [kairos-io/kairos#2249 We haven't been able to address the following issues on Alpine: :bug: It's not possible to login on an Alpine 3.18 RPi [#​2439](https://togithub.com/kairos-io/kairos/issues/2439) 🐛 Filesystem expansion on rpi4 doesn't work with Alpine [kairos-io/kairos#1995 🐛 cgroup_memory not mounted in Alpine rpi4 [kairos-io/kairos#2002 🐛 Upgrade on alpine arm errors [kairos-io/kairos#2135 🐛 reset from the GRUB menu on alpine, gets stuck in an endless loop [kairos-io/kairos#2136 Deprecation warnings: Reading of `/etc/elemental/config.yaml` is working again but will be deprecated in favor of `/etc/kairos/config.yaml` #### What's Changed - Fixes issue with the `bootentry` command in the agent when dealing with UKI by [@​mauromorales](https://togithub.com/mauromorales) in [kairos-io/kairos#2410 **Full Changelog**: kairos-io/kairos@v3.0.2...v3.0.3 ### [`v3.0.2`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.2) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.1...v3.0.2) > \[!CAUTION] > NOTE: The OpenSUSE Tumbleweed flavor of this release was affected by the xz backdoor (https://nvd.nist.gov/vuln/detail/CVE-2024-3094). For this reason all affected artifacts have been removed, both from quay.io (container images) and from GitHub. If you used the Tumbleweed artifacts of Kairos `3.0.1` or `3.0.2` you should immediately stop the affected machines and re-install a version which is not affected. If those systems were exposed to the internet (if ssh was possible) and they included passwords or keys, it's advised that you rotate those credentials. > > Read more: > > - https://news.opensuse.org/2024/03/29/xz-backdoor/ > - https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/ ####⚠️ Known issues 🐛 Raspberry: EFI booting no longer supported on kernels shipped with ubuntu > 22.04 [kairos-io/kairos#2249 We haven't been able to address the following issues on Alpine: :bug: It's not possible to login on an Alpine 3.18 RPi [#​2439](https://togithub.com/kairos-io/kairos/issues/2439) 🐛 Filesystem expansion on rpi4 doesn't work with Alpine [kairos-io/kairos#1995 🐛 cgroup_memory not mounted in Alpine rpi4 [kairos-io/kairos#2002 🐛 Upgrade on alpine arm errors [kairos-io/kairos#2135 🐛 reset from the GRUB menu on alpine, gets stuck in an endless loop [kairos-io/kairos#2136 Deprecation warnings: Reading of `/etc/elemental/config.yaml` is working again but will be deprecated in favor of `/etc/kairos/config.yaml` #### What's Changed - 🤖 Run fedora and ubuntu uki tests by [@​Itxaka](https://togithub.com/Itxaka) in [kairos-io/kairos#2366 - Replace a full test with a line in another test by [@​jimmykarily](https://togithub.com/jimmykarily) in [kairos-io/kairos#2368 - Reduce fedora uki image size by [@​mauromorales](https://togithub.com/mauromorales) in [kairos-io/kairos#2365 - chore(deps): update earthly/earthly docker tag to v0.8.6 by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2359 - 🤖 Allow manual testing of branches for uki jobs by [@​Itxaka](https://togithub.com/Itxaka) in [kairos-io/kairos#2373 - Do installation of kernel at the end of dockerfile by [@​mauromorales](https://togithub.com/mauromorales) in [kairos-io/kairos#2374 - chore(deps): update quay.io/kairos/osbuilder-tools docker tag to v0.200.8 by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2382 - fix(deps): update module github.com/kairos-io/kairos-sdk to v0.0.27 by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2383 - chore(deps): update dependency kairos-io/kairos-framework to v2.7.19 by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2391 - Test that after-reset is run when in UKI mode by [@​jimmykarily](https://togithub.com/jimmykarily) in [kairos-io/kairos#2331 - 🤖 Bump osbuilder and drop keys by [@​Itxaka](https://togithub.com/Itxaka) in [kairos-io/kairos#2381 - fix(deps): update module github.com/kairos-io/kairos-sdk to v0.0.28 by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2394 - bump framework image by [@​mudler](https://togithub.com/mudler) in [kairos-io/kairos#2407 **Full Changelog**: kairos-io/kairos@v3.0.1...v3.0.2 ### [`v3.0.1`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.1) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v3.0.0...v3.0.1) > \[!CAUTION] > NOTE: The OpenSUSE Tumbleweed flavor of this release was affected by the xz backdoor (https://nvd.nist.gov/vuln/detail/CVE-2024-3094). For this reason all affected artifacts have been removed, both from quay.io (container images) and from GitHub. If you used the Tumbleweed artifacts of Kairos `3.0.1` or `3.0.2` you should immediately stop the affected machines and re-install a version which is not affected. If those systems were exposed to the internet (if ssh was possible) and they included passwords or keys, it's advised that you rotate those credentials. > > Read more: > > - https://news.opensuse.org/2024/03/29/xz-backdoor/ > - https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/ ####⚠️ Known issues 🐛 Raspberry: EFI booting no longer supported on kernels shipped with ubuntu > 22.04 [kairos-io/kairos#2249 We haven't been able to address the following issues on Alpine: :bug: It's not possible to login on an Alpine 3.18 RPi [#​2439](https://togithub.com/kairos-io/kairos/issues/2439) 🐛 Filesystem expansion on rpi4 doesn't work with Alpine [kairos-io/kairos#1995 🐛 cgroup_memory not mounted in Alpine rpi4 [kairos-io/kairos#2002 🐛 Upgrade on alpine arm errors [kairos-io/kairos#2135 🐛 reset from the GRUB menu on alpine, gets stuck in an endless loop [kairos-io/kairos#2136 Deprecation warnings: Reading of `/etc/elemental/config.yaml` is working again but will be deprecated in favor of `/etc/kairos/config.yaml` #### What's Changed - Add docs versioning item in the template by [@​mauromorales](https://togithub.com/mauromorales) in [kairos-io/kairos#2317 - Update earthly/earthly Docker tag to v0.8.5 by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2333 - Install nohang from source for ubuntu by [@​liyimeng](https://togithub.com/liyimeng) in [kairos-io/kairos#2318 - Update softprops/action-gh-release digest to [`9d7c94c`](https://togithub.com/kairos-io/kairos/commit/9d7c94c) by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2320 - Update koalaman/shellcheck-alpine Docker tag to v0.10.0 by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2321 - Update quay.io/kairos/osbuilder-tools Docker tag to v0.200.6 - autoclosed by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2339 - Update dependency kairos-io/kairos-framework to v2.7.15 by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2344 - Move nfs-common to common build target in ubuntu flavor by [@​kaiehrhardt](https://togithub.com/kaiehrhardt) in [kairos-io/kairos#2340 - chore(deps): update quay.io/kairos/osbuilder-tools docker tag to v0.200.7 by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2350 - chore(deps): update quay.io/luet/base docker tag to v0.35.1 by [@​renovate](https://togithub.com/renovate) in [kairos-io/kairos#2352 - Bump framework to v2.7.17 by [@​mauromorales](https://togithub.com/mauromorales) in [kairos-io/kairos#2357 #### New Contributors - [@​liyimeng](https://togithub.com/liyimeng) made their first contribution in [kairos-io/kairos#2318 - [@​kaiehrhardt](https://togithub.com/kaiehrhardt) made their first contribution in [kairos-io/kairos#2340 **Full Changelog**: kairos-io/kairos@v3.0.0...v3.0.1 ### [`v3.0.0`](https://togithub.com/kairos-io/kairos/releases/tag/v3.0.0) [Compare Source](https://togithub.com/kairos-io/kairos/compare/v2.5.0...v3.0.0) ####⚠️ Known issues 🐛 Raspberry: EFI booting no longer supported on kernels shipped with ubuntu > 22.04 [kairos-io/kairos#2249 We haven't been able to address the following issues on Alpine: 🐛 Filesystem expansion on rpi4 doesn't work with Alpine [kairos-io/kairos#1995 🐛 cgroup_memory not mounted in Alpine rpi4 [kairos-io/kairos#2002 🐛 Upgrade on alpine arm errors [kairos-io/kairos#2135 🐛 reset from the GRUB menu on alpine, gets stuck in an endless loop [kairos-io/kairos#2136 Deprecation warnings: Reading of `/etc/elemental/config.yaml` is working again but will be deprecated in favor of `/etc/kairos/config.yaml` #### New and noteworthy - ✨ Enable secureboot for all flavors (minus alpine) by [@​Itxaka](https://togithub.com/Itxaka) in [kairos-io/kairos#2140 - 📖 Docs now have versioning starting with 3.0.0 #### What's Changed - Add scp to fedora by [@​jimmykarily](https://togithub.com/jimmykarily) in [kairos-io/kairos#2154 - Remove duplicated zfs installation on rhel by [@​mauromorales](https://togithub.com/mauromorales) in [kairos-io/kairos#2161 - \[uki] Provide proper artifacts for auto-key-enrollment by [@​Itxaka](https://togithub.com/Itxaka) in [kairos-io/kairos#2172 - 🤖 Allow passing flags to enki and bump version by [@​Itxaka](https://togithub.com/Itxaka) in [kairos-io/kairos#2193 - 🐛 Do not recompress compressed firmware by [@​Itxaka](https://togithub.com/Itxaka) in [kairos-io/kairos#2237 - Have different compression depending on the ubuntu release by [@​mauromorales](https://togithub.com/mauromorales) in [kairos-io/kairos#2270 - Slim down Ubuntu by [@​mauromorales](https://togithub.com/mauromorales) in [kairos-io/kairos#2284 - Publish uki base image by [@​mauromorales](https://togithub.com/mauromorales) in [kairos-io/kairos#2290 **Full Changelog**: kairos-io/kairos@v2.5.0...v3.0.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/marinatedconcrete/config). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjM2My41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR brings new deps, bumps builders and agent to bring secureboot in all flavors but alpine (more ont hat below)
Currently to enable secureboot in a given X flavor we need to make sure to use the artifacts from that falvor specifically as they are all signed with the distro owner key, so the chain of validation works as expected.
shim (dual signed Microsoft and distro owner) -> grub (distro owner signed) -> kernel (distro owner signed)
So unless there comes a time where the shim is signed by Microsoft and ALL the distro owners (so you can chainload all grubs and kernel signed by all of them) we need to specifically use the distro artifacts so the signatures match.
This PR brings a new enki version(inside osbuilder) which builds the iso using the specifci distro artifacts (instead of generic ones as we used to do).
It also makes sure that all distros include the grub and shim signed artifacts in the base images.
Also brings a new framework that drops the generic grub artifacts (not used) and it also brings a new agent that uses those new artifacts during installation instead of the generic ones.
Unfortunately Alpine does not provide signed artifacts so SecureBoot is not supported under Alpine until they provide those. We still use our generic artifacts to enable uefi support for Alpine
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #