Support Secure Boot in OVMF Environment #8131
Comments
|
from the error it seems it failed to write the EFI variables, seems the firmware is passed in as readonly as opposed to read/write. Talosctl supports generating keys in DER format |
|
I created the UEFI disk without pre enrolled Keys, so I think it should be in setup mode? Are you sure, that the default keys (the one that ship with the talks secure boot iso) are in DER format? |
probably not the ones in the iso, but you can always generate your own keys |
|
Yes, this seems doable, but it's ultimately forcing me to operate or provide a private registry for the custom built talos image. Is there a chance to provide the official secure iso with keys, that work with OVMF? |
|
Yeh, i think we can fix that |
|
Awesome, thank you 😁 |
|
|
|
We still need to inlcude those files in the iso, I'll take care of that |
|
@5olu7ion I took a look at the issue again, from the image it seems it reported a security violation I wonder if even manually enrolling would even fail with the same error 🤔 , could you confirm you can manually enroll any random key from a usb stick? |
|
Yeah, you are right, I also stumbled over this particular message. I tried importing it manually (screenshots 2/3). There I got the DER compatibility issue. I will try importing a random Key. Edit: I remember, that importing the db.auth worked fine |
did that enroll the key? |
|
Nope, it still threw the security violation. I checked it again, and I see, that enrolling the the db.auth, also enrolls the kek.auth, but not the PK.auth. When enrolling the *.auth files in OVMF, you have to switch to custom mode, but this seems to reset to standard after an unsuccessful (security violation) boot. I set up OVMF without default keys. Maybe I'm doing something fundamentally wrong, but the fact, that OVMF complains about PEM format, and you currently don't ship DER certificates led me to create this issue. I also opened a discussion for PEM Support in OVMF, but there is no activity ;-) |
|
We'll add the der certs to the iso, do you if there's some standard path where it should exist, or will just put it under something like |
|
I'm sorry, there is no hint in the whitepaper: https://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt |
|
@la7eralus could you test a custom iso? I can share on the talos slack |
|
Yeah sure, I will sign up |
Add the uki signing cert into iso. Fixes: siderolabs#8131 Signed-off-by: Noel Georgi <git@frezbo.dev>
Add the uki signing cert into iso. Fixes: siderolabs#8131 Signed-off-by: Noel Georgi <git@frezbo.dev>
|
If someone stumbles over this issue: The signing cert is located under EFI/keys/uki-signing-cert.der in all secureboot iso's since 1.7.0. Big shoutout to Siderolabs and especially frezbo for making this work :-) |
Feature Request
Support Secure Boot in OVMF Environment
Description
I'm running Talos in Proxmox (QEMU), and want to enable Secure Boot and TPM Encryption. Unfortunately the Keys cant be enrolled automatically:
So I tried to import the keys manually (loader/keys/auto/*.auth):
It seems like OVMF only supports Keys in der format (and not pem).
The text was updated successfully, but these errors were encountered: