
Support for signing secureboot artifacts using AWS KMS #8197

Closed
Tracked by #8010
defreng opened this issue Jan 23, 2024 · 2 comments · Fixed by #8226

Comments

@defreng

defreng commented Jan 23, 2024

Feature Request

Currently, the imager only supports Azure Key Vault as a key management solution for signing artifacts without requiring direct access to the private keys.

We are bound to AWS offerings on our side and would like to use AWS KMS for the same purpose. This brings a little extra complication, as AWS KMS doesn't offer signed certificates for the contained keys.

The options we were thinking about are:

  • Sign artifacts with a key stored on AWS KMS
  • Load the certificate chain that needs to be embedded into the binary from a provided file (this one would have to be generated by external tooling, matching the private key stored in KMS)
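Added example (not code from the Talos project or from this thread) of the shape the second option implies: a KMS-backed crypto.Signer exposes only Public() and Sign(), and the externally issued certificate must be checked against that key before it is embedded, since a chain that does not match the KMS key produces artifacts the firmware rejects. The KMSSigner here wraps a local ECDSA key so the example runs offline; a real implementation would call the KMS Sign and GetPublicKey APIs instead, and SelfSignedCert stands in for the external certificate tooling.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"io"
	"math/big"
	"time"
)

// KMSSigner stands in for an AWS KMS-backed crypto.Signer: the imager only sees
// Public() and Sign(); the private key stays in the service. To run offline it
// wraps a local ECDSA key here (an assumption, not a real KMS client).
type KMSSigner struct{ key *ecdsa.PrivateKey }

func NewTestSigner() (*KMSSigner, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KMSSigner{key: k}, nil
}
func (s *KMSSigner) Public() crypto.PublicKey { return &s.key.PublicKey }

// Sign mirrors a KMS Sign call: digest in, ASN.1 DER ECDSA signature out.
func (s *KMSSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, s.key, digest)
}

// CertMatchesSigner is the check to run before embedding an externally issued
// certificate: its public key must equal the key that produces the signatures.
func CertMatchesSigner(leafDER []byte, signer crypto.Signer) error {
	cert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(signer.Public()) {
		return errors.New("certificate public key does not match signing key")
	}
	return nil
}

// SelfSignedCert stands in for the external tooling that issues a certificate
// for the KMS public key (constructed test data, not a Secure Boot CA).
func SelfSignedCert(signer crypto.Signer) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
}
```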
@smira
Member

smira commented Jan 31, 2024

@defreng you said you had some draft PR for it?

@edgrz

edgrz commented Feb 1, 2024

Hey @smira, the PR mentioned above is the draft PR I have prepared and tested successfully.

smira pushed a commit to edgrz/talos that referenced this issue Feb 15, 2024
Fixes siderolabs#8197

Signed-off-by: pardomue <edgar_ruben.pardo_munoz@roche.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira pushed a commit to smira/talos that referenced this issue Feb 21, 2024
Fixes siderolabs#8197

Signed-off-by: pardomue <edgar_ruben.pardo_munoz@roche.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 5372188)
dsseng pushed a commit to dsseng/talos that referenced this issue Mar 7, 2024
Fixes siderolabs#8197

Signed-off-by: pardomue <edgar_ruben.pardo_munoz@roche.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>