Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for Secure Boot #2501

Closed
Tracked by #3169
bcressey opened this issue Oct 17, 2022 · 5 comments
Closed
Tracked by #3169

add support for Secure Boot #2501

bcressey opened this issue Oct 17, 2022 · 5 comments
Assignees
@bcressey
Labels
area/core Issues core to the OS (variant independent) status/in-progress This issue is currently being worked on type/enhancement New feature or request

Comments

@bcressey
Copy link
Contributor

What I'd like:
On platforms where Secure Boot is supported, I'd like strong cryptographic verification of all components from the bootloader to the running kernel.

Any alternatives you've considered:
None.
@bcressey bcressey added type/enhancement New feature or request priority/p0 area/core Issues core to the OS (variant independent) labels Oct 17, 2022
@bcressey bcressey self-assigned this Oct 17, 2022
@bcressey
Copy link
Contributor Author

bcressey commented Oct 17, 2022
edited
Loading

This has been in-flight for a while on a branch in my personal fork but is now nearing the point where the full picture is visible and pieces can start to be merged. There's also some work related to #2486 since I'd like to support the resigning workflow described there as a prerequisite.

Tasks related to resigning images:

  • Refactor image and symlink handling, to simplify bundling up artifacts from the image build step.
  • Move OVA creation into the image build step.
  • Implement import-images and export-images tasks to store and retrieve artifacts from the repo.
  • Implement resign-images task.

Tasks related to Secure Boot:

  • Update GRUB to fix Boothole 3 vulnerabilities.
  • Package shim for initial bootloader verification.
  • Add SBAT info for GRUB.
  • Add scripts to create necessary keys and certificates for Secure Boot signing.
  • Add modules to GRUB to enable signed config files.
  • Add feature flag to enable Secure Boot for variants.
  • Sign bootloader, kernel, GRUB config when Secure Boot is enabled.
  • Publish AMIs and OVAs with required Secure Boot metadata.

@markusboehme markusboehme mentioned this issue Oct 18, 2022
Merged
21 tasks
@bcressey bcressey mentioned this issue Oct 20, 2022
Merged
@bcressey
Copy link
Contributor Author

bcressey commented Nov 8, 2022

I dropped the task related to a separate firmware build step, since @markusboehme has a patch that allows embedding the GPG public key into a section in the grub binary, which allows for "just in time" key modification without the need to rebuild grub from source.

@stmcginnis stmcginnis added status/needs-triage Pending triage or re-evaluation and removed priority/p0 labels Dec 1, 2022
@bcressey bcressey added status/in-progress This issue is currently being worked on and removed status/needs-triage Pending triage or re-evaluation labels Jan 7, 2023
This was referenced Jan 7, 2023
Merged
Merged
@markusboehme
Copy link
Member

I dropped the task related to a separate firmware build step, since @markusboehme has a patch that allows embedding the GPG public key into a section in the grub binary, which allows for "just in time" key modification without the need to rebuild grub from source.

For the record, these patches are available at https://github.com/markusboehme/bottlerocket/tree/feature/grub-pubkey-section

@jpmcb jpmcb mentioned this issue Jan 30, 2023
Closed
16 tasks
@foersleo foersleo mentioned this issue Feb 2, 2023
Closed
@foersleo foersleo mentioned this issue Mar 30, 2023
Open
@stmcginnis stmcginnis mentioned this issue Apr 8, 2023
Closed
8 tasks
@bcressey bcressey mentioned this issue Apr 24, 2023
Closed
@bcressey bcressey mentioned this issue May 10, 2023
Merged
@stmcginnis stmcginnis mentioned this issue Jun 5, 2023
Closed
14 tasks
@bcressey
Copy link
Contributor Author

@yeazelm is working on the image resigning tasks in #2486 and bottlerocket-os/twoliter#176.

@bcressey
Copy link
Contributor Author

Resolving now that #3097 is merged! 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bcressey bcressey

Labels
area/core Issues core to the OS (variant independent) status/in-progress This issue is currently being worked on type/enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bcressey @stmcginnis @markusboehme