New PXE loader "Grub2 UEFI SecureBoot (target OS)"

This adds a section about new SecureBoot support. It only works in combination with the following patchset: theforeman/foreman#9638 theforeman/smart-proxy#857 RFC: https://community.theforeman.org/t/add-secureboot-support-for-arbitrary-distributions/32601/1
theforeman · Apr 13, 2023 · d63ad98 · d63ad98
1 parent 89e6c06
commit d63ad98
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/guides/common/modules/con_using-pxe-to-provision-hosts.adoc b/guides/common/modules/con_using-pxe-to-provision-hosts.adoc
@@ -51,3 +51,56 @@ endif::[]
 For BIOS provisioning, you must associate a PXELinux template with the operating system.
 For UEFI provisioning, you must associate a PXEGrub2 template with the operating system.
 If you associate both PXELinux and PXEGrub2 templates, {Project} can deploy configuration files for both on a TFTP server, so that you can switch between PXE loaders easily.
+
+.SecureBoot Support
+
+SecureBoot expects to follow a chain of trust from the start of the host to the loading of Linux kernel modules.
+The very first shim that is loaded basically determines which distribution is allowed to be booted or kexec’ed until next reboot.
+
+The following assumes host systems with enabled SecureBoot (User Mode) and default platform certificates.
+If you are using custom keys, you have to sign the corresponding components accordingly.
+
+To make this POC working you need to provide all shim and GRUB2 binaries manually under /usr/local/share/bootloader-universe/<os>/. Don’t forget to set read permissions for foreman-proxy user. You need to set SELinux to permissive when testing.
+
+Create the following directory structure on the server.
+The subdirectories of operating systems you want to support must correspond to the names of the operating systems in lower case.
+[options="nowrap" subs="+quotes"]
+----
+# mkdir /usr/local/share/bootloader-universe/{sles,ubuntu,centos}/
+----
+
+Extract shim and GRUB2 binaries from corresponding distribution packages and copy them into their subdirectories.
+
+Every subdirectory must contain `shimx64.efi` and `grubx64.efi` file with permission mask `u=r,g=r,o=r`.
+
+You should end up with something like:
+[options="nowrap" subs="+quotes"]
+----
+# tree /usr/local/share/bootloader-universe/
+/usr/local/share/bootloader-universe/
+|-- centos
+|   |-- grubx64.efi
+|   `-- shimx64.efi
+|-- sles
+|   |-- grubx64.efi
+|   `-- shimx64.efi
+`-- ubuntu
+    |-- grubx64.efi
+    `-- shimx64.efi
+----
+
+For UEFI systems with enabled SecureBoot, use the *Grub2 UEFI SecureBoot (target OS)* option.
+This automatically creates a host specific subdirectory (based on MAC address) in the TFTP directory and copies corresponding binaries into it.
+
+Example result:
+[options="nowrap" subs="+quotes"]
+----
+# tree /var/lib/tftpboot/grub2/00-50-56-b4-75-5e/
+/var/lib/tftpboot/grub2/00-50-56-b4-75-5e/
+|-- grub.cfg
+|-- grub.cfg-00:50:56:b4:75:5e
+|-- grub.cfg-01-00-50-56-b4-75-5e
+|-- grubx64.efi
+|-- shimx64.efi
+`-- targetos
+----