Add SecureBoot support for arbitrary operating systems to "Grub2 UEFI" PXE loaders #2145
Conversation
|
The PR preview for a71639b is available at theforeman-foreman-documentation-preview-pr-2145.surge.sh The following output files are affected by this PR: |
jloeser
force-pushed
the
secureboot-support-poc
branch
2 times, most recently
from
7be85e5
to
419b2a7
Compare
goarsna
force-pushed
the
secureboot-support-poc
branch
from
419b2a7
to
c297863
Compare
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
|
Converted to draft PR for now because the linked PRs in foreman and smart_proxy have not been merged yet. |
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
pr-processor
bot
added
the
Waiting on contributor
pr-processor
bot
added
Needs re-review
and removed
Waiting on contributor
There was a problem hiding this comment.
Some open questions for Goars or Jan.
@apinnick Do you ACK the capitalization of "Secure Boot"? And should it be "Secure Boot-enabled hosts" or "hosts with Secure Boot enabled"?
Rest LGTM from a writers perspective.
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
pr-processor
bot
added
Waiting on contributor
@maximiliankolb I prefer "UEFI Secure Boot" because it is a UEFI security feature but I have no objection to "Secure Boot". |
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
pr-processor
bot
added
Needs re-review
and removed
Waiting on contributor
maximiliankolb
changed the title
goarsna
force-pushed
the
secureboot-support-poc
branch
from
7aca375
to
63efbf5
Compare
|
Hi there, For reference as the PRs mentioned in the first post in this PR are not valid anymore:
Thanks for all your reviews and input! |
pr-processor
bot
added
Waiting on contributor
There was a problem hiding this comment.
Applied all feedback minus moving the attributes. Kindly re-review @Lennonka
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
guides/common/modules/proc_configuring-server-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
|
Thanks for the ACK. Code in "foreman" has not been merged yet. I'll press the button as soon as the other PRs are accepted too. |
Lennonka
added
the
Waiting for code
guides/common/modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc
Show resolved
Hide resolved
| ifeval::["{client-os}" == "Debian"] | ||
| * Ensure that `ar` and `xz` are installed on your {SmartProxy}. | ||
| endif::[] | ||
| ifeval::["{client-os}" == "Ubuntu"] | ||
| * Ensure that `ar`, `xz`, and `zstd` are installed on your {SmartProxy}. | ||
| endif::[] | ||
| ifeval::["{client-pkg-ext}" == "rpm"] | ||
| * Ensure that `cpio` is installed on your {SmartProxy}. | ||
| endif::[] |
There was a problem hiding this comment.
Why don't we make these packaging dependencies if they're required?
There was a problem hiding this comment.
At the time of packaging/installing Smart Proxy, you don't know yet which Client OS you want to provision/manage with Foreman.
| * Ensure that `cpio` is installed on your {SmartProxy}. | ||
| endif::[] | ||
|
|
||
| .Procedure |
There was a problem hiding this comment.
If this is all common, why don't we ship a helper script that takes several inputs and saves it to the correct places? That makes both the procedure and testing easier. We can also ensure all commands we use are properly ensured via packaging dependencies.
There's precedent for this: https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm is installed (here for RPM). Then the documentation refers to this:
There was a problem hiding this comment.
This is a great idea; I will try and investigate. It's not trivial to get the correct RPM/DEB package and extract the right binary. Two examples from orcharhino docs: Setup Secure Boot for SLES & Setup Secure Boot for Debian. From a user perspective, it would be very handy.
For now, I think docs are the way to go. I will ping you once I have a draft PR in smart-proxy.
guides/common/modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
guides/common/modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
pr-processor
bot
added
the
Waiting on contributor
maximiliankolb
force-pushed
the
secureboot-support-poc
branch
from
6aae85a
to
429b413
Compare
pr-processor
bot
added
Needs re-review
and removed
Waiting on contributor
guides/common/modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
guides/common/modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
| ifeval::["{client-os}" == "Debian"] | ||
| * Ensure that `ar` and `xz` are installed on your {SmartProxy}. | ||
| endif::[] | ||
| ifeval::["{client-os}" == "Ubuntu"] | ||
| * Ensure that `ar`, `xz`, and `zstd` are installed on your {SmartProxy}. | ||
| endif::[] | ||
| ifeval::["{client-pkg-ext}" == "rpm"] | ||
| * Ensure that `cpio` is installed on your {SmartProxy}. | ||
| endif::[] |
There was a problem hiding this comment.
At the time of packaging/installing Smart Proxy, you don't know yet which Client OS you want to provision/manage with Foreman.
| * Ensure that `cpio` is installed on your {SmartProxy}. | ||
| endif::[] | ||
|
|
||
| .Procedure |
There was a problem hiding this comment.
This is a great idea; I will try and investigate. It's not trivial to get the correct RPM/DEB package and extract the right binary. Two examples from orcharhino docs: Setup Secure Boot for SLES & Setup Secure Boot for Debian. From a user perspective, it would be very handy.
For now, I think docs are the way to go. I will ping you once I have a draft PR in smart-proxy.
|
FYI: @nofaralfasi and I had a discussion last week that resulted in some changes we want to implement on the Smart Proxy side which are summarized in the Smart Proxy PR. These changes also will affect this PR. Further updates will follow soonish / in the upcoming weeks (as soon as I have time to work on this again). |
maximiliankolb
force-pushed
the
secureboot-support-poc
branch
from
429b413
to
96d95e9
Compare
| Use SecureBoot options to enable a client to download the `shim.efi` bootstrap bootloader that then loads the signed `grubx64.efi`. | ||
| Other PXE loaders like PXELinux UEFI, Grub2 ELF or iPXE Chain, require additional configuration. These workflows are not documented at the moment. | ||
| For BIOS systems, select the *PXELinux BIOS* option to enable a provisioned node to download the `pxelinux.0` file over TFTP. | ||
| For UEFI systems, select the *Grub2 UEFI* option to enable a TFTP client to download `grubx64.efi` file, or select the *Grub2 UEFI HTTP* option to enable an UEFI HTTP client to download `grubx64.efi` with the HTTP Boot feature. |
There was a problem hiding this comment.
This is outside the scope of this PR. Just FYI.
GRUB is an acronym. The UI labels should be "GRUB2 ..."
|
Per the last comment, I'm moving this back to draft. |
goarsna
force-pushed
the
secureboot-support-poc
branch
from
96d95e9
to
f6c2951
Compare
|
Rebased |
goarsna
force-pushed
the
secureboot-support-poc
branch
from
f6c2951
to
83ed4dc
Compare
|
I updated the PR to reflect the discussed changes. Thanks @maximiliankolb for marking it as ready. |
guides/common/modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc
Outdated
Show resolved
Hide resolved
Affects "Grub2 UEFI" PXE loaders * PR in foreman: theforeman/foreman#9864 * PR in smart-proxy: theforeman/smart-proxy#877 * RFC: https://community.theforeman.org/t/add-secureboot-support-for-arbitrary-distributions/32601/1
goarsna
force-pushed
the
secureboot-support-poc
branch
from
83ed4dc
to
a71639b
Compare
| @@ -0,0 +1,105 @@ | |||
| [id="configuring-{smart-proxy-context}-to-provision-{client-os-context}-on-Secure-Boot-enabled-hosts"] | |||
| = Configuring {SmartProxy} to provision {client-os} on Secure Boot enabled hosts | |||
There was a problem hiding this comment.
| = Configuring {SmartProxy} to provision {client-os} on Secure Boot enabled hosts | |
| = Configuring {SmartProxy} to provision {client-os} on Secure Booted hosts |
Would this be acceptable? It would make the title shorter.
There was a problem hiding this comment.
IMO we should leave this as is. Hosts with enabled "Secure Boot" are "securely booted", that's right. But "Secure Boot" is the proper name for the mechanism and the protocol used to achieve this and the term is also used in the UEFI specification (see page 1411).
But i have to admit the title is pretty long 🙈
There was a problem hiding this comment.
That's okay. I don't have any other ideas how to make it shorter 😆
There was a problem hiding this comment.
"[...] on Secure Booted hosts" doesn't make any sense here. Please keep "[...] Secure Boot enabled hosts" as suggested by @goarsna.
This adds a section about new SecureBoot support. It only works in combination with the following patchset:
theforeman/foreman#9864
theforeman/smart-proxy#877
RFC: https://community.theforeman.org/t/add-secureboot-support-for-arbitrary-distributions/32601/1