From 9e91cc13515a204008c65424116811aeff46e78e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20L=C3=B6ser?= Date: Tue, 28 Feb 2023 13:16:40 +0100 Subject: [PATCH] Fixes #36833 - Add SecureBoot support for arbitrary operating systems to "Grub2 UEFI" PXE loaders MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This feature consists of four patches, one each for foreman, smart-proxy, foreman-installer, and puppet-foreman_proxy. This patch adds support for individual Network Bootstrap Programs (NBP) in order to enable network based installations of SecureBoot enabled hosts for arbitrary operating systems. SecureBoot expects to follow a chain of trust from the initial boot of the host to the loading of Linux kernel modules. The very first shim that is loaded determines which distribution is allowed to be booted or kexec'ed until next reboot. Currently the "Grub2 UEFI SecureBoot" PXE loaders use NBPs provided by the vendor of the Foreman/Smart Proxy host system. All hosts receive and execute the same binary. On SecureBoot enabled hosts, this limits installations to operating systems by the vendor of the Foreman/ Smart Proxy host system. Providing shim and GRUB2 by the vendor of the operating system to be installed allows Foreman to install any operating system on SecureBoot enabled hosts over network. To achieve this, the host's DHCP filename option is set to a shim/GRUB2 binary in a host specific directory based on their MAC address. Corresponding shim and GRUB2 binaries are copied into that directory along with the generated GRUB2 configuration files. When provisioning a host, the Smart Proxy checks in a dedicated directory inside the TFTP root - the so called "bootloader universe" - if NBPs are present matching the operating system, operating system version, and architecture of the host to be installed. If this is the case, these NBPs are copied from the bootloader universe directory to the host specific directory. If not, as a fallback the default NBPs provided by the vendor of the Foreman/Smart Proxy host system are copied from the `:tftproot:/grub2` directory to the host specific directory. Up to now, shim and GRUB2 binaries have to be retrieved and set up in the bootloader universe directory manually according to the documentation. An automatic way to provide OS dependent NBPs will be added in future. In case there are no NBPs present in the bootloader universe matching the operating system, operating system version, and architecture of the host to be installed, the behaviour of the "Grub2 UEFI" PXE loaders does not change to the behavior prior to this feature. Implementation notes: --------------------- * To be future proof (e.g. to be able to provide NBPs in the bootloader universe for other PXE loaders without running into any filename conflicts) and for better structure, the PXE kind is prepended as a first directory level inside the bootloader universe. * The operating system version inside the bootloader universe consists of the major and minor version (if applicable) of the operating system separated by a dot (`.`). If no NBPs are configured for a specific operating system version the fallback directory `default` is used. * To simplify things on Foreman side in future, symlinks are used for the shim (boot-sb.efi) and GRUB2 (boot.efi) binaries. * Inside the TFTP root directory a new directory `host-config` is created for storing all the host specific directories. * Inside the TFTP root directory a new directory `bootloader-universe` is created for storing all the OS specific boot files. * For storage efficiency the shim and GRUB2 binaries from the bootloader universe or the `:tftproot:/grub2` directory are symlinked to the host specific directory. Full example: ------------- [root@vm ~]# hammer host info --id 241 | grep -E "(MAC address|Operating System)" MAC address: 00:50:56:b4:75:5e Operating System: AlmaLinux 8.9 [root@vm ~]# tree /var/lib/tftpboot/bootloader-universe/ /var/lib/tftpboot/bootloader-universe/ └── pxegrub2 └── almalinux ├── 8.9 │ └── x86_64 │ ├── boot.efi -> grubx64.efi │ ├── boot-sb.efi -> shimx64.efi │ ├── grubx64.efi │ └── shimx64.efi └── default └── x86_64 ├── boot.efi -> grubx64.efi ├── boot-sb.efi -> shimx64.efi ├── grubx64.efi └── shimx64.efi [root@vm ~]# hammer host update --id 241 --build true [root@vm ~]# tree /var/lib/tftpboot/host-config /var/lib/tftpboot/host-config └── 00-50-56-a3-41-a8 └── grub2 ├── boot.efi -> ../../../bootloader-universe/grubx64.efi ├── boot-sb.efi -> ../../../bootloader-universe/shimx64.efi ├── grub.cfg ├── grub.cfg-00:50:56:a3:41:a8 ├── grub.cfg-01-00-50-56-a3-41-a8 ├── grubx64.efi -> ../../../bootloader-universe/grubx64.efi ├── os_info └── shimx64.efi -> ../../../bootloader-universe/shimx64.efi [root@vm ~]# grep -B2 00-50-56-b4-75-5e /var/lib/dhcpd/dhcpd.leases hardware ethernet 00:50:56:b4:75:5e; fixed-address 192.168.145.84; supersede server.filename = "host-config/00-50-56-b4-75-5e/grub2/boot-sb.efi"; [root@vm ~]# pesign -S -i /var/lib/tftpboot/host-config/00-50-56-b4-75-5e/grub2/boot-sb.efi | grep "Microsoft Windows UEFI Driver Publisher" The signer's common name is Microsoft Windows UEFI Driver Publisher --- modules/tftp/server.rb | 115 ++++++++++++++++++++++++++++++++-- modules/tftp/tftp_api.rb | 5 +- modules/tftp/tftp_plugin.rb | 2 + test/tftp/integration_test.rb | 2 +- test/tftp/tftp_server_test.rb | 85 ++++++++++++++++++++++++- 5 files changed, 199 insertions(+), 10 deletions(-) diff --git a/modules/tftp/server.rb b/modules/tftp/server.rb index 98218d8bd..32e7f83e4 100644 --- a/modules/tftp/server.rb +++ b/modules/tftp/server.rb @@ -63,6 +63,19 @@ def delete_file(file) logger.debug "TFTP: Skipping a request to delete a file which doesn't exists" end end + + def delete_host_dir(mac) + host_dir = File.join(path, 'host-config', dashed_mac(mac).downcase) + logger.debug "TFTP: Removing directory '#{host_dir}'." + FileUtils.rm_rf host_dir + end + + def setup_bootloader(mac:, os:, release:, arch:, bootfile_suffix:) + end + + def dashed_mac(mac) + mac.tr(':', '-') + end end class Syslinux < Server @@ -75,7 +88,7 @@ def pxe_default end def pxeconfig_file(mac) - ["#{pxeconfig_dir}/01-" + mac.tr(':', "-").downcase] + ["#{pxeconfig_dir}/01-" + dashed_mac(mac).downcase] end end class Pxelinux < Syslinux; end @@ -90,13 +103,96 @@ def pxe_default end def pxeconfig_file(mac) - ["#{pxeconfig_dir}/menu.lst.01" + mac.delete(':').upcase, "#{pxeconfig_dir}/01-" + mac.tr(':', '-').upcase] + ["#{pxeconfig_dir}/menu.lst.01" + mac.delete(':').upcase, "#{pxeconfig_dir}/01-" + dashed_mac(mac).upcase] end end class Pxegrub2 < Server - def pxeconfig_dir - "#{path}/grub2" + def bootloader_path(os, release, arch) + [release, "default"].each do |version| + bootloader_path = File.join(path, 'bootloader-universe/pxegrub2', os, version, arch) + + logger.debug "TFTP: Checking if bootloader universe is configured for OS '#{os}' version '#{version}' (#{arch})." + + if Dir.exist?(bootloader_path) + logger.debug "TFTP: Directory '#{bootloader_path}' exists." + return bootloader_path + end + + logger.debug "TFTP: Directory '#{bootloader_path}' does not exist." + end + nil + end + + def bootloader_universe_symlinks(bootloader_path, pxeconfig_dir_mac) + Dir.glob(File.join(bootloader_path, '*.efi')).map do |source_file| + { source: source_file, symlink: File.join(pxeconfig_dir_mac, File.basename(source_file)) } + end + end + + def default_symlinks(bootfile_suffix, pxeconfig_dir_mac) + pxeconfig_dir = pxeconfig_dir() + + grub_source = "grub#{bootfile_suffix}.efi" + shim_source = "shim#{bootfile_suffix}.efi" + + [ + { source: grub_source, symlink: "boot.efi" }, + { source: grub_source, symlink: grub_source }, + { source: shim_source, symlink: "boot-sb.efi" }, + { source: shim_source, symlink: shim_source }, + ].map do |link| + { source: File.join(pxeconfig_dir, link[:source]), symlink: File.join(pxeconfig_dir_mac, link[:symlink]) } + end + end + + def create_symlinks(symlinks) + symlinks.each do |link| + relative_source_path = Pathname.new(link[:source]).relative_path_from(Pathname.new(link[:symlink]).parent).to_s + + logger.debug "TFTP: Creating relative symlink: #{link[:symlink]} -> #{relative_source_path}" + FileUtils.ln_s(relative_source_path, link[:symlink], force: true) + end + end + + # Configures bootloader files for a host in its host-config directory + # + # @param mac [String] The MAC address of the host + # @param os [String] The lowercase name of the operating system of the host + # @param release [String] The major and minor version of the operating system of the host + # @param arch [String] The architecture of the operating system of the host + # @param bootfile_suffix [String] The architecture specific boot filename suffix + def setup_bootloader(mac:, os:, release:, arch:, bootfile_suffix:) + pxeconfig_dir_mac = pxeconfig_dir(mac) + + logger.debug "TFTP: Deploying host specific bootloader files to '#{pxeconfig_dir_mac}'." + + FileUtils.mkdir_p(pxeconfig_dir_mac) + FileUtils.rm_f(Dir.glob("#{pxeconfig_dir_mac}/*.efi")) + + bootloader_path = bootloader_path(os, release, arch) + + if bootloader_path + logger.debug "TFTP: Creating symlinks from bootloader universe." + symlinks = bootloader_universe_symlinks(bootloader_path, pxeconfig_dir_mac) + else + logger.debug "TFTP: Creating symlinks from default bootloader files." + symlinks = default_symlinks(bootfile_suffix, pxeconfig_dir_mac) + end + create_symlinks(symlinks) + end + + def del(mac) + super mac + delete_host_dir mac + end + + def pxeconfig_dir(mac = nil) + if mac + File.join(path, 'host-config', dashed_mac(mac).downcase, 'grub2') + else + File.join(path, 'grub2') + end end def pxe_default @@ -104,7 +200,14 @@ def pxe_default end def pxeconfig_file(mac) - ["#{pxeconfig_dir}/grub.cfg-01-" + mac.tr(':', '-').downcase, "#{pxeconfig_dir}/grub.cfg-#{mac.downcase}"] + pxeconfig_dir_mac = pxeconfig_dir(mac) + [ + "#{pxeconfig_dir_mac}/grub.cfg", + "#{pxeconfig_dir_mac}/grub.cfg-01-#{dashed_mac(mac).downcase}", + "#{pxeconfig_dir_mac}/grub.cfg-#{mac.downcase}", + "#{pxeconfig_dir}/grub.cfg-01-" + dashed_mac(mac).downcase, + "#{pxeconfig_dir}/grub.cfg-#{mac.downcase}", + ] end end @@ -146,7 +249,7 @@ def pxe_default end def pxeconfig_file(mac) - ["#{pxeconfig_dir}/01-" + mac.tr(':', "-").downcase + ".ipxe"] + ["#{pxeconfig_dir}/01-" + dashed_mac(mac).downcase + ".ipxe"] end end diff --git a/modules/tftp/tftp_api.rb b/modules/tftp/tftp_api.rb index 1bc6276c7..02f3b2948 100644 --- a/modules/tftp/tftp_api.rb +++ b/modules/tftp/tftp_api.rb @@ -18,8 +18,9 @@ def instantiate(variant, mac = nil) Object.const_get("Proxy").const_get('TFTP').const_get(variant.capitalize).new end - def create(variant, mac) + def create(variant, mac, os: nil, release: nil, arch: nil, bootfile_suffix: nil) tftp = instantiate variant, mac + log_halt(400, "TFTP: Failed to setup host specific bootloader directory: ") { tftp.setup_bootloader(mac: mac, os: os, release: release, arch: arch, bootfile_suffix: bootfile_suffix) } log_halt(400, "TFTP: Failed to create pxe config file: ") { tftp.set(mac, (params[:pxeconfig] || params[:syslinux_config])) } end @@ -48,7 +49,7 @@ def create_default(variant) end post "/:variant/:mac" do |variant, mac| - create variant, mac + create variant, mac, os: params[:targetos], release: params[:release], arch: params[:arch], bootfile_suffix: params[:bootfile_suffix] end delete "/:variant/:mac" do |variant, mac| diff --git a/modules/tftp/tftp_plugin.rb b/modules/tftp/tftp_plugin.rb index d4dc06450..bb92bed53 100644 --- a/modules/tftp/tftp_plugin.rb +++ b/modules/tftp/tftp_plugin.rb @@ -2,6 +2,8 @@ module Proxy::TFTP class Plugin < ::Proxy::Plugin plugin :tftp, ::Proxy::VERSION + capability :bootloader_universe + rackup_path File.expand_path("http_config.ru", __dir__) default_settings :tftproot => '/var/lib/tftpboot', diff --git a/test/tftp/integration_test.rb b/test/tftp/integration_test.rb index a9b88a8f8..9b621e7f9 100644 --- a/test/tftp/integration_test.rb +++ b/test/tftp/integration_test.rb @@ -14,7 +14,7 @@ def test_features mod = response['tftp'] refute_nil(mod) assert_equal('running', mod['state'], Proxy::LogBuffer::Buffer.instance.info[:failed_modules][:tftp]) - assert_equal([], mod['capabilities']) + assert_equal(["bootloader_universe"], mod['capabilities']) expected_settings = { 'tftp_servername' => 'tftp.example.com' } assert_equal(expected_settings, mod['settings']) diff --git a/test/tftp/tftp_server_test.rb b/test/tftp/tftp_server_test.rb index 42d6f1071..80a8c5c41 100644 --- a/test/tftp/tftp_server_test.rb +++ b/test/tftp/tftp_server_test.rb @@ -46,6 +46,10 @@ def test_create_default end @subject.create_default @content end + + def test_dashed_mac + assert "aa-bb-cc-dd-ee-ff", @subject.dashed_mac(@mac) + end end class HelperServerTest < Test::Unit::TestCase @@ -111,11 +115,90 @@ def setup_paths class TftpPxegrub2ServerTest < Test::Unit::TestCase include TftpGenericServerSuite + def setup + @arch = "x86_64" + @bootfile_suffix = "x64" + @os = "redhat" + @release = "9.4" + super + end + def setup_paths @subject = Proxy::TFTP::Pxegrub2.new - @pxe_config_files = ["grub2/grub.cfg-01-aa-bb-cc-dd-ee-ff", "grub2/grub.cfg-aa:bb:cc:dd:ee:ff"] + @pxe_config_files = [ + "host-config/aa-bb-cc-dd-ee-ff/grub2/grub.cfg", + "host-config/aa-bb-cc-dd-ee-ff/grub2/grub.cfg-01-aa-bb-cc-dd-ee-ff", + "host-config/aa-bb-cc-dd-ee-ff/grub2/grub.cfg-aa:bb:cc:dd:ee:ff", + "grub2/grub.cfg-01-aa-bb-cc-dd-ee-ff", + "grub2/grub.cfg-aa:bb:cc:dd:ee:ff", + ] @pxe_default_files = ["grub2/grub.cfg"] end + + def test_pxeconfig_dir + assert_equal File.join(@subject.path, "host-config", @subject.dashed_mac(@mac).downcase, "grub2"), @subject.pxeconfig_dir(@mac) + assert_equal File.join(@subject.path, "grub2"), @subject.pxeconfig_dir() + end + + def test_release_specific_bootloader_path + release_specific_bootloader_path = File.join(@subject.path, "bootloader-universe/pxegrub2", @os, @release, @arch) + Dir.stubs(:exist?).with(release_specific_bootloader_path).returns(true).once + assert_equal release_specific_bootloader_path, @subject.bootloader_path(@os, @release, @arch) + end + + def test_default_bootloader_path + release_specific_bootloader_path = File.join(@subject.path, "bootloader-universe/pxegrub2", @os, @release, @arch) + default_bootloader_path = File.join(@subject.path, "bootloader-universe/pxegrub2", @os, "default", @arch) + Dir.stubs(:exist?).with(release_specific_bootloader_path).returns(false).once + Dir.stubs(:exist?).with(default_bootloader_path).returns(true).once + assert_equal default_bootloader_path, @subject.bootloader_path(@os, @release, @arch) + end + + def test_bootloader_universe_symlinks + temp_dir = Dir.mktmpdir() + pxeconfig_dir_mac = @subject.pxeconfig_dir(@mac) + symlinks = [ + { source: File.join(temp_dir, "dummy1.efi"), symlink: File.join(pxeconfig_dir_mac, "dummy1.efi") }, + { source: File.join(temp_dir, "dummy2.efi"), symlink: File.join(pxeconfig_dir_mac, "dummy2.efi") }, + ] + symlinks.each do |entry| + FileUtils.touch(entry[:source]) + end + assert_equal( + symlinks.sort_by { |entry| entry[:source] }, + @subject.bootloader_universe_symlinks(temp_dir, pxeconfig_dir_mac).sort_by { |entry| entry[:source] } + ) + end + + def test_default_symlinks + pxeconfig_dir = @subject.pxeconfig_dir + pxeconfig_dir_mac = @subject.pxeconfig_dir(@mac) + symlinks = [ + { source: File.join(pxeconfig_dir, "grub#{@bootfile_suffix}.efi"), symlink: File.join(pxeconfig_dir_mac, "boot.efi") }, + { source: File.join(pxeconfig_dir, "grub#{@bootfile_suffix}.efi"), symlink: File.join(pxeconfig_dir_mac, "grub#{@bootfile_suffix}.efi") }, + { source: File.join(pxeconfig_dir, "shim#{@bootfile_suffix}.efi"), symlink: File.join(pxeconfig_dir_mac, "boot-sb.efi") }, + { source: File.join(pxeconfig_dir, "shim#{@bootfile_suffix}.efi"), symlink: File.join(pxeconfig_dir_mac, "shim#{@bootfile_suffix}.efi") }, + ] + assert_equal symlinks, @subject.default_symlinks(@bootfile_suffix, @subject.pxeconfig_dir(@mac)) + end + + def test_create_symlinks + symlinks = [ + { source: "/path/to/source1", symlink: "/path/to/symlink1" }, + { source: "/path/to/source2", symlink: "/another/path/to/symlink2" }, + ] + FileUtils.expects(:ln_s).with("source1", "/path/to/symlink1", {:force => true}).once + FileUtils.expects(:ln_s).with("../../../path/to/source2", "/another/path/to/symlink2", {:force => true}).once + @subject.create_symlinks(symlinks) + end + + def test_del + pxe_config_files.each do |file| + @subject.expects(:delete_file).with(file).once + end + @subject.expects(:delete_host_dir).with(@mac).once + @subject.del @mac + end end class TftpPoapServerTest < Test::Unit::TestCase