-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFE] Support Secure Boot #501
Comments
I think we also need to change the way we use the |
Hello! I am trying to install flatcar linux on my home PC. I am getting a "Secure Boot Violation: Invalid signature detected. Check Secure Boot Policy in Setup", after using the |
@saulshanabrook |
I am correct in assuming that this PR along with some CA/signing infra changes you pointed out would resolve this issue? |
Yes. The real work will be the CA/signing infra to get our shim trusted by the official UEFI CA. |
Will secure boot support come after Flatcar finishes its ideal implementation of systemd-boot? I only just got a grasp on how secure boot works today (PK, KEK, db, dbx) and a small glimpse of what seems like a stringent process of approval. I would think at least the bootloader situation (shim -> systemd-boot) should be pretty well cemented before working through the mainstream UEFI signature approval process. Resources: https://techcommunity.microsoft.com/blog/hardwaredevcenter/updated-uefi-signing-requirements/1062916 https://github.com/rhboot/shim/wiki/reviewer-guidelines There is no rush. I’m just trying to get a gauge of how prioritized this is. I’m hoping Flatcar becomes what I use for a lot, but without secure boot I’m leaning towards using other operating systems on bare metal and Flatcar in VMs which is okay, just I would love to manage an immutable fleet of Flatcar machines running Kubernetes clusters and minimizing downtime with Nebraska. Some people say I don’t have to worry about secure boot and that it’s not actually that secure, but I would like to see it because I think it carries some enterprise legitimacy with its signature approval process. Thank you for all you have contributed so far, and congratulations on being accepted as a CNCF incubating project! |
Work for secure boot support is in the end phases, we're going to be submitting the shim (together with our signing process and boot chain) for review in the coming weeks. This is not coupled to switching to systemd-boot, it will be based on the existing grub based boot process. Here are some PRs if you're interested:
|
Current situation
Flatcar currently does not support Secure Boot. We use a really old fork of shim and grub, and our artifacts are not signed in a way that works on machines with official UEFI CA keys.
Impact
Users can't run UEFI with Secure Boot enabled. This doesn't only affect bare metal installs but also some VMs (e.g. Azure Trusted Launch https://azure.microsoft.com/en-us/blog/announcing-preview-of-azure-trusted-launch-for-virtual-machines/).
Ideal future situation
Flatcar images contain EFI boot firmware signed with official UEFI CA keys, which make them compatible with Secure Boot on default provisioned UEFI firmware.
Implementation options
We still have https://github.com/kinvolk/flatcar-scripts/blob/main/image_inject_bootchain around. Our grub and kernel binaries are signed for secure boot but only with a dev key. We'll need to:
Additional information
[ Please Add any information that does not fit into any of the above sections here ]
The text was updated successfully, but these errors were encountered: