From 7be85e525e46946db0a2e71c8fdf6b291abe72fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20L=C3=B6ser?=
Date: Fri, 25 Aug 2023 14:27:35 +0200
Subject: [PATCH] Updating SecureBoot section
Add examples how to fetch & extract required shim and GRUB2 binaries.
RFC: https://community.theforeman.org/t/add-secureboot-support-for-arbitrary-distributions/32601/1
---
 .../con_using-pxe-to-provision-hosts.adoc | 53 +++++++++++++++++--
 1 file changed, 49 insertions(+), 4 deletions(-)
diff --git a/guides/common/modules/con_using-pxe-to-provision-hosts.adoc b/guides/common/modules/con_using-pxe-to-provision-hosts.adoc
index 3ad53851db6..de318a5a243 100644
--- a/guides/common/modules/con_using-pxe-to-provision-hosts.adoc
+++ b/guides/common/modules/con_using-pxe-to-provision-hosts.adoc
@@ -60,19 +60,64 @@ The very first shim that is loaded basically determines which distribution is al
 The following assumes host systems with enabled SecureBoot (User Mode) and default platform certificates. If you are using custom keys, you have to sign the corresponding components accordingly.
-To make this POC working you need to provide all shim and GRUB2 binaries manually under /usr/local/share/bootloader-universe//. Don’t forget to set read permissions for foreman-proxy user. You need to set SELinux to permissive when testing.
+To make this POC working you need to provide all shim and GRUB2 binaries manually under `/usr/local/share/bootloader-universe//`.
+You need to set SELinux to permissive when testing.
-Create the following directory structure on the server.
+Create the following directory structure on the server according to your needs and supported operating systems:
+[options="nowrap" subs="+quotes"]
+----
+[root@or ~]# install -o foreman-proxy -g foreman-proxy -d /usr/local/share/bootloader-universe/{almalinux,rocky_linux,ubuntu}/
+----
 The subdirectories of operating systems you want to support must correspond to the names of the operating systems in lower case.
+
+Example how to find the correct directory name:
 [options="nowrap" subs="+quotes"]
 ----
-# mkdir /usr/local/share/bootloader-universe/{sles,ubuntu,centos}/
+[root@orcharhino ~]# hammer os list | grep "Rocky Linux" | tail -n1 | cut -d ' ' -f1 | xargs hammer os info --id | sed -nE "s/^Name:\s+(.*)$/\L\1/p"
+rocky_linux
 ----
 Extract shim and GRUB2 binaries from corresponding distribution packages and copy them into their subdirectories.
-
+Example how to extract shim and GRUB2 binaries (Rocky Linux):
+[options="nowrap" subs="+quotes"]
+----
+[root@or /tmp]# wget http://dl.rockylinux.org/pub/rocky/9/BaseOS/x86_64/os/Packages/s/shim-x64-15.6-1.el9.rocky.0.2.x86_64.rpm
+[root@or /tmp]# rpm2cpio ./shim-x64-15.6-1.el9.rocky.0.2.x86_64.rpm | cpio -idv
+[root@or /tmp]# cp ./boot/efi/EFI/rocky/shimx64.efi /usr/local/share/bootloader-universe/rocky_linux/
+[root@or /tmp]# wget http://dl.rockylinux.org/pub/rocky/9/BaseOS/x86_64/os/Packages/g/grub2-efi-x64-2.06-61.el9_2.1.rocky.0.2.x86_64.rpm
+[root@or /tmp]# rpm2cpio ./grub2-efi-x64-2.06-61.el9_2.1.rocky.0.2.x86_64.rpm | cpio -idv
+[root@or /tmp]# cp ./boot/efi/EFI/rocky/grubx64.efi /usr/local/share/bootloader-universe/rocky_linux/
+----
 Every subdirectory must contain `shimx64.efi` and `grubx64.efi` file with permission mask `u=r,g=r,o=r`.
+There might be multiple shim binaries inside a package.
+To find the correct one you can check for the signer's common name "Microsoft Windows UEFI Driver Publisher" with the following command (Rocky Linux):
+[options="nowrap" subs="+quotes"]
+----
+[root@or /tmp]# pesign -S -i ./boot/efi/EFI/rocky/shimx64.efi
+---------------------------------------------
+certificate address is 0x7febc0ea8ec8
+Content was not encrypted.
+Content is detached; signature cannot be verified.
+The signer's common name is Microsoft Windows UEFI Driver Publisher
+No signer email address.
+No signing time included.
+There were certs or crls included.
+---------------------------------------------
+----
+
+Depending on the distribution the repositories, package names and package formats (.rpm vs. .deb) will vary.
+The following table is intended to help:
+[width="79%",cols="48%,19%,33%",options="header",]
+|===
+|OS |Package name |Binary path |Download/Repository
+|almalinux |shim-x64 |./boot/efi/EFI/almalinux/shimx64.efi |https://repo.almalinux.org/almalinux/9/BaseOS/x86_64/os/Packages/
+|almalinux |grub2-efi-x64 |./boot/efi/EFI/almalinux/grubx64.efi |https://repo.almalinux.org/almalinux/9/BaseOS/x86_64/os/Packages/
+|rocky_linux |shim-x64 |./boot/efi/EFI/rocky/shimx64.efi |http://dl.rockylinux.org/pub/rocky/9/BaseOS/x86_64/os/Packages/s/
+|rocky_linux |grub2-efi-x64 |./boot/efi/EFI/rocky/grubx64.efi |http://dl.rockylinux.org/pub/rocky/9/BaseOS/x86_64/os/Packages/g/
+|ubuntu |shim-signed |./usr/lib/shim/shimx64.efi.signed |https://packages.ubuntu.com/jammy/amd64/shim-signed
+|ubuntu |grub-efi-amd64-signed|./usr/lib/grub/x86_64-efi-signed/grubnetx64.efi.signed |https://packages.ubuntu.com/jammy/grub-efi-amd64-signed
+
 You should end up with something like:
 [options="nowrap" subs="+quotes"]
 ----