-
Notifications
You must be signed in to change notification settings - Fork 95
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Secure Boot support for arbitrary Client OS
Affects "Grub2 UEFI" PXE loaders * PR in foreman: theforeman/foreman#9864 * PR in smart-proxy: theforeman/smart-proxy#877 * RFC: https://community.theforeman.org/t/add-secureboot-support-for-arbitrary-distributions/32601/1
- Loading branch information
1 parent
bc36214
commit 96d95e9
Showing
3 changed files
with
230 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
113 changes: 113 additions & 0 deletions
113
...odules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,113 @@ | ||
[id="configuring-{smart-proxy-context}-to-provision-{client-os-context}-on-Secure-Boot-enabled-hosts"] | ||
= Configuring {SmartProxy} to provision {client-os} on Secure Boot enabled hosts | ||
|
||
Secure Boot follows a chain of trust from the start of the host to the loading of Linux kernel modules. | ||
The first shim that is loaded determines which distribution can be booted or loaded by using a `kexec` system call until the next reboot. | ||
|
||
To provision {client-os} on Secure Boot enabled hosts with the *Grub2 UEFI SecureBoot* and *Grub2 UEFI HTTPS SecureBoot* PXE loaders, you have to provide signed shim and GRUB2 binaries provided by the vendor of your operating system. | ||
|
||
[IMPORTANT] | ||
==== | ||
ifdef::satellite[] | ||
You have to perform the following configuration steps on each TFTP {SmartProxy} for a subnet to provision Secure Boot enabled hosts on that subnet. | ||
endif::[] | ||
ifndef::satellite[] | ||
You have to perform the following configuration steps on each TFTP proxy for a subnet to provision Secure Boot enabled hosts on that subnet. | ||
endif::[] | ||
==== | ||
|
||
The following example works for {client-os} on x86_64 architecture. | ||
|
||
.Prerequisites | ||
ifeval::["{client-os}" == "Debian"] | ||
* Ensure that `ar` and `xz` are installed on your {SmartProxy}. | ||
endif::[] | ||
ifeval::["{client-os}" == "Ubuntu"] | ||
* Ensure that `ar`, `xz`, and `zstd` are installed on your {SmartProxy}. | ||
endif::[] | ||
ifeval::["{client-pkg-ext}" == "rpm"] | ||
* Ensure that `cpio` is installed on your {SmartProxy}. | ||
endif::[] | ||
|
||
.Procedure | ||
. On your {SmartProxy}, configure the directory to store the shim and GRUB2 binaries required for provisioning Secure Boot enabled hosts: | ||
+ | ||
[options="nowrap" subs="+quotes,verbatim,attributes"] | ||
---- | ||
# {foreman-installer} --foreman-proxy-tftp-bootloader-universe _My_Bootloader_Directory_ | ||
---- | ||
+ | ||
Replace _My_Bootloader_Directory_ with the absolute path where you want to store the shim and GRUB2 binaries. | ||
. Set the path for the shim and GRUB2 binaries for the operating system of your host: | ||
+ | ||
[options="nowrap" subs="+quotes,verbatim,attributes"] | ||
---- | ||
# BOOTLOADER_PATH="_My_Bootloader_Directory_/pxegrub2/_{secureboot-os-name}_/default/x86_64" | ||
---- | ||
+ | ||
If you require specific versions of the shim and GRUB2 binaries for the version of the operating system of your host, replace `default` with the *Major* and *Minor* version of the operating system separated by a dot. | ||
If no *Minor* version is set, replace `default` with the *Major* version. | ||
+ | ||
{Team} recommends to not use version-specific shim and GRUB2 binaries unless it is really necessary. | ||
. Create the directory to store the shim and GRUB2 binaries for the operating system of your host: | ||
+ | ||
[options="nowrap" subs="+quotes,verbatim,attributes"] | ||
---- | ||
# install -o foreman-proxy -g foreman-proxy -d $BOOTLOADER_PATH | ||
---- | ||
. Download the shim and GRUB2 packages for the operating system of your host: | ||
+ | ||
[options="nowrap" subs="+quotes,verbatim,attributes"] | ||
---- | ||
# wget -O /tmp/{grub_efi_downloaded_package_name} _https://{server-example-com}/{grub_efi_downloaded_package_name}_ | ||
# wget -O /tmp/{shim_efi_downloaded_package_name} _https://{server-example-com}/{shim_efi_downloaded_package_name}_ | ||
---- | ||
+ | ||
You can download the `{grub_efi_package_name}` package from {grub_efi_download_url}. | ||
You can download the `{shim_efi_package_name}` package from {shim_efi_download_url}. | ||
. Extract the shim and GRUB2 binaries: | ||
+ | ||
[options="nowrap" subs="+quotes,verbatim,attributes"] | ||
---- | ||
# {extract_grub} | ||
# {extract_shim} | ||
---- | ||
. Make the shim and GRUB2 binaries available for host provisioning: | ||
+ | ||
[options="nowrap" subs="+quotes,verbatim,attributes"] | ||
---- | ||
# cp {grub_efi_tmp_binary_path} $BOOTLOADER_PATH/grubx64.efi | ||
# cp {shim_efi_tmp_binary_path} $BOOTLOADER_PATH/shimx64.efi | ||
# ln -sr $BOOTLOADER_PATH/grubx64.efi $BOOTLOADER_PATH/boot.efi | ||
# ln -sr $BOOTLOADER_PATH/shimx64.efi $BOOTLOADER_PATH/boot-sb.efi | ||
# chmod 644 $BOOTLOADER_PATH/grubx64.efi | ||
# chmod 644 $BOOTLOADER_PATH/shimx64.efi | ||
---- | ||
ifeval::["{client-pkg-ext}" == "deb"] | ||
. Link the `grub.cfg` file from the TFTP servers `grub2` folder to the legacy `grub` folder: | ||
+ | ||
[options="nowrap" subs="+quotes,verbatim,attributes"] | ||
---- | ||
# ln --relative --symbolic /var/lib/tftpboot/grub2/grub.cfg /var/lib/tftpboot/grub/grub.cfg | ||
---- | ||
endif::[] | ||
|
||
.Verification | ||
* Verify the contents of your bootloader directory: | ||
+ | ||
[options="nowrap" subs="+quotes,verbatim,attributes"] | ||
---- | ||
# tree _My_Bootloader_Directory_ | ||
_My_Bootloader_Directory_ | ||
└── pxegrub2 | ||
└── _{secureboot-os-name}_ | ||
└── default | ||
└── x86_64 | ||
├── boot.efi -> grubx64.efi | ||
├── boot-sb.efi -> shimx64.efi | ||
├── grubx64.efi | ||
└── shimx64.efi | ||
---- | ||
|
||
.Next steps | ||
* You can now provision Secure Boot enabled {client-os} hosts by using the *Grub2 UEFI SecureBoot* and *Grub2 UEFI HTTPS SecureBoot* PXE loaders. |