Add SecureBoot support for arbitrary operating systems to "Grub2 UEFI" PXE loaders

[jloeser]

This adds a section about new SecureBoot support. It only works in combination with the following patchset:

theforeman/foreman#9864
theforeman/smart-proxy#877

RFC: https://community.theforeman.org/t/add-secureboot-support-for-arbitrary-distributions/32601/1

[github-actions]

The PR preview for ab8d56e is available at theforeman-foreman-documentation-preview-pr-2145.surge.sh

The following output files are affected by this PR:

• Provisioning_Hosts/index-foreman-deb.html
• Provisioning_Hosts/index-foreman-el.html
• Provisioning_Hosts/index-katello.html
• Provisioning_Hosts/index-orcharhino.html
• Provisioning_Hosts/index-satellite.html

show diff

show diff as HTML

[maximiliankolb]

Converted to draft PR for now because the linked PRs in foreman and smart_proxy have not been merged yet.

[maximiliankolb]

Some open questions for Goars or Jan.

@apinnick Do you ACK the capitalization of "Secure Boot"? And should it be "Secure Boot-enabled hosts" or "hosts with Secure Boot enabled"?

Rest LGTM from a writers perspective.

[apinnick]

@apinnick Do you ACK the capitalization of "Secure Boot"? And should it be "Secure Boot-enabled hosts" or "hosts with Secure Boot enabled"?

@maximiliankolb I prefer "UEFI Secure Boot" because it is a UEFI security feature but I have no objection to "Secure Boot".

[goarsna]

Hi there,
after discussions with @lzap and others on the community thread, we changed the implementation to a new approach, that extends the existing Grub2 UEFI SecureBoot and Grub2 UEFI HTTPS SecureBoot PXE loaders to support Secure Boot for arbitrary operating systems. With that, I also had to rework the documentation, so another round of review is needed...

For reference as the PRs mentioned in the first post in this PR are not valid anymore:
The PRs this documentation PR belongs to are

• Fixes #36834 - Add SecureBoot support for arbitrary operating systems to "Grub2 UEFI" PXE loaders foreman#9864
• Fixes #36833 - Add SecureBoot support for arbitrary operating systems to "Grub2 UEFI" PXE loaders smart-proxy#877
• Fixes #36940 - Add SecureBoot support for arbitrary operating systems to "Grub2 UEFI" PXE loaders puppet-foreman_proxy#821

Thanks for all your reviews and input!

[ekohl]

Why don't we make these packaging dependencies if they're required?

[maximiliankolb]

At the time of packaging/installing Smart Proxy, you don't know yet which Client OS you want to provision/manage with Foreman.

[ekohl]

If this is all common, why don't we ship a helper script that takes several inputs and saves it to the correct places? That makes both the procedure and testing easier. We can also ensure all commands we use are properly ensured via packaging dependencies.

There's precedent for this: https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm is installed (here for RPM). Then the documentation refers to this:

foreman-documentation/guides/common/modules/con_configuring-project-to-manage-the-lifecycle-of-a-host-registered-to-a-freeipa-realm.adoc

Lines 29 to 33 in 3259af8

	. Create a realm proxy user, `realm-{smart-proxy-context}`, and the relevant roles in {FreeIPA}:
	+
	[options="nowrap", subs="+quotes,verbatim,attributes"]
	----
	# foreman-prepare-realm admin realm-{smart-proxy-context}

[maximiliankolb]

This is a great idea; I will try and investigate. It's not trivial to get the correct RPM/DEB package and extract the right binary. Two examples from orcharhino docs: Setup Secure Boot for SLES & Setup Secure Boot for Debian. From a user perspective, it would be very handy.

For now, I think docs are the way to go. I will ping you once I have a draft PR in smart-proxy.

[maximiliankolb]

Rebased to "master".

[maximiliankolb]

At the time of packaging/installing Smart Proxy, you don't know yet which Client OS you want to provision/manage with Foreman.

[maximiliankolb]

This is a great idea; I will try and investigate. It's not trivial to get the correct RPM/DEB package and extract the right binary. Two examples from orcharhino docs: Setup Secure Boot for SLES & Setup Secure Boot for Debian. From a user perspective, it would be very handy.

For now, I think docs are the way to go. I will ping you once I have a draft PR in smart-proxy.

[goarsna]

FYI: @nofaralfasi and I had a discussion last week that resulted in some changes we want to implement on the Smart Proxy side which are summarized in the Smart Proxy PR. These changes also will affect this PR. Further updates will follow soonish / in the upcoming weeks (as soon as I have time to work on this again).

[apinnick]

This is outside the scope of this PR. Just FYI.

GRUB is an acronym. The UI labels should be "GRUB2 ..."

[ekohl]

Per the last comment, I'm moving this back to draft.

[goarsna]

Rebased

[goarsna]

I updated the PR to reflect the discussed changes. Thanks @maximiliankolb for marking it as ready.

[Lennonka]

A couple of nitpicks.

[maximiliankolb]

one tiny suggestion, rest LGTM. Thanks for the patience.

[Lennonka]

One more thing. I think it would be better to include these under Configuring provisioning resources rather than Using PXE. Would you considering moving them there?

On one hand, I think it belongs to configuring resources before the user starts using them. Also, I'm planning splitting Provisioning hosts into 3 guides and a couple of improvements for all 3 new provisioning guides.
On the other hand, I'm not entirely sure. AFAIK, SB is only supported in PXE and UEFI HTTP boot, not in Discovery or boot disk, so from this perspective, this place also looks right.

[goarsna]

Hey @Lennonka, I would vote for leaving it under "Using PXE...".
As you said in your last sentence, it is only supported in PXE and UEFI HTTP boot and also there the configuration only has to be done in case one wants to use Secure Boot. Putting it under "Configuring Provisioning Resources" could connote that it is a general feature or it is a essential configuration step.