Flatcar icon indicating copy to clipboard operation
Flatcar copied to clipboard

Published 20 hours ago verified publisher icon flatcar

[Tracking] TPM 2.0/Secure Boot workstream

Open jepio opened this issue 3 years ago • 30 comments

Rough first draft, currently not ordered:

  • [x] update grub https://github.com/flatcar/scripts/pull/1082
  • [x] update ignition https://github.com/flatcar-linux/Flatcar/issues/387
  • [x] update shim
  • [x] update EDK2 OVMF (?)
  • [x] investigate SBAT
  • [x] run some secure boot enabled tests in CI:
    • [x] https://github.com/flatcar/mantle/pull/556
  • [ ] #1211
  • [x] import tpm2-tools - done together with clevis
  • [x] package clevis
    • [x] https://github.com/flatcar/scripts/pull/1560
  • [x] kernel lockdown:
    • [x] https://github.com/flatcar/scripts/pull/2299
  • [ ] include shim in aarch64 build
  • [x] ensure clevis works (in ignition or from OS)
  • [ ] setup signing infrastructure
    • [ ] https://github.com/flatcar/scripts/pull/2292
  • [ ] update pcr policy build infrastructure
  • [ ] Decide on which Grub to move forward with rhboot/grub2 or vanilla grub (ref https://github.com/flatcar/Flatcar/issues/630#issuecomment-2047399252)
  • [ ] submit signed shim for review
    • [ ] https://github.com/flatcar/shim-review/tree/sayan/add-dockerfile

jepio avatar Feb 16 '22 15:02 jepio

Mantle now publishes GCP images with UEFI features including vTPM enabled. With Azure CommunityGalleries we can also enable vTPM support on our images. AWS has GA'd their vTPM, but requires switching the AMI to UEFI boot mode (dropping compat with Xen HVM instances). We will need to consider publishing separate ami's for UEFI and BIOS boot.

Secure boot has not been tackled yet, but started thinking about signing procedures and key handling.

jepio avatar May 13 '22 08:05 jepio

As a side note, Clevis (and friends) are now available on ::guru: https://github.com/gentoo/guru/tree/master/app-crypt/clevis. Including Clevis should then follow the same process as including a package from ::gentoo overlay (https://www.flatcar.org/docs/latest/reference/developer-guides/sdk-modifying-flatcar/#add-or-update-a-package).

Butane clevis restriction should also be dropped once done: https://github.com/coreos/butane/blob/87a7a686aff511dd13a6b873baf9a7d005170737/config/flatcar/v1_0/translate.go#L37-L41

tormath1 avatar Aug 31 '22 07:08 tormath1

@tormath1 Trying to add Clevis takes me into dependency hell. I'm essentially doing https://www.flatcar.org/docs/latest/reference/developer-guides/sdk-modifying-flatcar/#add-or-update-a-package but with gentoo/guru instead of gentoo/gentoo

krishjainx avatar Jun 06 '23 01:06 krishjainx

@krishjainx yes, there are some dependencies like jose and luksmeta that needs to be pulled too. Back in the days @jepio started a PoC for Clevis: https://github.com/flatcar/coreos-overlay/commits/jepio/wip-clevis you can base your work on this (or rebase his branch)

tormath1 avatar Jun 06 '23 07:06 tormath1

The preliminary support for clevis can be found at https://github.com/flatcar/scripts/pull/909. I will return to working on this shortly. I encountered some issues after working on it with an alpha tag and then transitioning it to another branch based on master. So, I will need to rebase and test it with the new SDK container locally. If someone is interested in taking over my work, please feel free to have a look. @tormath1

krishjainx avatar Jun 14 '23 10:06 krishjainx

On EFI we are now missing tpm eventlog access from linux because that depends on the linuxefi boot protocol which is a downstream RH grub patch. I think we'll need to switch to using https://github.com/rhboot/grub2

jepio avatar Apr 10 '24 12:04 jepio