
[bug] Secure Boot image has error in installation process

Open baughj opened this issue 7 months ago • 1 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

When using a secure boot image (generated with Download Image -> check Secure Boot option) and creating a cluster, an error is seen during installation: failed to install bootloader: error copying /usr/install/amd64/vmlinuz.efi.signed, due to the file not being present. The result is that Talos is installed, but without a bootloader.

This is on a Supermicro H12-SSL with secure boot mode enabled (e.g. in setup mode, and previously the Omni keys were installed).

Expected Behavior

Installation and creation of a cluster with secure boot and encryption enabled should succeed.

Steps To Reproduce

  1. From Home, click "Download Installation Media".
  2. Select Options: ISO (amd64).
  3. Click Secure Boot.
  4. Download and attempt to use image.

What browsers are you seeing the problem on?

No response

Anything else?

No response

baughj avatar May 08 '25 14:05 baughj

I had the same issue with the following:

  • ISO (arm64)
  • Hetzner Cloud (arm64)

For Hetzner it seems to be able to install, but then it is unable to do upgrades. I am not certain why, as I did not debug it much. But it works flawlessly when I am not using SecureBoot.

I did check the config, and in all cases it seems the secure boot install image is not set, so that is probably related.

devantler avatar May 09 '25 08:05 devantler

I've tried with Talos 1.10.5, Omni 0.52 and Proxmox. Seems to work fine. Which Talos version did you use there?

Do you still see the issue?

Unix4ever avatar Jul 14 '25 15:07 Unix4ever

I do not remember, but I can test it again sometime this week.

devantler avatar Jul 14 '25 16:07 devantler

Omni Backend Version: v0.52.0

Step 1 - downloaded secure boot image from UI.


Step 2 - Booted server from image in HCloud (Hetzner Cloud)


Note that server does not show as booted with secureboot enabled.

Step 3 - Add machine to a cluster as a worker


Step 4 - Success but no secure boot 😢

    install:
        disk: /dev/sda
        extraKernelArgs:
            - security=apparmor
        image: factory.talos.dev/hcloud-installer/7bf49ebf9beb07507834374ecaedd2a262bc1c62133724f3aa60f8912f908a7c:v1.10.5
        wipe: false

So all in all, this now seems to allow images downloaded with the secureboot option to boot on Hetzner, but it also seems that secureboot is not correctly enabled.

> GitHub Link to Hetzner resources.

devantler avatar Jul 15 '25 14:07 devantler

Talos and Omni can't control the platform side of the stack (e.g. Hetzner), so how to enable SecureBoot on Hetzner machines, and whether that is even possible, stays a question for Hetzner. The SecureBoot image is signed, but configuring UEFI firmware for SecureBoot is out of reach of Talos and Omni.

Talos correctly reports the status (not securebooted): https://www.talos.dev/v1.10/talos-guides/install/bare-metal-platforms/secureboot/

smira avatar Jul 15 '25 14:07 smira

Thanks, that makes sense. I am not able to find any docs on which Hetzner servers run with UEFI, so I am left guessing which servers to test it on. I would love to help out by testing this for the community, but otherwise this issue is resolved for me.

EDIT: For anyone looking, there is a little documentation on UEFI and SecureBoot for their dedicated server offering, suggesting it is not well supported.

devantler avatar Jul 15 '25 15:07 devantler

Yeah, I had the impression that it's something specific to Hetzner.

Unix4ever avatar Jul 15 '25 17:07 Unix4ever

The default behavior of systemd-boot is to enroll keys if it's safe. You can try generating an image from the factory with the force enroll option and see if keys can be enrolled forcefully; otherwise you'd have to enroll the keys manually prior to booting.

frezbo avatar Jul 16 '25 05:07 frezbo
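Several comments above turn on what the firmware actually reports: whether the node booted under UEFI at all, whether Secure Boot is enforced, and whether the firmware is still in setup mode (no Platform Key enrolled), which is the state in which a bootloader can self-enroll keys. The following is an added example, not code from this thread, Talos or Omni. It reads those two variables the way the Linux kernel exposes them through efivarfs (a 4-byte attribute word followed by the variable data, one byte for SecureBoot and SetupMode) and classifies the result. The GUID is the standard EFI_GLOBAL_VARIABLE namespace; the sample byte strings at the bottom are constructed, not captured from a real machine.

```python
"""Classify a node's UEFI Secure Boot state from efivarfs.

Added example (not Talos/Omni code). Assumes the standard efivarfs layout:
each file under /sys/firmware/efi/efivars is 4 bytes of little-endian
variable attributes followed by the variable data; SecureBoot and SetupMode
carry a single data byte where 1 means enabled.
"""
import struct
from pathlib import Path
from typing import Optional

# EFI_GLOBAL_VARIABLE namespace GUID, which owns both SecureBoot and SetupMode.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def efivar_data(raw: bytes) -> bytes:
    """Strip the 4-byte attribute prefix efivarfs prepends to every variable."""
    if len(raw) < 4:
        raise ValueError(f"efivar too short: {len(raw)} bytes")
    (_attrs,) = struct.unpack("<I", raw[:4])  # attributes are unused here
    return raw[4:]


def efivar_flag(raw: bytes) -> bool:
    """Interpret a one-byte boolean variable such as SecureBoot or SetupMode."""
    data = efivar_data(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def classify(secure_boot_raw: Optional[bytes], setup_mode_raw: Optional[bytes]) -> dict:
    """Turn the two raw variables into the state an operator cares about.

    None for both means there is no efivarfs, i.e. the machine booted through
    legacy BIOS/CSM and cannot be in Secure Boot regardless of the image.
    """
    if secure_boot_raw is None and setup_mode_raw is None:
        return {"uefi": False, "secure_boot": False, "setup_mode": False,
                "summary": "legacy BIOS boot: Secure Boot not available"}
    secure_boot = efivar_flag(secure_boot_raw) if secure_boot_raw is not None else False
    setup_mode = efivar_flag(setup_mode_raw) if setup_mode_raw is not None else False
    if secure_boot:
        summary = "Secure Boot enforced: only signed images will boot"
    elif setup_mode:
        summary = "UEFI setup mode: no PK enrolled, bootloader may enroll keys on first boot"
    else:
        summary = "UEFI user mode, Secure Boot off: signed image boots but is not verified"
    return {"uefi": True, "secure_boot": secure_boot, "setup_mode": setup_mode,
            "summary": summary}


def secure_boot_state(efivars_dir: Path = EFIVARS_DIR) -> dict:
    """Read the live state from efivarfs (requires a Linux host booted via UEFI)."""
    def read(name: str) -> Optional[bytes]:
        path = efivars_dir / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
        return path.read_bytes() if path.is_file() else None
    return classify(read("SecureBoot"), read("SetupMode"))


# Constructed sample values: attribute word 0x00000006 (BS|RT) plus one data byte.
SAMPLE_SECURE_BOOT_ON = bytes([0x06, 0, 0, 0, 1])
SAMPLE_SECURE_BOOT_OFF = bytes([0x06, 0, 0, 0, 0])
SAMPLE_SETUP_MODE_ON = bytes([0x06, 0, 0, 0, 1])
SAMPLE_SETUP_MODE_OFF = bytes([0x06, 0, 0, 0, 0])

if __name__ == "__main__":
    # Offline demonstration on the constructed samples, then the live host if it has efivarfs.
    print(classify(SAMPLE_SECURE_BOOT_OFF, SAMPLE_SETUP_MODE_ON)["summary"])
    if EFIVARS_DIR.is_dir():
        print(secure_boot_state()["summary"])
```

Run on a node and compare the summary with what the Omni UI and Talos report; on a host where `/sys/firmware/efi` is missing, the machine was booted through legacy BIOS and no image choice will change that. The "setup mode" branch is the case frezbo describes, where key enrollment by the bootloader is possible; "user mode, Secure Boot off" matches the Hetzner screenshots above, where the signed image boots but nothing verifies it.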