Trusted (Secure Boot) PoC
Implement a PoC of Trusted Boot using QEMU + Secure Boot UEFI firmware. We can cut corners; the idea is to discover the path towards the solution.
See https://0pointer.de/blog/brave-new-trusted-boot-world.html
Time box: 1 week
### Tasks
- [ ] https://github.com/siderolabs/talos/issues/7266
- [ ] https://github.com/siderolabs/talos/issues/7470
- [x] move UKI generation to imager
- [ ] https://github.com/siderolabs/talos/issues/7514
- [ ] https://github.com/siderolabs/talos/issues/7258
- [ ] #7256
- [ ] https://github.com/siderolabs/talos/issues/7257
- [ ] https://github.com/siderolabs/talos/issues/7259
- [ ] https://github.com/siderolabs/talos/issues/7260
- [ ] https://github.com/siderolabs/talos/issues/7274
- [ ] https://github.com/siderolabs/talos/issues/7276
- [ ] https://github.com/siderolabs/talos/issues/7261
- [ ] https://github.com/siderolabs/talos/issues/7267
- [ ] https://github.com/siderolabs/talos/issues/7272
- [ ] https://github.com/siderolabs/talos/issues/7273
- [ ] https://github.com/siderolabs/talos/issues/7275
- [ ] #7324
- [ ] https://github.com/siderolabs/talos/issues/7373
- [ ] https://github.com/siderolabs/talos/issues/7383
- [ ] https://github.com/siderolabs/talos/issues/7412
- [ ] https://github.com/siderolabs/talos/issues/7742
Bonus point: TPM-based disk encryption
> Bonus point: TPM-based disk encryption

I'm sure you're already aware of this, but systemd-cryptenroll is typically the way this is done on desktops. Not sure if it applies here, but I hope the reference is helpful at least.
> > Bonus point: TPM-based disk encryption
>
> I'm sure you're already aware of this, but systemd-cryptenroll is typically the way this is done on desktops. Not sure if it applies here, but I hope the reference is helpful at least.

This has been implemented similarly to systemd-cryptenroll, just in Talos itself (we didn't want to bring in another binary and related toolchain).