Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EFI & Secure Boot #155

Merged
merged 2 commits into from
Nov 7, 2024
Merged

EFI & Secure Boot #155

merged 2 commits into from
Nov 7, 2024

Conversation

nofaralfasi
Copy link
Contributor

@nofaralfasi nofaralfasi commented Jul 22, 2024

EFI and Secure Boot support for Libvirt.

Required for: theforeman/foreman#10321

@nofaralfasi
Copy link
Contributor Author

I encountered an issue with the changes in this PR. For VMs not created by Foreman (either manually or by another tool), the firmware type is not always set, making it unclear what the firmware type is.
This affects the display of the correct firmware for these hosts in Foreman.

Copy link
Contributor

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please look at my os_loader implementation around https://github.com/fog/fog-libvirt/pull/134/files#r1686901783. I'm not sure why @stejskalleos dropped the os_loader, but from reading https://libvirt.org/kbase/secureboot.html and seeing libvirt 8.0.0 is in EL8 then I suspect you can't use EL8 libvirt & secureboot this way.

Technically we an probe for the version (look for libversion in the code). It would be nice to throw a clean error if we detect too old versions like EL7 hypervisors.

tests/libvirt/models/compute/server_tests.rb Outdated Show resolved Hide resolved
lib/fog/libvirt/requests/compute/list_domains.rb Outdated Show resolved Hide resolved
@nofaralfasi
Copy link
Contributor Author

Please look at my os_loader implementation around https://github.com/fog/fog-libvirt/pull/134/files#r1686901783. I'm not sure why @stejskalleos dropped the os_loader, but from reading https://libvirt.org/kbase/secureboot.html and seeing libvirt 8.0.0 is in EL8 then I suspect you can't use EL8 libvirt & secureboot this way.

You are right; their documentation can be confusing. I was reading from https://libvirt.org/formatdomain.html#bios-bootloader:
Attribute secure can be used to tell the hypervisor that the firmware is capable of Secure Boot feature. It cannot be used to enable or disable the feature itself in the firmware.

But I guess that's not true for older versions.

@ekohl
Copy link
Contributor

ekohl commented Jul 23, 2024

I agree it's often confusing. I'd recommend setting up an EL8 hypervisor (Foreman can connect to libvirt using SSH) and try it out. Often the best way

.select { |feature| feature[:enabled] == 'yes' }
.map { |feature| feature[:name] }

required_features = ['secure-boot', 'enrolled-keys']
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK you don't need enrolled-keys for secure-boot. That's just the default set of keys, but users can define their own keys and sign their own kernels.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to their documentation, enrolled-keys are needed for SB. Is it necessary to also provide an option for the user to add their own keys?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://libvirt.org/kbase/secureboot.html#additional-information says that without enrolled-keys it allows running unsigned code, but I wonder if that's really true. This last bit clarifies with how I think it's supposed to work:

The main difference between using a build of EDKII that has Secure Boot support but without keys enrolled and one that doesn't have Secure Boot support at all is that, with the former, you could enroll your own keys and securely run an operating system that you've built and signed yourself. If you are only planning to run existing, off-the-shelf operating system images, then the two configurations are functionally equivalent.

So the idea is that enrolled-keys contains the default keys, but if you don't have or want those you can enroll your own keys.

lib/fog/libvirt/requests/compute/list_domains.rb Outdated Show resolved Hide resolved
@nofaralfasi
Copy link
Contributor Author

I have another idea on how to implement this. Moving it to WIP until it's ready.

Co-authored-by: Ewoud Kohl van Wijngaarden <[email protected]>
@nofaralfasi nofaralfasi force-pushed the sb_libvirt branch 2 times, most recently from 5a05cd7 to 1f88090 Compare September 8, 2024 14:31
@nofaralfasi nofaralfasi marked this pull request as ready for review September 8, 2024 14:33
@nofaralfasi nofaralfasi changed the title [WIP] EFI & Secure Boot EFI & Secure Boot Sep 8, 2024
@nofaralfasi nofaralfasi force-pushed the sb_libvirt branch 2 times, most recently from 534c382 to ba8b95c Compare September 15, 2024 09:11
Copy link
Contributor

@stejskalleos stejskalleos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🍏 LGTM

Tested together with theforeman/foreman#10321, BIOS, UEFI & Secure Boot works fine.

attribute :firmware
attribute :firmware_features
attribute :secure_boot
attribute :loader
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to myself:
The loader element points to a specific boot binary (BIOS/UEFI), while firmware refers to the type or particular features used to configure or load the guest VM.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think those could be good comments around the attributes.

To me loader implies it's singular, but when I look at the code I see it's a list, so should it be

Suggested change
attribute :loader
attribute :loaders

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The loader is not a list, it's a single tag with multiple attributes.

Copy link
Contributor Author

@nofaralfasi nofaralfasi Nov 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And since we're using the same terminology as Libvirt, I believe there's no need to define "firmware" or "loader" as they should already be familiar to users. See https://libvirt.org/formatdomain.html#bios-bootloader.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But in the code I see it's iterated over which made me think it was a list.

loader&.each do |key, value|
  xml.loader(key => value)
end

Technically I guess it's a hash, but loader still made me expect a string.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a hash, e.g., loader: { "secure" => "yes" }.

@stejskalleos
Copy link
Contributor

@ekohl, can we get this so the theforeman/foreman#10321 can be included in the next Foreman's release?

@stejskalleos
Copy link
Contributor

@ekohl @nofaralfasi, any progress here? Can we merge? It's blocking our other work, which is waiting for this.

Copy link
Contributor

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this looks good to me. Some minor implementation notes

- Renamed firmware-related attributes to align with VMware conventions.
- Added the `loader` attribute to determine if SB is enabled.
@ekohl
Copy link
Contributor

ekohl commented Nov 7, 2024

I'm merging both commits for proper attribution.

@ekohl ekohl merged commit 273feae into fog:master Nov 7, 2024
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants