Fixes #36834 - Add SecureBoot support for arbitrary operating systems to "Grub2 UEFI" PXE loaders #9864

Open
wants to merge 1 commit into base: develop

Commits on Sep 19, 2024

  1. Fixes #36834 - Add SecureBoot support for arbitrary operating systems to "Grub2 UEFI" PXE loaders
    
    This feature consists of four patches, one each for foreman,
    smart-proxy, foreman-installer, and puppet-foreman_proxy.
    
    This patch adds support for individual Network Bootstrap Programs (NBP)
    in order to enable network based installations of SecureBoot enabled
    hosts for arbitrary operating systems.
    
    SecureBoot expects to follow a chain of trust from the initial boot of
    the host to the loading of Linux kernel modules. The very first shim
    that is loaded determines which distribution is allowed to be booted or
    kexec'ed until next reboot.
    
    Currently the "Grub2 UEFI SecureBoot" PXE loaders use NBPs provided by
    the vendor of the Foreman/Smart Proxy host system. All hosts receive and
    execute the same binary. On SecureBoot enabled hosts, this limits
    installations to operating systems by the vendor of the Foreman/
    Smart Proxy host system.
    
    Providing shim and GRUB2 by the vendor of the operating system to be
    installed allows Foreman to install any operating system on SecureBoot
    enabled hosts over network.
    
    To achieve this, the host's DHCP filename option is set to a shim/GRUB2
    binary in a host specific directory based on their MAC address.
    Corresponding shim and GRUB2 binaries are copied into that directory
    along with the generated GRUB2 configuration files.
    When provisioning a host, the Smart Proxy checks in a dedicated
    directory inside the TFTP root - the so called "bootloader universe" -
    if NBPs are present matching the operating system, operating system
    version, and architecture of the host to be installed. If this is the
    case, these NBPs are copied from the bootloader universe directory to
    the host specific directory. If not, as a fallback the default NBPs
    provided by the vendor of the Foreman/Smart Proxy host system are
    copied from the `:tftproot:/grub2` directory to the host specific
    directory.
    
    Up to now, shim and GRUB2 binaries have to be retrieved and set up in
    the bootloader universe directory manually according to the
    documentation. An automatic way to provide OS dependent NBPs will be
    added in future.
    
    In case there are no NBPs present in the bootloader universe matching
    the operating system, operating system version, and architecture of
    the host to be installed, the behaviour of the "Grub2 UEFI" PXE
    loaders does not change from the behavior prior to this feature.
    
    Implementation notes:
    ---------------------
    * To be future proof (e.g. to be able to provide NBPs in the bootloader
      universe for other PXE loaders without running into any filename
      conflicts) and for better structure, the PXE kind is prepended as a
      first directory level inside the bootloader universe.
    * The operating system version inside the bootloader universe consists
      of the major and minor version (if applicable) of the operating system
      separated by a dot (`.`). If no NBPs are configured for a specific
      operating system version the fallback directory `default` is used.
    * To simplify things on Foreman side in future, symlinks are used for
      the shim (boot-sb.efi) and GRUB2 (boot.efi) binaries.
    * Inside the TFTP root directory a new directory `host-config` is
      created for storing all the host specific directories.
    * Inside the TFTP root directory a new directory `bootloader-universe`
      is created for storing all the OS specific boot files.
    * For storage efficiency the shim and GRUB2 binaries from the
      bootloader universe or the `:tftproot:/grub2` directory are
      symlinked to the host specific directory.
    
    Full example:
    -------------
    [root@vm ~]# hammer host info --id 241 | grep -E "(MAC address|Operating System)"
    MAC address: 00:50:56:b4:75:5e
    Operating System: AlmaLinux 8.9
    
    [root@vm ~]# tree /var/lib/tftpboot/bootloader-universe/
    /var/lib/tftpboot/bootloader-universe/
    └── pxegrub2
        └── almalinux
            ├── 8.9
            │   └── x86_64
            │       ├── boot.efi -> grubx64.efi
            │       ├── boot-sb.efi -> shimx64.efi
            │       ├── grubx64.efi
            │       └── shimx64.efi
            └── default
                └── x86_64
                    ├── boot.efi -> grubx64.efi
                    ├── boot-sb.efi -> shimx64.efi
                    ├── grubx64.efi
                    └── shimx64.efi
    
    [root@vm ~]# hammer host update --id 241 --build true
    
    [root@vm ~]# tree /var/lib/tftpboot/host-config
    /var/lib/tftpboot/host-config
    └── 00-50-56-a3-41-a8
        └── grub2
            ├── boot.efi -> ../../../bootloader-universe/grubx64.efi
            ├── boot-sb.efi -> ../../../bootloader-universe/shimx64.efi
            ├── grub.cfg
            ├── grub.cfg-00:50:56:a3:41:a8
            ├── grub.cfg-01-00-50-56-a3-41-a8
            ├── grubx64.efi -> ../../../bootloader-universe/grubx64.efi
            ├── os_info
            └── shimx64.efi -> ../../../bootloader-universe/shimx64.efi
    
    [root@vm ~]# grep -B2 00-50-56-b4-75-5e /var/lib/dhcpd/dhcpd.leases
    hardware ethernet 00:50:56:b4:75:5e;
    fixed-address 192.168.145.84;
    supersede server.filename = "host-config/00-50-56-b4-75-5e/grub2/boot-sb.efi";
    
    [root@vm ~]# pesign -S -i /var/lib/tftpboot/host-config/00-50-56-b4-75-5e/grub2/boot-sb.efi | grep "Microsoft Windows UEFI Driver Publisher"
    The signer's common name is Microsoft Windows UEFI Driver Publisher
    Jan Löser authored and goarsna committed Sep 19, 2024
    0d81289
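
The lookup order and host-specific symlinking described in the commit message, as an added example that is not code from this pull request or from Smart Proxy. All method names are hypothetical, and the allow-list check on path components and the unconditional fallback to `grub2` are assumptions of this sketch; the sample tree is constructed.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

# Hypothetical helpers; only the directory layout comes from the commit message.
SAFE = /\A[a-z0-9][a-z0-9._-]*\z/ # rejects "", "..", and anything containing "/"

def mac_dir(mac)
  raise ArgumentError, "bad MAC #{mac.inspect}" unless mac.match?(/\A\h{2}(:\h{2}){5}\z/)
  mac.downcase.tr(':', '-')
end

# Lookup order: exact OS version, then `default`, then the host vendor's :tftproot:/grub2.
def resolve_nbp_dir(root, kind, os, version, arch)
  parts = [kind, os.downcase, version, arch]
  bad = parts.find { |p| !p.match?(SAFE) }
  raise ArgumentError, "unsafe path component #{bad.inspect}" if bad
  base = File.join(root, 'bootloader-universe', kind, os.downcase)
  hit = [version, 'default'].map { |v| File.join(base, v, arch) }
                            .find { |d| File.exist?(File.join(d, 'boot-sb.efi')) }
  hit || File.join(root, 'grub2') # assumption: fallback directory is not inspected here
end

# Symlink every file of the chosen directory into host-config/<mac>/grub2 (relative links).
def link_host_nbps(root, mac, src_dir)
  dest = File.join(root, 'host-config', mac_dir(mac), 'grub2')
  FileUtils.mkdir_p(dest)
  rel = Pathname.new(src_dir).relative_path_from(Pathname.new(dest))
  Dir.children(src_dir).sort.each do |name|
    FileUtils.ln_sf(File.join(rel.to_s, name), File.join(dest, name))
  end
  dest
end

# Constructed sample tree: almalinux has only a `default` entry, no 8.9 directory.
def build_sample_root
  root = Dir.mktmpdir('tftproot')
  dir = File.join(root, 'bootloader-universe/pxegrub2/almalinux/default/x86_64')
  FileUtils.mkdir_p([dir, File.join(root, 'grub2')])
  %w[shimx64.efi grubx64.efi].each { |f| File.write(File.join(dir, f), 'constructed') }
  FileUtils.ln_s('shimx64.efi', File.join(dir, 'boot-sb.efi'))
  FileUtils.ln_s('grubx64.efi', File.join(dir, 'boot.efi'))
  root
end

if __FILE__ == $PROGRAM_NAME
  root = build_sample_root
  src = resolve_nbp_dir(root, 'pxegrub2', 'AlmaLinux', '8.9', 'x86_64')
  puts src, Dir.children(link_host_nbps(root, '00:50:56:b4:75:5e', src)).sort
end
```

Because the chosen shim decides what the host may boot until the next reboot, the operating system name, version and architecture are validated before they are joined into a path under the TFTP root.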