coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

Support Secure Boot in GCP #346

Open cgwalters opened 4 years ago

cgwalters commented 4 years ago

In https://github.com/coreos/mantle/pull/1060 I enabled the flag for SB, but it fails on startup.

Playing around in an Ubuntu image flagged with SB, I notice this:

root@walters-ubuntu-sb-test5:~# ls -al /boot/efi/EFI/Google/gsetup/
total 4
drwxr-xr-x 5 root root  512 Nov 13 04:36 .
drwxr-xr-x 3 root root  512 Nov 13 04:36 ..
drwxr-xr-x 2 root root  512 Nov 13 04:36 KEK
drwxr-xr-x 2 root root  512 Nov 13 04:36 PK
-rwxr-xr-x 1 root root   22 Nov 13 04:36 boot
drwxr-xr-x 2 root root 1024 Nov 13 04:36 db
root@walters-ubuntu-sb-test5:~# 

Which doesn't seem owned by any package.

cgwalters commented 4 years ago

And the only other OS that I see flagged in GCP as SB capable is their "container optimized" OS, e.g. cos-stable-79-12607-80-0.

One thing that confused me is that /boot/efi looked mostly clean, but in fact the ESP isn't mounted there by default. Doing mount /dev/sda12 /boot/efi, I see the same Google/GSetup stuff there.

cgwalters commented 4 years ago

So I could try extracting these binaries/keys and add them to FCOS on GCP, but I'd really like to know their provenance and rationale for existence.

cgwalters commented 4 years ago

I pointed @mjg59 at this thread a while back and we had a private email discussion about it; the gist of it is he said the requirement for those binaries is probably a bug, but we haven't continued since.

zmarano commented 4 years ago

Hi all, we have removed the need for gsetup and it is officially deprecated. As long as you are using the shim signed by the standard Microsoft key, Secure Boot should work if enabled.