Open pnpavlov opened 2 months ago
Azure Secure Boot and Trusted Boot features are summarized as Trusted Launch features. They include Secure Boot, TPMv2 support and Integrity Monitoring, similar to AWS and GCP. Trusted boot is supported for certain Operating Systems (see below) from the Azure Marketplace, but also as Azure Gallery images and VHDs.
In Azure it is currently not possible to use Trusted Launch for non-supported operating systems, as it is with AWS and GCP using custom signed images. Only some operating systems like Debian, SUSE, RedHat and Ubuntu are supported with Trusted Launch features. The images of these OSes are signed using the Microsoft 3rd party CA certificates.
Furthermore only Generation 2 VMs are supported.
From 08/22/2024 there is a preview feature "Secure Boot UEFI keys" available that allows kernel drivers / modules to be signed with custom private keys. This feature allows injecting custom UEFI keys into the vTPM and thus allows checking the validity of kernel modules during boot time. However, this feature can't be used to enable secure boot for non-Microsoft-signed OSes like GL, nor is this supported, nor does it seem to work technically.
This feature has some limitations:
Leave GL secure boot / trusted boot disabled for GL. Pros:
Ask Microsoft to provide support for custom signed GL images. Pros:
Agree with Microsoft to sign GL images with Microsoft 3rd party CA certificates. Pros:
Research and document in this issue how secureboot on GCP can be enabled.
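Whichever option is chosen, the claim that Trusted Launch (or a GCP Shielded VM) actually booted with Secure Boot enforcing and a TPM 2.0 device present should be verified from inside the guest rather than trusted from the portal. The script below is an added example, not part of this issue or of any vendor tooling: it reads the `SecureBoot` and `SetupMode` UEFI variables through efivarfs (the same data `mokutil --sb-state` reports) and the TPM version from sysfs. The function names (`secure_boot_state`, `tpm_version`, `make_fake_root`) are hypothetical; the sysfs paths and the EFI global variable GUID are the real ones. `make_fake_root` only builds a constructed sysfs tree so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the issue): verify from inside a Linux guest that
# UEFI Secure Boot is enforcing and a TPM 2.0 device is exposed.
# An optional root prefix lets the same functions run against a
# constructed tree for offline testing (see make_fake_root).

# GUID of the EFI global variable namespace (SecureBoot-<GUID>, SetupMode-<GUID>).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the first data byte of an efivar as a decimal number.
# efivarfs files carry a 4-byte attribute header before the variable data,
# so skip 4 bytes and read 1. Fails (status 1) if the variable is missing.
efivar_byte() {
    f="$1/sys/firmware/efi/efivars/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# Print one of: enabled, disabled, setup, no-efi.
# Returns 0 only for "enabled": SecureBoot=1 and SetupMode=0.
# SetupMode=1 means the firmware has no PK enrolled, so nothing is enforced
# even if SecureBoot reads 1; treat it as not secure.
secure_boot_state() {
    root="${1:-}"
    sb=$(efivar_byte "$root" SecureBoot) || { echo no-efi; return 1; }
    sm=$(efivar_byte "$root" SetupMode) || sm=0
    if [ "$sm" = 1 ]; then echo setup; return 1; fi
    if [ "$sb" = 1 ]; then echo enabled; return 0; fi
    echo disabled
    return 1
}

# Print the TPM major version (2 for a TPM 2.0 / vTPM) or "none".
tpm_version() {
    root="${1:-}"
    f="$root/sys/class/tpm/tpm0/tpm_version_major"
    [ -r "$f" ] && cat "$f" || echo none
}

# Build a constructed sysfs tree (testing only) under $1 with
# SecureBoot=$2, SetupMode=$3 and TPM major version $4 ("none" = no TPM).
# Each efivar is written as attribute header 07 00 00 00 + one data byte.
make_fake_root() {
    d="$1"; sb="$2"; sm="$3"; tpm="$4"
    v="$d/sys/firmware/efi/efivars"
    mkdir -p "$v" "$d/sys/class/tpm/tpm0"
    printf "\\007\\000\\000\\000\\00${sb}" > "$v/SecureBoot-$EFI_GLOBAL_GUID"
    printf "\\007\\000\\000\\000\\00${sm}" > "$v/SetupMode-$EFI_GLOBAL_GUID"
    [ "$tpm" = none ] || printf '%s\n' "$tpm" > "$d/sys/class/tpm/tpm0/tpm_version_major"
}

# Run against the live system only when asked, so the functions above can
# also be sourced without side effects:  sh sbcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    state=$(secure_boot_state "") || true
    echo "secure boot: $state"
    echo "tpm version: $(tpm_version "")"
    [ "$state" = enabled ] && [ "$(tpm_version "")" = 2 ]
fi
```

On an Azure Trusted Launch VM created with `az vm create --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true`, or a GCP Shielded VM created with `gcloud compute instances create ... --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring`, the expected result is `enabled` / `2`; `setup` or `disabled` with the portal showing Secure Boot on is exactly the mismatch worth raising. For the GCP research item, the custom-key path is `gcloud compute images create` with `--platform-key-file`, `--key-exchange-key-file` and `--signature-database-file` (flags as I recall them; confirm against the current gcloud reference before relying on them).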