search

siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0
6.33k stars 507 forks source link

Building custom SecureBoot assets using external signer #8958

Open stereobutter opened 1 month ago

stereobutter commented 1 month ago

Feature Request

We'd like to build and sign our own secure boot assets with imager using an external signer (AWS KMS in our case).

Description

Looking at the implementation of imager it appears that using AzureVault and AWS KMS for signing secure boot assets is already implemented even though its not in the docs[^1].

If I read the code correctly I'd need a profile.yaml with something like the following (for AWS KMS)

input:
  secureboot:
    secureBootSigner: 
       awsKMSKeyID: <my-key-id>
       awsRegion: <some-aws-region>
       awsCertPath: <some-path>
    pcrSigner: 
       awsKMSKeyID: <my-key-id>
       awsRegion: <some-aws-region>
    platformKeyPath: /secureboot/PK.auth
    keyExchangeKeyPath: /secureboot/KEK.auth
    signatureKeyPath: /secureboot/db.auth

One thing I believe is missing here is that for creating PK.auth, KEK.auth and db.auth support for external signers is also needed but isn't implemented in talosctl gen secureboot database yet and only file based signing is possible at the moment. Also what is the reason for not building PK.auth, KEK.auth and db.auth inside imager?

In summary what I believe needs to happen for people to start using external signers for building secure boot assets using imager:

  1. Fix the profile.yaml from the console output in the current docs
  2. Implement external signer support for talosctl gen secureboot database
  3. Write a guide for the docs

I'd be happy to contribute both 1. and 3. BTW

[^1]: the profile.yaml shown as console output in the docs is outdated and do not reflect changes made a while ago (see https://github.com/siderolabs/talos/commit/f38eaaab87f77f33b0317d4405c84575023ee0da#diff-f1102a4b824be9c19b07c7223cf85e05e3dafc29cbf75b35d2ddae32011e5afaL78-L82)

smira commented 1 month ago

Also what is the reason for not building PK.auth, KEK.auth and db.auth inside imager?

They are built automatically actually, you don't need to pass them yourself, unless you are not happy with generated default ones.

So it should just work out of the box, but yes, docs are missing.