image: allow toggling secure boot in image upload

This commit is contained in:
Malte Poll 2023-09-18 12:17:04 +02:00 committed by Malte Poll
parent c6ea596eb9
commit 3543fe140e
9 changed files with 74 additions and 41 deletions


@ -83,20 +83,24 @@ func runAWS(cmd *cobra.Command, _ []string) error {
out = outF
}
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
if err != nil {
return err
}
uploadReq := &osimage.UploadRequest{
Provider: flags.provider,
Version: flags.version,
AttestationVariant: flags.attestationVariant,
SBDatabase: sbDatabase,
UEFIVarStore: uefiVarStore,
SecureBoot: flags.secureBoot,
Size: size,
Timestamp: flags.timestamp,
Image: file,
}
if flags.secureBoot {
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
if err != nil {
return err
}
uploadReq.SBDatabase = sbDatabase
uploadReq.UEFIVarStore = uefiVarStore
}
return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
}
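Review bot: The `if flags.secureBoot { … }` block that loads the PKI and then patches `uploadReq.SBDatabase` and `uploadReq.UEFIVarStore` is repeated verbatim here in runAWS and again in runAzure, runGCP and runNOP in this commit, so the rule "keys stay zero-valued unless secure boot is requested" now lives in four places and any later tightening of it has to be made four times. A small helper next to loadSecureBootKeys that takes the request and the common flags keeps each run function down to one call and gives the gating a single home and a single comment. runAWS starts outside the hunk, and I am assuming the per-provider flag structs embed commonFlags so `flags.secureBoot` and `flags.pki` are reachable from such a helper; adjust the argument if they are plain fields instead.
```go
	uploadReq := &osimage.UploadRequest{
		// … unchanged: Provider, Version, AttestationVariant, SecureBoot, Size, Timestamp, Image …
	}
	if err := loadSecureBootKeysInto(uploadReq, flags.commonFlags); err != nil {
		return err
	}
	return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
}

// loadSecureBootKeysInto fills the secure boot fields of req from the PKI at
// flags.pki. It is a no-op when secure boot was not requested, so the key
// fields stay zero-valued and the uploaders can gate on req.SecureBoot alone.
func loadSecureBootKeysInto(req *osimage.UploadRequest, flags commonFlags) error {
	if !flags.secureBoot {
		return nil
	}
	sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
	if err != nil {
		return err
	}
	req.SBDatabase = sbDatabase
	req.UEFIVarStore = uefiVarStore
	return nil
}
```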


@ -84,20 +84,24 @@ func runAzure(cmd *cobra.Command, _ []string) error {
out = outF
}
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
if err != nil {
return err
}
uploadReq := &osimage.UploadRequest{
Provider: flags.provider,
Version: flags.version,
AttestationVariant: flags.attestationVariant,
SBDatabase: sbDatabase,
UEFIVarStore: uefiVarStore,
SecureBoot: flags.secureBoot,
Size: size,
Timestamp: flags.timestamp,
Image: file,
}
if flags.secureBoot {
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
if err != nil {
return err
}
uploadReq.SBDatabase = sbDatabase
uploadReq.UEFIVarStore = uefiVarStore
}
return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
}
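Review bot: runAzure now sets `SecureBoot: flags.secureBoot` and leaves `SBDatabase` and `UEFIVarStore` at their zero values when the flag is off, but none of the nine files in this commit is the Azure uploader, so whatever consumes those fields on the Azure side has not been taught to gate on `req.SecureBoot` the way the AWS and GCP uploaders now do. If that code reads `req.SBDatabase` or `req.UEFIVarStore` unconditionally, it will now embed empty key material instead of skipping the secure boot setup; if it never reads them, a one-line comment here saying that the Azure path does not consume the secure boot keys would save the next reader the same check. runAzure starts outside the hunk.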


@ -23,6 +23,7 @@ type commonFlags struct {
pki string
provider cloudprovider.Provider
attestationVariant string
secureBoot bool
version versionsapi.Version
timestamp time.Time
region string
@ -49,6 +50,10 @@ func parseCommonFlags(cmd *cobra.Command) (commonFlags, error) {
if err != nil {
return commonFlags{}, err
}
secureBoot, err := cmd.Flags().GetBool("secure-boot")
if err != nil {
return commonFlags{}, err
}
version, err := cmd.Flags().GetString("version")
if err != nil {
return commonFlags{}, err
@ -97,6 +102,7 @@ func parseCommonFlags(cmd *cobra.Command) (commonFlags, error) {
rawImage: rawImage,
pki: pki,
attestationVariant: attestationVariant,
secureBoot: secureBoot,
version: ver,
timestamp: timestmp,
region: region,
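Review bot: parseCommonFlags accepts `--pki` without `--secure-boot` and `--secure-boot` without `--pki` without complaint: in the first case the supplied PKI is silently ignored and the image is uploaded without secure boot keys, in the second the missing path only surfaces later from loadSecureBootKeys. A check right after the new GetBool call, `if secureBoot && pki == "" { return commonFlags{}, errors.New("--secure-boot requires --pki") }`, plus the mirror check rejecting `--pki` when secure boot is off, turns both into an immediate usage error; use errors.New or fmt.Errorf, whichever the file already imports. parseCommonFlags continues outside the hunk, and I am assuming `pki` is the local parsed from the `--pki` flag in the part not shown, as the `pki: pki` field assignment suggests.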


@ -84,20 +84,24 @@ func runGCP(cmd *cobra.Command, _ []string) error {
out = outF
}
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
if err != nil {
return err
}
uploadReq := &osimage.UploadRequest{
Provider: flags.provider,
Version: flags.version,
AttestationVariant: flags.attestationVariant,
SBDatabase: sbDatabase,
UEFIVarStore: uefiVarStore,
SecureBoot: flags.secureBoot,
Size: size,
Timestamp: flags.timestamp,
Image: file,
}
if flags.secureBoot {
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
if err != nil {
return err
}
uploadReq.SBDatabase = sbDatabase
uploadReq.UEFIVarStore = uefiVarStore
}
return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
}


@ -25,6 +25,7 @@ func NewImageCmd() *cobra.Command {
cmd.SetOut(os.Stdout)
cmd.PersistentFlags().String("raw-image", "", "Path to os image in CSP specific format that should be uploaded.")
cmd.PersistentFlags().Bool("secure-boot", false, "Enables secure boot support.")
cmd.PersistentFlags().String("pki", "", "Base path to the PKI (secure boot signing) files.")
cmd.PersistentFlags().String("attestation-variant", "", "Attestation variant of the image being uploaded.")
cmd.PersistentFlags().String("version", "", "Shortname of the os image version.")
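Review bot: The help text `"Enables secure boot support."` does not tell the operator that this flag is what decides whether the material under `--pki` is embedded at all, so the two flags read as independent even though the run functions only load the PKI when this one is set. Suggest `cmd.PersistentFlags().Bool("secure-boot", false, "Enable secure boot support by embedding the signing keys from --pki into the image.")`, and the `--pki` description on the next line could likewise say that it is only read when --secure-boot is set. NewImageCmd continues outside the hunk.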


@ -67,20 +67,24 @@ func runNOP(cmd *cobra.Command, provider cloudprovider.Provider, _ []string) err
out = outF
}
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
if err != nil {
return err
}
uploadReq := &osimage.UploadRequest{
Provider: flags.provider,
Version: flags.version,
AttestationVariant: flags.attestationVariant,
SBDatabase: sbDatabase,
UEFIVarStore: uefiVarStore,
SecureBoot: flags.secureBoot,
Size: size,
Timestamp: flags.timestamp,
Image: file,
}
if flags.secureBoot {
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
if err != nil {
return err
}
uploadReq.SBDatabase = sbDatabase
uploadReq.UEFIVarStore = uefiVarStore
}
return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
}


@ -110,7 +110,7 @@ func (u *Uploader) Upload(ctx context.Context, req *osimage.UploadRequest) ([]ve
if err != nil {
return nil, fmt.Errorf("importing snapshot: %w", err)
}
primaryAMIID, err := u.createImageFromSnapshot(ctx, req.Version, imageName, snapshotID, req.UEFIVarStore)
primaryAMIID, err := u.createImageFromSnapshot(ctx, req.Version, imageName, snapshotID, req.SecureBoot, req.UEFIVarStore)
if err != nil {
return nil, fmt.Errorf("creating image from snapshot: %w", err)
}
@ -297,16 +297,21 @@ func (u *Uploader) ensureSnapshotDeleted(ctx context.Context, snapshotName, regi
return nil
}
func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versionsapi.Version, imageName, snapshotID string, uefiVarStore secureboot.UEFIVarStore) (string, error) {
func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versionsapi.Version, imageName, snapshotID string, enableSecureBoot bool, uefiVarStore secureboot.UEFIVarStore) (string, error) {
u.log.Debugf("Creating image %s in %s", imageName, u.region)
ec2C, err := u.ec2(ctx, u.region)
if err != nil {
return "", fmt.Errorf("creating ec2 client: %w", err)
}
uefiData, err := uefiVarStore.ToAWS()
if err != nil {
return "", fmt.Errorf("creating uefi data: %w", err)
var uefiData *string
if enableSecureBoot {
awsUEFIData, err := uefiVarStore.ToAWS()
if err != nil {
return "", fmt.Errorf("creating uefi data: %w", err)
}
uefiData = toPtr(awsUEFIData)
}
createReq, err := ec2C.RegisterImage(ctx, &ec2.RegisterImageInput{
Name: &imageName,
Architecture: ec2types.ArchitectureValuesX8664,
@ -324,7 +329,7 @@ func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versions
EnaSupport: toPtr(true),
RootDeviceName: toPtr("/dev/xvda"),
TpmSupport: ec2types.TpmSupportValuesV20,
UefiData: &uefiData,
UefiData: uefiData,
VirtualizationType: toPtr("hvm"),
})
if err != nil {
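Review bot: `createImageFromSnapshot` now takes `enableSecureBoot bool` and `uefiVarStore secureboot.UEFIVarStore` as two unrelated parameters, so a caller can pass `true` together with a zero-valued var store (which `ToAWS()` would then serialize into the image's `UefiData`) or `false` together with real keys that are silently dropped; the GCP `createImage` in this commit has the same shape with `sbDatabase`. Passing a single `uefiVarStore *secureboot.UEFIVarStore` and testing `if uefiVarStore != nil {` makes the invariant structural, with the call in `Upload` choosing nil or `&req.UEFIVarStore` based on `req.SecureBoot`. Whether a zero UEFIVarStore serializes to something AWS accepts is not something I can tell from the hunk. The function also has no doc comment; one sentence stating that `UefiData` is left unset and uefiVarStore is never read when secure boot is off would document the new behaviour. The function's body continues past the hunk.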


@ -82,7 +82,7 @@ func (u *Uploader) Upload(ctx context.Context, req *osimage.UploadRequest) ([]ve
u.log.Errorf("post-cleaning: deleting blob: %v", err)
}
}()
imageRef, err := u.createImage(ctx, req.Version, imageName, blobName, req.SBDatabase)
imageRef, err := u.createImage(ctx, req.Version, imageName, blobName, req.SecureBoot, req.SBDatabase)
if err != nil {
return nil, fmt.Errorf("creating image: %w", err)
}
@ -134,10 +134,18 @@ func (u *Uploader) ensureBlobDeleted(ctx context.Context, blobName string) error
return u.bucket.Object(blobName).Delete(ctx)
}
func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version, imageName, blobName string, sbDatabase secureboot.Database) (string, error) {
func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version, imageName, blobName string, enableSecureBoot bool, sbDatabase secureboot.Database) (string, error) {
u.log.Debugf("Creating image %s", imageName)
blobURL := u.blobURL(blobName)
family := u.imageFamily(version)
var initialState *computepb.InitialStateConfig
if enableSecureBoot {
initialState = &computepb.InitialStateConfig{
Pk: pk(&sbDatabase),
Keks: keks(&sbDatabase),
Dbs: dbs(&sbDatabase),
}
}
req := computepb.InsertImageRequest{
ImageResource: &computepb.Image{
Name: &imageName,
@ -154,11 +162,7 @@ func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version,
{Type: toPtr("VIRTIO_SCSI_MULTIQUEUE")},
{Type: toPtr("UEFI_COMPATIBLE")},
},
ShieldedInstanceInitialState: &computepb.InitialStateConfig{
Pk: pk(&sbDatabase),
Keks: keks(&sbDatabase),
Dbs: dbs(&sbDatabase),
},
ShieldedInstanceInitialState: initialState,
},
Project: u.project,
}
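Review bot: `createImage` has no doc comment, and the new `enableSecureBoot` parameter changes what the function does with `sbDatabase` without saying so: when it is false, `sbDatabase` is never read and the image is inserted with `ShieldedInstanceInitialState` nil, i.e. without the PK, KEK and db entries that were previously always set. Suggest a doc comment above the signature: `// createImage inserts the image at blobName into the project. When enableSecureBoot is false, sbDatabase is ignored and no ShieldedInstanceInitialState is set, so the image carries no custom secure boot keys.` The function's body continues past the hunk.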


@ -21,6 +21,7 @@ type UploadRequest struct {
Provider cloudprovider.Provider
Version versionsapi.Version
AttestationVariant string
SecureBoot bool
SBDatabase secureboot.Database
UEFIVarStore secureboot.UEFIVarStore
Size int64
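Review bot: The new `SecureBoot` field is the switch that decides whether `SBDatabase` and `UEFIVarStore` are used at all, but nothing on the struct says so, and the two key fields remain plain values that are present whether or not the switch is on. A field comment such as `// SecureBoot enables secure boot for the uploaded image. SBDatabase and UEFIVarStore are only read when it is true.` records the contract the AWS and GCP uploaders now rely on. The UploadRequest struct continues past the hunk.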