image: allow toggling secure boot in image upload

2024-09-19 15:56:03 +00:00 · 2023-09-18 12:17:04 +02:00 · 2023-09-18 12:17:04 +02:00 · 3543fe140e
commit 3543fe140e
parent c6ea596eb9
9 changed files with 74 additions and 41 deletions
--- a/image/upload/internal/cmd/aws.go
+++ b/image/upload/internal/cmd/aws.go
@ -83,20 +83,24 @@ func runAWS(cmd *cobra.Command, _ []string) error {
 		out = outF
 	}

-	sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
-	if err != nil {
-		return err
-	}
-
 	uploadReq := &osimage.UploadRequest{
 		Provider:           flags.provider,
 		Version:            flags.version,
 		AttestationVariant: flags.attestationVariant,
-		SBDatabase:         sbDatabase,
-		UEFIVarStore:       uefiVarStore,
+		SecureBoot:         flags.secureBoot,
 		Size:               size,
 		Timestamp:          flags.timestamp,
 		Image:              file,
 	}
+
+	if flags.secureBoot {
+		sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
+		if err != nil {
+			return err
+		}
+		uploadReq.SBDatabase = sbDatabase
+		uploadReq.UEFIVarStore = uefiVarStore
+	}
+
 	return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
 }
--- a/image/upload/internal/cmd/azure.go
+++ b/image/upload/internal/cmd/azure.go
@ -84,20 +84,24 @@ func runAzure(cmd *cobra.Command, _ []string) error {
 		out = outF
 	}

-	sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
-	if err != nil {
-		return err
-	}
-
 	uploadReq := &osimage.UploadRequest{
 		Provider:           flags.provider,
 		Version:            flags.version,
 		AttestationVariant: flags.attestationVariant,
-		SBDatabase:         sbDatabase,
-		UEFIVarStore:       uefiVarStore,
+		SecureBoot:         flags.secureBoot,
 		Size:               size,
 		Timestamp:          flags.timestamp,
 		Image:              file,
 	}
+
+	if flags.secureBoot {
+		sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
+		if err != nil {
+			return err
+		}
+		uploadReq.SBDatabase = sbDatabase
+		uploadReq.UEFIVarStore = uefiVarStore
+	}
+
 	return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
 }
--- a/image/upload/internal/cmd/flags.go
+++ b/image/upload/internal/cmd/flags.go
@ -23,6 +23,7 @@ type commonFlags struct {
 	pki                string
 	provider           cloudprovider.Provider
 	attestationVariant string
+	secureBoot         bool
 	version            versionsapi.Version
 	timestamp          time.Time
 	region             string
@ -49,6 +50,10 @@ func parseCommonFlags(cmd *cobra.Command) (commonFlags, error) {
 	if err != nil {
 		return commonFlags{}, err
 	}
+	secureBoot, err := cmd.Flags().GetBool("secure-boot")
+	if err != nil {
+		return commonFlags{}, err
+	}
 	version, err := cmd.Flags().GetString("version")
 	if err != nil {
 		return commonFlags{}, err
@ -97,6 +102,7 @@ func parseCommonFlags(cmd *cobra.Command) (commonFlags, error) {
 		rawImage:           rawImage,
 		pki:                pki,
 		attestationVariant: attestationVariant,
+		secureBoot:         secureBoot,
 		version:            ver,
 		timestamp:          timestmp,
 		region:             region,
--- a/image/upload/internal/cmd/gcp.go
+++ b/image/upload/internal/cmd/gcp.go
@ -84,20 +84,24 @@ func runGCP(cmd *cobra.Command, _ []string) error {
 		out = outF
 	}

-	sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
-	if err != nil {
-		return err
-	}
-
 	uploadReq := &osimage.UploadRequest{
 		Provider:           flags.provider,
 		Version:            flags.version,
 		AttestationVariant: flags.attestationVariant,
-		SBDatabase:         sbDatabase,
-		UEFIVarStore:       uefiVarStore,
+		SecureBoot:         flags.secureBoot,
 		Size:               size,
 		Timestamp:          flags.timestamp,
 		Image:              file,
 	}
+
+	if flags.secureBoot {
+		sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
+		if err != nil {
+			return err
+		}
+		uploadReq.SBDatabase = sbDatabase
+		uploadReq.UEFIVarStore = uefiVarStore
+	}
+
 	return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
 }
--- a/image/upload/internal/cmd/image.go
+++ b/image/upload/internal/cmd/image.go
@ -25,6 +25,7 @@ func NewImageCmd() *cobra.Command {
 	cmd.SetOut(os.Stdout)

 	cmd.PersistentFlags().String("raw-image", "", "Path to os image in CSP specific format that should be uploaded.")
+	cmd.PersistentFlags().Bool("secure-boot", false, "Enables secure boot support.")
 	cmd.PersistentFlags().String("pki", "", "Base path to the PKI (secure boot signing) files.")
 	cmd.PersistentFlags().String("attestation-variant", "", "Attestation variant of the image being uploaded.")
 	cmd.PersistentFlags().String("version", "", "Shortname of the os image version.")
--- a/image/upload/internal/cmd/nop.go
+++ b/image/upload/internal/cmd/nop.go
@ -67,20 +67,24 @@ func runNOP(cmd *cobra.Command, provider cloudprovider.Provider, _ []string) err
 		out = outF
 	}

-	sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
-	if err != nil {
-		return err
-	}
-
 	uploadReq := &osimage.UploadRequest{
 		Provider:           flags.provider,
 		Version:            flags.version,
 		AttestationVariant: flags.attestationVariant,
-		SBDatabase:         sbDatabase,
-		UEFIVarStore:       uefiVarStore,
+		SecureBoot:         flags.secureBoot,
 		Size:               size,
 		Timestamp:          flags.timestamp,
 		Image:              file,
 	}
+
+	if flags.secureBoot {
+		sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
+		if err != nil {
+			return err
+		}
+		uploadReq.SBDatabase = sbDatabase
+		uploadReq.UEFIVarStore = uefiVarStore
+	}
+
 	return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
 }
--- a/internal/osimage/aws/awsupload.go
+++ b/internal/osimage/aws/awsupload.go
@ -110,7 +110,7 @@ func (u *Uploader) Upload(ctx context.Context, req *osimage.UploadRequest) ([]ve
 	if err != nil {
 		return nil, fmt.Errorf("importing snapshot: %w", err)
 	}
-	primaryAMIID, err := u.createImageFromSnapshot(ctx, req.Version, imageName, snapshotID, req.UEFIVarStore)
+	primaryAMIID, err := u.createImageFromSnapshot(ctx, req.Version, imageName, snapshotID, req.SecureBoot, req.UEFIVarStore)
 	if err != nil {
 		return nil, fmt.Errorf("creating image from snapshot: %w", err)
 	}
@ -297,16 +297,21 @@ func (u *Uploader) ensureSnapshotDeleted(ctx context.Context, snapshotName, regi
 	return nil
 }

-func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versionsapi.Version, imageName, snapshotID string, uefiVarStore secureboot.UEFIVarStore) (string, error) {
+func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versionsapi.Version, imageName, snapshotID string, enableSecureBoot bool, uefiVarStore secureboot.UEFIVarStore) (string, error) {
 	u.log.Debugf("Creating image %s in %s", imageName, u.region)
 	ec2C, err := u.ec2(ctx, u.region)
 	if err != nil {
 		return "", fmt.Errorf("creating ec2 client: %w", err)
 	}
-	uefiData, err := uefiVarStore.ToAWS()
-	if err != nil {
-		return "", fmt.Errorf("creating uefi data: %w", err)
+	var uefiData *string
+	if enableSecureBoot {
+		awsUEFIData, err := uefiVarStore.ToAWS()
+		if err != nil {
+			return "", fmt.Errorf("creating uefi data: %w", err)
+		}
+		uefiData = toPtr(awsUEFIData)
 	}
+
 	createReq, err := ec2C.RegisterImage(ctx, &ec2.RegisterImageInput{
 		Name:         &imageName,
 		Architecture: ec2types.ArchitectureValuesX8664,
@ -324,7 +329,7 @@ func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versions
 		EnaSupport:         toPtr(true),
 		RootDeviceName:     toPtr("/dev/xvda"),
 		TpmSupport:         ec2types.TpmSupportValuesV20,
-		UefiData:           &uefiData,
+		UefiData:           uefiData,
 		VirtualizationType: toPtr("hvm"),
 	})
 	if err != nil {
--- a/internal/osimage/gcp/gcpupload.go
+++ b/internal/osimage/gcp/gcpupload.go
@ -82,7 +82,7 @@ func (u *Uploader) Upload(ctx context.Context, req *osimage.UploadRequest) ([]ve
 			u.log.Errorf("post-cleaning: deleting blob: %v", err)
 		}
 	}()
-	imageRef, err := u.createImage(ctx, req.Version, imageName, blobName, req.SBDatabase)
+	imageRef, err := u.createImage(ctx, req.Version, imageName, blobName, req.SecureBoot, req.SBDatabase)
 	if err != nil {
 		return nil, fmt.Errorf("creating image: %w", err)
 	}
@ -134,10 +134,18 @@ func (u *Uploader) ensureBlobDeleted(ctx context.Context, blobName string) error
 	return u.bucket.Object(blobName).Delete(ctx)
 }

-func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version, imageName, blobName string, sbDatabase secureboot.Database) (string, error) {
+func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version, imageName, blobName string, enableSecureBoot bool, sbDatabase secureboot.Database) (string, error) {
 	u.log.Debugf("Creating image %s", imageName)
 	blobURL := u.blobURL(blobName)
 	family := u.imageFamily(version)
+	var initialState *computepb.InitialStateConfig
+	if enableSecureBoot {
+		initialState = &computepb.InitialStateConfig{
+			Pk:   pk(&sbDatabase),
+			Keks: keks(&sbDatabase),
+			Dbs:  dbs(&sbDatabase),
+		}
+	}
 	req := computepb.InsertImageRequest{
 		ImageResource: &computepb.Image{
 			Name: &imageName,
@ -154,11 +162,7 @@ func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version,
 				{Type: toPtr("VIRTIO_SCSI_MULTIQUEUE")},
 				{Type: toPtr("UEFI_COMPATIBLE")},
 			},
-			ShieldedInstanceInitialState: &computepb.InitialStateConfig{
-				Pk:   pk(&sbDatabase),
-				Keks: keks(&sbDatabase),
-				Dbs:  dbs(&sbDatabase),
-			},
+			ShieldedInstanceInitialState: initialState,
 		},
 		Project: u.project,
 	}
--- a/internal/osimage/osimage.go
+++ b/internal/osimage/osimage.go
@ -21,6 +21,7 @@ type UploadRequest struct {
 	Provider           cloudprovider.Provider
 	Version            versionsapi.Version
 	AttestationVariant string
+	SecureBoot         bool
 	SBDatabase         secureboot.Database
 	UEFIVarStore       secureboot.UEFIVarStore
 	Size               int64