diff --git a/image/upload/internal/cmd/aws.go b/image/upload/internal/cmd/aws.go
index 7adfc9ece..b2c4f0058 100644
--- a/image/upload/internal/cmd/aws.go
+++ b/image/upload/internal/cmd/aws.go
@@ -83,20 +83,24 @@ func runAWS(cmd *cobra.Command, _ []string) error {
 out = outF
 }
- sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
- if err != nil {
- return err
- }
-
 uploadReq := &osimage.UploadRequest{
 Provider: flags.provider,
 Version: flags.version,
 AttestationVariant: flags.attestationVariant,
- SBDatabase: sbDatabase,
- UEFIVarStore: uefiVarStore,
+ SecureBoot: flags.secureBoot,
 Size: size,
 Timestamp: flags.timestamp,
 Image: file,
 }
+
+ if flags.secureBoot {
+ sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
+ if err != nil {
+ return err
+ }
+ uploadReq.SBDatabase = sbDatabase
+ uploadReq.UEFIVarStore = uefiVarStore
+ }
+
 return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
 }
diff --git a/image/upload/internal/cmd/azure.go b/image/upload/internal/cmd/azure.go
index a34f26f33..18491bd07 100644
--- a/image/upload/internal/cmd/azure.go
+++ b/image/upload/internal/cmd/azure.go
@@ -84,20 +84,24 @@ func runAzure(cmd *cobra.Command, _ []string) error {
 out = outF
 }
- sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
- if err != nil {
- return err
- }
-
 uploadReq := &osimage.UploadRequest{
 Provider: flags.provider,
 Version: flags.version,
 AttestationVariant: flags.attestationVariant,
- SBDatabase: sbDatabase,
- UEFIVarStore: uefiVarStore,
+ SecureBoot: flags.secureBoot,
 Size: size,
 Timestamp: flags.timestamp,
 Image: file,
 }
+
+ if flags.secureBoot {
+ sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
+ if err != nil {
+ return err
+ }
+ uploadReq.SBDatabase = sbDatabase
+ uploadReq.UEFIVarStore = uefiVarStore
+ }
+
 return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
 }
diff --git a/image/upload/internal/cmd/flags.go b/image/upload/internal/cmd/flags.go
index 4b066d5b7..b0cf85f6d 100644
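Review bot: With `--secure-boot` off, the new `if flags.secureBoot` block leaves `uploadReq.SBDatabase` and `uploadReq.UEFIVarStore` at their zero values, so every consumer of `UploadRequest` must now gate on `req.SecureBoot` rather than on the presence of those fields. The AWS and GCP uploaders in this diff do; no Azure uploader change is included, so it is worth confirming that nothing else reads them unconditionally. The same block is repeated verbatim in azure.go, gcp.go and nop.go; a comment above it such as `// Secure boot keys are loaded only on request; without --secure-boot the image is uploaded with no SB database or UEFI var store.` would make the opt-in visible at each call site, or the four copies could move into one helper on commonFlags. runAWS begins before this hunk.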
--- a/image/upload/internal/cmd/flags.go
+++ b/image/upload/internal/cmd/flags.go
@@ -23,6 +23,7 @@ type commonFlags struct {
 pki string
 provider cloudprovider.Provider
 attestationVariant string
+ secureBoot bool
 version versionsapi.Version
 timestamp time.Time
 region string
@@ -49,6 +50,10 @@ func parseCommonFlags(cmd *cobra.Command) (commonFlags, error) {
 if err != nil {
 return commonFlags{}, err
 }
+ secureBoot, err := cmd.Flags().GetBool("secure-boot")
+ if err != nil {
+ return commonFlags{}, err
+ }
 version, err := cmd.Flags().GetString("version")
 if err != nil {
 return commonFlags{}, err
@@ -97,6 +102,7 @@ func parseCommonFlags(cmd *cobra.Command) (commonFlags, error) {
 rawImage: rawImage,
 pki: pki,
 attestationVariant: attestationVariant,
+ secureBoot: secureBoot,
 version: ver,
 timestamp: timestmp,
 region: region,
diff --git a/image/upload/internal/cmd/gcp.go b/image/upload/internal/cmd/gcp.go
index 7973636f4..a4dc139f8 100644
--- a/image/upload/internal/cmd/gcp.go
+++ b/image/upload/internal/cmd/gcp.go
@@ -84,20 +84,24 @@ func runGCP(cmd *cobra.Command, _ []string) error {
 out = outF
 }
- sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
- if err != nil {
- return err
- }
-
 uploadReq := &osimage.UploadRequest{
 Provider: flags.provider,
 Version: flags.version,
 AttestationVariant: flags.attestationVariant,
- SBDatabase: sbDatabase,
- UEFIVarStore: uefiVarStore,
+ SecureBoot: flags.secureBoot,
 Size: size,
 Timestamp: flags.timestamp,
 Image: file,
 }
+
+ if flags.secureBoot {
+ sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
+ if err != nil {
+ return err
+ }
+ uploadReq.SBDatabase = sbDatabase
+ uploadReq.UEFIVarStore = uefiVarStore
+ }
+
 return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
 }
diff --git a/image/upload/internal/cmd/image.go b/image/upload/internal/cmd/image.go
index 323bef7e2..0f4e94e4c 100644
--- a/image/upload/internal/cmd/image.go
+++ b/image/upload/internal/cmd/image.go
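Review bot: parseCommonFlags now reads `secure-boot` but never checks it against `pki`, so a `--pki` path passed without `--secure-boot` is silently ignored and a build that previously always enrolled its keys can produce an image without them and without any error. A guard after the new GetBool, placed after wherever `pki` is read in this function, such as `if !secureBoot && pki != "" { return commonFlags{}, errors.New("--pki given without --secure-boot") }` (errors may need importing) makes the mismatch fail loudly; whether an empty `--pki` together with `--secure-boot` is rejected by loadSecureBootKeys is not visible here and deserves the same treatment. The struct-literal hunk below then needs no change. parseCommonFlags begins before this hunk.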
@@ -25,6 +25,7 @@ func NewImageCmd() *cobra.Command {
 cmd.SetOut(os.Stdout)
 cmd.PersistentFlags().String("raw-image", "", "Path to os image in CSP specific format that should be uploaded.")
+ cmd.PersistentFlags().Bool("secure-boot", false, "Enables secure boot support.")
 cmd.PersistentFlags().String("pki", "", "Base path to the PKI (secure boot signing) files.")
 cmd.PersistentFlags().String("attestation-variant", "", "Attestation variant of the image being uploaded.")
 cmd.PersistentFlags().String("version", "", "Shortname of the os image version.")
diff --git a/image/upload/internal/cmd/nop.go b/image/upload/internal/cmd/nop.go
index 3d75c4f4f..f6da987ba 100644
--- a/image/upload/internal/cmd/nop.go
+++ b/image/upload/internal/cmd/nop.go
@@ -67,20 +67,24 @@ func runNOP(cmd *cobra.Command, provider cloudprovider.Provider, _ []string) err
 out = outF
 }
- sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
- if err != nil {
- return err
- }
-
 uploadReq := &osimage.UploadRequest{
 Provider: flags.provider,
 Version: flags.version,
 AttestationVariant: flags.attestationVariant,
- SBDatabase: sbDatabase,
- UEFIVarStore: uefiVarStore,
+ SecureBoot: flags.secureBoot,
 Size: size,
 Timestamp: flags.timestamp,
 Image: file,
 }
+
+ if flags.secureBoot {
+ sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
+ if err != nil {
+ return err
+ }
+ uploadReq.SBDatabase = sbDatabase
+ uploadReq.UEFIVarStore = uefiVarStore
+ }
+
 return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
 }
diff --git a/internal/osimage/aws/awsupload.go b/internal/osimage/aws/awsupload.go
index 407a5ac40..d5d097f47 100644
--- a/internal/osimage/aws/awsupload.go
+++ b/internal/osimage/aws/awsupload.go
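Review bot: Defaulting `secure-boot` to `false` turns key enrollment from always-on into opt-in for every provider, and the help string does not say what is skipped; since `--pki` is described right below as the secure boot signing files, the two flags should reference each other, e.g. `cmd.PersistentFlags().Bool("secure-boot", false, "Embed the secure boot keys from --pki into the image; without it the image is uploaded with no SB database or UEFI var store.")`. If the previous always-on behaviour is what release pipelines rely on, a `true` default with an explicit opt-out would be the safer migration. NewImageCmd continues outside this hunk.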
@@ -110,7 +110,7 @@ func (u *Uploader) Upload(ctx context.Context, req *osimage.UploadRequest) ([]ve
 if err != nil {
 return nil, fmt.Errorf("importing snapshot: %w", err)
 }
- primaryAMIID, err := u.createImageFromSnapshot(ctx, req.Version, imageName, snapshotID, req.UEFIVarStore)
+ primaryAMIID, err := u.createImageFromSnapshot(ctx, req.Version, imageName, snapshotID, req.SecureBoot, req.UEFIVarStore)
 if err != nil {
 return nil, fmt.Errorf("creating image from snapshot: %w", err)
 }
@@ -297,16 +297,21 @@ func (u *Uploader) ensureSnapshotDeleted(ctx context.Context, snapshotName, regi
 return nil
 }
-func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versionsapi.Version, imageName, snapshotID string, uefiVarStore secureboot.UEFIVarStore) (string, error) {
+func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versionsapi.Version, imageName, snapshotID string, enableSecureBoot bool, uefiVarStore secureboot.UEFIVarStore) (string, error) {
 u.log.Debugf("Creating image %s in %s", imageName, u.region)
 ec2C, err := u.ec2(ctx, u.region)
 if err != nil {
 return "", fmt.Errorf("creating ec2 client: %w", err)
 }
- uefiData, err := uefiVarStore.ToAWS()
- if err != nil {
- return "", fmt.Errorf("creating uefi data: %w", err)
+ var uefiData *string
+ if enableSecureBoot {
+ awsUEFIData, err := uefiVarStore.ToAWS()
+ if err != nil {
+ return "", fmt.Errorf("creating uefi data: %w", err)
+ }
+ uefiData = toPtr(awsUEFIData)
 }
+
 createReq, err := ec2C.RegisterImage(ctx, &ec2.RegisterImageInput{
 Name: &imageName,
 Architecture: ec2types.ArchitectureValuesX8664,
@@ -324,7 +329,7 @@ func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versions
 EnaSupport: toPtr(true),
 RootDeviceName: toPtr("/dev/xvda"),
 TpmSupport: ec2types.TpmSupportValuesV20,
- UefiData: &uefiData,
+ UefiData: uefiData,
 VirtualizationType: toPtr("hvm"),
 })
 if err != nil {
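Review bot: When `enableSecureBoot` is false, `RegisterImage` is now called with `UefiData` nil while `TpmSupport` stays at v2.0, so the AMI is registered with no UEFI variable store and, as far as I know from the AWS API, Secure Boot is then not enabled on instances launched from it; that consequence is worth stating at the `var uefiData *string` line, e.g. `// nil UefiData: no PK/KEK/db is enrolled, so the AMI is registered with Secure Boot disabled.`. The `uefiVarStore` parameter is still passed and ignored in that case, which the function's doc comment should mention so callers do not assume an empty store is rejected. createImageFromSnapshot continues past the last hunk.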
diff --git a/internal/osimage/gcp/gcpupload.go b/internal/osimage/gcp/gcpupload.go
index 2950fe74b..873814b9d 100644
--- a/internal/osimage/gcp/gcpupload.go
+++ b/internal/osimage/gcp/gcpupload.go
@@ -82,7 +82,7 @@ func (u *Uploader) Upload(ctx context.Context, req *osimage.UploadRequest) ([]ve
 u.log.Errorf("post-cleaning: deleting blob: %v", err)
 }
 }()
- imageRef, err := u.createImage(ctx, req.Version, imageName, blobName, req.SBDatabase)
+ imageRef, err := u.createImage(ctx, req.Version, imageName, blobName, req.SecureBoot, req.SBDatabase)
 if err != nil {
 return nil, fmt.Errorf("creating image: %w", err)
 }
@@ -134,10 +134,18 @@ func (u *Uploader) ensureBlobDeleted(ctx context.Context, blobName string) error
 return u.bucket.Object(blobName).Delete(ctx)
 }
-func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version, imageName, blobName string, sbDatabase secureboot.Database) (string, error) {
+func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version, imageName, blobName string, enableSecureBoot bool, sbDatabase secureboot.Database) (string, error) {
 u.log.Debugf("Creating image %s", imageName)
 blobURL := u.blobURL(blobName)
 family := u.imageFamily(version)
+ var initialState *computepb.InitialStateConfig
+ if enableSecureBoot {
+ initialState = &computepb.InitialStateConfig{
+ Pk: pk(&sbDatabase),
+ Keks: keks(&sbDatabase),
+ Dbs: dbs(&sbDatabase),
+ }
+ }
 req := computepb.InsertImageRequest{
 ImageResource: &computepb.Image{
 Name: &imageName,
@@ -154,11 +162,7 @@ func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version,
 {Type: toPtr("VIRTIO_SCSI_MULTIQUEUE")},
 {Type: toPtr("UEFI_COMPATIBLE")},
 },
- ShieldedInstanceInitialState: &computepb.InitialStateConfig{
- Pk: pk(&sbDatabase),
- Keks: keks(&sbDatabase),
- Dbs: dbs(&sbDatabase),
- },
+ ShieldedInstanceInitialState: initialState,
 },
 Project: u.project,
 }
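Review bot: A nil `ShieldedInstanceInitialState` means the image ships no custom PK/KEK/db while it still advertises `UEFI_COMPATIBLE`; as far as I know Compute Engine then falls back to its default key set, so an image whose boot chain is signed only with the `--pki` keys would fail verification if Secure Boot is turned on at the instance level. That trade-off belongs in a comment at the `var initialState` line, e.g. `// nil initial state: no custom secure boot keys are enrolled; the platform default key set applies.`. The `if enableSecureBoot` construction could also be pulled into a small helper beside pk/keks/dbs so createImage reads top to bottom, but that is style only. createImage continues outside these hunks.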
diff --git a/internal/osimage/osimage.go b/internal/osimage/osimage.go
index 780df2320..a7f61b672 100644
--- a/internal/osimage/osimage.go
+++ b/internal/osimage/osimage.go
@@ -21,6 +21,7 @@ type UploadRequest struct {
 Provider cloudprovider.Provider
 Version versionsapi.Version
 AttestationVariant string
+ SecureBoot bool
 SBDatabase secureboot.Database
 UEFIVarStore secureboot.UEFIVarStore
 Size int64
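Review bot: The new `SecureBoot` field has no doc comment, yet its contract — `SBDatabase` and `UEFIVarStore` are only populated by the cmd layer and only consulted by the AWS and GCP uploaders when it is true — is exactly what the next uploader implementer needs to know. Suggest `// SecureBoot selects whether SBDatabase and UEFIVarStore are set and embedded into the image; when false both are zero values and must be ignored.` above the field. UploadRequest continues outside this hunk.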