Back

@KekunPlazas Great! Thanks!

@siosm @KekunPlazas unless I'm mistaken, @EndlessOS has always supported secure boot (it’s required for our optional PAYG stuff), and is the original OSTree-based distro. I don’t know the specifics but I’m sure @wjt could nerd out about it more than I can.

@cassidy @siosm @EndlessOS @wjt Unless I'm mistaken Linux distros typically support SecureBoot… up to a certain point. We typically supported the first steps of the chain of trust, allowing to run on SecureBoot systems, but not the last ones. Frankly, I barely understand any of this as I never studied it in depth. I should have added "Confidence of a white guy who knows nothing about a topic but will nonetheless talk about it" as a content warning.

@KekunPlazas @cassidy @EndlessOS @wjt The difficult part is to have a Secure Boot signed UKI. Most distributions have a Secure Boot signed kernel only, leaving the initramfs and kernel command line unsigned.

It's easier right now to set up a system with S.B. signed UKI with disk images and systemd tools compared to ostree or bootable containers.

We are working on making it easier for bootable containers.

@siosm @KekunPlazas @cassidy on regular Endless OS, I'm pretty sure the initramfs is signed as well as the kernel (though I could be wrong) though they're not a UKI and kernel command line parameters are accepted. On our Pay As You Go edition we use a UKI, I think since before that acronym was invented, with a big EFI blob containing kernel & initramfs which is booted from sd-boot which is signed by our own CA (which the firmware is configured to require). Both are ostree systems.

@wjt @KekunPlazas @cassidy Interesting! I wasn't aware! Can you link me (when you have some time) to the code? Thanks!

@siosm @KekunPlazas @cassidy The UKI is built in our ostree builder which for historical & time reasons is closed-source. But the command fits in a toot so I'll reply with that... We then send it to an internal signing service. We don't have any measurement or signing of the root filesystem.

@siosm

vmlinuz_match=(vmlinuz*)
vmlinuz_file=${vmlinuz_match[0]}
KVER=${vmlinuz_match#vmlinuz-}

dracut /usr/lib/modules/${KVER}/payg-image.efi ${KVER} \
-k /usr/lib/modules/${KVER} --uefi \
--uefi-stub=/usr/lib/systemd/boot/efi/linuxx64.efi.stub \
--kernel-image=${vmlinuz_file} \
--kernel-cmdline "eospayg efi_no_storage_paranoia rd.shell=0" \
--force-drivers "endlessdog" \
--add "eos-payg eos-payg-nonfree"

@siosm The other weird thing we have is a patch for ostree (and possibly sd-boot? can't remember) to fake symlinks with text files on the FAT ESP, which we could probably replace now that the Linux FAT implementation supports atomically swapping two directories. I don't think there's anything else particularly magic.

@swick @KekunPlazas In theory yes, but in practice it generally does not matter as you will always open another untrusted (dm-crypt protected) filesystem at some point that could compromise your kernel. This is explicitly addressed in the talk I linked.