# Support Secure Boot on Flatcar
This document tracks the effort to support Secure Boot on Flatcar.
Tracking issue: https://github.com/flatcar/Flatcar/issues/630
Tasks
-----
- [x] A. Update GRUB to 2.06
The GRUB shipped with Flatcar Container Linux is at version 2.02, maintained in the flatcar/grub repository with custom patches for A/B partitioning, TPM and Secure Boot support. The idea is to drop the patches that are no longer required, move the remaining patches into coreos-overlay and apply them on top of the upstream GRUB sources. This would allow the flatcar/grub repository to be dropped.
* PR: https://github.com/flatcar/Flatcar/issues/630
* Merged on Aug 25, 2023
* Available in Alpha 3717.0.0 since Sep 6, 2023 https://www.flatcar.org/releases#release-3760.2.0
* Available in Stable since Jan 18, 2024 https://www.flatcar.org/releases#release-3760.2.0
- [x] B. Update Ignition & Afterburn
Flatcar uses Ignition and maintains a copy forked from CoreOS Container Linux. The supported spec version is v2. Upstream Ignition introduced the backward-incompatible Ignition v3.
To progress with this issue, we need to support Ignition v3 along with the latest Afterburn release.
Issue: https://github.com/flatcar/Flatcar/issues/387
* Ignition v3 support in addition to v1, v2 is available from Alpha 3185.0.0, Stable 3227.2.0
* Afterburn 5.2.0 support is available in Alpha 3227.0.0, Stable 3227.2.0
- [ ] C. Update SHIM
  - [x] Update SHIM
  - [x] Update EDK2 OVMF
  - [x] Investigate SBAT
  - [ ] Integrate SHIM in aarch64 build
To enable Secure Boot, a key piece is to upgrade shim. shim is currently at a version from 2015 and, like GRUB, is maintained in a separate repository, flatcar/shim. We need to update shim to the current latest version, shim 15.x.
This also requires updating the dependent packages edk2-aarch64, mokutil etc. For shim to successfully load GRUB, GRUB must be installed with a Secure Boot Advanced Targeting (SBAT) section embedded in the EFI file. Thus this requires the GRUB update and looking into the SBAT scheme.
* PR: https://github.com/flatcar/scripts/pull/1589
* Merged on Feb 26th
* Available in Alpha 3913.0.0 since Mar 20
* Yet to be promoted to Stable
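One concrete check a release pipeline can run for the SBAT requirement described above: parse the built EFI binary's PE section table and confirm it carries an `.sbat` section that opens with the `sbat` header row. This is an added example for this document, not Flatcar code; the PE images and SBAT rows are constructed fixtures (`build_pe`, `SBAT_CSV`, `GOOD_IMAGE` and `BAD_IMAGE` are assumed names), and on a real build you would pass the bytes of the GRUB EFI file to `check_sbat`.

```python
"""Check that an EFI PE/COFF binary carries the .sbat section shim requires.
Added example, not Flatcar project code; the PE images and SBAT rows below
are constructed in-memory fixtures, not real GRUB builds."""
import struct


def read_sbat(pe: bytes):
    """Return the SBAT CSV rows of a PE image, or None if it has no .sbat section.
    Header walk: e_lfanew at 0x3c -> "PE\\0\\0" -> COFF header (NumberOfSections
    at +6, SizeOfOptionalHeader at +20) -> section table, 40 bytes per entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    nsections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    for i in range(nsections):
        entry = table + 40 * i
        name = pe[entry:entry + 8].rstrip(b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, entry + 8)
        if name == b".sbat":
            text = pe[rawptr:rawptr + min(vsize or rawsize, rawsize)].rstrip(b"\0")
            return [row.split(",") for row in text.decode("ascii").splitlines() if row]
    return None


def check_sbat(pe: bytes) -> bool:
    """True when .sbat exists, opens with the 'sbat' header row and lists a component."""
    rows = read_sbat(pe)
    return bool(rows) and rows[0][0] == "sbat" and len(rows) > 1


def build_pe(sections):
    """Constructed fixture: minimal PE/COFF image from [(name, payload)] pairs.
    Only the header fields read_sbat() parses carry meaningful values."""
    pe_off, opt_size = 0x40, 0
    data_start = pe_off + 24 + opt_size + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0)
    body = b""
    for name, payload in sections:
        hdr += name.ljust(8, b"\0") + struct.pack(  # 40-byte section header
            "<IIIIIIHHI", len(payload), 0, len(payload), data_start + len(body), 0, 0, 0, 0, 0x40000040)
        body += payload
    return bytes(hdr) + body


# Constructed SBAT rows (generation numbers and URLs are illustrative only)
SBAT_CSV = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
            b"grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n")
GOOD_IMAGE = build_pe([(b".text", b"\x90" * 16), (b".sbat", SBAT_CSV)])
BAD_IMAGE = build_pe([(b".text", b"\x90" * 16)])  # no .sbat: shim would refuse it
```

Run `check_sbat(open("grubx64.efi", "rb").read())` against a real build to get the same pass/fail answer shim's SBAT check would give at boot for the section's presence (shim additionally compares the generation numbers against its revocation list).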
- [ ] Support testing of the Secure Boot Images on cloud providers
  - [ ] Enable Secure Boot Testing in Mantle
  - [ ] Enable Secure Boot tests in CI
    - [ ] QEMU_UEFI
    - [ ] Azure
    - [ ] AWS
    - [ ] Openstack
Flatcar's automated release and testing is highly dependent on CI. Thus, to test Secure Boot images, we need to enable CI tests and add tests for the same to Mantle.
- [x] Disk Encryption / LUKS Support
  - [x] Add/Enable Clevis
  - [x] Add/Enable tpm2-tools
* PR https://github.com/flatcar/scripts/pull/1560
* Merged on March 14th
* Available in Alpha 3913.0.0 since Mar 20
* Yet to be promoted to Stable
- [ ] Signing Infrastructure
  - [ ] Update PCR Policy build infrastructure
For Secure Boot, we need a signing infrastructure with appropriate keys, integrated into the release process.
- [ ] Submit Shim for review
  - https://github.com/rhboot/shim-review
  - https://github.com/rhboot/shim-review/blob/main/docs/submitting.md
  - https://techcommunity.microsoft.com/t5/hardware-dev-center/updated-uefi-signing-requirements/ba-p/1062916