From fefb26f63b3d3596a7283a606aaf81caea5a4244 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Mon, 2 Nov 2020 09:28:18 +0100
Subject: [PATCH] Support testing secure boot
Change-Id: Iea5cc9849a3e63a3419f896b780fc384b3c99751
---
 .../bifrost-create-vm-nodes/defaults/main.yml | 31 ++++++++++++++++++-
 .../tasks/prepare_libvirt.yml | 22 ++++++-------
 .../notes/secure-boot-07d1503cd034f9d3.yaml | 6 ++++
 3 files changed, 45 insertions(+), 14 deletions(-)
 create mode 100644 releasenotes/notes/secure-boot-07d1503cd034f9d3.yaml
diff --git a/playbooks/roles/bifrost-create-vm-nodes/defaults/main.yml b/playbooks/roles/bifrost-create-vm-nodes/defaults/main.yml
index e294fd75f..4297f4c51 100644
--- a/playbooks/roles/bifrost-create-vm-nodes/defaults/main.yml
+++ b/playbooks/roles/bifrost-create-vm-nodes/defaults/main.yml
@@ -2,7 +2,6 @@
 # defaults file for bifrost-create-vm-nodes
 baremetal_json_file: '/tmp/baremetal.json'
 baremetal_nodes_json: '/tmp/nodes.json'
-default_boot_mode: ''
 test_vm_memory_size: "3072"
 test_vm_num_nodes: 1
 test_vm_domain_type: "qemu"
@@ -35,6 +34,12 @@ test_vm_logdir: "/var/log/libvirt/baremetal_logs"
 # NOTE(pas-ha) next two are generic values for most OSes, overridden by distro-specifc vars
 test_vm_emulator: "/usr/bin/qemu-system-x86_64"
 test_vm_machine: "q35"
+# Forces machines to use secure boot. Only compatible with virtual media,
+# requires using a real ramdisk (not tinyIPA) matching the host distribution,
+# as well as a real instance image (not cirros).
+test_vm_secure_boot: false
+default_boot_mode: "{{ 'uefi' if test_vm_secure_boot | bool else '' }}"
+
 # NOTE(pas-ha) not really tested with non-local qemu connections
 test_vm_libvirt_uri: "{{ lookup('env', 'LIBVIRT_CONNECT_URI') | default('qemu:///system', true) }}"
 # Settings related to installing bifrost in a virtual environment
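Review bot: The new `default_boot_mode` default in the second hunk is a Jinja expression, so it yields `uefi` only while nobody overrides the variable; an inventory or `-e` value such as `bios` combined with `test_vm_secure_boot: true` wins at this layer and is caught only later by the new check in prepare_libvirt.yml. The comment above `test_vm_secure_boot` should state that coupling, e.g. `# When enabled, default_boot_mode defaults to 'uefi'; overriding it with any other value makes the role fail in prepare_libvirt.yml.` The same comment lists virtual media, a signed non-tinyIPA ramdisk and a real instance image as prerequisites, but nothing in this change validates them, so that sentence is currently the only guard and should be kept accurate as the feature evolves.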
@@ -56,3 +61,27 @@ force_update_repos: true
 # Conditional variables utilized based on CI or manual testing options.
 copy_from_local_path: false
 
+
+# NOTE(dtantsur): secure boot capable firmware goes second because some systems
+# (e.g. Ubuntu) provide it but refuse to boot. However, CentOS provides only
+# secure boot capable firmware, and it works for both secure und normal boot.
+efi_loader_locations_normal:
+ - /usr/share/edk2/ovmf/OVMF_CODE.fd
+ - /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd
+ - /usr/share/OVMF/OVMF_CODE.fd
+ - /usr/share/OVMF/OVMF_CODE.secboot.fd
+ - /usr/share/qemu/ovmf-x86_64-code.bin
+efi_loader_locations_secboot:
+ - /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd
+ - /usr/share/OVMF/OVMF_CODE.secboot.fd
+efi_loader_locations: >-
+ {{ efi_loader_locations_secboot if test_vm_secure_boot | bool else efi_loader_locations_normal }}
+efi_nvram_locations_normal:
+ - /usr/share/edk2/ovmf/OVMF_VARS.fd
+ - /usr/share/OVMF/OVMF_VARS.fd
+ - /usr/share/qemu/ovmf-x86_64-vars.bin
+efi_nvram_locations_secboot:
+ - /usr/share/edk2/ovmf/OVMF_VARS.secboot.fd
+ - /usr/share/OVMF/OVMF_VARS.secboot.fd
+efi_nvram_locations: >-
+ {{ efi_nvram_locations_secboot if test_vm_secure_boot | bool else efi_nvram_locations_normal }}
diff --git a/playbooks/roles/bifrost-create-vm-nodes/tasks/prepare_libvirt.yml b/playbooks/roles/bifrost-create-vm-nodes/tasks/prepare_libvirt.yml
index 355834777..e990269f9 100644
--- a/playbooks/roles/bifrost-create-vm-nodes/tasks/prepare_libvirt.yml
+++ b/playbooks/roles/bifrost-create-vm-nodes/tasks/prepare_libvirt.yml
@@ -15,6 +15,13 @@
 # Setup libvirt - ensure network and storage pool are defined and active,
 # prepare dir for vm logs
 ---
+- name: fail if secure boot is requested without UEFI
+ fail:
+ msg: Secure boot support requires default_boot_mode set to "uefi"
+ when:
+ - default_boot_mode != 'uefi'
+ - test_vm_secure_boot | bool
+
 - name: install libvirt-python, gunicorn and lxml
 include_role:
 name: bifrost-pip-install
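Review bot: `efi_nvram_locations_secboot` selects the distro's `OVMF_VARS.secboot.fd` as the NVRAM template, but whether that variable store ships with a PK/KEK/db already enrolled is distribution-specific; a store without enrolled keys boots in setup mode, where Secure Boot enforces nothing and the test would pass without ever verifying a signed kernel. The NOTE comment above these lists should record that assumption, e.g. `# The secboot NVRAM templates are assumed to ship with keys pre-enrolled; an empty store boots in setup mode and enforces no signatures.` The same caveat applies to the `find OVMF NVRAM` task in prepare_libvirt.yml that consumes `efi_nvram_locations`. On Ubuntu the pre-enrolled store is, as far as I know, named `OVMF_VARS.ms.fd` rather than `OVMF_VARS.secboot.fd`, so the secboot list may need that entry once the Ubuntu firmware issue mentioned in the comment is resolved.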
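Review bot: The new `fail` task in prepare_libvirt.yml guards only `default_boot_mode`, while the other prerequisites documented next to `test_vm_secure_boot` in defaults/main.yml (virtual media, a signed non-tinyIPA ramdisk, a real instance image) are checked nowhere, so a misconfigured run still fails late and obscurely; the task name or `msg` should at least point the reader at those. As a matter of style, `fail` plus a two-item `when` list reads inverted compared with the `assert` module, e.g. `assert:` / `that: not (test_vm_secure_boot | bool) or default_boot_mode == 'uefi'` with the current text as `fail_msg`. The `msg` value is a plain scalar with embedded double quotes, which parses here only because they are not at the start of the value; wrapping the whole message in single quotes is the safer YAML form.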
@@ -212,18 +219,10 @@
 become: true
 register: redfish_emulator_service_file
 
-# NOTE(dtantsur): secure boot capable firmware goes second because some systems
-# (e.g. Ubuntu) provide it but refuse to boot. However, CentOS provides only
-# secure boot capable firmware, and it works for both secure und normal boot.
 - name: find OVMF firmware
 set_fact:
 efi_loader_path: "{{ item }}"
- with_first_found:
- - /usr/share/edk2/ovmf/OVMF_CODE.fd
- - /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd
- - /usr/share/OVMF/OVMF_CODE.fd
- - /usr/share/OVMF/OVMF_CODE.secboot.fd
- - /usr/share/qemu/ovmf-x86_64-code.bin
+ with_first_found: "{{ efi_loader_locations }}"
 ignore_errors: true
 when: efi_loader_path is undefined
 
@@ -240,10 +239,7 @@
 - name: find OVMF NVRAM
 set_fact:
 efi_nvram_path: "{{ item }}"
- with_first_found:
- - /usr/share/edk2/ovmf/OVMF_VARS.fd
- - /usr/share/OVMF/OVMF_VARS.fd
- - /usr/share/qemu/ovmf-x86_64-vars.bin
+ with_first_found: "{{ efi_nvram_locations }}"
 when: default_boot_mode == 'uefi'
 
 - name: write Redfish Emulator configuration file
diff --git a/releasenotes/notes/secure-boot-07d1503cd034f9d3.yaml b/releasenotes/notes/secure-boot-07d1503cd034f9d3.yaml
new file mode 100644
index 000000000..41ff06183
--- /dev/null
+++ b/releasenotes/notes/secure-boot-07d1503cd034f9d3.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds support for testing bifrost with UEFI secure boot enabled in VMs.
+ Requires an IPA ramdisk with kernel signed by a key recognized by GRUB2
+ on the host machine.
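Review bot: With `ignore_errors: true` kept on `find OVMF firmware`, a host that has none of the `efi_loader_locations_secboot` files leaves `efi_loader_path` undefined and the play carries on, so a secure-boot run on such a host either fails later with an unrelated error or, if the VM definition further down tolerates a missing loader, boots without secure boot while the job still reports success; how `efi_loader_path is undefined` is handled after this hunk is not visible here. An explicit check right after this task, conditioned on `test_vm_secure_boot`, makes that failure mode obvious instead of silent. The `first_found` lookup also supports `files:` with `skip: true`, which would let `ignore_errors` go and keep genuine lookup errors visible.
```yaml
# … unchanged: find OVMF firmware task …
- name: fail if secure boot was requested but no secure boot capable firmware was found
  fail:
    msg: Secure boot requested but none of the efi_loader_locations_secboot files exist on this host
  when:
    - test_vm_secure_boot | bool
    - efi_loader_path is undefined
```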