I will also add that there a number of security concerns that are currently suboptimal with current diskless operating mode that I would think to be more severe than the scenarios that SecureBoot can mitigate. Security of deployment in general is a matter of significant design and limitations.
There's OS integrity assurance (SecureBoot validates that 'a' valid kernel runs, but generally stops at all the userspace, so a malicious /etc/shadow cannot be protected by secureboot, for example). For diskful install the solution we wanted to make easier would be disk encryption with the encryption keys sealed to appropriate TPM PCRs. Stateless has a bit more of a challenge on that front. HTTPS boot with pre-provisioned certs should reasonably mitigate this (the UEFI cert database does not generally include any CA except the ones specifically installed by the operator), but all non-HTTPS boot mechanisms would have to be disabled for this mitigation to have meaning. Node authentication is another. For diskful, the act of installing is intended to be a point where things might be relaxed a bit one time and then node identity persisted through disk contents and shut down node authentication apart from that credential. For stateless, the design was to have a system seal it's credential to its TPM and have the cluster manager allow retrieval of a sealed copy. In this scenario, it would be more bound than sealed, since PCRs would not be in a particularly consistent state. From: Jarrod Johnson Sent: Friday, August 16, 2019 2:48 PM To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net> Subject: RE: [xcat-user] EXTERNAL: Re: [External] diskless booting with secure boot Another question is whether this would also be in conjunction with UEFI implementations that implement HTTPBOOT. Specifically, the ability to boot a disk image as a payload. In that particular formulation, then kernel/initramfs boot would be assembled identical to the way it would reside on a usb key for secure boot. Then we would have the HTTP *and* HTTPS transport support withoun xNBA. There's importance and urgency. If Urgent, the fastest path may be to enable tftp transfer of grub and http boot of kernel/initrd, though that precludes https boot for now. If less urgent, then I would be interested on the thoughts of going with the disk image approach mentioned above. We find this appealing as it enables HTTPS and also presents a great deal of consistency between booting a usb stick, a virtual media payload, and network boot, but it requires modern UEFI firmware to pull it off. A downside is it means a whole 'disk image' per set of unique boot arguments. In our confluent design, we were looking to mitigate this through getting all the parameters off of the kernel command line and reassembling the information within the initramfs (e.g. SPCR for console= replacement, our 'copernicus' concept for replacing 'xcatd=' and any node name/network parameter injection that tends to be unique per node. We would lose the persistence of the mac that pxe booted from early stage to OS, but Copernicus at least reestablishes that identity through a parallel interrogation rather than a sequential one as system firmware performs. As an aside, https boot is possible with meaningful certificate validation, but currently the onboarding process for the certificates is tedious, though we have a strategy to at least parallelize the tedium... It may be worth a live conversation (meeting? Phone? Irc?) to discuss the options to get there and what makes most sense. From: Hannum, Keith <keith.han...@lmco.com<mailto:keith.han...@lmco.com>> Sent: Friday, August 16, 2019 2:38 PM To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net<mailto:xcat-user@lists.sourceforge.net>> Subject: Re: [xcat-user] EXTERNAL: Re: [External] diskless booting with secure boot I did some asking and it's a very strong request. What can we do to support? -Keith ____________________ Keith Hannum keith.han...@lmco.com<mailto:keith.han...@lmco.com> From: Jarrod Johnson <jjohns...@lenovo.com<mailto:jjohns...@lenovo.com>> Sent: Friday, July 26, 2019 2:51 PM To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net<mailto:xcat-user@lists.sourceforge.net>> Subject: EXTERNAL: Re: [xcat-user] [External] diskless booting with secure boot Well, there's a lot that needs to happen there, with downsides. One is that xnba loader is not going to be compatible with secureboot, so you'd have to implement an alternate boot loader, which *likely* involves more tftp. There may be hope to write a plugin that uses grub and shim and httpboot to recover much of that. Of course, iirc you aren't allowed any compiled drivers of your own accord, so GPFS and nVidia for example would not work out so well... I have had some intent to implement secureboot compatible flow, but hadn't actually had a request yet. How strong is this request. From: Hannum, Keith <keith.han...@lmco.com<mailto:keith.han...@lmco.com>> Sent: Friday, July 26, 2019 12:00 PM To: xcat-user@lists.sourceforge.net<mailto:xcat-user@lists.sourceforge.net> Subject: [External] [xcat-user] diskless booting with secure boot Does anyone have experience booting statless/diskless booting with secure boot? What needs to be done to the image?
_______________________________________________ xCAT-user mailing list xCAT-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xcat-user
