Issue type: Epic
Resolution: Done
Priority: Critical
Versions: openshift-4.13, openshift-4.14, openshift-4.15
Summary: [OSD-GCP] Enable UEFISecureBoot for VMs (required by ShieldVM policy)
Category: BU Product Work
Status: To Do
Parent: OCPSTRAT-930 - Enable UEFISecureBoot for VMs (as required by ShieldVM policy) for OSD/GCP
Progress: 0% To Do, 0% In Progress, 100% Done
Background
The GCP SecureBoot feature will be provided to the user as a cluster-wide parameter to be set during cluster creation. This setting cannot change after the cluster has been created, and all nodes within the cluster will make use of this setting.
Hive Changes Needed
OpenShift Container Platform version 4.13 introduced a GCP customization for enabling Shielded VMs. Placing this configuration in the install-config.yaml ensures that the initial worker and master nodes are deployed with the secureBoot setting. However, manual testing showed that this functionality alone is not enough to satisfy the requirements for OpenShift Dedicated clusters.
OSD clusters are deployed with a set of infra nodes. These infra nodes are deployed via Hive as a machine pool resource. From the perspective of the spoke cluster, these infra nodes constitute a day-2 machineset. They are not created with the secure boot setting, because Hive currently has no way to specify this setting for its machine pools. Likewise, any day-2 machine pools that are created will be missing the secure boot setting, because their machineset configuration again comes from what is specified in the corresponding machine pool. The secureBoot setting must be consistent across all nodes. It is therefore necessary for CS to be able to tell Hive, via a property of the machine pool, that the secureBoot feature is in use.
Requirement
This epic is for enabling UEFISecureBoot for VMs (required by the ShieldVM policy) via Hive for OSD-GCP.
Day 0 we get for free via install-config.
For day 2, we need to add a knob to MachinePools.
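The consistency requirement above (every machineset in the spoke cluster, day-0 and day-2 alike, carrying the same secureBoot setting) is easy to check from the cluster side. The following is an added example, not code from this epic, Hive or Cluster Service: a small Python check over the JSON that `oc get machinesets -n openshift-machine-api -o json` returns, reporting every GCP machineset whose providerSpec does not match the expected setting. The field path `spec.template.spec.providerSpec.value.shieldedInstanceConfig.secureBoot` is the one OCP's GCP machine sets use for Shielded VM options; the machineset names and objects below are constructed sample data, built to show two installer-created worker pools with secure boot enabled next to an infra pool that never received the setting.

```python
"""Report GCP MachineSets whose secureBoot setting drifts from the expected value.

Input shape: the List object returned by
`oc get machinesets -n openshift-machine-api -o json`.
The sample objects in this file are constructed, not taken from a real cluster,
so the check runs offline.
"""
import json
import sys
from typing import Dict, List, Optional

UNSET = "Unset"  # marker for a providerSpec with no shieldedInstanceConfig at all


def make_machineset(name: str, secure_boot: Optional[str] = None) -> Dict:
    """Build a minimal GCP MachineSet object (constructed sample data)."""
    provider_value: Dict = {
        "kind": "GCPMachineProviderSpec",
        "machineType": "n2-standard-4",
    }
    if secure_boot is not None:
        # OCP GCP machine sets carry Shielded VM options under shieldedInstanceConfig.
        provider_value["shieldedInstanceConfig"] = {"secureBoot": secure_boot}
    return {
        "apiVersion": "machine.openshift.io/v1beta1",
        "kind": "MachineSet",
        "metadata": {"name": name, "namespace": "openshift-machine-api"},
        "spec": {
            "replicas": 1,
            "template": {"spec": {"providerSpec": {"value": provider_value}}},
        },
    }


# Constructed sample cluster: two day-0 worker pools from the installer (secure
# boot enabled), one infra pool created by Hive without the setting, and one
# day-2 pool where it was explicitly disabled.
SAMPLE_MACHINESETS: Dict = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        make_machineset("example-abcde-worker-a", "Enabled"),
        make_machineset("example-abcde-worker-b", "Enabled"),
        make_machineset("example-abcde-infra-a"),
        make_machineset("example-abcde-custom-b", "Disabled"),
    ],
}


def secure_boot_setting(machineset: Dict) -> Optional[str]:
    """Return the secureBoot value of a MachineSet, or None if it is not set."""
    value = (
        machineset.get("spec", {})
        .get("template", {})
        .get("spec", {})
        .get("providerSpec", {})
        .get("value", {})
    )
    shielded = value.get("shieldedInstanceConfig") or {}
    return shielded.get("secureBoot")


def find_secure_boot_drift(machineset_list: Dict, expected: str = "Enabled") -> List[str]:
    """Names of MachineSets whose effective secureBoot setting differs from `expected`.

    A missing shieldedInstanceConfig is reported as UNSET rather than assumed
    to equal any value, so it always counts as drift from an explicit expectation.
    """
    drifted: List[str] = []
    for ms in machineset_list.get("items", []):
        effective = secure_boot_setting(ms) or UNSET
        if effective != expected:
            drifted.append(ms["metadata"]["name"])
    return drifted


def report(machineset_list: Dict, expected: str = "Enabled") -> str:
    """Human-readable summary, one line per machineset."""
    lines = []
    for ms in machineset_list.get("items", []):
        effective = secure_boot_setting(ms) or UNSET
        status = "ok" if effective == expected else "DRIFT"
        lines.append(f"{status:5} {ms['metadata']['name']}: secureBoot={effective}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_secureboot.py [machinesets.json]; defaults to the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MACHINESETS
    print(report(data))
    drift = find_secure_boot_drift(data)
    sys.exit(1 if drift else 0)
```

Run against the constructed sample it flags `example-abcde-infra-a` and `example-abcde-custom-b`, which is exactly the gap described above: the installer-created pools are consistent, and the machinesets that originate from Hive machine pools are the ones that diverge until Hive gains a secureBoot knob.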
Current behavior
As per the OSD documentation, Red Hat expects the "constraints/compute.requireShieldedVm" policy not to be in place for OSD use on GCP. With support for UEFISecureBoot, we should relax this constraint.
For more details, refer to XCMSTRAT-115.
Here's the link to the Shielded VM configuration in OCP for reference