Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-3546

Option to Enable UEFISecureBoot for VMs for OSD in GCP

    XMLWordPrintable

Details

    • Feature Request
    • Resolution: Done
    • Major
    • None
    • openshift-4.13, openshift-4.14, openshift-4.15
    • Installer
    • False
    • None
    • False
    • Not Selected
    • Product
    • 0
    • 0% 0%

    Description

      Summary of the issue: 

      The customer has the ShieldVM GCP Policy (https://cloud.google.com/compute/shielded-vm/docs/shielded-vm) in place and it's blocking the installation to succeed.

      ShieldVM GCP Policy must be relaxed by the customer as prerequisite before the OSD in GCP installation, because the OSD in GCP OpenShift installer (though Hive) will use the UEFI boot mode, and not the UEFISecureBoot as in the ShieldVM policy requests. 

      For the RFE, the customer is requesting to have an option to enable the UEFISecureBoot in the installation, to fulfill the correct ShieldVM GCP Policy constraints and not to be disabled during (or after) the installation.

      • What triage steps have been taken so far?:

      In a cluster of OSD in GCP the boot is UEFI instead of UEFISecureBoot, as we can see in the GCP VM Console dashboard in the section of ShieldVM (attached gcp-vm1 pic):

      Secure Boot: Off - (UEFISecureBoot)

      vTPM: On

      Integrity Monitoring: On

       

      In BareMetal we have this feature enabled:

      https://github.com/openshift/installer/blob/master/pkg/types/baremetal/platform.go#L16

      https://docs.openshift.com/container-platform/4.10/installing/installing_bare_metal_ipi/ipi-install-prerequisites.html#node-requirements_ipi-install-prerequisites

      GCP has not UEFISecureBoot - https://github.com/openshift/installer/blob/master/pkg/types/gcp/platform.go

      OpenShift Installer is capable now to launch the UEFISecureBoot - https://github.com/openshift/installer/blob/master/data/data/gcp/cluster/main.tf#L82

      through this PR that enables the UEFISecureBoot - https://github.com/openshift/installer/issues/2546

      • What logs have been reviewed (attach them?):

      [root@mobb-infra-gcp-mn4j6-master-2 /]# ls -lrht /sys/firmware/efi/

      total 0

      dr-xr-xr-x.  2 root root    0 May 24 19:28 efivars

      drwxr-xr-x. 33 root root    0 Jun 22 09:10 vars

      r-------.  1 root root 4.0K Jun 22 09:10 systab

      drwxr-xr-x.  6 root root    0 Jun 22 09:10 runtime-map

      rrr-.  1 root root 4.0K Jun 22 09:10 runtime

      drwxr-xr-x.  2 root root    0 Jun 22 09:10 mok-variables

      rrr-.  1 root root 4.0K Jun 22 09:10 fw_vendor

      rrr-.  1 root root 4.0K Jun 22 09:10 fw_platform_size

      rrr-.  1 root root 4.0K Jun 22 09:10 config_table

      Attachments

        Issue Links

          is depended on by

          Outcome - Organizational objective focused on a measurable outcome. May be in support of larger strategic goals. XCMSTRAT-25 GCP Security

          • Undefined - Priority not specified.
          • New
          is triggering

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-930 Enable UEFISecureBoot for VMs (as required by ShieldVM policy) for OSD/GCP

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-632 Add support to Shielded VMs on GCP

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              acathrow@redhat.com Andrew Cathrow
              rcarrata+mobb Roberto Carratala (Inactive)
              Votes:
              4 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: