Loading...

XML

Word

Printable

Type: Feature Request
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: openshift-4.13, openshift-4.14, openshift-4.15
Component/s: Installer
Labels:
- RFE
- gcp
- installation
- osd
- sb_candidate

Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
Department:
Product
PX Impact Score:
PX Priority Data:
PX Review Complete:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Summary of the issue:

The customer has the ShieldVM GCP Policy (https://cloud.google.com/compute/shielded-vm/docs/shielded-vm) in place and it's blocking the installation to succeed.

ShieldVM GCP Policy must be relaxed by the customer as prerequisite before the OSD in GCP installation, because the OSD in GCP OpenShift installer (though Hive) will use the UEFI boot mode, and not the UEFISecureBoot as in the ShieldVM policy requests.

For the RFE, the customer is requesting to have an option to enable the UEFISecureBoot in the installation, to fulfill the correct ShieldVM GCP Policy constraints and not to be disabled during (or after) the installation.

What triage steps have been taken so far?:

In a cluster of OSD in GCP the boot is UEFI instead of UEFISecureBoot, as we can see in the GCP VM Console dashboard in the section of ShieldVM (attached gcp-vm1 pic):

Secure Boot: Off - (UEFISecureBoot)

vTPM: On

Integrity Monitoring: On

In BareMetal we have this feature enabled:

https://github.com/openshift/installer/blob/master/pkg/types/baremetal/platform.go#L16

https://docs.openshift.com/container-platform/4.10/installing/installing_bare_metal_ipi/ipi-install-prerequisites.html#node-requirements_ipi-install-prerequisites

GCP has not UEFISecureBoot - https://github.com/openshift/installer/blob/master/pkg/types/gcp/platform.go

OpenShift Installer is capable now to launch the UEFISecureBoot - https://github.com/openshift/installer/blob/master/data/data/gcp/cluster/main.tf#L82

through this PR that enables the UEFISecureBoot - https://github.com/openshift/installer/issues/2546

What logs have been reviewed (attach them?):

_{[root@mobb-infra-gcp-mn4j6-master-2 /]# ls -lrht /sys/firmware/efi/}

_{total 0}

_{dr-xr-xr-x. 2 root root 0 May 24 19:28 efivars}

_{drwxr-xr-x. 33 root root 0 Jun 22 09:10 vars}

_{r-------. 1 root root 4.0K Jun 22 09:10 systab}

_{drwxr-xr-x. 6 root root 0 Jun 22 09:10 runtime-map}

_{rrr-. 1 root root 4.0K Jun 22 09:10 runtime}

_{drwxr-xr-x. 2 root root 0 Jun 22 09:10 mok-variables}

_{rrr-. 1 root root 4.0K Jun 22 09:10 fw_vendor}

_{rrr-. 1 root root 4.0K Jun 22 09:10 fw_platform_size}

_{rrr-. 1 root root 4.0K Jun 22 09:10 config_table}

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

gcp-vm1.png
24 kB
2022/06/23 9:52 AM

is triggering

OCPSTRAT-930 Enable UEFISecureBoot for VMs (as required by ShieldVM policy) for OSD/GCP

Closed

relates to

OCPSTRAT-632 Add support to Shielded VMs on GCP

Closed

Assignee:: Andrew Cathrow

Reporter:: Roberto Carratala (Inactive)

Votes:: 4 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2022/06/23 9:55 AM

Updated:: 2023/12/07 3:18 PM

Resolved:: 2023/04/25 8:43 PM

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates