Epic
Resolution: Unresolved
[virt] guest os specific secure boot config
rhel-virt-confidential-firmware
ssg_virtualization
Description
Different operating system boot loaders are signed with different secure boot CA certificates. Until recently Microsoft used two CAs, both created in 2011: one to sign Windows builds and one to sign everything else (including shim.efi for Linux distros). Physical hardware typically ships with these two certificates enrolled, and our secure boot configuration for virtual machines did the same.
In 2023 a new set of CA certificates was created, and Microsoft is in the process of switching over to the new certificates. There are two known reasons for this:
- The 2011 certificates will expire soon (2026).
- Microsoft wants to revoke the 2011 Windows certificate (add it to 'dbx') because a lot of boot loaders have been signed with this certificate (google "black lotus").
In response, the new certificates have been added to the default secure boot configuration for VMs, which is far from ideal from a security point of view. A much better approach is to set up or choose the secure boot configuration specifically for the guest to be booted. It makes sense to have at least three configurations:
- windows-2011, for old Windows boot media
- windows-2023, for recent Windows boot media
- linux, containing the 3rd party CA that shim.efi is signed with (2011 + 2023 variants might also be needed in the future)
Additionally these could be useful:
- redhat, containing the Red Hat UEFI CA certificate (not yet used to sign RHEL boot loaders, but this will probably change in the future). The VM will only boot RH-signed binaries.
- rhtest, containing the Red Hat test CA (used to sign local and scratch builds), to simplify testing and development.
Open questions:
- How are we going to create the varstores? Create them at install time? Create a collection at RPM build time?
- How are we going to choose the varstore? Manually? libosinfo? Inspect the boot loader on the boot media?
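To make the per-guest configurations and the "create the varstores" question concrete, here is an added example (not code from this ticket or from the virt firmware project) that encodes each proposed profile as the raw contents of the secure boot 'db' variable, i.e. a sequence of EFI_SIGNATURE_LIST structures as laid out in the UEFI specification, parses such a blob back, and checks which signing CA a boot loader would need under each profile. Everything below the format itself is an assumption: the certificate bytes are constructed placeholders rather than real DER certificates, the owner GUID is made up, the profile names follow the ticket, the 'linux' profile is assumed to carry both the 2011 and 2023 third-party CAs, and 'default-all' models the current catch-all configuration the ticket argues against.

```python
import struct
import uuid

# Signature type GUID for DER-encoded X.509 certificates, from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# SignatureOwner GUID: constructed for this example (in a real varstore it identifies
# the entity that enrolled the entry).
OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-00000000c0de")

# Constructed placeholder "certificates" standing in for the CAs the ticket names.
# Real db entries carry full DER X.509 certificates; these byte strings are NOT real certs.
PLACEHOLDER_CERTS = {
    "ms-windows-ca-2011": b"CONSTRUCTED: ms windows production ca 2011",
    "ms-windows-ca-2023": b"CONSTRUCTED: ms windows uefi ca 2023",
    "ms-thirdparty-ca-2011": b"CONSTRUCTED: ms third-party uefi ca 2011 (signs shim)",
    "ms-thirdparty-ca-2023": b"CONSTRUCTED: ms third-party uefi ca 2023 (signs shim)",
}

# Guest-specific 'db' contents following the ticket's proposed split (assumed mapping).
# 'default-all' models the catch-all configuration that trusts every CA at once.
CONFIGS = {
    "windows-2011": ["ms-windows-ca-2011"],
    "windows-2023": ["ms-windows-ca-2023"],
    "linux": ["ms-thirdparty-ca-2011", "ms-thirdparty-ca-2023"],
    "default-all": list(PLACEHOLDER_CERTS),
}

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize, SignatureHeaderSize,
# SignatureSize (all little-endian; GUIDs use EFI's mixed-endian byte order).
SIGLIST_HEADER = struct.Struct("<16sIII")


def build_signature_list(cert_der: bytes, owner: uuid.UUID = OWNER_GUID) -> bytes:
    """Encode one EFI_SIGNATURE_LIST holding a single X.509 certificate.

    Each EFI_SIGNATURE_DATA entry is SignatureOwner GUID (16 bytes) + SignatureData.
    One list per certificate, because every entry in a list must share SignatureSize.
    SignatureHeaderSize is 0 for X.509 lists.
    """
    sig_data = owner.bytes_le + cert_der
    header = SIGLIST_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                                 SIGLIST_HEADER.size + len(sig_data), 0, len(sig_data))
    return header + sig_data


def build_db(config: str) -> bytes:
    """Raw 'db' variable contents for a profile: concatenated signature lists."""
    return b"".join(build_signature_list(PLACEHOLDER_CERTS[name]) for name in CONFIGS[config])


def parse_db(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk concatenated EFI_SIGNATURE_LISTs and return (type, owner, data) per entry.

    Size fields are validated against the blob length so a truncated or inconsistent
    varstore raises instead of being silently read past its end.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type_raw, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(blob, off)
        if list_size < SIGLIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = blob[off + SIGLIST_HEADER.size + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=sig_type_raw)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def trusted_cas(blob: bytes) -> list[str]:
    """Names of the X.509 CAs enrolled in a db blob (placeholder lookup instead of DER parsing)."""
    by_bytes = {der: name for name, der in PLACEHOLDER_CERTS.items()}
    return [by_bytes.get(data, "<unknown>")
            for sig_type, _owner, data in parse_db(blob) if sig_type == EFI_CERT_X509_GUID]


def boot_loader_accepted(config: str, signing_ca: str) -> bool:
    """Would a boot loader signed by `signing_ca` pass db verification under this profile?"""
    return signing_ca in trusted_cas(build_db(config))


if __name__ == "__main__":
    for cfg in CONFIGS:
        print(f"{cfg:13s} trusts: {', '.join(trusted_cas(build_db(cfg)))}")
    # The catch-all profile accepts a Windows-2011-signed loader even for a Linux guest;
    # the dedicated 'linux' profile does not.
    print("default-all accepts ms-windows-ca-2011:",
          boot_loader_accepted("default-all", "ms-windows-ca-2011"))
    print("linux accepts ms-windows-ca-2011:",
          boot_loader_accepted("linux", "ms-windows-ca-2011"))
```

The point the output makes is the one the ticket argues: a db that carries every CA lets any loader signed by any of them boot in any guest, while a profile chosen for the guest narrows what the firmware will accept to the single CA that guest's media actually needs. Swapping the placeholder bytes for real DER certificates and writing the blob into the varstore is the part the open questions above are about.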
There will be a presentation on the topic on virt days Q1/2025.
Apr 1st 2025 update
There is customer demand for adding 3rd party certificates at VM creation time.
Use case: add cert used to sign antivirus kernel modules.
What SSTs and Layered Product teams should review this?
- virt firmware team
- libvirt
- virt-manager / virt-install
- kubevirt