F45 Change Proposal: Grub EFI For Confidential Computing (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/Grub2LightForConfidentialComputing Discussion thread - https://discussion.fedoraproject.org/t/f45-change-proposal-grub-efi-for-confidential-computing-self-contained/193574 This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == An independent separate incarnation (package) of the GRUB bootloader for UEFI only that contains a minimal number of built-in modules, and can quickly boot a Unified Kernel Image (UKI) using Bootloader Specification (BLS) files. It will be built separately from the main GRUB package, and does not replace it for general usage. == Owner == * Name: [[User:lsandova| Leo Sandoval]] | lsandova@redhat.com * Name: [[User:mlewando| Marta Lewandowska]] | mlewando@redhat.com == Detailed Description == There is a need for a smaller, lighter version of the GRUB bootloader on UEFI to support booting sealed bootable container images, such as for Confidential Computing. Since confidential VMs rely on remote attestation, TPM PCR values need to be stable and predictable over long periods of time. Updating the bootloader results in changes to PCRs, and should therefore be avoided if possible. Additionally, Unified Kernel Images (UKIs) have become the preferred choice over the regular signed kernel because the whole payload is bundled and signed for Secure Boot, thus removing the vulnerability of the unsigned initramfs. They are used often in virtual environments, for confidential computing, and by CoreOS. Taken together, the ideal bootloader for these types of environments should be small, light, and not get updated too often. The fewer modules are built-in, the smaller the attack surface, and the less frequent updates need to be. The resulting idea is to create a smaller version of GRUB, the supported bootloader in most Linux environments, for UEFI, which is built as a separate package from the main GRUB build, contains only the modules that are absolutely necessary for VMs, and natively supports UKI loading. This new package is not meant to be a replacement for GRUB for general use; rather it's an additional package for specific applications. A separate rpm that is still a part of the grub2 build is already available for [https://kojipkgs.fedoraproject.org//packages/grub2/2.12/60.fc45/x86_64/grub2-efi-x64-cc-2.12-60.fc45.x86_64.rpm x86_64] and [https://kojipkgs.fedoraproject.org//packages/grub2/2.12/60.fc45/aarch64/grub2-efi-aa64-cc-2.12-60.fc45.aarch64.rpm aarch64] in Fedora Rawhide for testing. It is signed for Secure Boot with the GRUB key. In the future, it is expected to get its own Secure Boot signing key. Work is in progress to add support for this new build of GRUB in bootupd to enable safe bootloader updates on bootable container systems: https://github.com/coreos/bootupd/issues/1080 == Feedback == The original idea was to use systemd-boot for this application, but this was rejected for a number of reasons: * While the systemd team can support sd-boot in its present form, they view any additional features as a no-go * Although sd-boot is a light and trivial bootloader, it has not been widely tested or fuzzed, like GRUB has been * Long term maintenance of more than one bootloader would result in a lack of parity and added technical debt * Potential expansion to other architectures would necessitate a compatible bootloader anyway. The new lighter GRUB build is already being tested by CoreOS, and is generally working as expected. Small changes are still being made, and suggestions for changes are welcome. == Benefit to Fedora == This change will create a minimal UEFI bootloader for virtual environments that can further be tailored for use in those environments. It will natively load UKIs, support Secure Boot, and be a part of a robust and tested bootloader used in many Linux environments. == Scope == * Proposal owners: The bootloader engineering team needs to create a new GRUB package, separate from the core package that includes all the changes mentioned. * Other developers: CoreOS, who will be the main users, at least in the beginning, need to test, provide feedback, and perhaps change some of their workflows as needed. * Release engineering: [https://forge.fedoraproject.org/releng/tickets/issues #Releng issue number] * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with the Fedora Strategy: == Upgrade/compatibility impact == This is a new package, independent of the normal all-purpose GRUB, so unless a user installs it on purpose, there is no compatibility impact. == Early Testing (Optional) == This new package is designed specifically for VMs that run UEFI firmware, so an x86_64 or aarch64 VM is the environment to use. ===Prepare the test environment:=== * Install or create one or more UKIs ** Install `kernel-uki-virt` and add a command line addon using `ukify`, see instructions below ** Use `ukify` to create the UKI from scratch, see instructions below * If booting with Secure Boot enabled, sign your add-on or UKI, and enroll your public key in the MOK, see instructions below.<br> '''If you will not sign your UKI/addon, don't forget to disable Secure Boot.''' * Create the `/boot/efi/loader/entries` directory * Create BLS entries in that directory for each UKI. Specify the path to the UKI using the `efi` keyword, as you normally would use `linux` for the kernel. A minimal BLS file only needs to have a title and the path to the UKI: <pre> # cat /boot/efi/loader/entries/7.0.10-200-UKI.fc45.x86_64.conf title Fedora 45 UKI (7.0.10-200.fc45.x86_64) efi /EFI/Linux/7.0.10-200.fc45.x86_64.efi </pre> === (If you don't feel like doing all of that, you can boot regular kernels instead): === Because this version of GRUB is intended for UKIs, it expects those UKIs to be on the EFI system partition, but it can load a regular kernel too, as long as it's in the correct place. If you copy a kernel and its initrd from `/boot` to `/boot/efi/EFI/Linux` and that kernel's BLS configuration file from `/boot/loader/entries` to `/boot/efi/loader/entries` (and edit it to reflect the correct paths), then it should simply boot as usual. === Test: === * Download the [https://kojipkgs.fedoraproject.org//packages/grub2/2.12/60.fc45/x86_64/grub2-efi-x64-cc-2.12-60.fc45.x86_64.rpm grub2-efi-x64-cc rpm], unpack it, and replace your regular grub efi with it: <pre> # cp ./usr/lib/efi/grub2/1\:2.12-60.fc45/EFI/fedora/cc/grubx64-cc.efi /boot/efi/EFI/fedora/grubx64.efi </pre> * Reboot your machine You should see the GRUB menu with entries for each of the UKIs that you installed. If you press 'e' to edit an entry, you should see something like `chainloader /path/to/UKI` and when you execute any of the entries, they should successfully boot. You can check the size of the efi, and see that it is smaller than the normal grubx64.efi. Use the `tpm2_pcrread` command between reboots of different UKIs to see that the value of PCR8 does not change. ==== How to build your own UKI addon ==== The generic UKI that fedora ships has only `console=tty0 console=ttyS0` on its kernel command line. In order for it to actually boot on your system, it needs more information, like the root filesystem UUID, which you can see if you `# cat /proc/cmdline`. Since the UKI already has the command line bundled, you need to create a command line addon containing the additional information. You can do this using the [https://www.man7.org/linux/man-pages//man1/ukify.1.html ukify] command. First get the generic UKI by installing `kernel-virt-uki` and the command by installing `systemd-ukify`. Then something like this should work: <pre> # ukify build \ -cmdline "$(cat /proc/cmdline | cut -d' ' -f2-6)" \ --output set_root.unsigned.addon.efi </pre> You then need to copy the addon to the UKI's extra.d directory in `/boot/efi/EFI/Linux/` if you want to only apply it to a single UKI, or create `/boot/efi/loader/addons/` and copy it there, if you want it to work for all UKIs. (If you are planning to sign the addon, wait to move it until after you have signed it.) ==== How to build your own UKI ==== You can build your own UKI using kernels and initrds that you already have installed on your system once you have also installed `systemd-ukify`. Building one for the running kernel using the [https://www.man7.org/linux/man-pages//man1/ukify.1.html ukify] command, looks like this: <pre> # ukify build \ --linux /usr/lib/modules/$(uname -r)/vmlinuz \ --initrd /boot/initramfs-$(uname -r).img \ --uname $(uname -r) \ --cmdline "$(cat /proc/cmdline | cut -d' ' -f2-6)" \ --output kernel-$(uname -r | rev | cut -d'.' -f3-6 | rev)-UKI.efi \ --profile "kernel $(uname -r | rev | cut -d'.' -f3-6 | rev) UKI (Fedora $(cat /etc/os-release | grep VERSION_ID | sed -e 's/VERSION_ID=//g'))" </pre> You then need to copy the UKI to the correct directory. Typically this is `/boot/efi/EFI/Linux/` but can be the directory of your choosing, as long as you specify that in the UKI's BLS file. (If you are planning to sign the UKI, wait to move it until after you have signed it.) ==== How to sign for Secure Boot ==== It's actually possible to sign your UKI or addon during the ukify build, but this more generic procedure can be used to sign any artifact for Secure Boot. Install `openssl` and `pesign` and generate your signing key: <pre> # openssl req -quiet -newkey rsa:4096 -nodes \ -keyout custom_db.key -new -x509 -sha256 -days 3650 \ -subj "/CN=UKI Signing key/" \ --outform DER -out custom_db.der </pre> In this case the key size is 4096 bit, uses [https://en.wikipedia.org/wiki/RSA_cryptosystem RSA] for encryption, and can be used for signing for 10 years. Import the public key into the NSS database that `pesign` uses and give it a nickname: <pre> # certutil -A -t ",," -d /etc/pki/pesign -n \ 'My Secureboot Signer' -i custom_db.der </pre> Convert the public and private keys to PKCS12 format and import the result to enable signing using `pesign`: <pre> # openssl pkcs12 -export -out custom_db.pfx \ -inkey custom_db.key -in custom_db.der </pre> <pre> # pk12util -i custom_db.pfx \ -d/etc/pki/pesign -n 'My Secureboot Signer' </pre> Sign your UKI or addon with your private key: <pre> # pesign --certificate 'My Secureboot Signer' \ --in set_root.unsigned.addon.efi \ --out set_root.addon.efi --sign </pre> Move or copy the UKI or addon to the proper directory, see above. Import your public key into the Machine Owner Key (MOK) database: <pre> # mokutil --import custom_db.der </pre> You will be asked to create a password. You need to reboot the machine to complete the enrollment, and you will be asked for this password at that time. After rebooting, you can check that your key is actually in the MOK database: <pre> # mokutil --list-enrolled </pre> == Dependencies == N/A as this is a new package. == Documentation == N/A (not a System Wide Change) or to be determined. == Release Notes == To be determined. -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new