VM with secureboot doesn't work

Hello,

I’m trying to deploy a VM of Talos using SecureBoot.
This is my instance configuration:

    architecture: x86_64
    config:
      boot.autorestart: "true"
      boot.autostart: "true"
      image.description: Talos for k8s 1.9.3
      image.os: Talos
      image.release: 1.9.3
      limits.cpu: "2"
      limits.memory: 2GiB
      security.secureboot: "true"

The VM won’t boot correctly unless I connect to the console, go into “Device Manager > Secure Boot Configuration” and then “Reset Secure Boot Keys”. After doing so the VM boots correctly.

Looking at the qemu.conf, I see

    # Firmware (read only)
    [drive]
    file = "/opt/incus/share/qemu/OVMF_CODE.4MB.fd"
    if = "pflash"
    format = "raw"
    unit = "0"
    readonly = "on"

    # Firmware settings (writable)
    [drive]
    file = "/dev/fd/4"
    if = "pflash"
    format = "raw"
    unit = "1"

I don’t understand why it takes /opt/incus/share/qemu/OVMF_CODE.4MB.fd instead of /usr/share/OVMF/OVMF_CODE.secboot.fd. I tried to override the systemd configuration in order to set INCUS_EDK2_PATH to /usr/share/OVMF/ but that does nothing.

What am I missing to avoid resetting keys manually?

I just noticed that after I boot, Talos reports it as “Secureboot is disabled”.
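A way to check what the firmware is actually enforcing, rather than relying on an OS banner, is to read the SecureBoot and SetupMode EFI variables from inside a Linux guest. The script below is an added example, not part of this thread; Talos itself has no shell, so it is meant for a general Linux guest or a scratch VM booted on the same OVMF_CODE/OVMF_VARS pair. It assumes efivarfs is mounted at the usual path (EFIVARS_DIR is a parameter so the parser can be exercised on constructed files). Each efivarfs file is four attribute bytes followed by the variable data; both variables here are one byte.

```shell
#!/bin/sh
# Added example (not from the thread): report the firmware's Secure Boot state.
# "setup" means no Platform Key is enrolled, so nothing is verified; that is
# the state an empty OVMF_VARS starts in until the guest enrolls its keys.
set -eu

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE

# efivar_byte NAME: first data byte of variable NAME as a decimal string,
# or "missing" when the variable does not exist (e.g. a legacy BIOS boot).
efivar_byte() {
    f="$EFIVARS_DIR/$1-$GLOBAL_GUID"
    if [ ! -f "$f" ]; then
        printf 'missing\n'
        return 0
    fi
    # -j4 skips the attribute dword, -N1 reads one byte, -tu1 prints it unsigned.
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    printf '\n'
}

# secure_boot_state: "enforcing", "setup", "disabled" or "unsupported".
secure_boot_state() {
    sb=$(efivar_byte SecureBoot)
    sm=$(efivar_byte SetupMode)
    if [ "$sb" = missing ]; then
        printf 'unsupported\n'
    elif [ "$sm" = 1 ]; then
        printf 'setup\n'
    elif [ "$sb" = 1 ]; then
        printf 'enforcing\n'
    else
        printf 'disabled\n'
    fi
}

# Usage: run inside the guest; prints one word describing the firmware state.
secure_boot_state
```

The ordering matters: a firmware in Setup Mode may still report SecureBoot=0, but "setup" is the more useful answer because it tells you the variable store has no keys yet, which is exactly the state a freshly copied empty OVMF_VARS is in.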

Okay, so I found why Talos was in Secure Mode disabled, but to be able to run it I had to do the following.

Copy OVMF_VARS.fd, which does not contain keys, and then add the following to the instance configuration:

    # Terraform (incus provider) instance config as posted. Note that the
    # AppArmor rules and the -drive lines below name different files; the
    # rules must cover whatever paths are actually handed to qemu.
    config = {
      "security.secureboot" = true
      # Let the qemu process open the custom firmware files.
      "raw.apparmor"        = <<-EOT
      /tmp/boot/b${count.index}/OVMF_CODE_4M.secboot.fd rk,
      /tmp/boot/b${count.index}/OVMF_VARS_4M.fd rwk,
      EOT
      # Replacement pflash drives: Secure Boot-capable code image plus key-less vars.
      "raw.qemu"            = <<-EOT
      -drive if=pflash,format=raw,file="/usr/share/OVMF/OVMF_CODE_4M.secboot.fd",readonly=on,index=0
      -drive if=pflash,format=raw,file="/tmp/OVMF_VARS_4M.fd",index=1
      EOT
      # Empty sections drop the two pflash drives Incus would otherwise generate.
      "raw.qemu.conf"       = <<-EOT
      [drive][0]
      [drive][1]
      EOT
    }

Is there a way to ask incus to use empty vars instead of one with MS keys?
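The workaround above can also be driven from the Incus CLI on the host. The script below is an added example, not code from the thread or from the Incus project; it stages a per-instance copy of a key-less OVMF_VARS template and sets the same four config keys, but derives the AppArmor rules from the very paths passed to `-drive` so the two cannot drift apart. The template paths (Debian's OVMF package layout) and STAGE_DIR are assumptions; adjust them for your host. Each VM gets its own writable copy because the first boot enrolls the guest's keys into it, and a shared vars file would let one VM's enrolled keys govern another.

```shell
#!/bin/sh
# Added example (not from the thread): point one Incus VM at a Secure
# Boot-capable OVMF_CODE and a private, initially empty OVMF_VARS copy.
set -eu

# Assumed locations (Debian OVMF package); override via the environment.
CODE_TEMPLATE="${CODE_TEMPLATE:-/usr/share/OVMF/OVMF_CODE_4M.secboot.fd}"
VARS_TEMPLATE="${VARS_TEMPLATE:-/usr/share/OVMF/OVMF_VARS_4M.fd}"   # no PK/KEK/db enrolled
STAGE_DIR="${STAGE_DIR:-/var/lib/incus-ovmf}"

# vars_path NAME: path of the per-instance writable NVRAM copy.
vars_path() {
    printf '%s/%s-OVMF_VARS_4M.fd\n' "$STAGE_DIR" "$1"
}

# stage_vars NAME: copy the empty template once and never overwrite it,
# because the copy holds the keys the guest enrolls on first boot.
stage_vars() {
    dst=$(vars_path "$1")
    mkdir -p "$STAGE_DIR"
    if [ ! -f "$dst" ]; then
        cp "$VARS_TEMPLATE" "$dst"
        chmod 0600 "$dst"
    fi
    printf '%s\n' "$dst"
}

# render_raw_qemu CODE VARS: the two pflash drives; index 0 is the read-only
# firmware image, index 1 the writable variable store.
render_raw_qemu() {
    printf '%s\n' "-drive if=pflash,format=raw,file=$1,readonly=on,index=0"
    printf '%s\n' "-drive if=pflash,format=raw,file=$2,index=1"
}

# render_raw_apparmor CODE VARS: exactly the access those drives need
# (read+lock on the code image, read/write+lock on the vars).
render_raw_apparmor() {
    printf '%s rk,\n' "$1"
    printf '%s rwk,\n' "$2"
}

# render_raw_qemu_conf: an empty section removes the matching entry from the
# qemu.conf Incus generates, here the stock pflash drives.
render_raw_qemu_conf() {
    printf '[drive][0]\n[drive][1]\n'
}

# apply NAME: push the keys to an existing, stopped instance.
apply() {
    name=$1
    vars=$(stage_vars "$name")
    incus config set "$name" security.secureboot=true
    incus config set "$name" raw.qemu="$(render_raw_qemu "$CODE_TEMPLATE" "$vars")"
    incus config set "$name" raw.apparmor="$(render_raw_apparmor "$CODE_TEMPLATE" "$vars")"
    incus config set "$name" raw.qemu.conf="$(render_raw_qemu_conf)"
}

# Usage (as root on the Incus host): ./stage-secureboot.sh <instance-name>
if [ -n "${1:-}" ]; then
    apply "$1"
fi
```

Because `stage_vars` refuses to overwrite an existing copy, re-running the script against a VM that has already booted keeps the keys it enrolled; delete the copy deliberately if you want the VM back in Setup Mode.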

I am not familiar with Talos, but I am wondering if it’s got some custom linux kernel module(s) associated with it?

Secureboot requires signed kernel modules, so when you build a different application from code (e.g. zfs) it won’t work out of the box unless it gets signed by a secureboot key. Linux (at least Debian) gives us a machine key for doing that (via the command mokutil). It conveniently provides a means of signing your own kernels so that they work with secureboot, but it is a bit of an odd procedure to go through.

So, if this is the root of your problem you can try to get your system’s key added to the chain of trust. See the instructions here, which further explain this and show how I sign a zfs module built from source on a Debian server. You have to register your system’s key into the chain of trust. I warn you, it’s “quirky”:

Of course, I am only guessing that this might be your problem so apologies if this just sends you down a different rabbit hole.

GL.

Andrew

I know that modules need to be signed, and in fact Talos already bundles them with it and enrolls its own keys. That’s why I need empty vars.

I’m just asking if there is a way to select specific OVMF file directly in incus instead of doing raw qemu
