Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add UEFI_COMPATIBLE and SECURE_BOOT to RHCOS on GCP #2546

Closed
cgwalters opened this issue Oct 22, 2019 · 5 comments · Fixed by #2921
Closed

Add UEFI_COMPATIBLE and SECURE_BOOT to RHCOS on GCP #2546

cgwalters opened this issue Oct 22, 2019 · 5 comments · Fixed by #2921
Assignees
@cgwalters
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@cgwalters
Copy link
Member

We will need to do coreos/mantle#1060 but with Terraform, since for GCP we only upload image files. It looks like this was only very recently added to the Terraform GCP provider: GoogleCloudPlatform/magic-modules#2339

I still need to do some testing with this with RHCOS, but it works with FCOS, so filing this now to track it and help me remember to do it.
@cgwalters
Copy link
Member Author

/assign @cgwalters

@abhinavdahiya
Copy link
Contributor

@cgwalters do you mind providing a little more context on why this is important?

Also I think a prerequisite would be making sure machine-api has this feature if this is a VM tunable.

@cgwalters
Copy link
Member Author

@cgwalters do you mind providing a little more context on why this is important?

Turning on these flags gives us secure boot and a virtual TPM. The virtual TPM is quite useful for a variety of reasons, but one of the biggest is that we really want to push using TPMs on bare metal, and having a top-tier cloud target also have a TPM means we effectively get testing of some of the metal/TPM paths for free at scale.

Also I think a prerequisite would be making sure machine-api has this feature if this is a VM tunable.

I don't think that's necessary; it's a property of the image which machine-api just consumes.

@cgwalters cgwalters mentioned this issue Jan 14, 2020
Merged
@openshift-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci-robot openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 20, 2020
@openshift-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci-robot openshift-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 21, 2020
cgwalters added a commit to cgwalters/installer that referenced this issue Mar 26, 2020
@cgwalters
gcp: Flag RHCOS with SECURE_BOOT and UEFI_COMPATIBLE
85270dd 
This opts us in to some of the features from
https://cloud.google.com/security/shielded-cloud/shielded-vm
Specifically with this, we get a vTPM device.

And what's nice about having a TPM device is that we can start
to optionally make use of TPM devices in OpenShift which
will then work on both bare metal *and* in GCP.

Closes: openshift#2546
vrutkovs pushed a commit to vrutkovs/installer that referenced this issue Apr 13, 2020
@cgwalters @vrutkovs
gcp: Flag RHCOS with SECURE_BOOT and UEFI_COMPATIBLE
443cb0a 
This opts us in to some of the features from
https://cloud.google.com/security/shielded-cloud/shielded-vm
Specifically with this, we get a vTPM device.

And what's nice about having a TPM device is that we can start
to optionally make use of TPM devices in OpenShift which
will then work on both bare metal *and* in GCP.

Closes: openshift#2546
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cgwalters cgwalters

Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

gcp: Flag RHCOS with SECURE_BOOT and UEFI_COMPATIBLE cgwalters/installer
4 participants
@cgwalters @openshift-bot @abhinavdahiya @openshift-ci-robot