Bug 2027505
Summary: Signing Stream for Secure Boot

Field | Value
---|---
Product | Red Hat Enterprise Linux 9
Component | distribution
Version | CentOS Stream
Status | CLOSED CURRENTRELEASE
Type | Enhancement
Severity | unspecified
Priority | unspecified
Target Milestone | rc
Hardware | Unspecified
OS | Unspecified
Reporter | Mike Rochefort <mroche>
Assignee | Brian Stinson <bstinson>
QA Contact | Release Test Team <release-test-team-automation>
CC | bstinson, carl, jesper.reenberg, jwboyer, karel, mike, ngompa13, pasteur, peter.georg, riehecky, siyy123, stadtkind2
Doc Type | If docs needed, set a value
Last Closed | 2022-03-23 03:43:40 UTC
Description
Mike Rochefort
2021-11-29 20:39:20 UTC
*** Bug 2052755 has been marked as a duplicate of this bug. ***

https://composes.stream.centos.org/production/CentOS-Stream-9-20220217.0/ contains signed kernel and grub2 builds that should result in a Secure Boot-enabled system.

Confirmed that the dvd1 is booting with Secure Boot and installs in my VMware environment. Thanks Brian.

Say I have C9S already installed, what minimum grub2 and kernel version do I need to be able to enable Secure Boot on next boot?

Is the centos-sb-certs package supposed to be missing from the composes? It seems weird that it's missing...

(In reply to stadtkind2 from comment #4)
> Say I have C9S already installed, what minimum grub2 and kernel version do I
> need to be able to enable Secure Boot on next boot?

kernel-5.14.0-60.el9 and grub2-2.06-21.el9 are in the Feb 17th compose. Later versions should continue to boot.

(In reply to Neal Gompa from comment #5)
> Is the centos-sb-certs package supposed to be missing from the composes? It
> seems weird that it's missing...

The centos-sb-certs subpackage is an implementation detail for the buildsystem and won't be shipped in a consumer-facing repo. We plan to add downloadable/copy-pastable public certs to this page: https://centos.org/keys/

(In reply to Brian Stinson from comment #6)
> (In reply to Neal Gompa from comment #5)
> > Is the centos-sb-certs package supposed to be missing from the composes? It
> > seems weird that it's missing...
>
> The centos-sb-certs subpackage is an implementation detail for the
> buildsystem and won't be shipped in a consumer facing repo. We plan to add
> downloadable/copy-pastable public certs to this page https://centos.org/keys/

Since it became a build dependency for the kernel package last week[1], I'm not sure it still makes sense to *not* ship it.

[1]: https://gitlab.com/redhat/centos-stream/rpms/kernel/-/commit/48a069db186838a7fdde11fa81ab5b963d3ac7fa

(In reply to Neal Gompa from comment #7)
> (In reply to Brian Stinson from comment #6)
> > (In reply to Neal Gompa from comment #5)
> > > Is the centos-sb-certs package supposed to be missing from the composes? It
> > > seems weird that it's missing...
> >
> > The centos-sb-certs subpackage is an implementation detail for the
> > buildsystem and won't be shipped in a consumer facing repo. We plan to add
> > downloadable/copy-pastable public certs to this page https://centos.org/keys/
>
> Since it became a build dependency for the kernel package last week[1], I'm
> not sure it still makes sense to *not* ship it.
>
> [1]:
> https://gitlab.com/redhat/centos-stream/rpms/kernel/-/commit/
> 48a069db186838a7fdde11fa81ab5b963d3ac7fa

We do need to add the equivalent package to CBS as a dummy for now until we can get proper SIG certs added.

Otherwise, you can satisfy that dependency by pointing at the actual buildroot in koji.

Is there something we can ship for people to use locally (i.e. not in the Koji environments)? Being able to do local 'mock' builds of a kernel to test patches is a useful workflow to support.

We want to encourage use of the buildroot where it makes sense. We'll probably end up documenting this for some of these cases:

    # With centpkg installed from EPEL
    koji -p stream mock-config --arch x86_64 --tag c9s-build

(In reply to Brian Stinson from comment #11)
> We want to encourage use of the buildroot where it makes sense. We'll
> probably end up documenting this for some of these cases:
>
> # With centpkg installed from EPEL
> koji -p stream mock-config --arch x86_64 --tag c9s-build

This seems unnecessarily painful for files that people should be able to have locally anyway. Why don't you want the certs package published? We publish GPG keys in a package so that local verification is possible, and having the certs package published enables the same kind of verification.

And prior to the switch to the package, they were included in the kernel SRPM. So I don't understand why it's a problem to publish the package. They don't contain the private keys, only the public certs.

(In reply to Neal Gompa from comment #12)
> (In reply to Brian Stinson from comment #11)
> > We want to encourage use of the buildroot where it makes sense. We'll
> > probably end up documenting this for some of these cases:
> >
> > # With centpkg installed from EPEL
> > koji -p stream mock-config --arch x86_64 --tag c9s-build
>
> This seems unnecessarily painful for files that people should be able to
> have locally anyway. Why don't you want the certs package published? We
> publish GPG keys in a package so that local verification is possible, and
> having the certs package published enables the same kind of verification.
>
> And prior to the switch to the package, they were included in the kernel
> SRPM. So I don't understand why it's a problem to publish the package. They
> don't contain the private keys, only the public certs.

We'll be including {redhat,centos}-sb-certs in CRB. Here's the bug that will actually make that happen: https://bugzilla.redhat.com/show_bug.cgi?id=2057686

Since Secure Boot is functional in CentOS Stream 9, we can close this bz.
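The question in comment 4 (what an already-installed C9S host needs before Secure Boot can be turned on) and the answer in comment 6 (kernel-5.14.0-60.el9 and grub2-2.06-21.el9, with later builds continuing to boot) translate into a short host check. The script below is an added example written for this page; it is not part of the bug report and not CentOS or Red Hat tooling. It assumes an x86_64 UEFI host with efivarfs mounted at the usual /sys/firmware/efi/efivars path, and it treats the two version-release strings from comment 6 as the minimums. The version comparison uses `sort -V`, which is sufficient for these numeric EL versions but is not a full rpmvercmp.

```shell
#!/bin/sh
# Added example (not from the bug report or from CentOS/Red Hat tooling).
# Checks an already-installed CentOS Stream 9 host against the minimums Brian
# Stinson names in comment 6 (kernel-5.14.0-60.el9 and grub2-2.06-21.el9) and
# reports the firmware's current Secure Boot state.
set -eu

MIN_KERNEL="5.14.0-60.el9"
MIN_GRUB2="2.06-21.el9"

# efivarfs path of the UEFI "SecureBoot" variable (EFI_GLOBAL_VARIABLE GUID).
# Assumes efivarfs is mounted at the usual location; absent on BIOS boots.
SB_VAR="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# version_ge HAVE WANT: succeed if HAVE >= WANT. Operates on VERSION-RELEASE
# strings only (no epoch, no name, no arch). Uses sort -V (GNU/busybox), which
# is good enough for the numeric-dotted EL versions here; it is not a full
# rpmvercmp (no tilde/caret handling).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# rpm_vr NAME: print VERSION-RELEASE of every installed NAME, one per line.
# Epoch is intentionally left out (grub2 carries epoch 1, kernel carries none),
# so the output is directly comparable with the strings in the bug.
rpm_vr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1"
}

# sb_state_from_file FILE: print enabled / disabled / unknown.
# An efivarfs file is a 4-byte attribute word followed by the variable data;
# SecureBoot's data is a single byte, 1 when the firmware enforces signatures.
sb_state_from_file() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# check_system: report every installed kernel and grub2 build against the
# minimums, plus the firmware state. Returns 1 if any installed build is older
# than the first signed build named in the bug. Needs rpm, so it only runs
# when the script is invoked with --check.
check_system() {
    status=0
    for v in $(rpm_vr kernel); do
        if version_ge "$v" "$MIN_KERNEL"; then
            echo "kernel-$v: at or above $MIN_KERNEL"
        else
            echo "kernel-$v: older than $MIN_KERNEL (first signed build in the bug)"
            status=1
        fi
    done
    # grub2-common is built from the same SRPM as grub2-efi-x64, so its
    # VERSION-RELEASE is the "grub2-2.06-21.el9" the comment refers to.
    for v in $(rpm_vr grub2-common); do
        if version_ge "$v" "$MIN_GRUB2"; then
            echo "grub2-$v: at or above $MIN_GRUB2"
        else
            echo "grub2-$v: older than $MIN_GRUB2 (first signed build in the bug)"
            status=1
        fi
    done
    echo "firmware Secure Boot state: $(sb_state_from_file "$SB_VAR")"
    return "$status"
}

case "${1:-}" in
    --check) check_system ;;
esac
```

Run it as `sh sbcheck.sh --check` on the host; `mokutil --sb-state` gives the same enabled/disabled answer if mokutil is installed. Two caveats that the thread does not spell out: the check looks at installed packages, not at which entry grub will actually boot next, so an old kernel that is still installed is reported even if it is not the default; and the signed chain also includes shim, which the comments above do not discuss.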