T861: op-mode: initial parts for UEFI secure boot CLI #4020

Merged
merged 4 commits into from
Sep 16, 2024

c-po
Member

@c-po c-po commented Aug 26, 2024

Change Summary

Add show secure-boot [keys] CLI command together with install mok CLI command.

Current SB state is displayed too via show ver

vyos@vyos:~$ show ver
...
Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Secure Boot:      enabled
...

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

Secure Boot / UEFI

Proposed changes

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

github-actions bot commented Aug 26, 2024

👍
No issues in PR Title / Commit Title

github-actions bot commented Aug 26, 2024

✅ No issues found in unused-imports check. Please refer to the workflow run

@c-po c-po marked this pull request as ready for review September 3, 2024 16:49
@c-po c-po requested a review from a team as a code owner September 3, 2024 16:49
@c-po c-po force-pushed the secure-boot branch 2 times, most recently from a6f5501 to a884836 Compare September 5, 2024 05:22
@c-po c-po marked this pull request as draft September 7, 2024 21:27
@c-po c-po marked this pull request as ready for review September 14, 2024 18:51
  vyos@vyos:~$ show ver
  ...
  Architecture:     x86_64
  Boot via:         installed image
  System type:      KVM guest
  Secure Boot:      enabled
  ...
Support getting current system secure boot state.
In addition add optional support to list all enrolled MOK (Machine Owner Keys)
in the UEFI variable store.
Deploy VyOS Secure Boot CA MOK (Machine Owner Key) into UEFI variables of
the running machine.
@c-po c-po merged commit 53fa5c9 into vyos:current Sep 16, 2024
9 of 11 checks passed
@c-po c-po deleted the secure-boot branch September 16, 2024 15:33
from vyos.utils.boot import is_uefi_system
if not is_uefi_system():
return False
tmp = cmd('mokutil --sb-state')
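
Review bot: The `cmd('mokutil --sb-state')` call on the last line is guarded only by `is_uefi_system()`, and a UEFI-booted machine can still lack Secure Boot support, in which case `mokutil` exits non-zero and `cmd()` raises `OSError`. Catch `OSError` around this one call and return False there so that `show ver` keeps working, rather than wrapping the whole function, which would also hide unrelated errors.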

This line throws an exception for devices that do not support secure-boot. Should this be wrapped in a try?

# show ver
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/version.py", line 91, in <module>
    res = vyos.opmode.run(sys.modules[__name__])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 271, in run
    res = func(**args)
          ^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/version.py", line 81, in show
    version_data = _get_raw_data(funny=funny)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/version.py", line 67, in _get_raw_data
    if get_secure_boot_state():
       ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/system.py", line 148, in get_secure_boot_state
    tmp = cmd('mokutil --sb-state')
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 155, in cmd
    raise OSError(code, feedback)
OSError: [Errno 255] failed to run command: mokutil --sb-state
returned:
exit code: 255

# mokutil --sb-state
This system doesn't support Secure Boot

Labels
Development