Warewulf booting

The HPC deployment system warewulf uses the iPXE bootloader to load the Linux kernel and the root file system (the container image) with the configuration overlay applied on top. This method was chosen because it is flexible and scalable.

There were no technical reasons or outstanding features for choosing iPXE over other bootloaders, so the de facto standard Linux bootloader grub can be used instead, which enables the secure boot and measured boot features. This document describes how to use grub with warewulf 4 and enable secure boot for it. Measured boot can also be enabled so that keylime can be used for remote attestation.

Choose the right bootloader

It is possible to boot grub directly, but in order to enable secure boot, shim is used as the first binary that is run; shim then loads grub with the same method by which shim itself was loaded. This means that if shim was pulled via TFTP, grub will also be pulled via TFTP.

With secure boot enabled, the distributions which warewulf can boot are locked to one vendor, as the shim of a vendor will only load the grub signed by that vendor without additional steps. It would still be possible to add the keys of other vendors to the MOK (Machine Owner Key) database, but this requires physical presence at the node to enroll the MOKs.

Install

Follow the quick start guide for a basic installation of warewulf 4.x. If not already done, download a current openSUSE Leap container with the command

# wwctl container import docker://registry.opensuse.org/science/warewulf/leap-15.5/containers/kernel:latest leap15.5

This container already contains a kernel but is missing shim and grub. In order to install them, open a shell in the container with the following command

# wwctl container shell leap15.5

Within the container, install the needed shim and grub binaries with

[leap15.5] Warewulf> zypper in -y shim grub2-x86_64-efi

Now the shim and grub binaries have to be copied to the TFTP directory. Shim must be saved as shim.efi, the name the DHCP configuration below refers to, and grub as grub.efi, the name shim loads next. For this use the commands:

# cp $(wwctl container show leap15.5)/usr/share/efi/x86_64/shim-sles.efi  /srv/tftpboot/warewulf/shim.efi
# cp $(wwctl container show leap15.5)/usr/share/grub2/x86_64-efi/grub-tpm.efi /srv/tftpboot/warewulf/grub.efi

With the binaries in the right place, the DHCP server configuration has to be updated. The names of the binaries are configured in warewulf.conf, where you should replace the following two lines

    "00:07": ipxe-x86_64.efi
    "00:09": ipxe-x86_64.efi

with

    "00:07": shim.efi
    "00:09": shim.efi

and restart the DHCP service with

# wwctl configure dhcp

After these steps, instead of the iPXE binary, first the Microsoft-signed shim is loaded, which then loads grub.efi. Still missing is a grub.cfg in the right place, which is created with the following command:

#  wwctl overlay edit host -p /srv/tftpboot/warewulf/grub.cfg.ww

Replace the content of this file with


# This file is autogenerated by warewulf
# Host:   {{.BuildHost}}
# Time:   {{.BuildTime}}
# Source: {{.BuildSource}}
echo "================================================================================"
echo "Warewulf v4 now booting with grub"
echo
# provisioning endpoint of the warewulf controller; "stage" selects kernel, container or system overlay
uri="(http,{{.Ipaddr}}:9873)/provision/${net_default_mac}?assetkey="
kernel="${uri}&stage=kernel"
container="${uri}&stage=container&compress=gz"
system="${uri}&stage=system&compress=gz"
echo "Warewulf Controller: {{.Ipaddr}}"
echo "Trying to load a kernel... "
linux $kernel wwid=${net_default_mac} quiet crashkernel=no vga=791 net.naming-scheme=v238
if [ x$? = x0 ] ; then
    echo "Loading initrd..."
    # the system overlay and the container image are both passed as initrd images
    initrd $system $container
    echo "Booting..."
    boot
else
    echo "MESSAGE: This node is unconfigured. Please have your system administrator add a"
    echo "         configuration for this node with HW address: ${net_default_mac}"
    echo ""
    echo "Rebooting in 1 minute..."
    sleep 60
    reboot
fi

and after the modification rebuild the host overlay with

# wwctl overlay build -H

Now the nodes can be rebooted with secure boot enabled.
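Before rebooting nodes, it is worth checking that the chain described above is actually in place on the controller: the DHCP entries for UEFI clients ("00:07" and "00:09") hand out shim.efi, grub.efi sits beside it in the same TFTP directory (shim fetches it from the same location by the same protocol), and the rendered grub.cfg exists there without leftover template markers, which would mean "wwctl overlay build -H" was not run. The following POSIX shell script is an added example written for this page; it is not part of warewulf. It assumes the paths /srv/tftpboot/warewulf and /etc/warewulf/warewulf.conf from the text and that warewulf.conf carries the two "00:07"/"00:09" lines shown above; the function names and the --run flag are this example's own. Signature checking uses sbverify from sbsigntools and is skipped when that tool is not installed.

```sh
#!/bin/sh
# Added example, not warewulf code: sanity-check the shim -> grub -> grub.cfg
# chain under the TFTP root before enabling secure boot on the nodes.
# Assumed paths: /srv/tftpboot/warewulf and /etc/warewulf/warewulf.conf.

# check_boot_chain TFTPDIR CONF -> 0 if consistent, 1 otherwise (details on stderr)
check_boot_chain() {
    tftpdir=$1
    conf=$2
    rc=0

    # Binary handed to x86_64 UEFI PXE clients: the "00:07" and "00:09"
    # entries of warewulf.conf (both must name the same file).
    b07=$(sed -n 's/^[[:space:]]*"00:07":[[:space:]]*//p' "$conf" | head -n 1 | tr -d '[:space:]')
    b09=$(sed -n 's/^[[:space:]]*"00:09":[[:space:]]*//p' "$conf" | head -n 1 | tr -d '[:space:]')
    if [ -z "$b07" ] || [ -z "$b09" ]; then
        echo "no 00:07/00:09 entries found in $conf" >&2
        return 1
    fi
    if [ "$b07" != "$b09" ]; then
        echo "00:07 ($b07) and 00:09 ($b09) differ in $conf" >&2
        rc=1
    fi
    if [ "$b07" != "shim.efi" ]; then
        echo "UEFI clients still receive $b07, not shim.efi: secure boot chain not in place" >&2
        rc=1
    fi

    # shim, grub and the rendered grub.cfg must all be in the same directory,
    # because each stage loads the next one relative to where it was loaded from.
    for f in "$b07" grub.efi grub.cfg; do
        if [ ! -s "$tftpdir/$f" ]; then
            echo "missing or empty: $tftpdir/$f" >&2
            rc=1
        fi
    done

    # grub.cfg must be the rendered file, not the .ww template: a leftover
    # "{{" means 'wwctl overlay build -H' has not been run after editing.
    if [ -s "$tftpdir/grub.cfg" ] && grep -q '{{' "$tftpdir/grub.cfg"; then
        echo "$tftpdir/grub.cfg still contains template markers" >&2
        rc=1
    fi
    return $rc
}

# check_signed FILE -> 0 if sbverify is installed and FILE carries an
# Authenticode signature, 1 if unsigned, 2 if sbverify is not available.
check_signed() {
    command -v sbverify >/dev/null 2>&1 || return 2
    sbverify --list "$1" >/dev/null 2>&1
}

# Stand-alone use against the paths from the text: ./check.sh --run
if [ "${1:-}" = "--run" ]; then
    if check_boot_chain /srv/tftpboot/warewulf /etc/warewulf/warewulf.conf; then
        echo "boot chain OK"
    fi
    for f in shim.efi grub.efi; do
        check_signed "/srv/tftpboot/warewulf/$f"; st=$?
        if [ "$st" -eq 2 ]; then
            echo "sbverify not installed, skipping signature check"
            break
        elif [ "$st" -eq 0 ]; then
            echo "$f: signed"
        else
            echo "$f: NOT signed (firmware will refuse it with secure boot enabled)"
        fi
    done
fi
```

A signed file only proves that some signature is present; whether the firmware accepts it depends on the Microsoft UEFI CA (for shim) and the vendor certificate embedded in shim (for grub), which is exactly the vendor lock described in the section on choosing the bootloader.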

Known problems

With this configuration only openSUSE/SUSE can be booted, as the shim is taken from that distribution. Also, the kernel command line is statically configured in grub.cfg.ww and is therefore the same for every node.