From: Fabian Grünbichler
To: pve-devel@lists.proxmox.com
Date: Wed, 22 Nov 2023 09:54:53 +0100
Message-Id: <20231122085453.132188-1-f.gruenbichler@proxmox.com>
Subject: [pve-devel] [PATCH docs] boot: add Secure Boot information

and refer to the (updated) wiki article for more in-depth explanations.

Signed-off-by: Fabian Grünbichler
--- local-zfs.adoc | 6 +++++- system-booting.adoc | 42 +++++++++++++++++++++++++++++++++++++----- 2 files changed, 42 insertions(+), 6 deletions(-) diff --git a/local-zfs.adoc b/local-zfs.adoc index b711f72..63de884 100644 --- a/local-zfs.adoc +++ b/local-zfs.adoc @@ -524,13 +524,17 @@ process of the new disk has progressed. ---- # proxmox-boot-tool format -# proxmox-boot-tool init +# proxmox-boot-tool init [grub] ---- NOTE: `ESP` stands for EFI System Partition, which is setup as partition #2 on bootable disks setup by the {pve} installer since version 5.4. For details, see xref:sysboot_proxmox_boot_setup[Setting up a new partition for use as synced ESP]. +NOTE: make sure to pass 'grub' as mode to `proxmox-boot-tool init` if +`proxmox-boot-tool status` indicates your current disks are using Grub, +especially if Secure Boot is enabled! + .With plain `grub`: ---- diff --git a/system-booting.adoc b/system-booting.adoc index 0b32810..7c2b026 100644 --- a/system-booting.adoc +++ b/system-booting.adoc 
@@ -9,8 +9,9 @@ endif::wiki[] selected in the installer. For EFI Systems installed with ZFS as the root filesystem `systemd-boot` is -used. All other deployments use the standard `grub` bootloader (this usually -also applies to systems which are installed on top of Debian). +used, unless Secure Boot is enabled. All other deployments use the standard +`grub` bootloader (this usually also applies to systems which are installed on +top of Debian). [[sysboot_installer_part_scheme]] @@ -30,9 +31,10 @@ The created partitions are: used for the chosen storage type Systems using ZFS as root filesystem are booted with a kernel and initrd image -stored on the 512 MB EFI System Partition. For legacy BIOS systems, `grub` is -used, for EFI systems `systemd-boot` is used. Both are installed and configured -to point to the ESPs. +stored on the 512 MB EFI System Partition. For legacy BIOS systems, and EFI +systems with Secure Boot enabled, `grub` is used, for EFI systems without +Secure Boot, `systemd-boot` is used. Both are installed and configured to point +to the ESPs. `grub` in BIOS mode (`--target i386-pc`) is installed onto the BIOS Boot Partition of all selected disks on all systems booted with `grub` @@ -100,6 +102,15 @@ To setup an existing, unmounted ESP located on `/dev/sda2` for inclusion in # proxmox-boot-tool init /dev/sda2 ---- +or + +---- +# proxmox-boot-tool init /dev/sda2 grub +---- + +to force initialization with Grub instead of systemd-boot, for example for +Secure Boot support. + Afterwards `/etc/kernel/proxmox-boot-uuids` should contain a new line with the UUID of the newly added partition. The `init` command will also automatically trigger a refresh of all configured ESPs. 
@@ -359,3 +370,24 @@ systems if you call the tool interactively. ---- # proxmox-boot-tool refresh ---- + +[[sysboot_secure_boot]] +Secure Boot +~~~~~~~~~~~ + +Since {pve} 8.1, Secure Boot is supported out of the box via signed packages +and integration in `proxmox-boot-tool`. + +The following packages need to be installed for Secure Boot to be enabled: + +- shim-signed (shim bootloader signed by Microsoft) +- shim-helpers-amd64-signed (fallback bootloader and MOKManager, signed by Proxmox) +- grub-efi-amd64-signed (Grub EFI bootloader, signed by Proxmox) +- proxmox-kernel-6.X.Y-Z-pve-signed (Kernel image, signed by Proxmox) + +Only Grub as bootloader is supported out of the box, since there are no other +pre-signed bootloader packages available. Any new installation of {pve} will +automatically have all of the above packages included. + +More details about how Secure Boot works, and how to customize the setup, are +available in https://pve.proxmox.com/wiki/Secure_Boot_Setup[our wiki]. -- 2.39.2
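Review bot: The added NOTE in the local-zfs.adoc hunk starts lowercase ("NOTE: make sure ...") and writes "Grub" where the rest of this file uses the backticked `grub`; suggest "NOTE: Make sure to pass `grub` as mode to `proxmox-boot-tool init` if `proxmox-boot-tool status` indicates your current disks are using `grub`, especially if Secure Boot is enabled." The `[grub]` bracket in the listing is also never explained in this hunk, so a cross-reference such as xref:sysboot_secure_boot[Secure Boot] (the anchor this patch introduces in system-booting.adoc) would tell the reader why the mode matters.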
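Review bot: In the @@ -9,8 hunk of system-booting.adoc, "`systemd-boot` is used, unless Secure Boot is enabled" leaves it implicit what is used when Secure Boot is enabled; the following sentence ("All other deployments use the standard `grub` bootloader") covers it only by inference. Suggest stating it directly: "`systemd-boot` is used, unless Secure Boot is enabled, in which case `grub` is used."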
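Review bot: The rewritten sentence in the @@ -30,9 hunk of system-booting.adoc is a comma splice: "... `grub` is used, for EFI systems without Secure Boot, `systemd-boot` is used." Suggest splitting it: "For legacy BIOS systems, and EFI systems with Secure Boot enabled, `grub` is used. For EFI systems without Secure Boot, `systemd-boot` is used."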
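Review bot: The new paragraph in the @@ -100,6 hunk of system-booting.adoc ("to force initialization with Grub instead of systemd-boot") should use the backticked `grub` and `systemd-boot` as the rest of the file does, and "for example for Secure Boot support" reads better as "for example to enable Secure Boot support". Since this is the only place in the manual that documents the optional mode argument of `proxmox-boot-tool init`, consider linking to xref:sysboot_secure_boot[Secure Boot] here so the reader knows when the argument is needed.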
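Review bot: The new Secure Boot section in the @@ -359,3 hunk lists the packages that "need to be installed" but only says that new installations ship them; it does not say what a system installed before {pve} 8.1 has to do (whether the packages are pulled in on upgrade or must be installed by hand), which is exactly the situation the local-zfs.adoc NOTE about re-running `proxmox-boot-tool init` with `grub` is written for. A sentence covering the upgrade path, or an explicit statement that the linked wiki article covers it, would close that gap. Minor: "Only Grub as bootloader is supported" and the package descriptions use "Grub" while the rest of the file uses `grub`, and `proxmox-kernel-6.X.Y-Z-pve-signed` would be clearer with a short note that 6.X.Y-Z stands for the installed kernel version.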