SecureBoot for OpenNebula disk images

[mcanevet]

I'm trying to understand how SecureBoot disk images work for VM-based platforms and want to confirm a couple of things before going further.

Question 1: Is SecureBootSupported: true in pkg/machinery/platforms/platforms.go what controls whether the factory exposes a SecureBoot disk image option for a given platform? OpenNebula currently does not have this flag. Is that why there is no SecureBoot disk image variant for OpenNebula in the factory?

Question 2: Even for platforms that do have SecureBootSupported: true (e.g. nocloud, cloudstack), does the resulting disk image include SecureBoot enrollment databases? My reading of the code is that it does not, that a SecureBoot disk image assumes keys are already pre-enrolled in the UEFI firmware, unlike secureboot-iso which bundles the databases and uses secure-boot-enroll: if-safe in loader.conf to auto-enroll on first boot. Is that correct?

Background: I'm running OpenNebula with QEMU/KVM and OVMF with an empty NVRAM (UEFI setup mode, no Platform Key enrolled). The goal would be to deploy Talos VMs that auto-enroll SecureBoot keys on first boot, the same way secureboot-iso does for bare metal.

[smira]

Question 1: Is SecureBootSupported: true in pkg/machinery/platforms/platforms.go what controls whether the factory exposes a SecureBoot disk image option for a given platform? OpenNebula currently does not have this flag. Is that why there is no SecureBoot disk image variant for OpenNebula in the factory?

It just means it was reported to work, there is some documentation. Image Factory still allows you to pull a SecureBoot image for any platform.

Question 2: Even for platforms that do have SecureBootSupported: true (e.g. nocloud, cloudstack), does the resulting disk image include SecureBoot enrollment databases? My reading of the code is that it does not, that a SecureBoot disk image assumes keys are already pre-enrolled in the UEFI firmware, unlike secureboot-iso which bundles the databases and uses secure-boot-enroll: if-safe in loader.conf to auto-enroll on first boot. Is that correct?

Disk images have auto-enrollment disabled, yes, keys should be enrolled into the firmware.

[mcanevet]

Interesting, when I try to generate a nocloud or cloudstack image, I can indeed select the SecureBoot flavor
, but not when trying to generate an opennebula one:

So that matches the SecureBootSupported field in pkg/machinery/platforms/platforms.go.

Also, would you be open for a contribution that allows auto-enrollment for image-based installation (like there is for ISO-based installation)?

[smira]

Image Factory is an API, UI is just a thin layer on top of it.

Use the API to get an image you need.

Auto-enrollment for images I think is not supported by systemd-boot.

[frezbo]

see #12568

[mcanevet]

Thank you for clarifying this point. I could indeed get the secureboot flavor for OpenNebula.
I didn't find the other discussion in my research (probably because it does not contain the word "SecureBoot", only "Secure Boot"), I'll close that one and continue the discussion on the other one.