
🌱 spike: lifecycle for static measured boot #1152

Closed
Tracked by #347 ...
mudler opened this issue Mar 16, 2023 · 6 comments

mudler (Member) commented Mar 16, 2023

try to have static measured boot with our UKI images manually by taking notes of the steps

@mudler mudler mentioned this issue Mar 16, 2023
27 tasks
@mudler mudler changed the title spike: lifecycle for static measured boot 🌱 spike: lifecycle for static measured boot Mar 16, 2023
mudler (Member, Author) commented Mar 16, 2023

Blocked by #1150

jimmykarily (Contributor) commented:

Desired output of this spike:

  • steps that reproduce the lifecycle even if it requires manual commands and such (will be later implemented through kairos)
  • some notes|docs|images that describe the process

Itxaka (Member) commented Dec 4, 2023

Script to build and generate a UKI ISO measured with our TEST keys, NOT READY FOR PRODUCTION, ONLY FOR TESTING

Fixes to the agent to encrypt OEM, PERSISTENT on UKI install and enroll the TPM keys:

Install was already done in the agent (kairos-agent uki install --device XXX) but it was missing the auto encryption.
With the patches provided, we can build a test ISO from kairos directly, and the agent will make sure to encrypt those partitions so it's impossible to touch (kernel+initramfs signed with our TEST keys, OEM and PERSISTENT only unlock if kernel+initrd signatures are valid) as long as Secure Boot is enabled.

Immucore changes to the UKI path to auto-unlock the partitions were already merged in kairos-io/immucore#191

Itxaka (Member) commented Dec 4, 2023

Missing:

  • Upgrade path

Potential problems:

  • signatures changing... no boot
  • New TPM measurements have to be added to the LUKS volumes (so key0 would be the current system, key1 the new one) to be able to unlock them after upgrade. This is the one that has the most potential for failure. Not sure if we can enroll an extra key without the original password. So this may be a blocker.
    The thing is, we first create the LUKS partition with a random key, add the TPM measurements as an extra key to unlock it and then remove the password from the LUKS partition so it's only unlockable via TPM measurements. But I'm not sure the enroll key feature from systemd supports using TPM as a key to add a new key. If it only accepts a password to enroll a new key we are screwed.

Itxaka (Member) commented Dec 13, 2023

workflow that builds our UKI with measurements: #2028
This builds an ISO with systemd-boot (bootloader), our UKI file, a loader.conf (for the bootloader) and a kairos-VERSION.conf (for the bootloader as well).
This also has the possibility of building OCI artifacts used for upgrade or, potentially in the future, to generate ISOs with auroraboot.
All files are signed with our test keys.
Files are also measured.
UKI ISOs are tested via our test workflow for correct use.
The workflow uses a firmware with SECUREBOOT enabled to test that we are signing them correctly.
The tests check for secureboot to be enabled.
This uses our TEST keys and TEST signatures for signing and measurements. THESE ARTIFACTS ARE NOT TO BE USED ANYWHERE BUT IN TESTING. Those keys are currently public, so using those artifacts for anything other than development is a huge security issue.
Release workflow is to be discussed and implemented as we need to agree how to manage our keys.
Release workflow for end users to generate their ISOs/artifacts with private keys is to be discussed.

On the agent, during UKI install, this is done via the subcommand kairos-agent uki install; the code is here: https://github.com/kairos-io/kairos-agent/blob/main/pkg/uki/install.go

On boot, immucore unlocks the partitions via kcrypt.UnlockAll before mounting them: https://github.com/kairos-io/kcrypt/blob/main/pkg/lib/unlock.go#L18

  • This just calls /usr/lib/systemd/systemd-cryptsetup attach VOLUME DEVICE - tpm2-device=auto and it automatically uses the TPM values to unlock them
  • TPM values used are:
    • 7: secureboot state
    • 8: cmdline
    • 9: initrd measurement
      We should probably move to use PCR 7+11 as that contains the full measurement of kernel image, initrd image, boot splash, devicetree database, and the embedded command line.

Upgrade is currently ongoing in the following PR: kairos-io/kairos-agent#182
but from a bird's-eye view, it just does:

  • mount EFI partition as RW
  • Check for enough space in the upgrade (to be implemented)
  • Check how many uki files are there already (to be implemented)
  • Remove older files if we are over the max versions allowed (to be implemented)
  • Dump the upgrade source into EFI partition (artifact contains the correct tree to just extract it there, implemented and tested working)
  • Add the new measurements as unlock keys for OEM and PERSISTENT (not implemented, current work; this is so we can unlock with the measurements of the current system and the upgraded system, as the measurements will change, otherwise we have no access to the encrypted partitions anymore)
  • done
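The failure mode flagged twice in this thread (the key0/key1 enrolment in the Dec 4 comment and the "otherwise we have no access to the encrypted partitions anymore" step above) comes down to PCR arithmetic: a PCR is a SHA-256 hash chain over the measured boot components, so a changed initrd produces a different PCR 9 and the sealed LUKS key no longer unlocks. The following Go program is an added illustration written for this page; it is not code from kairos-agent, kcrypt, immucore or systemd. It models TPM2_PCR_Extend on the SHA-256 bank, simplifies the TPM2_PolicyPCR binding to a hash over the selected PCRs, uses constructed stand-in bytes for the cmdline and initrd, and assumes (as the thread hopes) that a second policy can be enrolled before the reboot into the upgraded system.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// pcrExtend models TPM2_PCR_Extend on the SHA-256 bank:
// new = SHA256(old || digest); every PCR starts as 32 zero bytes.
func pcrExtend(pcr, digest []byte) []byte {
	h := sha256.New()
	h.Write(pcr)
	h.Write(digest)
	return h.Sum(nil)
}

// predictPCR replays the measurements of a sequence of boot components into
// one PCR, the way a pre-computation tool predicts the PCR of an image that
// has not booted yet. Each component is measured as the SHA-256 of its bytes.
func predictPCR(components ...[]byte) []byte {
	pcr := make([]byte, sha256.Size)
	for _, c := range components {
		d := sha256.Sum256(c)
		pcr = pcrExtend(pcr, d[:])
	}
	return pcr
}

// bootPCRs returns the PCRs this thread relies on: 7 (Secure Boot state,
// modeled here as one constant "enabled" event), 8 (cmdline) and 9 (initrd).
func bootPCRs(cmdline, initrd []byte) map[int][]byte {
	return map[int][]byte{
		7: predictPCR([]byte("SecureBoot=1")),
		8: predictPCR(cmdline),
		9: predictPCR(initrd),
	}
}

// policyDigest binds a key slot to the selected PCR values (index || value).
// A real TPM uses TPM2_PolicyPCR; the binding semantics are the same.
func policyDigest(pcrs map[int][]byte, selection []int) []byte {
	h := sha256.New()
	for _, i := range selection {
		h.Write([]byte{byte(i)})
		h.Write(pcrs[i])
	}
	return h.Sum(nil)
}

// luksSlots stands in for the LUKS2 keyslots: one enrolled policy per slot
// (key0 = current system, key1 = upgraded system).
type luksSlots struct{ policies [][]byte }

func (l *luksSlots) enroll(p []byte) { l.policies = append(l.policies, p) }

// canUnlock is true when the booted system's PCRs satisfy any enrolled slot.
func (l *luksSlots) canUnlock(measured map[int][]byte, selection []int) bool {
	want := policyDigest(measured, selection)
	for _, p := range l.policies {
		if bytes.Equal(p, want) {
			return true
		}
	}
	return false
}

// selection is the PCR set the thread currently uses (7, 8, 9).
var selection = []int{7, 8, 9}

// upgradeLifecycle walks the thread's scenario: unlock on the current
// system, unlock after upgrade without enrolling the new measurements,
// unlock after enrolling them as key1, and unlock with a tampered initrd.
// All inputs are constructed stand-ins, not real images.
func upgradeLifecycle() (before, withoutEnroll, withEnroll, tampered bool) {
	cmdline := []byte("console=ttyS0 rd.immucore.uki") // constructed
	initrdV1 := []byte("constructed initrd v1")
	initrdV2 := []byte("constructed initrd v2")

	slots := &luksSlots{}
	slots.enroll(policyDigest(bootPCRs(cmdline, initrdV1), selection)) // key0

	before = slots.canUnlock(bootPCRs(cmdline, initrdV1), selection)
	withoutEnroll = slots.canUnlock(bootPCRs(cmdline, initrdV2), selection)

	// The upgrade step from the thread: add key1 before rebooting into v2.
	slots.enroll(policyDigest(bootPCRs(cmdline, initrdV2), selection))
	withEnroll = slots.canUnlock(bootPCRs(cmdline, initrdV2), selection)

	tampered = slots.canUnlock(bootPCRs(cmdline, []byte("constructed initrd v2, modified")), selection)
	return
}

func main() {
	b, wo, w, t := upgradeLifecycle()
	fmt.Printf("unlock v1: %v, v2 without enroll: %v, v2 with enroll: %v, tampered: %v\n", b, wo, w, t)
}
```

The second result is the post-upgrade lockout, the third is what enrolling key1 buys, and the fourth shows that keeping both slots does not weaken the binding: an initrd that differs from either enrolled version still fails. Moving to PCR 7+11, as suggested above, changes which components feed predictPCR, not this logic.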

Itxaka (Member) commented Jan 8, 2024

this is done, specific cards are set for other tasks

@Itxaka Itxaka closed this as completed Jan 8, 2024
@mudler mudler mentioned this issue Jan 10, 2024
23 tasks