Supermicro AS-1115CS-TNR

Source: Imre kasutab arvutit

Introduction

TODO

Secure Boot

Principle of operation

To prepare the physical platform, the following must be done in the BIOS environment:

  • the computer is in pure UEFI mode, i.e. CSM and similar legacy/compatibility modes are switched off
  • the computer holds no Secure Boot cryptographic material, i.e. the firmware reports that it is in the so-called 'Setup mode'
  • generate the so-called factory key material (i.e. Microsoft based; the alternative would be to use material tied to your own specific solution, e.g. using an exotic bootloader such as rEFInd and deriving a hash from its .efi application, etc.)
  • switch Secure Boot to 'User mode'
  • the computer has Proxmox PVE installed and uses ZFS for storage
root@pve-npl-01:~# cat /proc/cmdline
initrd=\EFI\proxmox\6.17.13-2-pve\initrd.img-6.17.13-2-pve root=ZFS=rpool/ROOT/pve-1 boot=zfs

Claims

  • if the operating system side has been prepared for Secure Boot, it also works on a platform where Secure Boot is switched off; the reverse does not work

Preparing the operating system

The starting point is a hardware platform that also lacks any Secure Boot related cryptographic material; seen from the operating system this looks as follows

# mokutil --sb-state
Setup mode
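The 'Setup mode' / 'SecureBoot enabled' answer that mokutil prints comes from two UEFI global variables exposed through efivarfs. The following POSIX sh functions, an added example rather than code from the page or from mokutil, decode them the same way; the efivars directory is a parameter so the check can be run against constructed files, and the GUID is the standard EFI_GLOBAL_VARIABLE vendor GUID.

```shell
#!/bin/sh
# Added example: report the Secure Boot state by reading efivarfs directly.
# efivarfs files are 4 bytes of attributes followed by the variable data.

# Print the first data byte of the efivarfs file $1 as a decimal number.
efivar_data_byte() {
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# Print "Setup mode", "SecureBoot enabled" or "SecureBoot disabled".
# $1 is the efivars directory (defaults to the live system path).
sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    guid=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE
    [ -d "$dir" ] || { echo "no efivarfs: not booted via UEFI"; return 1; }
    setup=$(efivar_data_byte "$dir/SetupMode-$guid")
    secure=$(efivar_data_byte "$dir/SecureBoot-$guid")
    if [ "$setup" = "1" ]; then
        # No PK enrolled: the platform accepts any loader, Secure Boot is off.
        echo "Setup mode"
    elif [ "$secure" = "1" ]; then
        echo "SecureBoot enabled"
    else
        echo "SecureBoot disabled"
    fi
}

# Run against the live system when executed directly with no arguments.
[ "$#" -eq 0 ] && [ "${0##*/}" != "sh" ] && sb_state
```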

Preparing the operating system depends on the operating system; with Proxmox PVE v. 8, for example, the systemd-boot bootloader must not be used but rather the GRUB variant. In practice the bootloader is handled in either case with the proxmox-boot-tool utility.

Starting point

root@pve-npl-01:~# proxmox-boot-tool status
Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
System currently booted with uefi
675C-5F13 is configured with: uefi (versions: 6.17.13-2-pve, 6.17.9-1-pve)
675D-76D7 is configured with: uefi (versions: 6.17.13-2-pve, 6.17.9-1-pve)

and

root@pve-npl-01:~# efibootmgr
BootCurrent: 0007
Timeout: 1 seconds
BootOrder: 0007,0000,0008,0009,0002,0003,0004,0005,0001
Boot0000* Linux Boot Manager	HD(2,GPT,e27b6fcc-7ef3-4c4b-b4fb-8d4977b7c567,0x800,0x200000)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0001* UEFI: Built-in EFI Shell	VenMedia(5023b95c-db26-429b-a648-bd47664c8012)0000424f
Boot0002* (B129/D0/F0) UEFI PXE IPv4 Mellanox Network Adapter - 90:5A:08:A3:18:D0(MAC:905a08a318d0)	PciRoot(0x2)/Pci(0x1,0x1)/Pci(0x0,0x0)/MAC(905a08a318d0,1)/IPv4(0.0.0.00.0.0.0,0,0)0000424f
Boot0003* (B129/D0/F1) UEFI PXE IPv4 Mellanox Network Adapter - 90:5A:08:A3:18:D1(MAC:905a08a318d1)	PciRoot(0x2)/Pci(0x1,0x1)/Pci(0x0,0x1)/MAC(905a08a318d1,1)/IPv4(0.0.0.00.0.0.0,0,0)0000424f
Boot0004* (B129/D0/F0) UEFI PXE IPv6 Mellanox Network Adapter - 90:5A:08:A3:18:D0(MAC:905a08a318d0)	PciRoot(0x2)/Pci(0x1,0x1)/Pci(0x0,0x0)/MAC(905a08a318d0,1)/IPv6([::]:<->[::]:,0,0)0000424f
Boot0005* (B129/D0/F1) UEFI PXE IPv6 Mellanox Network Adapter - 90:5A:08:A3:18:D1(MAC:905a08a318d1)	PciRoot(0x2)/Pci(0x1,0x1)/Pci(0x0,0x1)/MAC(905a08a318d1,1)/IPv6([::]:<->[::]:,0,0)0000424f
Boot0007* Linux Boot Manager	HD(2,GPT,aad6e4ea-8dbf-4b67-9a53-8342678e6bb5,0x800,0x200000)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0008* UEFI OS	HD(2,GPT,aad6e4ea-8dbf-4b67-9a53-8342678e6bb5,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)0000424f
Boot0009* UEFI OS	HD(2,GPT,e27b6fcc-7ef3-4c4b-b4fb-8d4977b7c567,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)0000424f

Installation and bootloader replacement

root@pve-npl-01:~# apt-get install proxmox-secure-boot-support


root@pve-npl-01:~# proxmox-boot-tool format /dev/nvme0n1p2
UUID="675D-76D7" SIZE="1073741824" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" PKNAME="nvme0n1" MOUNTPOINT=""
E: '/dev/nvme0n1p2' contains a filesystem ('vfat') - exiting (use --force to override)
root@pve-npl-01:~# proxmox-boot-tool format /dev/nvme0n1p2  --force
UUID="675D-76D7" SIZE="1073741824" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" PKNAME="nvme0n1" MOUNTPOINT=""
Formatting '/dev/nvme0n1p2' as vfat..
mkfs.fat 4.2 (2021-01-31)
Done.
root@pve-npl-01:~# proxmox-boot-tool format /dev/nvme1n1p2  --force
UUID="675C-5F13" SIZE="1073741824" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" PKNAME="nvme1n1" MOUNTPOINT=""
Formatting '/dev/nvme1n1p2' as vfat..
mkfs.fat 4.2 (2021-01-31)
Done.

root@pve-npl-01:~# proxmox-boot-tool init /dev/nvme0n1p2 grub
root@pve-npl-01:~# proxmox-boot-tool init /dev/nvme1n1p2 grub

root@pve-npl-01:~# proxmox-boot-tool status
Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
System currently booted with uefi
WARN: /dev/disk/by-uuid/675C-5F13 does not exist - clean '/etc/kernel/proxmox-boot-uuids'! - skipping
WARN: /dev/disk/by-uuid/675D-76D7 does not exist - clean '/etc/kernel/proxmox-boot-uuids'! - skipping
F497-B3A9 is configured with: grub (versions: 6.17.13-2-pve, 6.17.9-1-pve)
F509-1B45 is configured with: grub (versions: 6.17.13-2-pve, 6.17.9-1-pve)
root@pve-npl-01:~# cat /etc/kernel/proxmox-boot-uuids
675C-5F13
675D-76D7
F497-B3A9
F509-1B45
root@pve-npl-01:~# vi /etc/kernel/proxmox-boot-uuids
root@pve-npl-01:~# cat /etc/kernel/proxmox-boot-uuids
F497-B3A9
F509-1B45

root@pve-npl-01:~# proxmox-boot-tool refresh

root@pve-npl-01:~# efibootmgr
BootCurrent: 0007
Timeout: 1 seconds
BootOrder: 0006,0007,0000,0008,0009,0002,0003,0004,0005,0001
Boot0000* Linux Boot Manager	HD(2,GPT,e27b6fcc-7ef3-4c4b-b4fb-8d4977b7c567,0x800,0x200000)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0001* UEFI: Built-in EFI Shell	VenMedia(5023b95c-db26-429b-a648-bd47664c8012)0000424f
Boot0002* (B129/D0/F0) UEFI PXE IPv4 Mellanox Network Adapter - 90:5A:08:A3:18:D0(MAC:905a08a318d0)	PciRoot(0x2)/Pci(0x1,0x1)/Pci(0x0,0x0)/MAC(905a08a318d0,1)/IPv4(0.0.0.00.0.0.0,0,0)0000424f
Boot0003* (B129/D0/F1) UEFI PXE IPv4 Mellanox Network Adapter - 90:5A:08:A3:18:D1(MAC:905a08a318d1)	PciRoot(0x2)/Pci(0x1,0x1)/Pci(0x0,0x1)/MAC(905a08a318d1,1)/IPv4(0.0.0.00.0.0.0,0,0)0000424f
Boot0004* (B129/D0/F0) UEFI PXE IPv6 Mellanox Network Adapter - 90:5A:08:A3:18:D0(MAC:905a08a318d0)	PciRoot(0x2)/Pci(0x1,0x1)/Pci(0x0,0x0)/MAC(905a08a318d0,1)/IPv6([::]:<->[::]:,0,0)0000424f
Boot0005* (B129/D0/F1) UEFI PXE IPv6 Mellanox Network Adapter - 90:5A:08:A3:18:D1(MAC:905a08a318d1)	PciRoot(0x2)/Pci(0x1,0x1)/Pci(0x0,0x1)/MAC(905a08a318d1,1)/IPv6([::]:<->[::]:,0,0)0000424f
Boot0006* proxmox	HD(2,GPT,e27b6fcc-7ef3-4c4b-b4fb-8d4977b7c567,0x800,0x200000)/File(\EFI\proxmox\shimx64.efi)
Boot0007* Linux Boot Manager	HD(2,GPT,aad6e4ea-8dbf-4b67-9a53-8342678e6bb5,0x800,0x200000)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0008* UEFI OS	HD(2,GPT,aad6e4ea-8dbf-4b67-9a53-8342678e6bb5,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)0000424f
Boot0009* UEFI OS	HD(2,GPT,e27b6fcc-7ef3-4c4b-b4fb-8d4977b7c567,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)0000424f
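After re-formatting the ESPs, proxmox-boot-tool status warned that the old UUIDs 675C-5F13 and 675D-76D7 no longer exist and the file /etc/kernel/proxmox-boot-uuids had to be cleaned by hand. The POSIX sh functions below are an added example (not code from the page or from proxmox-boot-tool) that automate that audit: they list the stale entries, prune them, and confirm that each ESP carries the shimx64.efi the new 'proxmox' boot entry points to. File and directory paths are parameters so the functions can be exercised offline against constructed fixtures.

```shell
#!/bin/sh
# Added example: audit /etc/kernel/proxmox-boot-uuids after an ESP re-format.

# Print the UUIDs listed in $1 (the proxmox-boot-uuids file) that have no
# device node under $2 (normally /dev/disk/by-uuid). These are exactly the
# entries behind the "does not exist - clean ..." warnings from
# proxmox-boot-tool status.
stale_boot_uuids() {
    uuids_file=$1; by_uuid_dir=$2
    while IFS= read -r uuid || [ -n "$uuid" ]; do
        [ -z "$uuid" ] && continue
        [ -e "$by_uuid_dir/$uuid" ] || printf '%s\n' "$uuid"
    done < "$uuids_file"
}

# Rewrite $1 keeping only UUIDs that still exist under $2; print the number
# of entries removed. Use this instead of editing the file with vi.
prune_boot_uuids() {
    uuids_file=$1; by_uuid_dir=$2
    tmp=$(mktemp)
    removed=0
    while IFS= read -r uuid || [ -n "$uuid" ]; do
        [ -z "$uuid" ] && continue
        if [ -e "$by_uuid_dir/$uuid" ]; then
            printf '%s\n' "$uuid" >> "$tmp"
        else
            removed=$((removed + 1))
        fi
    done < "$uuids_file"
    mv "$tmp" "$uuids_file"
    echo "$removed"
}

# Succeed when the ESP mounted at $1 carries the signed shim that the
# efibootmgr entry "proxmox ... \EFI\proxmox\shimx64.efi" loads.
esp_has_shim() {
    [ -f "$1/EFI/proxmox/shimx64.efi" ]
}

# Live usage: ./audit-esp.sh /etc/kernel/proxmox-boot-uuids /dev/disk/by-uuid
if [ "$#" -eq 2 ]; then
    echo "stale entries:"; stale_boot_uuids "$1" "$2"
fi
```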

After enabling Secure Boot in the BIOS/setup environment

root@pve-npl-01:~# efibootmgr
BootCurrent: 0006
Timeout: 1 seconds
BootOrder: 0006,0008,0009
Boot0006* proxmox	HD(2,GPT,e27b6fcc-7ef3-4c4b-b4fb-8d4977b7c567,0x800,0x200000)/File(\EFI\proxmox\shimx64.efi)
Boot0008* UEFI OS	HD(2,GPT,aad6e4ea-8dbf-4b67-9a53-8342678e6bb5,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)0000424f
Boot0009* UEFI OS	HD(2,GPT,e27b6fcc-7ef3-4c4b-b4fb-8d4977b7c567,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)0000424f

root@pve-npl-01:~# mokutil --sb-state
SecureBoot enabled

Generating the platform cryptographic material

The platform means the UEFI component that is part of the computer hardware. Here we focus on the usual solution based on the so-called Microsoft key material, i.e. a Microsoft certificate etc. exists somewhere in the system and is placed where the UEFI firmware can use it. To make this happen, select in the BIOS environment

Security -> TODO

Switching the system to User mode

In the BIOS environment, select

Security -> TODO

Verifying the result

TODO

# mokutil --sb-state
SecureBoot enabled

TODO

Useful additional materials

Watchdog

TODO

Firmware update - BIOS

TODO

Firmware update - BMC

TODO

Network

root@pve-npl-01:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto nic0

# directly to syno
auto nic1
iface nic1 inet manual
        ovs_type OVSPort
        ovs_bridge vmbr0
	ovs_mtu 9000
        ovs_options trunks=520

# usw port
auto nic2
iface nic2 inet manual
        ovs_type OVSPort
        ovs_bridge vmbr0
	ovs_mtu 9000
        ovs_options trunks=506,509

auto vlan506
iface vlan506 inet static
	address 10.0.6.17/24
        ovs_type OVSIntPort
        ovs_bridge vmbr0
        ovs_options tag=506
        ovs_mtu 9000

auto vlan509
iface vlan509 inet static
	address 10.0.9.17/24
	gateway 10.0.9.1
        ovs_type OVSIntPort
        ovs_bridge vmbr0
        ovs_options tag=509
        ovs_mtu 9000

auto vlan520
iface vlan520 inet static
	address 10.0.20.17/24
        ovs_type OVSIntPort
        ovs_bridge vmbr0
        ovs_options tag=520
        ovs_mtu 9000

auto vlan521
iface vlan521 inet static
	address 10.0.21.17/24
        ovs_type OVSIntPort
        ovs_bridge vmbr0
        ovs_options tag=521
        ovs_mtu 9000

auto vmbr0
iface vmbr0 inet manual
        ovs_type OVSBridge
        ovs_ports nic1 nic2 vlan506 vlan509 vlan520 vlan521
        ovs_mtu 9000

Useful additional materials

  • TODO