红帽全球峰会5.3. 使用自定义 RHEL 镜像使用安全引导配置 RHEL 实例
要确保 Google Cloud Platform (GCP)上的 Red Hat Enterprise Linux 实例有安全的操作系统引导过程,请使用安全引导。当注册自定义 RHEL GCP 镜像时,镜像由安全引导的预存储统一固件接口(UEFI)变量组成。这可让从 RHEL 镜像启动的所有实例都使用带有第一次引导时所需的变量的安全引导机制。您可以通过在 SecureBoot DB 中包括自定义证书来配置 RHEL 实例,以便您可以签署自定义工件,如第三方内核模块和统一内核镜像(UKI)附加组件。
先决条件
- 您已创建了并上传 RHEL GCP 镜像。详情请参阅 将镜像上传到 GCP。
您已安装了以下软件包:
-
python3 -
efivar -
keyutils -
openssl -
python3-virt-firmware
-
-
您已安装了
google-cloud-cli工具。详情请参阅在 RHEL 上安装 gcloud CLI。
流程
创建新的随机通用唯一标识符(UUID),并将其存储在生成的随机文本文件中:
uuidgen --random > GUID.txt
$ uuidgen --random > GUID.txtCopy to Clipboard Copied! Toggle word wrap Toggle overflow 为平台密钥数据库生成一个新的 RSA 私钥
PK.key和自签名 X.509 证书PK.cer:Copy to Clipboard Copied! Toggle word wrap Toggle overflow openssl工具通过将输出格式设置为可辨识的编码规则(DER)来为证书生成一个通用名称平台密钥。DER 是数据编码的标准化二进制格式。为密钥交换密钥数据库生成一个新的 RSA 私钥
KEK.key和自签名 X.509 证书KEK.cer:Copy to Clipboard Copied! Toggle word wrap Toggle overflow 生成自定义证书
custom_db.cer:Copy to Clipboard Copied! Toggle word wrap Toggle overflow 下载 Microsoft 证书:
wget https://go.microsoft.com/fwlink/p/?linkid=321194 --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -O MicCorUEFCA2011_2011-06-27.crt
$ wget https://go.microsoft.com/fwlink/p/?linkid=321194 --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" -O MicCorUEFCA2011_2011-06-27.crtCopy to Clipboard Copied! Toggle word wrap Toggle overflow 下载更新的禁止签名(
dbx) UEFI Revocation List File for 64 位系统:wget https://uefi.org/sites/default/files/resources/x64_DBXUpdate.bin
$ wget https://uefi.org/sites/default/files/resources/x64_DBXUpdate.binCopy to Clipboard Copied! Toggle word wrap Toggle overflow 使用
google-cloud-cli实用程序使用所需的安全引导变量从磁盘快照中创建并注册镜像:Copy to Clipboard Copied! Toggle word wrap Toggle overflow 在 Google Cloud 控制台中,使用
Turn on Security Boot功能启动example-rhel-10-efi-image镜像的实例。
验证
验证是否启用了安全引导:
mokutil --sb-state
$ mokutil --sb-state SecureBoot enabledCopy to Clipboard Copied! Toggle word wrap Toggle overflow 验证自定义证书的内核密钥环:
sudo keyctl list %:.platform
$ sudo keyctl list %:.platform ... 757453569: ---lswrv 0 0 asymmetric: Signature Database key: f064979641c24e1b935e402bdbc3d5c4672a1acc ...Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}