红帽全球峰会5.2. Configuring a RHEL VM on Azure with Secure Boot
To ensure that your Red Hat Enterprise Linux (RHEL) instance on the Azure cloud platform has a secured operating system booting process, use Secure Boot. When a custom RHEL Azure image is registered, the image consists of pre-stored Unified Extensible Firmware Interface (UEFI) variables for Secure Boot. This enables all the instances launched from the RHEL images to use the Secure Boot mechanism with the required variables on the first boot.
Microsoft Azure supports Secure Boot with Trusted Launch VMs. These VMs provide security mechanisms to protect against rootkits and bootkits, while providing additional features such as Virtual Trusted Platform Manager (vTPM). When creating an instance by using the GUI, you can find the Enable secure boot option under the Configure security features setting.
Prerequisites
You have installed the packages:
-
python3 -
openssl -
efivar -
keyutils -
python3-virt-firmware
-
-
You have installed the
azure-cliutility. For details, see Installing the Azure CLI on Linux.
Procedure
Generate a custom certificate
custom_db.cerby using theopensslutility:$ openssl req -quiet \ -newkey rsa:4096 \ -nodes -keyout custom_db.key \ -new -x509 \ -sha256 -days 3650 \ -subj "/CN=Signature Database key/" \ --outform DER \ -out custom_db.cerConvert the certificate into
base64-encoded format:$ echo base64 -w0 custom_db.cer MIIFIjCCAwqgAwIBAgITNf23J4k0d8c0NR ....Create and edit an
azure-example-template.jsonAzure Resource Manager (ARM) file for registering a new Azure Compute Gallery image version:$ vi azure-example-template.json { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [ { "type": "Microsoft.Compute/galleries/images/versions", "apiVersion": "2023-07-03", "name": "<your compute gallery/your image definition/version>", "location": "<location of the VHD>", "properties": { "storageProfile": { "osDiskImage": { "source": { "id": "<your-storage-account-id>", "uri": "<url-with-the-vhd>" }, "hostCaching": "ReadOnly" } }, "securityProfile": { "uefiSettings": { "signatureTemplateNames": [ "MicrosoftUefiCertificateAuthorityTemplate" ], "additionalSignatures": { "db": [ { "type": "x509", "value": [ "<base64 of custom_db.cer>" ] } ] } } } } } ] }Use the
azure-cliutility to register the image version:$ az deployment group create --name <example_deployment> \ --resource-group <example_resource_group> \ --template-file <example_template.json>- Reboot the instance from the Azure Portal.
Verification
Check if the newly created RHEL instance has Secure Boot enabled:
$ mokutil --sb-state SecureBoot enabledUse the
keyctlutility to verify the kernel keyring for the custom certificate:$ sudo keyctl list %:.platform keys in keyring: ... 586621657: ---lswrv 0 0 asymmetric: Signature Database key: f064979641c24e1b935e402bdbc3d5c4672a1acc ...
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}