There are now aarch64 systems that are shipping with secure boot enabled so we need to be able to sign all the parts of the boot path (shim/grub2/kernel) like we do on x86_64 now. To do this we need the infrastructure (HSM, smart cards etc) to be able to do this.
I'm not sure how the signing keys etc are set up, whether we already have enough smart cards etc so this is a ticket to cover all of the various HW/infrastructure components.
Sooner the better but somewhat flexible.
When is this no longer needed or useful? (YYYY/MM/DD)
If we cannot complete your request, what is the impact?
There's the possibility of being unable to run on some HW due to secure boot requirements.
Metadata Update from @bowlofeggs:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: request-for-resources
So, the bkernel x86_64 boxes are using smart card readers that attach via USB.
I do not know, but I suspect the moonshot chassis has no USB to connect to, so we would need to move to mustangs for building. Do they have USB?
@smooge do you know the hardware you got for this? We should be able to check the bkernel boxes.
We will then need @pjones to prep a smart card with the needed info on it and get it to us?
Yes, the mustang HW has USB onboard, we'd probably want to get SSDs for the ones we use though.
The signing smart card fits into a USB connector like this
I think the SSD item you are mentioning is for a different reason? As in "We can possibly take the SSD's out of the ARM calxeda's to put in Mustangs at the next visit?" versus an SSD being used inside a mustang for signing.
@smooge I understand the USB smart card. I meant SSD in the context of storage to replace the slow single HDDs currently in the mustangs to speed up builds. We could possibly use the ones in the calxeda, but I suspect they're already quite old.
Metadata Update from @smooge:
- Issue assigned to smooge
So, we can't really get more of the smart cards in question, but I've been investigating alternatives, and I think we can do this with yubikeys. Is there a strong preference in terms of form factor between yubikey and yubikey nano?
My first thought is to go with the nano just because they're harder to casually remove from machines, but obviously those of y'all who actually have to touch the hardware might have your own concerns either way that I'm not aware of.
Just another note here - I also have a preference for the nano because they don't have NFC.
Metadata Update from @smooge:
- Issue tagged with: security
I tagged this security so it gets on @puiterwijk queue
Sorry, I replied to @pjones on IRC, and nanos would be perfect.
Metadata Update from @kevin:
- Issue tagged with: backlog
So I think the latest update for this is that @pjones has provided the new signing HW to @kevin and it's awaiting a DC visit. I believe that HW should work with the new Lenovo aarch64 HW?
Next physical visit looks to be in June 2020 after we move the hardware to a new location.