Building secureboot assets using imager with own PK and KEK
#9035 (Unanswered). stereobutter asked this question in Q&A. 2 comments, 4 replies.
PK, KEK and friends are UEFI security database things, built to facilitate SecureBoot key enrollment. They are not used by Talos in any way. SecureBoot signer is important - it signs the UKI binary. Imager can auto-generate default PK, KEK and stuff for you, if you don't pass in paths to the files. If you pass in your files, it will use them and copy them to the ISO.
Looking at (part of) the `secureboot:` section of the profile:

```yaml
secureBootSigner:
  keyPath: /secureboot/uki-signing-key.pem
  certPath: /secureboot/uki-signing-cert.pem
pcrSigner:
  keyPath: /secureboot/pcr-signing-key.pem
platformKeyPath: /secureboot/PK.auth
keyExchangeKeyPath: /secureboot/KEK.auth
signatureKeyPath: /secureboot/db.auth
```
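The two comments above together describe the whole chain: a private PK signs the KEK enrollment, the KEK signs the db enrollment, the db must trust whatever certificate signs the UKI, and imager only consumes the resulting files through the profile fields shown. The script below is an added example (not code from the discussion or from the Talos project) that produces exactly those files with `openssl` and the `efitools` utilities `cert-to-efi-sig-list` and `sign-efi-sig-list`, and renders the matching `secureboot:` profile fragment. It assumes those tools are installed, that the output directory is mounted into imager at `/secureboot`, and that enrolling the UKI signing certificate itself in db (rather than a separate db cert) is the intended trust model, which is the simplest arrangement that guarantees the enrolled db entry matches the UKI signer.

```shell
#!/bin/sh
# Added example, not part of the original discussion.
# Generates a private Secure Boot PKI (PK, KEK, db as signed .auth updates)
# plus the UKI and PCR signing keys that the imager profile fields expect.
# Assumptions: openssl, uuidgen and efitools are on PATH; the directory is
# later mounted into imager at /secureboot.
set -eu

# One RSA key + self-signed cert: $1 = dir, $2 = base name, $3 = CN
gen_cert() {
  openssl req -new -x509 -newkey rsa:4096 -sha256 -nodes -days 3650 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
  chmod 600 "$1/$2.key"
}

# Wrap a cert as a signed EFI variable update (.auth) that firmware will enroll:
# $1 = dir, $2 = variable name (PK/KEK/db), $3 = cert base name,
# $4 = signer base name (PK signs PK and KEK; KEK signs db)
gen_auth() {
  cert-to-efi-sig-list -g "$(uuidgen)" "$1/$3.crt" "$1/$3.esl"
  sign-efi-sig-list -k "$1/$4.key" -c "$1/$4.crt" "$2" "$1/$3.esl" "$1/$2.auth"
}

# Build every asset referenced by the profile fragment into $1
gen_secureboot_pki() {
  dir=$1
  for tool in openssl uuidgen cert-to-efi-sig-list sign-efi-sig-list; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
  done
  mkdir -p "$dir"
  gen_cert "$dir" PK          "Example Platform Key"
  gen_cert "$dir" KEK         "Example Key Exchange Key"
  gen_cert "$dir" uki-signing "Example UKI Signing Key"
  # Chain of trust for enrollment: PK self-signs, PK signs KEK, KEK signs db.
  gen_auth "$dir" PK  PK          PK
  gen_auth "$dir" KEK KEK         PK
  gen_auth "$dir" db  uki-signing KEK   # db trusts the UKI signer directly
  # imager wants PEM key/cert for the UKI signer (names match the profile).
  cp "$dir/uki-signing.key" "$dir/uki-signing-key.pem"
  cp "$dir/uki-signing.crt" "$dir/uki-signing-cert.pem"
  # PCR policy signing key: a plain RSA key, no certificate needed.
  openssl genrsa -out "$dir/pcr-signing-key.pem" 2048 >/dev/null 2>&1
  chmod 600 "$dir/pcr-signing-key.pem"
}

# Print the `secureboot:` profile fragment for assets mounted at $1
# (this fragment sits under `input:` in a full imager profile.yaml).
render_profile() {
  cat <<EOF
secureboot:
  secureBootSigner:
    keyPath: $1/uki-signing-key.pem
    certPath: $1/uki-signing-cert.pem
  pcrSigner:
    keyPath: $1/pcr-signing-key.pem
  platformKeyPath: $1/PK.auth
  keyExchangeKeyPath: $1/KEK.auth
  signatureKeyPath: $1/db.auth
EOF
}

# Usage: sh secureboot-pki.sh build ./secureboot
case "${1:-}" in
  build) gen_secureboot_pki "${2:-./secureboot}" && render_profile /secureboot ;;
esac
```

The key generation runs only when invoked with `build`; the rendered fragment always uses the in-container path (`/secureboot`), not the host directory, because imager resolves the paths inside its own filesystem. Keep the PK and KEK private keys offline after enrollment: once the .auth files exist they are all the firmware ever needs, and the only key your CI must hold to sign new UKIs is `uki-signing-key.pem`.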
I'm currently in the process of figuring out how to build secureboot assets (installer images, secureboot.iso etc.) using `imager`. In the end I'd like to use `imager` with a suitable `profile.yaml` in my CI using my own PKI. Unfortunately the docs are a little sparse here and I find the key generation utilities of `talosctl gen secureboot` and their docs a bit confusing due to terms such as SecureBoot key being used instead of the usual secureboot nomenclature. If my understanding of secureboot is correct there are basically two keys involved here:

Based on the above and the code for configuring build options of `imager`, is my interpretation of the fields in the example below correct?