enroll custom secureboot keys

crabgrass

Jul 19, 2024
I need to test the deployment of Talos Linux with secureboot enabled. The Talos boot image has an option to enroll their custom keys. I've done this on bare metal systems before, I go into the UEFI firmware, clear the current keys, restart, enable custom keys and boot the Talos image. The keys are written and when the system restarts, I go into the UEFI settings and enable secureboot. When Talos boots, it shows on its dashboard that secureboot is enabled.

On Proxmox, I create the UEFI VM with the EFI disk. I tried without pre-enrolled keys and with the option enabled.

When I turn the VM on, I immediately see the message:
Enrolling secure boot keys from directory: \loader\keys\auto
Failed to write PK secure boot variable: Security Violation

I get the same message when I boot the Talos image and choose to auto enroll their keys.

Searching does not really bring up any help resolving the issue. Threads I found are about Proxmox installation itself, not secureboot inside a VM.

Thanks!
 
Hi,
Not sure if you already figured this out, but I'll reply anyway as I just came across this myself and fixed it.

Choose the second option on the TALOS boot screen "Reboot into firmware interface".
From there, go to Device manager > Secure boot configuration > secure boot mode > custom mode - press enter.
Then go one menu option down to "custom secure boot options" > PK options > enroll pk > enroll pk using file - press enter.
From there choose the first EFI disk > EFI > KEYS > uki-signing-cert.der - press enter.
Choose "Commit changes and exit".
Press ESC until you're back at the top-level menu, then choose "Reset".

All should be well now, and Talos will boot into maintenance mode from the CD.
The menu options are a bit confusing and I'm not sure this is the "right way" but it worked for me.

Hope this helps!
 
Hey @Nyanchovy thanks for sharing, this will definitely help.

I kind of gave up on it and tried to run talos bare metal instead. I got the same errors and thought perhaps the Talos iso had changed. I ran Talos 1.4 and 1.5 bare metal with secure boot on these same systems. Worked like a charm before so I didn't quite understand why it wouldn't work now.

I'll give it another shot! :D
 
I'm trying this exact thing but having the same problem.

I tried to enroll the certs this way, but the machine seems to keep setting it to "standard" mode instead of "custom" mode and I can't seem to make it stick.
 
works perfectly - thank you!
 
Tried this with Talos v1.9 . Went through all the motions. I keep getting access denied.
 
In case anyone else hits the same problems I did here, I got this working with Talos Linux 1.10.0 through 1.10.2.

The key point seems to be that IDE devices aren't supported by the SecureBoot process. If you're using the Proxmox web UI to create a new VM, then when it asks for the install image under the 'OS' tab it doesn't give you a choice of what bus your virtual CD-ROM device is attached to; it's just always IDE.

So after creating your VM you need to delete that device from the VM hardware, and attach an equivalent CD-ROM with your SecureBoot iso loaded but on the SATA bus.

If you're using CloudInit as well, you need to make sure that is on a SATA bus too, otherwise the config from it will just silently not be loaded, and so not be used by the Talos installer.

Of course if you're using some sort of infra-as-code to set up your VMs you can set the CD-ROM devices as SATA right at the start, but if you originally created a VM manually and then used what that looked like as a base to define your IaC it might well just have IDE devices.

Once those are both done, you shouldn't even need to manually install the SecureBoot keys. I told Proxmox _not_ to pre-populate the drive with any keys when creating the EFI drive, and the Talos installer quite happily enrolled them, rebooted, installed Talos, and then started running off the hard drive.

The other thing I initially forgot was to update the machine image in my config that the installer would install. So Talos SecureBoot was booting from the virtual CD, installing non-SecureBoot Talos to the hard drive, then erroring on reboot: the installer said Talos was already installed so it wouldn't run, but the hard drive couldn't boot because it didn't have the SecureBoot keys installed. So make sure you are actually telling it to install the SecureBoot image to the HDD if you have a config. The default-generated one doesn't work for SecureBoot.
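As an added example (not from anyone in this thread, and not Proxmox or Talos project code), the checks from the post above turned into a script: it audits a `qm config <vmid>` dump for a CD-ROM or cloud-init drive sitting on an IDE bus and for an EFI disk created with pre-enrolled keys, then prints the `qm set` commands that move the media onto SATA and recreate the EFI disk with `pre-enrolled-keys=0`, plus the machine-config patch that points the Talos installer at the Secure Boot image. The two config dumps are constructed; it assumes the web UI placed the CD-ROM on ide2 and the cloud-init drive on ide0, and `<schematic-id>` is a placeholder for your own Image Factory schematic.

```shell
#!/bin/sh
# Added example, not from the thread or from the Proxmox/Talos projects.
# Audits a `qm config <vmid>` dump for the Secure Boot pitfalls described
# above and prints the commands that fix them. Nothing here runs `qm`
# itself, so it can be exercised offline against the constructed configs below.

# Constructed sample: what the web UI produces (CD-ROM and cloud-init on IDE,
# EFI disk with pre-enrolled Microsoft keys).
BAD_CFG='bios: ovmf
boot: order=scsi0;ide2
cores: 2
efidisk0: local-lvm:vm-100-disk-0,efitype=4m,pre-enrolled-keys=1,size=4M
ide0: local-lvm:vm-100-cloudinit,media=cdrom
ide2: local:iso/metal-amd64-secureboot.iso,media=cdrom
machine: q35
memory: 4096
scsi0: local-lvm:vm-100-disk-1,size=32G'

# Constructed sample: the same VM after the fixes.
GOOD_CFG='bios: ovmf
boot: order=scsi0;sata0
cores: 2
efidisk0: local-lvm:vm-100-disk-0,efitype=4m,pre-enrolled-keys=0,size=4M
machine: q35
memory: 4096
sata0: local:iso/metal-amd64-secureboot.iso,media=cdrom
sata1: local-lvm:vm-100-cloudinit,media=cdrom
scsi0: local-lvm:vm-100-disk-1,size=32G'

# audit_qm_config CONFIG_TEXT
# Prints one FINDING line per problem; returns 1 if any were found.
audit_qm_config() {
    _cfg=$1
    _rc=0
    # An ide<N> CD-ROM that is not the cloud-init drive: OVMF won't boot it.
    if printf '%s\n' "$_cfg" | grep -E '^ide[0-9]+:.*media=cdrom' | grep -vq cloudinit; then
        echo "FINDING: install CD-ROM is on an IDE bus; reattach it as sata<N>"
        _rc=1
    fi
    # Cloud-init on IDE: the config is silently ignored by the installer.
    if printf '%s\n' "$_cfg" | grep -Eq '^ide[0-9]+:.*cloudinit'; then
        echo "FINDING: cloud-init drive is on an IDE bus; reattach it as sata<N>"
        _rc=1
    fi
    # Pre-enrolled keys mean a Microsoft PK is already set, so enrolling
    # Talos's own PK fails with the Security Violation from the first post.
    if printf '%s\n' "$_cfg" | grep -Eq '^efidisk0:.*pre-enrolled-keys=1'; then
        echo "FINDING: efidisk0 has pre-enrolled-keys=1; recreate it with pre-enrolled-keys=0"
        _rc=1
    fi
    if ! printf '%s\n' "$_cfg" | grep -Eq '^bios: ovmf'; then
        echo "FINDING: bios is not ovmf; Secure Boot needs a UEFI VM"
        _rc=1
    fi
    return $_rc
}

# print_fix_commands VMID ISO_VOLID STORAGE
# Emits the qm commands that move the media to SATA and recreate the EFI disk
# without pre-enrolled keys. Assumes ide2 = CD-ROM and ide0 = cloud-init (the
# web UI defaults); adjust to what audit_qm_config reported. Deleting efidisk0
# detaches the old volume (it shows up as unused<N>) rather than destroying it.
print_fix_commands() {
    _vmid=$1; _iso=$2; _store=$3
    cat <<EOF
qm set $_vmid --delete ide2,ide0
qm set $_vmid --sata0 $_iso,media=cdrom
qm set $_vmid --sata1 $_store:cloudinit
qm set $_vmid --delete efidisk0
qm set $_vmid --efidisk0 $_store:1,efitype=4m,pre-enrolled-keys=0
qm set $_vmid --boot 'order=scsi0;sata0'
EOF
}

# print_install_patch VERSION
# Machine-config patch pointing the installer at the Secure Boot image.
# <schematic-id> is a placeholder for your Image Factory schematic.
print_install_patch() {
    cat <<EOF
machine:
  install:
    image: factory.talos.dev/installer-secureboot/<schematic-id>:$1
EOF
}

# Demo on the constructed configs.
if audit_qm_config "$BAD_CFG"; then
    echo "web-UI layout: no findings (unexpected)"
else
    echo "web-UI layout: fix with:"
    print_fix_commands 100 local:iso/metal-amd64-secureboot.iso local-lvm
fi
if audit_qm_config "$GOOD_CFG"; then
    echo "fixed layout: clean"
fi
```

On a real host, feed it `qm config <vmid>` output (`audit_qm_config "$(qm config 100)"`), and apply the printed patch with `talosctl gen config ... --config-patch @secureboot-install.yaml` so the installer writes the Secure Boot image to the disk instead of the default one.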
 
No need to change the device medium. Just make sure you uncheck "Pre enroll keys" when creating the VM
 
Tried that before switching to SATA. Didn't work for me; it wouldn't find a bootable device.

Cloud-init also failed to work if it was an IDE device instead of SATA, even after the rest of the installation was working.
 