[SOLVED] Secure Boot with PVE coming?

Bugbear

Hi!
It's the first time that I tried to install a Proxmox server with UEFI Secure Boot enabled today, and I realized that it would not work.
Even the PVE8 docs (https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_12_Bookworm#PVE_Kernel_fails_to_boot) say that Secure Boot should just be disabled.

This thread from 2019 mentions:
@fabian: We don't offer signed kernel images or Grub (yet), so there is no Secure Boot with PVE.

As Secure Boot is kind of nice, I wonder if there are any plans to ship signed PVE kernel images in the foreseeable future?
Hi!

I see this topic is 'solved', but if I may, I would temporarily open it again.

I am not a very seasoned Secure Boot user, but still from time to time I take interest in SB. Somehow, randomly, I stumbled upon the phenomenon that running blktrace/blkparse is not successful (why I took interest in blktrace is another story :) on ordinary Ubuntu/Debian, like this:

# blktrace -a discard -d /dev/vda -o - | blkparse -i -
Thread 3 failed open /sys/kernel/debug/block/vda/trace3: 1/Operation not permitted
...
FAILED to start thread on CPU 0: 1/Operation not permitted
...
root@pbs-adala-3:~dmesg -T | tail -n 8
[Mon Sep 4 01:39:52 2023] Lockdown: blktrace: debugfs access is restricted; see man kernel_lockdown.7
...

Turns out the reason for this is that the computer has Secure Boot enabled, and more or less automatically it triggers, among other things, kernel lockdown, which newer Ubuntu and Debian kernels have ('man 7 kernel_lockdown'):

# grep CONFIG_SECURITY_LOCKDOWN_LSM /boot/config-5.10.0-25-amd64
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y

Now I would like to ask if it would be OK to run Proxmox Backup Server v. 2.4/3.0 with a vanilla Debian v. 11/12 kernel, since using it I could have this Secure Boot and lockdown? I actually run PBS as a virtual machine with ext4 filesystems etc., so I think I don't lose much by not having the PVE kernel there in this regard; but otherwise I am thinking to myself that if having SB enabled on PBS, maybe PBS is otherwise tampered with.

And I also, since it seems PVE kernels do not have lockdown turned on

# grep CONFIG_SECURITY_LOCKDOWN_LSM /boot/config-6.2.16-4-bpo11-pve
# CONFIG_SECURITY_LOCKDOWN_LSM is not set

would like to ask, when you do include Secure Boot officially, do you consider also having the lockdown feature turned on? (I wonder if it somehow contradicts the PBS or PVE setup in general.)


Best regards,

Imre
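To reproduce the checks from the post above on any Debian-based host, here is an added helper script (my own example, not from the thread or from Proxmox). It assumes efivarfs is mounted at /sys/firmware/efi/efivars, securityfs at /sys/kernel/security, and that the kernel config lives at /boot/config-$(uname -r); the SecureBoot variable GUID is the standard EFI global variable GUID.

```shell
#!/bin/sh
# Added example: confirm whether this host booted with Secure Boot and whether
# the running kernel has lockdown active, the combination behind the blktrace
# "debugfs access is restricted" message. Not code from the thread or Proxmox.

# Extract the active mode from the one-line content of
# /sys/kernel/security/lockdown, e.g. "none [integrity] confidentiality".
# Prints the bracketed word: none, integrity or confidentiality.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Decode a SecureBoot EFI variable file from efivarfs: 4 attribute bytes
# followed by one data byte, where 1 means Secure Boot is enabled.
# Returns 0 if enabled, 1 if disabled, 2 if the file is unreadable
# (legacy BIOS boot or efivarfs not mounted).
secureboot_enabled() {
    [ -r "$1" ] || return 2
    val=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    [ "$val" = "1" ]
}

# Returns 0 when the kernel config file given as $1 builds in the lockdown LSM
# ("CONFIG_SECURITY_LOCKDOWN_LSM=y"); the "# ... is not set" form does not match.
lockdown_lsm_builtin() {
    grep -q '^CONFIG_SECURITY_LOCKDOWN_LSM=y' "$1"
}

# Report on the running host (assumed standard paths, see lead-in).
check_host() {
    sb=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    if secureboot_enabled "$sb"; then
        echo "Secure Boot: enabled"
    else
        case $? in 2) echo "Secure Boot: unknown (no efivars)";; *) echo "Secure Boot: disabled";; esac
    fi
    if [ -r /sys/kernel/security/lockdown ]; then
        echo "Lockdown mode: $(lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
    else
        echo "Lockdown mode: unknown (securityfs not mounted or LSM absent)"
    fi
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ] && lockdown_lsm_builtin "$cfg"; then
        echo "Lockdown LSM: built into $(uname -r)"
    else
        echo "Lockdown LSM: not set in $(uname -r) (or config unreadable)"
    fi
}

# Run the report only when explicitly asked, so the helpers can be sourced.
if [ "${RUN_CHECK:-0}" = 1 ]; then check_host; fi
```

Run it with `RUN_CHECK=1 sh check-sb-lockdown.sh` on the PVE host and on a stock Debian kernel to compare the two situations described in the post.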
 
Hi!

Just wanted to say thanks; in PVE v. 8.1 (and in PBS v. 3.1) I see Secure Boot and kernel lockdown behave, to my mind, exactly as expected!


Best regards,

Imre