CP-312160: secureboot certificate update design doc#7006
Signed-off-by: Chunjie Zhu <chunjie.zhu@cloud.com>
5d5aeb9 to c4ccf61
Thanks for the document. I'd like to ask a couple of questions:
Thanks @chunjiez, this toolstack design accurately reflects what we have discussed internally. From @dinhngtu's question, I think it would be good to add some more details about the interfaces between varstored and xapi:
- `ok`: No update required (including non-applicable VM types)
- `update_available`: Update required
- `update_on_boot`: Update scheduled for next boot
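Review bot: The `ok` state in this list covers two different situations, a VM that was checked and needs nothing and a VM type the update does not apply to, so a consumer cannot tell a current VM from one that was never assessed. Consider a separate value such as `not_applicable`, or state explicitly that callers must check the VM type before interpreting `ok`.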
The names and the meaning seem to diverge. If an update is required, the state should reflect that and not dance around it.
`ok`, `update_required`, `reboot_required`
In the current proposal it is not obvious what is expected from the user.
### 3.1 VM Certificate State Model
`VM.secureboot_certificates_state` applies to VM-class objects, including:
"including" could mean that there are more but unlisted objects. Would say: "these VM-class objects:"
Behavior:

- `mark=true`: require current state `update_available`, then set `update_on_boot`
- `mark=false`: require current state `update_on_boot`, then set `update_available`
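Review bot: The precondition on `mark=true` (current state must be `update_available`) makes a second `mark=true` on a VM already in `update_on_boot` an invalid transition; the section should say whether that repeated call is rejected or treated as a no-op, since a caller that retries after a timeout will hit exactly this case.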
Would `marked` or `scheduled` be better?

Rules:

- `update=yes` -> set state `update_available`
I find the name ambiguous. Does it mean: this is an update? This has been updated? Is update a state (noun) or an action (verb)?
It means it will be updated after calling set_NVRAM_EFI_variables
But should it be:
`update=yes -> set state ok`
- `mark=true`: require current state `update_available`, then set `update_on_boot`
- `mark=false`: require current state `update_on_boot`, then set `update_available`

Validation:

- Reject invalid transitions with `OPERATION_NOT_ALLOWED`
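Review bot: The Rules list under 3.1 gives a transition only for `update=yes`; the `update=no` result is unspecified, so it is unclear whether a VM in `update_available` or `update_on_boot` drops back to `ok` when a later check finds nothing to do, or keeps its state. Adding the `update=no` rule next to `- \`update=yes\` -> set state \`update_available\`` would close that gap and give the `OPERATION_NOT_ALLOWED` validation a complete transition table to check against.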
I think a simple state diagram done in mermaid would work well to show the interactions between this field and the NVRAM
When varstored initializes a VM and sees `secureboot_certificates_state=update_on_boot`:

- Perform certificate update flow during boot-time initialization
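Review bot: The boot-time flow does not say which component moves the state from `update_on_boot` back to `ok`, or whether that happens before or after the new certificates are written to NVRAM. Stating that the transition is recorded only after the NVRAM write has completed keeps a VM whose update was interrupted in `update_on_boot`, so the update is retried on the next boot instead of being reported as done while the old certificate set is still in place.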
Can this flow end up in an invalid state that needs to be recovered from? That is, neither the new nor the outdated certificates are stored in the NVRAM
Microsoft Secure Boot certificates from 2011 are reaching end-of-life, and legacy VMs may still contain only the old certificate set.
We design an out-of-band mechanism to update per-VM UEFI Secure Boot variables safely and at scale.