feat: add support for Secure Boot UEFI keys in Azure images (#70)

nordcloud · Jul 15, 2024 · e9e5a59 · e9e5a59
1 parent 1006627
commit e9e5a59
Show file tree

Hide file tree

Showing 8 changed files with 166 additions and 15 deletions.
diff --git a/docs/index.md b/docs/index.md
@@ -34,7 +34,7 @@ terraform {
   required_providers {
     imagefactory = {
       source  = "nordcloud/imagefactory"
-      version = "1.9.1"
+      version = "1.10.0"
     }
   }
 }

diff --git a/docs/resources/template.md b/docs/resources/template.md
@@ -144,6 +144,30 @@ resource "imagefactory_template" "azure_template" {
   }
 }
 
+# AZURE Template - additional signatures on Gen2 images
+
+resource "imagefactory_variable" "uefi_key" {
+  name  = "UEFI_KEY"
+  value = "MIIDQTCCAimgAwIBAgIQDd70KTXzSXuUqRAfm+RzqzANBgkqhkiG9w0BAQsFADAj...."
+}
+
+resource "imagefactory_template" "azure_template" {
+  name            = "Ubuntu1804"
+  description     = "Ubuntu 18.04 on Azure"
+  cloud_provider  = "AZURE"
+  distribution_id = data.imagefactory_distribution.ubuntu18.id
+  config {
+    azure {
+      trusted_launch = true
+      additional_signatures {
+        variable_name = imagefactory_variable.uefi_key.name
+        # If the variable is not defined in the template, the value can be set directly
+        # variable_value = "UEFI_KEY"
+      }
+    }
+  }
+}
+
 output "azure_template" {
   value = imagefactory_template.azure_template
 }
@@ -308,6 +332,7 @@ Required:
 Optional:
 
 - `additional_data_disks` (Block List, Max: 10) (see [below for nested schema](#nestedblock--config--azure--additional_data_disks))
+- `additional_signatures` (Block List) Additional UEFI keys that are used to validate the boot loader. This feature allows you to bind UEFI keys for driver/kernel modules that are signed by using a private key that's owned by third-party vendors. (see [below for nested schema](#nestedblock--config--azure--additional_signatures))
 - `eol_date_option` (Boolean) Default value is set to true
 - `exclude_from_latest` (Boolean)
 - `replica_regions` (List of String)
@@ -322,6 +347,14 @@ Required:
 - `size` (Number) Data disk size between 1 and 10 GB.
 
 
+<a id="nestedblock--config--azure--additional_signatures"></a>
+### Nested Schema for `config.azure.additional_signatures`
+
+Required:
+
+- `variable_name` (String) The name of the Customer Variable that is used to store the UEFI key.
+
+
 <a id="nestedblock--config--azure--vm_image_definition"></a>
 ### Nested Schema for `config.azure.vm_image_definition`
 

diff --git a/examples/provider/provider.tf b/examples/provider/provider.tf
@@ -7,7 +7,7 @@ terraform {
   required_providers {
     imagefactory = {
       source  = "nordcloud/imagefactory"
-      version = "1.9.1"
+      version = "1.10.0"
     }
   }
 }

diff --git a/examples/resources/imagefactory_template/resource.tf b/examples/resources/imagefactory_template/resource.tf
@@ -129,6 +129,30 @@ resource "imagefactory_template" "azure_template" {
   }
 }
 
+# AZURE Template - additional signatures on Gen2 images
+
+resource "imagefactory_variable" "uefi_key" {
+  name  = "UEFI_KEY"
+  value = "MIIDQTCCAimgAwIBAgIQDd70KTXzSXuUqRAfm+RzqzANBgkqhkiG9w0BAQsFADAj...."
+}
+
+resource "imagefactory_template" "azure_template" {
+  name            = "Ubuntu1804"
+  description     = "Ubuntu 18.04 on Azure"
+  cloud_provider  = "AZURE"
+  distribution_id = data.imagefactory_distribution.ubuntu18.id
+  config {
+    azure {
+      trusted_launch = true
+      additional_signatures {
+        variable_name = imagefactory_variable.uefi_key.name
+        # If the variable is not defined in the template, the value can be set directly
+        # variable_value = "UEFI_KEY"
+      }
+    }
+  }
+}
+
 output "azure_template" {
   value = imagefactory_template.azure_template
 }

diff --git a/imagefactory/imagetemplate/schema.go b/imagefactory/imagetemplate/schema.go
@@ -128,6 +128,16 @@ var additionalDataDisksResource = &schema.Resource{
 	},
 }
 
+var additionalSignaturesResource = &schema.Resource{
+	Schema: map[string]*schema.Schema{
+		"variable_name": {
+			Type:        schema.TypeString,
+			Required:    true,
+			Description: "The name of the Customer Variable that is used to store the UEFI key.",
+		},
+	},
+}
+
 var azureTemplateConfigResource = &schema.Resource{
 	Schema: map[string]*schema.Schema{
 		"exclude_from_latest": {
@@ -162,6 +172,14 @@ var azureTemplateConfigResource = &schema.Resource{
 			Type:     schema.TypeBool,
 			Optional: true,
 		},
+		"additional_signatures": {
+			Type:     schema.TypeList,
+			Optional: true,
+			Elem:     additionalSignaturesResource,
+			Description: "Additional UEFI keys that are used to validate the boot loader. " +
+				"This feature allows you to bind UEFI keys for driver/kernel modules that " +
+				"are signed by using a private key that's owned by third-party vendors.",
+		},
 	},
 }
 

diff --git a/imagefactory/imagetemplate/structures.go b/imagefactory/imagetemplate/structures.go
@@ -121,6 +121,18 @@ func expandAdditionalDataDisks(in []interface{}) *[]graphql.NewAdditionalDataDis
 	return &out
 }
 
+func expandAdditionalSignatures(in []interface{}) *[]graphql.NewUefiKey {
+	out := []graphql.NewUefiKey{}
+	for i := range in {
+		m := in[i].(map[string]interface{})
+		out = append(out, graphql.NewUefiKey{
+			VariableName: graphql.String(m["variable_name"].(string)),
+		})
+	}
+
+	return &out
+}
+
 func expandTemplateAzureConfig(in []interface{}) *graphql.NewTemplateAZUREConfig {
 	if len(in) == 0 {
 		return nil
@@ -149,6 +161,10 @@ func expandTemplateAzureConfig(in []interface{}) *graphql.NewTemplateAZUREConfig
 		out.AdditionalDataDisks = expandAdditionalDataDisks(m["additional_data_disks"].([]interface{}))
 	}
 
+	if m["additional_signatures"] != nil {
+		out.AdditionalSignatures = expandAdditionalSignatures(m["additional_signatures"].([]interface{}))
+	}
+
 	return out
 }
 

diff --git a/pkg/graphql/graphql.go b/pkg/graphql/graphql.go
diff --git a/pkg/graphql/schema.graphql b/pkg/graphql/schema.graphql
@@ -606,7 +606,7 @@ type CustomerStats {
 }
 
 
-# Copyright 2021-2023 Nordcloud Oy or its affiliates. All Rights Reserved.
+# Copyright 2021-2024 Nordcloud Oy or its affiliates. All Rights Reserved.
 
 """
 Distribution defines the cloud image that can be created by the ImageFactory.
@@ -631,6 +631,7 @@ type Distribution {
 	osEolDate: String
 	complianceScore: ComplianceScore
 	deprecated: Boolean
+	config: Config
 }
 
 type ComplianceScore {
@@ -644,6 +645,19 @@ type DistributionResults {
 	count: Int!
 }
 
+type Config {
+	azure: AZUREConfig
+}
+
+enum HyperVGeneration {
+	HYPERV_GENERATION_V1
+	HYPERV_GENERATION_V2
+}
+
+type AZUREConfig {
+	hypervGeneration: HyperVGeneration
+}
+
 
 # Copyright 2022-2024 Nordcloud Oy or its affiliates. All Rights Reserved.
 
@@ -1010,13 +1024,18 @@ type AdditionalDataDisks {
 	size: Int!
 }
 
+type UefiKey {
+	variableName: String!
+}
+
 type TemplateAZUREConfig {
 	replicaRegions: [String]
 	excludeFromLatest: Boolean
 	vmImageDefinition: VMImageDefinition
 	eolDateOption: Boolean
 	additionalDataDisks: [AdditionalDataDisks!]
 	trustedLaunch: Boolean
+	additionalSignatures: [UefiKey!]
 }
 
 type TemplateExoscaleConfig {
@@ -1150,6 +1169,13 @@ input NewVMImageDefinition {
 	sku: String!
 }
 
+input NewUefiKey {
+	"""
+	variableName is the name of the Customer Variable that is used to store the UEFI key.
+	"""
+	variableName: String!
+}
+
 input NewAdditionalDataDisks {
 	"""
 	size is in GB, from 1G to 10G.
@@ -1172,6 +1198,14 @@ input NewTemplateAZUREConfig {
 	"""
 	trustedLaunch: Boolean
 
+	"""
+	`additionalSignatures` defines additional UEFI keys that are used to validate the boot loader.
+
+	This feature allows you to bind unified extensible firmware interface (UEFI) keys for driver/kernel modules
+	that are signed by using a private key that's owned by third-party vendors.
+	"""
+	additionalSignatures: [NewUefiKey!]
+
 	"""
 	`additionalDataDisks` defines extra data disks attached to the image with a limit of 10.