# Securely boot a VM

Secure boot helps to ensure that the system runs only authentic software by verifying the digital signature of all boot components, and stopping the boot process if signature verification fails.

Google Distributed Cloud (GDC) air-gapped appliance uses the Unified Extensible Firmware Interface (UEFI) firmware to manage certificates and keys used for signing software.

The UEFI firmware securely manages the certificates that contain the keys the software manufacturers use to sign the system firmware, the system boot loader, and any binaries they load. To see the UEFI documentation, visit <https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf>.

On each boot, the UEFI firmware verifies the digital signature of each boot component against the secure store of approved keys. Any boot component that isn't signed properly, or isn't signed at all, isn't allowed to run. To enable secure boot, you must set the VM's `bootloader` type to `uefi`.

A vTPM is a virtualized trusted platform module. See <https://trustedcomputinggroup.org/trusted-platform-module-tpm-summary/> for more information about vTPMs. It provides the functions of a specialized computer chip that you can use to protect objects, like keys and certificates, that you use to authenticate access to your system. You can also use the vTPM to protect secrets through shielding or sealing. For more information on sealed storage, see <https://en.wikipedia.org/wiki/Trusted_Computing#SEALED-STORAGE>. See the Go-TPM project on GitHub (<https://github.com/google/go-tpm>) for Go language examples that illustrate how to use a vTPM for this purpose.

Before you begin
----------------

To use `gdcloud` command-line interface (CLI) commands, ensure that you have downloaded, installed, and configured the [`gdcloud` CLI](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-overview). All commands for GDC air-gapped appliance use the `gdcloud` or `kubectl` CLI, and require an operating system (OS) environment.

### Get the kubeconfig file path

To run commands against the Management API server, ensure you have the following resources:

1. Locate the Management API server name, or ask your Platform Administrator (PA) what the server name is.

2. [Sign in and generate](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/iam/sign-in#cli) the kubeconfig file for the Management API server if you don't have one.

3. Use the path to replace `MANAGEMENT_API_SERVER` in these instructions.

### Request permissions and access

To perform the tasks listed on this page, you must have the Project VirtualMachine Admin role. Follow the steps to [verify](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/vms/preparation#verify-user-access) that you have the Project VirtualMachine Admin (`project-vm-admin`) role in the namespace of the project where the VM resides.

Enable secure boot
------------------

Enable secure boot for a VM. Use the following instructions for a VM called `VM_NAME` in the project's namespace (`PROJECT_NAMESPACE`).

1. Update your VM custom resource to enable secure boot:

       kubectl --kubeconfig MANAGEMENT_API_SERVER patch virtualmachines.virtualmachine.gdc.goog VM_NAME -n PROJECT_NAMESPACE --type merge --patch $'
       spec:
         shieldConfig:
           bootType: uefi
           enableSecureBoot: true
       '

2. If the VM is running, restart it using the instructions to [restart a VM](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/vms/manage-vms/operations-and-lifecycle/start-and-stop-vm#restart-a-vm).

3. Verify that you've enabled secure boot. [Establish an SSH connection to your VM](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/vms/connect-to-vm/connect-to-a-vm) and run the following command:

       mokutil --sb-state

   If you've successfully enabled secure boot, the command returns `SecureBoot enabled`.

   If the `mokutil` tool reports that you have not enabled secure boot, follow the steps in the section [Troubleshoot secure boot configuration](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/vms/manage-vms/secure-vms/secure-boot#troubleshoot-secure-boot).

### Troubleshoot secure boot configuration

1. Open your VM custom resource in an editor:

       kubectl --kubeconfig MANAGEMENT_API_SERVER edit virtualmachines.virtualmachine.gdc.goog VM_NAME -n PROJECT_NAMESPACE

2. Look for missing fields or values by comparing against the `spec` field shown in the patch command in [Enable secure boot](#reference). The `bootType` and `enableSecureBoot` fields are required.

3. If any are missing or are incorrect, edit `spec` to add the missing fields and correct erroneous values.

4. Save the file.

5. Follow the steps in [Restart the VM](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/vms/manage-vms/operations-and-lifecycle/start-and-stop-vm#restart-a-vm).

If the previous steps don't resolve your issue, check the documentation corresponding to the VM's operating system (OS) to verify that the OS version supports secure boot.

Enable virtual trusted platform module (vTPM)
---------------------------------------------

Enable vTPM for a VM. Use the following instructions for a VM called `VM_NAME` in the project's namespace (`PROJECT_NAMESPACE`).

1. Update your VM custom resource to enable vTPM:

       kubectl --kubeconfig MANAGEMENT_API_SERVER patch virtualmachines.virtualmachine.gdc.goog VM_NAME -n PROJECT_NAMESPACE --type merge --patch $'
       spec:
         shieldConfig:
           enableVtpm: true
       '

2. If the VM is running, restart it using the instructions to [restart a VM](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/vms/manage-vms/operations-and-lifecycle/start-and-stop-vm#restart-a-vm).

3. Verify that you've enabled vTPM. [Establish an SSH connection to your VM](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/vms/connect-to-vm/connect-to-a-vm) and run the following command:

       dmesg | grep -i tpm

   If you've successfully enabled vTPM, the command returns the TPM module as part of the ACPI tables. The output looks similar to the following:

       [    7.620985] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)

   If the ACPI tables don't display the TPM module, follow the steps in the section [Troubleshoot vTPM configuration](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/vms/manage-vms/secure-vms/secure-boot#troubleshoot-vtpm).

### Troubleshoot vTPM configuration

1. Open your VM custom resource in an editor:

       kubectl --kubeconfig MANAGEMENT_API_SERVER edit virtualmachines.virtualmachine.gdc.goog VM_NAME -n PROJECT_NAMESPACE

2. Look for missing fields or values by comparing against the `spec` field shown in the patch command in [Enable virtual trusted platform module (vTPM)](#reference2). The `enableVtpm` field is required.

3. If any are missing or are incorrect, edit `spec` to add the missing fields and correct erroneous values.

4. Save the file.

5. Follow the steps in [Restart the VM](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/vms/manage-vms/operations-and-lifecycle/start-and-stop-vm#restart-a-vm).

If the previous steps don't resolve your issue, check the documentation corresponding to the VM's operating system (OS) to verify that the OS version supports vTPM.

Last updated 2025-09-04 (UTC)
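The secure boot and vTPM procedures above each end with a manual check of the VM `spec` and of guest output from `mokutil --sb-state` and `dmesg`. The following shell helpers, an added example that is not part of the GDC documentation, turn those checks into functions you can run over captured text; they go slightly beyond the page by emitting one merge patch that sets both features at once. The function names are hypothetical, the `shieldConfig` field names and expected outputs come from the page, and the helpers assume the YAML from `kubectl get ... -o yaml` nests those fields with indentation; the sample inputs are constructed.

```shell
#!/usr/bin/env bash
# Added example (not GDC's own code): checks for the secure boot and vTPM
# procedures, run over text captured from `kubectl get ... -o yaml`,
# `mokutil --sb-state` and `dmesg`. Field names come from the page;
# sample inputs at the bottom are constructed for offline testing.

# One merge patch covering both procedures (secure boot and vTPM), usable
# as the --patch argument of the kubectl command shown on the page.
shield_patch_yaml() {
  printf 'spec:\n  shieldConfig:\n    bootType: uefi\n    enableSecureBoot: true\n    enableVtpm: true\n'
}

# Troubleshooting step 2 as a check: read the VM resource YAML on stdin and
# print one line per required shieldConfig field that is missing or wrong.
# Returns 0 only when all three fields are present with the expected values.
shield_spec_problems() {
  local spec want rc=0
  spec=$(cat)
  for want in "bootType: uefi" "enableSecureBoot: true" "enableVtpm: true"; do
    if ! printf '%s\n' "$spec" | grep -Eq "^[[:space:]]+${want}[[:space:]]*$"; then
      echo "missing or incorrect: ${want}"
      rc=1
    fi
  done
  return "$rc"
}

# Returns 0 when `mokutil --sb-state` output reports secure boot as enabled.
secure_boot_on() { printf '%s\n' "$1" | grep -q '^SecureBoot enabled$'; }

# Returns 0 when dmesg output contains the tpm_tis "2.0 TPM" line from the page.
vtpm_present() { printf '%s\n' "$1" | grep -Eiq 'tpm_tis .*2\.0 TPM'; }

# Constructed samples: a VM patched for secure boot but never for vTPM.
SAMPLE_SPEC='spec:
  shieldConfig:
    bootType: uefi
    enableSecureBoot: true'
SAMPLE_MOKUTIL='SecureBoot enabled'
SAMPLE_DMESG='[    7.620985] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)'

main() {
  printf '%s\n' "$SAMPLE_SPEC" | shield_spec_problems || echo "spec needs the patch above"
  secure_boot_on "$SAMPLE_MOKUTIL" && echo "secure boot: enabled"
  vtpm_present "$SAMPLE_DMESG" && echo "vTPM: present"
}
main
```

On a real VM, feed `kubectl get virtualmachines.virtualmachine.gdc.goog VM_NAME -n PROJECT_NAMESPACE -o yaml` into `shield_spec_problems` before rebooting, so a missing field is caught before the in-guest checks.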