Securely boot a VM

Secure boot helps to ensure that the system runs only authentic software by verifying the digital signature of all boot components, and stopping the boot process if signature verification fails.

The Unified Extensible Firmware Interface (UEFI) firmware securely manages the certificates that contain the keys the software manufacturers use to sign the system firmware, the system boot loader, and any binaries they load. To see the UEFI documentation, visit https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf.

On each boot, the UEFI firmware verifies the digital signature of each boot component against the secure store of approved keys. Any boot component that you do not sign properly, or you do not sign at all, isn't allowed to run. You must set the bootloader type of the virtual machine (VM) to uefi to enable a secure boot.

Before you begin

To use gdcloud command-line interface (CLI) commands, ensure that you have downloaded, installed, and configured the gdcloud CLI. All commands for Distributed Cloud Hosted use the gdcloud or kubectl CLI, and require an operating system (OS) environment.

Get the kubeconfig file paths

  1. Run gdcloud auth login to the admin cluster.

    1. Record the path to the generated file, as in this example:
      /tmp/admin-kubeconfig-with-user-identity.yaml.

    2. Use the path to replace ORG_ADMIN_KUBECONFIG in these instructions.

Enable secure boot

Enable secure boot for a VM. Use the following instructions for a VM called VM_NAME in the project's namespace (PROJECT_NAMESPACE).

  1. Run the following command:

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG patch virtualmachines.virtualmachine.gdc.goog VM_NAME -n PROJECT_NAMESPACE --type merge --patch $'
    spec:
       firmware:
          type: uefi
          enableSecureBoot: true
    '
    
    1. If the VM is running, restart it using the instructions to restart a VM.
    2. Verify that you've enabled SecureBoot. SSH into the VM and run the following command:

       mokutil --sb-state
       ```
      

    If you've successfully enabled SecureBoot, the command returns SecureBoot enabled.

    If the mokutil tool reports that you have not enabled SecureBoot, follow these steps:

    1. Run the following command:

       kubectl --kubeconfig ORG_ADMIN_KUBECONFIG edit virtualmachines.virtualmachine.gdc.goog VM_NAME -n PROJECT_NAMESPACE
       ```
      
    2. Look for missing fields or values as shown in the spec field in "Run the following command". These are required.

    3. If any are missing or are incorrect, edit spec to add the missing fields and correct erroneous values.

    4. Save the file.

    5. Follow the steps in Restart the VM.

    If the previous steps don't resolve your issue, check the documentation corresponding to the VM's operating system (OS) to verify that the OS version supports the secure boot.