Fixes #36834 - Add SecureBoot support for arbitrary operating systems to "Grub2 UEFI" PXE loaders

This feature consists of four patches, one each for foreman,
smart-proxy, foreman-installer, and puppet-foreman_proxy.

This patch adds support for individual Network Bootstrap Programs (NBP)
in order to enable network based installations of SecureBoot enabled
hosts for arbitrary operating systems.

SecureBoot expects to follow a chain of trust from the initial boot of
the host to the loading of Linux kernel modules. The very first shim
that is loaded determines which distribution is allowed to be booted or
kexec'ed until next reboot.

Currently the "Grub2 UEFI SecureBoot" PXE loaders use NBPs provided by
the vendor of the Foreman/Smart Proxy host system. All hosts receive and
execute the same binary. On SecureBoot enabled hosts, this limits
installations to operating systems by the vendor of the Foreman/
Smart Proxy host system.

Providing shim and GRUB2 by the vendor of the operating system to be
installed allows Foreman to install any operating system on SecureBoot
enabled hosts over network.

To achieve this, the host's DHCP filename option is set to a shim/GRUB2
binary in a host specific directory based on their MAC address.
Corresponding shim and GRUB2 binaries are copied into that directory
along with the generated GRUB2 configuration files.
When provisioning a host, the Smart Proxy checks in a dedicated
directory inside the TFTP root - the so called "bootloader universe" -
if NBPs are present matching the operating system, operating system
version, and architecture of the host to be installed. If this is the
case, these NBPs are copied from the bootloader universe directory to
the host specific directory. If not, as a fallback the default NBPs
provided by the vendor of the Foreman/Smart Proxy host system are
copied from the `:tftproot:/grub2` directory to the host specific
directory.

Up to now, shim and GRUB2 binaries have to be retrieved and set up in
the bootloader universe directory manually according to the
documentation. An automatic way to provide OS dependent NBPs will be
added in future.

In case there are no NBPs present in the bootloader universe matching
the operating system, operating system version, and architecture of
the host to be installed, the behaviour of the "Grub2 UEFI" PXE
loaders does not change to the behavior prior to this feature.

Implementation notes:
---------------------
* To be future proof (e.g. to be able to provide NBPs in the bootloader
  universe for other PXE loaders without running into any filename
  conflicts) and for better structure, the PXE kind is prepended as a
  first directory level inside the bootloader universe.
* The operating system version inside the bootloader universe consists
  of the major and minor version (if applicable) of the operating system
  separated by a dot (`.`). If no NBPs are configured for a specific
  operating system version the fallback directory `default` is used.
* To simplify things on Foreman side in future, symlinks are used for
  the shim (boot-sb.efi) and GRUB2 (boot.efi) binaries.
* Inside the TFTP root directory a new directory `host-config` is
  created for storing all the host specific directories.
* Inside the TFTP root directory a new directory `bootloader-universe`
  is created for storing all the OS specific boot files.
* For storage efficiency the shim and GRUB2 binaries from the
  bootloader universe or the `:tftproot:/grub2` directory are
  symlinked to the host specific directory.

Full example:
-------------
[root@vm ~]# hammer host info --id 241 | grep -E "(MAC address|Operating System)"
MAC address: 00:50:56:b4:75:5e
Operating System: AlmaLinux 8.9

[root@vm ~]# tree /var/lib/tftpboot/bootloader-universe/
/var/lib/tftpboot/bootloader-universe/
└── pxegrub2
    └── almalinux
        ├── 8.9
        │   └── x86_64
        │       ├── boot.efi -> grubx64.efi
        │       ├── boot-sb.efi -> shimx64.efi
        │       ├── grubx64.efi
        │       └── shimx64.efi
        └── default
            └── x86_64
                ├── boot.efi -> grubx64.efi
                ├── boot-sb.efi -> shimx64.efi
                ├── grubx64.efi
                └── shimx64.efi

[root@vm ~]# hammer host update --id 241 --build true

[root@vm ~]# tree /var/lib/tftpboot/host-config
/var/lib/tftpboot/host-config
└── 00-50-56-a3-41-a8
    └── grub2
        ├── boot.efi -> ../../../bootloader-universe/grubx64.efi
        ├── boot-sb.efi -> ../../../bootloader-universe/shimx64.efi
        ├── grub.cfg
        ├── grub.cfg-00:50:56:a3:41:a8
        ├── grub.cfg-01-00-50-56-a3-41-a8
        ├── grubx64.efi -> ../../../bootloader-universe/grubx64.efi
        ├── os_info
        └── shimx64.efi -> ../../../bootloader-universe/shimx64.efi

[root@vm ~]# grep -B2 00-50-56-b4-75-5e /var/lib/dhcpd/dhcpd.leases
hardware ethernet 00:50:56:b4:75:5e;
fixed-address 192.168.145.84;
supersede server.filename = "host-config/00-50-56-b4-75-5e/grub2/boot-sb.efi";

[root@vm ~]# pesign -S -i /var/lib/tftpboot/host-config/00-50-56-b4-75-5e/grub2/boot-sb.efi | grep "Microsoft Windows UEFI Driver Publisher"
The signer's common name is Microsoft Windows UEFI Driver Publisher

Author: Jan Löser

app/models/concerns/orchestration/dhcp.rb

@@ -108,6 +108,20 @@ def build_dhcp_record(record_mac)
     end
   end
 
+  def dhcp_filename(record_mac)
+    filename = operatingsystem.boot_filename(host)
+    if filename.include? "@@subdir@@"
+      if host.subnet&.tftp&.has_capability?(:TFTP, :bootloader_universe)
+        filename = filename.gsub("@@subdir@@", "host-config/#{record_mac.tr(':', '-').downcase}")
+        filename = filename.gsub(/\/grub\w*\.efi$/, "/boot.efi")
+        return filename.gsub(/\/shim\w*\.efi$/, "/boot-sb.efi")
+      else
+        return filename.gsub("@@subdir@@/", "")
+      end
+    end
+    filename
+  end
+
   # returns a hash of dhcp record settings
   def dhcp_attrs(record_mac)
     raise ::Foreman::Exception.new(N_("DHCP not supported for this NIC")) unless dhcp?
@@ -124,7 +138,7 @@ def dhcp_attrs(record_mac)
 
     if provision?
       dhcp_attr[:nextServer] = boot_server unless host.pxe_loader == 'None'
-      filename = operatingsystem.boot_filename(host)
+      filename = dhcp_filename(record_mac)
       dhcp_attr[:filename] = filename if filename.present?
       if jumpstart?
         jumpstart_arguments = os.jumpstart_params host, model.vendor_class

app/models/concerns/orchestration/tftp.rb

@@ -87,7 +87,13 @@ def setTFTP(kind)
       logger.info "Deploying TFTP #{kind} configuration for #{host.name}"
       each_unique_feasible_tftp_proxy do |proxy|
         mac_addresses_for_provisioning.each do |mac_addr|
-          proxy.set(kind, mac_addr, :pxeconfig => content)
+          proxy.set(kind, mac_addr, {
+                      :pxeconfig => content,
+                      :targetos => host.operatingsystem.name.downcase,
+                      :release => host.operatingsystem.release,
+                      :arch => host.arch.name,
+                      :bootfile_suffix => host.arch.bootfilename_efi,
+                    })
         end
       end
     else

app/models/concerns/pxe_loader_support.rb

@@ -5,7 +5,7 @@ module PxeLoaderSupport
   PXE_KINDS = {
     :PXELinux => /^(pxelinux.*|PXELinux (BIOS|UEFI))$/,
     :PXEGrub => /^(grub\/|Grub UEFI).*/,
-    :PXEGrub2 => /^(grub2\/|Grub2 (BIOS|UEFI|ELF)|http.*grub2\/).*/,
+    :PXEGrub2 => /(^Grub2 (BIOS|UEFI|ELF).*|\/?grub2\/)/,
     :iPXE => /^((iPXE|http.*\/ipxe-).*|ipxe\.efi|undionly\.kpxe)$/,
   }.with_indifferent_access.freeze
 
@@ -26,11 +26,11 @@ def all_loaders_map(precision = 'x64', httpboot_host = "httpboot_host")
         "Grub UEFI" => "grub/grub#{precision}.efi",
         "Grub2 BIOS" => "grub2/grub#{precision}.0",
         "Grub2 ELF" => "grub2/grub#{precision}.elf",
-        "Grub2 UEFI" => "grub2/grub#{precision}.efi",
-        "Grub2 UEFI SecureBoot" => "grub2/shim#{precision}.efi",
-        "Grub2 UEFI HTTP" => "http://#{httpboot_host}/httpboot/grub2/grub#{precision}.efi",
-        "Grub2 UEFI HTTPS" => "https://#{httpboot_host}/httpboot/grub2/grub#{precision}.efi",
-        "Grub2 UEFI HTTPS SecureBoot" => "https://#{httpboot_host}/httpboot/grub2/shim#{precision}.efi",
+        "Grub2 UEFI" => "@@subdir@@/grub2/grub#{precision}.efi",
+        "Grub2 UEFI SecureBoot" => "@@subdir@@/grub2/shim#{precision}.efi",
+        "Grub2 UEFI HTTP" => "http://#{httpboot_host}/httpboot/@@subdir@@/grub2/grub#{precision}.efi",
+        "Grub2 UEFI HTTPS" => "https://#{httpboot_host}/httpboot/@@subdir@@/grub2/grub#{precision}.efi",
+        "Grub2 UEFI HTTPS SecureBoot" => "https://#{httpboot_host}/httpboot/@@subdir@@/grub2/shim#{precision}.efi",
         "iPXE Embedded" => nil, # renders directly as foreman_url('iPXE')
         "iPXE UEFI HTTP" => "http://#{httpboot_host}/httpboot/ipxe-#{precision}.efi",
         "iPXE Chain BIOS" => "undionly-ipxe.0",

app/services/proxy_api/tftp.rb

@@ -10,6 +10,10 @@ def initialize(args)
     # [+mac+]  : MAC address
     # [+args+] : Hash containing
     #    :pxeconfig => String containing the configuration
+    #    :targetos  => String containing the lowercase operating system name
+    #    :release  => String containing the operating system major and minor version
+    #    :arch  => String containing the operating system architecture
+    #    :bootfile_suffix => String containing the architecture specific boot filename suffix
     # Returns  : Boolean status
     def set(kind, mac, args)
       parse(post(args, "#{kind}/#{mac}"))

test/factories/architecture.rb

@@ -5,5 +5,9 @@
     trait :for_snapshots_x86_64 do
       name { 'x86_64' }
     end
+
+    trait :x64 do
+      name { 'x64' }
+    end
   end
 end

test/factories/operatingsystem.rb

@@ -160,6 +160,17 @@
       title { 'Red Hat Enterprise Linux 7.5' }
     end
 
+    factory :rhel9, class: Redhat do
+      name { 'RHEL' }
+      major { '9' }
+      minor { '0' }
+      type { 'Redhat' }
+      title { 'Red Hat Enterprise Linux 9.0' }
+      architectures { [FactoryBot.build(:architecture, :x64)] }
+      media { [FactoryBot.build(:rhel_for_snapshots)] }
+      ptables { [FactoryBot.build(:ptable, name: 'ptable')] }
+    end
+
     factory :for_snapshots_centos_7_0, class: Redhat do
       name { 'CentOS' }
       major { '7' }

test/models/concerns/pxe_loader_support_test.rb

@@ -32,18 +32,28 @@ def setup
       assert_equal :PXEGrub, @subject.pxe_loader_kind(@host)
     end
 
-    test "PXEGrub2 is found for given filename" do
-      @host.pxe_loader = "grub2/grubx64.efi"
+    test "PXEGrub2 is found for grubx64.elf filename" do
+      @host.pxe_loader = "grub2/grubx64.elf"
+      assert_equal :PXEGrub2, @subject.pxe_loader_kind(@host)
+    end
+
+    test "PXEGrub2 is found for grubx64.0 filename" do
+      @host.pxe_loader = "grub2/grubx64.0"
+      assert_equal :PXEGrub2, @subject.pxe_loader_kind(@host)
+    end
+
+    test "PXEGrub2 is found for grubx64.efi filename" do
+      @host.pxe_loader = "host-config/#{@host.mac.tr(':', '-')}/grub2/grubx64.efi"
       assert_equal :PXEGrub2, @subject.pxe_loader_kind(@host)
     end
 
     test "PXEGrub2 is found for shimx64.efi filename" do
-      @host.pxe_loader = "grub2/shimx64.efi"
+      @host.pxe_loader = "host-config/#{@host.mac.tr(':', '-')}/grub2/shimx64.efi"
       assert_equal :PXEGrub2, @subject.pxe_loader_kind(@host)
     end
 
     test "PXEGrub2 is found for shimia32.efi filename" do
-      @host.pxe_loader = "grub2/shimia32.efi"
+      @host.pxe_loader = "host-config/#{@host.mac.tr(':', '-')}/grub2/shimia32.efi"
       assert_equal :PXEGrub2, @subject.pxe_loader_kind(@host)
     end
 
@@ -88,22 +98,17 @@ def setup
     end
 
     test "PXEGrub2 is found for http://smart_proxy/tftp/grub2/grubx64.efi filename" do
-      @host.pxe_loader = "http://smart_proxy/tftp/grub2/grubx64.efi"
+      @host.pxe_loader = "http://smart_proxy/tftp/host-config/#{@host.mac.tr(':', '-')}/grub2/grubx64.efi"
       assert_equal :PXEGrub2, @subject.pxe_loader_kind(@host)
     end
 
     test "PXEGrub2 is found for https://smart_proxy/tftp/grub2/grubx64.efi filename" do
-      @host.pxe_loader = "https://smart_proxy/tftp/grub2/grubx64.efi"
-      assert_equal :PXEGrub2, @subject.pxe_loader_kind(@host)
-    end
-
-    test "PXEGrub2 is found for https://smart_proxy/tftp/grub2/shimx64.efi filename" do
-      @host.pxe_loader = "https://smart_proxy/tftp/grub2/shimx64.efi"
+      @host.pxe_loader = "https://smart_proxy/tftp/host-config/#{@host.mac.tr(':', '-')}/grub2/grubx64.efi"
       assert_equal :PXEGrub2, @subject.pxe_loader_kind(@host)
     end
 
     test "PXEGrub2 is found for https://smart_proxy/tftp/grub2/shimx64.efi filename" do
-      @host.pxe_loader = "https://smart_proxy/tftp/grub2/shimx64.efi"
+      @host.pxe_loader = "https://smart_proxy/tftp/host-config/#{@host.mac.tr(':', '-')}/grub2/shimx64.efi"
       assert_equal :PXEGrub2, @subject.pxe_loader_kind(@host)
     end
 

test/models/operatingsystem_test.rb

@@ -379,13 +379,13 @@ class OperatingsystemTest < ActiveSupport::TestCase
     test 'should be the smart proxy and httpboot port for UEFI HTTP' do
       SmartProxy.any_instance.expects(:setting).with(:HTTPBoot, 'http_port').returns(1234)
       host = FactoryBot.build(:host, :managed, :with_tftp_and_httpboot_subnet, pxe_loader: 'Grub2 UEFI HTTP')
-      assert_match(%r{http://somewhere.*net:1234/httpboot/grub2/grubx64.efi}, host.operatingsystem.boot_filename(host))
+      assert_match(%r{http://somewhere.*net:1234/httpboot/@@subdir@@/grub2/grubx64.efi}, host.operatingsystem.boot_filename(host))
     end
 
     test 'should be the smart proxy and httpboot port for UEFI HTTPS' do
       SmartProxy.any_instance.expects(:setting).with(:HTTPBoot, 'https_port').returns(1235)
       host = FactoryBot.build(:host, :managed, :with_tftp_and_httpboot_subnet, pxe_loader: 'Grub2 UEFI HTTPS')
-      assert_match(%r{https://somewhere.*net:1235/httpboot/grub2/grubx64.efi}, host.operatingsystem.boot_filename(host))
+      assert_match(%r{https://somewhere.*net:1235/httpboot/@@subdir@@/grub2/grubx64.efi}, host.operatingsystem.boot_filename(host))
     end
 
     test 'should not raise an error without httpboot feature for PXE' do

test/models/orchestration/dhcp_test.rb

@@ -371,7 +371,8 @@ def host_with_loader(loader)
 
     h.build = true
     assert h.valid?, h.errors.messages.to_s
-    assert_equal ["dhcp_remove_aa:bb:cc:dd:ee:f1", "dhcp_create_aa:bb:cc:dd:ee:f1"], h.queue.task_ids
+    assert_includes h.queue.task_ids, "dhcp_remove_aa:bb:cc:dd:ee:f1"
+    assert_includes h.queue.task_ids, "dhcp_create_aa:bb:cc:dd:ee:f1"
   end
 
   test "when an existing host trigger a 'rebuild', its dhcp records should not be updated if valid dhcp records are found" do
@@ -383,7 +384,8 @@ def host_with_loader(loader)
     h.build = true
     assert h.valid?
     assert_empty h.errors
-    assert_equal ["dhcp_create_aa:bb:cc:dd:ee:f1"], h.queue.task_ids
+    assert_includes h.queue.task_ids, "dhcp_create_aa:bb:cc:dd:ee:f1"
+    assert_not_includes h.queue.task_ids, "dhcp_remove_aa:bb:cc:dd:ee:f1"
   end
 
   test "when an existing host change its bmc mac address, its dhcp record should be updated" do

test/models/orchestration/tftp_test.rb

@@ -145,26 +145,42 @@ class TFTPOrchestrationTest < ActiveSupport::TestCase
         ),
       ]
     end
+    let(:os) do
+      FactoryBot.create(:rhel9)
+    end
     let(:host) do
       FactoryBot.create(:host,
         :with_tftp_orchestration,
         :subnet => subnet,
         :interfaces => interfaces,
         :build => true,
         :location => subnet.locations.first,
-        :organization => subnet.organizations.first)
+        :organization => subnet.organizations.first,
+        :operatingsystem => os)
     end
 
     test '#setTFTP should provision tftp for all bond child macs' do
       ProxyAPI::TFTP.any_instance.expects(:set).with(
         'PXEGrub2',
         '00:53:67:ab:dd:00',
-        :pxeconfig => 'Template'
+        {
+          :pxeconfig => 'Template',
+          :targetos => os.name.downcase.to_s,
+          :release => host.operatingsystem.release,
+          :arch => host.arch.name,
+          :bootfile_suffix => host.arch.bootfilename_efi,
+        }
       ).once
       ProxyAPI::TFTP.any_instance.expects(:set).with(
         'PXEGrub2',
         '00:53:67:ab:dd:01',
-        :pxeconfig => 'Template'
+        {
+          :pxeconfig => 'Template',
+          :targetos => os.name.downcase.to_s,
+          :release => host.operatingsystem.release,
+          :arch => host.arch.name,
+          :bootfile_suffix => host.arch.bootfilename_efi,
+        }
       ).once
       host.provision_interface.stubs(:generate_pxe_template).returns('Template')
       host.provision_interface.send(:setTFTP, 'PXEGrub2')