Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Description
It is possible to enroll/replace UEFI keys on an Azure Compute Gallery Image Version using an ARM template (the `uefiSettings` object sits under `securityProfile`):

```json
"securityProfile": {
  "uefiSettings": {
    "signatureTemplateNames": [
      "MicrosoftUefiCertificateAuthorityTemplate"
    ],
    "additionalSignatures": {
      "db": [
        {
          "type": "x509",
          "value": [
            "Base64 formatted certificate",
            "Base64 formatted certificate"
          ]
        }
      ],
      "dbx": [
        {
          "type": "sha256",
          "value": [
            "Base64 formatted sha256 hash",
            "Base64 formatted sha256 hash"
          ]
        }
      ]
    }
  }
}
```
This example comes from Azure's documentation Secure Boot UEFI keys.
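As an added example (not from this issue or the packer-plugin-azure project), a small Python helper that assembles the `uefiSettings` object above from PEM certificates and the boot binaries to forbid, and checks a hand-written payload for the two encoding mistakes that are easy to make here: pasting a PEM with its headers instead of the bare base64 DER body for `db`, and pasting the hex digest that `sha256sum` prints instead of the base64 of the raw 32-byte hash for `dbx`. It assumes the documented "Base64 formatted" values mean base64 of the raw DER bytes and of the raw digest; the sample certificate and boot binary are constructed stand-ins, not real keys.

```python
import base64
import hashlib
import re

# Constructed sample inputs (not real keys): DER-shaped bytes starting with the ASN.1 SEQUENCE
# tag like a real X.509 certificate, wrapped in PEM, and a stand-in for a revoked boot binary.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 32
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_REVOKED_BINARY = b"constructed stand-in for a revoked bootloader image"

def pem_to_base64_der(pem: str) -> str:
    """Azure wants the DER certificate as one base64 string: the PEM body without headers or newlines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM certificate")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der or der[0] != 0x30:  # every X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("PEM body is not a DER-encoded X.509 certificate")
    return base64.b64encode(der).decode()

def sha256_to_base64(data: bytes) -> str:
    """dbx takes the raw 32-byte digest base64-encoded, not the 64-char hex that sha256sum prints."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_uefi_settings(db_pems, dbx_blobs) -> dict:
    # Same shape as the ARM template snippet in the issue, with real encodings filled in.
    return {
        "signatureTemplateNames": ["MicrosoftUefiCertificateAuthorityTemplate"],
        "additionalSignatures": {
            "db": [{"type": "x509", "value": [pem_to_base64_der(p) for p in db_pems]}],
            "dbx": [{"type": "sha256", "value": [sha256_to_base64(b) for b in dbx_blobs]}],
        },
    }

def _decode(value: str):
    try:
        return base64.b64decode(value, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return None

def validate_uefi_settings(settings: dict) -> list:
    """Return problems found in a payload; an empty list means the encodings match the docs."""
    problems = []
    sigs = settings.get("additionalSignatures", {})
    for entry in sigs.get("db", []):
        for raw in map(_decode, entry.get("value", [])):
            if not raw or raw[0] != 0x30:
                problems.append("db value is not base64 of a DER certificate")
    for entry in sigs.get("dbx", []):
        for raw in map(_decode, entry.get("value", [])):
            if raw is None or len(raw) != 32:
                problems.append("dbx value is not base64 of a raw 32-byte SHA-256 digest")
    return problems
```

Running `validate_uefi_settings` over a payload whose `dbx` entry holds a 64-character hex digest flags it, because that string decodes to 48 bytes rather than 32.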
The packer-plugin-azure provider has a parameter block `shared_image_gallery_destination`, but it's not currently possible to set `securityProfile` or `securityProfile.uefiSettings`.
Alternatively it would be great to be able to add custom ARM Template code.
Use Case(s)
Azure has a feature, "Trusted launch", that is basically secure boot. Some software, such as proprietary antivirus products, tries to load itself into the kernel and fails because it is signed by an external authority unrecognized by UEFI.
We usually use mokutil to enroll more keys, but this is not supported on Azure.
The only method to do that is through an Azure Compute Gallery / Image / Version, and only at creation time.
Potential configuration
Potential References
- Secure Boot UEFI keys (Azure documentation)