Hello, I am running Talos on a Hyper-V cluster and was wondering if it is possible to enable SecureBoot? Thanks in advance for the help.
SecureBoot is not a feature of Talos itself, but it's a UEFI firmware feature that allows you to enroll the keys, etc. We are not forcing in any way how keys are enrolled, or which keys are used to sign, etc. If you're a Microsoft customer, you can probably ask them for support?
Hyper-V does not allow for custom keys. It provides a hardcoded set of 3 secure boot configurations, one for Windows, one for broad Linux distributions like Ubuntu, and one for shielded Linux distributions. Unfortunately, Talos is signed by their own certificate chain and I'm sure is too niche to ever be signed by the cert they provided for Linux, so secure boot with Hyper-V is currently not possible. There potentially might be a submission process, but they have restrictions on what they'll sign. https://techcommunity.microsoft.com/blog/hardware-dev-center/updated-microsoft-uefi-signing-requirements/1062916