Secure Boot?

indivision

Guru
Joined
Jan 4, 2013
Messages
806

joshenders

Cadet
Joined
Jan 3, 2022
Messages
2
Seems like this is still an issue even under the release version on Linux, TrueNAS-SCALE-22.02.0. I also wonder if this is planned. I'll follow up on the Jira project.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
In the meantime, I’ve purchased an expensive paperweight because the AMI BIOS version 1620 on ASUS board doesn’t allow me to deactivate SecureBoot.
Maybe you can get away with a third party boot manager at least in the interim.

something like mixing these 2:


 

ihr

Dabbler
Joined
Jan 3, 2023
Messages
22
Thank you @sretalla for the pointers.

I've read the documentation and the process is quite complex:

1) I need to download the source code of shim and compile with some options...
2) I need to create my own keys to sign executables
3) I need to sign the existing boot of truenas? and loaded modules?

And test in a loop to fix issues.

I could give it a try, but only if I have support from iXsystems, as I'm not aware of the details of how FreeBSD actually boots for TrueNAS (and it looks like FreeBSD does not support SecureBoot on its own), so,

Please iXsystems, let me know if you can give me support on this process somehow!

Regards
Ignacio
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
I could give it a try, but only if I have support from iXsystems, as I'm not aware of the details of how FreeBSD actually boots for TrueNAS (and it looks like FreeBSD does not support SecureBoot on its own), so,

Please iXsystems, let me know if you can give me support on this process somehow!
You expect active support when you didn't even buy their hardware? You're a funny comedian, you.
 

ihr

Dabbler
Joined
Jan 3, 2023
Messages
22
Well, I'm NOT requesting support on their product (which is what they sell).
I'm requesting support on how the boot process works, only in case I have problems with it.
ALSO note I'm providing them the experience as an advanced user to implement a solution so their OS can be installed on MODERN HARDWARE that does not allow disabling SecureBoot (most of the new motherboards do not allow disabling SecureBoot).

Yes, I'll spend my time on the benefit of iXsystems and I want them to be involved in the process. It is a WIN WIN deal!
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
3) I need to sign the existing boot of truenas? and loaded modules?
I don't think that's how it would work...

I had posted the links with the intention that you come to be able to secure boot to Clover (a boot manager).

Clover would then (possibly) be able to boot TrueNAS without requiring TrueNAS itself to support secure boot.

Frankly, you've got a much better chance dealing with ASUS to get them to release a BIOS version that allows secure boot to be disabled.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
You're a funny guy, framing it as you're more doing them a favor than the other way around. They designed the product for enterprise users and probably have no interest running it on your Asus so-called "MODERN consumer HARDWARE". It just so happens they let you download it for free and run it on whatever hardware you want, but expecting them to personally come help you and then frame it as you doing them a favor is really a funny one.

If you want to actually be helpful, file a bug report. Not by demanding them to help you claiming it's a "WIN WIN deal" as if you're saving them millions.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I’ve purchased an expensive paperweight
There's a reason we have a hardware recommendations guide.

I don't think your request is all that unreasonable, in that I expect we're going to start seeing secure boot mandated by more and more hardware. I don't know that iX will be able to do much if the underlying OSs don't support it though.
 
danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
If you want to actually be helpful, file a bug report.
Perhaps you didn't notice that he already did.

As to whether it's a win-win, I guess that depends on how likely you think it is that mandatory secure boot is going to make its way to server hardware in the near term.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Perhaps you didn't notice that he already did.
Ah, my apologies. I missed that part. That still doesn't change the fact that the expectation for that kind of support beyond the forums community support without having a service contract is at least a bit interesting, especially given the framing.
 

ihr

Dabbler
Joined
Jan 3, 2023
Messages
22
I don't think that's how it would work...

I had posted the links with the intention that you come to be able to secure boot to Clover (a boot manager).

Frankly, you've got a much better chance dealing with ASUS to get them to release a BIOS version that allows secure boot to be disabled.

I’ll give Clover a try. Thanks.

Regarding ASUS: they are informed and I’m waiting for a response from their 2nd level support.
 

ihr

Dabbler
Joined
Jan 3, 2023
Messages
22
You're a funny guy, framing it as you're more doing them a favor than the other way around. They designed the product for enterprise users and probably have no interest running it on your Asus so-called "MODERN consumer HARDWARE". It just so happens they let you download it for free and run it on whatever hardware you want, but expecting them to personally come help you and then frame it as you doing them a favor is really a funny one.

If you want to actually be helpful, file a bug report. Not by demanding them to help you claiming it's a "WIN WIN deal" as if you're saving them millions.

The BUG report was filed a week ago.
 

ihr

Dabbler
Joined
Jan 3, 2023
Messages
22
Thank you everyone for your responses. I really hope I can find a solution. Either FreeBSD supports SecureBOOT and TrueNAS follows, or the next version of TrueNAS could be based on Debian (as Proxmox is, and it works).
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
or the next version of TrueNAS could be based on Debian
That's called TrueNAS SCALE, and it already exists.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Thank you everyone for your responses. I really hope I can find a solution. Either FreeBSD supports SecureBOOT and TrueNAS follows, or the next version of TrueNAS could be based on Debian (as Proxmox is, and it works).
TrueNAS SCALE is it. Just like Proxmox, it's Debian-based and using Linux kernel 5.15.79.
 

ihr

Dabbler
Joined
Jan 3, 2023
Messages
22
I'll take a look at TrueNAS SCALE! and come back. Thank you for the pointer!
 