diff --git a/README.md b/README.md index a063fbd..969c35e 100644 --- a/README.md +++ b/README.md @@ -327,6 +327,13 @@ The organization that created the image. Example: `"Edgeless Systems"`. Name of the temporary disk. Image is uploaded to this disk before being converted to an image. +### `base.azure.additionalSignatures` / `variant..azure.additionalSignatures` + +- Default: `[]` +- Required: no + +Additional Secure Boot UEFI certificates can be added to the image to perform Trusted Launch with images that contain boot components which have been signed using a custom key. The certificates will be bound as UEFI db keys to an Image Version. The values have to be specified as single-line base64-encoded DER certificates. Example: `["MIIC0DCCAbigAwIBAgIUI7..."]`. + ### `base.gcp.project` / `variant..gcp.project` - Default: none diff --git a/azure/uploader.go b/azure/uploader.go index 6931973..f292daa 100644 --- a/azure/uploader.go +++ b/azure/uploader.go @@ -483,6 +483,29 @@ func (u *Uploader) createImageVersion(ctx context.Context, imageID string) (stri }, }, } + + if u.config.Azure.AdditionalSignatures != nil { + var value []*string + for _, sig := range u.config.Azure.AdditionalSignatures { + value = append(value, toPtr(sig)) + } + imageVersion.Properties.SecurityProfile = &armcomputev5.ImageVersionSecurityProfile{ + UefiSettings: &armcomputev5.GalleryImageVersionUefiSettings{ + SignatureTemplateNames: []*armcomputev5.UefiSignatureTemplateName{ + toPtr(armcomputev5.UefiSignatureTemplateNameMicrosoftUefiCertificateAuthorityTemplate), + }, + AdditionalSignatures: &armcomputev5.UefiKeySignatures{ + Db: []*armcomputev5.UefiKey{ + &armcomputev5.UefiKey{ + Type: toPtr(armcomputev5.UefiKeyTypeX509), + Value: value, + }, + }, + }, + }, + } + } + createPoller, err := u.imageVersions.BeginCreateOrUpdate(ctx, rg, sigName, defName, verName, imageVersion, &armcomputev5.GalleryImageVersionsClientBeginCreateOrUpdateOptions{}, ) 
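Review bot: The guard `if u.config.Azure.AdditionalSignatures != nil` at the top of the added block in createImageVersion also fires for an empty list, so a config that spells out the documented default `additionalSignatures = []` would send a SecurityProfile whose db holds an X509 key with no values; `if len(u.config.Azure.AdditionalSignatures) > 0 {` is the intended condition. The entries are then forwarded verbatim, and since every certificate enrolled in db becomes a trusted signer for boot components on the resulting Trusted Launch VMs, it is worth decoding each value with base64.StdEncoding and parsing it with x509.ParseCertificate before the API call, so that a truncated or non-DER value fails here with a clear message (and the enrolled subjects could be logged) rather than with an opaque error from Azure. Inside the `[]*armcomputev5.UefiKey{...}` literal the explicit `&armcomputev5.UefiKey` prefix is redundant and gofmt -s would drop it. createImageVersion's body starts and ends outside the hunk; the truncated signature suggests it returns `(string, error)`, which the early returns below assume.
```go
	if len(u.config.Azure.AdditionalSignatures) > 0 {
		value := make([]*string, 0, len(u.config.Azure.AdditionalSignatures))
		for _, sig := range u.config.Azure.AdditionalSignatures {
			// Fail fast on malformed input: anything that reaches the UEFI db
			// becomes a trusted boot-component signer for the resulting VMs.
			der, err := base64.StdEncoding.DecodeString(sig)
			if err != nil {
				return "", fmt.Errorf("decoding additional UEFI db signature: %w", err)
			}
			if _, err := x509.ParseCertificate(der); err != nil {
				return "", fmt.Errorf("parsing additional UEFI db signature as DER X.509: %w", err)
			}
			value = append(value, toPtr(sig))
		}
		// … unchanged: SecurityProfile / UefiSettings construction …
	}
```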
diff --git a/config/config.go b/config/config.go index fab543d..25c783e 100644 --- a/config/config.go +++ b/config/config.go 
@@ -184,19 +184,20 @@ type AWSConfig struct {
 }
 type AzureConfig struct {
- SubscriptionID string `toml:"subscriptionID,omitempty"`
- Location string `toml:"location,omitempty"`
- ReplicationRegions []string `toml:"replicationRegions,omitempty"`
- ResourceGroup string `toml:"resourceGroup,omitempty" template:"true"`
- AttestationVariant string `toml:"attestationVariant,omitempty" template:"true"`
- SharedImageGallery string `toml:"sharedImageGallery,omitempty" template:"true"`
- SharingProfile string `toml:"sharingProfile,omitempty" template:"true"`
- SharingNamePrefix string `toml:"sharingNamePrefix,omitempty" template:"true"`
- ImageDefinitionName string `toml:"imageDefinitionName,omitempty" template:"true"`
- Offer string `toml:"offer,omitempty" template:"true"`
- SKU string `toml:"sku,omitempty" template:"true"`
- Publisher string `toml:"publisher,omitempty" template:"true"`
- DiskName string `toml:"diskName,omitempty" template:"true"`
+ SubscriptionID string `toml:"subscriptionID,omitempty"`
+ Location string `toml:"location,omitempty"`
+ ReplicationRegions []string `toml:"replicationRegions,omitempty"`
+ ResourceGroup string `toml:"resourceGroup,omitempty" template:"true"`
+ AttestationVariant string `toml:"attestationVariant,omitempty" template:"true"`
+ SharedImageGallery string `toml:"sharedImageGallery,omitempty" template:"true"`
+ SharingProfile string `toml:"sharingProfile,omitempty" template:"true"`
+ SharingNamePrefix string `toml:"sharingNamePrefix,omitempty" template:"true"`
+ ImageDefinitionName string `toml:"imageDefinitionName,omitempty" template:"true"`
+ Offer string `toml:"offer,omitempty" template:"true"`
+ SKU string `toml:"sku,omitempty" template:"true"`
+ Publisher string `toml:"publisher,omitempty" template:"true"`
+ DiskName string `toml:"diskName,omitempty" template:"true"`
+ AdditionalSignatures []string `toml:"additionalSignatures,omitempty"`
 }
 type GCPConfig struct {
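Review bot: The new `AdditionalSignatures` field is the only string-valued entry in AzureConfig without a `template:"true"` tag and carries no comment, so a reader cannot tell whether the omission is deliberate or whether the values are checked anywhere before use; nothing in this hunk validates them. Given that these values end up as Secure Boot db entries, a doc comment pinning the contract would help: `// AdditionalSignatures are extra Secure Boot db certificates enrolled into the image version, each a single-line base64-encoded DER X.509 certificate; they are taken verbatim (not templated).` If the missing template tag is intentional, saying so in that comment settles it for the next maintainer.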