Default revocation list is overwritten when creating an image in Google Cloud Platform with Secure boot enabled

    • Updated:
    • 7 Oct 2021
    • Product/Version:
    • Cloud One - Workload Security
    • Deep Security 20.0
    • Platform:
    • Ubuntu
Summary
Customers may encounter an issue when enabling Secure Boot for Ubuntu Linux in Google Cloud Platform. It has been observed that the DBX value (the forbidden signature database, i.e. the default revocation list) is overwritten when Secure Boot keys are assigned while creating the Ubuntu image.

Details

When the gcloud command is used to create an image based on Ubuntu as shown below, a dbxs entry is enrolled in the created image by default. Note that `gcloud compute images describe` takes only the image name; the source-image flags belong to the create command.

$ gcloud compute images create image-a --source-image=ubuntu-1804-bionic-v20210928 --source-image-project="ubuntu-os-cloud" --guest-os-features="UEFI_COMPATIBLE"
$ gcloud compute images describe image-a
image describe shows:
……
shieldedInstanceInitialState:
  dbxs:
  - content: <base 64 encoded string>
    fileType: BIN

……

When the command provided by GCP is used to enroll the Secure Boot keys, this value is overwritten with the default value, which may affect customers if the default revocation list is in use.

$ gcloud compute images create image-b --source-image=ubuntu-1804-bionic-v20210928 --source-image-project="ubuntu-os-cloud" --signature-database-file=./MicCorUEFCA2011_2011-06-27.crt,./MicWinProPCA2011_2011-10-19.crt,./DS20_v2.der,./DS20.der --guest-os-features="UEFI_COMPATIBLE"
$ gcloud compute images describe image-b
image describe shows:
……
shieldedInstanceInitialState:
  dbs:
  - content: <base 64 encoded string>
    fileType: X509
  - content: <base 64 encoded string>
    fileType: X509
  - content: <base 64 encoded string>
    fileType: X509
  - content: <base 64 encoded string>
    fileType: X509

……

 

This issue has only been found on the Ubuntu platform.


Recommendation
  1. Create the image based on the default Ubuntu image (the source image and source image project may differ depending on the image provided by GCP):
    $ gcloud compute images create <image name> --source-image=ubuntu-1804-bionic-v20210928 --source-image-project="ubuntu-os-cloud" --guest-os-features="UEFI_COMPATIBLE"
  2. Describe the content of the image using the following command:
    $ gcloud compute images describe <image name>
  3. Retrieve the content of dbxs. Example of the value:

    ……
    shieldedInstanceInitialState:
      dbxs:
      - content: 2gcD8hMRFQAAAAAAAAAAABENAAAAAAAvEOndK..
        fileType: BIN

    ……

  4. Replace every '-' character with '+' and every '_' with '/' so that the string matches the standard base64 alphabet.

    Use one of the following commands to convert the string into a binary file:

    1. PowerShell:
      • PS $b64 = '<content retrieved from step 4>'
      • PS $filename = '<full path of the file to be written; the extension must be bin>'
      • PS $bytes = [Convert]::FromBase64String($b64)
      • PS [IO.File]::WriteAllBytes($filename, $bytes)
    2. Linux command:
      • $ echo "<content retrieved from step 4>" | base64 -d > <filename in binary format>
  5. Create the image with the following command, passing the binary file from step 4 as the forbidden database:
    $ gcloud compute images create <image name> --source-image=ubuntu-1804-bionic-v20210928 --source-image-project="ubuntu-os-cloud" --signature-database-file=./MicCorUEFCA2011_2011-06-27.crt,./MicWinProPCA2011_2011-10-19.crt,./DS20_v2.der,./DS20.der --forbidden-database-file=./<file name created in step 4> --guest-os-features="UEFI_COMPATIBLE"
  6. Check the created image. The dbx value is now set in the image, and its content should be the same as the default one found in step 3:

    ……
    shieldedInstanceInitialState:
      dbs:
      - content: <base 64 encoded string>
        fileType: X509
      - content: <base 64 encoded string>
        fileType: X509
      - content: <base 64 encoded string>
        fileType: X509
      - content: <base 64 encoded string>
        fileType: X509
      dbxs:
      - content: <base 64 encoded string>
        fileType: BIN

    ……

Category:
Deploy
Solution Id:
000289217