Packer: GCP Shielded VM creation fails when Secure Boot is enabled

Created on 3 Jun 2020  ·  3 Comments  ·  Source: hashicorp/packer

Overview of the Issue

Via the GCP console I can successfully create a VM with Secure Boot, vTPM, and Integrity Monitoring enabled, but Packer returns an error when doing the same.
In the console I have specified the same source image, family, machine type, zone, and disk size.

Reproduction Steps

Using the Buildfile mentioned below.

Packer version

v1.5.6

Simplified Packer Buildfile

```json
{
  "builders": [
    {
      "type": "googlecompute",
      "image_name": "base-centos-7-{{timestamp}}",
      "account_file": "<redacted>",
      "project_id": "<redacted>",
      "source_image": "centos-7-v20200521",
      "source_image_family": "centos-7",
      "ssh_username": "centos",
      "zone": "europe-west2-a",
      "machine_type": "n1-standard-1",
      "disk_size": 20,
      "enable_secure_boot": true,
      "enable_vtpm": true,
      "enable_integrity_monitoring": true
    }
  ]
}
```

Operating system and Environment details

MacOS 10.15.5

Log Fragments and crash.log files

```
==> googlecompute: Image: centos-7-v20200521 is not secure boot compatible. Please set 'enable_secure_boot' to false or choose another source image.
```

Labels: bug, builder/google

All 3 comments

Seems like the SECURE_BOOT type is not being returned. This is what I've got using the above packer file.

```
2020/06/04 01:58:31 packer-builder-googlecompute plugin: [INFO]   -- GuestOsFeatures: &{Type:UEFI_COMPATIBLE ForceSendFields:[] NullFields:[]}
```

Response from Google API

```json
{
  "id": "2647106685913220970",
  "creationTimestamp": "2020-05-21T14:58:29.581-07:00",
  "name": "centos-7-v20200521",
  "description": "CentOS, CentOS, 7, x86_64 built on 20200521, supports Shielded VM features",
  "sourceType": "RAW",
  "rawDisk": {
    "source": "",
    "containerType": "TAR"
  },
  "deprecated": {
    "state": "DEPRECATED",
    "replacement": "https://www.googleapis.com/compute/v1/projects/centos-cloud/global/images/centos-7-v20200603"
  },
  "status": "READY",
  "archiveSizeBytes": "25513516544",
  "diskSizeGb": "20",
  "licenses": [
    "https://www.googleapis.com/compute/v1/projects/centos-cloud/global/licenses/centos-7"
  ],
  "family": "centos-7",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/centos-cloud/global/images/centos-7-v20200521",
  "labelFingerprint": "42WmSpB8rSM=",
  "guestOsFeatures": [
    {
      "type": "UEFI_COMPATIBLE"
    }
  ],
  "licenseCodes": [
    "1000207"
  ],
  "storageLocations": [
    "asia",
    "eu",
    "asia",
    "us",
    "asia",
    "us",
    "eu",
    "asia",
    "us",
    "asia",
    "us",
    "asia",
    "asia",
    "eu",
    "eu",
    "us",
    "asia",
    "us",
    "us",
    "eu",
    "us",
    "us",
    "eu"
  ],
  "kind": "compute#image"
}
```

Tested with various other images like debian-10; they do not return the type we are looking for to enable SECURE_BOOT. A dirty workaround could potentially be looking at the description to see if it contains the string "supports Shielded VM features".

/cc @nywilken

Thanks for raising this issue @jonhadfield. When I added the Shielded VMs support in Packer some time ago, Google were still using a SECURE_BOOT guest OS feature with their images. It used to indicate that the compute image supports Shielded VM features. Looks like this is no longer the case as the SECURE_BOOT feature was internally deprecated (found this out after chasing this with them). They are now using the UEFI_COMPATIBLE feature. This means, using an image with 'UEFI_COMPATIBLE' guest OS feature confirms the 'secureBoot' feature compatibility. I raised a PR which fixes this since we are keen on continuing our use of Shielded VMs 💪
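The compatibility check described in the two comments above, written out as an added example (this is not Packer's own code or the code from the PR mentioned). It decodes the relevant part of the `compute#image` response quoted in the first comment, shows that a check that only looks for the `SECURE_BOOT` guest OS feature rejects that image, and shows the corrected check that accepts `UEFI_COMPATIBLE` while still honouring `SECURE_BOOT` for older images. The error text and the function names are assumptions for illustration; the feature names are the ones discussed in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// GuestOsFeature mirrors one entry of guestOsFeatures in a Compute Engine
// compute#image resource (only the field this check needs).
type GuestOsFeature struct {
	Type string `json:"type"`
}

// Image is the subset of a compute#image resource relevant to the
// Shielded VM compatibility check.
type Image struct {
	Name            string           `json:"name"`
	Description     string           `json:"description"`
	GuestOsFeatures []GuestOsFeature `json:"guestOsFeatures"`
}

// hasFeature reports whether the image advertises the given guest OS feature.
func hasFeature(img Image, feature string) bool {
	for _, f := range img.GuestOsFeatures {
		if f.Type == feature {
			return true
		}
	}
	return false
}

// SecureBootCompatibleLegacy is the behaviour the issue reports: only the
// SECURE_BOOT feature is accepted, which current public images no longer carry.
func SecureBootCompatibleLegacy(img Image) bool {
	return hasFeature(img, "SECURE_BOOT")
}

// SecureBootCompatible is the corrected check: UEFI_COMPATIBLE is what
// current images advertise, and SECURE_BOOT is still accepted for any
// older image that may carry it.
func SecureBootCompatible(img Image) bool {
	return hasFeature(img, "UEFI_COMPATIBLE") || hasFeature(img, "SECURE_BOOT")
}

// ValidateShieldedConfig is an assumed pre-build validation step: when the
// user asks for Secure Boot, refuse the build unless the source image is
// compatible. The message is a paraphrase of the one in the issue log,
// not Packer's exact string.
func ValidateShieldedConfig(img Image, enableSecureBoot bool) error {
	if enableSecureBoot && !SecureBootCompatible(img) {
		return fmt.Errorf("image %q is not secure boot compatible; set enable_secure_boot to false or choose another source image", img.Name)
	}
	return nil
}

// ParseImage decodes a compute#image JSON document such as the one the
// images API (or `gcloud compute images describe --format=json`) returns.
func ParseImage(raw []byte) (Image, error) {
	var img Image
	err := json.Unmarshal(raw, &img)
	return img, err
}

// sampleImage is the relevant part of the API response quoted in the issue,
// embedded here so the example runs offline.
const sampleImage = `{
  "name": "centos-7-v20200521",
  "description": "CentOS, CentOS, 7, x86_64 built on 20200521, supports Shielded VM features",
  "guestOsFeatures": [ { "type": "UEFI_COMPATIBLE" } ],
  "kind": "compute#image"
}`

func main() {
	img, err := ParseImage([]byte(sampleImage))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: legacy check=%v corrected check=%v\n",
		img.Name, SecureBootCompatibleLegacy(img), SecureBootCompatible(img))
	if err := ValidateShieldedConfig(img, true); err != nil {
		fmt.Println("build refused:", err)
	} else {
		fmt.Println("build allowed with enable_secure_boot=true")
	}
}
```

The check keys on `guestOsFeatures` rather than on the free-text `description`, because the description is documentation for humans and can be reworded at any time, whereas the feature list is the field the platform itself uses to decide what the image supports. To run the same check against a live image, feed the output of `gcloud compute images describe centos-7-v20200521 --project centos-cloud --format=json` to `ParseImage`.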

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
