how to enable secure boot when using raw disk image and packer

[Dialgatrainer02]

hello, I'm trying to make a base image with talos installed and secureboot enabled with packer however i cant figure out how to enable secure boot and enroll the keys using packer. i understand that the iso usually auto enrolls the keys do you know how i could do that manually in arch after writing the disk image?

a simplified packer template to reproduce my current setup:

variable "talos_image" {
  type = object({
    arch        = string
    platform    = string
    secureboot  = bool
    factory_url = string
    version     = string
  })
  default = {
    arch        = "amd64"
    platform    = "nocloud"
    secureboot  = true
    factory_url = "https://factory.talos.dev"
    version     = "v1.10.2"
  }
}

variable "pve_username" {
  type    = string
  default = "root@pam"
}

variable "pve_password" {
  type = string
}
variable "pve_node" {
  type    = string
  default = "pve"
}

variable "pve_endpoint" {
  type = string
}

locals {
  schematic    = {
    customization = {
      extraKernelArgs = [
        "talos.halt_if_installed=1"
      ]
      systemExtensions = {
        officialExtensions = [
          "siderolabs/i915",
          "siderolabs/intel-ucode",
          "siderolabs/qemu-guest-agent"
        ]
      }
    }
  }
  schematic_id = jsondecode(data.http.schematic_id.body)["id"]
  image_id     = "${local.schematic_id}_${var.talos_image.version}"
}

data "http" "schematic_id" {
  url          = "${var.talos_image.factory_url}/schematics"
  method       = "POST"
  request_body = yamlencode(local.schematic)
}

source "proxmox-iso" "talos" {
  boot_wait       = "20s"
  bios            = "ovmf"
  qemu_agent      = true
  vm_name         = "talos-linux"
  vm_id           = 901
  machine         = "q35"
  cpu_type        = "host"
  cores           = 2
  memory          = 2048
  os              = "l26"
  scsi_controller = "virtio-scsi-single"
  disks {
    disk_size    = "10G"
    storage_pool = var.pve_datastore
    type         = "scsi"
    format       = "raw"
  }
  efi_config {
    efi_storage_pool  = "local-zfs"
    efi_type          = "4m"
    pre_enrolled_keys = false
    efi_format        = "raw"
  }
  tpm_config {
    tpm_storage_pool = var.pve_datastore
  }
  insecure_skip_tls_verify = true
  boot_iso {
    iso_checksum = "none"
    iso_urls = [
    "https://london.mirror.pkgbuild.com/iso/latest/archlinux-x86_64.iso"]
    // iso_download_pve = true
    iso_storage_pool = "local"
    type             = "sata"
    unmount          = true
  }
  cloud_init              = true
  cloud_init_disk_type    = "sata"
  cloud_init_storage_pool = var.pve_datastore
  network_adapters {
    bridge = "vmbr0"
    model  = "virtio"
  }
  node                 = "${var.pve_node}"
  password             = "${var.pve_password}"
  username             = "${var.pve_username}"
  proxmox_url          = "${var.pve_endpoint}"
  ssh_username         = "root"
  ssh_password         = "packer"
  ssh_timeout          = "15m"
  template_description = "talos linux, generated on ${timestamp()}. Made by Packer"
  tags                 = "talos;template"
  boot_command = [
    "<enter><wait50s>",
    "passwd<enter><wait1s>packer<enter><wait1s>packer<enter>",
  ]
}

build {
  name   = "talos"
  sources = ["source.proxmox-iso.talos"]

  provisioner "shell" {
    inline = [
      "URL=${var.talos_image.factory_url}/image/${local.schematic_id}/${var.talos_image.version}/${var.talos_image.platform}-${var.talos_image.arch}${var.talos_image.secureboot ? "-secureboot" : ""}.raw.xz",
      "echo 'Downloading build image from Talos Factory: ' + $URL",
      "curl -kL \"$URL\" -o /tmp/talos.raw.xz",
      "echo 'Writing build image to disk'",
      "xz -d -c /tmp/talos.raw.xz | dd of=/dev/sda && sync",
      "echo 'Done'",
    ]
  }
}

[frezbo]

Currently the disk image doesn't have an option to auto-enroll keys, that is limited to the iso. you may manually enroll the keys from Image Factory https://github.com/siderolabs/image-factory/?tab=readme-ov-file#get-securebootsigning-certpem

[Dialgatrainer02]

thank you, do you how i can manually setup the auto enrollment so it will auto enroll when the vm is booted like the iso does?

[frezbo]

You can add the enroll keys in the EFI partition as same as the ISO in loader/keys/auto. The files maybe extracted out of the iso

/loader/keys/auto/:
  drwxr-xr-x   1 0 0 [LSN     42]      2048 Jun 02 2019 03:04:52  .
  drwxr-xr-x   1 0 0 [LSN     41]      2048 Jun 02 2019 03:04:52  ..
  -rw-------   1 0 0 [LSN  49076]      3786 Jun 02 2019 03:04:52  db.auth
  -rw-------   1 0 0 [LSN  49078]      3786 Jun 02 2019 03:04:52  KEK.auth
  -rw-------   1 0 0 [LSN  49080]      3786 Jun 02 2019 03:04:52  PK.auth

[Dialgatrainer02]

Do you have to extract from the iso to get the keys? Is it not possible using the pem cert image factory gives.

[frezbo]

yes, otherwise you'd have to generate them in the format UEFI expects,, refer: https://www.talos.dev/v1.10/talos-guides/install/bare-metal-platforms/secureboot/#secureboot-with-custom-keys, note that this is not a guide for production setup

[Dialgatrainer02]

okay, thank you for the help, ill probably sign with my own keys