Bottlerocket partition layout / Secure boot #4304

rajivr · 2024-11-18T01:23:31Z

rajivr
Nov 18, 2024

I am new to Bottlerocket. I have two questions regarding Bottlerocket partition layout and Secure boot.

I am using ami-0e31b3541fad3fc88 (aws-eks-1.31-x86_64-1.26.1-943d9a41 release in us-east-2 region, with Kubelet in standalone mode).

Within grub.cfg, the entry is as follows (slightly abbreviated).

# ...
set check_signatures="no"
# ...
menuentry "Bottlerocket OS 1.26.1" --unrestricted {
   linux ($root)/vmlinuz \
   # ...
   initrd ($private)/bootconfig.data
# ...

I was wondering how bootconfig.data is authenticated during secure boot?

A /dev/nvme0n1p13 partition of partition type BOTTLEROCKET_DATA is present, but is uninitialized.
```
[root@admin]# file -Ls /.bottlerocket/rootfs/dev/nvme0n1p13
/.bottlerocket/rootfs/dev/nvme0n1p13: data
```
Could you please share some details on how this partition is being used within Bottlerocket?

Answered by bcressey

Nov 18, 2024

(1) I was wondering how bootconfig.data is authenticated during secure boot?

bootconfig.data is generated locally and contains kernel and init parameter overrides. It cannot be authenticated using the same mechanism.

Bottlerocket relies on the kernel's behavior of ordering bootconfig entries before anything else on the respective command lines, and the usual kernel behavior of overwriting earlier definitions with later ones. Parameters defined in grub.cfg should take precedence over anything in bootconfig.data.

As a gentle reminder: please follow the project's security policy for reporting any security issues.

(2) Could you please share some details on how this [uninitialized partition…

View full answer

bcressey · 2024-11-18T17:01:59Z

bcressey
Nov 18, 2024
Maintainer

(1) I was wondering how bootconfig.data is authenticated during secure boot?

bootconfig.data is generated locally and contains kernel and init parameter overrides. It cannot be authenticated using the same mechanism.

Bottlerocket relies on the kernel's behavior of ordering bootconfig entries before anything else on the respective command lines, and the usual kernel behavior of overwriting earlier definitions with later ones. Parameters defined in grub.cfg should take precedence over anything in bootconfig.data.

As a gentle reminder: please follow the project's security policy for reporting any security issues.

(2) Could you please share some details on how this [uninitialized partition] is being used within Bottlerocket?

It's not used in typical EC2 instance launches; it's only used on Outposts and only for launches where the second EBS volume is not present. If those conditions are met, any additional space on the first volume would be allocated toward that partition, and it would be formatted and used as the "BOTTLEROCKET-DATA" filesystem.

Overall the desire is to have a single AMI that supports various launch types (EC2, Outposts, Snow) and this is an artifact of that.

1 reply

rajivr Nov 19, 2024
Author

Thanks for the reply @bcressey.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bottlerocket partition layout / Secure boot #4304

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Bottlerocket partition layout / Secure boot #4304

rajivr Nov 18, 2024

Replies: 1 comment · 1 reply

bcressey Nov 18, 2024 Maintainer

rajivr Nov 19, 2024 Author

rajivr
Nov 18, 2024

Replies: 1 comment 1 reply

bcressey
Nov 18, 2024
Maintainer

rajivr Nov 19, 2024
Author