author | Jenkins <jenkins@review.openstack.org> | 2015-04-13 15:56:52 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2015-04-13 15:56:52 +0000 |
commit | 57f9802903ed227e7b37cbdea9b1d712580de328 (patch) | |
tree | 8842d62b05af5033e837665ab8caa90b5d653357 | |
parent | 88bf4caef8fa916a36e619340ea86d2e75b22bb1 (diff) | |
parent | db831de68c975536bd90f7e987cb50eedbdf2faf (diff) | |
download | ironic-57f9802903ed227e7b37cbdea9b1d712580de328.tar.gz |
Merge "iLO driver documentation for UEFI secure boot"
-rw-r--r-- | doc/source/deploy/install-guide.rst | 15 |
-rw-r--r-- | doc/source/drivers/ilo.rst | 77 |
2 files changed, 71 insertions, 21 deletions
diff --git a/doc/source/deploy/install-guide.rst b/doc/source/deploy/install-guide.rst index 871e75313..5e253746e 100644 --- a/doc/source/deploy/install-guide.rst +++ b/doc/source/deploy/install-guide.rst @@ -701,21 +701,6 @@ steps on the Ironic conductor node to configure PXE UEFI environment. ironic node-update <node-uuid> add properties/capabilities='boot_mode:uefi' -#. For deploying signed images, update the Ironic node with ``secure_boot`` - capability in node's properties. - field:: - - ironic node-update <node-uuid> add properties/capabilities='secure_boot:true' - -#. Ensure the public key of the signed image is loaded into baremetal to deploy - signed images. - For HP Proliant Gen9 servers, one can enroll public key using iLO System - Utilities UI. Please refer to section ``Accessing Secure Boot options`` in - HP UEFI System Utilities User Guide http://www.hp.com/ctg/Manual/c04398276.pdf. - Also, one can refer to white paper on Secure Boot on Linux for HP Proliant - Servers at http://h20195.www2.hp.com/V2/getpdf.aspx/4AA5-4496ENW.pdf for - more details. - #. Make sure that bare metal node is configured to boot in UEFI boot mode and boot device is set to network/pxe. diff --git a/doc/source/drivers/ilo.rst b/doc/source/drivers/ilo.rst index 0cfe092ed..6df4ac22f 100644 --- a/doc/source/drivers/ilo.rst +++ b/doc/source/drivers/ilo.rst @@ -80,9 +80,10 @@ This driver should work on HP Proliant Gen8 Servers and above with iLO 4. It has been tested with the following servers: * ProLiant DL380e Gen8 -* ProLiant DL380e Gen8 * ProLiant DL580 Gen8 UEFI * ProLiant DL180 Gen9 UEFI +* ProLiant DL380 Gen9 UEFI +* ProLiant DL580 Gen9 UEFI For more up-to-date information on server platform support info, refer iLO driver wiki [6]_. 
@@ -95,6 +96,7 @@ Features by the nova flavor's extra spec. * Always boot from network using Virtual Media. * UEFI Boot Support +* UEFI Secure Boot Support * Passing authentication token via secure, encrypted management network (Virtual Media). Provisioning is done using iSCSI over data network (like PXE driver), so this driver has the benefit of security @@ -247,7 +249,11 @@ node:: Boot modes ~~~~~~~~~~ -Refer boot_mode_support_ for more information. +Refer to `Boot mode support`_ section for more information. + +UEFI Secure Boot +~~~~~~~~~~~~~~~~ +Refer to `UEFI Secure Boot support`_ section for more information. agent_ilo driver ^^^^^^^^^^^^^^^^ @@ -271,7 +277,8 @@ This driver should work on HP Proliant Gen8 Servers and above with iLO 4. It has been tested with the following servers: * ProLiant DL380e Gen8 -* ProLiant DL380e Gen8 +* ProLiant DL380 Gen9 UEFI +* ProLiant DL580 Gen9 UEFI This driver supports only Gen 8 Class 0 systems (BIOS only). For more up-to-date information, check the iLO driver wiki [6]_. @@ -284,6 +291,8 @@ Features * IPA runs on the baremetal node and pulls the image directly from Swift. * IPA deployed instances always boots from local disk. * Segregates management info from data channel. +* UEFI Boot Support +* UEFI Secure Boot Support Requirements ~~~~~~~~~~~~ @@ -421,6 +430,14 @@ node:: ironic node-create -d agent_ilo -i ilo_address=<ilo-ip-address> -i ilo_username=<ilo-username> -i ilo_password=<ilo-password> -i ilo_deploy_iso=<glance-uuid-of-deploy-iso> +Boot modes +~~~~~~~~~~ +Refer to `Boot mode support`_ section for more information. + +UEFI Secure Boot +~~~~~~~~~~~~~~~~ +Refer to `UEFI Secure Boot support`_ section for more information. + pxe_ilo driver ^^^^^^^^^^^^^^ 
@@ -510,13 +527,11 @@ node:: Boot modes ~~~~~~~~~~ -Refer boot_mode_support_ for more information. +Refer to `Boot mode support`_ section for more information. Functionalities across drivers ============================== -.. _boot_mode_support: - Boot mode support ^^^^^^^^^^^^^^^^^ The following drivers support automatic detection and setting of boot @@ -524,6 +539,7 @@ mode (Legacy BIOS or UEFI). * ``pxe_ilo`` * ``iscsi_ilo`` +* ``agent_ilo`` The boot modes can be configured in Ironic in the following way: 
@@ -570,6 +586,53 @@ diskimage-builder command to build the image. For example:: disk-image-create ubuntu baremetal iso +UEFI Secure Boot support +^^^^^^^^^^^^^^^^^^^^^^^^ +The following drivers support UEFI secure boot deploy: + +* ``iscsi_ilo`` +* ``agent_ilo`` + +The UEFI secure boot mode can be configured in Ironic by adding +``secure_boot`` parameter in the ``capabilities`` parameter within +``properties`` field of an Ironic node. + +``secure_boot`` is a boolean parameter and takes value as ``true`` or +``false``. + +To enable ``secure_boot`` on a node add it to ``capabilities`` as below:: + + ironic node-update <node-uuid> add properties/capabilities='secure_boot:true' + +Nodes having ``secure_boot`` set to ``true`` may be requested by adding an +``extra_spec`` to the Nova flavor:: + + nova flavor-key ironic-test-3 set capabilities:secure_boot="true" + nova boot --flavor ironic-test-3 --image test-image instance-1 + +If ``capabilities`` is used in ``extra_spec`` as above, Nova scheduler +(``ComputeCapabilitiesFilter``) will match only Ironic nodes which have +the ``secure_boot`` set appropriately in ``properties/capabilities``. It will +filter out rest of the nodes. + +The above facility for matching in Nova can be used in heterogeneous +environments where there is a mix of machines supporting and not supporting +UEFI secure boot, and operator wants to provide a choice to the user +regarding secure boot. If the flavor doesn't contain ``secure_boot`` then +Nova scheduler will not consider secure boot mode as a placement criteria, +hence user may get a secure boot capable machine that matches with user +specified flavors but deployment would not use its secure boot capability. +Secure boot deploy would happen only when it is explicitly specified through +flavor. + +Ensure the public key of the signed image is loaded into baremetal to deploy +signed images. +For HP Proliant Gen9 servers, one can enroll public key using iLO System +Utilities UI. 
Please refer to section ``Accessing Secure Boot options`` in +HP UEFI System Utilities User Guide. [7]_ +One can also refer to white paper on Secure Boot for Linux on HP Proliant +servers for additional details. [8]_ + References ========== @@ -579,4 +642,6 @@ References .. [4] http://docs.openstack.org/developer/glance/configuring.html#configuring-the-swift-storage-backend .. [5] Ironic Python Agent - https://github.com/openstack/ironic-python-agent .. [6] https://wiki.openstack.org/wiki/Ironic/Drivers/iLODrivers +.. [7] HP UEFI System Utilities User Guide - http://www.hp.com/ctg/Manual/c04398276.pdf +.. [8] Secure Boot for Linux on HP Proliant servers http://h20195.www2.hp.com/V2/getpdf.aspx/4AA5-4496ENW.pdf |
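Review bot: In the doc/source/deploy/install-guide.rst hunk (@@ -701,21 +701,6), the two secure boot steps are deleted from the PXE UEFI procedure with nothing left in their place, so a reader following the install guide no longer learns that ``secure_boot`` exists or that the image's public key has to be enrolled first. Leave a one-line pointer there to the new "UEFI Secure Boot support" section in doc/source/drivers/ilo.rst. The move also narrows the implied scope: the removed steps sat in the PXE UEFI procedure, while the new section lists only ``iscsi_ilo`` and ``agent_ilo``. If that narrowing is intended, say so in the commit message.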
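Review bot: In the agent_ilo tested-platforms hunk of doc/source/drivers/ilo.rst (@@ -271,7 +277,8), the retained context line "This driver supports only Gen 8 Class 0 systems (BIOS only)." now contradicts the two Gen9 UEFI servers added directly above it, and also the "UEFI Boot Support" and "UEFI Secure Boot Support" bullets added to the same driver's feature list in the following hunk. Update or drop that sentence in this change so the section does not claim both BIOS-only and UEFI secure boot support.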
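Review bot: In the new "UEFI Secure Boot support" section of doc/source/drivers/ilo.rst (@@ -570,6 +586,53), the point an operator most needs is buried at the end of the heterogeneous-environments paragraph: a node carrying ``secure_boot:true`` is still deployed without secure boot unless the flavor requests it ("Secure boot deploy would happen only when it is explicitly specified through flavor."). Move that into its own short paragraph or a note directive right after the ``nova flavor-key`` example, so nobody assumes that tagging the node is enough to enforce it. The key enrollment paragraph should also say what the operator will see when the image's public key has not been enrolled. Minor: "placement criteria" should be "placement criterion", and "Proliant" here is spelled "ProLiant" in the tested-platform lists.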
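Review bot: In the References hunk of doc/source/drivers/ilo.rst (@@ -579,4 +642,6), entry [8] omits the " - " separator between title and URL that entries [5] and [7] use. Add it so the reference list stays consistent.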