| field | value | date |
|---|---|---|
| author | Mathieu Mitchell <mmitchell@iweb.com> | 2016-09-13 22:45:17 -0400 |
| committer | Mathieu Mitchell <mmitchell@iweb.com> | 2016-09-27 17:09:10 -0400 |
| commit | 1d62fbe403a523af3b0ecffc38896ef3f7661932 (patch) | |
| tree | b4516796886f672b082a5023cde0aec46b0979d4 | |
| parent | 746faceeaba71138252f58515963bdf4f12ee7b2 (diff) | |
| download | ironic-1d62fbe403a523af3b0ecffc38896ef3f7661932.tar.gz | |
[install-guide] Import "Trusted boot with partition image"
Import Trusted boot under Advanced section.
Change-Id: I33907dee5d6af49b8851761dc7a5d7b4bb3081c6
Partial-bug: #1612278
(cherry picked from commit bf926789c15d92544b90a0a348c91a9a0790297e)
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/source/deploy/install-guide.rst | 68 |
| -rw-r--r-- | install-guide/source/advanced.rst | 2 |
| -rw-r--r-- | install-guide/source/include/trusted-boot.rst | 71 |

3 files changed, 76 insertions, 65 deletions
diff --git a/doc/source/deploy/install-guide.rst b/doc/source/deploy/install-guide.rst index c3f67f2d3..0969930d2 100644 --- a/doc/source/deploy/install-guide.rst +++ b/doc/source/deploy/install-guide.rst 
@@ -719,73 +719,11 @@ the Bare Metal service Install Guide. Trusted boot with partition image ================================= -Starting with the Liberty release, Ironic supports trusted boot with partition -image. This means at the end of the deployment process, when the node is -rebooted with the new user image, ``trusted boot`` will be performed. It will -measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to -determine whether a bare metal node deployed by Ironic should be trusted. -It's important to note that in order for this to work the node being deployed -**must** have Intel `TXT`_ hardware support. The image being deployed with -Ironic must have ``oat-client`` installed within it. - -The following will describe how to enable ``trusted boot`` and boot -with PXE and Nova: - -#. Create a customized user image with ``oat-client`` installed:: - - disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG - - For more information on creating customized images, see `ImageRequirement`_. - -#. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through - the BIOS. Depending on the platform, several reboots may be needed. - -#. Enroll the node and update the node capability value:: - - ironic node-create -d pxe_ipmitool - - ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true} - -#. Create a special flavor:: - - nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true - -#. Prepare `tboot`_ and mboot.c32 and put them into tftp_root or http_root - directory on all nodes with the ironic-conductor processes:: - - Ubuntu: - cp /usr/lib/syslinux/mboot.c32 /tftpboot/ - - Fedora: - cp /usr/share/syslinux/mboot.c32 /tftpboot/ - - *Note: The actual location of mboot.c32 varies among different distribution versions.* - - tboot can be downloaded from - https://sourceforge.net/projects/tboot/files/latest/download - -#. Install an OAT Server. 
An `OAT Server`_ should be running and configured correctly. - -#. Boot an instance with Nova:: - - nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance - - *Note* that the node will be measured during ``trusted boot`` and the hash values saved - into `TPM`_. An example of TRUST_SCRIPT can be found in `trust script example`_. - -#. Verify the result via OAT Server. - - This is outside the scope of Ironic. At the moment, users can manually verify the result - by following the `manual verify steps`_. - -.. _`TXT`: http://en.wikipedia.org/wiki/Trusted_Execution_Technology -.. _`tboot`: https://sourceforge.net/projects/tboot -.. _`TPM`: http://en.wikipedia.org/wiki/Trusted_Platform_Module -.. _`OAT Server`: https://github.com/OpenAttestation/OpenAttestation/wiki -.. _`trust script example`: https://wiki.openstack.org/wiki/Bare-metal-trust#Trust_Script_Example -.. _`manual verify steps`: https://wiki.openstack.org/wiki/Bare-metal-trust#Manual_verify_result +The `Trusted boot with partition image`_ section has been moved to the Bare +Metal service Install Guide. +.. _`Trusted boot with partition image`: http://docs.openstack.org/project-install-guide/baremetal/draft/advanced.html#trusted-boot-with-partition-image Troubleshooting diff --git a/install-guide/source/advanced.rst b/install-guide/source/advanced.rst index de74fefdb..809a2b25a 100644 --- a/install-guide/source/advanced.rst +++ b/install-guide/source/advanced.rst @@ -8,3 +8,5 @@ Advanced features .. include:: include/root-device-hints.rst .. include:: include/kernel-boot-parameters.rst + +.. include:: include/trusted-boot.rst diff --git a/install-guide/source/include/trusted-boot.rst b/install-guide/source/include/trusted-boot.rst new file mode 100644 index 000000000..e7be5fdc9 --- /dev/null +++ b/install-guide/source/include/trusted-boot.rst 
@@ -0,0 +1,71 @@ +.. _trusted-boot: + +Trusted boot with partition image +--------------------------------- + +Starting with the Liberty release, Ironic supports trusted boot with partition +image. This means at the end of the deployment process, when the node is +rebooted with the new user image, ``trusted boot`` will be performed. It will +measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to +determine whether a bare metal node deployed by Ironic should be trusted. + +It's important to note that in order for this to work the node being deployed +**must** have Intel `TXT`_ hardware support. The image being deployed with +Ironic must have ``oat-client`` installed within it. + +The following will describe how to enable ``trusted boot`` and boot +with PXE and Nova: + +#. Create a customized user image with ``oat-client`` installed:: + + disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG + + For more information on creating customized images, see :ref:`image-requirements`. + +#. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through + the BIOS. Depending on the platform, several reboots may be needed. + +#. Enroll the node and update the node capability value:: + + ironic node-create -d pxe_ipmitool + + ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true} + +#. Create a special flavor:: + + nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true + +#. Prepare `tboot`_ and mboot.c32 and put them into tftp_root or http_root + directory on all nodes with the ironic-conductor processes:: + + Ubuntu: + cp /usr/lib/syslinux/mboot.c32 /tftpboot/ + + Fedora: + cp /usr/share/syslinux/mboot.c32 /tftpboot/ + + *Note: The actual location of mboot.c32 varies among different distribution versions.* + + tboot can be downloaded from + https://sourceforge.net/projects/tboot/files/latest/download + +#. Install an OAT Server. An `OAT Server`_ should be running and configured correctly. 
+ +#. Boot an instance with Nova:: + + nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance + + *Note* that the node will be measured during ``trusted boot`` and the hash values saved + into `TPM`_. An example of TRUST_SCRIPT can be found in `trust script example`_. + +#. Verify the result via OAT Server. + + This is outside the scope of Ironic. At the moment, users can manually verify the result + by following the `manual verify steps`_. + +.. _`TXT`: http://en.wikipedia.org/wiki/Trusted_Execution_Technology +.. _`tboot`: https://sourceforge.net/projects/tboot +.. _`TPM`: http://en.wikipedia.org/wiki/Trusted_Platform_Module +.. _`OAT Server`: https://github.com/OpenAttestation/OpenAttestation/wiki +.. _`trust script example`: https://wiki.openstack.org/wiki/Bare-metal-trust#Trust_Script_Example +.. _`manual verify steps`: https://wiki.openstack.org/wiki/Bare-metal-trust#Manual_verify_result |
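Review bot: in the doc/source/deploy/install-guide.rst hunk, the explicit target line ``+.. _`Trusted boot with partition image`: http://docs.openstack.org/project-install-guide/baremetal/draft/advanced.html#trusted-boot-with-partition-image`` directly follows ``+Metal service Install Guide.`` with no blank ``+`` line between them, and the diffstat (3 insertions for this file) confirms there is none; reStructuredText only recognises an explicit markup block after a blank line, so as written the target is swallowed into the paragraph and the ``Trusted boot with partition image`_`` reference in the sentence above it will not resolve. Insert an empty ``+`` line before the ``.. _`` line. Separately, the URL points at the ``draft`` path of the install guide over plain http; that path is a moving target, so once the guide is published the link should be updated to the published location.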
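Review bot: in the new install-guide/source/include/trusted-boot.rst, the enrolment command ``+    ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true}`` is moved over verbatim from the old guide, but Ironic parses the ``capabilities`` property as a comma-separated string of ``key:value`` pairs, not as a dict literal; after the shell strips the single quotes the node ends up with the key ``{trusted_boot`` and value ``true}``, which the flavor extra spec set two steps later (``'capabilities:trusted_boot'=true``) will never match, so the node will not be scheduled for trusted boot. Since this change is an import, keeping the text identical is defensible, but a follow-up should change the value to ``properties/capabilities='trusted_boot:true'`` so the two halves of the example agree. While touching that step it would also help readers to say which file name the PXE template expects for ``tboot`` next to ``mboot.c32``, as the hunk only gives the download URL.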