Merge "Follow up Secure boot support for irmc-virtual-media driver"

3 files changed, 38 insertions, 8 deletions

diff --git a/doc/source/admin/drivers/irmc.rst b/doc/source/admin/drivers/irmc.rst
index 0f8babec4..88d7a01a8 100644
--- a/doc/source/admin/drivers/irmc.rst
+++ b/doc/source/admin/drivers/irmc.rst
@@ -146,8 +146,9 @@ Node configuration
     irmc_username.
   - ``properties/capabilities`` property to be ``boot_mode:uefi`` if
     UEFI boot is required.
-  - ``properties/capabilities`` property to be ``boot_mode:uefi,secure_boot:true`` if
-    UEFI Secure Boot is required.
+  - ``properties/capabilities`` property to be ``secure_boot:true`` if
+    UEFI Secure Boot is required. Please refer to `UEFI Secure Boot Support`_
+    for more information.
 
 * All of nodes are configured by setting the following configuration
   options in ``[irmc]`` section of ``/etc/ironic/ironic.conf``:
@@ -215,7 +216,8 @@ Node configuration
   - ``properties/capabilities`` property to be ``boot_mode:uefi`` if
     UEFI boot is required.
   - ``properties/capabilities`` property to be ``secure_boot:true`` if
-    Secure Boot is required.
+    Secure Boot is required. Please refer to `UEFI Secure Boot Support`_
+    for more information.
   - ``driver_info/irmc_deploy_iso`` property to be either ``deploy iso
     file name``, ``Glance UUID``, ``Glance URL`` or ``Image Service
     URL``.
@@ -299,7 +301,8 @@ Node configuration
   - ``properties/capabilities`` property to be ``boot_mode:uefi`` if
     UEFI boot is required.
   - ``properties/capabilities`` property to be ``secure_boot:true`` if
-    Secure Boot is required.
+    Secure Boot is required. Please refer to `UEFI Secure Boot Support`_
+    for more information.
   - ``driver_info/irmc_deploy_iso`` property to be either ``deploy iso
     file name``, ``Glance UUID``, ``Glance URL`` or ``Image Service
     URL``.
@@ -352,6 +355,32 @@ Node configuration
 Functionalities across drivers
 ==============================
 
+UEFI Secure Boot Support
+^^^^^^^^^^^^^^^^^^^^^^^^
+The hardware type ``irmc`` and iRMC classic drivers support secure boot deploy.
+
+.. warning::
+     Secure boot feature is not supported with ``pxe`` boot interface.
+
+The UEFI secure boot can be configured by adding ``secure_boot`` parameter,
+which is a boolean value. Enabling the secure boot is different when
+Bare Metal service is used with Compute service or without Compute service. The
+following sections describes both methods:
+
+* Enabling secure boot with Compute service:
+  To enable secure boot we need to set a capability on the bare metal node
+  and the bare metal flavor, for example::
+
+    openstack baremetal node set <node-uuid> --property capabilities='secure_boot:true'
+    openstack flavor set FLAVOR-NAME --property capabilities:secure_boot="true"
+
+* Enabling secure boot without Compute service:
+  Since adding capabilities to the node's properties is only used by the nova
+  scheduler to perform more advanced scheduling of instances, we need
+  to enable secure boot without nova, for example::
+
+    openstack baremetal node set <node-uuid> --instance-info capabilities='{"secure_boot": "true"}'
+
 .. _irmc_node_cleaning:
 
 Node Cleaning Support
diff --git a/ironic/tests/unit/drivers/modules/irmc/test_boot.py b/ironic/tests/unit/drivers/modules/irmc/test_boot.py
index a496c4658..725299b2c 100644
--- a/ironic/tests/unit/drivers/modules/irmc/test_boot.py
+++ b/ironic/tests/unit/drivers/modules/irmc/test_boot.py
@@ -1157,7 +1157,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase):
                        autospec=True)
     def test_clean_up_instance_with_secure_boot(self, mock_cleanup_vmedia_boot,
                                                 mock_set_secure_boot_mode):
-        self.node.provision_state = states.CLEANING
+        self.node.provision_state = states.DELETING
         self.node.target_provision_state = states.AVAILABLE
         self.node.instance_info = {
             'capabilities': {
@@ -1178,7 +1178,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase):
                        autospec=True)
     def test_clean_up_instance_with_secure_boot_false(
             self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode):
-        self.node.provision_state = states.CLEANING
+        self.node.provision_state = states.DELETING
         self.node.target_provision_state = states.AVAILABLE
         self.node.instance_info = {
             'capabilities': {
@@ -1198,7 +1198,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase):
                        autospec=True)
     def test_clean_up_instance_without_secure_boot(
             self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode):
-        self.node.provision_state = states.CLEANING
+        self.node.provision_state = states.DELETING
         self.node.target_provision_state = states.AVAILABLE
         self.node.save()
         with task_manager.acquire(self.context, self.node.uuid,
diff --git a/releasenotes/notes/add-secure-boot-suport-irmc-9509f3735df2aa5d.yaml b/releasenotes/notes/add-secure-boot-suport-irmc-9509f3735df2aa5d.yaml
index 30d26f787..dd2c5061d 100644
--- a/releasenotes/notes/add-secure-boot-suport-irmc-9509f3735df2aa5d.yaml
+++ b/releasenotes/notes/add-secure-boot-suport-irmc-9509f3735df2aa5d.yaml
@@ -2,4 +2,5 @@
 features:
   - |
     Adds support to provision an instance in secure boot mode for
-    ``irmc-virtual-media`` boot interface.
\ No newline at end of file
+    ``irmc-virtual-media`` boot interface. For details, see the `iRMC driver documentation
+    <https://docs.openstack.org/ironic/latest/admin/drivers/irmc.html#uefi-secure-boot-support>`_.
\ No newline at end of file