author: Mathieu Mitchell <mmitchell@iweb.com> 2016-09-13 22:45:17 -0400
committer: Mathieu Mitchell <mmitchell@iweb.com> 2016-09-27 17:09:10 -0400
commit: 1d62fbe403a523af3b0ecffc38896ef3f7661932 (patch)
tree: b4516796886f672b082a5023cde0aec46b0979d4 /install-guide/source
parent: 746faceeaba71138252f58515963bdf4f12ee7b2 (diff)
download: ironic-1d62fbe403a523af3b0ecffc38896ef3f7661932.tar.gz
[install-guide] Import "Trusted boot with partition image"

Import Trusted boot under Advanced section.

Change-Id: I33907dee5d6af49b8851761dc7a5d7b4bb3081c6
Partial-bug: #1612278
(cherry picked from commit bf926789c15d92544b90a0a348c91a9a0790297e)
Diffstat (limited to 'install-guide/source')

-rw-r--r--  install-guide/source/advanced.rst               2
-rw-r--r--  install-guide/source/include/trusted-boot.rst  71

2 files changed, 73 insertions, 0 deletions
diff --git a/install-guide/source/advanced.rst b/install-guide/source/advanced.rst
index de74fefdb..809a2b25a 100644
--- a/install-guide/source/advanced.rst
+++ b/install-guide/source/advanced.rst
@@ -8,3 +8,5 @@ Advanced features
.. include:: include/root-device-hints.rst
.. include:: include/kernel-boot-parameters.rst
+
+.. include:: include/trusted-boot.rst
diff --git a/install-guide/source/include/trusted-boot.rst b/install-guide/source/include/trusted-boot.rst
new file mode 100644
index 000000000..e7be5fdc9
--- /dev/null
+++ b/install-guide/source/include/trusted-boot.rst
@@ -0,0 +1,71 @@
+.. _trusted-boot:
+
+Trusted boot with partition image
+---------------------------------
+
+Starting with the Liberty release, Ironic supports trusted boot with partition
+image. This means at the end of the deployment process, when the node is
+rebooted with the new user image, ``trusted boot`` will be performed. It will
+measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to
+determine whether a bare metal node deployed by Ironic should be trusted.
+
+It's important to note that in order for this to work the node being deployed
+**must** have Intel `TXT`_ hardware support. The image being deployed with
+Ironic must have ``oat-client`` installed within it.
+
+The following will describe how to enable ``trusted boot`` and boot
+with PXE and Nova:
+
+#. Create a customized user image with ``oat-client`` installed::
+
+ disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG
+
+ For more information on creating customized images, see :ref:`image-requirements`.
+
+#. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through
+ the BIOS. Depending on the platform, several reboots may be needed.
+
+#. Enroll the node and update the node capability value::
+
+ ironic node-create -d pxe_ipmitool
+
+ ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true}
+
+#. Create a special flavor::
+
+ nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true
+
+#. Prepare `tboot`_ and mboot.c32 and put them into tftp_root or http_root
+ directory on all nodes with the ironic-conductor processes::
+
+ Ubuntu:
+ cp /usr/lib/syslinux/mboot.c32 /tftpboot/
+
+ Fedora:
+ cp /usr/share/syslinux/mboot.c32 /tftpboot/
+
+ *Note: The actual location of mboot.c32 varies among different distribution versions.*
+
+ tboot can be downloaded from
+ https://sourceforge.net/projects/tboot/files/latest/download
+
+#. Install an OAT Server. An `OAT Server`_ should be running and configured correctly.
+
+#. Boot an instance with Nova::
+
+ nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance
+
+ *Note* that the node will be measured during ``trusted boot`` and the hash values saved
+ into `TPM`_. An example of TRUST_SCRIPT can be found in `trust script example`_.
+
+#. Verify the result via OAT Server.
+
+ This is outside the scope of Ironic. At the moment, users can manually verify the result
+ by following the `manual verify steps`_.
+
+.. _`TXT`: http://en.wikipedia.org/wiki/Trusted_Execution_Technology
+.. _`tboot`: https://sourceforge.net/projects/tboot
+.. _`TPM`: http://en.wikipedia.org/wiki/Trusted_Platform_Module
+.. _`OAT Server`: https://github.com/OpenAttestation/OpenAttestation/wiki
+.. _`trust script example`: https://wiki.openstack.org/wiki/Bare-metal-trust#Trust_Script_Example
+.. _`manual verify steps`: https://wiki.openstack.org/wiki/Bare-metal-trust#Manual_verify_result
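Review bot: the capability value on the ``node-update`` line, ``properties/capabilities={'trusted_boot':true}``, will not reach ironic intact from a shell (the single quotes are consumed and the braces are passed literally), and ironic stores capabilities as a comma-separated ``key:value`` string, so this should read ``ironic node-update $NODE_UUID add properties/capabilities="trusted_boot:true"``. Two smaller gaps in the same step: the ``node-create`` line never captures the UUID that ``$NODE_UUID`` refers to, and ``add properties/capabilities`` replaces whatever capabilities the node already carries, so readers need to be told to merge ``trusted_boot:true`` into the existing string rather than overwrite it. The "Verify the result via OAT Server" step should also state plainly that the hashes saved into the TPM during ``trusted boot`` enforce nothing by themselves; nothing in this flow refuses to boot an instance whose measurements differ, so the attestation check against the OAT Server is what actually provides the trust property, and leaving it "outside the scope" undersells how essential it is. As a style point, the two ``*Note ...*`` paragraphs would render more consistently with the rest of the install guide as ``.. note::`` directives.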