author    | Mathieu Mitchell <mmitchell@iweb.com> | 2016-09-13 22:45:17 -0400
committer | Mathieu Mitchell <mmitchell@iweb.com> | 2016-09-27 17:09:10 -0400
commit    | 1d62fbe403a523af3b0ecffc38896ef3f7661932 (patch)
tree      | b4516796886f672b082a5023cde0aec46b0979d4 /install-guide/source
parent    | 746faceeaba71138252f58515963bdf4f12ee7b2 (diff)
download  | ironic-1d62fbe403a523af3b0ecffc38896ef3f7661932.tar.gz
[install-guide] Import "Trusted boot with partition image"
Import Trusted boot under Advanced section.
Change-Id: I33907dee5d6af49b8851761dc7a5d7b4bb3081c6
Partial-bug: #1612278
(cherry picked from commit bf926789c15d92544b90a0a348c91a9a0790297e)
Diffstat (limited to 'install-guide/source')
-rw-r--r--  install-guide/source/advanced.rst              |  2
-rw-r--r--  install-guide/source/include/trusted-boot.rst  | 71
2 files changed, 73 insertions, 0 deletions
diff --git a/install-guide/source/advanced.rst b/install-guide/source/advanced.rst index de74fefdb..809a2b25a 100644 --- a/install-guide/source/advanced.rst +++ b/install-guide/source/advanced.rst @@ -8,3 +8,5 @@ Advanced features .. include:: include/root-device-hints.rst .. include:: include/kernel-boot-parameters.rst + +.. include:: include/trusted-boot.rst diff --git a/install-guide/source/include/trusted-boot.rst b/install-guide/source/include/trusted-boot.rst new file mode 100644 index 000000000..e7be5fdc9 --- /dev/null +++ b/install-guide/source/include/trusted-boot.rst 
@@ -0,0 +1,71 @@ +.. _trusted-boot: + +Trusted boot with partition image +--------------------------------- + +Starting with the Liberty release, Ironic supports trusted boot with partition +image. This means at the end of the deployment process, when the node is +rebooted with the new user image, ``trusted boot`` will be performed. It will +measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to +determine whether a bare metal node deployed by Ironic should be trusted. + +It's important to note that in order for this to work the node being deployed +**must** have Intel `TXT`_ hardware support. The image being deployed with +Ironic must have ``oat-client`` installed within it. + +The following will describe how to enable ``trusted boot`` and boot +with PXE and Nova: + +#. Create a customized user image with ``oat-client`` installed:: + + disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG + + For more information on creating customized images, see :ref:`image-requirements`. + +#. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through + the BIOS. Depending on the platform, several reboots may be needed. + +#. Enroll the node and update the node capability value:: + + ironic node-create -d pxe_ipmitool + + ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true} + +#. Create a special flavor:: + + nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true + +#. Prepare `tboot`_ and mboot.c32 and put them into tftp_root or http_root + directory on all nodes with the ironic-conductor processes:: + + Ubuntu: + cp /usr/lib/syslinux/mboot.c32 /tftpboot/ + + Fedora: + cp /usr/share/syslinux/mboot.c32 /tftpboot/ + + *Note: The actual location of mboot.c32 varies among different distribution versions.* + + tboot can be downloaded from + https://sourceforge.net/projects/tboot/files/latest/download + +#. Install an OAT Server. An `OAT Server`_ should be running and configured correctly. 
+ +#. Boot an instance with Nova:: + + nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance + + *Note* that the node will be measured during ``trusted boot`` and the hash values saved + into `TPM`_. An example of TRUST_SCRIPT can be found in `trust script example`_. + +#. Verify the result via OAT Server. + + This is outside the scope of Ironic. At the moment, users can manually verify the result + by following the `manual verify steps`_. + +.. _`TXT`: http://en.wikipedia.org/wiki/Trusted_Execution_Technology +.. _`tboot`: https://sourceforge.net/projects/tboot +.. _`TPM`: http://en.wikipedia.org/wiki/Trusted_Platform_Module +.. _`OAT Server`: https://github.com/OpenAttestation/OpenAttestation/wiki +.. _`trust script example`: https://wiki.openstack.org/wiki/Bare-metal-trust#Trust_Script_Example +.. _`manual verify steps`: https://wiki.openstack.org/wiki/Bare-metal-trust#Manual_verify_result |
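Review bot: in the "Enroll the node and update the node capability value" step of the trusted-boot.rst hunk, `ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true}` does not set a capability that the `capabilities:trusted_boot`=true flavor key in the next step can match. Ironic stores `properties/capabilities` as a comma-separated string of `key:value` pairs, and because the value is unquoted the shell strips the inner quotes before it reaches the client, so the node ends up with the literal string `{trusted_boot:true}` and the parsed key is `{trusted_boot`. Suggest `ironic node-update $NODE_UUID add properties/capabilities='trusted_boot:true'`. Two smaller points in the same hunk: `ironic node-create -d pxe_ipmitool` enrolls a node with no `driver_info`, so a reader who copies it as written gets a node that cannot be validated or deployed until the IPMI credentials and deploy kernel/ramdisk are added, and the step should say so or show them as placeholders; and the "Prepare tboot and mboot.c32" step tells the reader to put both files into tftp_root or http_root but only shows the `cp` for mboot.c32 and a download link for tboot, so add the matching copy of the tboot binary into the same directory, otherwise the boot will fail with a missing file when the trusted_boot PXE entry is used.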