From bf926789c15d92544b90a0a348c91a9a0790297e Mon Sep 17 00:00:00 2001 From: Mathieu Mitchell Date: Tue, 13 Sep 2016 22:45:17 -0400 Subject: [PATCH] [install-guide] Import "Trusted boot with partition image" Import Trusted boot under Advanced section. Change-Id: I33907dee5d6af49b8851761dc7a5d7b4bb3081c6 Partial-bug: #1612278 --- doc/source/deploy/install-guide.rst | 68 +----------------- install-guide/source/advanced.rst | 2 + install-guide/source/include/trusted-boot.rst | 71 +++++++++++++++++++ 3 files changed, 76 insertions(+), 65 deletions(-) create mode 100644 install-guide/source/include/trusted-boot.rst diff --git a/doc/source/deploy/install-guide.rst b/doc/source/deploy/install-guide.rst index c3f67f2d34..0969930d20 100644 --- a/doc/source/deploy/install-guide.rst +++ b/doc/source/deploy/install-guide.rst 
@@ -719,73 +719,11 @@ the Bare Metal service Install Guide. Trusted boot with partition image ================================= -Starting with the Liberty release, Ironic supports trusted boot with partition -image. This means at the end of the deployment process, when the node is -rebooted with the new user image, ``trusted boot`` will be performed. It will -measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to -determine whether a bare metal node deployed by Ironic should be trusted. -It's important to note that in order for this to work the node being deployed -**must** have Intel `TXT`_ hardware support. The image being deployed with -Ironic must have ``oat-client`` installed within it. - -The following will describe how to enable ``trusted boot`` and boot -with PXE and Nova: - -#. Create a customized user image with ``oat-client`` installed:: - - disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG - - For more information on creating customized images, see `ImageRequirement`_. - -#. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through - the BIOS. Depending on the platform, several reboots may be needed. - -#. Enroll the node and update the node capability value:: - - ironic node-create -d pxe_ipmitool - - ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true} - -#. Create a special flavor:: - - nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true - -#. Prepare `tboot`_ and mboot.c32 and put them into tftp_root or http_root - directory on all nodes with the ironic-conductor processes:: - - Ubuntu: - cp /usr/lib/syslinux/mboot.c32 /tftpboot/ - - Fedora: - cp /usr/share/syslinux/mboot.c32 /tftpboot/ - - *Note: The actual location of mboot.c32 varies among different distribution versions.* - - tboot can be downloaded from - https://sourceforge.net/projects/tboot/files/latest/download - -#. Install an OAT Server. 
An `OAT Server`_ should be running and configured correctly. - -#. Boot an instance with Nova:: - - nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance - - *Note* that the node will be measured during ``trusted boot`` and the hash values saved - into `TPM`_. An example of TRUST_SCRIPT can be found in `trust script example`_. - -#. Verify the result via OAT Server. - - This is outside the scope of Ironic. At the moment, users can manually verify the result - by following the `manual verify steps`_. - -.. _`TXT`: http://en.wikipedia.org/wiki/Trusted_Execution_Technology -.. _`tboot`: https://sourceforge.net/projects/tboot -.. _`TPM`: http://en.wikipedia.org/wiki/Trusted_Platform_Module -.. _`OAT Server`: https://github.com/OpenAttestation/OpenAttestation/wiki -.. _`trust script example`: https://wiki.openstack.org/wiki/Bare-metal-trust#Trust_Script_Example -.. _`manual verify steps`: https://wiki.openstack.org/wiki/Bare-metal-trust#Manual_verify_result +The `Trusted boot with partition image`_ section has been moved to the Bare +Metal service Install Guide. +.. _`Trusted boot with partition image`: http://docs.openstack.org/project-install-guide/baremetal/draft/advanced.html#trusted-boot-with-partition-image Troubleshooting diff --git a/install-guide/source/advanced.rst b/install-guide/source/advanced.rst index de74fefdbb..809a2b25a0 100644 --- a/install-guide/source/advanced.rst +++ b/install-guide/source/advanced.rst @@ -8,3 +8,5 @@ Advanced features .. include:: include/root-device-hints.rst .. include:: include/kernel-boot-parameters.rst + +.. include:: include/trusted-boot.rst diff --git a/install-guide/source/include/trusted-boot.rst b/install-guide/source/include/trusted-boot.rst new file mode 100644 index 0000000000..e7be5fdc9e --- /dev/null +++ b/install-guide/source/include/trusted-boot.rst 
@@ -0,0 +1,71 @@ +.. _trusted-boot: + +Trusted boot with partition image +--------------------------------- + +Starting with the Liberty release, Ironic supports trusted boot with partition +image. This means at the end of the deployment process, when the node is +rebooted with the new user image, ``trusted boot`` will be performed. It will +measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to +determine whether a bare metal node deployed by Ironic should be trusted. + +It's important to note that in order for this to work the node being deployed +**must** have Intel `TXT`_ hardware support. The image being deployed with +Ironic must have ``oat-client`` installed within it. + +The following will describe how to enable ``trusted boot`` and boot +with PXE and Nova: + +#. Create a customized user image with ``oat-client`` installed:: + + disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG + + For more information on creating customized images, see :ref:`image-requirements`. + +#. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through + the BIOS. Depending on the platform, several reboots may be needed. + +#. Enroll the node and update the node capability value:: + + ironic node-create -d pxe_ipmitool + + ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true} + +#. Create a special flavor:: + + nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true + +#. Prepare `tboot`_ and mboot.c32 and put them into tftp_root or http_root + directory on all nodes with the ironic-conductor processes:: + + Ubuntu: + cp /usr/lib/syslinux/mboot.c32 /tftpboot/ + + Fedora: + cp /usr/share/syslinux/mboot.c32 /tftpboot/ + + *Note: The actual location of mboot.c32 varies among different distribution versions.* + + tboot can be downloaded from + https://sourceforge.net/projects/tboot/files/latest/download + +#. Install an OAT Server. An `OAT Server`_ should be running and configured correctly. 
+ +#. Boot an instance with Nova:: + + nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance + + *Note* that the node will be measured during ``trusted boot`` and the hash values saved + into `TPM`_. An example of TRUST_SCRIPT can be found in `trust script example`_. + +#. Verify the result via OAT Server. + + This is outside the scope of Ironic. At the moment, users can manually verify the result + by following the `manual verify steps`_. + +.. _`TXT`: http://en.wikipedia.org/wiki/Trusted_Execution_Technology +.. _`tboot`: https://sourceforge.net/projects/tboot +.. _`TPM`: http://en.wikipedia.org/wiki/Trusted_Platform_Module +.. _`OAT Server`: https://github.com/OpenAttestation/OpenAttestation/wiki +.. _`trust script example`: https://wiki.openstack.org/wiki/Bare-metal-trust#Trust_Script_Example +.. _`manual verify steps`: https://wiki.openstack.org/wiki/Bare-metal-trust#Manual_verify_result
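Review bot: In the doc/source/deploy/install-guide.rst hunk, the replacement stub links to a `draft` URL (`http://docs.openstack.org/project-install-guide/baremetal/draft/advanced.html#trusted-boot-with-partition-image`), which will go stale once the install guide is published; the other moved sections referenced in the context line ("the Bare Metal service Install Guide.") should use the same, non-draft target, so either point at the final path now or add a TODO to update it at publication time. Also worth checking that nothing else in the developer guide still references the removed `TXT`_, `tboot`_, `TPM`_ or `OAT Server`_ targets, since this hunk deletes their definitions.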
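Review bot: In the install-guide/source/advanced.rst hunk, the new `.. include:: include/trusted-boot.rst` is concatenated into the same document as `root-device-hints.rst` and `kernel-boot-parameters.rst`, so the link targets the new file defines (`TXT`, `tboot`, `TPM`, `OAT Server`, `trust script example`, `manual verify steps`) must not collide with targets of the same name in the other included files, or Sphinx will warn about duplicate explicit target names; a quick grep of the include directory before merging would confirm this.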
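Review bot: In the new install-guide/source/include/trusted-boot.rst, the enrolment step passes the capability as `ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true}`; the single quotes are consumed by the shell and the braces are sent literally to the API, so the stored value is `{trusted_boot:true}` rather than the `key:value` capability string that the scheduler compares against the flavor's `capabilities:trusted_boot=true`. Since the text is being imported anyway, this is the moment to quote it as a plain `"trusted_boot:true"` string. Two smaller points in the same file: the old `ImageRequirement`_ hyperlink has been replaced by `:ref:`image-requirements``, so confirm that label is defined somewhere in install-guide/source or the build will emit an undefined-label warning; and the introduction says the measurements are taken "to determine whether a bare metal node deployed by Ironic should be trusted", while step 8 states that verification "is outside the scope of Ironic", so consider rewording the introduction to make clear that Ironic only enables the measured boot and that the trust decision comes from the OAT Server verification in step 8.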