[install-guide] Import "Trusted boot with partition image"
Import Trusted boot under Advanced section.
Change-Id: I33907dee5d6af49b8851761dc7a5d7b4bb3081c6
Partial-bug: #1612278
(cherry picked from commit bf926789c1)
This commit is contained in:
Mathieu Mitchell
parent
746faceeab
commit
1d62fbe403
|
|
@ -719,73 +719,11 @@ the Bare Metal service Install Guide.
|
|||
|
||||
Trusted boot with partition image
|
||||
=================================
|
||||
Starting with the Liberty release, Ironic supports trusted boot with partition
|
||||
image. This means at the end of the deployment process, when the node is
|
||||
rebooted with the new user image, ``trusted boot`` will be performed. It will
|
||||
measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to
|
||||
determine whether a bare metal node deployed by Ironic should be trusted.
|
||||
|
||||
It's important to note that in order for this to work the node being deployed
|
||||
**must** have Intel `TXT`_ hardware support. The image being deployed with
|
||||
Ironic must have ``oat-client`` installed within it.
|
||||
|
||||
The following will describe how to enable ``trusted boot`` and boot
|
||||
with PXE and Nova:
|
||||
|
||||
#. Create a customized user image with ``oat-client`` installed::
|
||||
|
||||
disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG
|
||||
|
||||
For more information on creating customized images, see `ImageRequirement`_.
|
||||
|
||||
#. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through
|
||||
the BIOS. Depending on the platform, several reboots may be needed.
|
||||
|
||||
#. Enroll the node and update the node capability value::
|
||||
|
||||
ironic node-create -d pxe_ipmitool
|
||||
|
||||
ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true}
|
||||
|
||||
#. Create a special flavor::
|
||||
|
||||
nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true
|
||||
|
||||
#. Prepare `tboot`_ and mboot.c32 and put them into tftp_root or http_root
|
||||
directory on all nodes with the ironic-conductor processes::
|
||||
|
||||
Ubuntu:
|
||||
cp /usr/lib/syslinux/mboot.c32 /tftpboot/
|
||||
|
||||
Fedora:
|
||||
cp /usr/share/syslinux/mboot.c32 /tftpboot/
|
||||
|
||||
*Note: The actual location of mboot.c32 varies among different distribution versions.*
|
||||
|
||||
tboot can be downloaded from
|
||||
https://sourceforge.net/projects/tboot/files/latest/download
|
||||
|
||||
#. Install an OAT Server. An `OAT Server`_ should be running and configured correctly.
|
||||
|
||||
#. Boot an instance with Nova::
|
||||
|
||||
nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance
|
||||
|
||||
*Note* that the node will be measured during ``trusted boot`` and the hash values saved
|
||||
into `TPM`_. An example of TRUST_SCRIPT can be found in `trust script example`_.
|
||||
|
||||
#. Verify the result via OAT Server.
|
||||
|
||||
This is outside the scope of Ironic. At the moment, users can manually verify the result
|
||||
by following the `manual verify steps`_.
|
||||
|
||||
.. _`TXT`: http://en.wikipedia.org/wiki/Trusted_Execution_Technology
|
||||
.. _`tboot`: https://sourceforge.net/projects/tboot
|
||||
.. _`TPM`: http://en.wikipedia.org/wiki/Trusted_Platform_Module
|
||||
.. _`OAT Server`: https://github.com/OpenAttestation/OpenAttestation/wiki
|
||||
.. _`trust script example`: https://wiki.openstack.org/wiki/Bare-metal-trust#Trust_Script_Example
|
||||
.. _`manual verify steps`: https://wiki.openstack.org/wiki/Bare-metal-trust#Manual_verify_result
|
||||
The `Trusted boot with partition image`_ section has been moved to the Bare
|
||||
Metal service Install Guide.
|
||||
|
||||
.. _`Trusted boot with partition image`: http://docs.openstack.org/project-install-guide/baremetal/draft/advanced.html#trusted-boot-with-partition-image
|
||||
|
||||
|
||||
Troubleshooting
|
||||
|
|
|
|||
|
|
@ -8,3 +8,5 @@ Advanced features
|
|||
.. include:: include/root-device-hints.rst
|
||||
|
||||
.. include:: include/kernel-boot-parameters.rst
|
||||
|
||||
.. include:: include/trusted-boot.rst
|
||||
|
|
|
|||
|
|
@ -0,0 +1,71 @@
|
|||
.. _trusted-boot:
|
||||
|
||||
Trusted boot with partition image
|
||||
---------------------------------
|
||||
|
||||
Starting with the Liberty release, Ironic supports trusted boot with partition
|
||||
image. This means at the end of the deployment process, when the node is
|
||||
rebooted with the new user image, ``trusted boot`` will be performed. It will
|
||||
measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to
|
||||
determine whether a bare metal node deployed by Ironic should be trusted.
|
||||
|
||||
It's important to note that in order for this to work the node being deployed
|
||||
**must** have Intel `TXT`_ hardware support. The image being deployed with
|
||||
Ironic must have ``oat-client`` installed within it.
|
||||
|
||||
The following will describe how to enable ``trusted boot`` and boot
|
||||
with PXE and Nova:
|
||||
|
||||
#. Create a customized user image with ``oat-client`` installed::
|
||||
|
||||
disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG
|
||||
|
||||
For more information on creating customized images, see :ref:`image-requirements`.
|
||||
|
||||
#. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through
|
||||
the BIOS. Depending on the platform, several reboots may be needed.
|
||||
|
||||
#. Enroll the node and update the node capability value::
|
||||
|
||||
ironic node-create -d pxe_ipmitool
|
||||
|
||||
ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true}
|
||||
|
||||
#. Create a special flavor::
|
||||
|
||||
nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true
|
||||
|
||||
#. Prepare `tboot`_ and mboot.c32 and put them into tftp_root or http_root
|
||||
directory on all nodes with the ironic-conductor processes::
|
||||
|
||||
Ubuntu:
|
||||
cp /usr/lib/syslinux/mboot.c32 /tftpboot/
|
||||
|
||||
Fedora:
|
||||
cp /usr/share/syslinux/mboot.c32 /tftpboot/
|
||||
|
||||
*Note: The actual location of mboot.c32 varies among different distribution versions.*
|
||||
|
||||
tboot can be downloaded from
|
||||
https://sourceforge.net/projects/tboot/files/latest/download
|
||||
|
||||
#. Install an OAT Server. An `OAT Server`_ should be running and configured correctly.
|
||||
|
||||
#. Boot an instance with Nova::
|
||||
|
||||
nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance
|
||||
|
||||
*Note* that the node will be measured during ``trusted boot`` and the hash values saved
|
||||
into `TPM`_. An example of TRUST_SCRIPT can be found in `trust script example`_.
|
||||
|
||||
#. Verify the result via OAT Server.
|
||||
|
||||
This is outside the scope of Ironic. At the moment, users can manually verify the result
|
||||
by following the `manual verify steps`_.
|
||||
|
||||
.. _`TXT`: http://en.wikipedia.org/wiki/Trusted_Execution_Technology
|
||||
.. _`tboot`: https://sourceforge.net/projects/tboot
|
||||
.. _`TPM`: http://en.wikipedia.org/wiki/Trusted_Platform_Module
|
||||
.. _`OAT Server`: https://github.com/OpenAttestation/OpenAttestation/wiki
|
||||
.. _`trust script example`: https://wiki.openstack.org/wiki/Bare-metal-trust#Trust_Script_Example
|
||||
.. _`manual verify steps`: https://wiki.openstack.org/wiki/Bare-metal-trust#Manual_verify_result
|
||||
Loading…
Reference in New Issue