diff --git a/doc/source/admin/drivers/irmc.rst b/doc/source/admin/drivers/irmc.rst index 0f8babec40..88d7a01a8a 100644 --- a/doc/source/admin/drivers/irmc.rst +++ b/doc/source/admin/drivers/irmc.rst @@ -146,8 +146,9 @@ Node configuration irmc_username. - ``properties/capabilities`` property to be ``boot_mode:uefi`` if UEFI boot is required. - - ``properties/capabilities`` property to be ``boot_mode:uefi,secure_boot:true`` if - UEFI Secure Boot is required. + - ``properties/capabilities`` property to be ``secure_boot:true`` if + UEFI Secure Boot is required. Please refer to `UEFI Secure Boot Support`_ + for more information. * All of nodes are configured by setting the following configuration options in ``[irmc]`` section of ``/etc/ironic/ironic.conf``: @@ -215,7 +216,8 @@ Node configuration - ``properties/capabilities`` property to be ``boot_mode:uefi`` if UEFI boot is required. - ``properties/capabilities`` property to be ``secure_boot:true`` if - Secure Boot is required. + Secure Boot is required. Please refer to `UEFI Secure Boot Support`_ + for more information. - ``driver_info/irmc_deploy_iso`` property to be either ``deploy iso file name``, ``Glance UUID``, ``Glance URL`` or ``Image Service URL``. @@ -299,7 +301,8 @@ Node configuration - ``properties/capabilities`` property to be ``boot_mode:uefi`` if UEFI boot is required. - ``properties/capabilities`` property to be ``secure_boot:true`` if - Secure Boot is required. + Secure Boot is required. Please refer to `UEFI Secure Boot Support`_ + for more information. - ``driver_info/irmc_deploy_iso`` property to be either ``deploy iso file name``, ``Glance UUID``, ``Glance URL`` or ``Image Service URL``. 
@@ -352,6 +355,32 @@ Node configuration Functionalities across drivers ============================== +UEFI Secure Boot Support +^^^^^^^^^^^^^^^^^^^^^^^^ +The hardware type ``irmc`` and iRMC classic drivers support secure boot deploy. + +.. warning:: + Secure boot feature is not supported with ``pxe`` boot interface. + +The UEFI secure boot can be configured by adding ``secure_boot`` parameter, +which is a boolean value. Enabling the secure boot is different when +Bare Metal service is used with Compute service or without Compute service. The +following sections describes both methods: + +* Enabling secure boot with Compute service: + To enable secure boot we need to set a capability on the bare metal node + and the bare metal flavor, for example:: + + openstack baremetal node set --property capabilities='secure_boot:true' + openstack flavor set FLAVOR-NAME --property capabilities:secure_boot="true" + +* Enabling secure boot without Compute service: + Since adding capabilities to the node's properties is only used by the nova + scheduler to perform more advanced scheduling of instances, we need + to enable secure boot without nova, for example:: + + openstack baremetal node set --instance-info capabilities='{"secure_boot": "true"}' + .. _irmc_node_cleaning: Node Cleaning Support diff --git a/ironic/tests/unit/drivers/modules/irmc/test_boot.py b/ironic/tests/unit/drivers/modules/irmc/test_boot.py index a496c46589..725299b2c8 100644 --- a/ironic/tests/unit/drivers/modules/irmc/test_boot.py +++ b/ironic/tests/unit/drivers/modules/irmc/test_boot.py @@ -1157,7 +1157,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase): autospec=True) def test_clean_up_instance_with_secure_boot(self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode): - self.node.provision_state = states.CLEANING + self.node.provision_state = states.DELETING self.node.target_provision_state = states.AVAILABLE self.node.instance_info = { 'capabilities': { 
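Review bot: The three clean-up tests (this hunk at -1157 and the ones at -1178 and -1198) now run only with `provision_state = states.DELETING`, so nothing visible pins what `clean_up_instance` does to the secure boot setting in any other state. If the fixture had to change because the secure boot reset depends on the provision state (inferred, since the driver code is not in this diff), a companion test that keeps `states.CLEANING` and asserts on `mock_set_secure_boot_mode` would stop a later refactor from silently changing whether a node returns to the pool with secure boot reset. A short comment above the assignment, for example `# instance tear-down runs in DELETING, not CLEANING`, would record why this state was chosen. Each test body continues past the end of its hunk, so the assertions themselves are not visible here.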
@@ -1178,7 +1178,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase): autospec=True) def test_clean_up_instance_with_secure_boot_false( self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode): - self.node.provision_state = states.CLEANING + self.node.provision_state = states.DELETING self.node.target_provision_state = states.AVAILABLE self.node.instance_info = { 'capabilities': { @@ -1198,7 +1198,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase): autospec=True) def test_clean_up_instance_without_secure_boot( self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode): - self.node.provision_state = states.CLEANING + self.node.provision_state = states.DELETING self.node.target_provision_state = states.AVAILABLE self.node.save() with task_manager.acquire(self.context, self.node.uuid, diff --git a/releasenotes/notes/add-secure-boot-suport-irmc-9509f3735df2aa5d.yaml b/releasenotes/notes/add-secure-boot-suport-irmc-9509f3735df2aa5d.yaml index 30d26f787c..dd2c5061d4 100644 --- a/releasenotes/notes/add-secure-boot-suport-irmc-9509f3735df2aa5d.yaml +++ b/releasenotes/notes/add-secure-boot-suport-irmc-9509f3735df2aa5d.yaml @@ -2,4 +2,5 @@ features: - | Adds support to provision an instance in secure boot mode for - ``irmc-virtual-media`` boot interface. \ No newline at end of file + ``irmc-virtual-media`` boot interface. For details, see the `iRMC driver documentation + `_. \ No newline at end of file