docs: add some additional context around iPXE and secure boot

Change-Id: Ifecd92b80472b3e28307ddbdbaeeb08ec0950c54
2024-06-05 11:24:15 -07:00 · 2024-06-05 11:24:15 -07:00 · 613348d112
commit 613348d112
parent 916b0f409b
1 changed files with 9 additions and 0 deletions
--- a/doc/source/install/configure-pxe.rst
+++ b/doc/source/install/configure-pxe.rst
@ -140,6 +140,9 @@ In order to deploy instances with PXE on bare metal nodes which support
 UEFI, perform these additional steps on the ironic conductor node to configure
 the PXE UEFI environment.

+.. NOTE:: Most commercial Linux distributions have signed shim and grub
+   binaries, which are required for Secure Boot.
+
 #. Install Grub2 and shim packages:

   Ubuntu (18.04LTS and later)::
@ -260,6 +263,12 @@ on the Bare Metal service node(s) where ``ironic-conductor`` is running.
      work, you can download a prebuilt one from http://boot.ipxe.org or build
      one image from source, see http://ipxe.org/download for more information.

+.. note::
+   The Ironic project is unaware of any vendor signed iPXE binaries to enable
+   use of iPXE with Secure Boot, unless you have implemented your own Secure
+   Boot key signing and support for the Machine Owner Key settings on
+   individual baremetal nodes.
+
 #. Copy the iPXE boot image (``undionly.kpxe`` for **BIOS** and
   ``ipxe.efi`` for **UEFI**) to ``/tftpboot``. The binary might
   be found at: