Remove support for trusted boot

It requires network booting and legacy boot. While the latter will be
supported for a long time, the former is being removed.

Change-Id: Ie48e51fa95ba2059bd3cca6b8968f475934a75e5
Dmitry Tantsur 2022-07-18 17:15:50 +02:00
parent 8811b9b1f5
commit dbcce25d38
15 changed files with 39 additions and 337 deletions


@ -354,9 +354,6 @@ driver:
* ``rom_firmware_version``: ROM firmware version * ``rom_firmware_version``: ROM firmware version
* ``trusted_boot``: The flag whether TPM(Trusted Platform Module) is
supported by the server. The possible values are 'True' or 'False'.
* ``server_model``: server model * ``server_model``: server model
* ``pci_gpu_devices``: number of gpu devices connected to the bare metal. * ``pci_gpu_devices``: number of gpu devices connected to the bare metal.


@ -945,9 +945,10 @@ def build_service_pxe_config(task, instance_image_info,
pxe_config_path, root_uuid_or_disk_id, pxe_config_path, root_uuid_or_disk_id,
boot_mode_utils.get_boot_mode(node), boot_mode_utils.get_boot_mode(node),
is_whole_disk_image, is_whole_disk_image,
deploy_utils.is_trusted_boot_requested(node), iscsi_boot=deploy_utils.is_iscsi_boot(task),
deploy_utils.is_iscsi_boot(task), ramdisk_boot, ramdisk_boot=ramdisk_boot,
ipxe_enabled=ipxe_enabled, anaconda_boot=anaconda_boot) ipxe_enabled=ipxe_enabled,
anaconda_boot=anaconda_boot)
def build_kickstart_config_options(task): def build_kickstart_config_options(task):
@ -1055,29 +1056,6 @@ def get_volume_pxe_options(task):
return pxe_options return pxe_options
def validate_boot_parameters_for_trusted_boot(node):
"""Check if boot parameters are valid for trusted boot."""
boot_mode = boot_mode_utils.get_boot_mode(node)
boot_option = deploy_utils.get_boot_option(node)
is_whole_disk_image = node.driver_internal_info.get('is_whole_disk_image')
# 'is_whole_disk_image' is not supported by trusted boot, because there is
# no Kernel/Ramdisk to measure at all.
if (boot_mode != 'bios'
or is_whole_disk_image
or boot_option != 'netboot'):
msg = (_("Trusted boot is only supported in BIOS boot mode with "
"netboot and without whole_disk_image, but Node "
"%(node_uuid)s was configured with boot_mode: %(boot_mode)s, "
"boot_option: %(boot_option)s, is_whole_disk_image: "
"%(is_whole_disk_image)s: at least one of them is wrong, and "
"this can be caused by enable secure boot.") %
{'node_uuid': node.uuid, 'boot_mode': boot_mode,
'boot_option': boot_option,
'is_whole_disk_image': is_whole_disk_image})
LOG.error(msg)
raise exception.InvalidParameterValue(msg)
def validate_kickstart_template(ks_template): def validate_kickstart_template(ks_template):
"""Validate the kickstart template """Validate the kickstart template


@ -168,30 +168,12 @@ def is_secure_boot_requested(node):
return sec_boot == 'true' return sec_boot == 'true'
def is_trusted_boot_requested(node):
"""Returns True if trusted_boot is requested for deploy.
This method checks instance property for trusted_boot and returns True
if it is requested.
:param node: a single Node.
:raises: InvalidParameterValue if the capabilities string is not a
dictionary or is malformed.
:returns: True if trusted_boot is requested.
"""
capabilities = common_utils.parse_instance_info_capabilities(node)
trusted_boot = capabilities.get('trusted_boot', 'false').lower()
return trusted_boot == 'true'
def get_boot_mode_for_deploy(node): def get_boot_mode_for_deploy(node):
"""Returns the boot mode that would be used for deploy. """Returns the boot mode that would be used for deploy.
This method returns boot mode to be used for deploy. This method returns boot mode to be used for deploy.
It returns 'uefi' if 'secure_boot' is set to 'true' or returns 'bios' if It returns 'uefi' if 'secure_boot' is set to 'true' in
'trusted_boot' is set to 'true' in 'instance_info/capabilities' of node. 'instance_info/capabilities' of node.
Otherwise it returns value of 'boot_mode' in 'properties/capabilities' Otherwise it returns value of 'boot_mode' in 'properties/capabilities'
of node if set. If that is not set, it returns boot mode in of node if set. If that is not set, it returns boot mode in
'internal_driver_info/deploy_boot_mode' for the node. 'internal_driver_info/deploy_boot_mode' for the node.
@ -211,12 +193,6 @@ def get_boot_mode_for_deploy(node):
LOG.debug('Deploy boot mode is uefi for %s.', node.uuid) LOG.debug('Deploy boot mode is uefi for %s.', node.uuid)
return 'uefi' return 'uefi'
if is_trusted_boot_requested(node):
# TODO(lintan) Trusted boot also supports uefi, but at the moment,
# it should only boot with bios.
LOG.debug('Deploy boot mode is bios for %s.', node.uuid)
return 'bios'
# NOTE(etingof): # NOTE(etingof):
# The search for a boot mode should be in the priority order: # The search for a boot mode should be in the priority order:
# #


@ -58,7 +58,6 @@ SUPPORTED_CAPABILITIES = {
'boot_option': ('local', 'netboot', 'ramdisk', 'kickstart'), 'boot_option': ('local', 'netboot', 'ramdisk', 'kickstart'),
'boot_mode': ('bios', 'uefi'), 'boot_mode': ('bios', 'uefi'),
'secure_boot': ('true', 'false'), 'secure_boot': ('true', 'false'),
'trusted_boot': ('true', 'false'),
'disk_label': ('msdos', 'gpt'), 'disk_label': ('msdos', 'gpt'),
} }
@ -130,13 +129,10 @@ def _replace_root_uuid(path, root_uuid):
def _replace_boot_line(path, boot_mode, is_whole_disk_image, def _replace_boot_line(path, boot_mode, is_whole_disk_image,
trusted_boot=False, iscsi_boot=False, iscsi_boot=False, ramdisk_boot=False,
ramdisk_boot=False, ipxe_enabled=False, ipxe_enabled=False, anaconda_boot=False):
anaconda_boot=False):
if is_whole_disk_image: if is_whole_disk_image:
boot_disk_type = 'boot_whole_disk' boot_disk_type = 'boot_whole_disk'
elif trusted_boot:
boot_disk_type = 'trusted_boot'
elif iscsi_boot: elif iscsi_boot:
boot_disk_type = 'boot_iscsi' boot_disk_type = 'boot_iscsi'
elif ramdisk_boot: elif ramdisk_boot:
@ -164,9 +160,9 @@ def _replace_disk_identifier(path, disk_identifier):
# NOTE(TheJulia): This should likely be migrated to pxe_utils. # NOTE(TheJulia): This should likely be migrated to pxe_utils.
def switch_pxe_config(path, root_uuid_or_disk_id, boot_mode, def switch_pxe_config(path, root_uuid_or_disk_id, boot_mode,
is_whole_disk_image, trusted_boot=False, is_whole_disk_image, iscsi_boot=False,
iscsi_boot=False, ramdisk_boot=False, ramdisk_boot=False, ipxe_enabled=False,
ipxe_enabled=False, anaconda_boot=False): anaconda_boot=False):
"""Switch a pxe config from deployment mode to service mode. """Switch a pxe config from deployment mode to service mode.
:param path: path to the pxe config file in tftpboot. :param path: path to the pxe config file in tftpboot.
@ -174,9 +170,6 @@ def switch_pxe_config(path, root_uuid_or_disk_id, boot_mode,
disk_id in case of whole disk image. disk_id in case of whole disk image.
:param boot_mode: if boot mode is uefi or bios. :param boot_mode: if boot mode is uefi or bios.
:param is_whole_disk_image: if the image is a whole disk image or not. :param is_whole_disk_image: if the image is a whole disk image or not.
:param trusted_boot: if boot with trusted_boot or not. The usage of
is_whole_disk_image and trusted_boot are mutually exclusive. You can
have one or neither, but not both.
:param iscsi_boot: if boot is from an iSCSI volume or not. :param iscsi_boot: if boot is from an iSCSI volume or not.
:param ramdisk_boot: if the boot is to be to a ramdisk configuration. :param ramdisk_boot: if the boot is to be to a ramdisk configuration.
:param ipxe_enabled: A default False boolean value to tell the method :param ipxe_enabled: A default False boolean value to tell the method
@ -190,8 +183,8 @@ def switch_pxe_config(path, root_uuid_or_disk_id, boot_mode,
else: else:
_replace_disk_identifier(path, root_uuid_or_disk_id) _replace_disk_identifier(path, root_uuid_or_disk_id)
_replace_boot_line(path, boot_mode, is_whole_disk_image, trusted_boot, _replace_boot_line(path, boot_mode, is_whole_disk_image, iscsi_boot,
iscsi_boot, ramdisk_boot, ipxe_enabled, anaconda_boot) ramdisk_boot, ipxe_enabled, anaconda_boot)
def check_for_missing_params(info_dict, error_msg, param_prefix=''): def check_for_missing_params(info_dict, error_msg, param_prefix=''):
@ -1375,7 +1368,6 @@ def is_iscsi_boot(task):
# NOTE(etingof): retain original location of these funcs for compatibility # NOTE(etingof): retain original location of these funcs for compatibility
is_secure_boot_requested = boot_mode_utils.is_secure_boot_requested is_secure_boot_requested = boot_mode_utils.is_secure_boot_requested
is_trusted_boot_requested = boot_mode_utils.is_trusted_boot_requested
get_boot_mode_for_deploy = boot_mode_utils.get_boot_mode_for_deploy get_boot_mode_for_deploy = boot_mode_utils.get_boot_mode_for_deploy
parse_instance_info_capabilities = ( parse_instance_info_capabilities = (
utils.parse_instance_info_capabilities utils.parse_instance_info_capabilities
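Review bot: Dropping `trusted_boot` from the middle of the positional parameter list of `switch_pxe_config` and `_replace_boot_line` lets a caller that was not updated keep running with its flags shifted by one. An old positional call such as `switch_pxe_config(path, uuid, mode, False, False, True)` used to mean iscsi_boot=True and now binds ramdisk_boot=True, so a different boot label is selected without any error. Making the optional flags keyword-only turns that into an immediate TypeError: end both signatures with `is_whole_disk_image, *, iscsi_boot=False, ramdisk_boot=False, ipxe_enabled=False, anaconda_boot=False):` and pass `iscsi_boot=iscsi_boot, ramdisk_boot=ramdisk_boot, ipxe_enabled=ipxe_enabled, anaconda_boot=anaconda_boot` in the internal `_replace_boot_line` call. The call in build_service_pxe_config shown in this commit already uses keywords for these flags; both function bodies continue outside the hunks.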


@ -90,7 +90,7 @@ sc2UnitNodeMacAddress OBJECT-TYPE
""" """
MAC_ADDRESS_OID = '1.3.6.1.4.1.231.2.10.2.2.10.3.1.1.9.1' MAC_ADDRESS_OID = '1.3.6.1.4.1.231.2.10.2.2.10.3.1.1.9.1'
CAPABILITIES_PROPERTIES = {'trusted_boot', 'irmc_firmware_version', CAPABILITIES_PROPERTIES = {'irmc_firmware_version',
'rom_firmware_version', 'server_model', 'rom_firmware_version', 'server_model',
'pci_gpu_devices', 'cpu_fpga'} 'pci_gpu_devices', 'cpu_fpga'}
@ -175,8 +175,8 @@ def _inspect_hardware(node, existing_traits=None, **kwargs):
elif cpu_fpga != 0 and 'CUSTOM_CPU_FPGA' not in new_traits: elif cpu_fpga != 0 and 'CUSTOM_CPU_FPGA' not in new_traits:
new_traits.append('CUSTOM_CPU_FPGA') new_traits.append('CUSTOM_CPU_FPGA')
if capabilities.get('trusted_boot') is False: # Ironic no longer supports trusted boot
capabilities.pop('trusted_boot') capabilities.pop('trusted_boot', None)
capabilities = utils.get_updated_capabilities( capabilities = utils.get_updated_capabilities(
node.properties.get('capabilities'), capabilities) node.properties.get('capabilities'), capabilities)
if capabilities: if capabilities:
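Review bot: The unconditional `capabilities.pop('trusted_boot', None)` only cleans the freshly inspected dict, while the value already stored in `node.properties['capabilities']` is handed unchanged to `utils.get_updated_capabilities` on the next line. If that helper merges rather than replaces (its body is not shown here), a node inspected before this change keeps advertising `trusted_boot` to schedulers although nothing honours it any more. Either strip the key from the stored capabilities as well, or add a test that starts from an existing `trusted_boot` entry and pins the intended result; the one test that covered that case, `test_inspect_hardware_props_trusted_boot_is_false_and_existing_cap`, is deleted in this commit. `_inspect_hardware` starts and ends outside the hunk.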


@ -359,24 +359,7 @@ class PXEBaseMixin(object):
"'kickstart' boot option is set on the node but no " "'kickstart' boot option is set on the node but no "
"default kickstart template is specified")) "default kickstart template is specified"))
# Check the trusted_boot capabilities value.
deploy_utils.validate_capabilities(node) deploy_utils.validate_capabilities(node)
if deploy_utils.is_trusted_boot_requested(node):
# Check if 'boot_option' and boot mode is compatible with
# trusted boot.
if self.ipxe_enabled:
# NOTE(TheJulia): So in theory (huge theory here, not put to
# practice or tested), that one can define the kernel as tboot
# and define the actual kernel and ramdisk as appended data.
# Similar to how one can iPXE load the XEN hypervisor.
# tboot mailing list seem to indicate pxe/ipxe support, or
# more specifically avoiding breaking the scenarios of use,
# but there is also no definitive documentation on the subject.
LOG.warning('Trusted boot has been requested for %(node)s in '
'concert with iPXE. This is not a supported '
'configuration for an ironic deployment.',
{'node': node.uuid})
pxe_utils.validate_boot_parameters_for_trusted_boot(node)
# Check if we have invalid parameters being passed which will not work # Check if we have invalid parameters being passed which will not work
# for ramdisk configurations. # for ramdisk configurations.


@ -15,10 +15,6 @@ label boot_whole_disk
COM32 chain.c32 COM32 chain.c32
append mbr:{{ DISK_IDENTIFIER }} append mbr:{{ DISK_IDENTIFIER }}
label trusted_boot
kernel mboot
append tboot.gz --- {{pxe_options.aki_path}} root={{ ROOT }} ro text {{ pxe_options.pxe_append_params|default("", true) }} intel_iommu=on --- {{pxe_options.ari_path}}
label boot_ramdisk label boot_ramdisk
kernel {{ pxe_options.aki_path }} kernel {{ pxe_options.aki_path }}
append initrd={{ pxe_options.ari_path }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }} append initrd={{ pxe_options.ari_path }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }}


@ -1448,52 +1448,6 @@ class PXEInterfacesTestCase(db_base.DbTestCase):
list(fake_pxe_info.values()), list(fake_pxe_info.values()),
True) True)
@mock.patch.object(pxe_utils.LOG, 'error', autospec=True)
def test_validate_boot_parameters_for_trusted_boot_one(self, mock_log):
properties = {'capabilities': 'boot_mode:uefi'}
instance_info = {"boot_option": "netboot"}
self.node.properties = properties
self.node.instance_info['capabilities'] = instance_info
self.node.driver_internal_info['is_whole_disk_image'] = False
self.assertRaises(exception.InvalidParameterValue,
pxe_utils.validate_boot_parameters_for_trusted_boot,
self.node)
self.assertTrue(mock_log.called)
@mock.patch.object(pxe_utils.LOG, 'error', autospec=True)
def test_validate_boot_parameters_for_trusted_boot_two(self, mock_log):
properties = {'capabilities': 'boot_mode:bios'}
instance_info = {"boot_option": "local"}
self.node.properties = properties
self.node.instance_info['capabilities'] = instance_info
self.node.driver_internal_info['is_whole_disk_image'] = False
self.assertRaises(exception.InvalidParameterValue,
pxe_utils.validate_boot_parameters_for_trusted_boot,
self.node)
self.assertTrue(mock_log.called)
@mock.patch.object(pxe_utils.LOG, 'error', autospec=True)
def test_validate_boot_parameters_for_trusted_boot_three(self, mock_log):
properties = {'capabilities': 'boot_mode:bios'}
instance_info = {"boot_option": "netboot"}
self.node.properties = properties
self.node.instance_info['capabilities'] = instance_info
self.node.driver_internal_info['is_whole_disk_image'] = True
self.assertRaises(exception.InvalidParameterValue,
pxe_utils.validate_boot_parameters_for_trusted_boot,
self.node)
self.assertTrue(mock_log.called)
@mock.patch.object(pxe_utils.LOG, 'error', autospec=True)
def test_validate_boot_parameters_for_trusted_boot_pass(self, mock_log):
properties = {'capabilities': 'boot_mode:bios'}
instance_info = {"boot_option": "netboot"}
self.node.properties = properties
self.node.instance_info['capabilities'] = instance_info
self.node.driver_internal_info['is_whole_disk_image'] = False
pxe_utils.validate_boot_parameters_for_trusted_boot(self.node)
self.assertFalse(mock_log.called)
@mock.patch.object(pxe.PXEBoot, '__init__', lambda self: None) @mock.patch.object(pxe.PXEBoot, '__init__', lambda self: None)
class PXEBuildKickstartConfigOptionsTestCase(db_base.DbTestCase): class PXEBuildKickstartConfigOptionsTestCase(db_base.DbTestCase):


@ -83,7 +83,6 @@ class IRMCInspectInternalMethodsTestCase(test_common.BaseIRMCTest):
'cpus': 2, 'cpus': 2,
'cpu_arch': 'x86_64'} 'cpu_arch': 'x86_64'}
inspected_capabilities = { inspected_capabilities = {
'trusted_boot': False,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
@ -425,14 +424,12 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
gpu_ids = ['0x1000/0x0079', '0x2100/0x0080'] gpu_ids = ['0x1000/0x0079', '0x2100/0x0080']
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = { existed_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1 'pci_gpu_devices': 1
} }
inspected_capabilities = { inspected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
@ -440,7 +437,6 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
'cpu_fpga': 1 'cpu_fpga': 1
} }
expected_capabilities = { expected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
@ -463,12 +459,10 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
cpu_fpgas = [] cpu_fpgas = []
existed_capabilities = {} existed_capabilities = {}
inspected_capabilities = { inspected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
expected_capabilities = { expected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
@ -489,7 +483,6 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = {} existed_capabilities = {}
inspected_capabilities = { inspected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
@ -497,7 +490,6 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
'cpu_fpga': 0 'cpu_fpga': 0
} }
expected_capabilities = { expected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
@ -519,18 +511,15 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
gpu_ids = [] gpu_ids = []
cpu_fpgas = [] cpu_fpgas = []
existed_capabilities = { existed_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1} 'pci_gpu_devices': 1}
inspected_capabilities = { inspected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
expected_capabilities = { expected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
@ -552,20 +541,17 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
gpu_ids = ['0x1000/0x0079', '0x2100/0x0080'] gpu_ids = ['0x1000/0x0079', '0x2100/0x0080']
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = { existed_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1} 'pci_gpu_devices': 1}
inspected_capabilities = { inspected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 0, 'pci_gpu_devices': 0,
'cpu_fpga': 0} 'cpu_fpga': 0}
expected_capabilities = { expected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
@ -581,13 +567,13 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
existed_traits, existed_traits,
expected_traits) expected_traits)
def test_inspect_hardware_props_trusted_boot_is_false(self): def test_inspect_hardware_props_trusted_boot_removed(self):
# Set config flags # Set config flags
gpu_ids = ['0x1000/0x0079', '0x2100/0x0080'] gpu_ids = ['0x1000/0x0079', '0x2100/0x0080']
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = {} existed_capabilities = {}
inspected_capabilities = { inspected_capabilities = {
'trusted_boot': False, 'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
@ -610,54 +596,17 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
existed_traits, existed_traits,
expected_traits) expected_traits)
def test_inspect_hardware_props_trusted_boot_is_false_and_existing_cap(
self):
# Set config flags
gpu_ids = ['0x1000/0x0079', '0x2100/0x0080']
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1}
inspected_capabilities = {
'trusted_boot': False,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1,
'cpu_fpga': 1}
expected_capabilities = {
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1}
existed_traits = ['CUSTOM_CPU_FPGA']
expected_traits = ['CUSTOM_CPU_FPGA']
self._test_inspect_hardware_props(gpu_ids,
cpu_fpgas,
existed_capabilities,
inspected_capabilities,
expected_capabilities,
existed_traits,
expected_traits)
def test_inspect_hardware_props_gpu_and_cpu_fpgas_results_are_different( def test_inspect_hardware_props_gpu_and_cpu_fpgas_results_are_different(
self): self):
# Set config flags # Set config flags
gpu_ids = ['0x1000/0x0079', '0x2100/0x0080'] gpu_ids = ['0x1000/0x0079', '0x2100/0x0080']
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = { existed_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1} 'pci_gpu_devices': 1}
inspected_capabilities = { inspected_capabilities = {
'trusted_boot': False,
'irmc_firmware_version': 'iRMC S4-7.82F', 'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5', 'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',


@ -96,19 +96,6 @@ class GetBootModeTestCase(tests_base.TestCase):
result = boot_mode_utils.get_boot_mode_for_deploy(self.node) result = boot_mode_utils.get_boot_mode_for_deploy(self.node)
self.assertEqual('uefi', result) self.assertEqual('uefi', result)
instance_info = {'capabilities': {'trusted_boot': 'True'}}
self.node.instance_info = instance_info
result = boot_mode_utils.get_boot_mode_for_deploy(self.node)
self.assertEqual('bios', result)
instance_info = {'capabilities': {'trusted_boot': 'True',
'secure_boot': 'True'}}
self.node.instance_info = instance_info
result = boot_mode_utils.get_boot_mode_for_deploy(self.node)
self.assertEqual('uefi', result)
def test_get_boot_mode_for_deploy_using_instance_info_cap(self): def test_get_boot_mode_for_deploy_using_instance_info_cap(self):
instance_info = {'capabilities': {'boot_mode': 'uefi'}} instance_info = {'capabilities': {'boot_mode': 'uefi'}}
self.node.instance_info = instance_info self.node.instance_info = instance_info


@ -61,10 +61,6 @@ append initrd=ramdisk root={{ ROOT }}
label boot_whole_disk label boot_whole_disk
COM32 chain.c32 COM32 chain.c32
append mbr:{{ DISK_IDENTIFIER }} append mbr:{{ DISK_IDENTIFIER }}
label trusted_boot
kernel mboot
append tboot.gz --- kernel root={{ ROOT }} --- ramdisk
""" """
_PXECONF_BOOT_PARTITION = """ _PXECONF_BOOT_PARTITION = """
@ -82,11 +78,6 @@ append initrd=ramdisk root=UUID=12345678-1234-1234-1234-1234567890abcdef
label boot_whole_disk label boot_whole_disk
COM32 chain.c32 COM32 chain.c32
append mbr:{{ DISK_IDENTIFIER }} append mbr:{{ DISK_IDENTIFIER }}
label trusted_boot
kernel mboot
append tboot.gz --- kernel root=UUID=12345678-1234-1234-1234-1234567890abcdef \
--- ramdisk
""" """
_PXECONF_BOOT_WHOLE_DISK = """ _PXECONF_BOOT_WHOLE_DISK = """
@ -104,32 +95,6 @@ append initrd=ramdisk root={{ ROOT }}
label boot_whole_disk label boot_whole_disk
COM32 chain.c32 COM32 chain.c32
append mbr:0x12345678 append mbr:0x12345678
label trusted_boot
kernel mboot
append tboot.gz --- kernel root={{ ROOT }} --- ramdisk
"""
_PXECONF_TRUSTED_BOOT = """
default trusted_boot
label deploy
kernel deploy_kernel
append initrd=deploy_ramdisk
ipappend 3
label boot_partition
kernel kernel
append initrd=ramdisk root=UUID=12345678-1234-1234-1234-1234567890abcdef
label boot_whole_disk
COM32 chain.c32
append mbr:{{ DISK_IDENTIFIER }}
label trusted_boot
kernel mboot
append tboot.gz --- kernel root=UUID=12345678-1234-1234-1234-1234567890abcdef \
--- ramdisk
""" """
_IPXECONF_DEPLOY = b""" _IPXECONF_DEPLOY = b"""
@ -379,17 +344,6 @@ class SwitchPxeConfigTestCase(tests_base.TestCase):
pxeconf = f.read() pxeconf = f.read()
self.assertEqual(_PXECONF_BOOT_WHOLE_DISK, pxeconf) self.assertEqual(_PXECONF_BOOT_WHOLE_DISK, pxeconf)
def test_switch_pxe_config_trusted_boot(self):
boot_mode = 'bios'
fname = self._create_config()
utils.switch_pxe_config(fname,
'12345678-1234-1234-1234-1234567890abcdef',
boot_mode,
False, True)
with open(fname, 'r') as f:
pxeconf = f.read()
self.assertEqual(_PXECONF_TRUSTED_BOOT, pxeconf)
def test_switch_ipxe_config_partition_image(self): def test_switch_ipxe_config_partition_image(self):
boot_mode = 'bios' boot_mode = 'bios'
fname = self._create_config(ipxe=True) fname = self._create_config(ipxe=True)
@ -492,7 +446,8 @@ class SwitchPxeConfigTestCase(tests_base.TestCase):
utils.switch_pxe_config(fname, utils.switch_pxe_config(fname,
'0x12345678', '0x12345678',
boot_mode, boot_mode,
False, False, True, is_whole_disk_image=False,
iscsi_boot=True,
ipxe_enabled=True) ipxe_enabled=True)
with open(fname, 'r') as f: with open(fname, 'r') as f:
pxeconf = f.read() pxeconf = f.read()
@ -988,18 +943,6 @@ class ParseInstanceInfoCapabilitiesTestCase(tests_base.TestCase):
self.node.instance_info = {'capabilities': {"secure_boot": "invalid"}} self.node.instance_info = {'capabilities': {"secure_boot": "invalid"}}
self.assertFalse(utils.is_secure_boot_requested(self.node)) self.assertFalse(utils.is_secure_boot_requested(self.node))
def test_is_trusted_boot_requested_true(self):
self.node.instance_info = {'capabilities': {"trusted_boot": "true"}}
self.assertTrue(utils.is_trusted_boot_requested(self.node))
def test_is_trusted_boot_requested_false(self):
self.node.instance_info = {'capabilities': {"trusted_boot": "false"}}
self.assertFalse(utils.is_trusted_boot_requested(self.node))
def test_is_trusted_boot_requested_invalid(self):
self.node.instance_info = {'capabilities': {"trusted_boot": "invalid"}}
self.assertFalse(utils.is_trusted_boot_requested(self.node))
def test_validate_boot_mode_capability(self): def test_validate_boot_mode_capability(self):
prop = {'capabilities': 'boot_mode:uefi,cap2:value2'} prop = {'capabilities': 'boot_mode:uefi,cap2:value2'}
self.node.properties = prop self.node.properties = prop
@ -1028,12 +971,6 @@ class ParseInstanceInfoCapabilitiesTestCase(tests_base.TestCase):
self.assertRaises(exception.InvalidParameterValue, self.assertRaises(exception.InvalidParameterValue,
utils.validate_capabilities, self.node) utils.validate_capabilities, self.node)
def test_validate_trusted_boot_capability(self):
properties = {'capabilities': 'trusted_boot:value'}
self.node.properties = properties
self.assertRaises(exception.InvalidParameterValue,
utils.validate_capabilities, self.node)
def test_all_supported_capabilities(self): def test_all_supported_capabilities(self):
self.assertEqual(('local', 'netboot', 'ramdisk', 'kickstart'), self.assertEqual(('local', 'netboot', 'ramdisk', 'kickstart'),
utils.SUPPORTED_CAPABILITIES['boot_option']) utils.SUPPORTED_CAPABILITIES['boot_option'])
@ -1041,8 +978,6 @@ class ParseInstanceInfoCapabilitiesTestCase(tests_base.TestCase):
utils.SUPPORTED_CAPABILITIES['boot_mode']) utils.SUPPORTED_CAPABILITIES['boot_mode'])
self.assertEqual(('true', 'false'), self.assertEqual(('true', 'false'),
utils.SUPPORTED_CAPABILITIES['secure_boot']) utils.SUPPORTED_CAPABILITIES['secure_boot'])
self.assertEqual(('true', 'false'),
utils.SUPPORTED_CAPABILITIES['trusted_boot'])
def test_get_disk_label(self): def test_get_disk_label(self):
inst_info = {'capabilities': {'disk_label': 'gpt', 'foo': 'bar'}} inst_info = {'capabilities': {'disk_label': 'gpt', 'foo': 'bar'}}


@ -190,29 +190,6 @@ class iPXEBootTestCase(db_base.DbTestCase):
self.assertRaises(exception.MissingParameterValue, self.assertRaises(exception.MissingParameterValue,
task.driver.boot.validate, task) task.driver.boot.validate, task)
def test_validate_fail_trusted_boot_with_secure_boot(self):
instance_info = {"boot_option": "netboot",
"secure_boot": "true",
"trusted_boot": "true"}
properties = {'capabilities': 'trusted_boot:true'}
with task_manager.acquire(self.context, self.node.uuid,
shared=True) as task:
task.node.instance_info['capabilities'] = instance_info
task.node.properties = properties
task.node.driver_internal_info['is_whole_disk_image'] = False
self.assertRaises(exception.InvalidParameterValue,
task.driver.boot.validate, task)
def test_validate_fail_invalid_trusted_boot_value(self):
properties = {'capabilities': 'trusted_boot:value'}
instance_info = {"trusted_boot": "value"}
with task_manager.acquire(self.context, self.node.uuid,
shared=True) as task:
task.node.properties = properties
task.node.instance_info['capabilities'] = instance_info
self.assertRaises(exception.InvalidParameterValue,
task.driver.boot.validate, task)
@mock.patch.object(image_service.GlanceImageService, 'show', @mock.patch.object(image_service.GlanceImageService, 'show',
autospec=True) autospec=True)
def test_validate_fail_no_image_kernel_ramdisk_props(self, mock_glance): def test_validate_fail_no_image_kernel_ramdisk_props(self, mock_glance):
@ -623,8 +600,8 @@ class iPXEBootTestCase(db_base.DbTestCase):
provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts) provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts)
switch_pxe_config_mock.assert_called_once_with( switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'uefi', False, False, False, False, ipxe_enabled=True, 'uefi', False, iscsi_boot=False, ramdisk_boot=False,
anaconda_boot=False) ipxe_enabled=True, anaconda_boot=False)
set_boot_device_mock.assert_called_once_with(task, set_boot_device_mock.assert_called_once_with(task,
boot_devices.PXE, boot_devices.PXE,
persistent=True) persistent=True)
@ -668,8 +645,8 @@ class iPXEBootTestCase(db_base.DbTestCase):
provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts) provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts)
switch_pxe_config_mock.assert_called_once_with( switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'bios', False, False, False, False, ipxe_enabled=True, 'bios', False, iscsi_boot=False, ramdisk_boot=False,
anaconda_boot=False) ipxe_enabled=True, anaconda_boot=False)
set_boot_device_mock.assert_called_once_with(task, set_boot_device_mock.assert_called_once_with(task,
boot_devices.PXE, boot_devices.PXE,
persistent=True) persistent=True)
@ -829,8 +806,8 @@ class iPXEBootTestCase(db_base.DbTestCase):
ipxe_enabled=True) ipxe_enabled=True)
switch_pxe_config_mock.assert_called_once_with( switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'bios', False, False, False, False, ipxe_enabled=True, 'bios', False, iscsi_boot=False, ramdisk_boot=False,
anaconda_boot=False) ipxe_enabled=True, anaconda_boot=False)
self.assertFalse(set_boot_device_mock.called) self.assertFalse(set_boot_device_mock.called)
@mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True) @mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True)
@ -1212,8 +1189,8 @@ class iPXEBootTestCase(db_base.DbTestCase):
persistent=True) persistent=True)
switch_pxe_config_mock.assert_called_once_with( switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'uefi', True, False, False, False, ipxe_enabled=True, 'uefi', True, iscsi_boot=False, ramdisk_boot=False,
anaconda_boot=False) ipxe_enabled=True, anaconda_boot=False)
# No clean up # No clean up
self.assertFalse(clean_up_pxe_config_mock.called) self.assertFalse(clean_up_pxe_config_mock.called)
# No netboot configuration beyond the PXE files # No netboot configuration beyond the PXE files
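Review bot: The two removed tests (`test_validate_fail_trusted_boot_with_secure_boot`, `test_validate_fail_invalid_trusted_boot_value`) were the only checks in this section on how `task.driver.boot.validate` treats a `trusted_boot` capability, and nothing replaces them; the same removal is repeated in the PXEBootTestCase section below. Trusted boot is an integrity control, so a node that still carries `properties = {'capabilities': 'trusted_boot:true'}` after upgrade should not deploy unmeasured without the operator noticing. The validation code is outside these hunks, so it may already handle this; if it does not, I would add one test per class that sets that capability and asserts the chosen outcome, e.g. `self.assertRaises(exception.InvalidParameterValue, task.driver.boot.validate, task)` if the decision is to fail closed. The enclosing test classes start and end outside the hunks.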


@ -164,29 +164,6 @@ class PXEBootTestCase(db_base.DbTestCase):
self.assertRaises(exception.MissingParameterValue, self.assertRaises(exception.MissingParameterValue,
task.driver.boot.validate, task) task.driver.boot.validate, task)
def test_validate_fail_trusted_boot_with_secure_boot(self):
instance_info = {"boot_option": "netboot",
"secure_boot": "true",
"trusted_boot": "true"}
properties = {'capabilities': 'trusted_boot:true'}
with task_manager.acquire(self.context, self.node.uuid,
shared=True) as task:
task.node.instance_info['capabilities'] = instance_info
task.node.properties = properties
task.node.driver_internal_info['is_whole_disk_image'] = False
self.assertRaises(exception.InvalidParameterValue,
task.driver.boot.validate, task)
def test_validate_fail_invalid_trusted_boot_value(self):
properties = {'capabilities': 'trusted_boot:value'}
instance_info = {"trusted_boot": "value"}
with task_manager.acquire(self.context, self.node.uuid,
shared=True) as task:
task.node.properties = properties
task.node.instance_info['capabilities'] = instance_info
self.assertRaises(exception.InvalidParameterValue,
task.driver.boot.validate, task)
@mock.patch.object(image_service.GlanceImageService, 'show', autospec=True) @mock.patch.object(image_service.GlanceImageService, 'show', autospec=True)
def test_validate_fail_no_image_kernel_ramdisk_props(self, mock_glance): def test_validate_fail_no_image_kernel_ramdisk_props(self, mock_glance):
instance_info = {"boot_option": "netboot"} instance_info = {"boot_option": "netboot"}
@ -546,8 +523,8 @@ class PXEBootTestCase(db_base.DbTestCase):
provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts) provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts)
switch_pxe_config_mock.assert_called_once_with( switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'bios', False, False, False, False, ipxe_enabled=False, 'bios', False, iscsi_boot=False, ramdisk_boot=False,
anaconda_boot=False) ipxe_enabled=False, anaconda_boot=False)
set_boot_device_mock.assert_called_once_with(task, set_boot_device_mock.assert_called_once_with(task,
boot_devices.PXE, boot_devices.PXE,
persistent=True) persistent=True)
@ -587,8 +564,8 @@ class PXEBootTestCase(db_base.DbTestCase):
provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts) provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts)
switch_pxe_config_mock.assert_called_once_with( switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'uefi', False, False, False, False, ipxe_enabled=False, 'uefi', False, iscsi_boot=False, ramdisk_boot=False,
anaconda_boot=False) ipxe_enabled=False, anaconda_boot=False)
set_boot_device_mock.assert_called_once_with(task, set_boot_device_mock.assert_called_once_with(task,
boot_devices.PXE, boot_devices.PXE,
persistent=True) persistent=True)
@ -636,8 +613,8 @@ class PXEBootTestCase(db_base.DbTestCase):
ipxe_enabled=False) ipxe_enabled=False)
switch_pxe_config_mock.assert_called_once_with( switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'bios', False, False, False, False, ipxe_enabled=False, 'bios', False, iscsi_boot=False, ramdisk_boot=False,
anaconda_boot=False) ipxe_enabled=False, anaconda_boot=False)
self.assertFalse(set_boot_device_mock.called) self.assertFalse(set_boot_device_mock.called)
@mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True) @mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True)


@ -15,10 +15,6 @@ label boot_whole_disk
COM32 chain.c32 COM32 chain.c32
append mbr:{{ DISK_IDENTIFIER }} append mbr:{{ DISK_IDENTIFIER }}
label trusted_boot
kernel mboot
append tboot.gz --- /tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/kernel root={{ ROOT }} ro text test_param intel_iommu=on --- /tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/ramdisk
label boot_ramdisk label boot_ramdisk
kernel /tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/kernel kernel /tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/kernel
append initrd=/tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/ramdisk root=/dev/ram0 text test_param ramdisk_param append initrd=/tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/ramdisk root=/dev/ram0 text test_param ramdisk_param


@ -0,0 +1,5 @@
---
upgrade:
- |
Support for trusted boot has been removed. This feature requires instance
network booting, which is also removed this cycle.