openstack/ironic
Code Issues Proposed changes
a400c66343
ironic/install-guide/source/include/trusted-boot.rst
Mathieu Mitchell bf926789c1 [install-guide] Import "Trusted boot with partition image" 
Import Trusted boot under Advanced section.

Change-Id: I33907dee5d6af49b8851761dc7a5d7b4bb3081c6
Partial-bug: #1612278
2016-09-26 08:41:21 -04:00

2.8 KiB
Raw Blame History

Trusted boot with partition image

Starting with the Liberty release, Ironic supports trusted boot with partition image. This means at the end of the deployment process, when the node is rebooted with the new user image, trusted boot will be performed. It will measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to determine whether a bare metal node deployed by Ironic should be trusted.

It's important to note that in order for this to work the node being deployed must have Intel TXT hardware support. The image being deployed with Ironic must have oat-client installed within it.

The following will describe how to enable trusted boot and boot with PXE and Nova:

  1. Create a customized user image with oat-client installed:

    disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG

    For more information on creating customized images, see image-requirements.

  2. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through the BIOS. Depending on the platform, several reboots may be needed.

  3. Enroll the node and update the node capability value:

    ironic node-create -d pxe_ipmitool

ironic node-update $NODE_UUID add properties/capabilities={'trusted_boot':true}

  4. Create a special flavor:

    nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true

  5. Prepare tboot and mboot.c32 and put them into tftp_root or http_root directory on all nodes with the ironic-conductor processes:

    Ubuntu:
    cp /usr/lib/syslinux/mboot.c32 /tftpboot/

Fedora:
    cp /usr/share/syslinux/mboot.c32 /tftpboot/

    Note: The actual location of mboot.c32 varies among different distribution versions.

    tboot can be downloaded from https://sourceforge.net/projects/tboot/files/latest/download

  6. Install an OAT Server. An OAT Server should be running and configured correctly.

  7. Boot an instance with Nova:

    nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance

    Note that the node will be measured during trusted boot and the hash values saved into TPM. An example of TRUST_SCRIPT can be found in trust script example.

  8. Verify the result via OAT Server.

    This is outside the scope of Ironic. At the moment, users can manually verify the result by following the manual verify steps.