metal/tools/rsbc/README.md
Samuel Pei 99fd1b15b3 Create Redfish Secure Boot Controller tool
The process of enabling/disabling Secure Boot and uploading a
certificate on a server is complicated and time consuming.

This update introduces a Redfish Secure Boot Controller (rsbc)
Tool to automate the process of querying/enabling/disabling
Secure Boot on a server as well as uploading the secure boot
certificate to the host.

The tool also supports a service option which allows the user
to query which Redfish services are supported on the server(s).

Story: 2010533
Task: 47811

Test Plan:

PASS: Verify SB query against server that supports SB
PASS: Verify SB query against server that does not support SB
PASS: Verify SB enable/disable against server that supports SB
PASS: Verify SB upload against server that supports SB
PASS: Verify Redfish service on server that supports SB
PASS: Verify Redfish service on server that supports VM
PASS: Verify Redfish service on multiple servers
PASS: Verify end-to-end SB enable, upload and server secure boot.
PASS: Verify end to end SB enable, upload and server SB w/ ipv4, un, and pw
PASS: Verify service and SB query against a server using ipv6, un, and pw

Failure Path:

PASS: Verify handling of passing an invalid certificate
PASS: Verify handling of invalid command line input
PASS: Verify handling of incorrectly formatted input file
PASS: Verify SB enable/disable against server that does not supports SB
PASS: Verify handling when server is not reachable
PASS: Verify handling when server is unpingable

Signed-off-by: Samuel Pei <samuel.pei@windriver.com>
Change-Id: I1606112493d0313fa3d86034172c5cf965c557d4
2023-04-27 18:49:04 +00:00

48 lines
2.3 KiB
Markdown

The process of enabling/disabling Secure Boot and uploading a certificate on a
server is tedious, complicated, time consuming and potentially problematic.
The Redfish Secure Boot Manager Tool uses the Redfish Protocol to automate the
process of enabling/disabling Secure Boot and uploading certificates to a host.
The tool also supports a service option which allows the user to query which
Redfish services are supported on the server(s).
The user specifies which server(s) they would like to modify using the
--config flag, which supports multiple servers, or the --bmc_ip, --bmc_un,
and --bmc_pw flags, which support one specific server. The user should
supply the path to the .yaml configuration file when using the --config
flag and the ip address of the server, username, and the password when using
the --bmc_ip, --bmc_un, and --bmc_pw flags.
There are four modes to the tool:
--query checks if Secure Boot is supported on the server. It then returns the
state of Secure Boot and outputs a list of Secure Boot certificates
--service returns which Redfish services are supported on the server(s)
--enable and --disable enables or disables Secure boot on the server(s)
--upload Uploads a .pem or .der certificate to the server's Secure Boot database
Examples of usage with --config:
./rsbc.py --query --config ./query_server.yaml
./rsbc.py --enable --config ./sb_server.yaml
./rsbc.py --disable --config ./sb_server.yaml
./rsbc.py --upload ./certs/TiBoot.crt --config ./sb_server.yaml
Examples of usage with --bmc_ip and --bmc_pw:
./rsbc.py --query --bmc_ip <BMC IP address> --bmc_un <BMC username> --bmc_pw <BMC password>>
./rsbc.py --enable --bmc_ip <BMC IP address> --bmc_un <BMC username> --bmc_pw <BMC password>>
./rsbc.py --disable --bmc_ip <BMC IP address> --bmc_un <BMC username> --bmc_pw <BMC password>>
./rsbc.py --upload --bmc_ip <BMC IP address> --bmc_un <BMC username> --bmc_pw <BMC password>>
Example of the format of a configuration file:
virtual_media_iso:
yow2-xr11-025:
bmc_username: <BMC username>
bmc_address: <BMC IP address>
bmc_password: <BMC password>
For more information, please see the Documentation of this service located at: https://confluence.wrs.com/display/CE/Redfish+Secure+Boot+Manager+Tool+HLD