ironic/doc/source/install/include/trusted-boot.rst
Ruby Loo df686019f1 [install docs] ironic -> openstack baremetal CLI
For the install documents, all the 'ironic' CLI commands are
replaced with their equivalent 'openstack baremetal' CLI commands.

Change-Id: Ic49cfd8d94366acb36c9a20b5c76885d7440f8d5
Partial-Bug: #1711235
2017-09-07 10:17:35 -04:00

Trusted boot with partition image

The Bare metal service supports trusted boot with partition images. This means that at the end of the deployment process, when the node is rebooted into the new user image, a trusted boot is performed: the node's BIOS, boot loader, Option ROM and kernel/ramdisk are measured so that it can be determined whether the bare metal node deployed by Ironic should be trusted.

Note that for this to work, the node being deployed must have Intel TXT hardware support, and the image being deployed with Ironic must have oat-client installed in it.

The following describes how to enable trusted boot and boot a node with PXE and Nova:

  1. Create a customized user image with oat-client installed:

    disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG

    For more information on creating customized images, see image-requirements.

  2. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through the BIOS. Depending on the platform, several reboots may be needed.

  3. Enroll the node and update the node capability value:

    openstack baremetal node create --driver pxe_ipmitool

    openstack baremetal node set $NODE_UUID --property capabilities={'trusted_boot':true}

  4. Create a special flavor:

    nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true

  5. Prepare tboot and mboot.c32 and put them into the tftp_root or http_root directory on all nodes running the ironic-conductor process:

    Ubuntu:
        cp /usr/lib/syslinux/mboot.c32 /tftpboot/

    Fedora:
        cp /usr/share/syslinux/mboot.c32 /tftpboot/

    Note: The actual location of mboot.c32 varies among different distribution versions.

    tboot can be downloaded from https://sourceforge.net/projects/tboot/files/latest/download

  6. Install an OAT Server. An OAT Server should be running and configured correctly.

  7. Boot an instance with Nova:

    nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance

    Note that the node will be measured during trusted boot and the hash values saved into the TPM. An example of TRUST_SCRIPT can be found in the trust script example.

  8. Verify the result via OAT Server.

    This is outside the scope of Ironic. At the moment, users can manually verify the result by following the manual verification steps.
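Steps 7 and 8 rely on the measure-then-verify model that the text only names: tboot hashes each boot component into a TPM PCR, and the OAT Server decides whether the resulting values are known-good. The following is an added example written for this page, not code from Ironic, tboot or OAT, that reproduces that arithmetic in software so the verification logic is visible. It assumes a SHA-1 sized PCR and the standard TPM extend rule (new_pcr = SHA1(old_pcr || measurement)); every component blob and whitelist entry is constructed, and the TPM-signed quote that a real OAT check also validates is not modelled.

```python
"""Software model of trusted-boot measurement and verification.

Added example, not code from Ironic, tboot or OAT. A TPM PCR cannot be
written directly; it can only be extended: new_pcr = SHA1(old_pcr || value).
tboot measures each boot component and extends its hash into a PCR, and the
OAT server later compares the reported values against known-good values.
All component contents and whitelist entries below are constructed.
"""
import hashlib

PCR_BYTES = 20  # SHA-1 sized PCR (the TPM 1.2 PCR width tboot/OAT used)


def measure(component: bytes) -> bytes:
    """Hash one boot component (BIOS, boot loader, kernel, ...)."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: the PCR only ever moves forward through a hash chain."""
    return hashlib.sha1(pcr + measurement).digest()


def simulate_boot(components):
    """Measure components in boot order into a single PCR.

    Returns the final PCR value and an event log of (name, measurement hex)
    pairs, which is what a verifier receives alongside the PCR value.
    """
    pcr = b"\x00" * PCR_BYTES
    log = []
    for name, blob in components:
        m = measure(blob)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the event log alone (verifier side)."""
    pcr = b"\x00" * PCR_BYTES
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def attest(reported_pcr, log, whitelist):
    """Verifier check: the log must replay to the PCR and every entry must be known-good.

    Returns (trusted, reasons). A real OAT check additionally verifies a
    TPM-signed quote over the PCRs; that signature step is not modelled here.
    """
    reasons = []
    if replay_log(log) != reported_pcr:
        reasons.append("event log does not replay to reported PCR")
    for name, m_hex in log:
        expected = whitelist.get(name)
        if expected is None:
            reasons.append(f"{name}: no known-good value")
        elif expected != m_hex:
            reasons.append(f"{name}: measurement {m_hex[:12]}... not in whitelist")
    return (not reasons, reasons)


# Constructed sample boot chain (placeholder contents, not real firmware).
GOOD_COMPONENTS = [
    ("bios", b"bios-firmware-build-1"),
    ("bootloader", b"mboot.c32+tboot"),
    ("option_rom", b"nic-option-rom"),
    ("kernel", b"vmlinuz-user-image"),
    ("ramdisk", b"initramfs-user-image"),
]
# Whitelist of the measurement expected for each component.
WHITELIST = {name: measure(blob).hex() for name, blob in GOOD_COMPONENTS}
# The same chain with a modified kernel.
TAMPERED_COMPONENTS = [
    (name, b"vmlinuz-modified" if name == "kernel" else blob)
    for name, blob in GOOD_COMPONENTS
]


if __name__ == "__main__":
    pcr, log = simulate_boot(GOOD_COMPONENTS)
    print("good boot:", attest(pcr, log, WHITELIST))
    pcr, log = simulate_boot(TAMPERED_COMPONENTS)
    print("tampered kernel:", attest(pcr, log, WHITELIST))
```

The two checks in `attest` are deliberately separate: the whitelist comparison tells an operator which component changed, while the replay check is what prevents a node from reporting a clean-looking log next to a PCR it does not actually match. In the Ironic flow this is the work the OAT Server does after the node has booted the trusted image and reported its measurements.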