From 5a212299c498fe820c83bd5539eee5594377f5e7 Mon Sep 17 00:00:00 2001 From: Shivanand Tendulker Date: Thu, 16 Apr 2015 03:49:53 -0700 Subject: [PATCH] UEFI secure boot support for pxe_ilo driver https://blueprints.launchpad.net/ironic/+spec/uefi-secure-boot-pxe-ilo This spec proposes grub2 as a alternative bootloader for Ironic pxe driver to add support for UEFI secure boot to pxe_ilo driver. Change-Id: I5745fe5c30b0ba1eb67065218dec9c334884007a --- specs/liberty/uefi-secure-boot-pxe-ilo.rst | 297 +++++++++++++++++++++ 1 file changed, 297 insertions(+) create mode 100644 specs/liberty/uefi-secure-boot-pxe-ilo.rst diff --git a/specs/liberty/uefi-secure-boot-pxe-ilo.rst b/specs/liberty/uefi-secure-boot-pxe-ilo.rst new file mode 100644 index 00000000..1838fdaf --- /dev/null +++ b/specs/liberty/uefi-secure-boot-pxe-ilo.rst @@ -0,0 +1,297 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + +================================================== +UEFI Secure Boot support for pxe_iLO driver +================================================== + +Include the URL of your launchpad blueprint: + +https://blueprints.launchpad.net/ironic/+spec/uefi-secure-boot-pxe-ilo + +As part of Kilo release UEFI secure boot support was enabled for all the iLO +drivers except pxe_ilo. It is important to have this feature supported for +pxe_ilo driver so that security sensitive users of pxe_ilo driver could deploy +more securely using Secure Boot feature of the UEFI. This spec proposes UEFI +Secure Boot support in baremetal provisioning for pxe_ilo driver. + +Problem description +=================== + +Secure Boot is part of the UEFI specification (http://www.uefi.org). It helps +to make sure that node boots using only software that is trusted by Admin/End +user. + +Secure Boot is different from TPM (Trusted Platform Module). TPM is a standard +for a secure cryptoprocessor, which is dedicated microprocessor designed to +secure hardware by integrating cryptographic keys into devices. Secure Boot is +part of UEFI specification, which can secure the boot process by preventing +the loading of drivers or OS loaders that are not signed with an acceptable +digital signature. + +When the node starts with secure boot enabled, system firmware checks the +signature of each piece of boot software, including firmware drivers (Option +ROMs), boot loaders and the operating system. If the signatures are good, +the node boots, and the firmware gives control to the operating system. + +The Admin and End users having security sensitivity with respect to baremetal +provisioning owing to the workloads they intend to run on the provisioned +nodes would be interested in using secure boot provided by UEFI. + +Once secure boot is enabled for a node, it cannot boot using unsigned boot +images. Hence it is important to use signed bootloaders and kernel if node +were to be booted using secure boot. + +This feature has been enabled for iscsi_ilo and agent_ilo driver during Kilo +release. It needs to be enabled for pxe_ilo driver. This needs pxe_ilo driver +should support signed UEFI bootloader for the nodes to boot in the UEFI secure +boot environment. + +Proposed change +=============== + +This spec proposes to support UEFI secure boot for pxe_ilo driver and grub2 as +an alternate bootloader for UEFI deploy for PXE drivers. + +Preparing the environment +------------------------- + +* The operator informs the Ironic using the ``capabilities`` property of the + node. The operator may add a new capability ``secure_boot=true`` in + ``capabilities`` within ``properties`` of that node. This is an optional + property that can be used if node needs to be provisioned for secure boot. + By default the behavior would be as if this property is set to 'false'. The + inspection feature in iLO drivers can auto discover secure boot capability + of the node and create node capability into that node object. + +* If the user has ``secure_boot`` capability set in the flavor, pxe_ilo has + ability to change the boot mode to UEFI and prepare the node for the secure + boot on the fly using proliantutils library calls. + +* Even if the ``secure_boot`` capability is set to ``true`` in the node's + ``properties/capabilities``, node can be used for normal non-secure boot + deployments. Driver would use the ``secure_boot`` capability information from + the node's ``instance_info`` field to provision node for UEFI secure boot. + +Preparing flavor for secure boot +-------------------------------- + +* The ``extra_specs`` field in the nova flavor should be used to indicate + secure boot. User will need to create a flavor by adding + "capabilities:secure_boot="true" to it. + +* iLO driver will not do secure boot if "secure_boot" capability flavor is + not present or set to "False". Nova scheduler will use secure_boot + capability as one of the node selection criteria if "secure_boot" is + present in extra_spec. If "secure_boot" is not present in extra_spec then + Nova scheduler will not consider "secure_boot" capability as a node + selection criteria. + +* Ironic virt Driver will pass the flavor capability information to the driver + as part of 'instance_info'. Having capability information as part of + 'instance_info' would help driver in preparing and decommissioning the node + appropriately. With respect to secure boot feature, this information would be + used by pxe_ilo driver for:- + + * During provisioning, driver can turn on the secure boot capability to + validate signatures of bootloaders and kernel. + + * During teardown, secure boot mode would be disabled on the node. + +Preparing bootloader and deploy images +-------------------------------------- + +To support UEFI secure boot for pxe_ilo driver, pxe driver for Ironic should +support signed UEFI bootloader. Currently 'elilo' is the default UEFI +bootloader for all pxe drivers. Not all major linux distros ship signed 'elilo' +bootloader. They ship signed 'grub2' bootloader. + +Enabling grub2 bootloader requires steps similar to elilo. Steps are:- + +* Copy signed shim and grub2 bootloader files into tftproot directory as + bootx64.efi and grubx64.efi respectively . + +* Create a master grub.cfg file under /tftpboot/grub + +* Contents of master grub.cfg would look something like this. + set default=master + set timeout=5 + set hidden_timeout_quiet=false + + menuentry "master" { + configfile /tftpboot/$net_default_ip.conf + } + + This master grub.cfg gets loaded first during PXE boot. It tells grub to + refer to the node specific config file in tftproot directory configured for + PXE. The name of config file is coined using DHCP IP address that would be + allocated to the node. This is to ensure that multiple grub.cfg files could + be created for parallel deploys. The contents of $net_default_ip.conf is + dynamically filled by PXE driver using grub template file. + +Ironic needs to support 'grub2' as an alternate UEFI bootloader for following +reasons:- + +* No active development happening on 'elilo' + +* All major linux distributions are supporting 'grub2' as a default UEFI + bootloader. + +* All major linux distributions provide signed 'grub2' bootloader which could + be used in UEFI secure boot deploy with distro supplied cloud images. + Otherwise users would need to build their own signed images for secure boot + deploy. + +* signed grub2 can be used for normal UEFI deploys as well. + +All major linux distros ship their self signed 'grub2' and also provide +Microsoft UEFI CA signed shim bootloader. The shim bootloader contains the UEFI +signature of respective distros. + +When node boots up using pxe, it loads Microsoft signed 'shim' boot loader +which in turn loads the distro signed 'grub2'. Distro signed 'grub2' can +validate and load the distro kernel. +Shim bootloader is required as it is signed using Microsoft UEFI CA signature +and recognizes corresponding linux vendors certificate as a valid certificate. +Secure boot enabled HP Proliant UEFI systems are pre-loaded with Microsoft UEFI +CA signatures. +User signed images can be supported but user need to manually configure +their keys to HP Proliant system ROM database using Proliant tools. + +User can configure 'grub2' as a bootloader by changing the following existing +variables in /etc/ironic/ironic.conf under pxe section: +uefi_pxe_config_template +uefi_pxe_bootfile_name + +Alternatives +------------ + +Add support for signed 'grub2' as a default UEFI bootloader in Ironic. But such +a change would have backward compatibility impact. + +Data model impact +----------------- + +None + +State Machine Impact +-------------------- + +None + +REST API impact +--------------- + +None + +RPC API impact +-------------- + +None + +Client (CLI) impact +------------------- +None + +Driver API impact +----------------- + +None + +Nova driver impact +------------------ + +None + +Security impact +--------------- + +This enhances security. Only correctly signed firmware, bootloader and OS can +be booted. It provides users with the opportunity to run the software of their +choice in the most secure manner. + +Other end user impact +--------------------- + +Users need to use properly signed deploy and boot components. +Currently pxe_ilo driver would support deploy and boot images having 'shim' and +'grub2' signed by Linux OS vendors. +If user wants to use custom signed images, then he would need to manually +configure their keys to UEFI using HP Proliant tools. +If user were to use an unsigned image for deploy with flavor requesting +UEFI secure boot, then deploy process would go through successfully, but +final boot into instance image would fail. The signature validation of +unsigned components would fail resulting in the failure of boot process. The +appropriate boot failure message would get displayed on Node's console. + +Scalability impact +------------------ + +None + +Performance Impact +------------------ + +There is no performance impact due to signature validation in secure boot. + +Other deployer impact +--------------------- + +User can deploy only signed images with UEFI secure boot enabled. + +Developer impact +---------------- + +None + +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + Shivanand Tendulker (stendulker@gmail.com) + +Work Items +---------- + +1. Add support for grub2/shim as a alternate UEFI bootloaders for Ironic pxe + driver. + +2. Implement secure boot for pxe_ilo driver. + +Dependencies +============ + +Signed user images. +The necessary DiskImageBuilder changes has been done to +build signed Ubuntu and Fedora images. + +Testing +======= + +Unit tests would be added for all newly added code. + +Upgrades and Backwards Compatibility +==================================== + +None. grub2 would be alternate bootloader, which user can use only if it needs +UEFI secure boot functionality. + +Documentation Impact +==================== + +Newly added functionality would be appropriately documented. + +References +========== + +1. UEFI specification http://www.uefi.org +2. Proliantutils module - https://pypi.python.org/pypi/proliantutils +3. HP UEFI System Utilities User Guide - http://www.hp.com/ctg/Manual/c04398276.pdf +4. Secure Boot for Linux on HP Proliant servers http://h20195.www2.hp.com/V2/getpdf.aspx/4AA5-4496ENW.pdf +