Add secure boot support to ilo-uefi-https

Adds secure boot support to ilo-uefi-https boot interface. Change-Id: I1d08b88496764bbee5cf0a1d306eb7be31d0d373 Story: #2008258 Task: #41114
2020-10-16 08:31:30 +00:00 · 2020-10-16 08:31:30 +00:00 · 681940c8f0
commit 681940c8f0
parent 585f90212a
4 changed files with 29 additions and 7 deletions
--- a/doc/source/admin/drivers/ilo.rst
+++ b/doc/source/admin/drivers/ilo.rst
@ -2160,9 +2160,6 @@ and ``ilo-uefi-https`` boot interface:
        --driver-info ilo_deploy_ramdisk=<glance-uuid-of-rescue-ramdisk> \
        --driver-info ilo_bootloader=<glance-uuid-of-bootloader>

-.. note::
-   UEFI secure boot is not supported with ``ilo-uefi-https`` boot interface.
-
 Layer 3 or DHCP-less ramdisk booting
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 DHCP-less deploy is supported by ``ilo`` and ``ilo5`` hardware types.
--- a/ironic/drivers/modules/ilo/boot.py
+++ b/ironic/drivers/modules/ilo/boot.py
@ -1142,6 +1142,8 @@ class IloUefiHttpsBoot(base.BootInterface):
            LOG.debug("Node %(node)s is set to permanently boot from local "
                      "%(device)s", {'node': task.node.uuid,
                                     'device': boot_devices.DISK})
+            # Need to enable secure boot, if being requested
+            ilo_common.update_secure_boot_mode(task, True)
            return

        params = {}
@ -1154,6 +1156,8 @@ class IloUefiHttpsBoot(base.BootInterface):
                    "node %s. Booting instance from disk anyway.", node.uuid)
                manager_utils.node_set_boot_device(task, boot_devices.DISK,
                                                   persistent=True)
+                # Need to enable secure boot, if being requested
+                ilo_common.update_secure_boot_mode(task, True)

                return
            params.update(root_uuid=root_uuid)
@ -1167,6 +1171,8 @@ class IloUefiHttpsBoot(base.BootInterface):
            node.instance_info = i_info
            node.save()

+        # Need to enable secure boot, if being requested
+        ilo_common.update_secure_boot_mode(task, True)
        ilo_common.setup_uefi_https(task, iso_ref, persistent=True)

        LOG.debug("Node %(node)s is set to boot from UEFIHTTP "
@ -1186,6 +1192,7 @@ class IloUefiHttpsBoot(base.BootInterface):
                  "%(node)s", {'node': task.node.uuid})

        image_utils.cleanup_iso_image(task)
+        disable_secure_boot_if_supported(task)

    @METRICS.timer('IloUefiHttpsBoot.validate_rescue')
    def validate_rescue(self, task):
--- a/ironic/tests/unit/drivers/modules/ilo/test_boot.py
+++ b/ironic/tests/unit/drivers/modules/ilo/test_boot.py
@ -1992,6 +1992,8 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
            task.driver.boot.clean_up_ramdisk(task)
            cleanup_iso_mock.assert_called_once_with(task)

+    @mock.patch.object(ilo_common, 'update_secure_boot_mode',
+                       spec_set=True, autospec=True)
    @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True,
                       autospec=True)
    @mock.patch.object(ilo_common, 'setup_uefi_https',
@ -2005,7 +2007,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
    def _test_prepare_instance_local_or_whole_disk_image(
            self, set_boot_device_mock,
            parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock,
-            cleanup_iso_mock):
+            cleanup_iso_mock, update_secureboot_mock):

        with task_manager.acquire(self.context, self.node.uuid,
                                  shared=False) as task:
@ -2014,6 +2016,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
            set_boot_device_mock.assert_called_once_with(task,
                                                         boot_devices.DISK,
                                                         persistent=True)
+            update_secureboot_mock.assert_called_once_with(task, True)
            cleanup_iso_mock.assert_called_once_with(task)
            prepare_iso_mock.assert_not_called()
            setup_uefi_https_mock.assert_not_called()
@ -2028,6 +2031,8 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
        self.node.save()
        self._test_prepare_instance_local_or_whole_disk_image()

+    @mock.patch.object(ilo_common, 'update_secure_boot_mode',
+                       spec_set=True, autospec=True)
    @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True,
                       autospec=True)
    @mock.patch.object(ilo_common, 'setup_uefi_https',
@ -2041,7 +2046,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
    def test_prepare_instance_partition_image(
            self, set_boot_device_mock,
            parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock,
-            cleanup_iso_mock):
+            cleanup_iso_mock, update_secureboot_mock):

        self.node.instance_info = {
            'capabilities': '{"boot_option": "netboot"}'
@ -2064,11 +2069,14 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
            parse_deploy_mock.assert_called_once_with(mock.ANY, task.node)
            prepare_iso_mock.assert_called_once_with(
                task, d_info, root_uuid='12312642-09d3-467f-8e09-12385826a123')
+            update_secureboot_mock.assert_called_once_with(task, True)
            setup_uefi_https_mock.assert_called_once_with(
                task, "recreated-iso", True)
            self.assertEqual(task.node.instance_info['ilo_boot_iso'],
                             "recreated-iso")

+    @mock.patch.object(ilo_common, 'update_secure_boot_mode',
+                       spec_set=True, autospec=True)
    @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True,
                       autospec=True)
    @mock.patch.object(ilo_common, 'setup_uefi_https',
@ -2082,7 +2090,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
    def test_prepare_instance_boot_ramdisk(
            self, set_boot_device_mock,
            parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock,
-            cleanup_iso_mock):
+            cleanup_iso_mock, update_secureboot_mock):

        self.node.driver_internal_info.update({'is_whole_disk_image': False})
        self.node.save()
@ -2103,17 +2111,21 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
            parse_deploy_mock.assert_called_once_with(mock.ANY, task.node)
            prepare_iso_mock.assert_called_once_with(
                task, d_info)
+            update_secureboot_mock.assert_called_once_with(task, True)
            setup_uefi_https_mock.assert_called_once_with(
                task, "recreated-iso", True)
            self.assertTrue('ilo_boot_iso' not in task.node.instance_info)

+    @mock.patch.object(ilo_boot, 'disable_secure_boot_if_supported',
+                       spec_set=True, autospec=True)
    @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True,
                       autospec=True)
-    def test_clean_up_instance(self, cleanup_iso_mock):
+    def test_clean_up_instance(self, cleanup_iso_mock, disable_secure_mock):
        with task_manager.acquire(self.context, self.node.uuid,
                                  shared=False) as task:
            task.driver.boot.clean_up_instance(task)
            cleanup_iso_mock.assert_called_once_with(task)
+            disable_secure_mock.assert_called_once_with(task)

    def test_validate_rescue(self):
        driver_info = self.node.driver_info
--- a/releasenotes/notes/uefi_https_secure_boot_support-41f4976e02c11162.yaml
+++ b/releasenotes/notes/uefi_https_secure_boot_support-41f4976e02c11162.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Adds secure boot support to ilo-uefi-https boot interface. Secure boot
+    support already exists for other boot interfaces but missing for this
+    interface.