From 681940c8f04f349ddf237985aa92454600b417b7 Mon Sep 17 00:00:00 2001 From: vmud213 Date: Fri, 16 Oct 2020 08:31:30 +0000 Subject: [PATCH] Add secure boot support to ilo-uefi-https Adds secure boot support to ilo-uefi-https boot interface. Change-Id: I1d08b88496764bbee5cf0a1d306eb7be31d0d373 Story: #2008258 Task: #41114 --- doc/source/admin/drivers/ilo.rst | 3 --- ironic/drivers/modules/ilo/boot.py | 7 +++++++ .../unit/drivers/modules/ilo/test_boot.py | 20 +++++++++++++++---- ..._secure_boot_support-41f4976e02c11162.yaml | 6 ++++++ 4 files changed, 29 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/uefi_https_secure_boot_support-41f4976e02c11162.yaml diff --git a/doc/source/admin/drivers/ilo.rst b/doc/source/admin/drivers/ilo.rst index 6974fdb49b..b1891c403d 100644 --- a/doc/source/admin/drivers/ilo.rst +++ b/doc/source/admin/drivers/ilo.rst @@ -2160,9 +2160,6 @@ and ``ilo-uefi-https`` boot interface: --driver-info ilo_deploy_ramdisk= \ --driver-info ilo_bootloader= -.. note:: - UEFI secure boot is not supported with ``ilo-uefi-https`` boot interface. - Layer 3 or DHCP-less ramdisk booting ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ DHCP-less deploy is supported by ``ilo`` and ``ilo5`` hardware types. diff --git a/ironic/drivers/modules/ilo/boot.py b/ironic/drivers/modules/ilo/boot.py index 613ec40ec8..c0e0411084 100644 --- a/ironic/drivers/modules/ilo/boot.py +++ b/ironic/drivers/modules/ilo/boot.py @@ -1142,6 +1142,8 @@ class IloUefiHttpsBoot(base.BootInterface): LOG.debug("Node %(node)s is set to permanently boot from local " "%(device)s", {'node': task.node.uuid, 'device': boot_devices.DISK}) + # Need to enable secure boot, if being requested + ilo_common.update_secure_boot_mode(task, True) return params = {} 
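Review bot: The comment `# Need to enable secure boot, if being requested` sits over a call that passes a literal `True`, so at the call site in the -1142 hunk it reads as unconditional; the same pair is repeated in the hunks at -1154 and -1167. Presumably `update_secure_boot_mode` itself checks whether the node requested secure boot, and the comment should say so, for example `# No-op unless the node requested secure boot; a failure here must abort the deploy`. Because the call is duplicated on three separate exit paths, a path added later can omit it and hand over a node without the secure boot it asked for, so a single private helper or one shared exit point would be safer. The enclosing method (`prepare_instance`, judging by the tests) starts outside this hunk, so whether an outer handler catches errors from the call cannot be checked from here.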
@@ -1154,6 +1156,8 @@ class IloUefiHttpsBoot(base.BootInterface): "node %s. Booting instance from disk anyway.", node.uuid) manager_utils.node_set_boot_device(task, boot_devices.DISK, persistent=True) + # Need to enable secure boot, if being requested + ilo_common.update_secure_boot_mode(task, True) return params.update(root_uuid=root_uuid) @@ -1167,6 +1171,8 @@ class IloUefiHttpsBoot(base.BootInterface): node.instance_info = i_info node.save() + # Need to enable secure boot, if being requested + ilo_common.update_secure_boot_mode(task, True) ilo_common.setup_uefi_https(task, iso_ref, persistent=True) LOG.debug("Node %(node)s is set to boot from UEFIHTTP " @@ -1186,6 +1192,7 @@ class IloUefiHttpsBoot(base.BootInterface): "%(node)s", {'node': task.node.uuid}) image_utils.cleanup_iso_image(task) + disable_secure_boot_if_supported(task) @METRICS.timer('IloUefiHttpsBoot.validate_rescue') def validate_rescue(self, task): diff --git a/ironic/tests/unit/drivers/modules/ilo/test_boot.py b/ironic/tests/unit/drivers/modules/ilo/test_boot.py index 0a435dde38..c598415cf5 100644 --- a/ironic/tests/unit/drivers/modules/ilo/test_boot.py +++ b/ironic/tests/unit/drivers/modules/ilo/test_boot.py @@ -1992,6 +1992,8 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase): task.driver.boot.clean_up_ramdisk(task) cleanup_iso_mock.assert_called_once_with(task) + @mock.patch.object(ilo_common, 'update_secure_boot_mode', + spec_set=True, autospec=True) @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True, autospec=True) @mock.patch.object(ilo_common, 'setup_uefi_https', @@ -2005,7 +2007,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase): def _test_prepare_instance_local_or_whole_disk_image( self, set_boot_device_mock, parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock, - cleanup_iso_mock): + cleanup_iso_mock, update_secureboot_mock): with task_manager.acquire(self.context, self.node.uuid, shared=False) as task: 
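Review bot: In the hunk at -1186, `disable_secure_boot_if_supported(task)` runs only if `image_utils.cleanup_iso_image(task)` returns normally, so an exception during ISO cleanup leaves secure boot enabled on the node for whatever is deployed next. Wrapping the cleanup as `try: image_utils.cleanup_iso_image(task)` / `finally: disable_secure_boot_if_supported(task)` makes the reset run even when the cleanup fails. The new line also has no comment, unlike the enable calls; something like `# Reset secure boot so the node returns to its default firmware state` would document why teardown touches it. The method body starts outside the hunk.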
@@ -2014,6 +2016,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase): set_boot_device_mock.assert_called_once_with(task, boot_devices.DISK, persistent=True) + update_secureboot_mock.assert_called_once_with(task, True) cleanup_iso_mock.assert_called_once_with(task) prepare_iso_mock.assert_not_called() setup_uefi_https_mock.assert_not_called() @@ -2028,6 +2031,8 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase): self.node.save() self._test_prepare_instance_local_or_whole_disk_image() + @mock.patch.object(ilo_common, 'update_secure_boot_mode', + spec_set=True, autospec=True) @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True, autospec=True) @mock.patch.object(ilo_common, 'setup_uefi_https', @@ -2041,7 +2046,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase): def test_prepare_instance_partition_image( self, set_boot_device_mock, parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock, - cleanup_iso_mock): + cleanup_iso_mock, update_secureboot_mock): self.node.instance_info = { 'capabilities': '{"boot_option": "netboot"}' @@ -2064,11 +2069,14 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase): parse_deploy_mock.assert_called_once_with(mock.ANY, task.node) prepare_iso_mock.assert_called_once_with( task, d_info, root_uuid='12312642-09d3-467f-8e09-12385826a123') + update_secureboot_mock.assert_called_once_with(task, True) setup_uefi_https_mock.assert_called_once_with( task, "recreated-iso", True) self.assertEqual(task.node.instance_info['ilo_boot_iso'], "recreated-iso") + @mock.patch.object(ilo_common, 'update_secure_boot_mode', + spec_set=True, autospec=True) @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True, autospec=True) @mock.patch.object(ilo_common, 'setup_uefi_https', 
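Review bot: The assertions added in the hunks at -2014 and -2064 (and at -2103) check only that the mocked `update_secure_boot_mode` was called with `(task, True)`; nothing exercises the helper failing. A case that sets `update_secureboot_mock.side_effect` to an exception, then asserts that `prepare_instance` raises and `setup_uefi_https_mock.assert_not_called()`, would pin the fail-closed behaviour so that a later change cannot turn a failed enable into a boot without secure boot. The test methods begin outside these hunks.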
@@ -2082,7 +2090,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase): def test_prepare_instance_boot_ramdisk( self, set_boot_device_mock, parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock, - cleanup_iso_mock): + cleanup_iso_mock, update_secureboot_mock): self.node.driver_internal_info.update({'is_whole_disk_image': False}) self.node.save() @@ -2103,17 +2111,21 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase): parse_deploy_mock.assert_called_once_with(mock.ANY, task.node) prepare_iso_mock.assert_called_once_with( task, d_info) + update_secureboot_mock.assert_called_once_with(task, True) setup_uefi_https_mock.assert_called_once_with( task, "recreated-iso", True) self.assertTrue('ilo_boot_iso' not in task.node.instance_info) + @mock.patch.object(ilo_boot, 'disable_secure_boot_if_supported', + spec_set=True, autospec=True) @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True, autospec=True) - def test_clean_up_instance(self, cleanup_iso_mock): + def test_clean_up_instance(self, cleanup_iso_mock, disable_secure_mock): with task_manager.acquire(self.context, self.node.uuid, shared=False) as task: task.driver.boot.clean_up_instance(task) cleanup_iso_mock.assert_called_once_with(task) + disable_secure_mock.assert_called_once_with(task) def test_validate_rescue(self): driver_info = self.node.driver_info diff --git a/releasenotes/notes/uefi_https_secure_boot_support-41f4976e02c11162.yaml b/releasenotes/notes/uefi_https_secure_boot_support-41f4976e02c11162.yaml new file mode 100644 index 0000000000..cacce674af --- /dev/null +++ b/releasenotes/notes/uefi_https_secure_boot_support-41f4976e02c11162.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Adds secure boot support to ilo-uefi-https boot interface. Secure boot + support already exists for other boot interfaces but missing for this + interface.