Add secure boot support to ilo-uefi-https

Adds secure boot support to ilo-uefi-https boot interface.

Change-Id: I1d08b88496764bbee5cf0a1d306eb7be31d0d373
Story: #2008258
Task: #41114
vmud213 2020-10-16 08:31:30 +00:00
parent 585f90212a
commit 681940c8f0
4 changed files with 29 additions and 7 deletions


@ -2160,9 +2160,6 @@ and ``ilo-uefi-https`` boot interface:
--driver-info ilo_deploy_ramdisk=<glance-uuid-of-rescue-ramdisk> \ --driver-info ilo_deploy_ramdisk=<glance-uuid-of-rescue-ramdisk> \
--driver-info ilo_bootloader=<glance-uuid-of-bootloader> --driver-info ilo_bootloader=<glance-uuid-of-bootloader>
.. note::
UEFI secure boot is not supported with ``ilo-uefi-https`` boot interface.
Layer 3 or DHCP-less ramdisk booting Layer 3 or DHCP-less ramdisk booting
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
DHCP-less deploy is supported by ``ilo`` and ``ilo5`` hardware types. DHCP-less deploy is supported by ``ilo`` and ``ilo5`` hardware types.


@ -1142,6 +1142,8 @@ class IloUefiHttpsBoot(base.BootInterface):
LOG.debug("Node %(node)s is set to permanently boot from local " LOG.debug("Node %(node)s is set to permanently boot from local "
"%(device)s", {'node': task.node.uuid, "%(device)s", {'node': task.node.uuid,
'device': boot_devices.DISK}) 'device': boot_devices.DISK})
# Need to enable secure boot, if being requested
ilo_common.update_secure_boot_mode(task, True)
return return
params = {} params = {}
@ -1154,6 +1156,8 @@ class IloUefiHttpsBoot(base.BootInterface):
"node %s. Booting instance from disk anyway.", node.uuid) "node %s. Booting instance from disk anyway.", node.uuid)
manager_utils.node_set_boot_device(task, boot_devices.DISK, manager_utils.node_set_boot_device(task, boot_devices.DISK,
persistent=True) persistent=True)
# Need to enable secure boot, if being requested
ilo_common.update_secure_boot_mode(task, True)
return return
params.update(root_uuid=root_uuid) params.update(root_uuid=root_uuid)
@ -1167,6 +1171,8 @@ class IloUefiHttpsBoot(base.BootInterface):
node.instance_info = i_info node.instance_info = i_info
node.save() node.save()
# Need to enable secure boot, if being requested
ilo_common.update_secure_boot_mode(task, True)
ilo_common.setup_uefi_https(task, iso_ref, persistent=True) ilo_common.setup_uefi_https(task, iso_ref, persistent=True)
LOG.debug("Node %(node)s is set to boot from UEFIHTTP " LOG.debug("Node %(node)s is set to boot from UEFIHTTP "
@ -1186,6 +1192,7 @@ class IloUefiHttpsBoot(base.BootInterface):
"%(node)s", {'node': task.node.uuid}) "%(node)s", {'node': task.node.uuid})
image_utils.cleanup_iso_image(task) image_utils.cleanup_iso_image(task)
disable_secure_boot_if_supported(task)
@METRICS.timer('IloUefiHttpsBoot.validate_rescue') @METRICS.timer('IloUefiHttpsBoot.validate_rescue')
def validate_rescue(self, task): def validate_rescue(self, task):
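Review bot: The comment `# Need to enable secure boot, if being requested` sits above a call that passes a literal `True` in all three places (both early-return branches and the line before `setup_uefi_https`), so the "if requested" decision has to be made inside `ilo_common.update_secure_boot_mode`, which is not visible on this page. I would reword the comment to say that, e.g. `# No-op unless the node requests secure boot; the check lives in update_secure_boot_mode`. It is also worth confirming that the helper raises, rather than only logging, when a node that requested secure boot cannot be switched; otherwise the instance would boot unverified while the deploy reports success. In the clean-up hunk, `disable_secure_boot_if_supported(task)` runs after `image_utils.cleanup_iso_image(task)`, so an exception from the ISO cleanup would skip the reset; whether that ordering is intended should be stated in a comment. The enclosing methods start outside the shown hunks.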


@ -1992,6 +1992,8 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
task.driver.boot.clean_up_ramdisk(task) task.driver.boot.clean_up_ramdisk(task)
cleanup_iso_mock.assert_called_once_with(task) cleanup_iso_mock.assert_called_once_with(task)
@mock.patch.object(ilo_common, 'update_secure_boot_mode',
spec_set=True, autospec=True)
@mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True, @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True,
autospec=True) autospec=True)
@mock.patch.object(ilo_common, 'setup_uefi_https', @mock.patch.object(ilo_common, 'setup_uefi_https',
@ -2005,7 +2007,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
def _test_prepare_instance_local_or_whole_disk_image( def _test_prepare_instance_local_or_whole_disk_image(
self, set_boot_device_mock, self, set_boot_device_mock,
parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock, parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock,
cleanup_iso_mock): cleanup_iso_mock, update_secureboot_mock):
with task_manager.acquire(self.context, self.node.uuid, with task_manager.acquire(self.context, self.node.uuid,
shared=False) as task: shared=False) as task:
@ -2014,6 +2016,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
set_boot_device_mock.assert_called_once_with(task, set_boot_device_mock.assert_called_once_with(task,
boot_devices.DISK, boot_devices.DISK,
persistent=True) persistent=True)
update_secureboot_mock.assert_called_once_with(task, True)
cleanup_iso_mock.assert_called_once_with(task) cleanup_iso_mock.assert_called_once_with(task)
prepare_iso_mock.assert_not_called() prepare_iso_mock.assert_not_called()
setup_uefi_https_mock.assert_not_called() setup_uefi_https_mock.assert_not_called()
@ -2028,6 +2031,8 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
self.node.save() self.node.save()
self._test_prepare_instance_local_or_whole_disk_image() self._test_prepare_instance_local_or_whole_disk_image()
@mock.patch.object(ilo_common, 'update_secure_boot_mode',
spec_set=True, autospec=True)
@mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True, @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True,
autospec=True) autospec=True)
@mock.patch.object(ilo_common, 'setup_uefi_https', @mock.patch.object(ilo_common, 'setup_uefi_https',
@ -2041,7 +2046,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
def test_prepare_instance_partition_image( def test_prepare_instance_partition_image(
self, set_boot_device_mock, self, set_boot_device_mock,
parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock, parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock,
cleanup_iso_mock): cleanup_iso_mock, update_secureboot_mock):
self.node.instance_info = { self.node.instance_info = {
'capabilities': '{"boot_option": "netboot"}' 'capabilities': '{"boot_option": "netboot"}'
@ -2064,11 +2069,14 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
parse_deploy_mock.assert_called_once_with(mock.ANY, task.node) parse_deploy_mock.assert_called_once_with(mock.ANY, task.node)
prepare_iso_mock.assert_called_once_with( prepare_iso_mock.assert_called_once_with(
task, d_info, root_uuid='12312642-09d3-467f-8e09-12385826a123') task, d_info, root_uuid='12312642-09d3-467f-8e09-12385826a123')
update_secureboot_mock.assert_called_once_with(task, True)
setup_uefi_https_mock.assert_called_once_with( setup_uefi_https_mock.assert_called_once_with(
task, "recreated-iso", True) task, "recreated-iso", True)
self.assertEqual(task.node.instance_info['ilo_boot_iso'], self.assertEqual(task.node.instance_info['ilo_boot_iso'],
"recreated-iso") "recreated-iso")
@mock.patch.object(ilo_common, 'update_secure_boot_mode',
spec_set=True, autospec=True)
@mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True, @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True,
autospec=True) autospec=True)
@mock.patch.object(ilo_common, 'setup_uefi_https', @mock.patch.object(ilo_common, 'setup_uefi_https',
@ -2082,7 +2090,7 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
def test_prepare_instance_boot_ramdisk( def test_prepare_instance_boot_ramdisk(
self, set_boot_device_mock, self, set_boot_device_mock,
parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock, parse_deploy_mock, prepare_iso_mock, setup_uefi_https_mock,
cleanup_iso_mock): cleanup_iso_mock, update_secureboot_mock):
self.node.driver_internal_info.update({'is_whole_disk_image': False}) self.node.driver_internal_info.update({'is_whole_disk_image': False})
self.node.save() self.node.save()
@ -2103,17 +2111,21 @@ class IloUefiHttpsBootTestCase(db_base.DbTestCase):
parse_deploy_mock.assert_called_once_with(mock.ANY, task.node) parse_deploy_mock.assert_called_once_with(mock.ANY, task.node)
prepare_iso_mock.assert_called_once_with( prepare_iso_mock.assert_called_once_with(
task, d_info) task, d_info)
update_secureboot_mock.assert_called_once_with(task, True)
setup_uefi_https_mock.assert_called_once_with( setup_uefi_https_mock.assert_called_once_with(
task, "recreated-iso", True) task, "recreated-iso", True)
self.assertTrue('ilo_boot_iso' not in task.node.instance_info) self.assertTrue('ilo_boot_iso' not in task.node.instance_info)
@mock.patch.object(ilo_boot, 'disable_secure_boot_if_supported',
spec_set=True, autospec=True)
@mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True, @mock.patch.object(image_utils, 'cleanup_iso_image', spec_set=True,
autospec=True) autospec=True)
def test_clean_up_instance(self, cleanup_iso_mock): def test_clean_up_instance(self, cleanup_iso_mock, disable_secure_mock):
with task_manager.acquire(self.context, self.node.uuid, with task_manager.acquire(self.context, self.node.uuid,
shared=False) as task: shared=False) as task:
task.driver.boot.clean_up_instance(task) task.driver.boot.clean_up_instance(task)
cleanup_iso_mock.assert_called_once_with(task) cleanup_iso_mock.assert_called_once_with(task)
disable_secure_mock.assert_called_once_with(task)
def test_validate_rescue(self): def test_validate_rescue(self):
driver_info = self.node.driver_info driver_info = self.node.driver_info
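Review bot: The added `update_secureboot_mock.assert_called_once_with(task, True)` checks cover the local/whole-disk, partition-image and ramdisk paths, but none of the visible tests exercises the "Booting instance from disk anyway" branch, which gained the same call; a test for it may exist outside these hunks. Because `update_secure_boot_mode` is mocked in every test, nothing here pins what `prepare_instance` does when the helper fails. A test that sets `update_secureboot_mock.side_effect` to an exception and asserts that it propagates, with `setup_uefi_https_mock.assert_not_called()`, would document that the node is not booted over HTTPS without secure boot. The assertions also do not fix the order of the secure-boot call relative to `setup_uefi_https`; attaching both mocks to one parent mock and comparing `mock_calls` would do that.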


@ -0,0 +1,6 @@
---
fixes:
- |
Adds secure boot support to ilo-uefi-https boot interface. Secure boot
support already exists for other boot interfaces but missing for this
interface.