Browse Source

Remove obsolete trusted boot doc

The OAT project was gone for a long time, the successor opencit was
also in an unmaintained state for a few years, let's remove this
piece from the doc as it can't provide meaningful instructions to be

Change-Id: If77e1125c05e2351c757c4397ea524617e91926d
Kaifeng Wang 2 weeks ago
3 changed files with 0 additions and 74 deletions
  1. +0
  2. +0
  3. +0

+ 0
- 1
doc/source/admin/security.rst View File

@@ -129,7 +129,6 @@ include:
Additional references:

- :ref:`cleaning`
- :ref:`trusted-boot`

Other considerations

+ 0
- 2
doc/source/install/advanced.rst View File

@@ -13,8 +13,6 @@ Advanced features

.. include:: include/

.. include:: include/

.. include:: include/

.. include:: include/

+ 0
- 71
doc/source/install/include/ View File

@@ -1,71 +0,0 @@
.. _trusted-boot:

Trusted boot with partition image

The Bare metal service supports trusted boot with partition images.
This means at the end of the deployment process, when the node is
rebooted with the new user image, ``trusted boot`` will be performed. It will
measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to
determine whether a bare metal node deployed by Ironic should be trusted.

It's important to note that in order for this to work the node being deployed
**must** have Intel `TXT`_ hardware support. The image being deployed with
Ironic must have ``oat-client`` installed within it.

The following will describe how to enable ``trusted boot`` and boot
with PXE and Nova:

#. Create a customized user image with ``oat-client`` installed::

disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG

For more information on creating customized images, see :ref:`image-requirements`.

#. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through
the BIOS. Depending on the platform, several reboots may be needed.

#. Enroll the node and update the node capability value::

baremetal node create --driver ipmi

baremetal node set $NODE_UUID --property capabilities={'trusted_boot':true}

#. Create a special flavor::

nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true

#. Prepare `tboot`_ and mboot.c32 and put them into tftp_root or http_root
directory on all nodes with the ironic-conductor processes::

cp /usr/lib/syslinux/mboot.c32 /tftpboot/

cp /usr/share/syslinux/mboot.c32 /tftpboot/

*Note: The actual location of mboot.c32 varies among different distribution versions.*

tboot can be downloaded from

#. Install an OAT Server. An `OAT Server`_ should be running and configured correctly.

#. Boot an instance with Nova::

nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance

*Note* that the node will be measured during ``trusted boot`` and the hash values saved
into `TPM`_. An example of TRUST_SCRIPT can be found in `trust script example`_.

#. Verify the result via OAT Server.

This is outside the scope of Ironic. At the moment, users can manually verify the result
by following the `manual verify steps`_.

.. _`TXT`:
.. _`tboot`:
.. _`TPM`:
.. _`OAT Server`:
.. _`trust script example`:
.. _`manual verify steps`: