Remove support for trusted boot

It requires network booting and legacy boot. While the latter will be
supported for a long time, the former is being removed.

Change-Id: Ie48e51fa95ba2059bd3cca6b8968f475934a75e5
Dmitry Tantsur 2022-07-18 17:15:50 +02:00
parent 8811b9b1f5
commit dbcce25d38
15 changed files with 39 additions and 337 deletions


@ -354,9 +354,6 @@ driver:
* ``rom_firmware_version``: ROM firmware version
* ``trusted_boot``: The flag whether TPM(Trusted Platform Module) is
supported by the server. The possible values are 'True' or 'False'.
* ``server_model``: server model
* ``pci_gpu_devices``: number of gpu devices connected to the bare metal.


@ -945,9 +945,10 @@ def build_service_pxe_config(task, instance_image_info,
pxe_config_path, root_uuid_or_disk_id,
boot_mode_utils.get_boot_mode(node),
is_whole_disk_image,
deploy_utils.is_trusted_boot_requested(node),
deploy_utils.is_iscsi_boot(task), ramdisk_boot,
ipxe_enabled=ipxe_enabled, anaconda_boot=anaconda_boot)
iscsi_boot=deploy_utils.is_iscsi_boot(task),
ramdisk_boot=ramdisk_boot,
ipxe_enabled=ipxe_enabled,
anaconda_boot=anaconda_boot)
def build_kickstart_config_options(task):
@ -1055,29 +1056,6 @@ def get_volume_pxe_options(task):
return pxe_options
def validate_boot_parameters_for_trusted_boot(node):
"""Check if boot parameters are valid for trusted boot."""
boot_mode = boot_mode_utils.get_boot_mode(node)
boot_option = deploy_utils.get_boot_option(node)
is_whole_disk_image = node.driver_internal_info.get('is_whole_disk_image')
# 'is_whole_disk_image' is not supported by trusted boot, because there is
# no Kernel/Ramdisk to measure at all.
if (boot_mode != 'bios'
or is_whole_disk_image
or boot_option != 'netboot'):
msg = (_("Trusted boot is only supported in BIOS boot mode with "
"netboot and without whole_disk_image, but Node "
"%(node_uuid)s was configured with boot_mode: %(boot_mode)s, "
"boot_option: %(boot_option)s, is_whole_disk_image: "
"%(is_whole_disk_image)s: at least one of them is wrong, and "
"this can be caused by enable secure boot.") %
{'node_uuid': node.uuid, 'boot_mode': boot_mode,
'boot_option': boot_option,
'is_whole_disk_image': is_whole_disk_image})
LOG.error(msg)
raise exception.InvalidParameterValue(msg)
def validate_kickstart_template(ks_template):
"""Validate the kickstart template


@ -168,30 +168,12 @@ def is_secure_boot_requested(node):
return sec_boot == 'true'
def is_trusted_boot_requested(node):
"""Returns True if trusted_boot is requested for deploy.
This method checks instance property for trusted_boot and returns True
if it is requested.
:param node: a single Node.
:raises: InvalidParameterValue if the capabilities string is not a
dictionary or is malformed.
:returns: True if trusted_boot is requested.
"""
capabilities = common_utils.parse_instance_info_capabilities(node)
trusted_boot = capabilities.get('trusted_boot', 'false').lower()
return trusted_boot == 'true'
def get_boot_mode_for_deploy(node):
"""Returns the boot mode that would be used for deploy.
This method returns boot mode to be used for deploy.
It returns 'uefi' if 'secure_boot' is set to 'true' or returns 'bios' if
'trusted_boot' is set to 'true' in 'instance_info/capabilities' of node.
It returns 'uefi' if 'secure_boot' is set to 'true' in
'instance_info/capabilities' of node.
Otherwise it returns value of 'boot_mode' in 'properties/capabilities'
of node if set. If that is not set, it returns boot mode in
'internal_driver_info/deploy_boot_mode' for the node.
@ -211,12 +193,6 @@ def get_boot_mode_for_deploy(node):
LOG.debug('Deploy boot mode is uefi for %s.', node.uuid)
return 'uefi'
if is_trusted_boot_requested(node):
# TODO(lintan) Trusted boot also supports uefi, but at the moment,
# it should only boot with bios.
LOG.debug('Deploy boot mode is bios for %s.', node.uuid)
return 'bios'
# NOTE(etingof):
# The search for a boot mode should be in the priority order:
#
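Review bot: A node whose `instance_info` capabilities still contain `trusted_boot: true` is now deployed with no error or log line, as far as these hunks show. The `if is_trusted_boot_requested(node):` branch in get_boot_mode_for_deploy is gone, and later sections drop `'trusted_boot'` from `SUPPORTED_CAPABILITIES` and remove the trusted-boot check from the PXE `validate` path. For a measured-launch feature this fails open: an operator who relied on it gets an unmeasured boot after upgrade, with the release note as the only signal. Consider rejecting the request during validation, e.g. `if capabilities.get('trusted_boot', 'false').lower() == 'true': raise exception.InvalidParameterValue(_("Trusted boot is no longer supported"))`, or at least logging a warning that names the node. The body of get_boot_mode_for_deploy continues outside the hunk.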


@ -58,7 +58,6 @@ SUPPORTED_CAPABILITIES = {
'boot_option': ('local', 'netboot', 'ramdisk', 'kickstart'),
'boot_mode': ('bios', 'uefi'),
'secure_boot': ('true', 'false'),
'trusted_boot': ('true', 'false'),
'disk_label': ('msdos', 'gpt'),
}
@ -130,13 +129,10 @@ def _replace_root_uuid(path, root_uuid):
def _replace_boot_line(path, boot_mode, is_whole_disk_image,
trusted_boot=False, iscsi_boot=False,
ramdisk_boot=False, ipxe_enabled=False,
anaconda_boot=False):
iscsi_boot=False, ramdisk_boot=False,
ipxe_enabled=False, anaconda_boot=False):
if is_whole_disk_image:
boot_disk_type = 'boot_whole_disk'
elif trusted_boot:
boot_disk_type = 'trusted_boot'
elif iscsi_boot:
boot_disk_type = 'boot_iscsi'
elif ramdisk_boot:
@ -164,9 +160,9 @@ def _replace_disk_identifier(path, disk_identifier):
# NOTE(TheJulia): This should likely be migrated to pxe_utils.
def switch_pxe_config(path, root_uuid_or_disk_id, boot_mode,
is_whole_disk_image, trusted_boot=False,
iscsi_boot=False, ramdisk_boot=False,
ipxe_enabled=False, anaconda_boot=False):
is_whole_disk_image, iscsi_boot=False,
ramdisk_boot=False, ipxe_enabled=False,
anaconda_boot=False):
"""Switch a pxe config from deployment mode to service mode.
:param path: path to the pxe config file in tftpboot.
@ -174,9 +170,6 @@ def switch_pxe_config(path, root_uuid_or_disk_id, boot_mode,
disk_id in case of whole disk image.
:param boot_mode: if boot mode is uefi or bios.
:param is_whole_disk_image: if the image is a whole disk image or not.
:param trusted_boot: if boot with trusted_boot or not. The usage of
is_whole_disk_image and trusted_boot are mutually exclusive. You can
have one or neither, but not both.
:param iscsi_boot: if boot is from an iSCSI volume or not.
:param ramdisk_boot: if the boot is to be to a ramdisk configuration.
:param ipxe_enabled: A default False boolean value to tell the method
@ -190,8 +183,8 @@ def switch_pxe_config(path, root_uuid_or_disk_id, boot_mode,
else:
_replace_disk_identifier(path, root_uuid_or_disk_id)
_replace_boot_line(path, boot_mode, is_whole_disk_image, trusted_boot,
iscsi_boot, ramdisk_boot, ipxe_enabled, anaconda_boot)
_replace_boot_line(path, boot_mode, is_whole_disk_image, iscsi_boot,
ramdisk_boot, ipxe_enabled, anaconda_boot)
def check_for_missing_params(info_dict, error_msg, param_prefix=''):
@ -1375,7 +1368,6 @@ def is_iscsi_boot(task):
# NOTE(etingof): retain original location of these funcs for compatibility
is_secure_boot_requested = boot_mode_utils.is_secure_boot_requested
is_trusted_boot_requested = boot_mode_utils.is_trusted_boot_requested
get_boot_mode_for_deploy = boot_mode_utils.get_boot_mode_for_deploy
parse_instance_info_capabilities = (
utils.parse_instance_info_capabilities
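Review bot: Removing `trusted_boot` from the middle of the `switch_pxe_config` signature shifts every later positional flag by one. A caller outside this tree that still passes `..., boot_mode, False, True` (the shape the deleted test used) would now enable `iscsi_boot` without any error. The in-tree callers visible in this commit already pass the flags by keyword, so the signature could enforce that: `is_whole_disk_image, *, iscsi_boot=False,`. Other in-tree callers are not visible here and would need checking first. The same section also drops the `is_trusted_boot_requested` alias that sits under the "retain original location of these funcs for compatibility" comment, so out-of-tree drivers importing it will raise AttributeError; that is worth stating in the release note.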


@ -90,7 +90,7 @@ sc2UnitNodeMacAddress OBJECT-TYPE
"""
MAC_ADDRESS_OID = '1.3.6.1.4.1.231.2.10.2.2.10.3.1.1.9.1'
CAPABILITIES_PROPERTIES = {'trusted_boot', 'irmc_firmware_version',
CAPABILITIES_PROPERTIES = {'irmc_firmware_version',
'rom_firmware_version', 'server_model',
'pci_gpu_devices', 'cpu_fpga'}
@ -175,8 +175,8 @@ def _inspect_hardware(node, existing_traits=None, **kwargs):
elif cpu_fpga != 0 and 'CUSTOM_CPU_FPGA' not in new_traits:
new_traits.append('CUSTOM_CPU_FPGA')
if capabilities.get('trusted_boot') is False:
capabilities.pop('trusted_boot')
# Ironic no longer supports trusted boot
capabilities.pop('trusted_boot', None)
capabilities = utils.get_updated_capabilities(
node.properties.get('capabilities'), capabilities)
if capabilities:
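Review bot: `capabilities.pop('trusted_boot', None)` only scrubs the freshly inspected values. Whether a `trusted_boot` entry already stored in `node.properties['capabilities']` survives the `utils.get_updated_capabilities(...)` merge is not visible in this hunk, and the updated tests no longer exercise it, since every `existed_capabilities` fixture lost the key. A node that keeps advertising `trusted_boot:True` could still match flavors that require it even though the feature is gone. A test with `existed_capabilities = {'trusted_boot': True, ...}` asserting the key is absent from the result would pin this down. _inspect_hardware starts and ends outside the hunk.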


@ -359,24 +359,7 @@ class PXEBaseMixin(object):
"'kickstart' boot option is set on the node but no "
"default kickstart template is specified"))
# Check the trusted_boot capabilities value.
deploy_utils.validate_capabilities(node)
if deploy_utils.is_trusted_boot_requested(node):
# Check if 'boot_option' and boot mode is compatible with
# trusted boot.
if self.ipxe_enabled:
# NOTE(TheJulia): So in theory (huge theory here, not put to
# practice or tested), that one can define the kernel as tboot
# and define the actual kernel and ramdisk as appended data.
# Similar to how one can iPXE load the XEN hypervisor.
# tboot mailing list seem to indicate pxe/ipxe support, or
# more specifically avoiding breaking the scenarios of use,
# but there is also no definitive documentation on the subject.
LOG.warning('Trusted boot has been requested for %(node)s in '
'concert with iPXE. This is not a supported '
'configuration for an ironic deployment.',
{'node': node.uuid})
pxe_utils.validate_boot_parameters_for_trusted_boot(node)
# Check if we have invalid parameters being passed which will not work
# for ramdisk configurations.


@ -15,10 +15,6 @@ label boot_whole_disk
COM32 chain.c32
append mbr:{{ DISK_IDENTIFIER }}
label trusted_boot
kernel mboot
append tboot.gz --- {{pxe_options.aki_path}} root={{ ROOT }} ro text {{ pxe_options.pxe_append_params|default("", true) }} intel_iommu=on --- {{pxe_options.ari_path}}
label boot_ramdisk
kernel {{ pxe_options.aki_path }}
append initrd={{ pxe_options.ari_path }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }}


@ -1448,52 +1448,6 @@ class PXEInterfacesTestCase(db_base.DbTestCase):
list(fake_pxe_info.values()),
True)
@mock.patch.object(pxe_utils.LOG, 'error', autospec=True)
def test_validate_boot_parameters_for_trusted_boot_one(self, mock_log):
properties = {'capabilities': 'boot_mode:uefi'}
instance_info = {"boot_option": "netboot"}
self.node.properties = properties
self.node.instance_info['capabilities'] = instance_info
self.node.driver_internal_info['is_whole_disk_image'] = False
self.assertRaises(exception.InvalidParameterValue,
pxe_utils.validate_boot_parameters_for_trusted_boot,
self.node)
self.assertTrue(mock_log.called)
@mock.patch.object(pxe_utils.LOG, 'error', autospec=True)
def test_validate_boot_parameters_for_trusted_boot_two(self, mock_log):
properties = {'capabilities': 'boot_mode:bios'}
instance_info = {"boot_option": "local"}
self.node.properties = properties
self.node.instance_info['capabilities'] = instance_info
self.node.driver_internal_info['is_whole_disk_image'] = False
self.assertRaises(exception.InvalidParameterValue,
pxe_utils.validate_boot_parameters_for_trusted_boot,
self.node)
self.assertTrue(mock_log.called)
@mock.patch.object(pxe_utils.LOG, 'error', autospec=True)
def test_validate_boot_parameters_for_trusted_boot_three(self, mock_log):
properties = {'capabilities': 'boot_mode:bios'}
instance_info = {"boot_option": "netboot"}
self.node.properties = properties
self.node.instance_info['capabilities'] = instance_info
self.node.driver_internal_info['is_whole_disk_image'] = True
self.assertRaises(exception.InvalidParameterValue,
pxe_utils.validate_boot_parameters_for_trusted_boot,
self.node)
self.assertTrue(mock_log.called)
@mock.patch.object(pxe_utils.LOG, 'error', autospec=True)
def test_validate_boot_parameters_for_trusted_boot_pass(self, mock_log):
properties = {'capabilities': 'boot_mode:bios'}
instance_info = {"boot_option": "netboot"}
self.node.properties = properties
self.node.instance_info['capabilities'] = instance_info
self.node.driver_internal_info['is_whole_disk_image'] = False
pxe_utils.validate_boot_parameters_for_trusted_boot(self.node)
self.assertFalse(mock_log.called)
@mock.patch.object(pxe.PXEBoot, '__init__', lambda self: None)
class PXEBuildKickstartConfigOptionsTestCase(db_base.DbTestCase):


@ -83,7 +83,6 @@ class IRMCInspectInternalMethodsTestCase(test_common.BaseIRMCTest):
'cpus': 2,
'cpu_arch': 'x86_64'}
inspected_capabilities = {
'trusted_boot': False,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
@ -425,14 +424,12 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
gpu_ids = ['0x1000/0x0079', '0x2100/0x0080']
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1
}
inspected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
@ -440,7 +437,6 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
'cpu_fpga': 1
}
expected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
@ -463,12 +459,10 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
cpu_fpgas = []
existed_capabilities = {}
inspected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
expected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
@ -489,7 +483,6 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = {}
inspected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
@ -497,7 +490,6 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
'cpu_fpga': 0
}
expected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
@ -519,18 +511,15 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
gpu_ids = []
cpu_fpgas = []
existed_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1}
inspected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
expected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
@ -552,20 +541,17 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
gpu_ids = ['0x1000/0x0079', '0x2100/0x0080']
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1}
inspected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 0,
'cpu_fpga': 0}
expected_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'}
@ -581,13 +567,13 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
existed_traits,
expected_traits)
def test_inspect_hardware_props_trusted_boot_is_false(self):
def test_inspect_hardware_props_trusted_boot_removed(self):
# Set config flags
gpu_ids = ['0x1000/0x0079', '0x2100/0x0080']
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = {}
inspected_capabilities = {
'trusted_boot': False,
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
@ -610,54 +596,17 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest):
existed_traits,
expected_traits)
def test_inspect_hardware_props_trusted_boot_is_false_and_existing_cap(
self):
# Set config flags
gpu_ids = ['0x1000/0x0079', '0x2100/0x0080']
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1}
inspected_capabilities = {
'trusted_boot': False,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1,
'cpu_fpga': 1}
expected_capabilities = {
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1}
existed_traits = ['CUSTOM_CPU_FPGA']
expected_traits = ['CUSTOM_CPU_FPGA']
self._test_inspect_hardware_props(gpu_ids,
cpu_fpgas,
existed_capabilities,
inspected_capabilities,
expected_capabilities,
existed_traits,
expected_traits)
def test_inspect_hardware_props_gpu_and_cpu_fpgas_results_are_different(
self):
# Set config flags
gpu_ids = ['0x1000/0x0079', '0x2100/0x0080']
cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180']
existed_capabilities = {
'trusted_boot': True,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',
'pci_gpu_devices': 1}
inspected_capabilities = {
'trusted_boot': False,
'irmc_firmware_version': 'iRMC S4-7.82F',
'server_model': 'TX2540M1F5',
'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x',


@ -96,19 +96,6 @@ class GetBootModeTestCase(tests_base.TestCase):
result = boot_mode_utils.get_boot_mode_for_deploy(self.node)
self.assertEqual('uefi', result)
instance_info = {'capabilities': {'trusted_boot': 'True'}}
self.node.instance_info = instance_info
result = boot_mode_utils.get_boot_mode_for_deploy(self.node)
self.assertEqual('bios', result)
instance_info = {'capabilities': {'trusted_boot': 'True',
'secure_boot': 'True'}}
self.node.instance_info = instance_info
result = boot_mode_utils.get_boot_mode_for_deploy(self.node)
self.assertEqual('uefi', result)
def test_get_boot_mode_for_deploy_using_instance_info_cap(self):
instance_info = {'capabilities': {'boot_mode': 'uefi'}}
self.node.instance_info = instance_info


@ -61,10 +61,6 @@ append initrd=ramdisk root={{ ROOT }}
label boot_whole_disk
COM32 chain.c32
append mbr:{{ DISK_IDENTIFIER }}
label trusted_boot
kernel mboot
append tboot.gz --- kernel root={{ ROOT }} --- ramdisk
"""
_PXECONF_BOOT_PARTITION = """
@ -82,11 +78,6 @@ append initrd=ramdisk root=UUID=12345678-1234-1234-1234-1234567890abcdef
label boot_whole_disk
COM32 chain.c32
append mbr:{{ DISK_IDENTIFIER }}
label trusted_boot
kernel mboot
append tboot.gz --- kernel root=UUID=12345678-1234-1234-1234-1234567890abcdef \
--- ramdisk
"""
_PXECONF_BOOT_WHOLE_DISK = """
@ -104,32 +95,6 @@ append initrd=ramdisk root={{ ROOT }}
label boot_whole_disk
COM32 chain.c32
append mbr:0x12345678
label trusted_boot
kernel mboot
append tboot.gz --- kernel root={{ ROOT }} --- ramdisk
"""
_PXECONF_TRUSTED_BOOT = """
default trusted_boot
label deploy
kernel deploy_kernel
append initrd=deploy_ramdisk
ipappend 3
label boot_partition
kernel kernel
append initrd=ramdisk root=UUID=12345678-1234-1234-1234-1234567890abcdef
label boot_whole_disk
COM32 chain.c32
append mbr:{{ DISK_IDENTIFIER }}
label trusted_boot
kernel mboot
append tboot.gz --- kernel root=UUID=12345678-1234-1234-1234-1234567890abcdef \
--- ramdisk
"""
_IPXECONF_DEPLOY = b"""
@ -379,17 +344,6 @@ class SwitchPxeConfigTestCase(tests_base.TestCase):
pxeconf = f.read()
self.assertEqual(_PXECONF_BOOT_WHOLE_DISK, pxeconf)
def test_switch_pxe_config_trusted_boot(self):
boot_mode = 'bios'
fname = self._create_config()
utils.switch_pxe_config(fname,
'12345678-1234-1234-1234-1234567890abcdef',
boot_mode,
False, True)
with open(fname, 'r') as f:
pxeconf = f.read()
self.assertEqual(_PXECONF_TRUSTED_BOOT, pxeconf)
def test_switch_ipxe_config_partition_image(self):
boot_mode = 'bios'
fname = self._create_config(ipxe=True)
@ -492,7 +446,8 @@ class SwitchPxeConfigTestCase(tests_base.TestCase):
utils.switch_pxe_config(fname,
'0x12345678',
boot_mode,
False, False, True,
is_whole_disk_image=False,
iscsi_boot=True,
ipxe_enabled=True)
with open(fname, 'r') as f:
pxeconf = f.read()
@ -988,18 +943,6 @@ class ParseInstanceInfoCapabilitiesTestCase(tests_base.TestCase):
self.node.instance_info = {'capabilities': {"secure_boot": "invalid"}}
self.assertFalse(utils.is_secure_boot_requested(self.node))
def test_is_trusted_boot_requested_true(self):
self.node.instance_info = {'capabilities': {"trusted_boot": "true"}}
self.assertTrue(utils.is_trusted_boot_requested(self.node))
def test_is_trusted_boot_requested_false(self):
self.node.instance_info = {'capabilities': {"trusted_boot": "false"}}
self.assertFalse(utils.is_trusted_boot_requested(self.node))
def test_is_trusted_boot_requested_invalid(self):
self.node.instance_info = {'capabilities': {"trusted_boot": "invalid"}}
self.assertFalse(utils.is_trusted_boot_requested(self.node))
def test_validate_boot_mode_capability(self):
prop = {'capabilities': 'boot_mode:uefi,cap2:value2'}
self.node.properties = prop
@ -1028,12 +971,6 @@ class ParseInstanceInfoCapabilitiesTestCase(tests_base.TestCase):
self.assertRaises(exception.InvalidParameterValue,
utils.validate_capabilities, self.node)
def test_validate_trusted_boot_capability(self):
properties = {'capabilities': 'trusted_boot:value'}
self.node.properties = properties
self.assertRaises(exception.InvalidParameterValue,
utils.validate_capabilities, self.node)
def test_all_supported_capabilities(self):
self.assertEqual(('local', 'netboot', 'ramdisk', 'kickstart'),
utils.SUPPORTED_CAPABILITIES['boot_option'])
@ -1041,8 +978,6 @@ class ParseInstanceInfoCapabilitiesTestCase(tests_base.TestCase):
utils.SUPPORTED_CAPABILITIES['boot_mode'])
self.assertEqual(('true', 'false'),
utils.SUPPORTED_CAPABILITIES['secure_boot'])
self.assertEqual(('true', 'false'),
utils.SUPPORTED_CAPABILITIES['trusted_boot'])
def test_get_disk_label(self):
inst_info = {'capabilities': {'disk_label': 'gpt', 'foo': 'bar'}}


@ -190,29 +190,6 @@ class iPXEBootTestCase(db_base.DbTestCase):
self.assertRaises(exception.MissingParameterValue,
task.driver.boot.validate, task)
def test_validate_fail_trusted_boot_with_secure_boot(self):
instance_info = {"boot_option": "netboot",
"secure_boot": "true",
"trusted_boot": "true"}
properties = {'capabilities': 'trusted_boot:true'}
with task_manager.acquire(self.context, self.node.uuid,
shared=True) as task:
task.node.instance_info['capabilities'] = instance_info
task.node.properties = properties
task.node.driver_internal_info['is_whole_disk_image'] = False
self.assertRaises(exception.InvalidParameterValue,
task.driver.boot.validate, task)
def test_validate_fail_invalid_trusted_boot_value(self):
properties = {'capabilities': 'trusted_boot:value'}
instance_info = {"trusted_boot": "value"}
with task_manager.acquire(self.context, self.node.uuid,
shared=True) as task:
task.node.properties = properties
task.node.instance_info['capabilities'] = instance_info
self.assertRaises(exception.InvalidParameterValue,
task.driver.boot.validate, task)
@mock.patch.object(image_service.GlanceImageService, 'show',
autospec=True)
def test_validate_fail_no_image_kernel_ramdisk_props(self, mock_glance):
@ -623,8 +600,8 @@ class iPXEBootTestCase(db_base.DbTestCase):
provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts)
switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'uefi', False, False, False, False, ipxe_enabled=True,
anaconda_boot=False)
'uefi', False, iscsi_boot=False, ramdisk_boot=False,
ipxe_enabled=True, anaconda_boot=False)
set_boot_device_mock.assert_called_once_with(task,
boot_devices.PXE,
persistent=True)
@ -668,8 +645,8 @@ class iPXEBootTestCase(db_base.DbTestCase):
provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts)
switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'bios', False, False, False, False, ipxe_enabled=True,
anaconda_boot=False)
'bios', False, iscsi_boot=False, ramdisk_boot=False,
ipxe_enabled=True, anaconda_boot=False)
set_boot_device_mock.assert_called_once_with(task,
boot_devices.PXE,
persistent=True)
@ -829,8 +806,8 @@ class iPXEBootTestCase(db_base.DbTestCase):
ipxe_enabled=True)
switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'bios', False, False, False, False, ipxe_enabled=True,
anaconda_boot=False)
'bios', False, iscsi_boot=False, ramdisk_boot=False,
ipxe_enabled=True, anaconda_boot=False)
self.assertFalse(set_boot_device_mock.called)
@mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True)
@ -1212,8 +1189,8 @@ class iPXEBootTestCase(db_base.DbTestCase):
persistent=True)
switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'uefi', True, False, False, False, ipxe_enabled=True,
anaconda_boot=False)
'uefi', True, iscsi_boot=False, ramdisk_boot=False,
ipxe_enabled=True, anaconda_boot=False)
# No clean up
self.assertFalse(clean_up_pxe_config_mock.called)
# No netboot configuration beyond the PXE files


@ -164,29 +164,6 @@ class PXEBootTestCase(db_base.DbTestCase):
self.assertRaises(exception.MissingParameterValue,
task.driver.boot.validate, task)
def test_validate_fail_trusted_boot_with_secure_boot(self):
instance_info = {"boot_option": "netboot",
"secure_boot": "true",
"trusted_boot": "true"}
properties = {'capabilities': 'trusted_boot:true'}
with task_manager.acquire(self.context, self.node.uuid,
shared=True) as task:
task.node.instance_info['capabilities'] = instance_info
task.node.properties = properties
task.node.driver_internal_info['is_whole_disk_image'] = False
self.assertRaises(exception.InvalidParameterValue,
task.driver.boot.validate, task)
def test_validate_fail_invalid_trusted_boot_value(self):
properties = {'capabilities': 'trusted_boot:value'}
instance_info = {"trusted_boot": "value"}
with task_manager.acquire(self.context, self.node.uuid,
shared=True) as task:
task.node.properties = properties
task.node.instance_info['capabilities'] = instance_info
self.assertRaises(exception.InvalidParameterValue,
task.driver.boot.validate, task)
@mock.patch.object(image_service.GlanceImageService, 'show', autospec=True)
def test_validate_fail_no_image_kernel_ramdisk_props(self, mock_glance):
instance_info = {"boot_option": "netboot"}
@ -546,8 +523,8 @@ class PXEBootTestCase(db_base.DbTestCase):
provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts)
switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'bios', False, False, False, False, ipxe_enabled=False,
anaconda_boot=False)
'bios', False, iscsi_boot=False, ramdisk_boot=False,
ipxe_enabled=False, anaconda_boot=False)
set_boot_device_mock.assert_called_once_with(task,
boot_devices.PXE,
persistent=True)
@ -587,8 +564,8 @@ class PXEBootTestCase(db_base.DbTestCase):
provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts)
switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'uefi', False, False, False, False, ipxe_enabled=False,
anaconda_boot=False)
'uefi', False, iscsi_boot=False, ramdisk_boot=False,
ipxe_enabled=False, anaconda_boot=False)
set_boot_device_mock.assert_called_once_with(task,
boot_devices.PXE,
persistent=True)
@ -636,8 +613,8 @@ class PXEBootTestCase(db_base.DbTestCase):
ipxe_enabled=False)
switch_pxe_config_mock.assert_called_once_with(
pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50",
'bios', False, False, False, False, ipxe_enabled=False,
anaconda_boot=False)
'bios', False, iscsi_boot=False, ramdisk_boot=False,
ipxe_enabled=False, anaconda_boot=False)
self.assertFalse(set_boot_device_mock.called)
@mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True)


@ -15,10 +15,6 @@ label boot_whole_disk
COM32 chain.c32
append mbr:{{ DISK_IDENTIFIER }}
label trusted_boot
kernel mboot
append tboot.gz --- /tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/kernel root={{ ROOT }} ro text test_param intel_iommu=on --- /tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/ramdisk
label boot_ramdisk
kernel /tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/kernel
append initrd=/tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/ramdisk root=/dev/ram0 text test_param ramdisk_param


@ -0,0 +1,5 @@
---
upgrade:
- |
Support for trusted boot has been removed. This feature requires instance
network booting, which is also removed this cycle.