From dbcce25d3840a06ea83d5f76ca90d55c2a0ac629 Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Mon, 18 Jul 2022 17:15:50 +0200 Subject: [PATCH] Remove support for trusted boot It requires network booting and legacy boot. While the latter will be supported for a long time, the former is being removed. Change-Id: Ie48e51fa95ba2059bd3cca6b8968f475934a75e5 --- doc/source/admin/drivers/irmc.rst | 3 - ironic/common/pxe_utils.py | 30 ++------ ironic/drivers/modules/boot_mode_utils.py | 28 +------- ironic/drivers/modules/deploy_utils.py | 22 ++---- ironic/drivers/modules/irmc/inspect.py | 6 +- ironic/drivers/modules/pxe_base.py | 17 ----- ironic/drivers/modules/pxe_config.template | 4 -- ironic/tests/unit/common/test_pxe_utils.py | 46 ------------- .../unit/drivers/modules/irmc/test_inspect.py | 55 +-------------- .../drivers/modules/test_boot_mode_utils.py | 13 ---- .../unit/drivers/modules/test_deploy_utils.py | 69 +------------------ .../tests/unit/drivers/modules/test_ipxe.py | 39 +++-------- ironic/tests/unit/drivers/modules/test_pxe.py | 35 ++-------- ironic/tests/unit/drivers/pxe_config.template | 4 -- .../no-trustedboot-01322dbaf33f8df8.yaml | 5 ++ 15 files changed, 39 insertions(+), 337 deletions(-) create mode 100644 releasenotes/notes/no-trustedboot-01322dbaf33f8df8.yaml diff --git a/doc/source/admin/drivers/irmc.rst b/doc/source/admin/drivers/irmc.rst index 7e53bf8bb3..47ba7e9e6c 100644 --- a/doc/source/admin/drivers/irmc.rst +++ b/doc/source/admin/drivers/irmc.rst @@ -354,9 +354,6 @@ driver: * ``rom_firmware_version``: ROM firmware version -* ``trusted_boot``: The flag whether TPM(Trusted Platform Module) is - supported by the server. The possible values are 'True' or 'False'. - * ``server_model``: server model * ``pci_gpu_devices``: number of gpu devices connected to the bare metal. diff --git a/ironic/common/pxe_utils.py b/ironic/common/pxe_utils.py index b0f1d906fc..033c53ff8e 100644 --- a/ironic/common/pxe_utils.py +++ b/ironic/common/pxe_utils.py 
@@ -945,9 +945,10 @@ def build_service_pxe_config(task, instance_image_info, pxe_config_path, root_uuid_or_disk_id, boot_mode_utils.get_boot_mode(node), is_whole_disk_image, - deploy_utils.is_trusted_boot_requested(node), - deploy_utils.is_iscsi_boot(task), ramdisk_boot, - ipxe_enabled=ipxe_enabled, anaconda_boot=anaconda_boot) + iscsi_boot=deploy_utils.is_iscsi_boot(task), + ramdisk_boot=ramdisk_boot, + ipxe_enabled=ipxe_enabled, + anaconda_boot=anaconda_boot) def build_kickstart_config_options(task): @@ -1055,29 +1056,6 @@ def get_volume_pxe_options(task): return pxe_options -def validate_boot_parameters_for_trusted_boot(node): - """Check if boot parameters are valid for trusted boot.""" - boot_mode = boot_mode_utils.get_boot_mode(node) - boot_option = deploy_utils.get_boot_option(node) - is_whole_disk_image = node.driver_internal_info.get('is_whole_disk_image') - # 'is_whole_disk_image' is not supported by trusted boot, because there is - # no Kernel/Ramdisk to measure at all. - if (boot_mode != 'bios' - or is_whole_disk_image - or boot_option != 'netboot'): - msg = (_("Trusted boot is only supported in BIOS boot mode with " - "netboot and without whole_disk_image, but Node " - "%(node_uuid)s was configured with boot_mode: %(boot_mode)s, " - "boot_option: %(boot_option)s, is_whole_disk_image: " - "%(is_whole_disk_image)s: at least one of them is wrong, and " - "this can be caused by enable secure boot.") % - {'node_uuid': node.uuid, 'boot_mode': boot_mode, - 'boot_option': boot_option, - 'is_whole_disk_image': is_whole_disk_image}) - LOG.error(msg) - raise exception.InvalidParameterValue(msg) - - def validate_kickstart_template(ks_template): """Validate the kickstart template diff --git a/ironic/drivers/modules/boot_mode_utils.py b/ironic/drivers/modules/boot_mode_utils.py index 737aca24c5..bb3ccc3a42 100644 --- a/ironic/drivers/modules/boot_mode_utils.py +++ b/ironic/drivers/modules/boot_mode_utils.py 
@@ -168,30 +168,12 @@ def is_secure_boot_requested(node): return sec_boot == 'true' -def is_trusted_boot_requested(node): - """Returns True if trusted_boot is requested for deploy. - - This method checks instance property for trusted_boot and returns True - if it is requested. - - :param node: a single Node. - :raises: InvalidParameterValue if the capabilities string is not a - dictionary or is malformed. - :returns: True if trusted_boot is requested. - """ - - capabilities = common_utils.parse_instance_info_capabilities(node) - trusted_boot = capabilities.get('trusted_boot', 'false').lower() - - return trusted_boot == 'true' - - def get_boot_mode_for_deploy(node): """Returns the boot mode that would be used for deploy. This method returns boot mode to be used for deploy. - It returns 'uefi' if 'secure_boot' is set to 'true' or returns 'bios' if - 'trusted_boot' is set to 'true' in 'instance_info/capabilities' of node. + It returns 'uefi' if 'secure_boot' is set to 'true' in + 'instance_info/capabilities' of node. Otherwise it returns value of 'boot_mode' in 'properties/capabilities' of node if set. If that is not set, it returns boot mode in 'internal_driver_info/deploy_boot_mode' for the node. @@ -211,12 +193,6 @@ def get_boot_mode_for_deploy(node): LOG.debug('Deploy boot mode is uefi for %s.', node.uuid) return 'uefi' - if is_trusted_boot_requested(node): - # TODO(lintan) Trusted boot also supports uefi, but at the moment, - # it should only boot with bios. - LOG.debug('Deploy boot mode is bios for %s.', node.uuid) - return 'bios' - # NOTE(etingof): # The search for a boot mode should be in the priority order: # diff --git a/ironic/drivers/modules/deploy_utils.py b/ironic/drivers/modules/deploy_utils.py index e70fcd17b6..bcefd23238 100644 --- a/ironic/drivers/modules/deploy_utils.py +++ b/ironic/drivers/modules/deploy_utils.py 
@@ -58,7 +58,6 @@ SUPPORTED_CAPABILITIES = { 'boot_option': ('local', 'netboot', 'ramdisk', 'kickstart'), 'boot_mode': ('bios', 'uefi'), 'secure_boot': ('true', 'false'), - 'trusted_boot': ('true', 'false'), 'disk_label': ('msdos', 'gpt'), } @@ -130,13 +129,10 @@ def _replace_root_uuid(path, root_uuid): def _replace_boot_line(path, boot_mode, is_whole_disk_image, - trusted_boot=False, iscsi_boot=False, - ramdisk_boot=False, ipxe_enabled=False, - anaconda_boot=False): + iscsi_boot=False, ramdisk_boot=False, + ipxe_enabled=False, anaconda_boot=False): if is_whole_disk_image: boot_disk_type = 'boot_whole_disk' - elif trusted_boot: - boot_disk_type = 'trusted_boot' elif iscsi_boot: boot_disk_type = 'boot_iscsi' elif ramdisk_boot: @@ -164,9 +160,9 @@ def _replace_disk_identifier(path, disk_identifier): # NOTE(TheJulia): This should likely be migrated to pxe_utils. def switch_pxe_config(path, root_uuid_or_disk_id, boot_mode, - is_whole_disk_image, trusted_boot=False, - iscsi_boot=False, ramdisk_boot=False, - ipxe_enabled=False, anaconda_boot=False): + is_whole_disk_image, iscsi_boot=False, + ramdisk_boot=False, ipxe_enabled=False, + anaconda_boot=False): """Switch a pxe config from deployment mode to service mode. :param path: path to the pxe config file in tftpboot. @@ -174,9 +170,6 @@ def switch_pxe_config(path, root_uuid_or_disk_id, boot_mode, disk_id in case of whole disk image. :param boot_mode: if boot mode is uefi or bios. :param is_whole_disk_image: if the image is a whole disk image or not. - :param trusted_boot: if boot with trusted_boot or not. The usage of - is_whole_disk_image and trusted_boot are mutually exclusive. You can - have one or neither, but not both. :param iscsi_boot: if boot is from an iSCSI volume or not. :param ramdisk_boot: if the boot is to be to a ramdisk configuration. :param ipxe_enabled: A default False boolean value to tell the method 
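Review bot: Removing `trusted_boot` from the middle of the positional parameters of `switch_pxe_config` (and `_replace_boot_line`) shifts every later flag one slot left, so a caller still using the old positional form silently binds its old `trusted_boot` argument to `iscsi_boot` and its `iscsi_boot` to `ramdisk_boot`. The callers visible in this patch were converted to keywords, but the function is public, and any caller that was missed would get the wrong `boot_disk_type` label without an error. Making the optional flags keyword-only turns a stale call into a `TypeError`: `is_whole_disk_image, *, iscsi_boot=False, ramdisk_boot=False, ipxe_enabled=False, anaconda_boot=False):`. The body of `switch_pxe_config` continues past the end of this hunk.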
@@ -190,8 +183,8 @@ def switch_pxe_config(path, root_uuid_or_disk_id, boot_mode, else: _replace_disk_identifier(path, root_uuid_or_disk_id) - _replace_boot_line(path, boot_mode, is_whole_disk_image, trusted_boot, - iscsi_boot, ramdisk_boot, ipxe_enabled, anaconda_boot) + _replace_boot_line(path, boot_mode, is_whole_disk_image, iscsi_boot, + ramdisk_boot, ipxe_enabled, anaconda_boot) def check_for_missing_params(info_dict, error_msg, param_prefix=''): @@ -1375,7 +1368,6 @@ def is_iscsi_boot(task): # NOTE(etingof): retain original location of these funcs for compatibility is_secure_boot_requested = boot_mode_utils.is_secure_boot_requested -is_trusted_boot_requested = boot_mode_utils.is_trusted_boot_requested get_boot_mode_for_deploy = boot_mode_utils.get_boot_mode_for_deploy parse_instance_info_capabilities = ( utils.parse_instance_info_capabilities diff --git a/ironic/drivers/modules/irmc/inspect.py b/ironic/drivers/modules/irmc/inspect.py index 4204ac95bd..7b785d2fbf 100644 --- a/ironic/drivers/modules/irmc/inspect.py +++ b/ironic/drivers/modules/irmc/inspect.py @@ -90,7 +90,7 @@ sc2UnitNodeMacAddress OBJECT-TYPE """ MAC_ADDRESS_OID = '1.3.6.1.4.1.231.2.10.2.2.10.3.1.1.9.1' -CAPABILITIES_PROPERTIES = {'trusted_boot', 'irmc_firmware_version', +CAPABILITIES_PROPERTIES = {'irmc_firmware_version', 'rom_firmware_version', 'server_model', 'pci_gpu_devices', 'cpu_fpga'} @@ -175,8 +175,8 @@ def _inspect_hardware(node, existing_traits=None, **kwargs): elif cpu_fpga != 0 and 'CUSTOM_CPU_FPGA' not in new_traits: new_traits.append('CUSTOM_CPU_FPGA') - if capabilities.get('trusted_boot') is False: - capabilities.pop('trusted_boot') + # Ironic no longer supports trusted boot + capabilities.pop('trusted_boot', None) capabilities = utils.get_updated_capabilities( node.properties.get('capabilities'), capabilities) if capabilities: diff --git a/ironic/drivers/modules/pxe_base.py b/ironic/drivers/modules/pxe_base.py index 78d7b59878..a8a768b8b6 100644 
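Review bot: `capabilities.pop('trusted_boot', None)` in `_inspect_hardware` only strips the key from the freshly inspected values, while whatever is already stored in `node.properties.get('capabilities')` is passed to `utils.get_updated_capabilities` unchanged. Because `trusted_boot` is also dropped from `CAPABILITIES_PROPERTIES` in the `@@ -90,7 +90,7 @@` hunk, a node inspected before the upgrade may keep advertising a `trusted_boot` capability that nothing honours any more. `get_updated_capabilities` is not visible here, so this needs confirming. A test that puts `trusted_boot` in the existing capabilities, as the deleted `test_inspect_hardware_props_trusted_boot_is_false_and_existing_cap` did, would pin the behaviour. `_inspect_hardware` starts and ends outside this hunk.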
--- a/ironic/drivers/modules/pxe_base.py +++ b/ironic/drivers/modules/pxe_base.py @@ -359,24 +359,7 @@ class PXEBaseMixin(object): "'kickstart' boot option is set on the node but no " "default kickstart template is specified")) - # Check the trusted_boot capabilities value. deploy_utils.validate_capabilities(node) - if deploy_utils.is_trusted_boot_requested(node): - # Check if 'boot_option' and boot mode is compatible with - # trusted boot. - if self.ipxe_enabled: - # NOTE(TheJulia): So in theory (huge theory here, not put to - # practice or tested), that one can define the kernel as tboot - # and define the actual kernel and ramdisk as appended data. - # Similar to how one can iPXE load the XEN hypervisor. - # tboot mailing list seem to indicate pxe/ipxe support, or - # more specifically avoiding breaking the scenarios of use, - # but there is also no definitive documentation on the subject. - LOG.warning('Trusted boot has been requested for %(node)s in ' - 'concert with iPXE. This is not a supported ' - 'configuration for an ironic deployment.', - {'node': node.uuid}) - pxe_utils.validate_boot_parameters_for_trusted_boot(node) # Check if we have invalid parameters being passed which will not work # for ramdisk configurations. diff --git a/ironic/drivers/modules/pxe_config.template b/ironic/drivers/modules/pxe_config.template index 46597403bf..9b773b2baf 100644 --- a/ironic/drivers/modules/pxe_config.template +++ b/ironic/drivers/modules/pxe_config.template @@ -15,10 +15,6 @@ label boot_whole_disk COM32 chain.c32 append mbr:{{ DISK_IDENTIFIER }} -label trusted_boot -kernel mboot -append tboot.gz --- {{pxe_options.aki_path}} root={{ ROOT }} ro text {{ pxe_options.pxe_append_params|default("", true) }} intel_iommu=on --- {{pxe_options.ari_path}} - label boot_ramdisk kernel {{ pxe_options.aki_path }} append initrd={{ pxe_options.ari_path }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }} 
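Review bot: After this hunk `validate` no longer looks at `trusted_boot` at all, and with the key also removed from `SUPPORTED_CAPABILITIES` in deploy_utils.py, a node whose `instance_info` capabilities still carry `trusted_boot: true` appears to pass `deploy_utils.validate_capabilities(node)` and deploy with an ordinary, unmeasured boot. For an operator who relied on the tboot measured launch, that is a silent loss of a security property on upgrade; only the release note mentions it. Consider failing such a request right after the `validate_capabilities` call, for example `if deploy_utils.parse_instance_info_capabilities(node).get('trusted_boot', 'false').lower() == 'true':` followed by `raise exception.InvalidParameterValue(_("Trusted boot is no longer supported"))`. `validate` starts and ends outside the hunk and `validate_capabilities` is not shown, so how it treats unknown keys should be confirmed first.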
diff --git a/ironic/tests/unit/common/test_pxe_utils.py b/ironic/tests/unit/common/test_pxe_utils.py index f38e7127ad..fc8081b328 100644 --- a/ironic/tests/unit/common/test_pxe_utils.py +++ b/ironic/tests/unit/common/test_pxe_utils.py 
@@ -1448,52 +1448,6 @@ class PXEInterfacesTestCase(db_base.DbTestCase): list(fake_pxe_info.values()), True) - @mock.patch.object(pxe_utils.LOG, 'error', autospec=True) - def test_validate_boot_parameters_for_trusted_boot_one(self, mock_log): - properties = {'capabilities': 'boot_mode:uefi'} - instance_info = {"boot_option": "netboot"} - self.node.properties = properties - self.node.instance_info['capabilities'] = instance_info - self.node.driver_internal_info['is_whole_disk_image'] = False - self.assertRaises(exception.InvalidParameterValue, - pxe_utils.validate_boot_parameters_for_trusted_boot, - self.node) - self.assertTrue(mock_log.called) - - @mock.patch.object(pxe_utils.LOG, 'error', autospec=True) - def test_validate_boot_parameters_for_trusted_boot_two(self, mock_log): - properties = {'capabilities': 'boot_mode:bios'} - instance_info = {"boot_option": "local"} - self.node.properties = properties - self.node.instance_info['capabilities'] = instance_info - self.node.driver_internal_info['is_whole_disk_image'] = False - self.assertRaises(exception.InvalidParameterValue, - pxe_utils.validate_boot_parameters_for_trusted_boot, - self.node) - self.assertTrue(mock_log.called) - - @mock.patch.object(pxe_utils.LOG, 'error', autospec=True) - def test_validate_boot_parameters_for_trusted_boot_three(self, mock_log): - properties = {'capabilities': 'boot_mode:bios'} - instance_info = {"boot_option": "netboot"} - self.node.properties = properties - self.node.instance_info['capabilities'] = instance_info - self.node.driver_internal_info['is_whole_disk_image'] = True - self.assertRaises(exception.InvalidParameterValue, - pxe_utils.validate_boot_parameters_for_trusted_boot, - self.node) - self.assertTrue(mock_log.called) - - @mock.patch.object(pxe_utils.LOG, 'error', autospec=True) - def test_validate_boot_parameters_for_trusted_boot_pass(self, mock_log): - properties = {'capabilities': 'boot_mode:bios'} - instance_info = {"boot_option": "netboot"} - self.node.properties = 
properties - self.node.instance_info['capabilities'] = instance_info - self.node.driver_internal_info['is_whole_disk_image'] = False - pxe_utils.validate_boot_parameters_for_trusted_boot(self.node) - self.assertFalse(mock_log.called) - @mock.patch.object(pxe.PXEBoot, '__init__', lambda self: None) class PXEBuildKickstartConfigOptionsTestCase(db_base.DbTestCase): diff --git a/ironic/tests/unit/drivers/modules/irmc/test_inspect.py b/ironic/tests/unit/drivers/modules/irmc/test_inspect.py index d12e1e0b3e..5c66cb96a5 100644 --- a/ironic/tests/unit/drivers/modules/irmc/test_inspect.py +++ b/ironic/tests/unit/drivers/modules/irmc/test_inspect.py @@ -83,7 +83,6 @@ class IRMCInspectInternalMethodsTestCase(test_common.BaseIRMCTest): 'cpus': 2, 'cpu_arch': 'x86_64'} inspected_capabilities = { - 'trusted_boot': False, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', @@ -425,14 +424,12 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest): gpu_ids = ['0x1000/0x0079', '0x2100/0x0080'] cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] existed_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'pci_gpu_devices': 1 } inspected_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', @@ -440,7 +437,6 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest): 'cpu_fpga': 1 } expected_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 
@@ -463,12 +459,10 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest): cpu_fpgas = [] existed_capabilities = {} inspected_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} expected_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} @@ -489,7 +483,6 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest): cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] existed_capabilities = {} inspected_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', @@ -497,7 +490,6 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest): 'cpu_fpga': 0 } expected_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} @@ -519,18 +511,15 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest): gpu_ids = [] cpu_fpgas = [] existed_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'pci_gpu_devices': 1} inspected_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} expected_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} 
@@ -552,20 +541,17 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest): gpu_ids = ['0x1000/0x0079', '0x2100/0x0080'] cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] existed_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'pci_gpu_devices': 1} inspected_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'pci_gpu_devices': 0, 'cpu_fpga': 0} expected_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x'} @@ -581,13 +567,13 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest): existed_traits, expected_traits) - def test_inspect_hardware_props_trusted_boot_is_false(self): + def test_inspect_hardware_props_trusted_boot_removed(self): # Set config flags gpu_ids = ['0x1000/0x0079', '0x2100/0x0080'] cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] existed_capabilities = {} inspected_capabilities = { - 'trusted_boot': False, + 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 
@@ -610,54 +596,17 @@ class IRMCInspectTestCase(test_common.BaseIRMCTest): existed_traits, expected_traits) - def test_inspect_hardware_props_trusted_boot_is_false_and_existing_cap( - self): - # Set config flags - gpu_ids = ['0x1000/0x0079', '0x2100/0x0080'] - cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] - existed_capabilities = { - 'trusted_boot': True, - 'irmc_firmware_version': 'iRMC S4-7.82F', - 'server_model': 'TX2540M1F5', - 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', - 'pci_gpu_devices': 1} - inspected_capabilities = { - 'trusted_boot': False, - 'irmc_firmware_version': 'iRMC S4-7.82F', - 'server_model': 'TX2540M1F5', - 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', - 'pci_gpu_devices': 1, - 'cpu_fpga': 1} - expected_capabilities = { - 'irmc_firmware_version': 'iRMC S4-7.82F', - 'server_model': 'TX2540M1F5', - 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', - 'pci_gpu_devices': 1} - - existed_traits = ['CUSTOM_CPU_FPGA'] - expected_traits = ['CUSTOM_CPU_FPGA'] - - self._test_inspect_hardware_props(gpu_ids, - cpu_fpgas, - existed_capabilities, - inspected_capabilities, - expected_capabilities, - existed_traits, - expected_traits) - def test_inspect_hardware_props_gpu_and_cpu_fpgas_results_are_different( self): # Set config flags gpu_ids = ['0x1000/0x0079', '0x2100/0x0080'] cpu_fpgas = ['0x1000/0x0179', '0x2100/0x0180'] existed_capabilities = { - 'trusted_boot': True, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', 'pci_gpu_devices': 1} inspected_capabilities = { - 'trusted_boot': False, 'irmc_firmware_version': 'iRMC S4-7.82F', 'server_model': 'TX2540M1F5', 'rom_firmware_version': 'V4.6.5.4 R1.15.0 for D3099-B1x', diff --git a/ironic/tests/unit/drivers/modules/test_boot_mode_utils.py b/ironic/tests/unit/drivers/modules/test_boot_mode_utils.py index 646d307895..6ce797c519 100644 --- a/ironic/tests/unit/drivers/modules/test_boot_mode_utils.py 
+++ b/ironic/tests/unit/drivers/modules/test_boot_mode_utils.py @@ -96,19 +96,6 @@ class GetBootModeTestCase(tests_base.TestCase): result = boot_mode_utils.get_boot_mode_for_deploy(self.node) self.assertEqual('uefi', result) - instance_info = {'capabilities': {'trusted_boot': 'True'}} - self.node.instance_info = instance_info - - result = boot_mode_utils.get_boot_mode_for_deploy(self.node) - self.assertEqual('bios', result) - - instance_info = {'capabilities': {'trusted_boot': 'True', - 'secure_boot': 'True'}} - self.node.instance_info = instance_info - - result = boot_mode_utils.get_boot_mode_for_deploy(self.node) - self.assertEqual('uefi', result) - def test_get_boot_mode_for_deploy_using_instance_info_cap(self): instance_info = {'capabilities': {'boot_mode': 'uefi'}} self.node.instance_info = instance_info diff --git a/ironic/tests/unit/drivers/modules/test_deploy_utils.py b/ironic/tests/unit/drivers/modules/test_deploy_utils.py index 230eec8f16..2bcdf1cb6e 100644 --- a/ironic/tests/unit/drivers/modules/test_deploy_utils.py +++ b/ironic/tests/unit/drivers/modules/test_deploy_utils.py @@ -61,10 +61,6 @@ append initrd=ramdisk root={{ ROOT }} label boot_whole_disk COM32 chain.c32 append mbr:{{ DISK_IDENTIFIER }} - -label trusted_boot -kernel mboot -append tboot.gz --- kernel root={{ ROOT }} --- ramdisk """ _PXECONF_BOOT_PARTITION = """ @@ -82,11 +78,6 @@ append initrd=ramdisk root=UUID=12345678-1234-1234-1234-1234567890abcdef label boot_whole_disk COM32 chain.c32 append mbr:{{ DISK_IDENTIFIER }} - -label trusted_boot -kernel mboot -append tboot.gz --- kernel root=UUID=12345678-1234-1234-1234-1234567890abcdef \ ---- ramdisk """ _PXECONF_BOOT_WHOLE_DISK = """ 
@@ -104,32 +95,6 @@ append initrd=ramdisk root={{ ROOT }} label boot_whole_disk COM32 chain.c32 append mbr:0x12345678 - -label trusted_boot -kernel mboot -append tboot.gz --- kernel root={{ ROOT }} --- ramdisk -""" - -_PXECONF_TRUSTED_BOOT = """ -default trusted_boot - -label deploy -kernel deploy_kernel -append initrd=deploy_ramdisk -ipappend 3 - -label boot_partition -kernel kernel -append initrd=ramdisk root=UUID=12345678-1234-1234-1234-1234567890abcdef - -label boot_whole_disk -COM32 chain.c32 -append mbr:{{ DISK_IDENTIFIER }} - -label trusted_boot -kernel mboot -append tboot.gz --- kernel root=UUID=12345678-1234-1234-1234-1234567890abcdef \ ---- ramdisk """ _IPXECONF_DEPLOY = b""" @@ -379,17 +344,6 @@ class SwitchPxeConfigTestCase(tests_base.TestCase): pxeconf = f.read() self.assertEqual(_PXECONF_BOOT_WHOLE_DISK, pxeconf) - def test_switch_pxe_config_trusted_boot(self): - boot_mode = 'bios' - fname = self._create_config() - utils.switch_pxe_config(fname, - '12345678-1234-1234-1234-1234567890abcdef', - boot_mode, - False, True) - with open(fname, 'r') as f: - pxeconf = f.read() - self.assertEqual(_PXECONF_TRUSTED_BOOT, pxeconf) - def test_switch_ipxe_config_partition_image(self): boot_mode = 'bios' fname = self._create_config(ipxe=True) @@ -492,7 +446,8 @@ class SwitchPxeConfigTestCase(tests_base.TestCase): utils.switch_pxe_config(fname, '0x12345678', boot_mode, - False, False, True, + is_whole_disk_image=False, + iscsi_boot=True, ipxe_enabled=True) with open(fname, 'r') as f: pxeconf = f.read() 
@@ -988,18 +943,6 @@ class ParseInstanceInfoCapabilitiesTestCase(tests_base.TestCase): self.node.instance_info = {'capabilities': {"secure_boot": "invalid"}} self.assertFalse(utils.is_secure_boot_requested(self.node)) - def test_is_trusted_boot_requested_true(self): - self.node.instance_info = {'capabilities': {"trusted_boot": "true"}} - self.assertTrue(utils.is_trusted_boot_requested(self.node)) - - def test_is_trusted_boot_requested_false(self): - self.node.instance_info = {'capabilities': {"trusted_boot": "false"}} - self.assertFalse(utils.is_trusted_boot_requested(self.node)) - - def test_is_trusted_boot_requested_invalid(self): - self.node.instance_info = {'capabilities': {"trusted_boot": "invalid"}} - self.assertFalse(utils.is_trusted_boot_requested(self.node)) - def test_validate_boot_mode_capability(self): prop = {'capabilities': 'boot_mode:uefi,cap2:value2'} self.node.properties = prop @@ -1028,12 +971,6 @@ class ParseInstanceInfoCapabilitiesTestCase(tests_base.TestCase): self.assertRaises(exception.InvalidParameterValue, utils.validate_capabilities, self.node) - def test_validate_trusted_boot_capability(self): - properties = {'capabilities': 'trusted_boot:value'} - self.node.properties = properties - self.assertRaises(exception.InvalidParameterValue, - utils.validate_capabilities, self.node) - def test_all_supported_capabilities(self): self.assertEqual(('local', 'netboot', 'ramdisk', 'kickstart'), utils.SUPPORTED_CAPABILITIES['boot_option']) @@ -1041,8 +978,6 @@ class ParseInstanceInfoCapabilitiesTestCase(tests_base.TestCase): utils.SUPPORTED_CAPABILITIES['boot_mode']) self.assertEqual(('true', 'false'), utils.SUPPORTED_CAPABILITIES['secure_boot']) - self.assertEqual(('true', 'false'), - utils.SUPPORTED_CAPABILITIES['trusted_boot']) def test_get_disk_label(self): inst_info = {'capabilities': {'disk_label': 'gpt', 'foo': 'bar'}} 
diff --git a/ironic/tests/unit/drivers/modules/test_ipxe.py b/ironic/tests/unit/drivers/modules/test_ipxe.py index 294133a4c5..d9dd126b35 100644 --- a/ironic/tests/unit/drivers/modules/test_ipxe.py +++ b/ironic/tests/unit/drivers/modules/test_ipxe.py @@ -190,29 +190,6 @@ class iPXEBootTestCase(db_base.DbTestCase): self.assertRaises(exception.MissingParameterValue, task.driver.boot.validate, task) - def test_validate_fail_trusted_boot_with_secure_boot(self): - instance_info = {"boot_option": "netboot", - "secure_boot": "true", - "trusted_boot": "true"} - properties = {'capabilities': 'trusted_boot:true'} - with task_manager.acquire(self.context, self.node.uuid, - shared=True) as task: - task.node.instance_info['capabilities'] = instance_info - task.node.properties = properties - task.node.driver_internal_info['is_whole_disk_image'] = False - self.assertRaises(exception.InvalidParameterValue, - task.driver.boot.validate, task) - - def test_validate_fail_invalid_trusted_boot_value(self): - properties = {'capabilities': 'trusted_boot:value'} - instance_info = {"trusted_boot": "value"} - with task_manager.acquire(self.context, self.node.uuid, - shared=True) as task: - task.node.properties = properties - task.node.instance_info['capabilities'] = instance_info - self.assertRaises(exception.InvalidParameterValue, - task.driver.boot.validate, task) - @mock.patch.object(image_service.GlanceImageService, 'show', autospec=True) def test_validate_fail_no_image_kernel_ramdisk_props(self, mock_glance): 
@@ -623,8 +600,8 @@ class iPXEBootTestCase(db_base.DbTestCase): provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts) switch_pxe_config_mock.assert_called_once_with( pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", - 'uefi', False, False, False, False, ipxe_enabled=True, - anaconda_boot=False) + 'uefi', False, iscsi_boot=False, ramdisk_boot=False, + ipxe_enabled=True, anaconda_boot=False) set_boot_device_mock.assert_called_once_with(task, boot_devices.PXE, persistent=True) @@ -668,8 +645,8 @@ class iPXEBootTestCase(db_base.DbTestCase): provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts) switch_pxe_config_mock.assert_called_once_with( pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", - 'bios', False, False, False, False, ipxe_enabled=True, - anaconda_boot=False) + 'bios', False, iscsi_boot=False, ramdisk_boot=False, + ipxe_enabled=True, anaconda_boot=False) set_boot_device_mock.assert_called_once_with(task, boot_devices.PXE, persistent=True) @@ -829,8 +806,8 @@ class iPXEBootTestCase(db_base.DbTestCase): ipxe_enabled=True) switch_pxe_config_mock.assert_called_once_with( pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", - 'bios', False, False, False, False, ipxe_enabled=True, - anaconda_boot=False) + 'bios', False, iscsi_boot=False, ramdisk_boot=False, + ipxe_enabled=True, anaconda_boot=False) self.assertFalse(set_boot_device_mock.called) @mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True) @@ -1212,8 +1189,8 @@ class iPXEBootTestCase(db_base.DbTestCase): persistent=True) switch_pxe_config_mock.assert_called_once_with( pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", - 'uefi', True, False, False, False, ipxe_enabled=True, - anaconda_boot=False) + 'uefi', True, iscsi_boot=False, ramdisk_boot=False, + ipxe_enabled=True, anaconda_boot=False) # No clean up self.assertFalse(clean_up_pxe_config_mock.called) # No netboot configuration beyond the PXE files 
diff --git a/ironic/tests/unit/drivers/modules/test_pxe.py b/ironic/tests/unit/drivers/modules/test_pxe.py index be48f890e7..779606229d 100644 --- a/ironic/tests/unit/drivers/modules/test_pxe.py +++ b/ironic/tests/unit/drivers/modules/test_pxe.py @@ -164,29 +164,6 @@ class PXEBootTestCase(db_base.DbTestCase): self.assertRaises(exception.MissingParameterValue, task.driver.boot.validate, task) - def test_validate_fail_trusted_boot_with_secure_boot(self): - instance_info = {"boot_option": "netboot", - "secure_boot": "true", - "trusted_boot": "true"} - properties = {'capabilities': 'trusted_boot:true'} - with task_manager.acquire(self.context, self.node.uuid, - shared=True) as task: - task.node.instance_info['capabilities'] = instance_info - task.node.properties = properties - task.node.driver_internal_info['is_whole_disk_image'] = False - self.assertRaises(exception.InvalidParameterValue, - task.driver.boot.validate, task) - - def test_validate_fail_invalid_trusted_boot_value(self): - properties = {'capabilities': 'trusted_boot:value'} - instance_info = {"trusted_boot": "value"} - with task_manager.acquire(self.context, self.node.uuid, - shared=True) as task: - task.node.properties = properties - task.node.instance_info['capabilities'] = instance_info - self.assertRaises(exception.InvalidParameterValue, - task.driver.boot.validate, task) - @mock.patch.object(image_service.GlanceImageService, 'show', autospec=True) def test_validate_fail_no_image_kernel_ramdisk_props(self, mock_glance): instance_info = {"boot_option": "netboot"} 
@@ -546,8 +523,8 @@ class PXEBootTestCase(db_base.DbTestCase): provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts) switch_pxe_config_mock.assert_called_once_with( pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", - 'bios', False, False, False, False, ipxe_enabled=False, - anaconda_boot=False) + 'bios', False, iscsi_boot=False, ramdisk_boot=False, + ipxe_enabled=False, anaconda_boot=False) set_boot_device_mock.assert_called_once_with(task, boot_devices.PXE, persistent=True) @@ -587,8 +564,8 @@ class PXEBootTestCase(db_base.DbTestCase): provider_mock.update_dhcp.assert_called_once_with(task, dhcp_opts) switch_pxe_config_mock.assert_called_once_with( pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", - 'uefi', False, False, False, False, ipxe_enabled=False, - anaconda_boot=False) + 'uefi', False, iscsi_boot=False, ramdisk_boot=False, + ipxe_enabled=False, anaconda_boot=False) set_boot_device_mock.assert_called_once_with(task, boot_devices.PXE, persistent=True) @@ -636,8 +613,8 @@ class PXEBootTestCase(db_base.DbTestCase): ipxe_enabled=False) switch_pxe_config_mock.assert_called_once_with( pxe_config_path, "30212642-09d3-467f-8e09-21685826ab50", - 'bios', False, False, False, False, ipxe_enabled=False, - anaconda_boot=False) + 'bios', False, iscsi_boot=False, ramdisk_boot=False, + ipxe_enabled=False, anaconda_boot=False) self.assertFalse(set_boot_device_mock.called) @mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True) diff --git a/ironic/tests/unit/drivers/pxe_config.template b/ironic/tests/unit/drivers/pxe_config.template index b3cfa7ea07..7cf91e3691 100644 --- a/ironic/tests/unit/drivers/pxe_config.template +++ b/ironic/tests/unit/drivers/pxe_config.template 
@@ -15,10 +15,6 @@ label boot_whole_disk COM32 chain.c32 append mbr:{{ DISK_IDENTIFIER }} -label trusted_boot -kernel mboot -append tboot.gz --- /tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/kernel root={{ ROOT }} ro text test_param intel_iommu=on --- /tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/ramdisk - label boot_ramdisk kernel /tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/kernel append initrd=/tftpboot/1be26c0b-03f2-4d2e-ae87-c02d7f33c123/ramdisk root=/dev/ram0 text test_param ramdisk_param diff --git a/releasenotes/notes/no-trustedboot-01322dbaf33f8df8.yaml b/releasenotes/notes/no-trustedboot-01322dbaf33f8df8.yaml new file mode 100644 index 0000000000..07de90fe76 --- /dev/null +++ b/releasenotes/notes/no-trustedboot-01322dbaf33f8df8.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Support for trusted boot has been removed. This feature requires instance + network booting, which is also removed this cycle.