A service for managing and provisioning Bare Metal servers.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

72 lines
2.8 KiB

  1. .. _trusted-boot:
  2. Trusted boot with partition image
  3. ---------------------------------
  4. The Bare metal service supports trusted boot with partition images.
  5. This means at the end of the deployment process, when the node is
  6. rebooted with the new user image, ``trusted boot`` will be performed. It will
  7. measure the node's BIOS, boot loader, Option ROM and the Kernel/Ramdisk, to
  8. determine whether a bare metal node deployed by Ironic should be trusted.
  9. It's important to note that in order for this to work the node being deployed
  10. **must** have Intel `TXT`_ hardware support. The image being deployed with
  11. Ironic must have ``oat-client`` installed within it.
  12. The following will describe how to enable ``trusted boot`` and boot
  13. with PXE and Nova:
  14. #. Create a customized user image with ``oat-client`` installed::
  15. disk-image-create -u fedora baremetal oat-client -o $TRUST_IMG
  16. For more information on creating customized images, see :ref:`image-requirements`.
  17. #. Enable VT-x, VT-d, TXT and TPM on the node. This can be done manually through
  18. the BIOS. Depending on the platform, several reboots may be needed.
  19. #. Enroll the node and update the node capability value::
  20. baremetal node create --driver ipmi
  21. baremetal node set $NODE_UUID --property capabilities={'trusted_boot':true}
  22. #. Create a special flavor::
  23. nova flavor-key $TRUST_FLAVOR_UUID set 'capabilities:trusted_boot'=true
  24. #. Prepare `tboot`_ and mboot.c32 and put them into tftp_root or http_root
  25. directory on all nodes with the ironic-conductor processes::
  26. Ubuntu:
  27. cp /usr/lib/syslinux/mboot.c32 /tftpboot/
  28. Fedora:
  29. cp /usr/share/syslinux/mboot.c32 /tftpboot/
  30. *Note: The actual location of mboot.c32 varies among different distribution versions.*
  31. tboot can be downloaded from
  32. https://sourceforge.net/projects/tboot/files/latest/download
  33. #. Install an OAT Server. An `OAT Server`_ should be running and configured correctly.
  34. #. Boot an instance with Nova::
  35. nova boot --flavor $TRUST_FLAVOR_UUID --image $TRUST_IMG --user-data $TRUST_SCRIPT trusted_instance
  36. *Note* that the node will be measured during ``trusted boot`` and the hash values saved
  37. into `TPM`_. An example of TRUST_SCRIPT can be found in `trust script example`_.
  38. #. Verify the result via OAT Server.
  39. This is outside the scope of Ironic. At the moment, users can manually verify the result
  40. by following the `manual verify steps`_.
  41. .. _`TXT`: http://en.wikipedia.org/wiki/Trusted_Execution_Technology
  42. .. _`tboot`: https://sourceforge.net/projects/tboot
  43. .. _`TPM`: http://en.wikipedia.org/wiki/Trusted_Platform_Module
  44. .. _`OAT Server`: https://github.com/OpenAttestation/OpenAttestation/wiki
  45. .. _`trust script example`: https://wiki.openstack.org/wiki/Bare-metal-trust#Trust_Script_Example
  46. .. _`manual verify steps`: https://wiki.openstack.org/wiki/Bare-metal-trust#Manual_verify_result