metal/tools/rsbc/README.md
Samuel Pei 99fd1b15b3 Create Redfish Secure Boot Controller tool
The process of enabling/disabling Secure Boot and uploading a
certificate on a server is complicated and time consuming.

This update introduces a Redfish Secure Boot Controller (rsbc)
Tool to automate the process of querying/enabling/disabling
Secure Boot on a server as well as uploading the secure boot
certificate to the host.

The tool also supports a service option which allows the user
to query which Redfish services are supported on the server(s).

Story: 2010533
Task: 47811

Test Plan:

PASS: Verify SB query against server that supports SB
PASS: Verify SB query against server that does not support SB
PASS: Verify SB enable/disable against server that supports SB
PASS: Verify SB upload against server that supports SB
PASS: Verify Redfish service on server that supports SB
PASS: Verify Redfish service on server that supports VM
PASS: Verify Redfish service on multiple servers
PASS: Verify end-to-end SB enable, upload and server secure boot.
PASS: Verify end to end SB enable, upload and server SB w/ ipv4, un, and pw
PASS: Verify service and SB query against a server using ipv6, un, and pw

Failure Path:

PASS: Verify handling of passing an invalid certificate
PASS: Verify handling of invalid command line input
PASS: Verify handling of incorrectly formatted input file
PASS: Verify SB enable/disable against server that does not supports SB
PASS: Verify handling when server is not reachable
PASS: Verify handling when server is unpingable

Signed-off-by: Samuel Pei <samuel.pei@windriver.com>
Change-Id: I1606112493d0313fa3d86034172c5cf965c557d4
2023-04-27 18:49:04 +00:00

2.3 KiB

The process of enabling/disabling Secure Boot and uploading a certificate on a server is tedious, complicated, time consuming and potentially problematic.

The Redfish Secure Boot Manager Tool uses the Redfish Protocol to automate the process of enabling/disabling Secure Boot and uploading certificates to a host. The tool also supports a service option which allows the user to query which Redfish services are supported on the server(s).

The user specifies which server(s) they would like to modify using the --config flag, which supports multiple servers, or the --bmc_ip, --bmc_un, and --bmc_pw flags, which support one specific server. The user should supply the path to the .yaml configuration file when using the --config flag and the ip address of the server, username, and the password when using the --bmc_ip, --bmc_un, and --bmc_pw flags.

There are four modes to the tool:

--query checks if Secure Boot is supported on the server. It then returns the state of Secure Boot and outputs a list of Secure Boot certificates

--service returns which Redfish services are supported on the server(s)

--enable and --disable enables or disables Secure boot on the server(s)

--upload Uploads a .pem or .der certificate to the server's Secure Boot database

Examples of usage with --config: ./rsbc.py --query --config ./query_server.yaml ./rsbc.py --enable --config ./sb_server.yaml ./rsbc.py --disable --config ./sb_server.yaml ./rsbc.py --upload ./certs/TiBoot.crt --config ./sb_server.yaml

Examples of usage with --bmc_ip and --bmc_pw: ./rsbc.py --query --bmc_ip --bmc_un --bmc_pw > ./rsbc.py --enable --bmc_ip --bmc_un --bmc_pw > ./rsbc.py --disable --bmc_ip --bmc_un --bmc_pw > ./rsbc.py --upload --bmc_ip --bmc_un --bmc_pw >

Example of the format of a configuration file:

virtual_media_iso: yow2-xr11-025: bmc_username: bmc_address: bmc_password:

For more information, please see the Documentation of this service located at: https://confluence.wrs.com/display/CE/Redfish+Secure+Boot+Manager+Tool+HLD