The process of enabling/disabling Secure Boot and uploading a certificate on a server is complicated and time consuming. This update introduces a Redfish Secure Boot Controller (rsbc) Tool to automate the process of querying/enabling/disabling Secure Boot on a server as well as uploading the secure boot certificate to the host. The tool also supports a service option which allows the user to query which Redfish services are supported on the server(s). Story: 2010533 Task: 47811 Test Plan: PASS: Verify SB query against server that supports SB PASS: Verify SB query against server that does not support SB PASS: Verify SB enable/disable against server that supports SB PASS: Verify SB upload against server that supports SB PASS: Verify Redfish service on server that supports SB PASS: Verify Redfish service on server that supports VM PASS: Verify Redfish service on multiple servers PASS: Verify end-to-end SB enable, upload and server secure boot. PASS: Verify end to end SB enable, upload and server SB w/ ipv4, un, and pw PASS: Verify service and SB query against a server using ipv6, un, and pw Failure Path: PASS: Verify handling of passing an invalid certificate PASS: Verify handling of invalid command line input PASS: Verify handling of incorrectly formatted input file PASS: Verify SB enable/disable against server that does not supports SB PASS: Verify handling when server is not reachable PASS: Verify handling when server is unpingable Signed-off-by: Samuel Pei <samuel.pei@windriver.com> Change-Id: I1606112493d0313fa3d86034172c5cf965c557d4
2.3 KiB
The process of enabling/disabling Secure Boot and uploading a certificate on a server is tedious, complicated, time consuming and potentially problematic.
The Redfish Secure Boot Manager Tool uses the Redfish Protocol to automate the process of enabling/disabling Secure Boot and uploading certificates to a host. The tool also supports a service option which allows the user to query which Redfish services are supported on the server(s).
The user specifies which server(s) they would like to modify using the --config flag, which supports multiple servers, or the --bmc_ip, --bmc_un, and --bmc_pw flags, which support one specific server. The user should supply the path to the .yaml configuration file when using the --config flag and the ip address of the server, username, and the password when using the --bmc_ip, --bmc_un, and --bmc_pw flags.
There are four modes to the tool:
--query checks if Secure Boot is supported on the server. It then returns the state of Secure Boot and outputs a list of Secure Boot certificates
--service returns which Redfish services are supported on the server(s)
--enable and --disable enables or disables Secure boot on the server(s)
--upload Uploads a .pem or .der certificate to the server's Secure Boot database
Examples of usage with --config: ./rsbc.py --query --config ./query_server.yaml ./rsbc.py --enable --config ./sb_server.yaml ./rsbc.py --disable --config ./sb_server.yaml ./rsbc.py --upload ./certs/TiBoot.crt --config ./sb_server.yaml
Examples of usage with --bmc_ip and --bmc_pw: ./rsbc.py --query --bmc_ip --bmc_un --bmc_pw > ./rsbc.py --enable --bmc_ip --bmc_un --bmc_pw > ./rsbc.py --disable --bmc_ip --bmc_un --bmc_pw > ./rsbc.py --upload --bmc_ip --bmc_un --bmc_pw >
Example of the format of a configuration file:
virtual_media_iso: yow2-xr11-025: bmc_username: bmc_address: bmc_password:
For more information, please see the Documentation of this service located at: https://confluence.wrs.com/display/CE/Redfish+Secure+Boot+Manager+Tool+HLD