implemented
This design proposes exposing an ability to turn UEFI secure boot on and off during provisioning and deprovisioning.
Security-conscious deployments would like to make sure secure boot is enabled for their instances, so that the hardware refuses to boot kernel-level code that has not been signed with a known key.
- API addition to enable secure boot before booting the instance (and disable it on deprovisioning)
- Support for custom secure boot keys.
- Secure boot during deployment/cleaning/inspection.
Add a new value for the `BootMode` enumeration: `UEFISecureBoot`. If set on a host, the following changes are made to the corresponding Ironic node object:
- `boot_mode:uefi,secure_boot:true` is added to `properties.capabilities`.
- `secure_boot` with a value of `true` is added to `instance_info.capabilities`.
Add a `SupportsSecureBoot` call to `AccessDetails`, returning `true` for `redfish://`, `redfish-virtualmedia://`, `idrac-virtualmedia://`, `ilo4://`, `ilo5://` and `irmc://`.
- Strictly speaking, it's enough to add the `secure_boot` capability only to `instance_info`; `properties` is only updated for consistency.
- Secure boot can be used with live ISO but only when virtual media is used to deliver it (secure boot is incompatible with network booting in practice).
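As an added illustration of the mapping described above (not code from the baremetal-operator or Ironic), a simplified Go sketch of how the `UEFISecureBoot` boot mode would translate into Ironic node capabilities, and how `SupportsSecureBoot` could be answered from the BMC address scheme. The `BootMode` type, the `mergeCapabilities` helper and all function signatures are assumptions made here, not the project's API.

```go
package main

import (
	"net/url"
	"sort"
	"strings"
)

// BootMode is a simplified stand-in for the BareMetalHost enumeration this design extends (assumption).
type BootMode string

const UEFISecureBoot BootMode = "UEFISecureBoot"

// Schemes for which SupportsSecureBoot answers true, as enumerated in the design.
var secureBootSchemes = map[string]bool{
	"redfish": true, "redfish-virtualmedia": true, "idrac-virtualmedia": true,
	"ilo4": true, "ilo5": true, "irmc": true,
}

// SupportsSecureBoot reports whether the driver behind a BMC address can manage secure boot.
func SupportsSecureBoot(bmcAddress string) bool {
	u, err := url.Parse(bmcAddress)
	return err == nil && secureBootSchemes[strings.ToLower(u.Scheme)]
}

// mergeCapabilities applies key:value updates to an Ironic capabilities string ("k1:v1,k2:v2"),
// keeping unrelated entries (e.g. cpu_vt:true) instead of overwriting the whole string.
func mergeCapabilities(existing string, updates map[string]string) string {
	caps := map[string]string{}
	for _, kv := range strings.Split(existing, ",") {
		if p := strings.SplitN(strings.TrimSpace(kv), ":", 2); len(p) == 2 {
			caps[p[0]] = p[1]
		}
	}
	for k, v := range updates {
		caps[k] = v
	}
	var pairs []string
	for k, v := range caps {
		pairs = append(pairs, k+":"+v)
	}
	sort.Strings(pairs) // deterministic output so repeated reconciles do not churn the node
	return strings.Join(pairs, ",")
}

// IronicNodeUpdates returns the properties.capabilities string and the instance_info.capabilities
// map to set for a host in the given boot mode; other modes leave the node untouched here.
func IronicNodeUpdates(mode BootMode, existingProps string) (string, map[string]interface{}) {
	if mode != UEFISecureBoot {
		return existingProps, map[string]interface{}{}
	}
	props := mergeCapabilities(existingProps, map[string]string{"boot_mode": "uefi", "secure_boot": "true"})
	return props, map[string]interface{}{"secure_boot": true}
}
```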
None, secure boot is off by default.
- Update `AccessDetails` with a new call.
- Define a new value for `BootMode`.
- Ironic support for Redfish secure boot management is under review upstream.
Unfortunately, at this point it's only possible to test this feature on real hardware.
None
None
None
Require users to configure secure boot manually. This approach has two large disadvantages:
- It's not always trivial to do.
- It breaks network booting.