Add Secure Boot for Satellite and RHEL
Lennonka committed Dec 17, 2024
1 parent 6186ff1 commit 3a27ad4
Showing 2 changed files with 23 additions and 5 deletions.
21 changes: 19 additions & 2 deletions guides/common/assembly_using-pxe-to-provision-hosts.adoc
Expand Up @@ -11,7 +11,6 @@ include::modules/proc_creating-hosts-with-pxeless-provisioning.adoc[leveloffset=

include::modules/proc_creating-hosts-with-uefi-http-boot-provisioning.adoc[leveloffset=+1]

ifndef::satellite[]
:extract_deb_prefix: cd /tmp && ar x /tmp
:extract_deb_xz_suffix: && tar -xf data.tar.xz && cd -
:extract_deb_zst_suffix: && tar --use-compress-program=unzstd -xf data.tar.zst && cd -
Expand All @@ -21,6 +20,7 @@ ifndef::satellite[]
:parent-client-pkg-ext: {client-pkg-ext}
:secureboot-os-name: My_Operating_System_In_Lowercase

ifndef::satellite[]
:client-os-context: almalinux
:client-os: AlmaLinux
:client-pkg-ext: rpm
Expand Down Expand Up @@ -65,7 +65,24 @@ include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-h
:extract_grub: {extract_rpm_prefix}/{grub_efi_downloaded_package_name} {extract_rpm_suffix}
:extract_shim: {extract_rpm_prefix}/{shim_efi_downloaded_package_name} {extract_rpm_suffix}
include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc[leveloffset=+1]
endif::[]

:client-os-context: rhel
:client-os: {RHEL}
:client-pkg-ext: rpm
:grub_efi_download_url: https://access.redhat.com/downloads/content/package-browser[Package browser] on the Red{nbsp}Hat Customer Portal
:grub_efi_downloaded_package_name: grub2-efi-x64.rpm
:grub_efi_package_name: grub2-efi-x64
:grub_efi_tmp_binary_path: /tmp/boot/efi/EFI/{client-os-context}/grubx64.efi
:shim_efi_download_url: https://access.redhat.com/downloads/content/package-browser[Package browser] on the Red{nbsp}Hat Customer Portal
:shim_efi_downloaded_package_name: shim-x64.rpm
:shim_efi_package_name: shim-x64
:shim_efi_tmp_binary_path: /tmp/boot/efi/EFI/{client-os-context}/shimx64.efi
:extract_grub: {extract_rpm_prefix}/{grub_efi_downloaded_package_name} {extract_rpm_suffix}
:extract_shim: {extract_rpm_prefix}/{shim_efi_downloaded_package_name} {extract_rpm_suffix}
include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc[leveloffset=+1]

ifndef::satellite[]
:client-os-context: ubuntu
:client-os: Ubuntu
:client-pkg-ext: deb
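
Review bot: In the new RHEL block, `:grub_efi_download_url:` and `:shim_efi_download_url:` hold a link macro followed by prose (`...[Package browser] on the Red{nbsp}Hat Customer Portal`) rather than a bare URL, so please confirm that the included module uses these attributes only in running text and never inside a command or another link macro. Because the `grubx64.efi` and `shimx64.efi` files extracted under `/tmp/boot/efi/EFI/{client-os-context}/` become the boot loaders that Secure Boot hosts download, the RHEL procedure should also tell the user to verify the signature of the manually downloaded `shim-x64.rpm` and `grub2-efi-x64.rpm` (for example with `rpm -K`) before extracting them. If the downloaded files carry a version in their names, a sentence about renaming them to the fixed names in `:grub_efi_downloaded_package_name:` and `:shim_efi_downloaded_package_name:` is needed too.
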
Expand All @@ -80,6 +97,7 @@ include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-h
:extract_grub: {extract_deb_prefix}/{grub_efi_downloaded_package_name} {extract_deb_zst_suffix}
:extract_shim: {extract_deb_prefix}/{shim_efi_downloaded_package_name} {extract_deb_xz_suffix}
include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc[leveloffset=+1]
endif::[]

// reset global attributes
:client-os: {parent-client-os}
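
Review bot: The `endif::[]` after the Ubuntu include is anonymous, and this file now carries two separate `ifndef::satellite[]` regions around an unconditional RHEL block, so a misplaced close would hide or expose a whole distribution section in one build without any visible hint in the source. Suggest writing `endif::satellite[]` for both regions so the pairing is explicit to the next editor.
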
Expand All @@ -103,7 +121,6 @@ include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-h
:!shim_efi_downloaded_package_name:
:!shim_efi_package_name:
:!shim_efi_tmp_binary_path:
endif::[]

include::modules/proc_deploying-ssh-keys-during-provisioning.adoc[leveloffset=+1]
:!using-pxe-to-provision-hosts:
7 changes: 4 additions & 3 deletions guides/common/modules/con_using-pxe-to-provision-hosts.adoc
Expand Up @@ -43,22 +43,23 @@ In {Project} provisioning, the PXE loader option defines the DHCP `filename` opt
* For BIOS systems, select the *PXELinux BIOS* option to enable a provisioned host to download the `pxelinux.0` file over TFTP.
* For UEFI systems, select the *Grub2 UEFI* option to enable a TFTP client to download `grubx64.efi` file, or select the *Grub2 UEFI HTTP* option to enable an UEFI HTTP client to download `grubx64.efi` with the HTTP Boot feature.

ifndef::satellite[]
{ProjectName} supports UEFI Secure Boot.
SecureBoot PXE loaders enable a client to download the `shim.efi` bootstrap boot loader that then loads the signed `grubx64.efi`.
Use the *Grub2 UEFI SecureBoot* PXE loader for PXE-boot provisioning or *Grub2 UEFI HTTPS SecureBoot* for HTTP-boot provisioning.

By default, you can provision operating systems from the vendor of the operating system of your {ProjectServer} on Secure Boot enabled hosts.
To provision operating systems on Secure Boot enabled hosts from different vendors, you have to provide signed shim and GRUB2 binaries provided by the vendor of your operating system.
ifndef::orcharhino[]
ifdef::satellite[]
For more information, see xref:configuring-{smart-proxy-context}-to-provision-rhel-on-Secure-Boot-enabled-hosts[].
endif::[]
ifndef::orcharhino,satellite[]
For more information, see:

* xref:configuring-{smart-proxy-context}-to-provision-almalinux-on-Secure-Boot-enabled-hosts[]
* xref:configuring-{smart-proxy-context}-to-provision-debian-on-Secure-Boot-enabled-hosts[]
* xref:configuring-{smart-proxy-context}-to-provision-rocky-on-Secure-Boot-enabled-hosts[]
* xref:configuring-{smart-proxy-context}-to-provision-ubuntu-on-Secure-Boot-enabled-hosts[]
endif::[]
endif::[]

ifdef::satellite[]
For more information about supported workflows, see https://access.redhat.com/solutions/2674001[Supported architectures and provisioning scenarios].
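
Review bot: The list under `ifndef::orcharhino,satellite[]` has no entry for `configuring-{smart-proxy-context}-to-provision-rhel-on-Secure-Boot-enabled-hosts`, although the assembly in this commit includes the RHEL procedure outside any `ifndef::satellite[]` region, so non-Satellite builds render a RHEL section that this paragraph never links to. Add the `rhel` xref to that list, or make the RHEL block in the assembly conditional. For the Satellite build, the preceding sentence says vendor binaries are needed for operating systems "from different vendors" and the only xref then points to the RHEL procedure, which reads as a contradiction when the server itself runs RHEL; a short sentence on when the RHEL procedure applies would resolve it.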