From 86fb5e06029fca2022dec32f12993539ebf7a956 Mon Sep 17 00:00:00 2001
From: Zuzana Lena Ansorgova
Date: Wed, 4 Dec 2024 11:43:03 +0100
Subject: [PATCH] Add Secure Boot for Satellite and RHEL
---
 ...assembly_using-pxe-to-provision-hosts.adoc | 21 +++++++++++++++++--
 .../con_using-pxe-to-provision-hosts.adoc | 7 ++++---
 2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/guides/common/assembly_using-pxe-to-provision-hosts.adoc b/guides/common/assembly_using-pxe-to-provision-hosts.adoc
index 9d1d61b79b8..417a9a229be 100644
--- a/guides/common/assembly_using-pxe-to-provision-hosts.adoc
+++ b/guides/common/assembly_using-pxe-to-provision-hosts.adoc
@@ -11,7 +11,6 @@ include::modules/proc_creating-hosts-with-pxeless-provisioning.adoc[leveloffset=
 include::modules/proc_creating-hosts-with-uefi-http-boot-provisioning.adoc[leveloffset=+1]
-ifndef::satellite[]
 :extract_deb_prefix: cd /tmp && ar x /tmp
 :extract_deb_xz_suffix: && tar -xf data.tar.xz && cd -
 :extract_deb_zst_suffix: && tar --use-compress-program=unzstd -xf data.tar.zst && cd -
@@ -21,6 +20,7 @@ ifndef::satellite[]
 :parent-client-pkg-ext: {client-pkg-ext}
 :secureboot-os-name: My_Operating_System_In_Lowercase
+ifndef::satellite[]
 :client-os-context: almalinux
 :client-os: AlmaLinux
 :client-pkg-ext: rpm
@@ -65,7 +65,24 @@ include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-h
 :extract_grub: {extract_rpm_prefix}/{grub_efi_downloaded_package_name} {extract_rpm_suffix}
 :extract_shim: {extract_rpm_prefix}/{shim_efi_downloaded_package_name} {extract_rpm_suffix}
 include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc[leveloffset=+1]
+endif::[]
+:client-os-context: rhel
+:client-os: {RHEL}
+:client-pkg-ext: rpm
+:grub_efi_download_url: https://access.redhat.com/downloads/content/package-browser[Package browser] on the Red{nbsp}Hat Customer Portal
+:grub_efi_downloaded_package_name: grub2-efi-x64.rpm
+:grub_efi_package_name: grub2-efi-x64
+:grub_efi_tmp_binary_path: /tmp/boot/efi/EFI/{client-os-context}/grubx64.efi
+:shim_efi_download_url: https://access.redhat.com/downloads/content/package-browser[Package browser] on the Red{nbsp}Hat Customer Portal
+:shim_efi_downloaded_package_name: shim-x64.rpm
+:shim_efi_package_name: shim-x64
+:shim_efi_tmp_binary_path: /tmp/boot/efi/EFI/{client-os-context}/shimx64.efi
+:extract_grub: {extract_rpm_prefix}/{grub_efi_downloaded_package_name} {extract_rpm_suffix}
+:extract_shim: {extract_rpm_prefix}/{shim_efi_downloaded_package_name} {extract_rpm_suffix}
+include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc[leveloffset=+1]
+
+ifndef::satellite[]
 :client-os-context: ubuntu
 :client-os: Ubuntu
 :client-pkg-ext: deb
@@ -80,6 +97,7 @@ include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-h
 :extract_grub: {extract_deb_prefix}/{grub_efi_downloaded_package_name} {extract_deb_zst_suffix}
 :extract_shim: {extract_deb_prefix}/{shim_efi_downloaded_package_name} {extract_deb_xz_suffix}
 include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-hosts.adoc[leveloffset=+1]
+endif::[]
 // reset global attributes
 :client-os: {parent-client-os}
@@ -103,7 +121,6 @@ include::modules/proc_configuring-smart-proxy-to-provision-secure-boot-enabled-h
 :!shim_efi_downloaded_package_name:
 :!shim_efi_package_name:
 :!shim_efi_tmp_binary_path:
-endif::[]
 include::modules/proc_deploying-ssh-keys-during-provisioning.adoc[leveloffset=+1]
 :!using-pxe-to-provision-hosts:
diff --git a/guides/common/modules/con_using-pxe-to-provision-hosts.adoc b/guides/common/modules/con_using-pxe-to-provision-hosts.adoc
index 31efe00c58e..be5cd6fa4b2 100644
--- a/guides/common/modules/con_using-pxe-to-provision-hosts.adoc
+++ b/guides/common/modules/con_using-pxe-to-provision-hosts.adoc
@@ -43,14 +43,16 @@ In {Project} provisioning, the PXE loader option defines the DHCP `filename` opt * For BIOS systems, select the *PXELinux BIOS* option to enable a provisioned host to download the `pxelinux.0` file over TFTP. * For UEFI systems, select the *Grub2 UEFI* option to enable a TFTP client to download `grubx64.efi` file, or select the *Grub2 UEFI HTTP* option to enable an UEFI HTTP client to download `grubx64.efi` with the HTTP Boot feature. -ifndef::satellite[] {ProjectName} supports UEFI Secure Boot. SecureBoot PXE loaders enable a client to download the `shim.efi` bootstrap boot loader that then loads the signed `grubx64.efi`. Use the *Grub2 UEFI SecureBoot* PXE loader for PXE-boot provisioning or *Grub2 UEFI HTTPS SecureBoot* for HTTP-boot provisioning. By default, you can provision operating systems from the vendor of the operating system of your {ProjectServer} on Secure Boot enabled hosts. To provision operating systems on Secure Boot enabled hosts from different vendors, you have to provide signed shim and GRUB2 binaries provided by the vendor of your operating system. -ifndef::orcharhino[] +ifdef::satellite[] +For more information, see xref:configuring-{smart-proxy-context}-to-provision-rhel-on-Secure-Boot-enabled-hosts[]. +endif::[] +ifndef::orcharhino,satellite[] For more information, see: * xref:configuring-{smart-proxy-context}-to-provision-almalinux-on-Secure-Boot-enabled-hosts[] @@ -58,7 +60,6 @@ For more information, see: * xref:configuring-{smart-proxy-context}-to-provision-rocky-on-Secure-Boot-enabled-hosts[] * xref:configuring-{smart-proxy-context}-to-provision-ubuntu-on-Secure-Boot-enabled-hosts[] endif::[] -endif::[] ifdef::satellite[] For more information about supported workflows, see https://access.redhat.com/solutions/2674001[Supported architectures and provisioning scenarios].