author: Adrian Dudau <adrian.dudau@enea.com> 2019-10-03 15:55:36 +0200
committer: Miruna Paun <Miruna.Paun@enea.com> 2019-10-08 17:28:10 +0200
commit: 4a4541066152f6742e7da584d8c00fecf578871c
tree: b8f9cb01aac3d3ef7f8c125e9fe719285a413f7c /doc/book-enea-nfv-access-getting-started
parent: bb0102d04ef9b3e2083e5c26dfe76592acdc400a
GettingStarted: Remove BIOS specific info from SB chapter
Change-Id: Id5a5b3f98bbd7a93cb7ce142aaf41f0f4010ab8e
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'doc/book-enea-nfv-access-getting-started')
-rw-r--r-- doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml 170
1 files changed, 43 insertions, 127 deletions
diff --git a/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml
index 0dbdd84..f048897 100644
--- a/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml
+++ b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml
@@ -4,10 +4,11 @@
4<chapter id="advanced_conf"> 4<chapter id="advanced_conf">
5 <title>Advanced Configurations</title> 5 <title>Advanced Configurations</title>
6 6
7 <para>This chapter describes possible configurations for select advanced features 7 <para>This chapter describes possible configurations for select advanced
8 such as the Hugepage Reservation Service, UEFI Secure Boot and Bare Metal 8 features such as the Hugepage Reservation Service, UEFI Secure Boot and Bare
9 Provisioning. These features are optional in the Enea NFV Access platform. 9 Metal Provisioning. These features are optional in the Enea NFV Access
10 If you do not intend to use these features, skip this chapter.</para> 10 platform. If you do not intend to use these features, skip this
11 chapter.</para>
11 12
12 <section id="hugepage_reservation"> 13 <section id="hugepage_reservation">
13 <title>Hugepage Reservation Service</title> 14 <title>Hugepage Reservation Service</title>
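Review bot: The re-wrap of the chapter intro paragraph (old lines 7-10) changes no wording and is unrelated to the commit subject, "Remove BIOS specific info from SB chapter". The same whitespace-only reflow recurs in the hugepage and Bare Metal Provisioning sections and accounts for most of the 43 insertions, which makes the single content change in the Secure Boot section harder to pick out. Suggest moving the reflow into a separate formatting-only commit, or at least mentioning it in the commit message.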
@@ -66,8 +67,8 @@
66 <listitem> 67 <listitem>
67 <para><literal>percent_os_alloc</literal>: Decides how much memory 68 <para><literal>percent_os_alloc</literal>: Decides how much memory
68 to try to reserve for userspace applications. The algorithm will try 69 to try to reserve for userspace applications. The algorithm will try
69 to reserve at least the value of <literal>percent_os_alloc</literal> of the total 70 to reserve at least the value of <literal>percent_os_alloc</literal>
70 system memory for userspace applications.</para> 71 of the total system memory for userspace applications.</para>
71 </listitem> 72 </listitem>
72 73
73 <listitem> 74 <listitem>
@@ -117,8 +118,8 @@
117 <section id="hugepage_customizing_man"> 118 <section id="hugepage_customizing_man">
118 <title>Customizing Manual Hugepage Reservation</title> 119 <title>Customizing Manual Hugepage Reservation</title>
119 120
120 <para>The automatic algorithm can be disabled and hugepages in turn, configured 121 <para>The automatic algorithm can be disabled and hugepages in turn,
121 manually. To do this, comment the line which defines 122 configured manually. To do this, comment the line which defines
122 <literal>hugepage_setup</literal> as <literal>auto</literal> and 123 <literal>hugepage_setup</literal> as <literal>auto</literal> and
123 configure memory for each CPU socket in the following manner:</para> 124 configure memory for each CPU socket in the following manner:</para>
124 125
@@ -149,20 +150,20 @@ node0.1048576kB = 3 </programlisting>
149 <section id="uefi_secure_boot"> 150 <section id="uefi_secure_boot">
150 <title>UEFI Secure Boot</title> 151 <title>UEFI Secure Boot</title>
151 152
152 <para>Secure Boot was designed to enhance security in the pre-boot 153 <para>Secure Boot was designed to enhance security in the pre-boot
153 environment. It prevents malicious software and applications from being 154 environment. It prevents malicious software and applications from being
154 loaded during the system start-up process.</para> 155 loaded during the system start-up process.</para>
155 156
156 <para>The basic principle of UEFI Secure Boot is that it requires all 157 <para>The basic principle of UEFI Secure Boot is that it requires all
157 artifacts involved in the boot process (bootloaders, kernel, initramfs) 158 artifacts involved in the boot process (bootloaders, kernel, initramfs) to
158 to be signed using a set of private keys. On a Secure Boot enabled uCPE 159 be signed using a set of private keys. On a Secure Boot enabled uCPE
159 device these artifacts are checked against a set of public certificates 160 device these artifacts are checked against a set of public certificates
160 which correspond to these keys. If there are any mismatches the boot 161 which correspond to these keys. If there are any mismatches the boot
161 process will fail at the stage(s) they are detected.</para> 162 process will fail at the stage(s) they are detected.</para>
162 163
163 <para>For more information about Secure Boot please refer to <ulink 164 <para>For more information about Secure Boot please refer to <ulink
164 url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure 165 url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure
165 Boot in Modern Computer Security Solutions</ulink>.</para> 166 Boot in Modern Computer Security Solutions</ulink>.</para>
166 167
167 <section id="secure_boot_keys"> 168 <section id="secure_boot_keys">
168 <title>Enabling UEFI Secure Boot</title> 169 <title>Enabling UEFI Secure Boot</title>
@@ -213,101 +214,16 @@ node0.1048576kB = 3 </programlisting>
213 can be found on the EFI partition (usually the first partition of the 214 can be found on the EFI partition (usually the first partition of the
214 drive) under <literal>/uefi_sb_keys</literal>.</para> 215 drive) under <literal>/uefi_sb_keys</literal>.</para>
215 216
216 <para><emphasis role="bold">How to manually enroll Enea 217 <para>These certificates need to be manually enrolled in BIOS. The
217 Certificates</emphasis></para> 218 exact details on how to proceed may vary depending the version of the
218 219 UEFI firmware.</para>
219 <orderedlist>
220 <listitem>
221 <para>Reboot the uCPE device and press <literal>DEL</literal> to
222 enter into BIOS.</para>
223 </listitem>
224
225 <listitem>
226 <para>Select <literal>Secure Boot Mode</literal> -&gt;
227 <literal>Custom</literal>.</para>
228 </listitem>
229
230 <listitem>
231 <para>Select <literal>Key Management</literal> from the
232 <literal>Security</literal> menu.</para>
233 </listitem>
234
235 <listitem>
236 <para>Enroll the <literal>Platform Key (PK)</literal>:
237 <itemizedlist>
238 <listitem>
239 Select <literal>Set New Key</literal> -&gt;
240 <literal>File from a file system</literal>. .
241 </listitem>
242
243 <listitem>
244 Specify the folder: <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/PK.esl</literal>
245 </listitem>
246
247 <listitem>
248 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
249 </listitem>
250 </itemizedlist></para>
251 </listitem>
252
253 <listitem>
254 <para>Enroll the <literal>Key Exchange key (KEK)</literal>:
255 <itemizedlist>
256 <listitem>
257 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>.
258 </listitem>
259
260 <listitem>
261 Specify the folder: <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/KEK.esl</literal>
262 </listitem>
263
264 <listitem>
265 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
266 </listitem>
267 </itemizedlist></para>
268 </listitem>
269
270 <listitem>
271 <para>Enroll the <literal>Authorized Signature (DB)</literal>:
272 <itemizedlist>
273 <listitem>
274 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>.
275 </listitem>
276
277 <listitem>
278 Specify the folder: <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/DB.esl</literal>
279 </listitem>
280
281 <listitem>
282 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
283 </listitem>
284 </itemizedlist></para>
285 </listitem>
286 </orderedlist>
287
288 <note>
289 <para>Details on how to provision the certificates may vary with
290 different versions of UEFI firmware.</para>
291 </note>
292 </section> 220 </section>
293 221
294 <section id="enable_secure_boot"> 222 <section id="enable_secure_boot">
295 <title>Enabling Secure Boot in BIOS</title> 223 <title>Enabling Secure Boot in BIOS</title>
296 224
297 <para>Once the certificates are provisioned we can enable the Secure 225 <para>Once the certificates are enrolled, Secure Boot needs to be
298 Boot feature:</para> 226 enabled in BIOS and the device rebooted.</para>
299
300 <orderedlist>
301 <listitem>
302 <para>Within BIOS, select the <literal>Security option</literal> from the top
303 menu.</para>
304 </listitem>
305
306 <listitem>
307 <para>Set the <literal>Boot Menu</literal> -&gt;
308 <literal>Enabled.</literal></para>
309 </listitem>
310 </orderedlist>
311 </section> 227 </section>
312 </section> 228 </section>
313 </section> 229 </section>
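Review bot: The replacement paragraph in the secure_boot_keys section drops the mapping the removed steps provided between the files under /uefi_sb_keys and the key stores: PK.esl to Platform Key (PK), KEK.esl to Key Exchange key (KEK), DB.esl to Authorized Signature (DB). That mapping is not tied to one vendor's menu layout, and without it "manually enrolled in BIOS" leaves the reader to guess which file goes where. Suggest keeping one vendor-neutral sentence or a short list naming the three files and the store each is enrolled into. Separately, "may vary depending the version of the UEFI firmware" is missing "on" ("depending on the version").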
@@ -315,21 +231,21 @@ node0.1048576kB = 3 </programlisting>
315 <section id="bare_meta_prov"> 231 <section id="bare_meta_prov">
316 <title>Bare Metal Provisioning</title> 232 <title>Bare Metal Provisioning</title>
317 233
318 <para>Bare Metal Provisioning can be used for automated deployment of 234 <para>Bare Metal Provisioning can be used for automated deployment of the
319 the Enea NFV Access Run Time Platform on a large number of uCPE devices. 235 Enea NFV Access Run Time Platform on a large number of uCPE devices. The
320 The uCPE devices may have no previous operating system installed, or are 236 uCPE devices may have no previous operating system installed, or are
321 reinstalled without preserving any existing data. Enea NFV Access Bare 237 reinstalled without preserving any existing data. Enea NFV Access Bare
322 Metal Provisioning is based on standardized Pre-Boot Execution 238 Metal Provisioning is based on standardized Pre-Boot Execution environment
323 environment (PXE) booting.</para> 239 (PXE) booting.</para>
324 240
325 <para>The Bare Metal Provisioning process begins by PXE booting an Enea 241 <para>The Bare Metal Provisioning process begins by PXE booting an Enea
326 NFV Access installer <literal>initramfs</literal> image. The installer 242 NFV Access installer <literal>initramfs</literal> image. The installer
327 downloads a configuration file, as well as the Enea NFV Access Run Time 243 downloads a configuration file, as well as the Enea NFV Access Run Time
328 Platform image and then proceeds to install the system by dividing the 244 Platform image and then proceeds to install the system by dividing the
329 disk into 2 partitions. A GPT partition containing the GRUB boot loader 245 disk into 2 partitions. A GPT partition containing the GRUB boot loader
330 and a second partition containing the Enea NFV Access Run Time Platform 246 and a second partition containing the Enea NFV Access Run Time Platform
331 root filesystem. When the installation is complete, the uCPE device is 247 root filesystem. When the installation is complete, the uCPE device is
332 automatically rebooted into Enea NFV Access Run Time Platform.</para> 248 automatically rebooted into Enea NFV Access Run Time Platform.</para>
333 249
334 <section id="bare_meta_prov_prereq"> 250 <section id="bare_meta_prov_prereq">
335 <title>Prerequisites</title> 251 <title>Prerequisites</title>
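Review bot: The re-wrapped first paragraph still reads "Pre-Boot Execution environment (PXE)" with a lower-case "environment"; since these lines are being touched anyway, capitalise it so the expansion matches the acronym. In the second paragraph the fragment starting "A GPT partition containing the GRUB boot loader and a second partition containing" has no verb; joining it to "dividing the disk into 2 partitions" with a colon would fix that in the same pass.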
@@ -438,8 +354,8 @@ node0.1048576kB = 3 </programlisting>
438 354
439 <listitem> 355 <listitem>
440 <para><literal>notify_path</literal>. Location where notification 356 <para><literal>notify_path</literal>. Location where notification
441 files will be placed, specified in <literal>Server IP:directory</literal> 357 files will be placed, specified in <literal>Server
442 format.</para> 358 IP:directory</literal> format.</para>
443 </listitem> 359 </listitem>
444 </itemizedlist> 360 </itemizedlist>
445 361
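Review bot: The re-wrap of the notify_path item now breaks inside the inline element, leaving "<literal>Server" at the end of one line and "IP:directory</literal>" at the start of the next. The literal value then contains a newline in the source, so correct rendering depends on the stylesheet collapsing whitespace, and the string can no longer be found with a single-line search. Suggest keeping "<literal>Server IP:directory</literal>" on one line, as the old side of the hunk did, even if that line runs slightly over the wrap column.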