author | Adrian Dudau <adrian.dudau@enea.com> | 2019-10-03 15:55:36 +0200 |
---|---|---|
committer | Miruna Paun <Miruna.Paun@enea.com> | 2019-10-08 17:28:10 +0200 |
commit | 4a4541066152f6742e7da584d8c00fecf578871c (patch) | |
tree | b8f9cb01aac3d3ef7f8c125e9fe719285a413f7c /doc/book-enea-nfv-access-getting-started | |
parent | bb0102d04ef9b3e2083e5c26dfe76592acdc400a (diff) | |
GettingStarted: Remove BIOS specific info from SB chapter
Change-Id: Id5a5b3f98bbd7a93cb7ce142aaf41f0f4010ab8e
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'doc/book-enea-nfv-access-getting-started')
-rw-r--r-- | doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml | 170 |
1 files changed, 43 insertions, 127 deletions
diff --git a/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml index 0dbdd84..f048897 100644 --- a/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml +++ b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml | |||
@@ -4,10 +4,11 @@ | |||
4 | <chapter id="advanced_conf"> | 4 | <chapter id="advanced_conf"> |
5 | <title>Advanced Configurations</title> | 5 | <title>Advanced Configurations</title> |
6 | 6 | ||
7 | <para>This chapter describes possible configurations for select advanced features | 7 | <para>This chapter describes possible configurations for select advanced |
8 | such as the Hugepage Reservation Service, UEFI Secure Boot and Bare Metal | 8 | features such as the Hugepage Reservation Service, UEFI Secure Boot and Bare |
9 | Provisioning. These features are optional in the Enea NFV Access platform. | 9 | Metal Provisioning. These features are optional in the Enea NFV Access |
10 | If you do not intend to use these features, skip this chapter.</para> | 10 | platform. If you do not intend to use these features, skip this |
11 | chapter.</para> | ||
11 | 12 | ||
12 | <section id="hugepage_reservation"> | 13 | <section id="hugepage_reservation"> |
13 | <title>Hugepage Reservation Service</title> | 14 | <title>Hugepage Reservation Service</title> |
@@ -66,8 +67,8 @@ | |||
66 | <listitem> | 67 | <listitem> |
67 | <para><literal>percent_os_alloc</literal>: Decides how much memory | 68 | <para><literal>percent_os_alloc</literal>: Decides how much memory |
68 | to try to reserve for userspace applications. The algorithm will try | 69 | to try to reserve for userspace applications. The algorithm will try |
69 | to reserve at least the value of <literal>percent_os_alloc</literal> of the total | 70 | to reserve at least the value of <literal>percent_os_alloc</literal> |
70 | system memory for userspace applications.</para> | 71 | of the total system memory for userspace applications.</para> |
71 | </listitem> | 72 | </listitem> |
72 | 73 | ||
73 | <listitem> | 74 | <listitem> |
@@ -117,8 +118,8 @@ | |||
117 | <section id="hugepage_customizing_man"> | 118 | <section id="hugepage_customizing_man"> |
118 | <title>Customizing Manual Hugepage Reservation</title> | 119 | <title>Customizing Manual Hugepage Reservation</title> |
119 | 120 | ||
120 | <para>The automatic algorithm can be disabled and hugepages in turn, configured | 121 | <para>The automatic algorithm can be disabled and hugepages in turn, |
121 | manually. To do this, comment the line which defines | 122 | configured manually. To do this, comment the line which defines |
122 | <literal>hugepage_setup</literal> as <literal>auto</literal> and | 123 | <literal>hugepage_setup</literal> as <literal>auto</literal> and |
123 | configure memory for each CPU socket in the following manner:</para> | 124 | configure memory for each CPU socket in the following manner:</para> |
124 | 125 | ||
@@ -149,20 +150,20 @@ node0.1048576kB = 3 </programlisting> | |||
149 | <section id="uefi_secure_boot"> | 150 | <section id="uefi_secure_boot"> |
150 | <title>UEFI Secure Boot</title> | 151 | <title>UEFI Secure Boot</title> |
151 | 152 | ||
152 | <para>Secure Boot was designed to enhance security in the pre-boot | 153 | <para>Secure Boot was designed to enhance security in the pre-boot |
153 | environment. It prevents malicious software and applications from being | 154 | environment. It prevents malicious software and applications from being |
154 | loaded during the system start-up process.</para> | 155 | loaded during the system start-up process.</para> |
155 | 156 | ||
156 | <para>The basic principle of UEFI Secure Boot is that it requires all | 157 | <para>The basic principle of UEFI Secure Boot is that it requires all |
157 | artifacts involved in the boot process (bootloaders, kernel, initramfs) | 158 | artifacts involved in the boot process (bootloaders, kernel, initramfs) to |
158 | to be signed using a set of private keys. On a Secure Boot enabled uCPE | 159 | be signed using a set of private keys. On a Secure Boot enabled uCPE |
159 | device these artifacts are checked against a set of public certificates | 160 | device these artifacts are checked against a set of public certificates |
160 | which correspond to these keys. If there are any mismatches the boot | 161 | which correspond to these keys. If there are any mismatches the boot |
161 | process will fail at the stage(s) they are detected.</para> | 162 | process will fail at the stage(s) they are detected.</para> |
162 | 163 | ||
163 | <para>For more information about Secure Boot please refer to <ulink | 164 | <para>For more information about Secure Boot please refer to <ulink |
164 | url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure | 165 | url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure |
165 | Boot in Modern Computer Security Solutions</ulink>.</para> | 166 | Boot in Modern Computer Security Solutions</ulink>.</para> |
166 | 167 | ||
167 | <section id="secure_boot_keys"> | 168 | <section id="secure_boot_keys"> |
168 | <title>Enabling UEFI Secure Boot</title> | 169 | <title>Enabling UEFI Secure Boot</title> |
@@ -213,101 +214,16 @@ node0.1048576kB = 3 </programlisting> | |||
213 | can be found on the EFI partition (usually the first partition of the | 214 | can be found on the EFI partition (usually the first partition of the |
214 | drive) under <literal>/uefi_sb_keys</literal>.</para> | 215 | drive) under <literal>/uefi_sb_keys</literal>.</para> |
215 | 216 | ||
216 | <para><emphasis role="bold">How to manually enroll Enea | 217 | <para>These certificates need to be manually enrolled in BIOS. The |
217 | Certificates</emphasis></para> | 218 | exact details on how to proceed may vary depending the version of the |
218 | 219 | UEFI firmware.</para> | |
219 | <orderedlist> | ||
220 | <listitem> | ||
221 | <para>Reboot the uCPE device and press <literal>DEL</literal> to | ||
222 | enter into BIOS.</para> | ||
223 | </listitem> | ||
224 | |||
225 | <listitem> | ||
226 | <para>Select <literal>Secure Boot Mode</literal> -> | ||
227 | <literal>Custom</literal>.</para> | ||
228 | </listitem> | ||
229 | |||
230 | <listitem> | ||
231 | <para>Select <literal>Key Management</literal> from the | ||
232 | <literal>Security</literal> menu.</para> | ||
233 | </listitem> | ||
234 | |||
235 | <listitem> | ||
236 | <para>Enroll the <literal>Platform Key (PK)</literal>: | ||
237 | <itemizedlist> | ||
238 | <listitem> | ||
239 | Select <literal>Set New Key</literal> -> | ||
240 | <literal>File from a file system</literal>. . | ||
241 | </listitem> | ||
242 | |||
243 | <listitem> | ||
244 | Specify the folder: <literal><user-keys>/<uefi_sb_keys>/PK.esl</literal> | ||
245 | </listitem> | ||
246 | |||
247 | <listitem> | ||
248 | Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>. | ||
249 | </listitem> | ||
250 | </itemizedlist></para> | ||
251 | </listitem> | ||
252 | |||
253 | <listitem> | ||
254 | <para>Enroll the <literal>Key Exchange key (KEK)</literal>: | ||
255 | <itemizedlist> | ||
256 | <listitem> | ||
257 | Select <literal>Set New Key</literal> -> <literal>File from a file system</literal>. | ||
258 | </listitem> | ||
259 | |||
260 | <listitem> | ||
261 | Specify the folder: <literal><user-keys>/<uefi_sb_keys>/KEK.esl</literal> | ||
262 | </listitem> | ||
263 | |||
264 | <listitem> | ||
265 | Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>. | ||
266 | </listitem> | ||
267 | </itemizedlist></para> | ||
268 | </listitem> | ||
269 | |||
270 | <listitem> | ||
271 | <para>Enroll the <literal>Authorized Signature (DB)</literal>: | ||
272 | <itemizedlist> | ||
273 | <listitem> | ||
274 | Select <literal>Set New Key</literal> -> <literal>File from a file system</literal>. | ||
275 | </listitem> | ||
276 | |||
277 | <listitem> | ||
278 | Specify the folder: <literal><user-keys>/<uefi_sb_keys>/DB.esl</literal> | ||
279 | </listitem> | ||
280 | |||
281 | <listitem> | ||
282 | Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>. | ||
283 | </listitem> | ||
284 | </itemizedlist></para> | ||
285 | </listitem> | ||
286 | </orderedlist> | ||
287 | |||
288 | <note> | ||
289 | <para>Details on how to provision the certificates may vary with | ||
290 | different versions of UEFI firmware.</para> | ||
291 | </note> | ||
292 | </section> | 220 | </section> |
293 | 221 | ||
294 | <section id="enable_secure_boot"> | 222 | <section id="enable_secure_boot"> |
295 | <title>Enabling Secure Boot in BIOS</title> | 223 | <title>Enabling Secure Boot in BIOS</title> |
296 | 224 | ||
297 | <para>Once the certificates are provisioned we can enable the Secure | 225 | <para>Once the certificates are enrolled, Secure Boot needs to be |
298 | Boot feature:</para> | 226 | enabled in BIOS and the device rebooted.</para> |
299 | |||
300 | <orderedlist> | ||
301 | <listitem> | ||
302 | <para>Within BIOS, select the <literal>Security option</literal> from the top | ||
303 | menu.</para> | ||
304 | </listitem> | ||
305 | |||
306 | <listitem> | ||
307 | <para>Set the <literal>Boot Menu</literal> -> | ||
308 | <literal>Enabled.</literal></para> | ||
309 | </listitem> | ||
310 | </orderedlist> | ||
311 | </section> | 227 | </section> |
312 | </section> | 228 | </section> |
313 | </section> | 229 | </section> |
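Review bot: the replacement paragraph at new lines 217-219 reads "may vary depending the version of the UEFI firmware", which is missing a preposition; suggest "may vary depending on the version of the UEFI firmware". The same paragraph also drops what the removed ordered list made explicit: that three files are enrolled, PK.esl as the Platform Key (PK), KEK.esl as the Key Exchange Key (KEK) and DB.esl into the authorized signature database (DB), and that the firmware has to be switched to a custom Secure Boot mode before user keys can be enrolled. Since the commit message only intends to remove the BIOS-specific menu navigation, consider keeping a firmware-neutral sentence with that information, e.g. "Switch Secure Boot to custom mode and enroll PK.esl as the Platform Key (PK), KEK.esl as the Key Exchange Key (KEK) and DB.esl into the authorized signature database (DB)", so a reader with different firmware still knows which file goes into which variable. Minor terminology point: the section is about UEFI Secure Boot, but the new text at new lines 217 and 225 and the retained title at new line 223 say "BIOS"; "UEFI firmware setup" would be consistent with the rest of the section.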
@@ -315,21 +231,21 @@ node0.1048576kB = 3 </programlisting> | |||
315 | <section id="bare_meta_prov"> | 231 | <section id="bare_meta_prov"> |
316 | <title>Bare Metal Provisioning</title> | 232 | <title>Bare Metal Provisioning</title> |
317 | 233 | ||
318 | <para>Bare Metal Provisioning can be used for automated deployment of | 234 | <para>Bare Metal Provisioning can be used for automated deployment of the |
319 | the Enea NFV Access Run Time Platform on a large number of uCPE devices. | 235 | Enea NFV Access Run Time Platform on a large number of uCPE devices. The |
320 | The uCPE devices may have no previous operating system installed, or are | 236 | uCPE devices may have no previous operating system installed, or are |
321 | reinstalled without preserving any existing data. Enea NFV Access Bare | 237 | reinstalled without preserving any existing data. Enea NFV Access Bare |
322 | Metal Provisioning is based on standardized Pre-Boot Execution | 238 | Metal Provisioning is based on standardized Pre-Boot Execution environment |
323 | environment (PXE) booting.</para> | 239 | (PXE) booting.</para> |
324 | 240 | ||
325 | <para>The Bare Metal Provisioning process begins by PXE booting an Enea | 241 | <para>The Bare Metal Provisioning process begins by PXE booting an Enea |
326 | NFV Access installer <literal>initramfs</literal> image. The installer | 242 | NFV Access installer <literal>initramfs</literal> image. The installer |
327 | downloads a configuration file, as well as the Enea NFV Access Run Time | 243 | downloads a configuration file, as well as the Enea NFV Access Run Time |
328 | Platform image and then proceeds to install the system by dividing the | 244 | Platform image and then proceeds to install the system by dividing the |
329 | disk into 2 partitions. A GPT partition containing the GRUB boot loader | 245 | disk into 2 partitions. A GPT partition containing the GRUB boot loader |
330 | and a second partition containing the Enea NFV Access Run Time Platform | 246 | and a second partition containing the Enea NFV Access Run Time Platform |
331 | root filesystem. When the installation is complete, the uCPE device is | 247 | root filesystem. When the installation is complete, the uCPE device is |
332 | automatically rebooted into Enea NFV Access Run Time Platform.</para> | 248 | automatically rebooted into Enea NFV Access Run Time Platform.</para> |
333 | 249 | ||
334 | <section id="bare_meta_prov_prereq"> | 250 | <section id="bare_meta_prov_prereq"> |
335 | <title>Prerequisites</title> | 251 | <title>Prerequisites</title> |
@@ -438,8 +354,8 @@ node0.1048576kB = 3 </programlisting> | |||
438 | 354 | ||
439 | <listitem> | 355 | <listitem> |
440 | <para><literal>notify_path</literal>. Location where notification | 356 | <para><literal>notify_path</literal>. Location where notification |
441 | files will be placed, specified in <literal>Server IP:directory</literal> | 357 | files will be placed, specified in <literal>Server |
442 | format.</para> | 358 | IP:directory</literal> format.</para> |
443 | </listitem> | 359 | </listitem> |
444 | </itemizedlist> | 360 | </itemizedlist> |
445 | 361 | ||