Puppet Class: tpm::tboot

Defined in:
manifests/tboot.pp

Overview

Create a launch policy, modify grub, and enable tboot

Parameters:

  • intermediate_grub_entry (Boolean) (defaults to: true)

    Provide a tboot Grub entry with no policy, for bootstrapping

  • purge_boot_entries (Boolean) (defaults to: false)

    Remove other, nontrusted boot entries from Grub

  • lock_kernel_packages (Boolean) (defaults to: true)

    Lock kernel related packages in YUM, to avoid accidentally invalidating the launch policy

  • kernel_packages_to_lock (Array[String]) (defaults to: [ 'kernel','kernel-bigmem','kernel-enterprise', 'kernel-smp','kernel-debug','kernel-unsupported', 'kernel-source','kernel-devel','kernel-PAE', 'kernel-PAE-debug','kernel-modules', 'kernel-headers' ])

    List of kernel related packages to lock

  • sinit_name (Optional[String]) (defaults to: undef)

    Name of the SINIT policy file, usually ending in `*.BIN`

  • sinit_source (Optional[String]) (defaults to: simplib::lookup('simp_options::rsync', { 'default_value' => undef }))

    Puppet `file` resource `source` attribute for the SINIT binary. For example, if the binary was manually copied over to `/root/BIN`, this entry would be set to `file:///root/BIN`

  • rsync_source (String) (defaults to: "tboot_${::environment}/")

    Rsync location for the SINIT binary

  • rsync_server (Optional[String]) (defaults to: simplib::lookup('simp_options::rsync::server', { 'default_value' => '127.0.0.1' }))

    Rsync server. This parameter has a smart default of `simp_options::rsync::server`

  • rsync_timeout (Integer) (defaults to: simplib::lookup('simp_options::rsync::timeout', { 'default_value' => 1 }))

    Rsync timeout. This parameter has a smart default of `simp_options::rsync::timeout`

  • owner_password (String) (defaults to: passgen( "${facts['fqdn']}_tpm0_owner_pass", { 'length' => 20 } ))

    The TPM owner password

  • tboot_boot_options (Array[String]) (defaults to: ['logging=serial,memory,vga','min_ram=0x2000000'])

    Kernel parameters for the tboot kernel. `min_ram=0x2000000` is required on systems with more than 4GB of memory; see the tboot documentation in `/usr/share/simp/tboot-*/README`

  • additional_boot_options (Array[String]) (defaults to: ['intel_iommu=on'])

    Regular Linux kernel parameters, specific to tboot sessions. `intel_iommu=on` is the default here to force the kernel to load VT-d

  • policy_script (Stdlib::AbsolutePath) (defaults to: '/root/txt/create_lcp_boot_policy.sh')

    The script to generate the tboot policy. This should not be changed

  • policy_script_source (String) (defaults to: 'puppet:///modules/tpm/create_lcp_tboot_policy.sh')

    Where to find the script. This should also not be changed

  • package_ensure (String) (defaults to: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }))

    The `ensure` value used to manage the `tboot` package

  • update_script (Stdlib::AbsolutePath) (defaults to: '/root/txt/update_tboot_policy.sh')
  • update_script_source (String) (defaults to: 'puppet:///modules/tpm/update_tboot_policy.sh')


# @summary Create a launch policy, modify grub, and enable tboot
#
# Installs the `tboot` package, creates the `/root/txt/` working directory,
# pulls in the SINIT, policy, grub and kernel-lock sub-classes, and chains
# them so that a change in the SINIT or policy stage is propagated through
# the grub stage and ends in a reboot notification.
#
# Ordering established here (see the chain at the bottom of the class):
#   * `Class['tpm']` is applied before `Class['tpm::tboot::sinit']`
#   * `sinit` notifies `policy`, `policy` notifies `grub`, and `grub`
#     notifies `Reboot_notify['Launch tboot']`
#   * `Class['tpm::tboot::lock_kernel']` is included but is NOT part of the
#     chain; its resources are ordered only by Puppet's default ordering
#
# NOTE(review): `Package['tboot']` is declared here but is not explicitly
# ordered before the sub-classes. If the sub-classes invoke tboot tooling
# (likely, given the policy script names, but not visible from this file),
# they currently rely on manifest ordering rather than an explicit
# relationship -- confirm and add `Package['tboot'] -> Class[...]` if so.
#
# @param intermediate_grub_entry
#   Provide a tboot Grub entry with no policy, for bootstrapping
#
# @param purge_boot_entries
#   Remove other, nontrusted boot entries from Grub. With the default of
#   `false`, non-tboot Grub entries remain selectable at boot time.
#
# @param lock_kernel_packages
#   Lock kernel related packages in YUM, to avoid accidentally invalidating
#   the launch policy
#
# @param kernel_packages_to_lock
#   List of kernel related packages to lock
#
# @param sinit_name
#   Name of the SINIT policy file, usually ending in `*.BIN`
#
# @param sinit_source
#   Puppet `file` resource `source` attribute for the SINIT binary
#
# @param rsync_source
#   Rsync location for the SINIT binary
#
# @param rsync_server
#   Rsync server; smart default from `simp_options::rsync::server`
#
# @param rsync_timeout
#   Rsync timeout; smart default from `simp_options::rsync::timeout`
#
# @param owner_password
#   The TPM owner password. Generated via `passgen` when not supplied.
#   NOTE(review): declared as a plain `String`, so the value is carried in
#   the catalog and any reports/logs that echo parameters; consider
#   `Sensitive[String]` if downstream resources accept it -- confirm with
#   the sub-classes that consume it.
#
# @param tboot_boot_options
#   Kernel parameters for the tboot kernel. `min_ram=0x2000000` is
#   required on systems with more than 4GB of memory.
#
# @param additional_boot_options
#   Regular Linux kernel parameters, specific to tboot sessions.
#   `intel_iommu=on` forces the kernel to load VT-d.
#
# @param policy_script
#   The script to generate the tboot policy. This should not be changed
#
# @param policy_script_source
#   Where to find the policy script. This should also not be changed
#
# @param update_script
#   Path the policy update script is installed to (consumed by a
#   sub-class; not referenced directly in this file)
#
# @param update_script_source
#   Puppet source for the policy update script
#
# @param package_ensure
#   The `ensure` value used to manage the `tboot` package
#
class tpm::tboot (
  Boolean $intermediate_grub_entry = true,
  Boolean $purge_boot_entries = false,
  Boolean $lock_kernel_packages = true,
  Array[String] $kernel_packages_to_lock = [
    'kernel',
    'kernel-bigmem',
    'kernel-enterprise',
    'kernel-smp',
    'kernel-debug',
    'kernel-unsupported',
    'kernel-source',
    'kernel-devel',
    'kernel-PAE',
    'kernel-PAE-debug',
    'kernel-modules',
    'kernel-headers',
  ],
  Optional[String] $sinit_name = undef,
  Optional[String] $sinit_source = simplib::lookup('simp_options::rsync', { 'default_value' => undef }),
  String $rsync_source = "tboot_${::environment}/",
  Optional[String] $rsync_server = simplib::lookup('simp_options::rsync::server', { 'default_value' => '127.0.0.1' }),
  Integer $rsync_timeout = simplib::lookup('simp_options::rsync::timeout', { 'default_value' => 1 }),
  String $owner_password = passgen( "${facts['fqdn']}_tpm0_owner_pass", { 'length' => 20 } ),
  Array[String] $tboot_boot_options = ['logging=serial,memory,vga','min_ram=0x2000000'],
  Array[String] $additional_boot_options = ['intel_iommu=on'],
  Stdlib::AbsolutePath $policy_script = '/root/txt/create_lcp_boot_policy.sh',
  String $policy_script_source = 'puppet:///modules/tpm/create_lcp_tboot_policy.sh',
  Stdlib::AbsolutePath $update_script = '/root/txt/update_tboot_policy.sh',
  String $update_script_source = 'puppet:///modules/tpm/update_tboot_policy.sh',
  String $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
) {
  # The base TPM class must be in the catalog; it is ordered first below.
  include tpm

  # Surfaces a pending-reboot message once the grub stage has refreshed it.
  reboot_notify { 'Launch tboot':
    reason => 'tboot policy has been written, please reboot to complete a verified launch',
  }

  # Working directory for the policy scripts and their output.
  # NOTE(review): no explicit owner/group/mode; protection of the policy
  # material relies on the permissions of the parent `/root` directory.
  file { '/root/txt/':
    ensure => directory,
  }

  package { 'tboot':
    ensure => $package_ensure,
  }

  # Sub-classes that do the actual work; order of inclusion is kept as-is.
  include tpm::tboot::sinit
  include tpm::tboot::policy
  include tpm::tboot::grub
  include tpm::tboot::lock_kernel

  # `->` orders only; `~>` orders and refreshes the right-hand side when the
  # left-hand side changes, so a new SINIT or policy ends in a reboot notice.
  Class['tpm'] -> Class['tpm::tboot::sinit'] ~> Class['tpm::tboot::policy'] ~> Class['tpm::tboot::grub'] ~> Reboot_notify['Launch tboot']
}