You must configure PowerScale Secure Boot on each individual node in a PowerScale cluster. Be sure to understand the requirements and considerations described in this section before configuring PowerScale Secure Boot.
Supported platforms and prerequisites
The PowerScale Secure Boot feature requires a supported node platform, OneFS version, and Node Firmware Package (NFP) version, as shown in the following table.
Table 3. PowerScale Secure Boot supported platforms
Node platform | NFP version | OneFS version |
Dell Isilon A2000 | 11.4 or later | 9.3.0.0 or later |
Dell PowerScale A300, A3000, B100, F200, F210, F600, F710, F900, H700, H7000, P100 | 11.4 or later | 9.3.0.0 or later |
Note: You must upgrade to OneFS 9.3.0.0 or later before upgrading to Node Firmware Package 11.4.
Considerations
Before configuring the PowerScale Secure Boot feature, consider the following information:
- Isilon and PowerScale nodes are not shipped with PowerScale Secure Boot enabled. The feature can be enabled as site requirements dictate.
- The PowerScale Secure Boot feature is enabled individually on each node, by using IPMI or the BIOS.
- A PowerScale cluster that contains both PowerScale Secure Boot enabled nodes and PowerScale Secure Boot disabled nodes is supported.
- A license is not required for PowerScale Secure Boot, because the feature is natively supported.
- The PowerScale Secure Boot feature can be enabled or disabled at any point. Enabling PowerScale Secure Boot does not prevent disabling the feature later.
- Plan a maintenance window to enable or disable the PowerScale Secure Boot feature. A node reboot is required during the process.
- As a best practice, configure a BIOS UI admin password to restrict access. For more information about configuring the BIOS admin password, see the Security Configuration Guide for the specified release at PowerScale Info Hubs.
- The PowerScale Secure Boot feature does not affect cluster performance. The feature is only run at bootup.
- After the PowerScale Secure Boot feature is enabled, reimaging the node through PXE is not supported. However, reimaging through a USB drive is supported. If a node must be reimaged through PXE, disable PowerScale Secure Boot, reimage, and then re-enable PowerScale Secure Boot.
Enabling PowerScale Secure Boot
Before enabling the PowerScale Secure Boot feature, review this paper in its entirety. The PowerScale Secure Boot feature is enabled on each node individually. Repeat the process for each node where the PowerScale Secure Boot feature is required. The process for enabling the Secure Boot feature depends on the node platform.
A300, A2000, A3000, H700, and H7000 nodes
To enable the PowerScale Secure Boot feature on an A2000, A300, A3000, H700, or H7000 node, perform the following steps:
- Upgrade the cluster to OneFS 9.3.0.0 or later (if not already completed), and ensure that the release is committed successfully.
- Upgrade the node where the PowerScale Secure Boot feature is to be enabled to Node Firmware Package 11.4 (if not already completed).
- Log in to the OneFS command-line interface of the node where the PowerScale Secure Boot feature is to be enabled, as a user with IPMI permissions.
- To enable the PowerScale Secure Boot feature, run the following commands:
ipmitool raw 0x30 0x12 0x08 0x13 0x01 0x53 0x55 0x42 0x54
ipmitool raw 0x30 0x11 0x04 0x00 0x08 0x13 0x01
The expected output is 0x00 0x08 0x13 0x01 0x53 0x55 0x42 0x54.
ipmitool raw 0x30 0x12 0x0C 0x13 0x01 0x01
ipmitool raw 0x30 0x11 0x01 0x00 0x0C 0x13 0x01
The expected output is 0x13 0x01 0x01.
- Reboot the node to apply the PowerScale Secure Boot feature.
- To confirm whether the PowerScale Secure Boot feature is enabled, run the following command:
sysctl security.mac.veriexec.state
The output should state that the veriexec state is loaded and active:
security.mac.veriexec.state: loaded active enforce locked
- Repeat steps 2 through 6 for each node in the cluster that supports the PowerScale Secure Boot feature.
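As an added example (not part of the Dell paper), the following POSIX shell script runs the IPMI sequence from step 4 and compares each read-back with the value the step expects before the node is rebooted, so a write that did not take is caught before the reboot rather than after. ipmitool prints raw responses as space-separated hex bytes without the 0x prefix, so both sides are normalized before comparison. The IPMITOOL variable, the function names, and the --enable flag are my own; the raw command bytes and expected read-backs are copied from the steps above.

```shell
#!/bin/sh
# Added example, not from the Dell paper: run the IPMI enable sequence for
# the A2000/A300/A3000/H700/H7000 procedure and stop before the reboot if
# either read-back differs from the expected value. Run on the node as a
# user with IPMI permissions.

IPMITOOL="${IPMITOOL:-ipmitool}"   # override to point at a wrapper (or a mock)

# normalize_hex: turn either "0x00 0x08 0x13" (as written in the procedure)
# or " 00 08 13" (ipmitool's raw output format) into "00 08 13".
normalize_hex() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/0x//g' \
        | tr -s '[:space:]' ' ' | sed 's/^ //; s/ *$//'
}

# check_readback LABEL ACTUAL EXPECTED -> 0 if they match, 1 otherwise
check_readback() {
    label=$1
    actual=$(normalize_hex "$2")
    expected=$(normalize_hex "$3")
    if [ "$actual" = "$expected" ]; then
        echo "$label: read-back OK ($actual)"
        return 0
    fi
    echo "$label: MISMATCH: got '$actual', expected '$expected'" >&2
    return 1
}

# ipmi_raw: thin wrapper so the sequence below reads like the procedure
ipmi_raw() { "$IPMITOOL" raw "$@"; }

# enable_secure_boot_ipmi: the two write/read-back pairs from step 4.
# Returns 1 on the first mismatch so the reboot in step 5 is not attempted.
enable_secure_boot_ipmi() {
    # First write, then read it back
    ipmi_raw 0x30 0x12 0x08 0x13 0x01 0x53 0x55 0x42 0x54 >/dev/null
    out=$(ipmi_raw 0x30 0x11 0x04 0x00 0x08 0x13 0x01)
    check_readback "first write" "$out" "0x00 0x08 0x13 0x01 0x53 0x55 0x42 0x54" || return 1

    # Second write, then read it back
    ipmi_raw 0x30 0x12 0x0C 0x13 0x01 0x01 >/dev/null
    out=$(ipmi_raw 0x30 0x11 0x01 0x00 0x0C 0x13 0x01)
    check_readback "second write" "$out" "0x13 0x01 0x01" || return 1

    echo "Both read-backs match; reboot the node to apply PowerScale Secure Boot."
}

# Only run the sequence when explicitly asked (sh enable-secure-boot.sh --enable);
# sourcing the file just defines the functions.
if [ "${1:-}" = "--enable" ]; then
    enable_secure_boot_ipmi || exit 1
fi
```

After the reboot, the sysctl check in step 6 is still the authoritative confirmation; the read-back comparison only tells you that the BMC accepted the configuration before you reboot.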
B100, F200, F600, F900, and P100 nodes
To enable the PowerScale Secure Boot feature on a B100, F200, F600, F900, or P100 node, perform the following steps:
- Ensure that the cluster is running OneFS 9.3.0.0 or later. If an upgrade is required, implement the upgrade and ensure that the release is committed successfully.
- Ensure that the node where the PowerScale Secure Boot feature is to be enabled has Node Firmware Package 11.4 or later.
- Reboot the node and press the F2 key at the BIOS POST screen, as shown in the following figure.
Figure 16. BIOS POST screen
- Select the System BIOS option from the System Setup screen, as shown in the following figure.
Figure 17. System Setup
- Select the System Security option from the System BIOS screen, as shown in the following figure.
Figure 18. System Security
- Scroll down to the Secure Boot option under System Security and switch it to Enabled, as shown in the following figure.
Figure 19. Secure Boot
- Press the ESC key one screen at a time until the initial System Setup screen appears, then press the ESC key again. Finally, when a prompt appears to exit and reboot, select the Yes option, as shown in the following figure.
Figure 20. Exit and reboot
During the reboot process, a message appears confirming that the Secure Boot feature is enabled:
UEFI0074: The Secure Boot policy has been modified since the last time the system was started
- To confirm whether the PowerScale Secure Boot feature is enabled, run the following command:
sysctl security.mac.veriexec.state
The output should state that the veriexec state is loaded and active:
security.mac.veriexec.state: loaded active enforce locked
- Repeat steps 2 through 8 for each node in the cluster that supports the PowerScale Secure Boot feature.
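Both procedures end with the same per-node sysctl check. As an added example (not part of the Dell paper), the following POSIX shell script evaluates that check for every node at once, so a node that was skipped or did not come back with Secure Boot active is visible in one listing. It assumes that OneFS's isi_for_array prefixes each node's output with the node name and a colon (an assumption about the output format; adjust the parsing if your output differs). The sample output is constructed for offline use and was not captured from a real cluster; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Dell paper: audit the veriexec state reported
# by every node instead of logging in to each node in turn.
# Assumed input format (one line per node, as produced by isi_for_array):
#   <node>: security.mac.veriexec.state: <flags>

# veriexec_enforcing FLAGS -> 0 when the flags contain both "active" and
# "enforce", which is what the procedure expects once Secure Boot is on.
veriexec_enforcing() {
    case " $1 " in
        *" active "*)
            case " $1 " in
                *" enforce "*) return 0 ;;
            esac ;;
    esac
    return 1
}

# audit_veriexec: reads the per-node lines on stdin, prints one status line
# per node, and returns 1 if any node is not enforcing.
audit_veriexec() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *security.mac.veriexec.state:*) ;;
            *) continue ;;   # skip blank or unrelated lines
        esac
        node=${line%%:*}
        flags=${line##*security.mac.veriexec.state:}
        flags=$(printf '%s' "$flags" | tr -s '[:space:]' ' ')
        if veriexec_enforcing "$flags"; then
            echo "$node: PowerScale Secure Boot ENABLED ($flags)"
        else
            echo "$node: PowerScale Secure Boot NOT enabled ($flags)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample (not real cluster output): node-3 reports a state
# without "active enforce", as a node with Secure Boot still off would.
SAMPLE='node-1: security.mac.veriexec.state: loaded active enforce locked
node-2: security.mac.veriexec.state: loaded active enforce locked
node-3: security.mac.veriexec.state: loaded'

# On a cluster, pipe the real command instead of the sample:
#   isi_for_array -s 'sysctl security.mac.veriexec.state' | audit_veriexec
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | audit_veriexec
fi
```

Run with `--demo` to see the three sample lines evaluated; the non-zero exit status when any node is not enforcing makes the check usable from a maintenance-window checklist script.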
Disabling PowerScale Secure Boot
After the PowerScale Secure Boot feature is enabled, disabling it requires accessing the node's BIOS UI during the bootup sequence.
Note: Disabling the Secure Boot feature is only supported through the BIOS UI by design. This ensures that only those who have physical and administrator access to the node can perform this action.
As with enabling the feature, disabling it must be repeated on each Secure Boot enabled node. The process for disabling the Secure Boot feature is the same for all node platforms.
To disable the PowerScale Secure Boot feature:
- Access the BIOS of the node where the PowerScale Secure Boot must be disabled. Press the F2 or DEL key during the boot sequence to enter the BIOS setup menu.
- Browse to the Security tab from the BIOS setup menu, and select the Secure Boot menu option as shown in the following figure.
Figure 21. BIOS Security tab
- From the Secure Boot menu, select the Secure Boot option, as shown in the following figure.
Figure 22. Secure Boot
- For Secure Boot, select Disabled to disable the PowerScale Secure Boot feature.
- Press the ESC key to return to the main menu.
- Browse to the Save & Exit tab, and select the Save & Exit option from the Save Changes and Exit tab, as highlighted in the following figure.
Figure 23. BIOS Save & Exit tab
Secure Boot is now disabled, and the node will continue to boot after exiting the BIOS.