V4.0/pg fsws containers

Author: raghav19

product-guides/Foundational & Workload Security.md

@@ -380,33 +380,23 @@ systemctl restart docker
 * On each worker node with `TXT/BTG` enabled and registered to K8s control-plane, the following pre-req needs to be done on `RHEL-8.3`/`Ubuntu-18.04` systems
 
   * Foundational Security
-    
+
+    * `Tboot-1.10.1` or later to be installed for non `SUEFI` servers. [Tboot installation Details](https://github.com/intel-secl/docs/blob/master/product-guides/Foundational%20%26%20Workload%20Security.md#tboot-installation)
+
     * Only for `Ubuntu-18.04`, run the following commands
-    
+
       ```shell
       $ modprobe msr
       ```
+
   * Workload Security
-    * Container Confidentiality with Docker runtime
-      * Copy `container-runtime` directory to each of the `TXT/BTG` enabled physical servers       
-        
-      * Run the `install-prereqs-docker.sh` script on the physical servers from `container-runtime`
-      
-        > **Note:** `container-runtime` scripts need to be run on `TXT/BTG/SUEFI` enabled services
-      
-      * Reboot the server
-      
-      * Only for `Ubuntu-18.04`, run the following command
-      
-        ```shell
-        $ modprobe msr
-        ```
-      
     * Container Confidentiality with CRIO runtime
 
-    * Copy `container-runtime` directory to each of the `TXT/BTG` enabled physical servers  
+      * `Tboot-1.10.1`  or later to be installed for non `SUEFI` servers. [Tboot installation Details](https://github.com/intel-secl/docs/blob/master/product-guides/Foundational%20%26%20Workload%20Security.md#tboot-installation) 
+        
+      * Copy `container-runtime` directory to each of the  physical servers  
 
-    * Run the `install-prereqs-crio.sh` script on the physical servers from `container-runtime`
+      * Run the `install-prereqs-crio.sh` script on the physical servers from `container-runtime`
 
         > **Note:** `container-runtime` scripts need to be run on `TXT/BTG/SUEFI` enabled services
 

product-guides/Images/hvs-db.jpg

@@ -127,12 +127,15 @@ The below steps needs to be carried out on the Build and Deployment VM
   rm -rf $tmpdir
   ```
 
-* Extract Install `go` version > `go1.13` & <= `go1.14.4` from `https://golang.org/dl/` 
-  and set `GOROOT` & `PATH`
-
-  ```shell
-  export GOROOT=<path_to_go>
+* Golang installation
+  
+```shell
+  wget https://dl.google.com/go/go1.14.4.linux-amd64.tar.gz
+  tar -xzf go1.14.4.linux-amd64.tar.gz
+  sudo mv go /usr/local
+  export GOROOT=/usr/local/go
   export PATH=$GOROOT/bin:$PATH
+  rm -rf go1.14.4.linux-amd64.tar.gz
   ```
 
 ### Building
@@ -429,43 +432,46 @@ ansible-playbook <playbook-name> \
 
 ### Additional Examples & Tips
 
-#### TPM is already owned
+#### TBoot Installation
 
-If the Trusted Platform Module(TPM) is already owned, the owner secret(SRK) can be provided directly during runtime in the playbook:
+Tboot needs to be built by the user from tboot source and the `tboot.gz` & `tboot-syms` files needs to be copied under the `binaries` folder. The supported version of Tboot as of 4.0 release is `tboot-1.10.1`.The options must then be provided during runtime in the playbook:
 
 ```shell
 ansible-playbook <playbook-name> \
 --extra-vars setup=<setup var from supported usecases> \
 --extra-vars binaries_path=<path where built binaries are copied to> \
---extra-vars tpm_secret=<tpm owner secret>
+--extra-vars tboot_gz_file=<path where built binaries are copied to>/tboot.gz
+--extra-vars tboot_syms_file=<path where built binaries are copied to>/tboot-syms
 ```
-or
 
-Update the following vars in `vars/main.yml`
+or 
+
+Update the following in `vars/main.yml`
 
 ```yaml
 # The TPM Storage Root Key(SRK) Password to be used if TPM is already owned
-tpm_owner_secret: <tpm_secret>
+tboot_gz_file: "<binaries_path>/tboot.gz"
+tboot_syms_file: "<binaries_path>/tboot-syms"
 ```
 
-#### GRUB Default option for Booting into MLE
-
-The grub2_default option would vary from OEM to OEM for booting after installing tboot. The grub option to be selected for booting into TBOOT/MLE mode, use `grubby --info <option:0/1...>` to determine which one has no boot menu assigned to it during runtime in the playbook as below. Default is 3.
+#### TPM is already owned
 
-> **NOTE:** This is not required in case of UEFI Secure boot mode
+If the Trusted Platform Module(TPM) is already owned, the owner secret(SRK) can be provided directly during runtime in the playbook:
 
 ```shell
 ansible-playbook <playbook-name> \
 --extra-vars setup=<setup var from supported usecases> \
 --extra-vars binaries_path=<path where built binaries are copied to> \
---extra-vars grub_default_option=<grub_default_option>
+--extra-vars tpm_secret=<tpm owner secret>
 ```
+
 or
 
 Update the following vars in `vars/main.yml`
 
 ```yaml
-grub_default_option: "3"
+# The TPM Storage Root Key(SRK) Password to be used if TPM is already owned
+tpm_owner_secret: <tpm_secret>
 ```
 
 #### UEFI SecureBoot enabled
@@ -477,11 +483,13 @@ ansible-playbook <playbook-name> \
 --extra-vars setup=<setup var from supported usecases> \
 --extra-vars binaries_path=<path where built binaries are copied to> \
 --extra-vars uefi_secureboot=yes \
--- extra-vars grub_file_path=<uefi mode grub file path>
+--extra-vars grub_file_path=<uefi mode grub file path>
 ```
 
 or
 
+Update the following vars in `vars/main.yml`
+
 ```yaml
 # UEFI mode or UEFI SecureBoot mode
 # ['no' - UEFI mode, 'yes' - UEFI SecureBoot mode]