Goal:

Provide support for Secure Boot provisioning on bare-metal, VMware vSphere and Libvirt across multiple operating systems. Discovery and bootdisk flows can be kept out, unless the support for them is straightforward.

Acceptance Criteria:

• Bare-metal Provisioning:
  • Users are able to provision bare-metal machines with UEFI Secure Boot enabled.
  • Satellite should allow users to specify Secure Boot settings during the provisioning process.
  • Secure Boot must be supported across multiple operating systems, ensuring compatibility with commonly used OSs.
  • Successful completion of provisioning must result in a machine configured to use UEFI Secure Boot.

1. VMware vSphere Provisioning:

• • Users are able to create and import VMs on VMware vSphere with UEFI Secure Boot and TPM enabled via Satellite.
  • Satellite supports configuring Secure Boot and TPM settings for VMware-based VMs, with options visible in the UI, Hammer CLI and API.
  • VMs created with Secure Boot enabled must successfully boot and function as expected across different operating systems.

1. Libvirt Provisioning:

• • Users are able to create and import VMs on Libvirt with UEFI Secure Boot enabled via Satellite.
  • Satellite supports configuring Secure Boot settings for Libvirt-based VMs, with options visible in the UI, Hammer CLI and API.
  • VMs created with Secure Boot enabled must boot successfully and operate correctly on various supported OSs.

1. User Interface:

• • Users are able to view and configure Secure Boot settings easily in the Satellite UI for all supported platforms (bare-metal, VMware vSphere, and Libvirt).
  • Changes in Secure Boot settings must be clearly reflected in the UI and confirmed through successful provisioning and operation of the machine or VM.

1. Documentation:

• • Comprehensive user documentation must be provided, detailing the steps for enabling and configuring Secure Boot provisioning on bare-metal, VMware vSphere, and Libvirt.
  • The documentation must cover supported operating systems, the required steps in the Satellite UI, Hammer CLI and API.

1. Testing and Validation:

• • Secure Boot provisioning must be thoroughly tested on supported operating systems and platforms to ensure reliable operation.
  • Automated tests must verify that Secure Boot settings are applied correctly, and machines/VMs boot and run as expected with Secure Boot enabled.
  • Existing functionality for provisioning without Secure Boot must remain unaffected. Regression testing must be performed across bare-metal, VMware vSphere, and Libvirt environments.

The following bugzillas will be addressed

• https://bugzilla.redhat.com/show_bug.cgi?id=1791608 SecureBoot RFE
• https://bugzilla.redhat.com/show_bug.cgi?id=2102051 vmware support
• https://bugzilla.redhat.com/show_bug.cgi?id=2220957 vmware EFI flow does not work

Upstream discussion: https://community.theforeman.org/t/add-secureboot-support-for-arbitrary-distributions/32601. The discovery support should be added later if it can't be added during this epic.

[SecureBoot implementation|https://docs.google.com/document/d/1g5FAiJ9Bz7M83la-Q_ss7erBo9MID2DyyWjeB_0MzL4/edit]