dellemc.openmanage.idrac_secure_boot module – Configure attributes, import, or export secure boot certificate, and reset keys.

Note

This module is part of the dellemc.openmanage collection (version 9.7.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install dellemc.openmanage. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: dellemc.openmanage.idrac_secure_boot.

New in dellemc.openmanage 9.6.0

Synopsis

  • This module allows you to perform the following operations.`

  • Import or Export Secure Boot certificate.

  • Enable or disable Secure Boot mode.

  • Configure Platform Key (PK) and Key Exchange Key (KEK) policies

  • Configure Allow Database (DB) and Disallow Database (DBX) certificates.

  • Reset UEFI Secure Boot keys.

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 3.9.6

Parameters

Parameter

Comments

boot_mode

string

Boot mode of the iDRAC.

Uefi enables the secure boot in UEFI mode.

Bios enables the secure boot in BIOS mode.

Choices:

  • "Uefi"

  • "Bios"

ca_path

path

added in dellemc.openmanage 5.0.0

The Privacy Enhanced Mail (PEM) file that contains a CA certificate to be used for the validation.

database

list / elements=path

A list of absolute paths of the Allow Database(DB) certificate file for UEFI secure boot.

Directory path with write permission when export_certificates is true.

disallow_database

list / elements=path

A list of absolute paths of the Disallow Database(DBX) certificate file for UEFI secure boot.

Directory path with write permission when export_certificates is true.

export_certificates

boolean

Export all the available certificates in the specified directory for the given keys.

export_cetificates is mutually exclusive with import.

export_cetificates is true either of platform_key or i(key_exchange_key) or database - or disallow_database is required.

Choices:

  • false

  • true

force_int_10

string

Determines whether the system BIOS loads the legacy video (INT 10h) option ROM from the video controller.

This parameter is supported only in UEFI boot mode. If UEFI Secure Boot mode is enabled, you cannot enable this parameter.

Disabled if the operating system supports UEFI video output standards.

Enabled if the operating system does not support UEFI video output standards.

Choices:

  • "Disabled"

  • "Enabled"

idrac_ip

string / required

iDRAC IP Address.

idrac_password

aliases: idrac_pwd

string

iDRAC user password.

If the password is not provided, then the environment variable IDRAC_PASSWORD is used.

Example: export IDRAC_PASSWORD=password

idrac_port

integer

iDRAC port.

Default: 443

idrac_user

string

iDRAC username.

If the username is not provided, then the environment variable IDRAC_USERNAME is used.

Example: export IDRAC_USERNAME=username

import_certificates

boolean

Import all the specified key certificates.

When import_certificates is true, then either platform_key, KEK, database, or disallow_database is required.

Choices:

  • false

  • true

job_wait

boolean

Whether to wait till completion of the secure boot certificate operation. This is applicable when restart is true.

Choices:

  • false

  • true ← (default)

job_wait_timeout

integer

The maximum wait time of job_wait in seconds. The job is tracked only for this duration.

This option is applicable when job_wait is true.

Default: 1200

KEK

list / elements=path

A list of absolute paths of the Key Exchange Key (KEK) certificate file for UEFI secure boot.

Directory path with write permission when export_certificates is true.

platform_key

path

The absolute path of the Platform key certificate file for UEFI secure boot.

Directory path with write permission when export_certificates is true.

reset_keys

string

Resets the UEFI Secure Boot keys.

DeleteAllKeys deletes the content of all UEFI Secure Boot key databases (PK, KEK, DB, and DBX). This choice configures the system in Setup Mode.

DeletePK deletes the content of the PK UEFI Secure Boot database. This choice configures the system in Setup Mode.

ResetAllKeysToDefault resets the content of all UEFI Secure Boot key databases (PK, KEK, DB, and DBX) to their default values.

ResetDB resets the content of the DB UEFI Secure Boot database to its default values.

ResetDBX resets the content of the DBX UEFI Secure Boot database to its default values.

ResetKEK resets the content of the KEK UEFI Secure Boot database to its default values.

ResetPK resets the content of the PK UEFI Secure Boot database to its default values.

Choices:

  • "DeleteAllKeys"

  • "DeletePK"

  • "ResetAllKeysToDefault"

  • "ResetDB"

  • "ResetDBX"

  • "ResetKEK"

  • "ResetPK"

restart

boolean

Secure boot certificate import operation requires a server restart. This parameter provides an option to restart the server.

true restarts the server.

false does not restart the server.

restart is applicable when import_certificates is true.

restart will be ignored only when export_certificates is true.

Choices:

  • false ← (default)

  • true

restart_type

string

Restart type of the server.

ForceRestart forcefully restarts the server.

GracefulRestart gracefully restarts the server.

restart_type is applicable when restart is true.

Choices:

  • "GracefulRestart" ← (default)

  • "ForceRestart"

secure_boot

string

UEFI Secure Boot.

The secure_boot can be Enabled only if boot_mode is UEFI and force_int_10 is Disabled.

Disabled disables the secure boot mode.

Enabled enables the secure boot mode.

Choices:

  • "Disabled"

  • "Enabled"

secure_boot_mode

string

The UEFI Secure Boot mode configures how to use the Secure Boot Policy.

AuditMode sets the Secure Boot mode to an Audit mode when Platform Key is not installed on the system. The BIOS does not authenticate updates to the policy objects and transition between modes. BIOS performs a signature verification on pre-boot images and logs the results in the Image Execution Information table, where it processes the images whether the status of verification is pass or fail.

DeployedMode sets the Secure Boot mode to a Deployed mode when Platform Key is installed on the system, and then BIOS performs a signature verification to update the policy objects.

UserMode sets the Secure Boot mode to a User mode when Platform Key is installed on the system, and then BIOS performs signature verification to update policy objects.

Choices:

  • "AuditMode"

  • "DeployedMode"

  • "UserMode"

secure_boot_policy

string

The following are the types of Secure Boot policy.

Custom inherits the standard certificates and image digests that are loaded in the system by default. You can modify the certificates and image digests.

Standard indicates that the system has default certificates, image digests, or hash loaded from the factory.

When the Secure Boot Policy is set to Custom, you can perform following operations such as viewing, exporting, importing, deleting, deleting all, and resetting policies.

Choices:

  • "Custom"

  • "Standard"

timeout

integer

added in dellemc.openmanage 5.0.0

The socket level timeout in seconds.

Default: 30

validate_certs

boolean

added in dellemc.openmanage 5.0.0

If false, the SSL certificates will not be validated.

Configure false only on personally controlled sites where self-signed certificates are used.

Prior to collection version 5.0.0, the validate_certs is false by default.

Choices:

  • false

  • true ← (default)

x_auth_token

string

added in dellemc.openmanage 9.3.0

Authentication token.

If the x_auth_token is not provided, then the environment variable IDRAC_X_AUTH_TOKEN is used.

Example: export IDRAC_X_AUTH_TOKEN=x_auth_token

Attributes

Attribute

Support

Description

check_mode

Support: full

Runs task to validate without performing action on the target machine.

diff_mode

Support: none

Runs the task to report the changes made or to be made.

Notes

Note

  • This module will always report changes found to be applied for import_certificates when run in check mode.

  • This module does not support idempotency when reset_type or export_certificates or import_certificates is provided.

  • To configure the secure boot settings, the idrac_secure_boot module performs the following order of operations set attributes, export certificate, reset keys, import certificate, and restart iDRAC.

  • export_certificate will export all the certificates of the key defined in the playbook.

  • This module considers values of restart and job_wait only for the last operation in the sequence.

  • This module supports IPv4 and IPv6 addresses.

  • Only reset_keys is supported on iDRAC8.

Examples

---
- name: Enable Secure Boot.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    secure_boot: "Enabled"

- name: Set Secure Boot mode, Secure Boot policy, and restart iDRAC.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    secure_boot: "Enabled"
    secure_boot_mode: "UserMode"
    secure_boot_policy: "Custom"
    restart: true
    restart_type: "GracefulRestart"

- name: Reset Secure Boot certificates.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    reset_keys: "ResetAllKeysToDefault"

- name: Export multiple Secure Boot certificate.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    export_certificates: true
    platform_key: /user/name/export_cert/pk
    KEK:
      - /user/name/export_cert/kek
    database:
      - /user/name/export_cert/db
    disallow_database:
      - /user/name/export_cert/dbx

- name: Import multiple Secure Boot certificate without applying to iDRAC.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    import_certificates: true
    platform_key: /user/name/certificates/pk.pem
    KEK:
      - /user/name/certificates/kek1.pem
      - /user/name/certificates/kek2.pem
    database:
      - /user/name/certificates/db1.pem
      - /user/name/certificates/db2.pem
    disallow_database:
      - /user/name/certificates/dbx1.pem
      - /user/name/certificates/dbx2.pem

- name: Import a Secure Boot certificate and restart the server to apply it.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    import_certificates: true
    platform_key: /user/name/certificates/pk.pem
    restart: true
    job_wait_timeout: 600

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

error_info

dictionary

Details of the HTTP Error.

Returned: on HTTP error

Sample: {"error": {"@Message.ExtendedInfo": [{"Message": "Unable to process the request because an error occurred.", "MessageArgs": [], "MessageId": "GEN1234", "RelatedProperties": [], "Resolution": "Retry the operation. If the issue persists, contact your system administrator.", "Severity": "Critical"}], "code": "Base.1.0.GeneralError", "message": "A general error has occurred. See ExtendedInfo for more information."}}

msg

string

Status of the secure boot operation.

Returned: always

Sample: "Successfully imported the SecureBoot certificate."

Authors

  • Abhishek Sinha(@ABHISHEK-SINHA10)

  • Lovepreet Singh (@singh-lovepreet1)