Creating a Boot Partition on RHEL or CentOS 6

HyTrust requires a separate boot partition in which the HyTrust DataControl Policy Agent can be installed. How you do this depends on the version of Linux running on the server. For your convenience, the following sections explain how to set up a separate boot partition on CentOS 6.

Assume that the current Linux is installed on device /dev/sda and that the GRUB stage1 bootloader is also installed on /dev/sda. This is a typical Linux installation. Assuming you add a new device named /dev/sdb to hold the new boot partition, you should create a partition on it using fdisk or sfdisk. For example:

# sfdisk -f -uS -D /dev/sdb << EOF
EOF

# partprobe

Find out the space required by the /boot subtree:

# du -sh /boot

The new boot partition should have at least two times this space. As a rule of thumb, the space provided should be twice the space used by /boot, plus 100MB. Format the new partition with ext4 (ext3 is also fine), as follows:

# mkfs.ext4 /dev/sdb1

Copy the files from the /boot directory to the new boot partition:

# mkdir -p /tmp/sdb1/boot
# mount /dev/sdb1 /tmp/sdb1/boot
# cp -a /boot/* /tmp/sdb1/boot

Find out the UUID of the new boot partition:

# blkid /dev/sdb1
# umount /tmp/sdb1/boot

Add an entry to /etc/fstab to mount the new boot partition, as follows:

UUID=<uuid> /boot ext4 rw 0 0

Mount the new /boot partition:

# mount /boot

Install GRUB with boot files on the new boot partition, while the GRUB stage1 is copied to the current boot device, as follows:

# grub-install --recheck /dev/sda

Note that GRUB is being installed on /dev/sda but the boot directory comes from /dev/sdb1. Update your GRUB configuration to take this change into account. Manually edit /boot/grub/menu.lst so that root points to the GRUB device equivalent of /dev/sdb. Usually, it is hd1; see the mapping in /boot/grub/device.map. In addition, kernel must assume that vmlinuz is in / and not /boot, and initrd must assume that the initramfs image is in / and not /boot.

For example:

default=0
timeout=5
splashimage=(hd1,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-358.el6.x86_64)
root (hd1,0)
kernel /vmlinuz-2.6.32-358.el6.x86_64 ro \
  root=UUID=98e62ddf-69ec-4a82-b143-b87291d4a9b8 \
  rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 r
initrd /initramfs-2.6.32-358.el6.x86_64.img

Please refer to the section Using a separate partition for /boot in http://wiki.centos.org/HowTos/GrubInstallation.
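
A wrong root, kernel or initrd entry in menu.lst leaves the server unbootable, so the edited file can be checked against the rules above before rebooting. The following script is an added example, not part of the HyTrust documentation: the function names check_menu_lst and make_fixture and the fixture files are constructed for illustration, and it assumes the new boot partition is the first partition on the new disk.

```shell
#!/bin/sh
# Added example (not HyTrust code): lint a GRUB legacy menu.lst before rebooting.
# Assumes the new boot partition is the first partition of BOOT_DISK, i.e. (hdN,0).
# Usage: check_menu_lst MENU_LST DEVICE_MAP BOOT_DIR BOOT_DISK
# On a real system:
#   check_menu_lst /boot/grub/menu.lst /boot/grub/device.map /boot /dev/sdb
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_menu_lst() {
    menu=$1 map=$2 bootdir=$3 disk=$4 rc=0
    # Translate the Linux disk name to its GRUB name via device.map: "(hd1) /dev/sdb"
    gdev=$(awk -v d="$disk" '$2 == d { gsub(/[()]/, "", $1); print $1; exit }' "$map")
    [ -n "$gdev" ] || { echo "device.map has no entry for $disk"; return 1; }
    findings=$(awk -v want="($gdev,0)" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continued lines
        { n = split(buf $0, f, " "); buf = "" }
        n < 2 { next }
        f[1] == "root" && f[2] != want { print "ERR root is " f[2] ", expected " want }
        f[1] == "kernel" || f[1] == "initrd" {
            if (f[2] ~ /^\/boot\//) print "ERR " f[1] " path " f[2] " still starts with /boot"
            else print "FILE " f[2]
        }' "$menu")
    # Paths are tested by the shell, never passed to system(), so odd names cannot run
    while read -r kind rest; do
        case $kind in
            ERR)  echo "$rest"; rc=1 ;;
            FILE) [ -f "$bootdir$rest" ] || { echo "$rest not found in $bootdir"; rc=1; } ;;
        esac
    done <<EOF
$findings
EOF
    return $rc
}

# Constructed fixture: a fake /boot, device.map and two menu.lst variants in DIR.
make_fixture() {
    mkdir -p "$1/boot/grub"
    : > "$1/boot/vmlinuz-2.6.32-358.el6.x86_64"
    : > "$1/boot/initramfs-2.6.32-358.el6.x86_64.img"
    printf '(hd0) /dev/sda\n(hd1) /dev/sdb\n' > "$1/device.map"
    printf '%s\n' 'default=0' 'title CentOS' 'root (hd1,0)' \
        'kernel /vmlinuz-2.6.32-358.el6.x86_64 ro \' '  rd_NO_LUKS rd_NO_LVM' \
        'initrd /initramfs-2.6.32-358.el6.x86_64.img' > "$1/good.lst"
    printf '%s\n' 'title CentOS' 'root (hd0,0)' \
        'kernel /boot/vmlinuz-2.6.32-358.el6.x86_64 ro' \
        'initrd /initramfs-missing.img' > "$1/bad.lst"
}
```
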

Your system is ready now, so reboot and confirm that all is well.

What to Do Next 

Verify the configuration as described in Verifying the Current VM Configuration and then encrypt the boot disk as described in Encrypting Linux Root and Swap Drives.