docs: document trusted boot

docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/arg.md

@@ -11,19 +11,22 @@ tags: ["edge"]
 During the EdgeForge process, you provide an **.arg** document that contains a list of parameters to configure the build
 of both the provider images and the Edge Installer ISO. This page lists the parameters available in the **.arg** file.
 
-| **Argument**       | **Description**                                                                                                                                        | **Allowed Values**                                                                              |
-| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------- |
-| `ARCH`             | Architecture of the image.                                                                                                                             | `amd64`, `arm64`.                                                                               |
-| `CUSTOM_TAG`       | A custom tag for the provider images. This custom tag will be appended to the `IMAGE_REGISTRY` and `IMAGE_REPO` parameters to form the full image tag. | Lowercase alphanumeric string without spaces.                                                   |
-| `FIPS_ENABLED`     | Whether to generate FIPS compliant binaries.                                                                                                           | `true`, `false.`                                                                                |
-| `HTTP_PROXY`       | URL of the HTTP Proxy server.                                                                                                                          | URL string.                                                                                     |
-| `HTTPS_PROXY`      | URL of the HTTPS Proxy server.                                                                                                                         | URL string.                                                                                     |
-| `IMAGE_REGISTRY`   | The image registry to use for tagging the generated provider images.                                                                                   | Your image registry hostname, without `http` or `https` <br /> Example: docker.io/spectrocloud. |
-| `IMAGE_REPO`       | The image repository to use for tagging the generated provider images.                                                                                 | Your image repository name.                                                                     |
-| `ISO_NAME`         | Name of the Installer ISO file.                                                                                                                        | Lowercase alphanumeric string without spaces. The characters `-` and `_` are allowed.           |
-| `K8S_DISTRIBUTION` | Kubernetes distribution.                                                                                                                               | ` k3s`, `rke2`, `kubeadm`, `kubeadm-fips`.                                                      |
-| `NO_PROXY`         | URLS that should be excluded from the proxy.                                                                                                           | Comma-separated URL string.                                                                     |
-| `OS_DISTRIBUTION`  | OS distribution.                                                                                                                                       | `ubuntu`, `opensuse-leap`, `rhel`.                                                              |
-| `OS_VERSION`       | OS version. This applies to Ubuntu only.                                                                                                               | `20`, `22`.                                                                                     |
-| `PROXY_CERT_PATH`  | Absolute path of the SSL Proxy certificate in the PEM format.                                                                                          | Absolute path string.                                                                           |
-| `UPDATE_KERNEL`    | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider.                                                          | `true`, `false`.                                                                                |
+| **Argument**                  | **Description**                                                                                                                                                     | **Allowed Values**                                                                              |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
+| `ARCH`                        | Architecture of the image. Required.                                                                                                                                | `amd64`, `arm64`.                                                                               |
+| `AUTO_ENROLL_SECUREBOOT_KEYS` | Determines whether to auto enroll keys used for Trusted Boot.                                                                                                       | `true`, `false`. Default is `false`.                                                            |
+| `CUSTOM_TAG`                  | A custom tag for the provider images. This custom tag will be appended to the `IMAGE_REGISTRY` and `IMAGE_REPO` parameters to form the full image tag.              | Lowercase alphanumeric string without spaces.                                                   |
+| `FIPS_ENABLED`                | Whether to generate FIPS compliant binaries.                                                                                                                        | `true`, `false.` Default is `false`                                                             |
+| `HTTP_PROXY`                  | URL of the HTTP Proxy server.                                                                                                                                       | URL string.                                                                                     |
+| `HTTPS_PROXY`                 | URL of the HTTPS Proxy server.                                                                                                                                      | URL string.                                                                                     |
+| `IMAGE_REGISTRY`              | The image registry to use for tagging the generated provider images. Required.                                                                                      | Your image registry hostname, without `http` or `https` <br /> Example: docker.io/spectrocloud. |
+| `IMAGE_REPO`                  | The image repository to use for tagging the generated provider images. Required.                                                                                    | Your image repository name.                                                                     |
+| `INCLUDE_MS_SECUREBOOT_KEYS`  | Whether to include Microsoft's secure boot keys in the set of keys to enroll in your device for secure boot. Almost every machine requires these keys.              | `true`, `false`. Default is `true`.                                                             |
+| `ISO_NAME`                    | Name of the Installer ISO file. Required.                                                                                                                           | Lowercase alphanumeric string without spaces. The characters `-` and `_` are allowed.           |
+| `IS_UKI`                      | Determines whether to build a Unified Kernel Image (UKI) to enabled Trusted Boot. Refer to [Trusted Boot](../../trusted-boot/trusted-boot.md) for more information. | `true`, `false`. Default is `false`.                                                            |
+| `K8S_DISTRIBUTION`            | Kubernetes distribution.                                                                                                                                            | ` k3s`, `rke2`, `kubeadm`, `kubeadm-fips`.                                                      |
+| `NO_PROXY`                    | URLS that should be excluded from the proxy.                                                                                                                        | Comma-separated URL string.                                                                     |
+| `OS_DISTRIBUTION`             | OS distribution.                                                                                                                                                    | `ubuntu`, `opensuse-leap`, `rhel`.                                                              |
+| `OS_VERSION`                  | OS version. This applies to Ubuntu only.                                                                                                                            | `20`, `22`.                                                                                     |
+| `PROXY_CERT_PATH`             | Absolute path of the SSL Proxy certificate in the PEM format.                                                                                                       | Absolute path string.                                                                           |
+| `UPDATE_KERNEL`               | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider.                                                                       | `true`, `false`.                                                                                |

docs/docs-content/clusters/edge/hardware-requirements.md

@@ -36,6 +36,16 @@ All Edge hosts must meet the following minimum hardware requirements.
 
 ARM64 support is only verified for the Nvidia Jetson Orin device family.
 
+## Trusted Boot
+
+To use Trusted Boot, your Edge host must meet the following additional requirements:
+
+- Edge host must have a Trusted Plat Module (TPM) 2.0 or later.
+- Edge host must support Unified Extensible Firmware Interface (UEFI) boot options.
+- Edge host must be capable of booting Extensible Firmware Interface (EFI) files of size 850 MB or greater. Refer to
+  [Check Hardware EFI Boot Limit](/docs/docs-content/clusters/edge/trusted-boot/edgeforge/check-efi-limit.md) for a
+  rough estimate of your EFI boot limit. For a more precise determination, contact sales@spectrocloud.com.
+
 ## Virtual Machine Operator (VMO)
 
 To operate VMO on edge clusters, the CPUs of the constituent Edge hosts must have the following virtualization

docs/docs-content/clusters/edge/trusted-boot/deployment-day2/_category_.json

@@ -0,0 +1,3 @@
+{
+  "position": 30
+}

docs/docs-content/clusters/edge/trusted-boot/deployment-day2/deployment-day2.md

@@ -0,0 +1,20 @@
+---
+sidebar_label: "Deployment and Management"
+title: "Deployment and Day 2 Operations for Trusted Boot"
+description:
+  "Learn about how to install Palette Edge with Trusted Boot and how to upgrade a cluster in Day-2 operations."
+hide_table_of_contents: false
+sidebar_position: 20
+tags: ["edge"]
+---
+
+Once you have built the Edge Installer ISO and have pushed the provider image to an available registry, you can proceed
+to installation and Day-2 operations such as upgrading a cluster thereafter. Both the installation process and the
+upgrade process for Palette Edge with Trusted Boot are similar to those without Trusted Boot.
+
+This section discusses how to install Palette Edge with Trusted Boot and how to upgrade a cluster.
+
+## Resources
+
+- [Installation](./install.md)
+- [Upgrade a Cluster](./upgrade-cluster.md)