yahoo-eng-team team mailing list archive

[Bug 1958636] [NEW] nova / libvirt Secure Boot VM support not fully functional

 

Public bug reported:

Hi,

I've been trying to get Secure Boot VMs working on my OpenStack. But I'm
running into issues with firmware requiring SMM enabled.

Versions:
libvirt version: 6.0.0, package: 0ubuntu8.15
QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.18)
Nova 23.1.1 (deployed via kolla, so kolla/ubuntu-source-nova-compute:wallaby is the image)
ovmf 0~20191122.bd85bf54-2ubuntu3.3

There's an issue with the way the Nova libvirt driver handles secure boot
and the firmware bit.

It boils down to the Nova libvirt driver not producing the correct XML to
start a VM. Nova needs to either:

1) Take advantage of libvirt's auto firmware selection feature
OR
2) Produce the correct XML

I have produced 2 series of patch sets for both approaches. Neither
patch set is production/merge ready, but both work on my systems and
provide a base.

1. https://review.opendev.org/c/openstack/nova/+/825729
2. https://review.opendev.org/c/openstack/nova/+/825496


Context:
http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026796.html
http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026826.html
https://specs.openstack.org/openstack/nova-specs/specs/wallaby/implemented/allow-secure-boot-for-qemu-kvm-guests.html
https://that.guru/blog/uefi-secure-boot-in-libvirt/
https://libvirt.org/formatdomain.html#bios-bootloader

** Affects: nova
     Importance: Undecided
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1958636

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1958636/+subscriptions
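
A check for the condition this report describes, a Secure Boot loader in libvirt domain XML without SMM enabled, written as an added example (not code from the bug report, its patch sets or Nova). The XML samples are constructed, the loader path is a placeholder, and treating `firmware='efi'` as leaving the SMM decision to libvirt is an assumption.

```python
import xml.etree.ElementTree as ET

def sample(machine="pc-q35-4.2", smm="", auto=False):
    """Build a constructed <domain> fragment; the loader path is a placeholder."""
    fw = " firmware='efi'" if auto else ""
    loader = ("<loader secure='yes'/>" if auto else
              "<loader readonly='yes' secure='yes' type='pflash'>"
              "/path/to/OVMF_CODE.secboot.fd</loader>")
    return (f"<domain type='kvm'><os{fw}>"
            f"<type arch='x86_64' machine='{machine}'>hvm</type>{loader}</os>"
            f"<features><acpi/>{smm}</features></domain>")

def secure_boot_problems(domain_xml):
    """Return reasons a Secure Boot guest definition is inconsistent."""
    root = ET.fromstring(domain_xml)
    os_el = root.find("os")
    loader = os_el.find("loader") if os_el is not None else None
    if loader is None or loader.get("secure") != "yes":
        return []  # Secure Boot was not requested
    problems = []
    type_el = os_el.find("type")
    machine = type_el.get("machine", "") if type_el is not None else ""
    if "q35" not in machine:
        problems.append(f"machine type {machine!r} is not q35")
    smm = root.find("features/smm")
    # <smm/> without a state attribute means "on" in libvirt.
    state = None if smm is None else smm.get("state", "on")
    # Assumption: with firmware='efi' libvirt picks the firmware itself, so
    # only an explicit state='off' is flagged in that mode.
    auto = os_el.get("firmware") == "efi"
    if state == "off":
        problems.append("SMM is explicitly disabled")
    elif state is None and not auto:
        problems.append("secure loader without <smm state='on'/>")
    return problems

if __name__ == "__main__":
    cases = {
        "manual, no smm": sample(),
        "manual, smm on": sample(smm="<smm state='on'/>"),
        "auto selection": sample(auto=True),
        "i440fx machine": sample(machine="pc-i440fx-4.2", smm="<smm state='on'/>"),
    }
    for name, xml in cases.items():
        print(f"{name}: {secure_boot_problems(xml) or 'ok'}")
```
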
