yahoo-eng-team team mailing list archive

[Bug 1958636] Re: nova / libvirt Secure Boot VM support not fully functional

 

Reviewed:  https://review.opendev.org/c/openstack/nova/+/825496
Committed: https://opendev.org/openstack/nova/commit/6ad789010043dc4dcf8d1c0f497b6c728d230f45
Submitter: "Zuul (22348)"
Branch:    master

commit 6ad789010043dc4dcf8d1c0f497b6c728d230f45
Author: Imran Hussain <ih@xxxxxxxxxxxx>
Date:   Thu Jan 20 12:26:41 2022 +0000

    [nova/libvirt] Support for checking and enabling SMM when needed
    
    Check the features list we get from the firmware descriptor file
    to see if we need SMM (requires-smm), if so then enable it as
    we aren't using the libvirt built in mechanism to enable it
    when grabbing the right firmware.
    
    Closes-Bug: 1958636
    
    Change-Id: I890b3021a29fa546d9e36b21b1111e8537cd0020
    Signed-off-by: Imran Hussain <ih@xxxxxxxxxxxx>


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1958636

Title:
  nova / libvirt Secure Boot VM support not fully functional

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Hi,

  I've been trying to get Secure Boot VMs working on my OpenStack. But
  I'm running into issues with firmware requiring SMM enabled.

  Versions:
  libvirt version: 6.0.0, package: 0ubuntu8.15
  QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.18)
  Nova 23.1.1 (deployed via kolla, so kolla/ubuntu-source-nova-compute:wallaby is the image)
  ovmf 0~20191122.bd85bf54-2ubuntu3.3

  There's an issue with the way the Nova Libvirt driver handles secure
  boot and the firmware bit.

  It boils down to the Nova Libvirt driver not producing the correct XML
  to start a VM. Nova needs to either:

  1) Take advantage of Libvirt's auto firmware selection feature
  OR
  2) Produce the correct XML

  I have produced 2 series of patch sets for both approaches. Neither
  patch set is production/merge ready, but they work on my systems and
  provide a base.

  1. https://review.opendev.org/c/openstack/nova/+/825729
  2. https://review.opendev.org/c/openstack/nova/+/825496

  
  Context:
  http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026796.html
  http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026826.html
  https://specs.openstack.org/openstack/nova-specs/specs/wallaby/implemented/allow-secure-boot-for-qemu-kvm-guests.html
  https://that.guru/blog/uefi-secure-boot-in-libvirt/
  https://libvirt.org/formatdomain.html#bios-bootloader

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1958636/+subscriptions
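
The check the commit message describes, sketched as an added example (not nova's code and not part of the original notification): read the `features` list of a firmware descriptor and emit an SMM-enabled libvirt domain fragment when `requires-smm` is present. It assumes the QEMU firmware descriptor JSON layout; the function names and the sample descriptor, including its paths, are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the QEMU firmware descriptor JSON layout (assumption);
# the file paths are illustrative, not taken from the bug report.
SAMPLE_DESCRIPTOR = """
{
  "description": "OVMF with Secure Boot (constructed sample)",
  "interface-types": ["uefi"],
  "mapping": {
    "device": "flash",
    "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", "format": "raw"},
    "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.ms.fd", "format": "raw"}
  },
  "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
  "features": ["acpi-s3", "enrolled-keys", "requires-smm", "secure-boot"],
  "tags": []
}
"""


def firmware_needs_smm(descriptor: dict) -> bool:
    """True when the firmware build only works with SMM enabled in the guest."""
    return "requires-smm" in descriptor.get("features", [])


def build_guest_xml(descriptor: dict, want_secure_boot: bool) -> str:
    """Return a <domain> fragment with <os> and <features> (hypothetical helper)."""
    if want_secure_boot and "secure-boot" not in descriptor.get("features", []):
        # Refuse rather than boot a "secure" guest on firmware that cannot enforce it.
        raise ValueError("firmware does not advertise secure-boot")
    mapping = descriptor["mapping"]
    domain = ET.Element("domain", type="kvm")
    os_el = ET.SubElement(domain, "os")
    loader = ET.SubElement(os_el, "loader", readonly="yes", type="pflash",
                           secure="yes" if want_secure_boot else "no")
    loader.text = mapping["executable"]["filename"]
    ET.SubElement(os_el, "nvram", template=mapping["nvram-template"]["filename"])
    features = ET.SubElement(domain, "features")
    if firmware_needs_smm(descriptor):
        # Without this element the XML names SMM-requiring firmware but leaves SMM off.
        ET.SubElement(features, "smm", state="on")
    return ET.tostring(domain, encoding="unicode")


if __name__ == "__main__":
    print(build_guest_xml(json.loads(SAMPLE_DESCRIPTOR), want_secure_boot=True))
```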
