

[Bug 2116092] Re: Openstack secure boot for windows and linux distros

 

A few notes:
 - When using image metadata with a volume boot, make sure that the properties are set on the "root volume".
   If you change the volume order, you may end up with a volume that has no properties as the boot volume.

 - In an OpenStack environment we usually expect you to use a pre-built image, rather than using an ISO to
   go through the usual installation steps.

I'm closing this as Invalid per comment:8. For the record, in the attached dumps the Linux instance's <loader> has secure='no' and the Windows instance's <os> has no <loader>/<nvram> elements at all, so neither domain as dumped is configured for Secure Boot.

** Changed in: nova
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2116092

Title:
  Openstack secure boot for windows and linux distros

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  I would like to install Windows 11 on OpenStack with support for Secure Boot, TPM, etc. I have been struggling with this for some time: when I create a Linux distribution instance, the paths to "loader" and "nvram" are correct in the instance XML file, but I still can't run Secure Boot. And if I create a Windows 11 instance, none of the above works. Please advise.
  I am attaching the XML files.

  
  Linux:
  openstack@ubuntik:~$ virsh dumpxml instance-00000033
  <domain type='kvm' id='20'>
  <name>instance-00000033</name>
  <uuid>ffc1b7ac-bc71-48ce-8ee5-fc21bdcdb933</uuid>
  <metadata>
  <nova:instance xmlns:nova="http://openstack.org/xmlns/libvirt/nova/1.1">
  <nova:package version="27.4.0"/>
  <nova:name>test-ubuntu-secure-boot</nova:name>
  <nova:creationTime>2025-07-07 11:20:44</nova:creationTime>
  <nova:flavor name="linux flavor mid">
  <nova:memory>8192</nova:memory>
  <nova:disk>50</nova:disk>
  <nova:swap>0</nova:swap>
  <nova:ephemeral>0</nova:ephemeral>
  <nova:vcpus>2</nova:vcpus>
  </nova:flavor>
  <nova:owner>
  <nova:user uuid="25cbacbfed884ec08b0124620a8cf46e">admin</nova:user>
  <nova:project uuid="d8accdbc14094a8f822692a5eef291f2">admin</nova:project>
  </nova:owner>
  <nova:root type="image" uuid="397d21d5-eac3-401d-ac47-b36a80d8ac35"/>
  <nova:ports>
  <nova:port uuid="c90edcd5-a670-484b-bd47-75ecbf22fb94">
  <nova:ip type="fixed" address="10.2.0.196" ipVersion="4"/>
  </nova:port>
  </nova:ports>
  </nova:instance>
  </metadata>
  <memory unit='KiB'>8388608</memory>
  <currentMemory unit='KiB'>8388608</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <resource>
  <partition>/machine</partition>
  </resource>
  <sysinfo type='smbios'>
  <system>
  <entry name='manufacturer'>OpenStack Foundation</entry>
  <entry name='product'>OpenStack Nova</entry>
  <entry name='version'>27.4.0</entry>
  <entry name='serial'>ffc1b7ac-bc71-48ce-8ee5-fc21bdcdb933</entry>
  <entry name='uuid'>ffc1b7ac-bc71-48ce-8ee5-fc21bdcdb933</entry>
  <entry name='family'>Virtual Machine</entry>
  </system>
  </sysinfo>
  <os>
  <type arch='x86_64' machine='pc-q35-6.2'>hvm</type>
  <loader readonly='yes' secure='no' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.fd</loader>
  <nvram template='/usr/share/OVMF/OVMF_VARS_4M.fd'>/var/lib/libvirt/qemu/nvram/instance-00000033_VARS.fd</nvram>
  <boot dev='hd'/>
  <smbios mode='sysinfo'/>
  </os>
  <features>
  <acpi/>
  <apic/>
  <vmcoreinfo state='on'/>
  </features>
  <cpu mode='host-passthrough' check='none' migratable='on'>
  <topology sockets='2' dies='1' cores='1' threads='1'/>
  </cpu>
  <clock offset='utc'>
  <timer name='pit' tickpolicy='delay'/>
  <timer name='rtc' tickpolicy='catchup'/>
  <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
  <emulator>/usr/bin/qemu-system-x86_64</emulator>
  <disk type='file' device='disk'>
  <driver name='qemu' type='qcow2' cache='none'/>
  <source file='/var/lib/nova/instances/ffc1b7ac-bc71-48ce-8ee5-fc21bdcdb933/disk' index='1'/>
  <backingStore type='file' index='2'>
  <format type='raw'/>
  <source file='/var/lib/nova/instances/_base/8df7cd5716456d67e8d9c371b831d47232e9dfb1'/>
  <backingStore/>
  </backingStore>
  <target dev='vda' bus='virtio'/>
  <alias name='virtio-disk0'/>
  <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
  </disk>
  <controller type='usb' index='0' model='piix3-uhci'>
  <alias name='usb'/>
  <address type='pci' domain='0x0000' bus='0x03' slot='0x01' function='0x0'/>
  </controller>
  <controller type='sata' index='0'>
  <alias name='ide'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
  </controller>
  <controller type='pci' index='0' model='pcie-root'>
  <alias name='pcie.0'/>
  </controller>
  <controller type='pci' index='1' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='1' port='0x10'/>
  <alias name='pci.1'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
  </controller>
  <controller type='pci' index='2' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='2' port='0x11'/>
  <alias name='pci.2'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
  </controller>
  <controller type='pci' index='3' model='pcie-to-pci-bridge'>
  <model name='pcie-pci-bridge'/>
  <alias name='pci.3'/>
  <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
  </controller>
  <controller type='pci' index='4' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='4' port='0x12'/>
  <alias name='pci.4'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
  </controller>
  <controller type='pci' index='5' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='5' port='0x13'/>
  <alias name='pci.5'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
  </controller>
  <controller type='pci' index='6' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='6' port='0x14'/>
  <alias name='pci.6'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
  </controller>
  <controller type='pci' index='7' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='7' port='0x15'/>
  <alias name='pci.7'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
  </controller>
  <interface type='bridge'>
  <mac address='fa:16:3e:a4:ac:d4'/>
  <source bridge='qbrc90edcd5-a6'/>
  <target dev='tapc90edcd5-a6'/>
  <model type='virtio'/>
  <mtu size='1500'/>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
  </interface>
  <serial type='pty'>
  <source path='/dev/pts/2'/>
  <log file='/var/lib/nova/instances/ffc1b7ac-bc71-48ce-8ee5-fc21bdcdb933/console.log' append='off'/>
  <target type='isa-serial' port='0'>
  <model name='isa-serial'/>
  </target>
  <alias name='serial0'/>
  </serial>
  <console type='pty' tty='/dev/pts/2'>
  <source path='/dev/pts/2'/>
  <log file='/var/lib/nova/instances/ffc1b7ac-bc71-48ce-8ee5-fc21bdcdb933/console.log' append='off'/>
  <target type='serial' port='0'/>
  <alias name='serial0'/>
  </console>
  <input type='tablet' bus='usb'>
  <alias name='input0'/>
  <address type='usb' bus='0' port='1'/>
  </input>
  <input type='mouse' bus='ps2'>
  <alias name='input1'/>
  </input>
  <input type='keyboard' bus='ps2'>
  <alias name='input2'/>
  </input>
  <graphics type='vnc' port='5903' autoport='yes' listen='10.0.0.200'>
  <listen type='address' address='10.0.0.200'/>
  </graphics>
  <audio id='1' type='none'/>
  <video>
  <model type='virtio' heads='1' primary='yes'/>
  <alias name='video0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
  </video>
  <memballoon model='virtio'>
  <stats period='10'/>
  <alias name='balloon0'/>
  <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
  </memballoon>
  <rng model='virtio'>
  <backend model='random'>/dev/urandom</backend>
  <alias name='rng0'/>
  <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
  </rng>
  </devices>
  <seclabel type='dynamic' model='apparmor' relabel='yes'>
  <label>libvirt-ffc1b7ac-bc71-48ce-8ee5-fc21bdcdb933</label>
  <imagelabel>libvirt-ffc1b7ac-bc71-48ce-8ee5-fc21bdcdb933</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
  <label>+64055:+108</label>
  <imagelabel>+64055:+108</imagelabel>
  </seclabel>
  </domain>

  
  Windows:
  openstack@ubuntik:~$ virsh dumpxml instance-00000032
  <domain type='kvm' id='19'>
  <name>instance-00000032</name>
  <uuid>4053650a-0846-4751-89ca-4b1959fb34a6</uuid>
  <metadata>
  <nova:instance xmlns:nova="http://openstack.org/xmlns/libvirt/nova/1.1">
  <nova:package version="27.4.0"/>
  <nova:name>windows11-secure-no-net</nova:name>
  <nova:creationTime>2025-07-07 11:16:40</nova:creationTime>
  <nova:flavor name="win11-secure-ide">
  <nova:memory>8192</nova:memory>
  <nova:disk>0</nova:disk>
  <nova:swap>0</nova:swap>
  <nova:ephemeral>0</nova:ephemeral>
  <nova:vcpus>2</nova:vcpus>
  </nova:flavor>
  <nova:owner>
  <nova:user uuid="25cbacbfed884ec08b0124620a8cf46e">admin</nova:user>
  <nova:project uuid="d8accdbc14094a8f822692a5eef291f2">admin</nova:project>
  </nova:owner>
  <nova:ports/>
  </nova:instance>
  </metadata>
  <memory unit='KiB'>8388608</memory>
  <currentMemory unit='KiB'>8388608</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <resource>
  <partition>/machine</partition>
  </resource>
  <sysinfo type='smbios'>
  <system>
  <entry name='manufacturer'>OpenStack Foundation</entry>
  <entry name='product'>OpenStack Nova</entry>
  <entry name='version'>27.4.0</entry>
  <entry name='serial'>4053650a-0846-4751-89ca-4b1959fb34a6</entry>
  <entry name='uuid'>4053650a-0846-4751-89ca-4b1959fb34a6</entry>
  <entry name='family'>Virtual Machine</entry>
  </system>
  </sysinfo>
  <os>
  <type arch='x86_64' machine='pc-q35-6.2'>hvm</type>
  <boot dev='hd'/>
  <boot dev='cdrom'/>
  <smbios mode='sysinfo'/>
  </os>
  <features>
  <acpi/>
  <apic/>
  <vmcoreinfo state='on'/>
  </features>
  <cpu mode='host-passthrough' check='none' migratable='on'>
  <topology sockets='2' dies='1' cores='1' threads='1'/>
  </cpu>
  <clock offset='utc'>
  <timer name='pit' tickpolicy='delay'/>
  <timer name='rtc' tickpolicy='catchup'/>
  <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
  <emulator>/usr/bin/qemu-system-x86_64</emulator>
  <disk type='block' device='cdrom'>
  <driver name='qemu' type='raw' cache='none' io='native'/>
  <source dev='/dev/sde' index='4'/>
  <backingStore/>
  <target dev='sda' bus='sata'/>
  <readonly/>
  <serial>240805e5-480e-47a2-999f-c2fe69642419</serial>
  <alias name='sata0-0-0'/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
  </disk>
  <disk type='block' device='cdrom'>
  <driver name='qemu' type='raw' cache='none' io='native'/>
  <source dev='/dev/sdf' index='3'/>
  <backingStore/>
  <target dev='sdb' bus='sata'/>
  <readonly/>
  <serial>52ce3473-acd4-47bb-af90-10efa7b2e2db</serial>
  <alias name='sata0-0-1'/>
  <address type='drive' controller='0' bus='0' target='0' unit='1'/>
  </disk>
  <disk type='file' device='cdrom'>
  <driver name='qemu' type='raw' cache='none'/>
  <source file='/var/lib/nova/instances/4053650a-0846-4751-89ca-4b1959fb34a6/disk.config' index='2'/>
  <backingStore/>
  <target dev='sdc' bus='sata'/>
  <readonly/>
  <alias name='sata0-0-2'/>
  <address type='drive' controller='0' bus='0' target='0' unit='2'/>
  </disk>
  <disk type='block' device='disk'>
  <driver name='qemu' type='raw' cache='none' io='native'/>
  <source dev='/dev/sdd' index='1'/>
  <backingStore/>
  <target dev='vda' bus='virtio'/>
  <serial>b467ac6d-e215-47f3-8d35-45aa469a4200</serial>
  <alias name='virtio-disk0'/>
  <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
  </disk>
  <controller type='usb' index='0' model='piix3-uhci'>
  <alias name='usb'/>
  <address type='pci' domain='0x0000' bus='0x02' slot='0x01' function='0x0'/>
  </controller>
  <controller type='sata' index='0'>
  <alias name='ide'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
  </controller>
  <controller type='pci' index='0' model='pcie-root'>
  <alias name='pcie.0'/>
  </controller>
  <controller type='pci' index='1' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='1' port='0x10'/>
  <alias name='pci.1'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
  </controller>
  <controller type='pci' index='2' model='pcie-to-pci-bridge'>
  <model name='pcie-pci-bridge'/>
  <alias name='pci.2'/>
  <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
  </controller>
  <controller type='pci' index='3' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='3' port='0x11'/>
  <alias name='pci.3'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
  </controller>
  <controller type='pci' index='4' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='4' port='0x12'/>
  <alias name='pci.4'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
  </controller>
  <controller type='pci' index='5' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='5' port='0x13'/>
  <alias name='pci.5'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
  </controller>
  <controller type='pci' index='6' model='pcie-root-port'>
  <model name='pcie-root-port'/>
  <target chassis='6' port='0x14'/>
  <alias name='pci.6'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
  </controller>
  <serial type='pty'>
  <source path='/dev/pts/0'/>
  <log file='/var/lib/nova/instances/4053650a-0846-4751-89ca-4b1959fb34a6/console.log' append='off'/>
  <target type='isa-serial' port='0'>
  <model name='isa-serial'/>
  </target>
  <alias name='serial0'/>
  </serial>
  <console type='pty' tty='/dev/pts/0'>
  <source path='/dev/pts/0'/>
  <log file='/var/lib/nova/instances/4053650a-0846-4751-89ca-4b1959fb34a6/console.log' append='off'/>
  <target type='serial' port='0'/>
  <alias name='serial0'/>
  </console>
  <input type='tablet' bus='usb'>
  <alias name='input0'/>
  <address type='usb' bus='0' port='1'/>
  </input>
  <input type='mouse' bus='ps2'>
  <alias name='input1'/>
  </input>
  <input type='keyboard' bus='ps2'>
  <alias name='input2'/>
  </input>
  <tpm model='tpm-tis'>
  <backend type='emulator' version='2.0'>
  <encryption secret='cdd94077-2edf-41cd-8875-52b53dd1476a'/>
  </backend>
  <alias name='tpm0'/>
  </tpm>
  <graphics type='vnc' port='5902' autoport='yes' listen='10.0.0.200'>
  <listen type='address' address='10.0.0.200'/>
  </graphics>
  <audio id='1' type='none'/>
  <video>
  <model type='virtio' heads='1' primary='yes'/>
  <alias name='video0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
  </video>
  <memballoon model='virtio'>
  <stats period='10'/>
  <alias name='balloon0'/>
  <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
  </memballoon>
  <rng model='virtio'>
  <backend model='random'>/dev/urandom</backend>
  <alias name='rng0'/>
  <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
  </rng>
  </devices>
  <seclabel type='dynamic' model='apparmor' relabel='yes'>
  <label>libvirt-4053650a-0846-4751-89ca-4b1959fb34a6</label>
  <imagelabel>libvirt-4053650a-0846-4751-89ca-4b1959fb34a6</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
  <label>+64055:+108</label>
  <imagelabel>+64055:+108</imagelabel>
  </seclabel>
  </domain>

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2116092/+subscriptions


