Public bug reported:

Hi,

I've been trying to get Secure Boot VMs working on my OpenStack. But I'm running into issues with firmware requiring SMM enabled.

Versions:
libvirt version: 6.0.0, package: 0ubuntu8.15
QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.18)
Nova 23.1.1 (deployed via kolla, so kolla/ubuntu-source-nova-compute:wallaby is the image)
ovmf 0~20191122.bd85bf54-2ubuntu3.3

There's an issue with the way the Nova libvirt driver handles secure boot and the firmware bit. It boils down to the Nova libvirt driver not producing the correct XML to start a VM.

Nova needs to either:
1) Take advantage of libvirt's auto firmware selection feature
OR
2) Produce the correct XML

I have produced 2 series of patch sets for both approaches. Neither patch set is production/merge ready but works on my systems and provides a base.

1. https://review.opendev.org/c/openstack/nova/+/825729
2. https://review.opendev.org/c/openstack/nova/+/825496

Context:
http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026796.html
http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026826.html
https://specs.openstack.org/openstack/nova-specs/specs/wallaby/implemented/allow-secure-boot-for-qemu-kvm-guests.html
https://that.guru/blog/uefi-secure-boot-in-libvirt/
https://libvirt.org/formatdomain.html#bios-bootloader

** Affects: nova
     Importance: Undecided
         Status: In Progress

https://bugs.launchpad.net/bugs/1958636

Title:
  nova / libvirt Secure Boot VM support not fully functional
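The second option in the report, producing the correct XML by hand, can be checked before a domain is defined. The following is an added example, not code from Nova or from the reporter's patch sets; it assumes libvirt's rules that a loader marked secure='yes' needs SMM switched on and a q35 machine type, and the function name, sample domains and firmware path are constructed. When firmware='efi' hands selection to libvirt, it only checks the machine type.

```python
import xml.etree.ElementTree as ET

def secure_boot_problems(domain_xml):
    """Return reasons a libvirt domain XML cannot start a Secure Boot guest."""
    root = ET.fromstring(domain_xml)
    os_el = root.find("os")
    loader = os_el.find("loader") if os_el is not None else None
    if loader is None or loader.get("secure") != "yes":
        return []  # Secure Boot not requested, nothing to check
    problems = []
    if os_el.get("firmware") != "efi":
        # No auto-selection: the XML itself must enable SMM and name the firmware.
        smm = root.find("features/smm")
        if smm is None or smm.get("state") != "on":
            problems.append("smm: secure loader needs <smm state='on'/> in <features>")
        if loader.get("type") != "pflash" or not (loader.text or "").strip():
            problems.append("loader: need type='pflash' and a firmware path")
    os_type = os_el.find("type")
    machine = os_type.get("machine", "") if os_type is not None else ""
    if "q35" not in machine:
        problems.append("machine: secure boot needs a q35 machine type, got %r" % machine)
    return problems

def _domain(os_attrs, loader, features):
    # Constructed sample domain, reduced to the elements the check reads.
    return ("<domain type='kvm'><name>sb-test</name><os%s>"
            "<type arch='x86_64' machine='pc-q35-4.2'>hvm</type>%s</os>"
            "<features><acpi/>%s</features></domain>" % (os_attrs, loader, features))

# Constructed firmware path, not taken from the bug report.
PFLASH = ("<loader readonly='yes' secure='yes' type='pflash'>"
          "/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>")
MISSING_SMM = _domain("", PFLASH, "")
MANUAL = _domain("", PFLASH, "<smm state='on'/>")
AUTO = _domain(" firmware='efi'", "<loader secure='yes'/>", "<smm state='on'/>")

if __name__ == "__main__":
    for name, xml in (("missing-smm", MISSING_SMM), ("manual", MANUAL), ("auto", AUTO)):
        print(name, secure_boot_problems(xml) or "ok")
```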