)]}'
{"id":"openstack%2Fnova-specs~686804","triplet_id":"openstack%2Fnova-specs~master~I299903a5f3b3741cb2b2d0271087c263552d4134","project":"openstack/nova-specs","branch":"master","topic":"bp/add-emulated-virtual-tpm","hashtags":[],"change_id":"I299903a5f3b3741cb2b2d0271087c263552d4134","subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","status":"MERGED","created":"2019-10-04 18:03:53.000000000","updated":"2020-01-14 11:31:36.000000000","submitted":"2020-01-14 11:29:39.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":295,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"686804-1579001379081-bbef5f2b","meta_rev_id":"60732f532745a421a434d5ea6f62dee818e811d2","_number":686804,"virtual_id_number":686804,"owner":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:gate","value":2,"date":"2020-01-14 11:29:38.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},{"value":0,"_account_id":9452,"name":"James Penick","email":"penick@verizonmedia.com","username":"epim"},{"value":0,"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},{"value":0,"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},{"value":0,"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},{"value":0,"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},{"value":0,"_account_id":10343,"name":"Jim 
Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},{"value":0,"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},{"value":0,"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},{"value":0,"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},{"value":0,"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},{"value":0,"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},{"value":0,"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":2,"date":"2020-01-09 17:08:33.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},{"value":0,"_account_id":9452,"name":"James Penick","email":"penick@verizonmedia.com","username":"epim"},{"value":0,"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},{"value":0,"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},{"value":0,"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},{"value":2,"date":"2020-01-14 10:42:00.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},{"value":1,"date":"2020-01-08 20:17:01.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},{"value":0,"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},{"value":0,"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},{"value":0,"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},{"value":1,"date":"2020-01-14 10:52:43.000000000","permitted_voting_range":{"min":1,"max":2},"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},{"value":0,"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},{"value":0,"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},{"value":0,"_account_id":9452,"name":"James Penick","email":"penick@verizonmedia.com","username":"epim"},{"value":0,"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},{"value":0,"_account_id":4393,"name":"Dan 
Smith","email":"dms@danplanet.com","username":"danms"},{"value":0,"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},{"value":1,"date":"2020-01-14 10:42:00.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},{"value":0,"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},{"value":0,"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},{"value":0,"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},{"value":0,"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},{"value":0,"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},{"value":0,"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},{"value":0,"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true},"Review-Priority":{"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},{"value":0,"_account_id":9452,"name":"James Penick","email":"penick@verizonmedia.com","username":"epim"},{"value":0,"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},{"value":0,"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},{"value":0,"_account_id":7973,"name":"Douglas 
Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},{"value":0,"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},{"value":0,"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},{"value":0,"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},{"value":0,"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},{"value":0,"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},{"value":0,"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},{"value":0,"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},{"value":0,"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"}],"values":{" 0":"Default Priority","+1":"Contributor Review Promise","+2":"Core Review Promise"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},{"_account_id":9452,"name":"James Penick","email":"penick@verizonmedia.com","username":"epim"},{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee 
Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2019-10-04 23:58:14.000000000","updated_by":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"reviewer":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"state":"REVIEWER"},{"updated":"2019-11-01 18:23:14.000000000","updated_by":{"_account_id":9452,"name":"James Penick","email":"penick@verizonmedia.com","username":"epim"},"reviewer":{"_account_id":9452,"name":"James Penick","email":"penick@verizonmedia.com","username":"epim"},"state":"REVIEWER"},{"updated":"2019-11-14 20:46:41.000000000","updated_by":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"reviewer":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"state":"REVIEWER"},{"updated":"2019-11-14 20:46:48.000000000","updated_by":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"reviewer":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"state":"REVIEWER"},{"updated":"2019-11-19 13:34:15.000000000","updated_by":{"_account_id":7973,"name":"Douglas 
Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"reviewer":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"state":"REVIEWER"},{"updated":"2019-11-19 21:34:06.000000000","updated_by":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"reviewer":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"state":"REVIEWER"},{"updated":"2019-11-28 16:28:37.000000000","updated_by":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"reviewer":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"state":"REVIEWER"},{"updated":"2019-12-04 12:52:50.000000000","updated_by":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"reviewer":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"state":"REVIEWER"},{"updated":"2020-01-08 20:17:01.000000000","updated_by":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"reviewer":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"state":"REVIEWER"},{"updated":"2020-01-09 17:08:33.000000000","updated_by":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"reviewer":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"state":"REVIEWER"},{"updated":"2020-01-14 10:42:00.000000000","updated_by":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"reviewer":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"state":"REVIEWER"},{"updated":"2020-01-14 10:52:43.000000000","updated_by":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"reviewer":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"state":"REVIEWER"},{"updated":"2020-01-14 11:29:38.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"}],"messages":[{"id":"6f7f82ea5bc5bbdb05200921b00cb9c2e919bbb5","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-10-04 18:03:53.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"4134bb5cb38e2ae0d213caf7bdb22bfb1f9ba930","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-10-04 18:04:23.000000000","message":"Patch Set 1: Workflow-1\n\nPS1 straight copy from train.\n\nNothing to see here yet...","accounts_in_message":[],"_revision_number":1},{"id":"0f23d9af96e34874a9c55f7a11c86a170c64579a","author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"date":"2019-10-04 18:17:31.000000000","message":"Patch Set 1:\n\n(5 comments)\n\nRandom thoughts dump, with the caveat that I know close to nothing about TPM (had to look it up, in fact).","accounts_in_message":[],"_revision_number":1},{"id":"b758c1bddb996d88bab63d7583d0692ec89d516b","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-10-04 18:22:06.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs 
https://zuul.opendev.org/t/openstack/build/c571ae745eff4625a8545733ad28dafe : SUCCESS in 11m 12s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/50722d436d9c4868aa386cfbecdfa5cc : SUCCESS in 4m 27s","accounts_in_message":[],"_revision_number":1},{"id":"780922b2299781ba986e8e87fab364fd57438b45","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-10-04 22:55:22.000000000","message":"Patch Set 1:\n\n(4 comments)","accounts_in_message":[],"_revision_number":1},{"id":"a8fa2a274f27a477522c26d5d6fc203e7ac165c7","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-10-04 22:55:41.000000000","message":"Uploaded patch set 2.","accounts_in_message":[],"_revision_number":2},{"id":"59da27ce26fa2233a35a35ae46c7bfa1e8e21769","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-10-04 22:56:14.000000000","message":"Uploaded patch set 3.","accounts_in_message":[],"_revision_number":3},{"id":"33522c21e463f25ba461bc0eaad08baabb212e54","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-10-04 22:57:42.000000000","message":"Patch Set 3: Workflow-1\n\nThis now differs enough from the train version that it\u0027s probably not worth looking at the delta from PS1.\n\nThere\u0027s also still a lot of TODOs.","accounts_in_message":[],"_revision_number":3},{"id":"b6fde28306b24db84a23e66b0d6cf0363c90c873","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-10-04 23:10:13.000000000","message":"Patch Set 3: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/5636da63fa7b42c8bebe7db3c23304a3 : SUCCESS in 8m 48s\n- openstack-tox-pep8 
https://zuul.opendev.org/t/openstack/build/2f11b3ae3ba44e4fafaa03822bcf5688 : SUCCESS in 3m 01s","accounts_in_message":[],"_revision_number":3},{"id":"f4317a922d45e0c1a703793d5a5fe6e5cfcf9626","author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"date":"2019-10-04 23:44:20.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"22e54a0e71810463e0480d68e3f42962e7163092","author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"date":"2019-10-04 23:58:14.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"cbfbc3e49a496a677f57ff07b03eea17ae0a93dc","author":{"_account_id":9452,"name":"James Penick","email":"penick@verizonmedia.com","username":"epim"},"date":"2019-11-01 18:23:14.000000000","message":"Patch Set 3:\n\n(1 comment)\n\nThere\u0027s a couple ways you would use a tpm, and how you handle the secret is relevant to that. Here\u0027s a couple examples\n\nExample 1:\n\nThe instance in question is used as a component in a secure root of trust. This instance will communicate with an HSM to sign x509 CSRs, SSHCA certificates, or otherwise encrypt things.\n\nThe flow for provisioning that secret would be:\n1. User creates an instance\n\n2. User logs in and provisions the TPM, they are now the \u0027owner\u0027 of the vTPM\n  1. they \"take ownership\" of the tpm and supply a new ownership password in the process. (That master password is only used to provision new SRK, SK, etc keys inside of the TPM.)\n  2. The owner then provisions a storage key in the tpm (SRK) and supplies a -new secret- for that key.\n\n3. The owner now creates an asymmetric keypair and uses the tpm to seal the private key they just created. The original private key file is then deleted. Now what you have is a blob of the private key which has been encrypted by the TPM.\n  a. 
If the owner chose to seal the key with PCRs in the process, then the TPM will require both the PCR values to be correct as well as the SRK secret before decrypting the keyblob. This is useful because now the TPM data cannot just be moved to another machine and decrypted there. It will only work in this exact environment.\n\n3. The owner now works with whatever other security officers are necessary to access the HSM and place the public key created in the previous step into the HSM as a trusted auth credential\n\n4. With the TPM unlocked the application on the instance can now use the TPM to establish a mTLS connection to the HSM and request that the HSM sign things. \n\nIf the instance reboots, a human must log in and use their secret to unlock the TPM, then make a call to decrypt the keyblob. \n\nIn this example the secrets necessary to unlock the tpm and subsequently decrypt the private keys are known only to humans, and root access to the hypervisor would not give you the credentials necessary to decrypt the vTPM object, as the master password is needed for that.\n\nExample 2:\n\nThis is a mutation of example 1. The steps are the same, except that the secret to unlock the TPM is stored in a key management service. In our environment we use HSMs to provide a unique x509 identity to every instance in our datacenters.\n\n1. When the instance is first created a x509 keypair is automatically provisioned at boot time and stored on the filesystem and signed by a secure root of trust\n2. Steps 1-3 are followed as above\n3. The SRK is stored in a key management service such as Barbican, KMS, or an in-house solution (hi). Access to that secret is granted to the instance\u0027s x509 public key\n4. 
Now, on boot the instance will connect to the secure key management service to grab the SRK secret, use that to unlock the tpm, and subsequently decrypt the private key it uses for authentication with the HSM and store it in memory.\n\nThis flow has the advantage of not requiring human intervention should the instance reboot, which is highly advantageous if you have a power outage in a datacenter and the instances comprising your secure root of trust have all been restarted. They\u0027re each able to bootstrap themselves. \n The disadvantage is that if someone had root access to this instance they could fetch the SRK secret and use that to decrypt and steal the private key used to contact the HSM, and subsequently get things signed that shouldn\u0027t be. Of course if they have root access to the instance they could pluck the key out of memory anyway. \n\n--\n About decrypting the vTPM: My gut feeling is If the vTPM decryption key is readily available on the hypervisor, then there\u0027s no point in encrypting the tpm in the first place. I suppose one option would be to require the vTPM be decrypted from within the VM /prior/ to it being provisioned or subsequently unlocked. I don\u0027t know how that\u0027d work. \n\nOr perhaps the decryption key stored in barbican is good enough, and is fetched by the hypervisor as needed when the instance boots. 
I\u0027ll need to ask some of our security people to weigh in.","accounts_in_message":[],"_revision_number":3},{"id":"7eb27f445cfa256c21949b1eaca14badd59811d6","author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"date":"2019-11-01 20:11:43.000000000","message":"Patch Set 3:\n\n(2 comments)","accounts_in_message":[],"_revision_number":3},{"id":"18a8acc4d9cdd5e0bf6ff453e347b63d2bd9267d","author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"date":"2019-11-01 20:15:13.000000000","message":"Patch Set 3:\n\nRe: Penick\u0027s comments about the master password and such on the TPM, I believe that is a separate topic from the secret used by libvirt for encryption. The VM is just given a \"new\" TPM, AIUI, just like if you unboxed a server and started an OS on it. Libvirt\u0027s vTPM secret secures the underlying data structure which holds the TPM\u0027s state.","accounts_in_message":[],"_revision_number":3},{"id":"ff3115be3d7b429fd63344adb3a611f96590b52b","author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"date":"2019-11-01 20:34:44.000000000","message":"Patch Set 3:\n\n(1 comment)","accounts_in_message":[],"_revision_number":3},{"id":"b1ed198ed893f75b21dcde4944263a39f44db916","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-01 21:37:35.000000000","message":"Patch Set 3:\n\n(1 comment)","accounts_in_message":[],"_revision_number":3},{"id":"67d7cf5a58c6d5cb41d1d8671b347fd4793f1ce6","author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"date":"2019-11-04 14:54:29.000000000","message":"Patch Set 3:\n\n\u003e I get that nova could go get it from barbican, but I can\u0027t figure out how it\u0027s provided to libvirt.\n\nThat\u0027s documented in the libvirt 
docs[0]. \n\n\u003e A secret may also be defined via the virSecretDefineXML API. Once the secret is defined, a secret value will need to be set. The secret would be the passphrase used to decrypt the vTPM state. The following is a simple example of using virsh secret-set-value to set the secret value. The virSecretSetValue API may also be used to set a more secure secret without using printable/readable characters.\n\n[0] https://libvirt.org/formatsecret.html#vTPMUsageType","accounts_in_message":[],"_revision_number":3},{"id":"ce4dd6a3e5ae2bd212ca85c48c76ea27a56484b8","author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"date":"2019-11-04 14:55:26.000000000","message":"Patch Set 3:\n\nNow that I post that comment, I see you also linked the same docs. An existing secret would be provided in the same way as a new secret. :)","accounts_in_message":[],"_revision_number":3},{"id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-11 20:54:49.000000000","message":"Patch Set 3:\n\n(17 comments)","accounts_in_message":[],"_revision_number":3},{"id":"80b869bf39366275883e412676c04ba7cc4de542","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-11 23:41:43.000000000","message":"Uploaded patch set 4.","accounts_in_message":[],"_revision_number":4},{"id":"8cc9d43e15cb0d09de3e1e19dd7c34f942274404","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-11-11 23:49:35.000000000","message":"Patch Set 4: Verified-1\n\nBuild failed (check pipeline).  
For information on how to proceed, see\nhttp://docs.openstack.org/infra/manual/developers.html#automated-testing\n\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/6dca974515204a66b166c3b8612e2d39 : SUCCESS in 7m 06s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/d0008bfeef1e4bd5b7722e5de1ed60c9 : FAILURE in 3m 24s","accounts_in_message":[],"_revision_number":4},{"id":"cd2decca336f85e3498a1ad58ad27b64c8487502","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-11 23:51:35.000000000","message":"Uploaded patch set 5.","accounts_in_message":[],"_revision_number":5},{"id":"e1cd18815c5cda4302478942227992ffa21a4677","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-11-11 23:59:22.000000000","message":"Patch Set 5: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/965c9c8da9c6422bb950c32ba44926ee : SUCCESS in 6m 57s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/f0246f926b854f8093fc664a25b77d49 : SUCCESS in 3m 10s","accounts_in_message":[],"_revision_number":5},{"id":"f83e9e47a01a108a65c7002ac683650c5ae75178","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-12 15:39:42.000000000","message":"Patch Set 5:\n\n(2 comments)","accounts_in_message":[],"_revision_number":5},{"id":"f9ca4369f1034424f53c69957bbc3e5a44c84812","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-12 18:05:57.000000000","message":"Patch Set 5:\n\n(1 comment)","accounts_in_message":[],"_revision_number":5},{"id":"e6eba6653b517c0de105d536d7ffe8e45de79813","author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"date":"2019-11-12 
21:49:50.000000000","message":"Patch Set 5: Code-Review+1\n\nLooks like this satisfies my use case. Thanks! :)","accounts_in_message":[],"_revision_number":5},{"id":"57368b56cc9e7e54cd3090db37acf40170befb6d","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-14 20:38:39.000000000","message":"Patch Set 5:\n\n(1 comment)","accounts_in_message":[],"_revision_number":5},{"id":"13b4f70bf3de50ae9a0bff0f2389428829a4693a","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-14 20:45:58.000000000","message":"Uploaded patch set 6.","accounts_in_message":[],"_revision_number":6},{"id":"964e238de81a58b29807a5fb6dd9a363671b2979","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-14 20:46:03.000000000","message":"Patch Set 6:\n\n(3 comments)","accounts_in_message":[],"_revision_number":6},{"id":"9502dbdc52f54e6ad19361c029af38f6314471a8","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-11-14 20:59:03.000000000","message":"Patch Set 6: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/894bd8e5a4cc4ea9886dbe6fd2390523 : SUCCESS in 8m 09s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/03320a2a605e44588834de84101d3a07 : SUCCESS in 3m 37s","accounts_in_message":[],"_revision_number":6},{"id":"012d7f6b8ee133313adb61c2e9597c9cdce9fe3b","author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"date":"2019-11-15 18:20:49.000000000","message":"Patch Set 6: Code-Review+1\n\n(1 comment)","accounts_in_message":[],"_revision_number":6},{"id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","author":{"_account_id":4393,"name":"Dan 
Smith","email":"dms@danplanet.com","username":"danms"},"date":"2019-11-18 19:25:44.000000000","message":"Patch Set 6: Code-Review-1\n\n(13 comments)","accounts_in_message":[],"_revision_number":6},{"id":"c29e19ff1be428c7a9e2d0199fb19590c856eec9","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-19 20:30:06.000000000","message":"Uploaded patch set 7.","accounts_in_message":[],"_revision_number":7},{"id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-19 20:30:13.000000000","message":"Patch Set 6:\n\n(15 comments)","accounts_in_message":[],"_revision_number":6},{"id":"3f1160446aef9fa61ae8ea6eb549182b7bac128d","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-19 20:32:47.000000000","message":"Patch Set 7: Workflow-1\n\nThere are too many open questions about lifecycle operations (esp. shelve-offload). 
Need to address them (or declare non-support) before this can go.","accounts_in_message":[],"_revision_number":7},{"id":"98fee5e0b800c29e0311d9accb69a0d0456a1dc2","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-11-19 20:38:28.000000000","message":"Patch Set 7: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/1e97820c11814a8c9d30c061f3b4ec6d : SUCCESS in 7m 55s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/1e8136fa2eef4de79a84c772e2622338 : SUCCESS in 3m 33s","accounts_in_message":[],"_revision_number":7},{"id":"fe30f57c24c03bf62564d285853b3f9eee6df4e8","author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"date":"2019-11-19 21:31:26.000000000","message":"Patch Set 6:\n\n(1 comment)\n\nHaven\u0027t read/responded to everything, but wanted to pounce on the shelve stuff.","accounts_in_message":[],"_revision_number":6},{"id":"3027e2b6b593cb8a4ff83eb3ba003153415f01d7","author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"date":"2019-11-19 21:34:06.000000000","message":"Patch Set 7: Code-Review-1\n\n\u003e There are too many open questions about lifecycle operations (esp.\n \u003e shelve-offload). Need to address them (or declare non-support)\n \u003e before this can go.\n\nAs I said in my comment just now on the older set, I don\u0027t think excluding shelve/unshelve is reasonable as the line is now blurred between shelve and resize. 
So, yeah, gotta figure out the plan there before we move forward with this, IMHO.","accounts_in_message":[],"_revision_number":7},{"id":"e3b11eaf56123c947ff047f1b58d2e49d7970215","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-20 23:51:05.000000000","message":"Uploaded patch set 8.","accounts_in_message":[],"_revision_number":8},{"id":"f75f635a2d904220bd87400db10845f9002fac91","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-11-21 00:01:00.000000000","message":"Patch Set 8: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/f5bf78b754184b7f91478391d65706bf : SUCCESS in 8m 53s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/0d1953f5e0f24032b680d7b99beeb3b6 : SUCCESS in 4m 28s","accounts_in_message":[],"_revision_number":8},{"id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"date":"2019-11-21 03:13:42.000000000","message":"Patch Set 8: Code-Review-1\n\n(26 comments)\n\nI am largely ok with what is proposed.\nThe spec hand-waves a bit on one or two details which can likely be resolved in the implementation, but I have some questions inline.","accounts_in_message":[],"_revision_number":8},{"id":"22a72b61b222da939e5e793595b358e4c840302e","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-21 17:54:24.000000000","message":"Patch Set 8:\n\n(23 comments)\n\nThanks for the thorough review, Sean.\n\nOther than having made some erroneous statements about how a few things work, which ought to shake out during implementation, I feel like the spirit/intent is still clear. 
I\u0027m going to wait to update until this has had a few more eyeballs.","accounts_in_message":[],"_revision_number":8},{"id":"b7199f1de8bc98109806e7ff252898aba54de17a","author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"date":"2019-11-22 01:09:09.000000000","message":"Patch Set 8:\n\n(10 comments)\n\nYep I think the overall directions of this is clear and makes sense","accounts_in_message":[],"_revision_number":8},{"id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-23 00:12:42.000000000","message":"Patch Set 8: Workflow-1\n\n(13 comments)\n\nI\u0027m going to rework this per https://review.opendev.org/#/c/686804/8/specs/ussuri/approved/add-emulated-virtual-tpm.rst@212 which should simplify some things.","accounts_in_message":[],"_revision_number":8},{"id":"003b1bbb4145bc0b0e44781ad92e92dc3486dd89","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-23 00:23:42.000000000","message":"Patch Set 8:\n\n(1 comment)","accounts_in_message":[],"_revision_number":8},{"id":"95e989b27c97d6654402e2ce07aeea7c5c446bc9","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-11-25 23:41:06.000000000","message":"Uploaded patch set 9.","accounts_in_message":[],"_revision_number":9},{"id":"730713c87ae9f91001308e9df9fdae6a1e5e7c10","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-11-25 23:50:21.000000000","message":"Patch Set 9: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/831360be0a1544d799ea221272c2e6a0 : SUCCESS in 8m 12s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/f3b9a6169c71465a9cc7ac7e8704985f : SUCCESS in 4m 
02s","accounts_in_message":[],"_revision_number":9},{"id":"f9e5e974280f691c3bbc0a90921cb4a4a24a0dbf","author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"date":"2019-12-04 13:58:07.000000000","message":"Patch Set 9: Code-Review-1\n\n(8 comments)\n\nThe feature is complicated, especially at the edges, but I think this is workable. I have a couple of questions to be answered inline, but if those are clarified / solved then I will +2 this.","accounts_in_message":[],"_revision_number":9},{"id":"37d414605d6c9a825dc41cebdf926f9e149393fe","author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"date":"2019-12-04 15:46:17.000000000","message":"Patch Set 9: Code-Review-1\n\n(21 comments)\n\nProbably enough here to warrant the -1","accounts_in_message":[],"_revision_number":9},{"id":"82fccd9cda593afffd4c607f5c6383cc76b677cb","author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"date":"2019-12-04 17:14:20.000000000","message":"Patch Set 9:\n\n(2 comments)","accounts_in_message":[],"_revision_number":9},{"id":"474f823ddf3cf98e06f7765a9229cbadfe9075b3","author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"date":"2019-12-04 17:38:42.000000000","message":"Patch Set 9:\n\n(5 comments)","accounts_in_message":[],"_revision_number":9},{"id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-12-04 19:09:12.000000000","message":"Patch Set 9:\n\n(26 comments)","accounts_in_message":[],"_revision_number":9},{"id":"27134929673da3630a91ea3a936cf142114560ae","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-12-04 19:13:48.000000000","message":"Uploaded patch set 
10.","accounts_in_message":[],"_revision_number":10},{"id":"41456f1b2ae7f7a03fc368a732a16cbcafb8cf7f","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-12-04 19:24:01.000000000","message":"Patch Set 10: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/b9f6e45cd52c4dd389891a114eaf14db : SUCCESS in 7m 33s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/e3c37a3b6f56460dbde9fb98f6e90a8e : SUCCESS in 6m 02s","accounts_in_message":[],"_revision_number":10},{"id":"f55ab0fca4273b78f9195ea7a3dbbfb4f45d8c23","author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"date":"2019-12-05 13:17:29.000000000","message":"Patch Set 10: Code-Review+2\n\n(1 comment)\n\nMy questions were answered.","accounts_in_message":[],"_revision_number":10},{"id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-12-11 19:53:55.000000000","message":"Patch Set 10: Workflow-1\n\n(35 comments)\n\nIn offline conversations we\u0027ve decided to simplify a bit further by removing the backup/rebuild piece of this. The philosophy is that, when in doubt, this thing should pretty much behave like baremetal. E.g. if you restore a backup onto a baremetal box, the TPM stays in whatever state it was in most recently. 
If you restore onto a different box, you get a fresh (or no) TPM (more realistically in whatever state it was in just prior to the restore).\n\nSo we\u0027re only going to do the swift thing for shelve *offload* (because non-offloaded doesn\u0027t need it, because it\u0027s still on the host); and otherwise only support \"moving\" a vTPM for migration-y operations.","accounts_in_message":[],"_revision_number":10},{"id":"3582d4baca4b9c3ee6ea2f196cbf577d4f48d987","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-12-12 00:48:13.000000000","message":"Uploaded patch set 11.","accounts_in_message":[],"_revision_number":11},{"id":"a89c958882e8740ad087ca9159954fb8963521de","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-12-12 00:48:20.000000000","message":"Patch Set 10:\n\n(29 comments)","accounts_in_message":[],"_revision_number":10},{"id":"a448b19bad7cc78577e82b30fc35a58998424bf3","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-12-12 00:49:14.000000000","message":"Patch Set 11: Workflow-1\n\nOkay, don\u0027t read this yet, found out some new things I need to account for, need to rewrite my rewrite.\n\nhttp://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2019-12-12.log.html#t2019-12-12T00:16:24","accounts_in_message":[],"_revision_number":11},{"id":"fd7dba43c300f5d4a2d7b97bff7eb4ffad1b5ecd","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-12-12 01:02:29.000000000","message":"Patch Set 11: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/141d2c4dc6cf4b1aa41f1c433774ecf9 : SUCCESS in 9m 02s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/5be960d20b464fc4a893eb70b36ab09e : SUCCESS in 3m 
47s","accounts_in_message":[],"_revision_number":11},{"id":"3e0171773fde321f3567973ec20faacbfd39839b","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-12-12 16:52:17.000000000","message":"Uploaded patch set 12.","accounts_in_message":[],"_revision_number":12},{"id":"9d7dd55897f96588e9e839e966b343a9c63dd8f9","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2019-12-12 16:52:47.000000000","message":"Patch Set 12:\n\nOkay, please diff with PS10 to preserve maximum sanity.","accounts_in_message":[],"_revision_number":12},{"id":"0a29e301206b14129ce73e3d22bb42d0a5687e6d","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-12-12 17:13:28.000000000","message":"Patch Set 12: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/3d714826247e4451ba3995de12ab4478 : SUCCESS in 9m 13s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/f94651a442734146bf7c76dda9fbac1c : SUCCESS in 4m 52s","accounts_in_message":[],"_revision_number":12},{"id":"54902ad4ac03913d93a0ecdcd26c5742e1dd7e47","author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"date":"2019-12-13 18:21:35.000000000","message":"Patch Set 12: Code-Review+2\n\nRead through the diff from PS 10. 
Still looks good to me.","accounts_in_message":[],"_revision_number":12},{"id":"67b52c3a6d0c59249f066a4d5cb78c4c8ba19b97","author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"date":"2020-01-07 22:17:56.000000000","message":"Patch Set 12: Code-Review+1\n\n(9 comments)\n\nThere are a few nits but overall I\u0027m good with this.","accounts_in_message":[],"_revision_number":12},{"id":"7f84c12ae0f399d0f14686eccc80434bb4dcddca","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2020-01-07 22:38:48.000000000","message":"Patch Set 12:\n\n(3 comments)\n\nThanks Sean.","accounts_in_message":[],"_revision_number":12},{"id":"d6ad47d9179ff6ac8396c0b1660b99ca282ba7dd","author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"date":"2020-01-08 12:43:17.000000000","message":"Patch Set 12: Code-Review+1\n\n(7 comments)\n\nOne important question about blocking this at the API level (have pinged on IRC too). Can bump to +2 once I have the answer to that question. 
The rest are nice to knows.","accounts_in_message":[],"_revision_number":12},{"id":"502cf4cfd4b575c59657bfa2732db4a175693300","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2020-01-08 15:20:56.000000000","message":"Patch Set 12:\n\n(3 comments)","accounts_in_message":[],"_revision_number":12},{"id":"ce0c4ff7671e886f80b9a089c5c2d7267c469d6a","author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"date":"2020-01-08 15:21:49.000000000","message":"Uploaded patch set 13.","accounts_in_message":[],"_revision_number":13},{"id":"d58a19cde94e720a7be5563de980c2c1e4932e76","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-01-08 15:42:04.000000000","message":"Patch Set 13: Verified+1\n\nBuild succeeded (check pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/d20f0db32e654b52960debbfacf9a11d : SUCCESS in 11m 47s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/d2938dcfa9254933831039ba4bf09452 : SUCCESS in 3m 31s","accounts_in_message":[],"_revision_number":13},{"id":"0e00ab26012c67e20f9078dce7dabf2f974acab6","author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"date":"2020-01-08 20:17:01.000000000","message":"Patch Set 13: Code-Review+1\n\nWow, this is really well-written now. Thanks, Eric!\n\nI can confirm that this will satisfy my use case and security requirements. 
The implementation details look sane to me, but I\u0027m not an expert in many of these areas.","accounts_in_message":[],"_revision_number":13},{"id":"17efcf2de175fa3fc4de6e132b4232d506c07ef6","author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"date":"2020-01-09 17:08:33.000000000","message":"Patch Set 13: Code-Review+2\n\ndiff between ps 12..13 looks good to me.","accounts_in_message":[],"_revision_number":13},{"id":"545fc2eab66e27167d7cdc37dff8b1ad2930bf3f","author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"date":"2020-01-14 10:41:14.000000000","message":"Patch Set 12:\n\n(1 comment)","accounts_in_message":[],"_revision_number":12},{"id":"808d045c5a8f2497bf394759d49ad724f2d8a5b4","author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"date":"2020-01-14 10:42:00.000000000","message":"Patch Set 13: Code-Review+2 Workflow+1\n\nI still have my doubts about not being able to request the feature via a trait and have everything wired up, since that works for VCPU and PCPU resources, but I can argue that at code time","accounts_in_message":[],"_revision_number":13},{"id":"271456f958fe32e3f6215139b4470ec027ee028e","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-01-14 10:42:12.000000000","message":"Patch Set 13: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":13},{"id":"65fc467c8f0342a313bfcfd027e28fdddb51312a","author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"date":"2020-01-14 10:52:09.000000000","message":"Patch Set 12:\n\n(2 
comments)","accounts_in_message":[],"_revision_number":12},{"id":"2bf6e86e9924b29518831a7cda5e3ccf62fc04f9","author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"date":"2020-01-14 10:52:43.000000000","message":"Patch Set 13: Code-Review+1\n\nim still fine with this so let get it on its way","accounts_in_message":[],"_revision_number":13},{"id":"d12c814c3ec34a481b8ed91a93fbb6cc6d1daaa9","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-01-14 11:29:38.000000000","message":"Patch Set 13: Verified+2\n\nBuild succeeded (gate pipeline).\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/59152888eb344c13be4c2bc18c9e9bd8 : SUCCESS in 9m 56s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/d3ff5b62c35a4ea78bd114659f80d6a4 : SUCCESS in 3m 32s","accounts_in_message":[],"_revision_number":13},{"id":"9308f2fc42eb93298f8ec11aaf64d67f8fd6ba6f","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-01-14 11:29:39.000000000","message":"Change has been successfully merged by Zuul","accounts_in_message":[],"_revision_number":13},{"id":"f10abb5940a70030dab5d7c574e48108bb58ba58","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2020-01-14 11:31:36.000000000","message":"Patch Set 13:\n\nBuild succeeded (promote pipeline).\n\n- promote-openstack-specs https://zuul.opendev.org/t/openstack/build/4ad03e7c0eee40c8a897ababb3b31848 : SUCCESS in 1m 35s","accounts_in_message":[],"_revision_number":13}],"current_revision_number":13,"current_revision":"8ca894147c84aa4432e95e7cbc49c7702308fe3c","revisions":{"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6":{"kind":"REWORK","_number":1,"created":"2019-10-04 18:03:53.000000000","uploader":{"_account_id":14070,"name":"Eric 
Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/1"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"subject":"WIP: Spec: Ussuri: Emulated Virtual TPM","message":"WIP: Spec: Ussuri: Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. 
In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nAccordingly, the suggestion is to add a placement resource which could\nbe requested in the flavor which would cause such a device to be added\nto the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"}]},"branch":"refs/heads/master"},"dace80e408c4dcb294eccc75ddbcf5a209679226":{"kind":"REWORK","_number":2,"created":"2019-10-04 22:55:41.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/2"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric 
Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 22:55:30.000000000","tz":-300},"subject":"WIP: Spec: Ussuri: Emulated Virtual TPM","message":"WIP: Spec: Ussuri: Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nAccordingly, the suggestion is to add a placement resource which could\nbe requested in the flavor which would cause such a device to be added\nto the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/dace80e408c4dcb294eccc75ddbcf5a209679226"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/dace80e408c4dcb294eccc75ddbcf5a209679226"}]},"branch":"refs/heads/master"},"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85":{"kind":"REWORK","_number":3,"created":"2019-10-04 22:56:14.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git 
pull https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/3"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 22:56:12.000000000","tz":-300},"subject":"WIP: Spec: Ussuri: Emulated Virtual TPM","message":"WIP: Spec: Ussuri: Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nAccordingly, the suggestion is to add a placement resource which could\nbe requested in the flavor which would cause such a device to be added\nto the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"}]},"branch":"refs/heads/master"},"e72d08cad9d1469f721c6cfc6610100ec4531466":{"kind":"REWORK","_number":4,"created":"2019-11-11 23:41:43.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/4","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/4","commands":{"Checkout":"git fetch 
https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/4"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-11-11 23:41:28.000000000","tz":-360},"subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","message":"Spec: Ussuri: Encrypted Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. 
In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nAccordingly, the suggestion is to add flavor/image properties which\ncause such a device to be added to the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/e72d08cad9d1469f721c6cfc6610100ec4531466"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/e72d08cad9d1469f721c6cfc6610100ec4531466"}]},"branch":"refs/heads/master"},"18da93caba3d4617c2de715a49c6d0dafdeb32d5":{"kind":"REWORK","_number":5,"created":"2019-11-11 23:51:35.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/5","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/5","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/5 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/5 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/5 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/5"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric 
Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-11-11 23:51:33.000000000","tz":-360},"subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","message":"Spec: Ussuri: Encrypted Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nAccordingly, the suggestion is to add flavor/image properties which\ncause such a device to be added to the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/18da93caba3d4617c2de715a49c6d0dafdeb32d5"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/18da93caba3d4617c2de715a49c6d0dafdeb32d5"}]},"branch":"refs/heads/master"},"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9":{"kind":"REWORK","_number":6,"created":"2019-11-14 20:45:58.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/6","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/6","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/6 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/6 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/6 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull 
https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/6"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-11-14 20:45:01.000000000","tz":-360},"subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","message":"Spec: Ussuri: Encrypted Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nThis spec describes adding flavor/image properties which cause such a\ndevice to be added to the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"}]},"branch":"refs/heads/master"},"d0266382cf5619c748bb559b7e5db6b651fe4b04":{"kind":"REWORK","_number":7,"created":"2019-11-19 20:30:06.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/7","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/7","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/7 
\u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/7 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/7 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/7"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-11-19 20:30:02.000000000","tz":-360},"subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","message":"Spec: Ussuri: Encrypted Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. 
In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nThis spec describes adding flavor/image properties which cause such a\ndevice to be added to the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/d0266382cf5619c748bb559b7e5db6b651fe4b04"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/d0266382cf5619c748bb559b7e5db6b651fe4b04"}]},"branch":"refs/heads/master"},"fd2e2bd29c4930b3fa714f8c42b7346190b11160":{"kind":"REWORK","_number":8,"created":"2019-11-20 23:51:05.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/8","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/8","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/8 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/8 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/8 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/8"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 
18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-11-20 23:50:52.000000000","tz":-360},"subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","message":"Spec: Ussuri: Encrypted Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nThis spec describes adding flavor/image properties which cause such a\ndevice to be added to the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fd2e2bd29c4930b3fa714f8c42b7346190b11160"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fd2e2bd29c4930b3fa714f8c42b7346190b11160"}]},"branch":"refs/heads/master"},"2d93e19afd50436588d13f76a8d1de5bbf8e1535":{"kind":"REWORK","_number":9,"created":"2019-11-25 23:41:06.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/9","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/9","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/9 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/9 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/9 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs 
refs/changes/04/686804/9"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-11-25 23:40:59.000000000","tz":-360},"subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","message":"Spec: Ussuri: Encrypted Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nThis spec describes adding flavor/image properties which cause such a\ndevice to be added to the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/2d93e19afd50436588d13f76a8d1de5bbf8e1535"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/2d93e19afd50436588d13f76a8d1de5bbf8e1535"}]},"branch":"refs/heads/master"},"c0800ea9d1957c636e4e129eba90b8a8b192c299":{"kind":"REWORK","_number":10,"created":"2019-12-04 19:13:48.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/10","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/10","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/10 \u0026\u0026 git checkout FETCH_HEAD","Cherry 
Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/10 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/10 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/10"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-12-04 19:13:45.000000000","tz":-360},"subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","message":"Spec: Ussuri: Encrypted Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. 
In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nThis spec describes adding flavor/image properties which cause such a\ndevice to be added to the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/c0800ea9d1957c636e4e129eba90b8a8b192c299"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/c0800ea9d1957c636e4e129eba90b8a8b192c299"}]},"branch":"refs/heads/master"},"09f017ae5a727254a36fc1539d8615efea70bc1b":{"kind":"REWORK","_number":11,"created":"2019-12-12 00:48:13.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/11","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/11","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/11 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/11 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/11 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/11"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 
18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-12-12 00:48:09.000000000","tz":-360},"subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","message":"Spec: Ussuri: Encrypted Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nThis spec describes adding flavor/image properties which cause such a\ndevice to be added to the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/09f017ae5a727254a36fc1539d8615efea70bc1b"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/09f017ae5a727254a36fc1539d8615efea70bc1b"}]},"branch":"refs/heads/master"},"2a3984a22f5c659f86cb9756ba80ef5603c79ffe":{"kind":"REWORK","_number":12,"created":"2019-12-12 16:52:17.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/12","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/12","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/12 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/12 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/12 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs 
refs/changes/04/686804/12"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-12-12 16:52:12.000000000","tz":-360},"subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","message":"Spec: Ussuri: Encrypted Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nThis spec describes adding flavor/image properties which cause such a\ndevice to be added to the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/2a3984a22f5c659f86cb9756ba80ef5603c79ffe"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/2a3984a22f5c659f86cb9756ba80ef5603c79ffe"}]},"branch":"refs/heads/master"},"8ca894147c84aa4432e95e7cbc49c7702308fe3c":{"kind":"REWORK","_number":13,"created":"2020-01-08 15:21:49.000000000","uploader":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"ref":"refs/changes/04/686804/13","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova-specs","ref":"refs/changes/04/686804/13","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/13 \u0026\u0026 git checkout FETCH_HEAD","Cherry 
Pick":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/13 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/13 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova-specs refs/changes/04/686804/13"}}},"commit":{"parents":[{"commit":"fbfb289679267e72903fedb97614b586ac0d79bc","subject":"Add image-precache-support spec","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/fbfb289679267e72903fedb97614b586ac0d79bc"}]}],"author":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2019-10-04 18:01:57.000000000","tz":-300},"committer":{"name":"Eric Fried","email":"openstack@fried.cc","date":"2020-01-08 15:21:44.000000000","tz":-360},"subject":"Spec: Ussuri: Encrypted Emulated Virtual TPM","message":"Spec: Ussuri: Encrypted Emulated Virtual TPM\n\nThere are a class of applications which expect to use a TPM device to\nstore secrets. In order to run these applications in a virtual machine,\nit would be useful to expose a virtual TPM device within the guest.\nThis spec describes adding flavor/image properties which cause such a\ndevice to be added to the VM.\n\nBlueprint: add-emulated-virtual-tpm\n\nChange-Id: I299903a5f3b3741cb2b2d0271087c263552d4134\nPreviously-approved: train\nPreviously-approved: stein\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/8ca894147c84aa4432e95e7cbc49c7702308fe3c"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova-specs/commit/8ca894147c84aa4432e95e7cbc49c7702308fe3c"}]},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}
