)]}'
{"specs/ussuri/approved/allow-secure-boot-for-qemu-kvm-guests.rst":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":13,"context_line":"Problem description"},{"line_number":14,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Today, Nova\u0027s libvirt driver only has support for generic UEFI boot, but"},{"line_number":17,"context_line":"not Secure Boot (the goal of which is to: \"make sure no unsigned kernel"},{"line_number":18,"context_line":"code runs on the machine\") for QEMU and KVM guests.  Secure Boot"},{"line_number":19,"context_line":"protects guests from boot-time malware, and validates that the code"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_e8a6600d","line":16,"range":{"start_line":16,"start_character":67,"end_line":16,"end_character":68},"updated":"2020-01-27 11:47:24.000000000","message":"nit: drop","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":16,"context_line":"Today, Nova\u0027s libvirt driver only has support for generic UEFI boot, but"},{"line_number":17,"context_line":"not Secure Boot (the goal of which is to: \"make sure no unsigned kernel"},{"line_number":18,"context_line":"code runs on the machine\") for QEMU and KVM guests.  
Secure Boot"},{"line_number":19,"context_line":"protects guests from boot-time malware, and validates that the code"},{"line_number":20,"context_line":"executed by the guest firmware is trusted."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"More precisely, the libvirt driver has the OVMF (the open source"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_4881b44c","line":19,"range":{"start_line":19,"start_character":38,"end_line":19,"end_character":39},"updated":"2020-01-27 11:47:24.000000000","message":"nit: drop","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"This specification proposes to extend the existing support for UEFI boot"},{"line_number":37,"context_line":"in Nova\u0027s libvirt driver to also support Secure Boot.  Refer to the"},{"line_number":38,"context_line":"sections :ref:`prop-change \u003cProposed change\u003e` :ref:`w-items \u003cWork items\u003e`"},{"line_number":39,"context_line":"for what needs to be done to support the Secure Boot for KVM / QEMU"},{"line_number":40,"context_line":"guests.  In this spec, we focus only the ``x86_64`` architecture."},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_e88f4073","line":38,"range":{"start_line":38,"start_character":9,"end_line":38,"end_character":73},"updated":"2020-01-27 11:47:24.000000000","message":"You don\u0027t need to do this. 
Just do\n\n  `Proposed change`__ and `Work items`__\n\nsince headings automatically get anchors","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"c52a454f15257d93338c83d032002bbdf3132214","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"This specification proposes to extend the existing support for UEFI boot"},{"line_number":37,"context_line":"in Nova\u0027s libvirt driver to also support Secure Boot.  Refer to the"},{"line_number":38,"context_line":"sections :ref:`prop-change \u003cProposed change\u003e` :ref:`w-items \u003cWork items\u003e`"},{"line_number":39,"context_line":"for what needs to be done to support the Secure Boot for KVM / QEMU"},{"line_number":40,"context_line":"guests.  In this spec, we focus only the ``x86_64`` architecture."},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_863726fe","line":38,"range":{"start_line":38,"start_character":9,"end_line":38,"end_character":73},"in_reply_to":"3fa7e38b_e88f4073","updated":"2020-02-04 16:18:31.000000000","message":"\u003e You don\u0027t need to do this. Just do\n \u003e \n \u003e `Proposed change`__ and `Work items`__\n \u003e \n \u003e since headings automatically get anchors\n\nAs I guessed below, what you suggested did not work out, I again got:\n\n\n    \"[...] Anonymous hyperlink mismatch: 3 references but \n    0 targets. 
See \"backrefs\" attribute for IDs.\"\n\nI\u0027m going to revert to using \u0027ref:\u0027 as indicated above.","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"5d182414cdfc363d2b18aa0b225b390170a36323","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"This specification proposes to extend the existing support for UEFI boot"},{"line_number":37,"context_line":"in Nova\u0027s libvirt driver to also support Secure Boot.  Refer to the"},{"line_number":38,"context_line":"sections :ref:`prop-change \u003cProposed change\u003e` :ref:`w-items \u003cWork items\u003e`"},{"line_number":39,"context_line":"for what needs to be done to support the Secure Boot for KVM / QEMU"},{"line_number":40,"context_line":"guests.  In this spec, we focus only the ``x86_64`` architecture."},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_3533fa61","line":38,"range":{"start_line":38,"start_character":9,"end_line":38,"end_character":73},"in_reply_to":"3fa7e38b_e88f4073","updated":"2020-02-04 13:37:16.000000000","message":"IIRC, I did that because it was complaining about duplicate labels (from a previous iteration of the spec); but probably that will go away because now we\u0027re no longer using any \u0027refs\u0027; let me try again.","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":37,"context_line":"in Nova\u0027s libvirt driver to also support Secure Boot.  
Refer to the"},{"line_number":38,"context_line":"sections :ref:`prop-change \u003cProposed change\u003e` :ref:`w-items \u003cWork items\u003e`"},{"line_number":39,"context_line":"for what needs to be done to support the Secure Boot for KVM / QEMU"},{"line_number":40,"context_line":"guests.  In this spec, we focus only the ``x86_64`` architecture."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"NB: Nova\u0027s Hyper-V driver already has support for Secure Boot; it was"},{"line_number":43,"context_line":"added in commit: 29dab99 -- \"Hyper-V: Adds Hyper-V UEFI Secure Boot\""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_888a4c62","line":40,"range":{"start_line":40,"start_character":32,"end_line":40,"end_character":36},"updated":"2020-01-27 11:47:24.000000000","message":"only on","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":39,"context_line":"for what needs to be done to support the Secure Boot for KVM / QEMU"},{"line_number":40,"context_line":"guests.  In this spec, we focus only the ``x86_64`` architecture."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"NB: Nova\u0027s Hyper-V driver already has support for Secure Boot; it was"},{"line_number":43,"context_line":"added in commit: 29dab99 -- \"Hyper-V: Adds Hyper-V UEFI Secure Boot\""},{"line_number":44,"context_line":"[2]_."},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_a885c854","line":42,"range":{"start_line":42,"start_character":0,"end_line":42,"end_character":3},"updated":"2020-01-27 11:47:24.000000000","message":".. 
note::","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":94,"context_line":"  is non-trivial to tell whether that binary supports Secure Boot or"},{"line_number":95,"context_line":"  not."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"  Solution: Here is where libvirt\u0027s firmware auto-selection comes into"},{"line_number":98,"context_line":"  picture.  It takes advantage of a lot of work done in QEMU and OVMF,"},{"line_number":99,"context_line":"  and fixes the above mentioned problem by providing a robust interface."},{"line_number":100,"context_line":"  As in, libvirt can now pick up the *correct* OVMF binary, with Secure"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_08ec1c26","line":97,"range":{"start_line":97,"start_character":65,"end_line":97,"end_character":70},"updated":"2020-01-27 11:47:24.000000000","message":"nit: into the","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"- Make Nova programatically query the getDomainCapabilities() API to"},{"line_number":118,"context_line":"  check if libvirt supports the relevant Secure Boot-related features."},{"line_number":119,"context_line":"  Introduce a _has_uefi_secure_boot_support() method to check if libvirt"},{"line_number":120,"context_line":"  can support the feature.  
This can be done by checking for the"},{"line_number":121,"context_line":"  presence of ``efi`` and ``secure`` XML attributes from the output of"},{"line_number":122,"context_line":"  the getDomainCapabilities() API."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_c8d92484","line":119,"range":{"start_line":119,"start_character":14,"end_line":119,"end_character":43},"updated":"2020-01-27 11:47:24.000000000","message":"``literal``","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":119,"context_line":"  Introduce a _has_uefi_secure_boot_support() method to check if libvirt"},{"line_number":120,"context_line":"  can support the feature.  This can be done by checking for the"},{"line_number":121,"context_line":"  presence of ``efi`` and ``secure`` XML attributes from the output of"},{"line_number":122,"context_line":"  the getDomainCapabilities() API."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"- In the initial implementation, there will be no scheduler support to"},{"line_number":125,"context_line":"  isolate hosts that are not Secure Boot-capable, similar to existing"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_88dfac65","line":122,"range":{"start_line":122,"start_character":6,"end_line":122,"end_character":27},"updated":"2020-01-27 11:47:24.000000000","message":"``literal``","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":121,"context_line":"  presence of ``efi`` and ``secure`` XML 
attributes from the output of"},{"line_number":122,"context_line":"  the getDomainCapabilities() API."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"- In the initial implementation, there will be no scheduler support to"},{"line_number":125,"context_line":"  isolate hosts that are not Secure Boot-capable, similar to existing"},{"line_number":126,"context_line":"  basic UEFI boot support.  Nova will error-out if the host hypervisor"},{"line_number":127,"context_line":"  does not support Secure Boot."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Low-level background on different kinds of OVMF builds"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_08c5fc8f","line":127,"range":{"start_line":124,"start_character":0,"end_line":127,"end_character":31},"updated":"2020-01-27 11:47:24.000000000","message":"Can we use a combination of traits and compute capabilities for this? Namely, check if the compute node has the capability and then if so, check if it has the trait. Reject the host if either check returns False.","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"5d182414cdfc363d2b18aa0b225b390170a36323","unresolved":false,"context_lines":[{"line_number":121,"context_line":"  presence of ``efi`` and ``secure`` XML attributes from the output of"},{"line_number":122,"context_line":"  the getDomainCapabilities() API."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"- In the initial implementation, there will be no scheduler support to"},{"line_number":125,"context_line":"  isolate hosts that are not Secure Boot-capable, similar to existing"},{"line_number":126,"context_line":"  basic UEFI boot support.  
Nova will error-out if the host hypervisor"},{"line_number":127,"context_line":"  does not support Secure Boot."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Low-level background on different kinds of OVMF builds"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_3561ba3d","line":127,"range":{"start_line":124,"start_character":0,"end_line":127,"end_character":31},"in_reply_to":"3fa7e38b_08c5fc8f","updated":"2020-02-04 13:37:16.000000000","message":"Potentially; need to explore it; any in-tree examples?  That said, I\u0027d like to keep the core initial implementation tight, and then build on it.","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":154,"context_line":"in your guests from *circumventing* the actual security of the Secure"},{"line_number":155,"context_line":"Boot operational mode, then you have to build *both* features into OVMF."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"NB: Different distributions ship different kinds of builds.  E.g."},{"line_number":158,"context_line":"Fedora ships both variants of OVMF firmware binaries: one without either"},{"line_number":159,"context_line":"SB or SMM, and the other with both SB or SMM. Other distributions ship"},{"line_number":160,"context_line":"different builds as well, and under different pathnames.  Even if they"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_e8bd0003","line":157,"range":{"start_line":157,"start_character":0,"end_line":157,"end_character":3},"updated":"2020-01-27 11:47:24.000000000","message":".. 
note::","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":159,"context_line":"SB or SMM, and the other with both SB or SMM. Other distributions ship"},{"line_number":160,"context_line":"different builds as well, and under different pathnames.  Even if they"},{"line_number":161,"context_line":"ship an SB+SMM OVMF build, the path name for the firmware binary may be"},{"line_number":162,"context_line":"different."},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"OVMF binary files and variable store (\"VARS\") file paths"},{"line_number":165,"context_line":"--------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_a8b38834","line":162,"updated":"2020-01-27 11:47:24.000000000","message":"But libvirt takes care of this for us, right? i.e. we don\u0027t need to figure this stuff out. Can you mention that if so","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"5d182414cdfc363d2b18aa0b225b390170a36323","unresolved":false,"context_lines":[{"line_number":159,"context_line":"SB or SMM, and the other with both SB or SMM. Other distributions ship"},{"line_number":160,"context_line":"different builds as well, and under different pathnames.  
Even if they"},{"line_number":161,"context_line":"ship an SB+SMM OVMF build, the path name for the firmware binary may be"},{"line_number":162,"context_line":"different."},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"OVMF binary files and variable store (\"VARS\") file paths"},{"line_number":165,"context_line":"--------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_955bce87","line":162,"in_reply_to":"3fa7e38b_a8b38834","updated":"2020-02-04 13:37:16.000000000","message":"Yes, (the appropriate version of) libvirt does take care.  And yes, Nova doesn\u0027t need to figure out the path stuff, thankfully, anymore.  I\u0027ll mention it.","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":168,"context_line":"OVMF:"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"- SUSE:"},{"line_number":171,"context_line":"   - package name: \"qemu-ovmf-x86_64\";"},{"line_number":172,"context_line":"   - ``/usr/share/qemu/ovmf-x86_64-opensuse-code.bin`` is the firmware"},{"line_number":173,"context_line":"     binary built with SB and SMM"},{"line_number":174,"context_line":"   - ``/usr/share/qemu/ovmf-x86_64-opensuse-vars.bin`` is the variable"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_283d588c","line":171,"range":{"start_line":171,"start_character":18,"end_line":171,"end_character":38},"updated":"2020-01-27 11:47:24.000000000","message":"``literal``","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":190,"context_line":"   - ``/usr/share/OVMF/OVMF_CODE.secboot.fd`` is the firmware binary,"},{"line_number":191,"context_line":"     built with SB plus SMM"},{"line_number":192,"context_line":"   - ``/usr/share/OVMF/OVMF_VARS.secboot.fd`` is the matching variable"},{"line_number":193,"context_line":"     store template"},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"- Debian:"},{"line_number":196,"context_line":"   - package name: \"ovmf\" (x86_64)"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_2856b8ce","line":193,"updated":"2020-01-27 11:47:24.000000000","message":"What about RHEL 8?","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"5d182414cdfc363d2b18aa0b225b390170a36323","unresolved":false,"context_lines":[{"line_number":190,"context_line":"   - ``/usr/share/OVMF/OVMF_CODE.secboot.fd`` is the firmware binary,"},{"line_number":191,"context_line":"     built with SB plus SMM"},{"line_number":192,"context_line":"   - ``/usr/share/OVMF/OVMF_VARS.secboot.fd`` is the matching variable"},{"line_number":193,"context_line":"     store template"},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"- Debian:"},{"line_number":196,"context_line":"   - package name: \"ovmf\" (x86_64)"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_55555651","line":193,"in_reply_to":"3fa7e38b_2856b8ce","updated":"2020-02-04 13:37:16.000000000","message":"Same as RHEL-7.6; I\u0027ll mention it.","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":192,"context_line":"   - ``/usr/share/OVMF/OVMF_VARS.secboot.fd`` is the matching variable"},{"line_number":193,"context_line":"     store template"},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"- Debian:"},{"line_number":196,"context_line":"   - package name: \"ovmf\" (x86_64)"},{"line_number":197,"context_line":"   - ``/usr/share/OVMF/OVMF_CODE.fd`` is the firmware binary built with"},{"line_number":198,"context_line":"     SB plus SMM."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_e86bc082","line":195,"updated":"2020-01-27 11:47:24.000000000","message":"Version would be helpful. Above and below too","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":235,"context_line":"Other end user impact"},{"line_number":236,"context_line":"---------------------"},{"line_number":237,"context_line":""},{"line_number":238,"context_line":"None."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"Performance Impact"},{"line_number":241,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_88a56ca2","line":238,"range":{"start_line":238,"start_character":0,"end_line":238,"end_character":5},"updated":"2020-01-27 11:47:24.000000000","message":"Can you cold migrate an instance with secure boot? What about live migration? 
If so, could you note this here or somewhere else (\"There\u0027s no impact for cold or live migration\")","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"521b0758fa971ecf6dda97fb97344a10ae5c5ab8","unresolved":false,"context_lines":[{"line_number":235,"context_line":"Other end user impact"},{"line_number":236,"context_line":"---------------------"},{"line_number":237,"context_line":""},{"line_number":238,"context_line":"None."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"Performance Impact"},{"line_number":241,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_dbdf3765","line":238,"range":{"start_line":238,"start_character":0,"end_line":238,"end_character":5},"in_reply_to":"3fa7e38b_88a56ca2","updated":"2020-02-04 14:51:58.000000000","message":"Yes, no impact.  The only point I could think of is already taken care of by libvirt:  we should not (and we will not) enable the \"SMM\" flag on migration, as that will change guest ABI.  
\n\nA libvirt developer double-confirmed that libvirt denies such an attempt; so we\u0027re good there.","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":245,"context_line":"Other deployer impact"},{"line_number":246,"context_line":"---------------------"},{"line_number":247,"context_line":""},{"line_number":248,"context_line":"None."},{"line_number":249,"context_line":""},{"line_number":250,"context_line":"Developer impact"},{"line_number":251,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_28a798bd","line":248,"range":{"start_line":248,"start_character":0,"end_line":248,"end_character":5},"updated":"2020-01-27 11:47:24.000000000","message":"Worth noting that to use this, you\u0027ll need the minimum versions of libvirt and QEMU noted previously?","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"521b0758fa971ecf6dda97fb97344a10ae5c5ab8","unresolved":false,"context_lines":[{"line_number":245,"context_line":"Other deployer impact"},{"line_number":246,"context_line":"---------------------"},{"line_number":247,"context_line":""},{"line_number":248,"context_line":"None."},{"line_number":249,"context_line":""},{"line_number":250,"context_line":"Developer impact"},{"line_number":251,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_bbcefbb3","line":248,"range":{"start_line":248,"start_character":0,"end_line":248,"end_character":5},"in_reply_to":"3fa7e38b_28a798bd","updated":"2020-02-04 14:51:58.000000000","message":"Dependencies takes care of it; but I\u0027ll add it in here, 
too, with a reference to Dependencies section.","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":310,"context_line":"   with the firmware image, copies it into the guest\u0027s private path, and"},{"line_number":311,"context_line":"   asks the guest to use it."},{"line_number":312,"context_line":""},{"line_number":313,"context_line":"   NB-1: The paths for the UEFI binary are different for different"},{"line_number":314,"context_line":"   distributions — but libvirt will handle that for us."},{"line_number":315,"context_line":""},{"line_number":316,"context_line":"   NB-2: Q35 machine type is *mandatory* for Secure Boot with OVMF."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_c8912455","line":313,"range":{"start_line":313,"start_character":3,"end_line":313,"end_character":9},"updated":"2020-01-27 11:47:24.000000000","message":".. note::","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":377,"context_line":""},{"line_number":378,"context_line":"* QEMU \u003e\u003d2.4 to get Secure Boot support."},{"line_number":379,"context_line":""},{"line_number":380,"context_line":"* QEMU \u003e\u003d4.1.0 (releases in July/August 2019) to get the firmware"},{"line_number":381,"context_line":"  descriptor documents that conform to QEMU\u0027s ``firmware.json``"},{"line_number":382,"context_line":"  specification.  Here [10]_ are some examples of the said \"firmware"},{"line_number":383,"context_line":"  descriptor documents\".  
(NB: This does *not* block the spec for Train,"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_88700c43","line":380,"range":{"start_line":380,"start_character":16,"end_line":380,"end_character":24},"updated":"2020-01-27 11:47:24.000000000","message":"released","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":380,"context_line":"* QEMU \u003e\u003d4.1.0 (releases in July/August 2019) to get the firmware"},{"line_number":381,"context_line":"  descriptor documents that conform to QEMU\u0027s ``firmware.json``"},{"line_number":382,"context_line":"  specification.  Here [10]_ are some examples of the said \"firmware"},{"line_number":383,"context_line":"  descriptor documents\".  (NB: This does *not* block the spec for Train,"},{"line_number":384,"context_line":"  and is a convenient-to-have.)"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"* libvirt \u003e\u003d5.3 (releases in May 2019) for the firmware auto-selection"},{"line_number":387,"context_line":"  feature and the ability to query the availability of ``efi`` [11]_"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_e8750034","line":384,"range":{"start_line":383,"start_character":27,"end_line":384,"end_character":31},"updated":"2020-01-27 11:47:24.000000000","message":"I thought this was necessary so we wouldn\u0027t have to implement this logic ourselves? 
Even if not, s/Train/Ussuri/","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"9f8f3566e439214e66f38b32fca000e76a610360","unresolved":false,"context_lines":[{"line_number":380,"context_line":"* QEMU \u003e\u003d4.1.0 (releases in July/August 2019) to get the firmware"},{"line_number":381,"context_line":"  descriptor documents that conform to QEMU\u0027s ``firmware.json``"},{"line_number":382,"context_line":"  specification.  Here [10]_ are some examples of the said \"firmware"},{"line_number":383,"context_line":"  descriptor documents\".  (NB: This does *not* block the spec for Train,"},{"line_number":384,"context_line":"  and is a convenient-to-have.)"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"* libvirt \u003e\u003d5.3 (releases in May 2019) for the firmware auto-selection"},{"line_number":387,"context_line":"  feature and the ability to query the availability of ``efi`` [11]_"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_fbe4730d","line":384,"range":{"start_line":383,"start_character":27,"end_line":384,"end_character":31},"in_reply_to":"3fa7e38b_e8750034","updated":"2020-02-04 15:02:40.000000000","message":"Correct; now that they\u0027re available in Debian and Ubuntu, the above \"NB\" can be removed (will do in next iteration):\n\n* Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug\u003d932269\n* Ubuntu: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1836859\n* Fedora: https://src.fedoraproject.org/rpms/edk2/c/674b3c8a27a8.  
(RHEL is taken care of, too)","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ced22953fef9e0b94f229ee2bb26a1850f1cb974","unresolved":false,"context_lines":[{"line_number":383,"context_line":"  descriptor documents\".  (NB: This does *not* block the spec for Train,"},{"line_number":384,"context_line":"  and is a convenient-to-have.)"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"* libvirt \u003e\u003d5.3 (releases in May 2019) for the firmware auto-selection"},{"line_number":387,"context_line":"  feature and the ability to query the availability of ``efi`` [11]_"},{"line_number":388,"context_line":"  firmware via the getDomainCapabilities() API."},{"line_number":389,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_488c542d","line":386,"range":{"start_line":386,"start_character":17,"end_line":386,"end_character":25},"updated":"2020-01-27 11:47:24.000000000","message":"released","commit_id":"af8247a921b888a3a2fc0eb7ecc03dba3853264c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"483272e6a63f1de5952708fe86fe900722262c41","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"This specification proposes to extend the existing support for UEFI boot"},{"line_number":37,"context_line":"in Nova\u0027s libvirt driver to also support Secure Boot.  Refer to the"},{"line_number":38,"context_line":"sections :ref:`proposed-change \u003cProposed change\u003e` and :ref:`w-items"},{"line_number":39,"context_line":"\u003cWork items\u003e` for what needs to be done to support the Secure Boot for"},{"line_number":40,"context_line":"KVM / QEMU guests.  
In this spec, we focus only on the ``x86_64``"},{"line_number":41,"context_line":"architecture."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_fa7f6adb","line":39,"range":{"start_line":38,"start_character":9,"end_line":39,"end_character":13},"updated":"2020-02-06 11:08:33.000000000","message":"These are backwards.\n\n  :ref:`Helpful string \u003canchor-name\u003e`\n\nso\n\n  :ref:`Proposed change \u003cproposed-change\u003e`\n\nAt the moment, the anchors are unused and the rendered doc says e.g. \"...and w-items for what...\"\n\nThe reason it\u0027s working is because of the auto-anchoring behavior that I mentioned in an earlier PS.","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ee26b8be86c77dd628fbc5018debf6155b4b010d","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"This specification proposes to extend the existing support for UEFI boot"},{"line_number":37,"context_line":"in Nova\u0027s libvirt driver to also support Secure Boot.  Refer to the"},{"line_number":38,"context_line":"sections :ref:`proposed-change \u003cProposed change\u003e` and :ref:`w-items"},{"line_number":39,"context_line":"\u003cWork items\u003e` for what needs to be done to support the Secure Boot for"},{"line_number":40,"context_line":"KVM / QEMU guests.  
In this spec, we focus only on the ``x86_64``"},{"line_number":41,"context_line":"architecture."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_3a60a20c","line":39,"range":{"start_line":38,"start_character":9,"end_line":39,"end_character":13},"in_reply_to":"3fa7e38b_fa7f6adb","updated":"2020-02-06 11:24:55.000000000","message":"Done","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"483272e6a63f1de5952708fe86fe900722262c41","unresolved":false,"context_lines":[{"line_number":54,"context_line":"  the guest side."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"* Secure Boot will prevent the Nova instance from running untrusted code"},{"line_number":57,"context_line":"  by requiring a trusted signature on UEFI binaries.  More detail on it,"},{"line_number":58,"context_line":"  refer to the \"Testing Secure Boot\" guide here [3]_."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* Secure Boot will allow trustworthy code in Nova instances to: (a)"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_7a6b7a1b","line":57,"range":{"start_line":57,"start_character":54,"end_line":57,"end_character":58},"updated":"2020-02-06 11:08:33.000000000","message":"For more","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ee26b8be86c77dd628fbc5018debf6155b4b010d","unresolved":false,"context_lines":[{"line_number":54,"context_line":"  the guest side."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"* Secure Boot will prevent the Nova instance from running untrusted code"},{"line_number":57,"context_line":"  by 
requiring a trusted signature on UEFI binaries.  More detail on it,"},{"line_number":58,"context_line":"  refer to the \"Testing Secure Boot\" guide here [3]_."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* Secure Boot will allow trustworthy code in Nova instances to: (a)"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_1a5da653","line":57,"range":{"start_line":57,"start_character":54,"end_line":57,"end_character":58},"in_reply_to":"3fa7e38b_7a6b7a1b","updated":"2020-02-06 11:24:55.000000000","message":"Done","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"483272e6a63f1de5952708fe86fe900722262c41","unresolved":false,"context_lines":[{"line_number":116,"context_line":"  This libvirt feature takes advantage of QEMU\u0027s firmware description"},{"line_number":117,"context_line":"  schema [7]_."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"- Make Nova programatically query the getDomainCapabilities() API to"},{"line_number":120,"context_line":"  check if libvirt supports the relevant Secure Boot-related features."},{"line_number":121,"context_line":"  Introduce a _has_uefi_secure_boot_support() method to check if libvirt"},{"line_number":122,"context_line":"  can support the feature.  
This can be done by checking for the"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_7a44da9f","line":119,"range":{"start_line":119,"start_character":39,"end_line":119,"end_character":61},"updated":"2020-02-06 11:08:33.000000000","message":"``code``","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ee26b8be86c77dd628fbc5018debf6155b4b010d","unresolved":false,"context_lines":[{"line_number":116,"context_line":"  This libvirt feature takes advantage of QEMU\u0027s firmware description"},{"line_number":117,"context_line":"  schema [7]_."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"- Make Nova programatically query the getDomainCapabilities() API to"},{"line_number":120,"context_line":"  check if libvirt supports the relevant Secure Boot-related features."},{"line_number":121,"context_line":"  Introduce a _has_uefi_secure_boot_support() method to check if libvirt"},{"line_number":122,"context_line":"  can support the feature.  
This can be done by checking for the"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_1a2b669b","line":119,"range":{"start_line":119,"start_character":39,"end_line":119,"end_character":61},"in_reply_to":"3fa7e38b_7a44da9f","updated":"2020-02-06 11:24:55.000000000","message":"Done","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"483272e6a63f1de5952708fe86fe900722262c41","unresolved":false,"context_lines":[{"line_number":118,"context_line":""},{"line_number":119,"context_line":"- Make Nova programatically query the getDomainCapabilities() API to"},{"line_number":120,"context_line":"  check if libvirt supports the relevant Secure Boot-related features."},{"line_number":121,"context_line":"  Introduce a _has_uefi_secure_boot_support() method to check if libvirt"},{"line_number":122,"context_line":"  can support the feature.  
This can be done by checking for the"},{"line_number":123,"context_line":"  presence of ``efi`` and ``secure`` XML attributes from the output of"},{"line_number":124,"context_line":"  the ``$getDomainCapabilities()`` API."}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_1ac126fe","line":121,"range":{"start_line":121,"start_character":14,"end_line":121,"end_character":45},"updated":"2020-02-06 11:08:33.000000000","message":"``code``","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ee26b8be86c77dd628fbc5018debf6155b4b010d","unresolved":false,"context_lines":[{"line_number":118,"context_line":""},{"line_number":119,"context_line":"- Make Nova programatically query the getDomainCapabilities() API to"},{"line_number":120,"context_line":"  check if libvirt supports the relevant Secure Boot-related features."},{"line_number":121,"context_line":"  Introduce a _has_uefi_secure_boot_support() method to check if libvirt"},{"line_number":122,"context_line":"  can support the feature.  
This can be done by checking for the"},{"line_number":123,"context_line":"  presence of ``efi`` and ``secure`` XML attributes from the output of"},{"line_number":124,"context_line":"  the ``$getDomainCapabilities()`` API."}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_7a4e1a91","line":121,"range":{"start_line":121,"start_character":14,"end_line":121,"end_character":45},"in_reply_to":"3fa7e38b_1ac126fe","updated":"2020-02-06 11:24:55.000000000","message":"Done","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"483272e6a63f1de5952708fe86fe900722262c41","unresolved":false,"context_lines":[{"line_number":125,"context_line":""},{"line_number":126,"context_line":"- In the initial implementation, there will be no scheduler support to"},{"line_number":127,"context_line":"  isolate hosts that are not Secure Boot-capable, similar to existing"},{"line_number":128,"context_line":"  basic UEFI boot support.  
Nova will error-out if the host hypervisor"},{"line_number":129,"context_line":"  does not support Secure Boot."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_dacaae17","line":128,"range":{"start_line":128,"start_character":38,"end_line":128,"end_character":47},"updated":"2020-02-06 11:08:33.000000000","message":"nit: error out (or \"fail\")","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ee26b8be86c77dd628fbc5018debf6155b4b010d","unresolved":false,"context_lines":[{"line_number":125,"context_line":""},{"line_number":126,"context_line":"- In the initial implementation, there will be no scheduler support to"},{"line_number":127,"context_line":"  isolate hosts that are not Secure Boot-capable, similar to existing"},{"line_number":128,"context_line":"  basic UEFI boot support.  
Nova will error-out if the host hypervisor"},{"line_number":129,"context_line":"  does not support Secure Boot."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_5a531e3b","line":128,"range":{"start_line":128,"start_character":38,"end_line":128,"end_character":47},"in_reply_to":"3fa7e38b_dacaae17","updated":"2020-02-06 11:24:55.000000000","message":"Done","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"483272e6a63f1de5952708fe86fe900722262c41","unresolved":false,"context_lines":[{"line_number":261,"context_line":""},{"line_number":262,"context_line":"To use this feature, the following are the version requirements:"},{"line_number":263,"context_line":"QEMU \u003e\u003d4.1.0, libvirt \u003e\u003d5.3, OVMF/EDK2 packages shipping the JSON"},{"line_number":264,"context_line":"descriptor files.  
Details in the :ref:`Dependencies \u003cdeps\u003e` section."},{"line_number":265,"context_line":""},{"line_number":266,"context_line":"Developer impact"},{"line_number":267,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_bacfb224","line":264,"range":{"start_line":264,"start_character":35,"end_line":264,"end_character":60},"updated":"2020-02-06 11:08:33.000000000","message":"This one is correct","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"483272e6a63f1de5952708fe86fe900722262c41","unresolved":false,"context_lines":[{"line_number":321,"context_line":"      \u003c/os\u003e"},{"line_number":322,"context_line":""},{"line_number":323,"context_line":"   Note that Nova doesn\u0027t need to worry about the NVRAM store, from a"},{"line_number":324,"context_line":"   file management point of view — because with libvirt\u0027s firmware"},{"line_number":325,"context_line":"   auto-selection feature, it also detects the NVRAM store associated"},{"line_number":326,"context_line":"   with the firmware image, copies it into the guest\u0027s private path, and"},{"line_number":327,"context_line":"   asks the guest to use it."}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_5adebedb","line":324,"range":{"start_line":324,"start_character":32,"end_line":324,"end_character":34},"updated":"2020-02-06 11:08:33.000000000","message":"nit: ,","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ee26b8be86c77dd628fbc5018debf6155b4b010d","unresolved":false,"context_lines":[{"line_number":321,"context_line":"      
\u003c/os\u003e"},{"line_number":322,"context_line":""},{"line_number":323,"context_line":"   Note that Nova doesn\u0027t need to worry about the NVRAM store, from a"},{"line_number":324,"context_line":"   file management point of view — because with libvirt\u0027s firmware"},{"line_number":325,"context_line":"   auto-selection feature, it also detects the NVRAM store associated"},{"line_number":326,"context_line":"   with the firmware image, copies it into the guest\u0027s private path, and"},{"line_number":327,"context_line":"   asks the guest to use it."}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_8da882da","line":324,"range":{"start_line":324,"start_character":32,"end_line":324,"end_character":34},"in_reply_to":"3fa7e38b_5adebedb","updated":"2020-02-06 11:24:55.000000000","message":"Done","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"483272e6a63f1de5952708fe86fe900722262c41","unresolved":false,"context_lines":[{"line_number":322,"context_line":""},{"line_number":323,"context_line":"   Note that Nova doesn\u0027t need to worry about the NVRAM store, from a"},{"line_number":324,"context_line":"   file management point of view — because with libvirt\u0027s firmware"},{"line_number":325,"context_line":"   auto-selection feature, it also detects the NVRAM store associated"},{"line_number":326,"context_line":"   with the firmware image, copies it into the guest\u0027s private path, and"},{"line_number":327,"context_line":"   asks the guest to use it."},{"line_number":328,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_1aea8676","line":325,"range":{"start_line":325,"start_character":25,"end_line":325,"end_character":26},"updated":"2020-02-06 11:08:33.000000000","message":"nit: 
drop","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ee26b8be86c77dd628fbc5018debf6155b4b010d","unresolved":false,"context_lines":[{"line_number":322,"context_line":""},{"line_number":323,"context_line":"   Note that Nova doesn\u0027t need to worry about the NVRAM store, from a"},{"line_number":324,"context_line":"   file management point of view — because with libvirt\u0027s firmware"},{"line_number":325,"context_line":"   auto-selection feature, it also detects the NVRAM store associated"},{"line_number":326,"context_line":"   with the firmware image, copies it into the guest\u0027s private path, and"},{"line_number":327,"context_line":"   asks the guest to use it."},{"line_number":328,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_eda1f6f7","line":325,"range":{"start_line":325,"start_character":25,"end_line":325,"end_character":26},"in_reply_to":"3fa7e38b_1aea8676","updated":"2020-02-06 11:24:55.000000000","message":"Done","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"483272e6a63f1de5952708fe86fe900722262c41","unresolved":false,"context_lines":[{"line_number":333,"context_line":""},{"line_number":334,"context_line":"3. For guests to truly get Secure Boot, we need to ensure that the"},{"line_number":335,"context_line":"   non-volatile store (\"VARS\") file (in the above example,"},{"line_number":336,"context_line":"   `fedora_VARS.secboot.fd`) has the default UEFI keys enrolled."},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"   There are two ways to achieve that.  
The first, use the \"VARS\""},{"line_number":339,"context_line":"   template file (*with* UEFI keys enrolled) that is shipped by your"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_fae68aaf","line":336,"range":{"start_line":336,"start_character":3,"end_line":336,"end_character":27},"updated":"2020-02-06 11:08:33.000000000","message":"``code``","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ee26b8be86c77dd628fbc5018debf6155b4b010d","unresolved":false,"context_lines":[{"line_number":333,"context_line":""},{"line_number":334,"context_line":"3. For guests to truly get Secure Boot, we need to ensure that the"},{"line_number":335,"context_line":"   non-volatile store (\"VARS\") file (in the above example,"},{"line_number":336,"context_line":"   `fedora_VARS.secboot.fd`) has the default UEFI keys enrolled."},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"   There are two ways to achieve that.  
The first, use the \"VARS\""},{"line_number":339,"context_line":"   template file (*with* UEFI keys enrolled) that is shipped by your"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_1a14c64f","line":336,"range":{"start_line":336,"start_character":3,"end_line":336,"end_character":27},"in_reply_to":"3fa7e38b_fae68aaf","updated":"2020-02-06 11:24:55.000000000","message":"Done","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"483272e6a63f1de5952708fe86fe900722262c41","unresolved":false,"context_lines":[{"line_number":412,"context_line":"This feature should be possible (assuming the earlier-mentioned"},{"line_number":413,"context_line":"minimum libvirt and QEMU versions are available) to test in the upstream"},{"line_number":414,"context_line":"gating environment.  Where the Nova instance should be able to boot a"},{"line_number":415,"context_line":"KVM guest with Secure Boot (using OVMF), and verify in `dmesg` that"},{"line_number":416,"context_line":"Secure Boot is *actually* in effect."},{"line_number":417,"context_line":""},{"line_number":418,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_7af29a6b","line":415,"range":{"start_line":415,"start_character":55,"end_line":415,"end_character":62},"updated":"2020-02-06 11:08:33.000000000","message":"``code``","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ee26b8be86c77dd628fbc5018debf6155b4b010d","unresolved":false,"context_lines":[{"line_number":412,"context_line":"This feature should be possible (assuming the earlier-mentioned"},{"line_number":413,"context_line":"minimum libvirt and QEMU versions are available) to test in the 
upstream"},{"line_number":414,"context_line":"gating environment.  Where the Nova instance should be able to boot a"},{"line_number":415,"context_line":"KVM guest with Secure Boot (using OVMF), and verify in `dmesg` that"},{"line_number":416,"context_line":"Secure Boot is *actually* in effect."},{"line_number":417,"context_line":""},{"line_number":418,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3fa7e38b_ada3fefc","line":415,"range":{"start_line":415,"start_character":55,"end_line":415,"end_character":62},"in_reply_to":"3fa7e38b_7af29a6b","updated":"2020-02-06 11:24:55.000000000","message":"Done","commit_id":"7a6c553b9da870943784ced493543b6a3a5df4c6"}]}
