{"specs/wallaby/approved/allow-secure-boot-for-qemu-kvm-guests.rst":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    [...]"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"The above only provides generic UEFI boot [1]_, but not Secure Boot."},{"line_number":34,"context_line":"Also it is not robust to hardcode OVMF binary file paths this way."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"This specification proposes to extend the existing support for UEFI boot"},{"line_number":37,"context_line":"in Nova\u0027s libvirt driver to also support Secure Boot.  Refer to the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_ad794afd","line":34,"updated":"2020-10-27 16:10:43.000000000","message":"Excellent explanation about the existing situation and what needs to be added, FWIW.\nPeople who didn\u0027t have a single context about UEFI support in Nova now know about it.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* And, as a refresher, benefits of using OVMF are listed in the"},{"line_number":65,"context_line":"  \"Motivation\" section of the OVMF white paper [4]_.  
And for a more"},{"line_number":66,"context_line":"  detailed treatment of Secure Boot, refer to this [5]_."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_2d6d3a32","line":66,"updated":"2020-10-27 16:10:43.000000000","message":"++ again, great use cases !","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":73,"context_line":"rough set of planned changes:"},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"- Reuse the existing Nova metadata property, ``os_secure_boot`` (added"},{"line_number":76,"context_line":"  for Hyper-V support) to allow user to request Secure Boot support."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"- In the initial implemetation, Nova will only support the default UEFI"},{"line_number":79,"context_line":"  keys, which will work with most distributions (Debian, Ubuntu, SUSE,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_4d723613","line":76,"updated":"2020-10-27 16:10:43.000000000","message":"++","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":82,"context_line":"  keys, then it is equivalent to you not trusting the filesystem where"},{"line_number":83,"context_line":"  your compute node is running.)  
If later desired, we can reuse the"},{"line_number":84,"context_line":"  existing image metadata property, ``os_secure_boot_signature`` that"},{"line_number":85,"context_line":"  lets you specify bootloader\u0027s signature."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"- Make Nova use libvirt\u0027s interface for auto-selecting firmware"},{"line_number":88,"context_line":"  binaries; this was added in libvirt 5.2 [6]_.  Why?"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_8d656e48","line":85,"updated":"2020-10-27 16:10:43.000000000","message":"looks good to me as a first step.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"33ba7f1cf80e65f2c87799a030ab3061bfc6b6e7","unresolved":false,"context_lines":[{"line_number":82,"context_line":"  keys, then it is equivalent to you not trusting the filesystem where"},{"line_number":83,"context_line":"  your compute node is running.)  If later desired, we can reuse the"},{"line_number":84,"context_line":"  existing image metadata property, ``os_secure_boot_signature`` that"},{"line_number":85,"context_line":"  lets you specify bootloader\u0027s signature."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"- Make Nova use libvirt\u0027s interface for auto-selecting firmware"},{"line_number":88,"context_line":"  binaries; this was added in libvirt 5.2 [6]_.  
Why?"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_1694f18a","line":85,"in_reply_to":"3f65232a_2e0891d7","updated":"2020-10-30 14:39:21.000000000","message":"OK, removing my +2 given the comments we told about the traits during the PTG.\n\nPlease provide traits for this and then the image metadata would ask for the trait.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"71ced59f875c5f00cde96f32e577539a12682a4d","unresolved":false,"context_lines":[{"line_number":82,"context_line":"  keys, then it is equivalent to you not trusting the filesystem where"},{"line_number":83,"context_line":"  your compute node is running.)  If later desired, we can reuse the"},{"line_number":84,"context_line":"  existing image metadata property, ``os_secure_boot_signature`` that"},{"line_number":85,"context_line":"  lets you specify bootloader\u0027s signature."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"- Make Nova use libvirt\u0027s interface for auto-selecting firmware"},{"line_number":88,"context_line":"  binaries; this was added in libvirt 5.2 [6]_.  
Why?"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_2e0891d7","line":85,"in_reply_to":"3f65232a_8d656e48","updated":"2020-10-27 17:37:25.000000000","message":"ya putting this out of scope is good for an initial approach.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"71ced59f875c5f00cde96f32e577539a12682a4d","unresolved":false,"context_lines":[{"line_number":85,"context_line":"  lets you specify bootloader\u0027s signature."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"- Make Nova use libvirt\u0027s interface for auto-selecting firmware"},{"line_number":88,"context_line":"  binaries; this was added in libvirt 5.2 [6]_.  Why?"},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"  Problem: Today, Nova does not have a sensible way of knowing which"},{"line_number":91,"context_line":"  firmware binary to select.  
All it sees is the firmware binary path"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_ae1ca113","line":88,"range":{"start_line":88,"start_character":37,"end_line":88,"end_character":42},"updated":"2020-10-27 17:37:25.000000000","message":"just as a note we are planning to move to libvirt 6.0 as our min version in wallaby so we should not need to check for this version when this is implemented.\nI would suggest making that move to 6.0.0 sooner rather than later.\n\nhttps://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L225-L233\nMIN_LIBVIRT_VERSION \u003d (5, 0, 0)\nMIN_QEMU_VERSION \u003d (4, 0, 0)\n# TODO(berrange): Re-evaluate this at start of each release cycle\n# to decide if we want to plan a future min version bump.\n# MIN_LIBVIRT_VERSION can be updated to match this after\n# NEXT_MIN_LIBVIRT_VERSION  has been at a higher value for\n# one cycle\nNEXT_MIN_LIBVIRT_VERSION \u003d (6, 0, 0)\nNEXT_MIN_QEMU_VERSION \u003d (4, 2, 0)","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":111,"context_line":"  ``MIN_QEMU_SECURE_BOOT_VERSION`` constants."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"  This libvirt feature takes advantage of QEMU\u0027s firmware description"},{"line_number":114,"context_line":"  schema [7]_."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"- Make Nova programatically query the ``getDomainCapabilities()`` API to"},{"line_number":117,"context_line":"  check if libvirt supports the relevant Secure Boot-related features."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_2d56da5d","line":114,"updated":"2020-10-27 
16:10:43.000000000","message":"++","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":122,"context_line":""},{"line_number":123,"context_line":"- In the initial implementation, there will be no scheduler support to"},{"line_number":124,"context_line":"  isolate hosts that are not Secure Boot-capable, similar to existing"},{"line_number":125,"context_line":"  basic UEFI boot support.  Nova will error out if the host hypervisor"},{"line_number":126,"context_line":"  does not support Secure Boot."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Low-level background on different kinds of OVMF builds"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_0d84beb0","line":126,"range":{"start_line":125,"start_character":28,"end_line":126,"end_character":31},"updated":"2020-10-27 16:10:43.000000000","message":"meaning the instance will turn into ERROR state. Fair enough.\nPeople can use aggregates with image metadata (and a filter) to avoid this FWIW.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"c288d78f8bb33f6a967a8051c6de51580f82e982","unresolved":false,"context_lines":[{"line_number":122,"context_line":""},{"line_number":123,"context_line":"- In the initial implementation, there will be no scheduler support to"},{"line_number":124,"context_line":"  isolate hosts that are not Secure Boot-capable, similar to existing"},{"line_number":125,"context_line":"  basic UEFI boot support.  
Nova will error out if the host hypervisor"},{"line_number":126,"context_line":"  does not support Secure Boot."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Low-level background on different kinds of OVMF builds"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_a884985f","line":126,"range":{"start_line":125,"start_character":28,"end_line":126,"end_character":31},"in_reply_to":"3f65232a_0d84beb0","updated":"2020-10-27 16:18:47.000000000","message":"This would be exceptionally easy to do with a trait. While we can work around not having it, meaning it\u0027s not a blocker, I\u0027d suggest looking into adding traits similar to the vTPM work","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"ee32346cba95594d3423ee21db179d8d59f3c765","unresolved":false,"context_lines":[{"line_number":122,"context_line":""},{"line_number":123,"context_line":"- In the initial implementation, there will be no scheduler support to"},{"line_number":124,"context_line":"  isolate hosts that are not Secure Boot-capable, similar to existing"},{"line_number":125,"context_line":"  basic UEFI boot support.  Nova will error out if the host hypervisor"},{"line_number":126,"context_line":"  does not support Secure Boot."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Low-level background on different kinds of OVMF builds"}],"source_content_type":"text/x-rst","patch_set":1,"id":"261925ce_32e66ca6","line":126,"range":{"start_line":125,"start_character":28,"end_line":126,"end_character":31},"in_reply_to":"3f65232a_6ee0c9fb","updated":"2020-12-11 11:07:42.000000000","message":"Okay, I\u0027ll add a work item about using traits.  
Thanks.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"71ced59f875c5f00cde96f32e577539a12682a4d","unresolved":false,"context_lines":[{"line_number":122,"context_line":""},{"line_number":123,"context_line":"- In the initial implementation, there will be no scheduler support to"},{"line_number":124,"context_line":"  isolate hosts that are not Secure Boot-capable, similar to existing"},{"line_number":125,"context_line":"  basic UEFI boot support.  Nova will error out if the host hypervisor"},{"line_number":126,"context_line":"  does not support Secure Boot."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Low-level background on different kinds of OVMF builds"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_6ee0c9fb","line":126,"range":{"start_line":125,"start_character":28,"end_line":126,"end_character":31},"in_reply_to":"3f65232a_a884985f","updated":"2020-10-27 17:37:25.000000000","message":"yes I do think a trait would make sense to avoid selecting hosts that don\u0027t have support for secure boot guests.\nit also has other uses such as isolated aggregates\n\nwe should be ideally generating a required trait request automatically from the extra spec.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":126,"context_line":"  does not support Secure Boot."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Low-level background on different kinds of OVMF 
builds"},{"line_number":130,"context_line":"------------------------------------------------------"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"[Thanks: Laszlo Ersek, OVMF maintainer, for the below discussion.  I"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_cdbbe66f","line":129,"updated":"2020-10-27 16:10:43.000000000","message":"this whole section is absolutely worth reading for getting more knowledge, but honestly not needed for a spec.\nEither way, I liked it.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"71ced59f875c5f00cde96f32e577539a12682a4d","unresolved":false,"context_lines":[{"line_number":126,"context_line":"  does not support Secure Boot."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Low-level background on different kinds of OVMF builds"},{"line_number":130,"context_line":"------------------------------------------------------"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"[Thanks: Laszlo Ersek, OVMF maintainer, for the below discussion.  I"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_4ebceddb","line":129,"in_reply_to":"3f65232a_cdbbe66f","updated":"2020-10-27 17:37:25.000000000","message":"yes that has been raised before but ya it\u0027s fine I guess. 
it would make more sense to copy this into in-tree docs at some point, probably minus the names.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":213,"context_line":"This is one of the tricky parts, but thankfully, the libvirt release 5.2"},{"line_number":214,"context_line":"vastly simplifies the OVMF file name handling — by providing an"},{"line_number":215,"context_line":"interface to auto-select firmware (which in turn, takes advantage of the"},{"line_number":216,"context_line":"firmware descriptor files from QEMU (provided by QEMU 2.9 and above)."},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"Alternatives"},{"line_number":219,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_6dac5234","line":216,"updated":"2020-10-27 16:10:43.000000000","message":"++","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":218,"context_line":"Alternatives"},{"line_number":219,"context_line":"------------"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"None."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Data model impact"},{"line_number":224,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_4da7d650","line":221,"updated":"2020-10-27 16:10:43.000000000","message":"well, I\u0027d name one \"Keep your cloud untrustable ?\" (joking)","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"71ced59f875c5f00cde96f32e577539a12682a4d","unresolved":false,"context_lines":[{"line_number":218,"context_line":"Alternatives"},{"line_number":219,"context_line":"------------"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"None."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Data model impact"},{"line_number":224,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_ae8f812c","line":221,"in_reply_to":"3f65232a_4da7d650","updated":"2020-10-27 17:37:25.000000000","message":"well the alternative would be to do this at the host level rather than per instance so you can force the use of secure boot, but if we have a trait then we can use isolated aggregates to do that instead. \n\nhttps://docs.openstack.org/nova/latest/reference/isolate-aggregates.html\n\nby the way a reference like ^ would be good to capture the secure boot context information outside of this spec.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"ee32346cba95594d3423ee21db179d8d59f3c765","unresolved":false,"context_lines":[{"line_number":218,"context_line":"Alternatives"},{"line_number":219,"context_line":"------------"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"None."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Data model impact"},{"line_number":224,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"c3475cf9_af2e5d93","line":221,"in_reply_to":"3f65232a_ae8f812c","updated":"2020-12-11 11:07:42.000000000","message":"Okay, I can reference that :-)","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain 
Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":235,"context_line":""},{"line_number":236,"context_line":"With this feature, KVM- and QEMU-based Nova instances can get Secure"},{"line_number":237,"context_line":"Boot support.  Thus protecting the guests from boot-time malware, and"},{"line_number":238,"context_line":"ensures the code that the firmware executes only trusted code."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"Notifications impact"},{"line_number":241,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_cd7006e0","line":238,"updated":"2020-10-27 16:10:43.000000000","message":"there is no security impact per se (in the terms of a nova spec section) but I got your point.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":258,"context_line":""},{"line_number":259,"context_line":"To use this feature, the following are the version requirements:"},{"line_number":260,"context_line":"QEMU \u003e\u003d4.1.0, libvirt \u003e\u003d5.3, OVMF/EDK2 packages shipping the JSON"},{"line_number":261,"context_line":"descriptor files.  
Details in the `Dependencies`_ section."},{"line_number":262,"context_line":""},{"line_number":263,"context_line":"Developer impact"},{"line_number":264,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_ed3b42e8","line":261,"updated":"2020-10-27 16:10:43.000000000","message":"Current minimums are below this but that\u0027s fine as the relnote will mention the prereqs.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"ee32346cba95594d3423ee21db179d8d59f3c765","unresolved":false,"context_lines":[{"line_number":258,"context_line":""},{"line_number":259,"context_line":"To use this feature, the following are the version requirements:"},{"line_number":260,"context_line":"QEMU \u003e\u003d4.1.0, libvirt \u003e\u003d5.3, OVMF/EDK2 packages shipping the JSON"},{"line_number":261,"context_line":"descriptor files.  
Details in the `Dependencies`_ section."},{"line_number":262,"context_line":""},{"line_number":263,"context_line":"Developer impact"},{"line_number":264,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"aa7e8500_9f76dc77","line":261,"in_reply_to":"3f65232a_0eadd587","updated":"2020-12-11 11:07:42.000000000","message":"Yep, on versions, we now indeed have this in tree:\n\nNEXT_MIN_LIBVIRT_VERSION \u003d (6, 0, 0)\nNEXT_MIN_QEMU_VERSION \u003d (4, 2, 0)","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"71ced59f875c5f00cde96f32e577539a12682a4d","unresolved":false,"context_lines":[{"line_number":258,"context_line":""},{"line_number":259,"context_line":"To use this feature, the following are the version requirements:"},{"line_number":260,"context_line":"QEMU \u003e\u003d4.1.0, libvirt \u003e\u003d5.3, OVMF/EDK2 packages shipping the JSON"},{"line_number":261,"context_line":"descriptor files.  
Details in the `Dependencies`_ section."},{"line_number":262,"context_line":""},{"line_number":263,"context_line":"Developer impact"},{"line_number":264,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_0eadd587","line":261,"in_reply_to":"3f65232a_ed3b42e8","updated":"2020-10-27 17:37:25.000000000","message":"current yes but the planned minimum for wallaby will be libvirt 6.0 and qemu 4.2\n\nhttps://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L225-L233\n\nso we should be good.\n\nwe can certainly also note it in the release note but it will be more informational once we update the minimum in code.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":406,"context_line":"minimum libvirt and QEMU versions are available) to test in the upstream"},{"line_number":407,"context_line":"gating environment.  
Where the Nova instance should be able to boot a"},{"line_number":408,"context_line":"KVM guest with Secure Boot (using OVMF), and verify in `dmesg` that"},{"line_number":409,"context_line":"Secure Boot is *actually* in effect."},{"line_number":410,"context_line":""},{"line_number":411,"context_line":""},{"line_number":412,"context_line":"Documentation Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_ed14e250","line":409,"updated":"2020-10-27 16:10:43.000000000","message":"Functional testing should also be possible, I think.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"ee32346cba95594d3423ee21db179d8d59f3c765","unresolved":false,"context_lines":[{"line_number":406,"context_line":"minimum libvirt and QEMU versions are available) to test in the upstream"},{"line_number":407,"context_line":"gating environment.  Where the Nova instance should be able to boot a"},{"line_number":408,"context_line":"KVM guest with Secure Boot (using OVMF), and verify in `dmesg` that"},{"line_number":409,"context_line":"Secure Boot is *actually* in effect."},{"line_number":410,"context_line":""},{"line_number":411,"context_line":""},{"line_number":412,"context_line":"Documentation Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"e3053c76_9a2440c0","line":409,"in_reply_to":"3f65232a_ced0fdfa","updated":"2020-12-11 11:07:42.000000000","message":"Yeah, it\u0027s more involved; but should be possible.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"71ced59f875c5f00cde96f32e577539a12682a4d","unresolved":false,"context_lines":[{"line_number":406,"context_line":"minimum libvirt and QEMU versions are available) to test in the upstream"},{"line_number":407,"context_line":"gating 
environment.  Where the Nova instance should be able to boot a"},{"line_number":408,"context_line":"KVM guest with Secure Boot (using OVMF), and verify in `dmesg` that"},{"line_number":409,"context_line":"Secure Boot is *actually* in effect."},{"line_number":410,"context_line":""},{"line_number":411,"context_line":""},{"line_number":412,"context_line":"Documentation Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_ced0fdfa","line":409,"in_reply_to":"3f65232a_ed14e250","updated":"2020-10-27 17:37:25.000000000","message":"ya functional testing would only involve extending the fake libvirt driver to support the API for getting the firmware version; I think the rest should be in place.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b2ac7b9020359f3b4b0558fe99d01d1127ed7a35","unresolved":false,"context_lines":[{"line_number":474,"context_line":"   * - Release Name"},{"line_number":475,"context_line":"     - Description"},{"line_number":476,"context_line":"   * - Train"},{"line_number":477,"context_line":"     - Introduced"},{"line_number":478,"context_line":"   * - Wallaby"},{"line_number":479,"context_line":"     - Re-proposed"},{"line_number":480,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_cd5f6670","line":477,"updated":"2020-10-27 16:10:43.000000000","message":"well, this spec was approved for both Train and Ussuri.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"ee32346cba95594d3423ee21db179d8d59f3c765","unresolved":false,"context_lines":[{"line_number":474,"context_line":"   * - Release Name"},{"line_number":475,"context_line":"     - Description"},{"line_number":476,"context_line":"   * - Train"},{"line_number":477,"context_line":"     
- Introduced"},{"line_number":478,"context_line":"   * - Wallaby"},{"line_number":479,"context_line":"     - Re-proposed"},{"line_number":480,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f293e34_d81d58a8","line":477,"in_reply_to":"3f65232a_68e72042","updated":"2020-12-11 11:07:42.000000000","message":"Yep, will adjust.","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"c288d78f8bb33f6a967a8051c6de51580f82e982","unresolved":false,"context_lines":[{"line_number":474,"context_line":"   * - Release Name"},{"line_number":475,"context_line":"     - Description"},{"line_number":476,"context_line":"   * - Train"},{"line_number":477,"context_line":"     - Introduced"},{"line_number":478,"context_line":"   * - Wallaby"},{"line_number":479,"context_line":"     - Re-proposed"},{"line_number":480,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f65232a_68e72042","line":477,"in_reply_to":"3f65232a_cd5f6670","updated":"2020-10-27 16:18:47.000000000","message":"+1","commit_id":"1c762680aea0aa0eddd5e1bc6964ae7a4c346ca3"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c7146733dbdb254067510b7a4fe70dc70ef74505","unresolved":true,"context_lines":[{"line_number":110,"context_line":"  (4, 2, 0)``.  
This allows us to use libvirt\u0027s formal interface that"},{"line_number":111,"context_line":"  allows auto-selecting firmware binaries—this also means relatively"},{"line_number":112,"context_line":"  much less \"scaffolding code\" in Nova."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"  The above libvirt feature takes advantage of QEMU\u0027s firmware"},{"line_number":115,"context_line":"  description schema [7]_."},{"line_number":116,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"8a3cb39d_05f16ba3","line":113,"updated":"2020-12-11 12:11:00.000000000","message":"+1","commit_id":"e11b401050f9c5468953809257f476939ded76ef"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c7146733dbdb254067510b7a4fe70dc70ef74505","unresolved":true,"context_lines":[{"line_number":126,"context_line":"  basic UEFI boot support.  Nova will error out if the host hypervisor"},{"line_number":127,"context_line":"  does not support Secure Boot."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"  This can be done via introducing a \"trait\" to avoid selecting hosts"},{"line_number":130,"context_line":"  that does not have support for Secure Boot.  It also enables other"},{"line_number":131,"context_line":"  use cases such as filtering hosts by isolating \"aggregates\" [8]_."},{"line_number":132,"context_line":""},{"line_number":133,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1bc9a2b9_aeab4168","line":130,"range":{"start_line":129,"start_character":63,"end_line":130,"end_character":16},"updated":"2020-12-11 12:11:00.000000000","message":"nit: \"a host that does not\" or \"hosts that do not\"","commit_id":"e11b401050f9c5468953809257f476939ded76ef"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"9564b179c5959ce16315c1f45214d5c430bd92a5","unresolved":true,"context_lines":[{"line_number":126,"context_line":"  basic UEFI boot support.  Nova will error out if the host hypervisor"},{"line_number":127,"context_line":"  does not support Secure Boot."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"  This can be done via introducing a \"trait\" to avoid selecting hosts"},{"line_number":130,"context_line":"  that does not have support for Secure Boot.  It also enables other"},{"line_number":131,"context_line":"  use cases such as filtering hosts by isolating \"aggregates\" [8]_."},{"line_number":132,"context_line":""},{"line_number":133,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"c5e39d96_2c0e8006","line":130,"range":{"start_line":129,"start_character":63,"end_line":130,"end_character":16},"in_reply_to":"1bc9a2b9_aeab4168","updated":"2020-12-11 14:07:54.000000000","message":"Also fixed in next iteration; thanks!","commit_id":"e11b401050f9c5468953809257f476939ded76ef"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c7146733dbdb254067510b7a4fe70dc70ef74505","unresolved":true,"context_lines":[{"line_number":384,"context_line":"   different distributions.  And Ubuntu and Debian are also working to"},{"line_number":385,"context_line":"   ship this script."},{"line_number":386,"context_line":""},{"line_number":387,"context_line":"5. Introduce a \"trait\" (needs update to \u0027os-traits\u0027 library) for Secure"},{"line_number":388,"context_line":"   Boot, so the image metadata can ask for the trait.  As noted earlier,"},{"line_number":389,"context_line":"   allows Nova to pick out only those hosts are Secure Boot-capable."},{"line_number":390,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"565fafa2_7d9ddd96","line":387,"updated":"2020-12-11 12:11:00.000000000","message":"\"The Introduction of a \"trait\" (for Secure Boot) requires an update to the\n\u0027os-traits\u0027 library, so the image metadata can ask for the trait.\nAs noted earlier, the trait allows Nova to pick out only those hosts\nare Secure Boot-capable. this will require os-traits to be installed\non the host running placement and the placement-manage executable to be\nrun to register the new standard traits before nova is upgraded.\"\n\nyou didn\u0027t actually describe the upgrade impact so if you are going to\nlist more than \"A new standard trait has been added\" and not assume the operator\nknows the implications of that then you should describe the implications and what\nthey have to do.","commit_id":"e11b401050f9c5468953809257f476939ded76ef"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"c80fcf17669821edb23a1c43574b39f36b724a1d","unresolved":true,"context_lines":[{"line_number":384,"context_line":"   different distributions.  And Ubuntu and Debian are also working to"},{"line_number":385,"context_line":"   ship this script."},{"line_number":386,"context_line":""},{"line_number":387,"context_line":"5. Introduce a \"trait\" (needs update to \u0027os-traits\u0027 library) for Secure"},{"line_number":388,"context_line":"   Boot, so the image metadata can ask for the trait.  As noted earlier,"},{"line_number":389,"context_line":"   allows Nova to pick out only those hosts are Secure Boot-capable."},{"line_number":390,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"d5585bf7_cfaef280","line":387,"in_reply_to":"565fafa2_7d9ddd96","updated":"2020-12-11 14:07:03.000000000","message":"Okay, fair enough on the upgrade impact.  Will do the edit.","commit_id":"e11b401050f9c5468953809257f476939ded76ef"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"47c2face69a019d75429af554686463a59f4245d","unresolved":true,"context_lines":[{"line_number":384,"context_line":"   different distributions.  And Ubuntu and Debian are also working to"},{"line_number":385,"context_line":"   ship this script."},{"line_number":386,"context_line":""},{"line_number":387,"context_line":"5. Introduce a \"trait\" (needs update to \u0027os-traits\u0027 library) for Secure"},{"line_number":388,"context_line":"   Boot, so the image metadata can ask for the trait.  As noted earlier,"},{"line_number":389,"context_line":"   allows Nova to pick out only those hosts are Secure Boot-capable."},{"line_number":390,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a1cb29c_ccb98b46","line":387,"in_reply_to":"d5585bf7_cfaef280","updated":"2020-12-11 14:33:24.000000000","message":"I take it here you mean to sync the \u0027os-traits\u0027 into Placement via:\n`placement-manage os-traits sync`\n\nI\u0027ve updated the next iteration as such.","commit_id":"e11b401050f9c5468953809257f476939ded76ef"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c7146733dbdb254067510b7a4fe70dc70ef74505","unresolved":true,"context_lines":[{"line_number":481,"context_line":"History"},{"line_number":482,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":483,"context_line":""},{"line_number":484,"context_line":".. list-table:: Revisions"},{"line_number":485,"context_line":"   :header-rows: 1"},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"   * - Release Name"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f945fa64_4a4a9e86","line":484,"updated":"2020-12-11 12:11:00.000000000","message":"/home/zuul/src/opendev.org/openstack/nova-specs/doc/source/specs/wallaby/approved/allow-secure-boot-for-qemu-kvm-guests.rst:484:Error parsing content block for the \"list-table\" directive: uniform two-level bullet list expected, but row 2 does not contain the same number of items as row 1 (3 vs 2).\n\nthis is where the docs issue is reported.","commit_id":"e11b401050f9c5468953809257f476939ded76ef"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c7146733dbdb254067510b7a4fe70dc70ef74505","unresolved":true,"context_lines":[{"line_number":487,"context_line":"   * - Release Name"},{"line_number":488,"context_line":"     - Description"},{"line_number":489,"context_line":"   * - Train"},{"line_number":490,"context_line":"     - Ussuri"},{"line_number":491,"context_line":"     - Introduced"},{"line_number":492,"context_line":"   * - Wallaby"},{"line_number":493,"context_line":"     - Re-proposed"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a0ac074f_61ea1203","line":490,"updated":"2020-12-11 12:11:00.000000000","message":"but this is actually the issue\n\nit should be\n\n   * - Train\n     - Introduced\n   * - Ussuri\n     - Re-proposed","commit_id":"e11b401050f9c5468953809257f476939ded76ef"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"c80fcf17669821edb23a1c43574b39f36b724a1d","unresolved":true,"context_lines":[{"line_number":487,"context_line":"   * - Release Name"},{"line_number":488,"context_line":"     - Description"},{"line_number":489,"context_line":"   * - Train"},{"line_number":490,"context_line":"     - Ussuri"},{"line_number":491,"context_line":"     - Introduced"},{"line_number":492,"context_line":"   * - Wallaby"},{"line_number":493,"context_line":"     - Re-proposed"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e536fb0b_41a549ac","line":490,"in_reply_to":"a0ac074f_61ea1203","updated":"2020-12-11 14:07:03.000000000","message":"Ah, thanks!  Fixed.","commit_id":"e11b401050f9c5468953809257f476939ded76ef"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"eb7eca72334af819da81385274b034773840d9ad","unresolved":true,"context_lines":[{"line_number":389,"context_line":"   allows Nova to pick out only those hosts are Secure Boot-capable."},{"line_number":390,"context_line":"   This requires \u0027os-traits\u0027 to be installed on the host running"},{"line_number":391,"context_line":"   ``placement`` service, and synchronize the new traits into Placement"},{"line_number":392,"context_line":"   service by ``placement-manage os-traits sync``placement-manage`` ."},{"line_number":393,"context_line":""},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":3,"id":"dd8754dd_71fc00cf","line":392,"range":{"start_line":392,"start_character":14,"end_line":392,"end_character":67},"updated":"2020-12-11 14:39:05.000000000","message":"I think you meant just ``placement-manage os-traits sync``.","commit_id":"a26e4e382d15c57fd2d858c60267d04ff814455e"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"5d0841764369651fc314399dec58bdf26775c12e","unresolved":true,"context_lines":[{"line_number":388,"context_line":"   Boot, so the image metadata can ask for the trait.  As noted earlier,"},{"line_number":389,"context_line":"   allows Nova to pick out only those hosts are Secure Boot-capable."},{"line_number":390,"context_line":"   This requires \u0027os-traits\u0027 to be installed (or upgraded if need be) on"},{"line_number":391,"context_line":"   the host running ``placement`` service.  Followed by a restart ofthe"},{"line_number":392,"context_line":"   ``placement`` service—this will synchronize the traits into the"},{"line_number":393,"context_line":"   Placement database."},{"line_number":394,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"9a6b644c_2620ecc6","line":391,"range":{"start_line":391,"start_character":66,"end_line":391,"end_character":71},"updated":"2020-12-11 15:11:32.000000000","message":"nit: of the","commit_id":"f182af28fa995a9d1c84b83c1b3d75958bc12d1a"},{"author":{"_account_id":6962,"name":"Kashyap Chamarthy","email":"kchamart@redhat.com","username":"kashyapc"},"change_message_id":"93bf37cb57950135250885571745a48762be7a0a","unresolved":false,"context_lines":[{"line_number":388,"context_line":"   Boot, so the image metadata can ask for the trait.  As noted earlier,"},{"line_number":389,"context_line":"   allows Nova to pick out only those hosts are Secure Boot-capable."},{"line_number":390,"context_line":"   This requires \u0027os-traits\u0027 to be installed (or upgraded if need be) on"},{"line_number":391,"context_line":"   the host running ``placement`` service.  Followed by a restart ofthe"},{"line_number":392,"context_line":"   ``placement`` service—this will synchronize the traits into the"},{"line_number":393,"context_line":"   Placement database."},{"line_number":394,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"d3e417db_c0931627","line":391,"range":{"start_line":391,"start_character":66,"end_line":391,"end_character":71},"in_reply_to":"9a6b644c_2620ecc6","updated":"2020-12-11 15:40:16.000000000","message":"Fixed in next iter :-)","commit_id":"f182af28fa995a9d1c84b83c1b3d75958bc12d1a"}]}
