)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"faff0ee67503c40da1108b05f637f45e1cde4f3e","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1b3c6a86_55d70369","updated":"2025-01-10 08:44:26.000000000","message":"The host level config direction is OK to me, as well as the image prop /extra spec. However I think the proposal is missing the mechanism to tell the user what mode they are opting into. So I\u0027m -1 due to that.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6104a5b3a9f791cca6fc08db7c8822c12834d896","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"8878e7ac_6309f0aa","updated":"2025-01-09 20:41:14.000000000","message":"Yes.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"25f4131d5017a76033c787f02442f43d131acd2d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"0046fc0d_ea3f336d","updated":"2025-01-09 20:55:46.000000000","message":"i can accpet this version","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"}],"specs/2025.1/approved/vtpm-live-migration.rst":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"5a7db3ff08b137764e07c510f63251fc62ed4e55","unresolved":true,"context_lines":[{"line_number":123,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Because the security of the vTPM secret (either in Barbican or in Libvirt)"},{"line_number":126,"context_line":"affects what operations can be performance on an instance, users should be able"},{"line_number":127,"context_line":"to specify what level of security they require, and operators need to specify"},{"line_number":128,"context_line":"what level of security they\u0027re willing to support. There also needs to be a"},{"line_number":129,"context_line":"default level applied to an instance if nothing is explicitly specified."}],"source_content_type":"text/x-rst","patch_set":1,"id":"d266359f_9d8b787d","line":126,"range":{"start_line":126,"start_character":31,"end_line":126,"end_character":42},"updated":"2025-01-10 00:03:20.000000000","message":"nit: performed","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"16d6a6709207089fa8e682d9c2dfe041d08611ea","unresolved":false,"context_lines":[{"line_number":123,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Because the security of the vTPM secret (either in Barbican or in Libvirt)"},{"line_number":126,"context_line":"affects what operations can be performance on an instance, users should be able"},{"line_number":127,"context_line":"to specify what level of security they require, and operators need to specify"},{"line_number":128,"context_line":"what level of security they\u0027re willing to support. There also needs to be a"},{"line_number":129,"context_line":"default level applied to an instance if nothing is explicitly specified."}],"source_content_type":"text/x-rst","patch_set":1,"id":"c538c263_70d1447c","line":126,"range":{"start_line":126,"start_character":31,"end_line":126,"end_character":42},"in_reply_to":"d266359f_9d8b787d","updated":"2025-01-10 14:57:40.000000000","message":"Done","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6104a5b3a9f791cca6fc08db7c8822c12834d896","unresolved":true,"context_lines":[{"line_number":126,"context_line":"affects what operations can be performance on an instance, users should be able"},{"line_number":127,"context_line":"to specify what level of security they require, and operators need to specify"},{"line_number":128,"context_line":"what level of security they\u0027re willing to support. There also needs to be a"},{"line_number":129,"context_line":"default level applied to an instance if nothing is explicitly specified."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"Three possible security levels are proposed. They are presented in the table"},{"line_number":132,"context_line":"below."}],"source_content_type":"text/x-rst","patch_set":1,"id":"d3123967_469829ac","line":129,"updated":"2025-01-09 20:41:14.000000000","message":"This may be the single most useful paragraph I\u0027ve read in the last ten minutes. But seriously, I think this sums up days of discussion nicely, and the delta here in this revision patch makes it easy to digest what we just discussed.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6104a5b3a9f791cca6fc08db7c8822c12834d896","unresolved":true,"context_lines":[{"line_number":148,"context_line":"   * - ``host``"},{"line_number":149,"context_line":"     - The Libvirt secret is persistent and retrievable."},{"line_number":150,"context_line":"     - This is \"medium\" security. API-level admins and the Nova service user do"},{"line_number":151,"context_line":"       not have access to the secret, but it can be accessed by users with"},{"line_number":152,"context_line":"       sufficient privileges on the compute host."},{"line_number":153,"context_line":"     - The instance can be live migrated because Nova can read the secret back"},{"line_number":154,"context_line":"       from Libvirt on the source host and send it to the destination over RPC."}],"source_content_type":"text/x-rst","patch_set":1,"id":"5ceb7e27_8ef48ae9","line":151,"range":{"start_line":151,"start_character":52,"end_line":151,"end_character":69},"updated":"2025-01-09 20:41:14.000000000","message":"I still think this sounds too much like other _openstack_ users would have access to them.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"faff0ee67503c40da1108b05f637f45e1cde4f3e","unresolved":true,"context_lines":[{"line_number":149,"context_line":"     - The Libvirt secret is persistent and retrievable."},{"line_number":150,"context_line":"     - This is \"medium\" security. API-level admins and the Nova service user do"},{"line_number":151,"context_line":"       not have access to the secret, but it can be accessed by users with"},{"line_number":152,"context_line":"       sufficient privileges on the compute host."},{"line_number":153,"context_line":"     - The instance can be live migrated because Nova can read the secret back"},{"line_number":154,"context_line":"       from Libvirt on the source host and send it to the destination over RPC."},{"line_number":155,"context_line":"       Security over the wire is left as the operator\u0027s responsibility, but TLS or"}],"source_content_type":"text/x-rst","patch_set":1,"id":"6047263f_9f8910ad","line":152,"updated":"2025-01-10 08:44:26.000000000","message":"Yeah if we implement it right then no openstack user can get the secret directly, even though the nova-compute binary can read it back from libvirt for an openstack user\u0027s (owner, or admin) request. We have to be careful in the implementation (today and in the future) not to expose the secret read back from libvirt to the outside world. E.g. not log it, not store it on disk, and when sent to the dest host make sure it is not in plain text. The later might be just documentation to ask the deployer to use TLS in rabbit for now, but I could imagine an extra layer of security here in the future based on the mutual trust between compute nodes via the exchanged nova ssh keypair. So even if rabbit persist the message on disk the message is encrypted.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"615829daf9b1802719f4a52f73ad7fbf6156c71c","unresolved":false,"context_lines":[{"line_number":149,"context_line":"     - The Libvirt secret is persistent and retrievable."},{"line_number":150,"context_line":"     - This is \"medium\" security. API-level admins and the Nova service user do"},{"line_number":151,"context_line":"       not have access to the secret, but it can be accessed by users with"},{"line_number":152,"context_line":"       sufficient privileges on the compute host."},{"line_number":153,"context_line":"     - The instance can be live migrated because Nova can read the secret back"},{"line_number":154,"context_line":"       from Libvirt on the source host and send it to the destination over RPC."},{"line_number":155,"context_line":"       Security over the wire is left as the operator\u0027s responsibility, but TLS or"}],"source_content_type":"text/x-rst","patch_set":1,"id":"467d8904_80a41729","line":152,"in_reply_to":"0eaca7cc_4381d3bb","updated":"2025-01-10 14:01:09.000000000","message":"yeah, it is not for this spec, but for a future enhancement.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"27add6acd65555f409f78d0974e1fa7c32669254","unresolved":true,"context_lines":[{"line_number":149,"context_line":"     - The Libvirt secret is persistent and retrievable."},{"line_number":150,"context_line":"     - This is \"medium\" security. API-level admins and the Nova service user do"},{"line_number":151,"context_line":"       not have access to the secret, but it can be accessed by users with"},{"line_number":152,"context_line":"       sufficient privileges on the compute host."},{"line_number":153,"context_line":"     - The instance can be live migrated because Nova can read the secret back"},{"line_number":154,"context_line":"       from Libvirt on the source host and send it to the destination over RPC."},{"line_number":155,"context_line":"       Security over the wire is left as the operator\u0027s responsibility, but TLS or"}],"source_content_type":"text/x-rst","patch_set":1,"id":"0eaca7cc_4381d3bb","line":152,"in_reply_to":"6047263f_9f8910ad","updated":"2025-01-10 11:14:28.000000000","message":"we discussed that a few ptg ago. i raised the idea of using ssh keys shared between the computes to encypt or sign all rpcs in general, that was unrelated to this specific use case but more a generic security enhancement to add application level signing/encryption.\n\nwe could do that in the future but again i don\u0027t think we can reasonably do that this cycle.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"25f4131d5017a76033c787f02442f43d131acd2d","unresolved":true,"context_lines":[{"line_number":171,"context_line":"a fallback. Called ``[compute]vtpm_secret_security`` with a default value of"},{"line_number":172,"context_line":"``host``, an instance with no image property or flavor extra spec will have its"},{"line_number":173,"context_line":"host\u0027s ``vtpm_secret_security`` policy persisted in its ``system_metadata``"},{"line_number":174,"context_line":"upon booting on that host."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"Operators ae able to specify what level they support by using the new"},{"line_number":177,"context_line":"``[compute]supported_vtpm_secret_security`` config option. This is a"}],"source_content_type":"text/x-rst","patch_set":1,"id":"d3e5ba09_48287c72","line":174,"updated":"2025-01-09 20:55:46.000000000","message":"... on that host as if it was request in the image.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6104a5b3a9f791cca6fc08db7c8822c12834d896","unresolved":true,"context_lines":[{"line_number":170,"context_line":"consequence of this new extra spec, a new host configuration option is added as"},{"line_number":171,"context_line":"a fallback. Called ``[compute]vtpm_secret_security`` with a default value of"},{"line_number":172,"context_line":"``host``, an instance with no image property or flavor extra spec will have its"},{"line_number":173,"context_line":"host\u0027s ``vtpm_secret_security`` policy persisted in its ``system_metadata``"},{"line_number":174,"context_line":"upon booting on that host."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"Operators ae able to specify what level they support by using the new"},{"line_number":177,"context_line":"``[compute]supported_vtpm_secret_security`` config option. This is a"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ddbf3abb_2021d93e","line":174,"range":{"start_line":173,"start_character":40,"end_line":174,"end_character":26},"updated":"2025-01-09 20:41:14.000000000","message":"Hopefully using the image param...","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6104a5b3a9f791cca6fc08db7c8822c12834d896","unresolved":true,"context_lines":[{"line_number":173,"context_line":"host\u0027s ``vtpm_secret_security`` policy persisted in its ``system_metadata``"},{"line_number":174,"context_line":"upon booting on that host."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"Operators ae able to specify what level they support by using the new"},{"line_number":177,"context_line":"``[compute]supported_vtpm_secret_security`` config option. This is a"},{"line_number":178,"context_line":"per compute host list option that can take the value of one or more of the"},{"line_number":179,"context_line":"security levels from the previous table. Its default value is all three levels."}],"source_content_type":"text/x-rst","patch_set":1,"id":"e4b450a5_cdc009e5","line":176,"range":{"start_line":176,"start_character":10,"end_line":176,"end_character":12},"updated":"2025-01-09 20:41:14.000000000","message":"\"are\"","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"25f4131d5017a76033c787f02442f43d131acd2d","unresolved":true,"context_lines":[{"line_number":179,"context_line":"security levels from the previous table. Its default value is all three levels."},{"line_number":180,"context_line":"These values are exposed as driver capability traits. The"},{"line_number":181,"context_line":"``hw_vtpm_secret_Security`` image property and flavor extra spec are translated"},{"line_number":182,"context_line":"to required traits to match the driver capabilities."},{"line_number":183,"context_line":""},{"line_number":184,"context_line":"The behavior of an instance during live migratioon is defined by its persisted"},{"line_number":185,"context_line":"``hw_vtpm_secret_security`` (either explicitly set by the user, or added by"}],"source_content_type":"text/x-rst","patch_set":1,"id":"bf55688f_5e46aeb7","line":182,"updated":"2025-01-09 20:55:46.000000000","message":"+1","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6104a5b3a9f791cca6fc08db7c8822c12834d896","unresolved":true,"context_lines":[{"line_number":181,"context_line":"``hw_vtpm_secret_Security`` image property and flavor extra spec are translated"},{"line_number":182,"context_line":"to required traits to match the driver capabilities."},{"line_number":183,"context_line":""},{"line_number":184,"context_line":"The behavior of an instance during live migratioon is defined by its persisted"},{"line_number":185,"context_line":"``hw_vtpm_secret_security`` (either explicitly set by the user, or added by"},{"line_number":186,"context_line":"default by Nova from the host\u0027s config option). Instances with ``user`` cannot"},{"line_number":187,"context_line":"be live migrated. For instances with ``host``, the source compute host reads"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2b50734c_437f0c75","line":184,"range":{"start_line":184,"start_character":40,"end_line":184,"end_character":50},"updated":"2025-01-09 20:41:14.000000000","message":"\"migration\"","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"25f4131d5017a76033c787f02442f43d131acd2d","unresolved":false,"context_lines":[{"line_number":195,"context_line":"------------"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"A lot, apparently, because this specs keeps getting re-written every time we"},{"line_number":198,"context_line":"have a call about it."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Data model impact"},{"line_number":201,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"94987df7_062b0264","line":198,"updated":"2025-01-09 20:55:46.000000000","message":":)","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6104a5b3a9f791cca6fc08db7c8822c12834d896","unresolved":true,"context_lines":[{"line_number":195,"context_line":"------------"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"A lot, apparently, because this specs keeps getting re-written every time we"},{"line_number":198,"context_line":"have a call about it."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Data model impact"},{"line_number":201,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"d1e01294_f05ade76","line":198,"updated":"2025-01-09 20:41:14.000000000","message":"Sorry :(","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"faff0ee67503c40da1108b05f637f45e1cde4f3e","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"No new microversion. The flavor extra spec validation code is updated to allow"},{"line_number":210,"context_line":"``hw:vtpm_secret_security``."},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Security impact"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"26c40bb1_f4ef9eed","line":211,"updated":"2025-01-10 08:44:26.000000000","message":"We talked about having a clear indication to the user about the host config and therefore the behavior they are opt into it when doing the one of user operations that signal consent and allows nova to apply the changes in either libvirt or barbican with the user token. I think this is now missing from the proposal.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"c65ec478107012ab4c141bd79812528a74f7761d","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"No new microversion. The flavor extra spec validation code is updated to allow"},{"line_number":210,"context_line":"``hw:vtpm_secret_security``."},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Security impact"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"2fc04aad_b66fcdb5","line":211,"in_reply_to":"26c40bb1_f4ef9eed","updated":"2025-01-10 11:21:10.000000000","message":"That\u0027s true, but to be fair that\u0027s also missing from the previous version of this (the pach below this one) - that\u0027s kinda what I\u0027m asking on [1]. Even with the previous version, with one possible value for the config option being exposed as a trait:\n\n1. I think only visible to admins with default placement policy?\n2. Even if normal users can see RP traits, they\u0027re not supposed to know which host they\u0027re on, so they can\u0027t lookup the correct RP.\n3. That\u0027s super convoluted and not discoverable.\n\nI\u0027m not saying this justifies not having this indication, I\u0027m saying that it\u0027s a problem we just haven\u0027t solved yet at all, AFAIR.\n\nIn terms of solutions for indicating to users what they\u0027re being opted in to... Short of adding a new field to `Show Server` I\u0027m not sure what we can do...\n\n[1] https://review.opendev.org/c/openstack/nova-specs/+/936775/11/specs/2025.1/approved/vtpm-live-migration.rst#286","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"27add6acd65555f409f78d0974e1fa7c32669254","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"No new microversion. The flavor extra spec validation code is updated to allow"},{"line_number":210,"context_line":"``hw:vtpm_secret_security``."},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Security impact"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a25a7f0_68c609d2","line":211,"in_reply_to":"26c40bb1_f4ef9eed","updated":"2025-01-10 11:14:28.000000000","message":"so the simplest way to do that is to just add teh embeded image properteis to server show which is useful anyway but we wanted to leave that for a sepreate review to next cycle\n\nbasically the assertion we are makign is if you care then you shoudl set it in the image or select a flavor with the policy you want","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"615829daf9b1802719f4a52f73ad7fbf6156c71c","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"No new microversion. The flavor extra spec validation code is updated to allow"},{"line_number":210,"context_line":"``hw:vtpm_secret_security``."},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Security impact"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"d1ad5d7d_189d921a","line":211,"in_reply_to":"2fc04aad_b66fcdb5","updated":"2025-01-10 14:01:09.000000000","message":"\u003e basically the assertion we are makign is if you care then you shoudl set it in the image or select a flavor with the policy you want\n\nThat is true for new VMs. But not applicable for existing VMs. \n\n\u003e the config option being exposed as a trait\n\nyeah that is not really available to the end user\n\n\u003e so the simplest way to do that is to just add teh embeded image properteis to server show which is useful anyway but we wanted to leave that for a sepreate review to next cycle\n\nThis seems to me the way forward. Can we include this into the current scope or is it just too much too late?","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"e3ea0277b3f123c018c00d556e1c7f063f3a0f96","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"No new microversion. The flavor extra spec validation code is updated to allow"},{"line_number":210,"context_line":"``hw:vtpm_secret_security``."},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Security impact"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"d73c712f_cfd545ef","line":211,"in_reply_to":"9292aca7_fc29ba14","updated":"2025-01-10 14:39:48.000000000","message":"Okay I guess we missed the step between the operator choosing the default policy and the user knowing if that\u0027s okay with them or not. I thought we were covered because the user still has to take action on it first, but I see now that they won\u0027t know what they\u0027re agreeing to, so fair enough.\n\nI think we\u0027ve identified that showing the image meta to the user is helpful in multiple cases, so I think that\u0027s a good thing to do. I hate to block this on that, but if that\u0027s the consensus then I\u0027m on board with it. I think it should be fairly straightforward.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"43af3ed483d3258cd354b4777f3615611b4e95cb","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"No new microversion. The flavor extra spec validation code is updated to allow"},{"line_number":210,"context_line":"``hw:vtpm_secret_security``."},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Security impact"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"d4254697_1d1eca91","line":211,"in_reply_to":"d1ad5d7d_189d921a","updated":"2025-01-10 14:08:09.000000000","message":"ill defer to artom on that.\n\nif he thinks he can also do that by FF im happy to pull it in.\n\nfor existing vms I was ok saying we update them to user as part fo the upgrade but i dont recall dan\u0027s opinion on that.\n\nas this spec is currently written that just means makign the default for the new config option be `user` not `host` whic im also ok with since we are defaulting to the most secure. we can alwasy change that default in a future release if we think the operator UX improvement is warranted.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"eca77e069be48b6396b3e4d912f04490e8a31e62","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"No new microversion. The flavor extra spec validation code is updated to allow"},{"line_number":210,"context_line":"``hw:vtpm_secret_security``."},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Security impact"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"9292aca7_fc29ba14","line":211,"in_reply_to":"d4254697_1d1eca91","updated":"2025-01-10 14:22:57.000000000","message":"Updating existing VMs to user doesn\u0027t work for operators that don\u0027t want to support user. \n\nThe image properties in server show feels like a separated but related spec that can be done independently/in parallel. I wouldn\u0027t mind if someone else works on it at the same time as my work on vtpm live migration. @ratailor@redhat.com or @auniyal@redhat.com?\n\nthe spec itself should be fairly simple, and under normal circumstances I\u0027d get it proposed today, but I\u0027m not in a position to :(","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"74878c424f75a503dbcd935efbd813a47482a8c9","unresolved":true,"context_lines":[{"line_number":208,"context_line":""},{"line_number":209,"context_line":"No new microversion. The flavor extra spec validation code is updated to allow"},{"line_number":210,"context_line":"``hw:vtpm_secret_security``."},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Security impact"},{"line_number":213,"context_line":"---------------"},{"line_number":214,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"daf103de_c21cc57d","line":211,"in_reply_to":"d73c712f_cfd545ef","updated":"2025-01-10 14:58:41.000000000","message":"Let\u0027s have a separate spec for the API impact. I\u0027m fine not blocking as that will provide a way forward.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"faff0ee67503c40da1108b05f637f45e1cde4f3e","unresolved":true,"context_lines":[{"line_number":257,"context_line":"``hw_vtpm_secret_security`` set in their ``system_metadata``, either explicitly"},{"line_number":258,"context_line":"by the user or implicitly by Nova as  a fallback default, as described in the"},{"line_number":259,"context_line":"`\u003cProposed change_\u003e_` section. Any instances without this set are pre-existing"},{"line_number":260,"context_line":"instances, and need to be upgraded. They are updraded to the value of the"},{"line_number":261,"context_line":"``[compute]default_vtpm_secret_security`` value. Just persisting this in their"},{"line_number":262,"context_line":"``system_metadata`` is not enough - their owner also needs to performa an"},{"line_number":263,"context_line":"operation with their token on the instance so that Nova can either convert the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2645e619_8dbc9bf0","line":260,"range":{"start_line":260,"start_character":45,"end_line":260,"end_character":53},"updated":"2025-01-10 08:44:26.000000000","message":"nit: upgraded","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"16d6a6709207089fa8e682d9c2dfe041d08611ea","unresolved":false,"context_lines":[{"line_number":257,"context_line":"``hw_vtpm_secret_security`` set in their ``system_metadata``, either explicitly"},{"line_number":258,"context_line":"by the user or implicitly by Nova as  a fallback default, as described in the"},{"line_number":259,"context_line":"`\u003cProposed change_\u003e_` section. Any instances without this set are pre-existing"},{"line_number":260,"context_line":"instances, and need to be upgraded. They are updraded to the value of the"},{"line_number":261,"context_line":"``[compute]default_vtpm_secret_security`` value. Just persisting this in their"},{"line_number":262,"context_line":"``system_metadata`` is not enough - their owner also needs to performa an"},{"line_number":263,"context_line":"operation with their token on the instance so that Nova can either convert the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"6c4477db_d1fac5df","line":260,"range":{"start_line":260,"start_character":45,"end_line":260,"end_character":53},"in_reply_to":"2645e619_8dbc9bf0","updated":"2025-01-10 14:57:40.000000000","message":"Done","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6104a5b3a9f791cca6fc08db7c8822c12834d896","unresolved":true,"context_lines":[{"line_number":259,"context_line":"`\u003cProposed change_\u003e_` section. Any instances without this set are pre-existing"},{"line_number":260,"context_line":"instances, and need to be upgraded. They are updraded to the value of the"},{"line_number":261,"context_line":"``[compute]default_vtpm_secret_security`` value. Just persisting this in their"},{"line_number":262,"context_line":"``system_metadata`` is not enough - their owner also needs to performa an"},{"line_number":263,"context_line":"operation with their token on the instance so that Nova can either convert the"},{"line_number":264,"context_line":"Libvirt secret to non-private and persistent in the case of ``host``, or create"},{"line_number":265,"context_line":"a new Barbican secret with the same contents, but owned by the Nova service"}],"source_content_type":"text/x-rst","patch_set":1,"id":"6c2a32a5_df5add7c","line":262,"range":{"start_line":262,"start_character":62,"end_line":262,"end_character":70},"updated":"2025-01-09 20:41:14.000000000","message":"\"perform\"","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"25f4131d5017a76033c787f02442f43d131acd2d","unresolved":true,"context_lines":[{"line_number":266,"context_line":"user, in the case of ``deployment``. Operators have no choice but to"},{"line_number":267,"context_line":"communicate this to their users, at which point users have a choice to either"},{"line_number":268,"context_line":"opt in to the new security level, or refuse by not touching their instances or"},{"line_number":269,"context_line":"deleting them outright."},{"line_number":270,"context_line":""},{"line_number":271,"context_line":"Implementation"},{"line_number":272,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"88dd8379_2f095b68","line":269,"updated":"2025-01-09 20:55:46.000000000","message":"by the way im not sure if we want to say what the operation will be but i assume hard reboot.\n\nsince it need to be an user initciated operation that a normal user can do that regenerates the xml\n\nso with the other limiation of vtpm today that really only one of:\nstart/stop, hard reboot, suspend/resume or resize.","commit_id":"c857cb8d117eb70732264855892914be0ec9c704"}]}