)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"4313b07e2dbc7f95c1cd0ef8a6027b3a82784ee1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"83b8dc66_412dd76f","updated":"2025-04-16 23:06:27.000000000","message":"openstack-tox-docs failed with [1]:\n\n2025-04-16 22:52:58.075768 | ubuntu-noble | /home/zuul/src/opendev.org/openstack/nova-specs/doc/source/specs/2025.2/approved/vtpm-live-migration.rst:37: WARNING: duplicate label problem-description, other instance in /home/zuul/src/opendev.org/openstack/nova-specs/doc/source/specs/2025.1/approved/vtpm-live-migration.rst\n\nHow am I supposed to avoid this?\n\n[1] https://zuul.opendev.org/t/openstack/build/1cfc176322f74c14a350ac23ff144bc8/log/job-output.txt#1590","commit_id":"897686e0ad91320a1d45b0902ebd071121bd66dd"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"a2550447887045ea4c89aed28e32a99ce0d35438","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"63b1fdd1_e77c8caa","updated":"2025-05-22 11:24:47.000000000","message":"Looks good.","commit_id":"dc39d0f679751e191c71f038638836599bf03c41"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"720af212241b21e26e486eedf9f7eb9337216721","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"5c34e78a_0c496156","updated":"2025-05-14 09:16:12.000000000","message":"Thx for reproposing this spec.","commit_id":"dc39d0f679751e191c71f038638836599bf03c41"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d371ee8b20b68ac0fcb68b61d0299839cf7fd30f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"204aa899_e33fe798","updated":"2025-05-29 16:03:03.000000000","message":"there are one or two nits but i think im happy for this to proceed and we can have follow ups for those minor nits if need","commit_id":"7fcbff551658b5b1940fc5e0593f50a2a8907a35"}],"specs/2025.2/approved/vtpm-live-migration.rst":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"a2550447887045ea4c89aed28e32a99ce0d35438","unresolved":true,"context_lines":[{"line_number":336,"context_line":"Dependencies"},{"line_number":337,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":"* Libivrt version 7.1.0. This can be enforced dynamically in code."},{"line_number":340,"context_line":""},{"line_number":341,"context_line":"Testing"},{"line_number":342,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"cf570b3c_13bab12a","line":339,"range":{"start_line":339,"start_character":2,"end_line":339,"end_character":9},"updated":"2025-05-22 11:24:47.000000000","message":"nit: Libvirt","commit_id":"dc39d0f679751e191c71f038638836599bf03c41"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d371ee8b20b68ac0fcb68b61d0299839cf7fd30f","unresolved":false,"context_lines":[{"line_number":336,"context_line":"Dependencies"},{"line_number":337,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":"* Libivrt version 7.1.0. 
This can be enforced dynamically in code."},{"line_number":340,"context_line":""},{"line_number":341,"context_line":"Testing"},{"line_number":342,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d49af620_20170a38","line":339,"range":{"start_line":339,"start_character":2,"end_line":339,"end_character":9},"in_reply_to":"cf570b3c_13bab12a","updated":"2025-05-29 16:03:03.000000000","message":"Done","commit_id":"dc39d0f679751e191c71f038638836599bf03c41"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d371ee8b20b68ac0fcb68b61d0299839cf7fd30f","unresolved":false,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Thus, this spec requires vTPM state storage to be not shared, and declares live"},{"line_number":61,"context_line":"migration with shared vTPM state storage to be untested. This will be"},{"line_number":62,"context_line":"documented."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Libvirt support"},{"line_number":65,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"ec1952e6_ffa2341d","line":62,"updated":"2025-05-29 16:03:03.000000000","message":"ack, so its a bit more complicated then that when you consider containers too.\n\nif we assumed that libvirt was on shared storate. 
nova-comptue if its deployed in a contianer may not even be able to check that becasue its view of the filesytem may not allow it to observe that.\n\nthe tpm data is truely internal state of libvirt in that regard so documenting this limitation is really all we can do unless we add a config option for an operator to tell us otherwise.\n\ngiven qemu has the ablity to transfer the tpm data when it is live migrating i think declaring shared storage supprot out of scope is perfectly valid adn teh right way to proceed at this time.","commit_id":"7fcbff551658b5b1940fc5e0593f50a2a8907a35"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d371ee8b20b68ac0fcb68b61d0299839cf7fd30f","unresolved":true,"context_lines":[{"line_number":222,"context_line":"In the ``host`` case, anyone with sufficient access to the compute host can"},{"line_number":223,"context_line":"read vTPM secrets. While this is not great, it\u0027s also something the user opts"},{"line_number":224,"context_line":"in to, and the compute host are assumed to be secured by the cloud operator."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"In the ``deployment`` case, a compromise of the Nova service user leads to an"},{"line_number":227,"context_line":"exposure of all vTPM secrets. Once again, this is something the user opts in"},{"line_number":228,"context_line":"to, and the Nova service user is assumed to be secure."}],"source_content_type":"text/x-rst","patch_set":4,"id":"a09fe86a_d0b4e682","line":225,"updated":"2025-05-29 16:03:03.000000000","message":"there is one other security aspect for host. 
the transfer of the secret via rpc means that if you are not securing the rpc bus with tls, or while the message is on the queue, it is technically retrievable.\n\nbut you would need very low level access to rabbit to exploit that.\n\nwe could add a note to this effect but i would be happy enough just noting that in the docs.","commit_id":"7fcbff551658b5b1940fc5e0593f50a2a8907a35"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d371ee8b20b68ac0fcb68b61d0299839cf7fd30f","unresolved":true,"context_lines":[{"line_number":271,"context_line":"communicate this to their users, at which point users have a choice to either"},{"line_number":272,"context_line":"opt in to the new security level, or refuse by not touching their instances or"},{"line_number":273,"context_line":"deleting them outright. In order to see what secret security level has been set"},{"line_number":274,"context_line":"on their instances by the operators, this spec depends on the `Image props in"},{"line_number":275,"context_line":"server show \u003chttps://review.opendev.org/c/openstack/nova-specs/+/938910\u003e`_"},{"line_number":276,"context_line":"spec, which will allow users to see the embedded image properties set on their"},{"line_number":277,"context_line":"instance, and determine the vTPM secret security level that way."},{"line_number":278,"context_line":""},{"line_number":279,"context_line":"User confirmation mechanism"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1a6e8cc5_389037cf","line":276,"range":{"start_line":274,"start_character":62,"end_line":276,"end_character":4},"updated":"2025-05-29 16:03:03.000000000","message":"nit: this landed last cycle but its ok to keep","commit_id":"7fcbff551658b5b1940fc5e0593f50a2a8907a35"}]}
