)]}'
{"id":"openstack%2Fnova~828978","triplet_id":"openstack%2Fnova~stable%2Fvictoria~I1ceb01a6f4d8d6e1d04fd18c62beee051f41cdf0","project":"openstack/nova","branch":"stable/victoria","topic":"sf321893v1-victoria","hashtags":[],"change_id":"I1ceb01a6f4d8d6e1d04fd18c62beee051f41cdf0","subject":"libvirt: disable secure boot on non-q35 or with os secure_boot options","status":"ABANDONED","created":"2022-02-13 22:25:07.000000000","updated":"2022-02-13 22:26:06.000000000","total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"e30ac092289f3890a297895cf8cab4554d1f4e01","_number":828978,"virtual_id_number":828978,"owner":{"_account_id":28621,"name":"Mauricio Faria de Oliveira","email":"mfo@canonical.com","username":"mfo"},"actions":{},"labels":{"Verified":{"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true},"Review-Priority":{"values":{" 0":"Default Priority","+1":"Contributor Review Promise","+2":"Core Review Promise"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{},"pending_reviewers":{},"reviewer_updates":[],"messages":[{"id":"ac656491ffbaa8ea1262085b34af63633acd324a","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":28621,"name":"Mauricio Faria de Oliveira","email":"mfo@canonical.com","username":"mfo"},"date":"2022-02-13 22:25:07.000000000","message":"Uploaded patch set 
1.","accounts_in_message":[],"_revision_number":1},{"id":"e30ac092289f3890a297895cf8cab4554d1f4e01","tag":"autogenerated:gerrit:abandon","author":{"_account_id":28621,"name":"Mauricio Faria de Oliveira","email":"mfo@canonical.com","username":"mfo"},"date":"2022-02-13 22:26:06.000000000","message":"Abandoned\n\nresubmit","accounts_in_message":[],"_revision_number":1}],"current_revision_number":1,"current_revision":"41227b7127e05cb583f781cc0877ad4e453a2c29","revisions":{"41227b7127e05cb583f781cc0877ad4e453a2c29":{"kind":"REWORK","_number":1,"created":"2022-02-13 22:25:07.000000000","uploader":{"_account_id":28621,"name":"Mauricio Faria de Oliveira","email":"mfo@canonical.com","username":"mfo"},"ref":"refs/changes/78/828978/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova","ref":"refs/changes/78/828978/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova refs/changes/78/828978/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova refs/changes/78/828978/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova refs/changes/78/828978/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova refs/changes/78/828978/1"}}},"commit":{"parents":[{"commit":"9b3d69c18525c4308ffd3dbb619c6ed8789eb9f0","subject":"Merge \"Add a WA flag waiting for vif-plugged event during reboot\" into stable/victoria","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/9b3d69c18525c4308ffd3dbb619c6ed8789eb9f0"}]}],"author":{"name":"Mauricio Faria de Oliveira","email":"mfo@canonical.com","date":"2022-01-20 14:37:19.000000000","tz":-180},"committer":{"name":"Mauricio Faria de Oliveira","email":"mfo@canonical.com","date":"2022-02-13 22:07:25.000000000","tz":-180},"subject":"libvirt: disable secure boot on non-q35 or with os 
secure_boot options","message":"libvirt: disable secure boot on non-q35 or with os secure_boot options\n\nImpact:\n\u003d\u003d\u003d\n\nCurrently, setting hw_firmware_type\u003duefi on Ubuntu 20.04\nmight create _unbootable_ servers on Ussuri and Victoria.\n\nWallaby and later are fixed with refactoring, as part of\nthe Secure Boot implementation, but that\u0027s risky; see\ncommit 9fff6893ce2e (\"libvirt: Use firmware metadata files\nto configure instance\") and others.\n\nIssue:\n\u003d\u003d\u003d\n\nThe issue is that if UEFI is enabled, SB can be enabled\nif loader OVMF_CODE.secboot.fd exists (eg, Ubuntu 20.04);\nsee commit 363710b65543 (\"libvirt: Handle alternative\nUEFI firmware binary paths\").\n\nThis is unintended and might prevent guest from booting\nbecause SB requires a q35 machine type, SMM feature in\nlibvirt XML, SB-ready image etc. (Neither is enabled by\ndefault nor guaranteed to be available or functional.)\n\nApproach:\n\u003d\u003d\u003d\n\nWell, SB support _isn\u0027t_ implemented in Ussuri/Victoria,\nonly later in Wallaby. The first commit above fixes the\nissue because it removes hardcoded firmware/loader path\nfrom second commit above.\n\nAs SB isn\u0027t supported, could we just ignore .secboot.fd?\n\nBut let\u0027s not change default behavior ~2 years into LTS.\n\nFix:\n\u003d\u003d\u003d\n\nSo, ignore .secboot.fd loader IF not q35. 
And since q35\nmay be set for AMD SEV, check `os.secure_boot` property/\nextra spec for `disabled` to ignore .secboot.fd as well\n(as listed in future `doc/source/admin/secure-boot.rst`),\nand users can explicitly disable it to boot UEFI on q35.\n\n(And as SB is not supported, do not check for both must\nmatch [`disabled`/`required`] as `required` isn\u0027t valid;\nthus if either image/flavor sets `disabled`, disable it).\n\nInfo:\n\u003d\u003d\u003d\n\n    [0] https://docs.openstack.org/nova/wallaby/admin/uefi.html\n    [1] https://docs.openstack.org/nova/wallaby/admin/secure-boot.html\n    [2] https://docs.openstack.org/nova/wallaby/user/flavors.html\n    [3] https://specs.openstack.org/openstack/nova-specs/specs/wallaby/implemented/allow-secure-boot-for-qemu-kvm-guests.html\n\nTests:\n\u003d\u003d\u003d\n\n    Original:\n\n    - Boots: BIOS / pc\n    - Boots: BIOS / q35\n\n    - Fails: UEFI / pc  / OVMF_CODE.secboot.fd\n    - Fails: UEFI / q35 / OVMF_CODE.secboot.fd\n\n    Patched:\n\n    - Boots: BIOS / pc\n    - Boots: BIOS / q35\n\n    - Boots: UEFI / pc  / OVMF_CODE.fd          # FIXED!\n    - Fails: UEFI / q35 / OVMF_CODE.secboot.fd  # No change by default.\n\n    - Boots: UEFI / q35 / OVMF_CODE.fd / os_secure_boot\u003ddisabled (image)\n    - Boots: UEFI / q35 / OVMF_CODE.fd / os:secure_boot\u003ddisabled (flavor)\n\nLogs: (included for PC with UEFI only; broken/fixed case)\n\u003d\u003d\u003d\n\n    $ openstack image set --property hw_firmware_type\u003duefi bionic\n    $ openstack server create --image bionic --flavor m1.small --network private srv\n\nBefore:\n\n    $ juju run --app nova-compute \u0027for guest in $(virsh list --name); do \\\n      virsh dumpxml $guest; done | grep -e nova:name -e machine\u003d -e loader\u0027\n          \u003cnova:name\u003esrv\u003c/nova:name\u003e\n        \u003ctype arch\u003d\u0027x86_64\u0027 machine\u003d\u0027pc-i440fx-4.2\u0027\u003ehvm\u003c/type\u003e\n        \u003cloader readonly\u003d\u0027yes\u0027 
type\u003d\u0027pflash\u0027\u003e/usr/share/OVMF/OVMF_CODE.secboot.fd\u003c/loader\u003e\n\n    Guest doesn\u0027t boot; nothing in the console log:\n\n    $ openstack console log show srv | grep -i -e efi -e bios\n    $ openstack console log show srv | wc -l\n    0\n\n    QEMU looping / 100% CPU:\n\n    $ juju run --app nova-compute \u0027top -b -d1 -n5 | grep qemu\u0027\n      67205 libvirt+  ... 100.0   1.4   1:18.35\tqemu-sy+\n      67205 libvirt+  ... 100.0   1.4   1:19.36\tqemu-sy+\n      67205 libvirt+  ...  99.0   1.4   1:20.36\tqemu-sy+\n      67205 libvirt+  ... 101.0   1.4   1:21.37\tqemu-sy+\n      67205 libvirt+  ... 100.0   1.4   1:22.38\tqemu-sy+\n\nAfter:\n\n    $ juju run --app nova-compute \u0027for guest in $(virsh list --name); do \\\n      virsh dumpxml $guest; done | grep -e nova:name -e machine\u003d -e loader\u0027\n          \u003cnova:name\u003esrv\u003c/nova:name\u003e\n        \u003ctype arch\u003d\u0027x86_64\u0027 machine\u003d\u0027pc-i440fx-4.2\u0027\u003ehvm\u003c/type\u003e\n        \u003cloader readonly\u003d\u0027yes\u0027 type\u003d\u0027pflash\u0027\u003e/usr/share/OVMF/OVMF_CODE.fd\u003c/loader\u003e\n\n    Guest booted; details in the console log:\n\n    $ openstack console log show srv | grep -i -e efi -e bios\n    ...\n    Creating boot entry \"Boot0003\" with label \"ubuntu\" for file \"\\EFI\\ubuntu\\shimx64.efi\"\n    ...\n    [    0.000000] efi: EFI v2.70 by EDK II\n    [    0.000000] efi:  SMBIOS\u003d0x7fbcd000  ACPI\u003d0x7fbfa000  ACPI\n    2.0\u003d0x7fbfa014  MEMATTR\u003d0x7eb30018\n    [    0.000000] SMBIOS 2.8 present.\n    [    0.000000] DMI: OpenStack Foundation OpenStack Nova, BIOS 0.0.0 02/06/2015\n    ...\n\nNote that the XML snippet for the loader is aligned with Wallaby,\nin which just setting hw_firmware_type\u003duefi works out of the box:\n\n    $ juju run --app nova-compute \u0027for guest in $(virsh list --name); do \\\n      virsh dumpxml $guest; done | grep -e nova:name -e machine\u003d -e 
loader\u0027\n        \u003cnova:name\u003esrv\u003c/nova:name\u003e\n      \u003ctype arch\u003d\u0027x86_64\u0027 machine\u003d\u0027pc-i440fx-4.2\u0027\u003ehvm\u003c/type\u003e\n      \u003cloader readonly\u003d\u0027yes\u0027 secure\u003d\u0027no\u0027 type\u003d\u0027pflash\u0027\u003e/usr/share/OVMF/OVMF_CODE.fd\u003c/loader\u003e\n\nCloses-Bug: #1960758\nSigned-off-by: Mauricio Faria de Oliveira \u003cmfo@canonical.com\u003e\nChange-Id: I1ceb01a6f4d8d6e1d04fd18c62beee051f41cdf0\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/41227b7127e05cb583f781cc0877ad4e453a2c29"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/41227b7127e05cb583f781cc0877ad4e453a2c29"}]},"branch":"refs/heads/stable/victoria"}},"requirements":[],"submit_records":[],"submit_requirements":[]}
