)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"4e039ba3aa7e6bc83f084c9ebe17e2c826427a0c","unresolved":true,"context_lines":[{"line_number":20,"context_line":"again, or just delete it."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"The code that persists the TPM secret security is written in a"},{"line_number":23,"context_line":"forward-compatible way, and will be used in future patches to"},{"line_number":24,"context_line":"handle new instances that are booted without specifying a secret"},{"line_number":25,"context_line":"security policy in their impage properties or extra specs."},{"line_number":26,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"e6325c93_863722dd","line":23,"updated":"2025-03-28 17:36:36.000000000","message":"Okay, maybe this is the hint you\u0027re giving us. Yeah I think it might could be a little more obvious, but fair enough.","commit_id":"b29f4e3185e014f6594742d8647ee6c2416d01ef"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"77979e54314dbb830f5dec3305900112c4a8a495","unresolved":false,"context_lines":[{"line_number":20,"context_line":"again, or just delete it."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"The code that persists the TPM secret security is written in a"},{"line_number":23,"context_line":"forward-compatible way, and will be used in future patches to"},{"line_number":24,"context_line":"handle new instances that are booted without specifying a secret"},{"line_number":25,"context_line":"security policy in their impage properties or extra specs."},{"line_number":26,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"01366e7b_d6c8174c","line":23,"in_reply_to":"e6325c93_863722dd","updated":"2025-05-01 
20:53:25.000000000","message":"Done","commit_id":"b29f4e3185e014f6594742d8647ee6c2416d01ef"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"4e039ba3aa7e6bc83f084c9ebe17e2c826427a0c","unresolved":true,"context_lines":[{"line_number":22,"context_line":"The code that persists the TPM secret security is written in a"},{"line_number":23,"context_line":"forward-compatible way, and will be used in future patches to"},{"line_number":24,"context_line":"handle new instances that are booted without specifying a secret"},{"line_number":25,"context_line":"security policy in their impage properties or extra specs."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"To enable all of this, two new config options are added:"},{"line_number":28,"context_line":"[libvirt]default_tpm_secret_security and"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"9af8db0b_91da2e8a","line":25,"range":{"start_line":25,"start_character":25,"end_line":25,"end_character":31},"updated":"2025-03-28 17:36:36.000000000","message":"\"image\"\n\nThere\u0027s your excuse to revise this again and obviousify the hint a little :)","commit_id":"b29f4e3185e014f6594742d8647ee6c2416d01ef"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"fd46aa2938b208dae4780362133d68c86505ff72","unresolved":false,"context_lines":[{"line_number":22,"context_line":"The code that persists the TPM secret security is written in a"},{"line_number":23,"context_line":"forward-compatible way, and will be used in future patches to"},{"line_number":24,"context_line":"handle new instances that are booted without specifying a secret"},{"line_number":25,"context_line":"security policy in their impage properties or extra specs."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"To enable all of this, two new config options are 
added:"},{"line_number":28,"context_line":"[libvirt]default_tpm_secret_security and"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"e749453a_d6270ea1","line":25,"range":{"start_line":25,"start_character":25,"end_line":25,"end_character":31},"in_reply_to":"9af8db0b_91da2e8a","updated":"2025-03-28 17:45:37.000000000","message":"Done","commit_id":"b29f4e3185e014f6594742d8647ee6c2416d01ef"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c40b11527a2f93f08faa5045c9bfb6ff3d5d8f3a","unresolved":false,"context_lines":[{"line_number":17,"context_line":"hard reboot their instance for it to take effect. Subsequent patches"},{"line_number":18,"context_line":"will actually do the work of confirming the policy upon hard reboot."},{"line_number":19,"context_line":"If the user disagrees, they can either never touch their instance"},{"line_number":20,"context_line":"again, or just delete it."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"The new _set_tpm_secret_security() method takes an argument that"},{"line_number":23,"context_line":"will be used in future patches:"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":10,"id":"21236d9a_3408296f","line":20,"updated":"2025-07-29 16:51:06.000000000","message":"++ thanks for explaining that","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"4452e4230598f597723ce2e317f6438dd293e25b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e9a11069_077b592d","updated":"2025-03-27 18:23:06.000000000","message":"Personally, I think this is a fine place to put the two conf knobs at the bottom of this stack","commit_id":"3f27e753c008fa5329e6f9d579bdf07961c96ee8"},{"author":{"_account_id":8864,"name":"Artom 
Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"18cb02d24661ad963d1affd7c3e268d48b2c04b1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"028dd619_e89eda83","in_reply_to":"e9a11069_077b592d","updated":"2025-03-28 15:17:12.000000000","message":"Sure.","commit_id":"3f27e753c008fa5329e6f9d579bdf07961c96ee8"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"e6ca280659747e850c2d88e70080ec80eb32b0da","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"d061eef6_eabfee42","updated":"2025-07-28 18:26:03.000000000","message":"I\u0027m just getting my bearings on this so apologies if my question is obvious(ly stupid)","commit_id":"8d4624f1cad7c8d6a2462ff9f3ba335f42710484"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c40b11527a2f93f08faa5045c9bfb6ff3d5d8f3a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"50a5e6ed_ed3c7d5d","updated":"2025-07-29 16:51:06.000000000","message":"-1 for missing coverage and a small optimization at startup.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9dad0c54ba923b354d4c7bc7489438573a2d6712","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"f0787f0a_0c3e1264","updated":"2025-07-29 13:54:46.000000000","message":"One nit on the test coverage but otherwise looks good to me. 
I need to review the rest of the series of course.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2fa0b81f8b5165e4cc3ec53aa30751aba4ade55e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"67744d4e_b03592dd","updated":"2025-08-01 20:19:51.000000000","message":"Thanks for changing the logic. I\u0027ll +1 this for now while I look at the rest, but this seems good to me now.","commit_id":"8e88c33e519720185522ba53f04b98fb00233d9b"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"3815e5c6a9f512fbf7b8bd7582aaaf23cad84dd8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"c3278dcd_339805e9","updated":"2025-07-30 06:12:36.000000000","message":"still some concerns and some open question about the metadata key that we would have for tracking an unconfirmed policy.","commit_id":"8e88c33e519720185522ba53f04b98fb00233d9b"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"42baddc538c7ff39731c3b1c21ca846f45da1021","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":14,"id":"55d02111_dac003b3","updated":"2025-08-26 09:38:42.000000000","message":"this looks good to me but I have to review the upper patches now","commit_id":"3f2fa4efaafe9a77422ffcbad682021652ef4114"}],"nova/compute/manager.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"4452e4230598f597723ce2e317f6438dd293e25b","unresolved":true,"context_lines":[{"line_number":1041,"context_line":"                )"},{"line_number":1042,"context_line":"                raise exception.InvalidConfiguration(msg)"},{"line_number":1043,"context_line":""},{"line_number":1044,"context_line":"    def 
_ensure_tpm_secret_security(self, instance, confirmed, save\u003dTrue):"},{"line_number":1045,"context_line":"        \"\"\"Ensure that if the instance has a TPM device, a TPM secret security"},{"line_number":1046,"context_line":"        has been set, either by the admin in the flavor or the user in the"},{"line_number":1047,"context_line":"        image. If nothing is set, apply the default from this host\u0027s"}],"source_content_type":"text/x-python","patch_set":3,"id":"07062f51_13c3d8d0","line":1044,"range":{"start_line":1044,"start_character":52,"end_line":1044,"end_character":72},"updated":"2025-03-27 18:23:06.000000000","message":"I don\u0027t really understand why `confirmed` and `save` are controllable via this interface...maybe I\u0027ll find out later.","commit_id":"3f27e753c008fa5329e6f9d579bdf07961c96ee8"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"18cb02d24661ad963d1affd7c3e268d48b2c04b1","unresolved":true,"context_lines":[{"line_number":1041,"context_line":"                )"},{"line_number":1042,"context_line":"                raise exception.InvalidConfiguration(msg)"},{"line_number":1043,"context_line":""},{"line_number":1044,"context_line":"    def _ensure_tpm_secret_security(self, instance, confirmed, save\u003dTrue):"},{"line_number":1045,"context_line":"        \"\"\"Ensure that if the instance has a TPM device, a TPM secret security"},{"line_number":1046,"context_line":"        has been set, either by the admin in the flavor or the user in the"},{"line_number":1047,"context_line":"        image. 
If nothing is set, apply the default from this host\u0027s"}],"source_content_type":"text/x-python","patch_set":3,"id":"320ff13e_bcff01f4","line":1044,"range":{"start_line":1044,"start_character":52,"end_line":1044,"end_character":72},"in_reply_to":"07062f51_13c3d8d0","updated":"2025-03-28 15:17:12.000000000","message":"I\u0027ll expand on the docstring.","commit_id":"3f27e753c008fa5329e6f9d579bdf07961c96ee8"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"df01f21fdb5739669f2a5c6f8ef09ef5abf272b1","unresolved":true,"context_lines":[{"line_number":1041,"context_line":"                )"},{"line_number":1042,"context_line":"                raise exception.InvalidConfiguration(msg)"},{"line_number":1043,"context_line":""},{"line_number":1044,"context_line":"    def _ensure_tpm_secret_security(self, instance, confirmed, save\u003dTrue):"},{"line_number":1045,"context_line":"        \"\"\"Ensure that if the instance has a TPM device, a TPM secret security"},{"line_number":1046,"context_line":"        has been set, either by the admin in the flavor or the user in the"},{"line_number":1047,"context_line":"        image. If nothing is set, apply the default from this host\u0027s"}],"source_content_type":"text/x-python","patch_set":3,"id":"8a1c00b0_45a9da0d","line":1044,"range":{"start_line":1044,"start_character":52,"end_line":1044,"end_character":72},"in_reply_to":"320ff13e_bcff01f4","updated":"2025-03-28 17:32:50.000000000","message":"What I meant was, I\u0027m not sure why they\u0027re params at all since you only call this once and with default or literal values for them. 
Does this get used further up in the stack in more places where the values of these are ever different?","commit_id":"3f27e753c008fa5329e6f9d579bdf07961c96ee8"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"77979e54314dbb830f5dec3305900112c4a8a495","unresolved":true,"context_lines":[{"line_number":1041,"context_line":"                )"},{"line_number":1042,"context_line":"                raise exception.InvalidConfiguration(msg)"},{"line_number":1043,"context_line":""},{"line_number":1044,"context_line":"    def _ensure_tpm_secret_security(self, instance, confirmed, save\u003dTrue):"},{"line_number":1045,"context_line":"        \"\"\"Ensure that if the instance has a TPM device, a TPM secret security"},{"line_number":1046,"context_line":"        has been set, either by the admin in the flavor or the user in the"},{"line_number":1047,"context_line":"        image. If nothing is set, apply the default from this host\u0027s"}],"source_content_type":"text/x-python","patch_set":3,"id":"6f1879fe_e826e9b4","line":1044,"range":{"start_line":1044,"start_character":52,"end_line":1044,"end_character":72},"in_reply_to":"510fcd7a_b856da42","updated":"2025-05-01 20:53:25.000000000","message":"Honestly I think it would be better if this method didn\u0027t save anything ever and not have a \"save\" kwarg. If the instance should be saved afterward, the caller should just save it. 
At least for me that would be more intuitive and explicit.","commit_id":"3f27e753c008fa5329e6f9d579bdf07961c96ee8"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"ce6a62a108949aa1104b2d257d6a414bc8f5c704","unresolved":false,"context_lines":[{"line_number":1041,"context_line":"                )"},{"line_number":1042,"context_line":"                raise exception.InvalidConfiguration(msg)"},{"line_number":1043,"context_line":""},{"line_number":1044,"context_line":"    def _ensure_tpm_secret_security(self, instance, confirmed, save\u003dTrue):"},{"line_number":1045,"context_line":"        \"\"\"Ensure that if the instance has a TPM device, a TPM secret security"},{"line_number":1046,"context_line":"        has been set, either by the admin in the flavor or the user in the"},{"line_number":1047,"context_line":"        image. If nothing is set, apply the default from this host\u0027s"}],"source_content_type":"text/x-python","patch_set":3,"id":"dbc04509_550edd21","line":1044,"range":{"start_line":1044,"start_character":52,"end_line":1044,"end_character":72},"in_reply_to":"6f1879fe_e826e9b4","updated":"2025-06-14 06:19:12.000000000","message":"Done","commit_id":"3f27e753c008fa5329e6f9d579bdf07961c96ee8"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"bd992f000584a0b9661d96c02830cd00134eb436","unresolved":true,"context_lines":[{"line_number":1041,"context_line":"                )"},{"line_number":1042,"context_line":"                raise exception.InvalidConfiguration(msg)"},{"line_number":1043,"context_line":""},{"line_number":1044,"context_line":"    def _ensure_tpm_secret_security(self, instance, confirmed, save\u003dTrue):"},{"line_number":1045,"context_line":"        \"\"\"Ensure that if the instance has a TPM device, a TPM secret security"},{"line_number":1046,"context_line":"        has 
been set, either by the admin in the flavor or the user in the"},{"line_number":1047,"context_line":"        image. If nothing is set, apply the default from this host\u0027s"}],"source_content_type":"text/x-python","patch_set":3,"id":"510fcd7a_b856da42","line":1044,"range":{"start_line":1044,"start_character":52,"end_line":1044,"end_character":72},"in_reply_to":"8a1c00b0_45a9da0d","updated":"2025-03-28 17:34:23.000000000","message":"Oh, right - the latter. I should update the commit message, eh?","commit_id":"3f27e753c008fa5329e6f9d579bdf07961c96ee8"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"e6ca280659747e850c2d88e70080ec80eb32b0da","unresolved":true,"context_lines":[{"line_number":1067,"context_line":"            # If the instance already has a secret security policy set, there"},{"line_number":1068,"context_line":"            # is nothing to do."},{"line_number":1069,"context_line":"            return False"},{"line_number":1070,"context_line":"        if hardware.get_vtpm_constraint(instance.flavor, instance.image_meta):"},{"line_number":1071,"context_line":"            security \u003d hardware.get_tpm_secret_security_constraint("},{"line_number":1072,"context_line":"                instance.flavor, instance.image_meta)"},{"line_number":1073,"context_line":"            security \u003d (security or"}],"source_content_type":"text/x-python","patch_set":9,"id":"d3aa56b6_402a5627","line":1070,"updated":"2025-07-28 18:26:03.000000000","message":"When will this ever be non-None in practice? This flag was just introduced in the previous patch, which means only instances that were booted between the last patch and this one could return anything, right? 
Also, since the body of the conditional here is setting the provisional policy, shouldn\u0027t we always be running it if L1066 doesn\u0027t catch us?","commit_id":"8d4624f1cad7c8d6a2462ff9f3ba335f42710484"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"c262b2a9533fa475a0d6aae3c6e832acf597c322","unresolved":false,"context_lines":[{"line_number":1067,"context_line":"            # If the instance already has a secret security policy set, there"},{"line_number":1068,"context_line":"            # is nothing to do."},{"line_number":1069,"context_line":"            return False"},{"line_number":1070,"context_line":"        if hardware.get_vtpm_constraint(instance.flavor, instance.image_meta):"},{"line_number":1071,"context_line":"            security \u003d hardware.get_tpm_secret_security_constraint("},{"line_number":1072,"context_line":"                instance.flavor, instance.image_meta)"},{"line_number":1073,"context_line":"            security \u003d (security or"}],"source_content_type":"text/x-python","patch_set":9,"id":"dfaa6951_3a933fa8","line":1070,"in_reply_to":"59c3e5a6_c7d1095e","updated":"2025-07-29 03:13:31.000000000","message":"Done","commit_id":"8d4624f1cad7c8d6a2462ff9f3ba335f42710484"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"a1063cc80ee2e27577ab3537b1b6539640a95686","unresolved":true,"context_lines":[{"line_number":1067,"context_line":"            # If the instance already has a secret security policy set, there"},{"line_number":1068,"context_line":"            # is nothing to do."},{"line_number":1069,"context_line":"            return False"},{"line_number":1070,"context_line":"        if hardware.get_vtpm_constraint(instance.flavor, instance.image_meta):"},{"line_number":1071,"context_line":"            security \u003d 
hardware.get_tpm_secret_security_constraint("},{"line_number":1072,"context_line":"                instance.flavor, instance.image_meta)"},{"line_number":1073,"context_line":"            security \u003d (security or"}],"source_content_type":"text/x-python","patch_set":9,"id":"f6e9ec2d_be741595","line":1070,"in_reply_to":"cdcdd681_c4d965fd","updated":"2025-07-28 19:46:10.000000000","message":"Ah I see, they\u0027re named almost the same thing. Can we get a comment explaining what we\u0027re doing here?","commit_id":"8d4624f1cad7c8d6a2462ff9f3ba335f42710484"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d71f1f15dc7fce09bb75e97b88803ebf80c458f3","unresolved":true,"context_lines":[{"line_number":1067,"context_line":"            # If the instance already has a secret security policy set, there"},{"line_number":1068,"context_line":"            # is nothing to do."},{"line_number":1069,"context_line":"            return False"},{"line_number":1070,"context_line":"        if hardware.get_vtpm_constraint(instance.flavor, instance.image_meta):"},{"line_number":1071,"context_line":"            security \u003d hardware.get_tpm_secret_security_constraint("},{"line_number":1072,"context_line":"                instance.flavor, instance.image_meta)"},{"line_number":1073,"context_line":"            security \u003d (security or"}],"source_content_type":"text/x-python","patch_set":9,"id":"cdcdd681_c4d965fd","line":1070,"in_reply_to":"d3aa56b6_402a5627","updated":"2025-07-28 19:05:56.000000000","message":"I got mixed up by this too before but for this part, this is the existing TPM extra specs/image properties `hw(:|_)tpm_version` and `hw(:|_)tpm_model` so we will go in here to set defaults in the system metadata for existing vTPM instances only.\n\nThe new extra spec is on the next line.\n\nIf these should be set for all existing instances including non-vTPM ones then that just 
wasn\u0027t what I expected and I can change it.","commit_id":"8d4624f1cad7c8d6a2462ff9f3ba335f42710484"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"c4d0d3e6b8b98dfd6a4f0c9b98686b8c4a32ebc3","unresolved":true,"context_lines":[{"line_number":1067,"context_line":"            # If the instance already has a secret security policy set, there"},{"line_number":1068,"context_line":"            # is nothing to do."},{"line_number":1069,"context_line":"            return False"},{"line_number":1070,"context_line":"        if hardware.get_vtpm_constraint(instance.flavor, instance.image_meta):"},{"line_number":1071,"context_line":"            security \u003d hardware.get_tpm_secret_security_constraint("},{"line_number":1072,"context_line":"                instance.flavor, instance.image_meta)"},{"line_number":1073,"context_line":"            security \u003d (security or"}],"source_content_type":"text/x-python","patch_set":9,"id":"59c3e5a6_c7d1095e","line":1070,"in_reply_to":"f6e9ec2d_be741595","updated":"2025-07-28 20:05:20.000000000","message":"Sure, I\u0027ll add one.","commit_id":"8d4624f1cad7c8d6a2462ff9f3ba335f42710484"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"a1063cc80ee2e27577ab3537b1b6539640a95686","unresolved":true,"context_lines":[{"line_number":1707,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1708,"context_line":"            # until hard reboot."},{"line_number":1709,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"},{"line_number":1710,"context_line":"                instance.save()"},{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        # NOTE(gibi): If ironic and vcenter virt driver slow start time"},{"line_number":1713,"context_line":"     
   # becomes problematic here then we should consider adding a config"}],"source_content_type":"text/x-python","patch_set":9,"id":"0898e396_a587aae1","line":1710,"updated":"2025-07-28 19:46:10.000000000","message":"Is there some other use of the above method that requires no save behavior? Seems like making this behave more like L1726 would make more sense.","commit_id":"8d4624f1cad7c8d6a2462ff9f3ba335f42710484"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9dad0c54ba923b354d4c7bc7489438573a2d6712","unresolved":false,"context_lines":[{"line_number":1707,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1708,"context_line":"            # until hard reboot."},{"line_number":1709,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"},{"line_number":1710,"context_line":"                instance.save()"},{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        # NOTE(gibi): If ironic and vcenter virt driver slow start time"},{"line_number":1713,"context_line":"        # becomes problematic here then we should consider adding a config"}],"source_content_type":"text/x-python","patch_set":9,"id":"ae79c2c1_fc519127","line":1710,"in_reply_to":"07bc485a_0157c76a","updated":"2025-07-29 13:54:46.000000000","message":"Acknowledged","commit_id":"8d4624f1cad7c8d6a2462ff9f3ba335f42710484"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"c4d0d3e6b8b98dfd6a4f0c9b98686b8c4a32ebc3","unresolved":true,"context_lines":[{"line_number":1707,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1708,"context_line":"            # until hard reboot."},{"line_number":1709,"context_line":"            if 
self._set_tpm_secret_security(instance, confirmed\u003dFalse):"},{"line_number":1710,"context_line":"                instance.save()"},{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        # NOTE(gibi): If ironic and vcenter virt driver slow start time"},{"line_number":1713,"context_line":"        # becomes problematic here then we should consider adding a config"}],"source_content_type":"text/x-python","patch_set":9,"id":"07bc485a_0157c76a","line":1710,"in_reply_to":"0898e396_a587aae1","updated":"2025-07-28 20:05:20.000000000","message":"There is in the second patch after this one, when adding the `host` security policy:\n\nhttps://review.opendev.org/c/openstack/nova/+/941795/12/nova/compute/manager.py#2691\n\n(Although maybe it should go into the next patch instead? The `user` security policy didn\u0027t get set in the system metadata in the next patch originally.)\n\nI couldn\u0027t think of a cleaner way to deal with the instance save so I\u0027m open to other ideas. 
The original version of this patch had a boolean keyword arg to pass save\u003dTrue|False","commit_id":"8d4624f1cad7c8d6a2462ff9f3ba335f42710484"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c40b11527a2f93f08faa5045c9bfb6ff3d5d8f3a","unresolved":false,"context_lines":[{"line_number":1049,"context_line":"        is set, apply the default from this host\u0027s configuration."},{"line_number":1050,"context_line":""},{"line_number":1051,"context_line":"        NOTE: The caller is responsible for saving the instance afterwards if"},{"line_number":1052,"context_line":"        desired."},{"line_number":1053,"context_line":""},{"line_number":1054,"context_line":"        :param instance: The instance object."},{"line_number":1055,"context_line":"        :param confirmed: Whether the TPM secret security policy has been"}],"source_content_type":"text/x-python","patch_set":10,"id":"08199160_905af9bc","line":1052,"updated":"2025-07-29 16:51:06.000000000","message":"++ thanks for adding that","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9dad0c54ba923b354d4c7bc7489438573a2d6712","unresolved":false,"context_lines":[{"line_number":1073,"context_line":"        if hardware.get_vtpm_constraint(instance.flavor, instance.image_meta):"},{"line_number":1074,"context_line":"            # If the instance has a TPM, check if a secret security policy has"},{"line_number":1075,"context_line":"            # been specified from the tpm_secret_security the extra spec or"},{"line_number":1076,"context_line":"            # image property."},{"line_number":1077,"context_line":"            security \u003d hardware.get_tpm_secret_security_constraint("},{"line_number":1078,"context_line":"                instance.flavor, instance.image_meta)"},{"line_number":1079,"context_line":"            # If 
one was not specified, take the configured default."}],"source_content_type":"text/x-python","patch_set":10,"id":"1e294193_f5debbc6","line":1076,"updated":"2025-07-29 13:54:46.000000000","message":"Thanks, hopefully this will make the next read more obvious that we are checking different conditions above and below.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c40b11527a2f93f08faa5045c9bfb6ff3d5d8f3a","unresolved":false,"context_lines":[{"line_number":1077,"context_line":"            security \u003d hardware.get_tpm_secret_security_constraint("},{"line_number":1078,"context_line":"                instance.flavor, instance.image_meta)"},{"line_number":1079,"context_line":"            # If one was not specified, take the configured default."},{"line_number":1080,"context_line":"            security \u003d (security or"},{"line_number":1081,"context_line":"                        CONF.libvirt.default_tpm_secret_security)"},{"line_number":1082,"context_line":"            # Then set them in the instance system metadata."},{"line_number":1083,"context_line":"            instance.system_metadata.update({"}],"source_content_type":"text/x-python","patch_set":10,"id":"15af292d_9f9f9c3d","line":1080,"range":{"start_line":1080,"start_character":24,"end_line":1080,"end_character":35},"updated":"2025-07-29 16:51:06.000000000","message":"fortunately ``security`` can be None","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c40b11527a2f93f08faa5045c9bfb6ff3d5d8f3a","unresolved":true,"context_lines":[{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        self._validate_pinning_configuration(instances)"},{"line_number":1713,"context_line":"        
self._validate_vtpm_configuration(instances)"},{"line_number":1714,"context_line":"        for instance in instances:"},{"line_number":1715,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1716,"context_line":"            # until hard reboot."},{"line_number":1717,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"}],"source_content_type":"text/x-python","patch_set":10,"id":"4e4b7134_f44b357e","line":1714,"updated":"2025-07-29 16:51:06.000000000","message":"just some optimisation for a host with a large number of instances in it : \nwe just iterate over the list of existing instances already in L1713 ``_validate_vtpm_configuration()``, why couldn\u0027t we just try to iterate again literally in the next line and just amend the above method to stuff the right tpm secret policy whenever needed ?\n\nI mean, surely we can even call ``_set_tpm_secret_security()`` in ``_validate_vtpm_configuration()``, right?","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"aff55d755eef8c6bbdc19be3a4523f844087a17f","unresolved":true,"context_lines":[{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        self._validate_pinning_configuration(instances)"},{"line_number":1713,"context_line":"        self._validate_vtpm_configuration(instances)"},{"line_number":1714,"context_line":"        for instance in instances:"},{"line_number":1715,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1716,"context_line":"            # until hard reboot."},{"line_number":1717,"context_line":"            if self._set_tpm_secret_security(instance, 
confirmed\u003dFalse):"}],"source_content_type":"text/x-python","patch_set":10,"id":"565be8a4_3e9c506a","line":1714,"in_reply_to":"4e4b7134_f44b357e","updated":"2025-07-29 16:58:08.000000000","message":"Sure, I\u0027ll look at doing that.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"c3b96013d358f2d992828c326b90bcd7b79dc955","unresolved":true,"context_lines":[{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        self._validate_pinning_configuration(instances)"},{"line_number":1713,"context_line":"        self._validate_vtpm_configuration(instances)"},{"line_number":1714,"context_line":"        for instance in instances:"},{"line_number":1715,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1716,"context_line":"            # until hard reboot."},{"line_number":1717,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"}],"source_content_type":"text/x-python","patch_set":10,"id":"76b6c21e_2beff313","line":1714,"in_reply_to":"565be8a4_3e9c506a","updated":"2025-07-29 19:29:05.000000000","message":"This is why I was asking about the save flag. We\u0027re also iterating all the instances on L1732 below. It seems like maybe we\u0027re due for a refactoring here, where we iterate all the instances, make changes as necessary and then save dirty ones at the end. 
Otherwise we\u0027re iterating and saving multiple times per instance.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e07d4d366dcaa62d4fdc3cd409671401e30b1bbe","unresolved":false,"context_lines":[{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        self._validate_pinning_configuration(instances)"},{"line_number":1713,"context_line":"        self._validate_vtpm_configuration(instances)"},{"line_number":1714,"context_line":"        for instance in instances:"},{"line_number":1715,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1716,"context_line":"            # until hard reboot."},{"line_number":1717,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"}],"source_content_type":"text/x-python","patch_set":10,"id":"ab0c6d3d_ba43596a","line":1714,"in_reply_to":"67440c1d_8b302b42","updated":"2025-08-09 01:26:24.000000000","message":"Done","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"ad2a78fc8d5bdd753f9d49c5d842685bbfa78f3e","unresolved":true,"context_lines":[{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        self._validate_pinning_configuration(instances)"},{"line_number":1713,"context_line":"        self._validate_vtpm_configuration(instances)"},{"line_number":1714,"context_line":"        for instance in instances:"},{"line_number":1715,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1716,"context_line":"            # until hard reboot."},{"line_number":1717,"context_line":"            if 
self._set_tpm_secret_security(instance, confirmed\u003dFalse):"}],"source_content_type":"text/x-python","patch_set":10,"id":"67440c1d_8b302b42","line":1714,"in_reply_to":"75d11b97_49b9b76e","updated":"2025-07-31 03:16:10.000000000","message":"OK. I have got the change staged locally and I\u0027ll save it to upload at the same time as the next major changes requested, to avoid sending 9 patches through CI again right now.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"110c220ee72d6664345fd103a0a19b8f2b30461f","unresolved":true,"context_lines":[{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        self._validate_pinning_configuration(instances)"},{"line_number":1713,"context_line":"        self._validate_vtpm_configuration(instances)"},{"line_number":1714,"context_line":"        for instance in instances:"},{"line_number":1715,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1716,"context_line":"            # until hard reboot."},{"line_number":1717,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"}],"source_content_type":"text/x-python","patch_set":10,"id":"a252ca52_fb2aa1da","line":1714,"in_reply_to":"76b6c21e_2beff313","updated":"2025-07-29 19:38:41.000000000","message":"It\u0027s true, we iterate all the instances on L1712 and 1713 also. It would make sense to decompose each one to operate on one instance and iterate the instances once here instead. 
And like you said only save the ones that have changes pending.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6590e0317aa2829681df88ae2b881354320028a8","unresolved":true,"context_lines":[{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        self._validate_pinning_configuration(instances)"},{"line_number":1713,"context_line":"        self._validate_vtpm_configuration(instances)"},{"line_number":1714,"context_line":"        for instance in instances:"},{"line_number":1715,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1716,"context_line":"            # until hard reboot."},{"line_number":1717,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"}],"source_content_type":"text/x-python","patch_set":10,"id":"b507466f_69765243","line":1714,"in_reply_to":"a252ca52_fb2aa1da","updated":"2025-07-30 00:18:37.000000000","message":"\u003e we just iterate over the list of existing instances already in L1713 `_validate_vtpm_configuration()`\n\nI found that `_validate_vtpm_configuration()` doesn\u0027t work the way it appeared on the surface.\n\nIt\u0027s actually sort of a negative check -- it returns immediately without iterating anything if the compute host supports vTPM. 
If the compute host does _not_ support vTPM, it iterates the instances and if an instance has requested a vTPM, it raises `exception.InvalidConfiguration`, breaking the loop.\n\nBased on this, I am just going to leave the proposed code as-is, unless someone has a different preference.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"3815e5c6a9f512fbf7b8bd7582aaaf23cad84dd8","unresolved":true,"context_lines":[{"line_number":1711,"context_line":""},{"line_number":1712,"context_line":"        self._validate_pinning_configuration(instances)"},{"line_number":1713,"context_line":"        self._validate_vtpm_configuration(instances)"},{"line_number":1714,"context_line":"        for instance in instances:"},{"line_number":1715,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1716,"context_line":"            # until hard reboot."},{"line_number":1717,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"}],"source_content_type":"text/x-python","patch_set":10,"id":"75d11b97_49b9b76e","line":1714,"in_reply_to":"b507466f_69765243","updated":"2025-07-30 06:12:36.000000000","message":"Well, you\u0027re right, in the current code we only iterate if the compute doesn\u0027t support vTPM so we could raise an exception if some instance was asking for some vTPM support.\n\nCouldn\u0027t we just refactor that logic, which is very similar to what we are going to iterate : since the condition of having the compute configured for vTPM support is no longer self-sufficient, we should somehow consider the other way : purely drop ``_validate_vtpm_configuration`` and raise the ``exception.InvalidConfiguration`` as soon as we find some instance that requests a vTPM *and* the compute isn\u0027t configured for 
it.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c40b11527a2f93f08faa5045c9bfb6ff3d5d8f3a","unresolved":false,"context_lines":[{"line_number":1713,"context_line":"        self._validate_vtpm_configuration(instances)"},{"line_number":1714,"context_line":"        for instance in instances:"},{"line_number":1715,"context_line":"            # For existing instances, set TPM security with confirmed\u003dFalse"},{"line_number":1716,"context_line":"            # until hard reboot."},{"line_number":1717,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"},{"line_number":1718,"context_line":"                instance.save()"},{"line_number":1719,"context_line":""}],"source_content_type":"text/x-python","patch_set":10,"id":"ce4a05a4_da94c503","line":1716,"updated":"2025-07-29 16:51:06.000000000","message":"I had to read the spec to understand the need : https://specs.openstack.org/openstack/nova-specs/specs/2025.2/approved/vtpm-live-migration.html#user-confirmation-mechanism","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"3815e5c6a9f512fbf7b8bd7582aaaf23cad84dd8","unresolved":true,"context_lines":[{"line_number":1081,"context_line":"            if confirmed:"},{"line_number":1082,"context_line":"                updates \u003d {\u0027image_hw_tpm_secret_security\u0027: security}"},{"line_number":1083,"context_line":"            else:"},{"line_number":1084,"context_line":"                updates \u003d {\u0027provisional_tpm_secret_security\u0027: security}"},{"line_number":1085,"context_line":""},{"line_number":1086,"context_line":"            instance.system_metadata.update(updates)"},{"line_number":1087,"context_line":"            return 
True"}],"source_content_type":"text/x-python","patch_set":12,"id":"f6876ba9_6e34d785","line":1084,"range":{"start_line":1084,"start_character":28,"end_line":1084,"end_character":59},"updated":"2025-07-30 06:12:36.000000000","message":"any reason why you changed how to persist whether the user confirmed ?\n\nI\u0027d be a bit unhappy with duplicating the same information in two different metadatas but when reviewing https://review.opendev.org/c/openstack/nova/+/955847/6..8/nova/virt/libvirt/driver.py quickly, I see that you actually void the provisional metadata key when setting the confirmed one.\n\nNote : I actually like the wording change. Even if the user confirmed the policy, it would only be fully defined after an instance reboot which can be way later after the user confirmed.\n\nThat said, you\u0027ll have to amend the spec : https://specs.openstack.org/openstack/nova-specs/specs/2025.2/approved/vtpm-live-migration.html#user-confirmation-mechanism\n\nCurrent approved proposal is ```\nIn order to track whether instances’ vTPM secret security policies are currently active, a new flag tpm_secret_security_confirmed will be set in the instance system_metadata with a value of True or False.\n```","commit_id":"8e88c33e519720185522ba53f04b98fb00233d9b"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"42baddc538c7ff39731c3b1c21ca846f45da1021","unresolved":false,"context_lines":[{"line_number":1081,"context_line":"            if confirmed:"},{"line_number":1082,"context_line":"                updates \u003d {\u0027image_hw_tpm_secret_security\u0027: security}"},{"line_number":1083,"context_line":"            else:"},{"line_number":1084,"context_line":"                updates \u003d {\u0027provisional_tpm_secret_security\u0027: security}"},{"line_number":1085,"context_line":""},{"line_number":1086,"context_line":"            
instance.system_metadata.update(updates)"},{"line_number":1087,"context_line":"            return True"}],"source_content_type":"text/x-python","patch_set":12,"id":"7a281f57_986f6f54","line":1084,"range":{"start_line":1084,"start_character":28,"end_line":1084,"end_character":59},"in_reply_to":"527d1cdf_4c62d8c2","updated":"2025-08-26 09:38:42.000000000","message":"ack","commit_id":"8e88c33e519720185522ba53f04b98fb00233d9b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"569d1c963d9415ba7c39ca2d07113fcd4a59cd3b","unresolved":true,"context_lines":[{"line_number":1081,"context_line":"            if confirmed:"},{"line_number":1082,"context_line":"                updates \u003d {\u0027image_hw_tpm_secret_security\u0027: security}"},{"line_number":1083,"context_line":"            else:"},{"line_number":1084,"context_line":"                updates \u003d {\u0027provisional_tpm_secret_security\u0027: security}"},{"line_number":1085,"context_line":""},{"line_number":1086,"context_line":"            instance.system_metadata.update(updates)"},{"line_number":1087,"context_line":"            return True"}],"source_content_type":"text/x-python","patch_set":12,"id":"527d1cdf_4c62d8c2","line":1084,"range":{"start_line":1084,"start_character":28,"end_line":1084,"end_character":59},"in_reply_to":"f6876ba9_6e34d785","updated":"2025-07-30 14:20:54.000000000","message":"...because I asked for it. 
See my comments on the next patch in the series regarding the mess we create in sysmeta and the double-variable logic we have to live with forever (or clean up later) if we do what was described in the spec.","commit_id":"8e88c33e519720185522ba53f04b98fb00233d9b"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"3815e5c6a9f512fbf7b8bd7582aaaf23cad84dd8","unresolved":true,"context_lines":[{"line_number":1718,"context_line":"        # rebooting the instance."},{"line_number":1719,"context_line":"        for instance in instances:"},{"line_number":1720,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"},{"line_number":1721,"context_line":"                instance.save()"},{"line_number":1722,"context_line":""},{"line_number":1723,"context_line":"        # NOTE(gibi): If ironic and vcenter virt driver slow start time"},{"line_number":1724,"context_line":"        # becomes problematic here then we should consider adding a config"}],"source_content_type":"text/x-python","patch_set":12,"id":"cc13cdf5_765cb76a","line":1721,"updated":"2025-07-30 06:12:36.000000000","message":"I second Dan on his concerns about save() being costly (RPC roundtrips at least) and I would appreciate if we could just do that once for all.","commit_id":"8e88c33e519720185522ba53f04b98fb00233d9b"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"42baddc538c7ff39731c3b1c21ca846f45da1021","unresolved":false,"context_lines":[{"line_number":1718,"context_line":"        # rebooting the instance."},{"line_number":1719,"context_line":"        for instance in instances:"},{"line_number":1720,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"},{"line_number":1721,"context_line":"                
instance.save()"},{"line_number":1722,"context_line":""},{"line_number":1723,"context_line":"        # NOTE(gibi): If ironic and vcenter virt driver slow start time"},{"line_number":1724,"context_line":"        # becomes problematic here then we should consider adding a config"}],"source_content_type":"text/x-python","patch_set":12,"id":"c1a246da_3cb5432f","line":1721,"in_reply_to":"cc13cdf5_765cb76a","updated":"2025-08-26 09:38:42.000000000","message":"Done","commit_id":"8e88c33e519720185522ba53f04b98fb00233d9b"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"42baddc538c7ff39731c3b1c21ca846f45da1021","unresolved":false,"context_lines":[{"line_number":1067,"context_line":"            # security policy will not take effect until the user confirms it"},{"line_number":1068,"context_line":"            # by hard rebooting the instance."},{"line_number":1069,"context_line":"            if self._set_tpm_secret_security(instance, confirmed\u003dFalse):"},{"line_number":1070,"context_line":"                instance.save()"},{"line_number":1071,"context_line":""},{"line_number":1072,"context_line":"    def _set_tpm_secret_security("},{"line_number":1073,"context_line":"            self, instance: \u0027objects.Instance\u0027, confirmed: bool) -\u003e bool:"}],"source_content_type":"text/x-python","patch_set":14,"id":"d2ba8b1d_9b8964ad","line":1070,"updated":"2025-08-26 09:38:42.000000000","message":"thanks for the change","commit_id":"3f2fa4efaafe9a77422ffcbad682021652ef4114"}],"nova/tests/unit/virt/libvirt/test_driver.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9dad0c54ba923b354d4c7bc7489438573a2d6712","unresolved":true,"context_lines":[{"line_number":23176,"context_line":"            \u0027COMPUTE_SECURITY_TPM_SECRET_SECURITY_HOST\u0027,"},{"line_number":23177,"context_line":"            
\u0027COMPUTE_SECURITY_TPM_SECRET_SECURITY_DEPLOYMENT\u0027"},{"line_number":23178,"context_line":"        ):"},{"line_number":23179,"context_line":"            self.assertIn(trait, self.pt.data(self.cn_rp[\u0027uuid\u0027]).traits)"},{"line_number":23180,"context_line":""},{"line_number":23181,"context_line":"    @mock.patch.object("},{"line_number":23182,"context_line":"        fakelibvirt.virConnect, \u0027_domain_capability_devices\u0027, new\u003d"}],"source_content_type":"text/x-python","patch_set":10,"id":"5cc96877_30f47ca3","line":23179,"updated":"2025-07-29 13:54:46.000000000","message":"No test for the more interesting case where less than \"all of them\" are configured (i.e. not the default). Also could we get one that tests if none of them are configured? I believe that\u0027s allowed by the config, so we should make sure it is properly handled I think.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"aa391113e711073189cb80884e88ef1df0f496d7","unresolved":false,"context_lines":[{"line_number":23176,"context_line":"            \u0027COMPUTE_SECURITY_TPM_SECRET_SECURITY_HOST\u0027,"},{"line_number":23177,"context_line":"            \u0027COMPUTE_SECURITY_TPM_SECRET_SECURITY_DEPLOYMENT\u0027"},{"line_number":23178,"context_line":"        ):"},{"line_number":23179,"context_line":"            self.assertIn(trait, self.pt.data(self.cn_rp[\u0027uuid\u0027]).traits)"},{"line_number":23180,"context_line":""},{"line_number":23181,"context_line":"    @mock.patch.object("},{"line_number":23182,"context_line":"        fakelibvirt.virConnect, \u0027_domain_capability_devices\u0027, new\u003d"}],"source_content_type":"text/x-python","patch_set":10,"id":"2a873ba9_8f35b9db","line":23179,"in_reply_to":"25e3c606_3de9a916","updated":"2025-07-30 
01:15:54.000000000","message":"Done","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"4bf4a259c7b43e1cf95ace84aa182bfee24101d5","unresolved":true,"context_lines":[{"line_number":23176,"context_line":"            \u0027COMPUTE_SECURITY_TPM_SECRET_SECURITY_HOST\u0027,"},{"line_number":23177,"context_line":"            \u0027COMPUTE_SECURITY_TPM_SECRET_SECURITY_DEPLOYMENT\u0027"},{"line_number":23178,"context_line":"        ):"},{"line_number":23179,"context_line":"            self.assertIn(trait, self.pt.data(self.cn_rp[\u0027uuid\u0027]).traits)"},{"line_number":23180,"context_line":""},{"line_number":23181,"context_line":"    @mock.patch.object("},{"line_number":23182,"context_line":"        fakelibvirt.virConnect, \u0027_domain_capability_devices\u0027, new\u003d"}],"source_content_type":"text/x-python","patch_set":10,"id":"25e3c606_3de9a916","line":23179,"in_reply_to":"5cc96877_30f47ca3","updated":"2025-07-29 16:47:22.000000000","message":"Yes it is allowed to have none configured, I\u0027ll add a test for that.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"}],"nova/virt/hardware.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c40b11527a2f93f08faa5045c9bfb6ff3d5d8f3a","unresolved":true,"context_lines":[{"line_number":2069,"context_line":") -\u003e ty.Optional[str]:"},{"line_number":2070,"context_line":"    return _get_unique_flavor_image_meta("},{"line_number":2071,"context_line":"        \u0027tpm_secret_security\u0027, flavor, image_meta)"},{"line_number":2072,"context_line":""},{"line_number":2073,"context_line":""},{"line_number":2074,"context_line":"def get_secure_boot_constraint("},{"line_number":2075,"context_line":"    flavor: 
\u0027objects.Flavor\u0027,"}],"source_content_type":"text/x-python","patch_set":10,"id":"998d6814_d4f2ae51","line":2072,"updated":"2025-07-29 16:51:06.000000000","message":"I don\u0027t see any test for that method, and I\u0027d appreciate if we could check that it returns None by default.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"aff55d755eef8c6bbdc19be3a4523f844087a17f","unresolved":true,"context_lines":[{"line_number":2069,"context_line":") -\u003e ty.Optional[str]:"},{"line_number":2070,"context_line":"    return _get_unique_flavor_image_meta("},{"line_number":2071,"context_line":"        \u0027tpm_secret_security\u0027, flavor, image_meta)"},{"line_number":2072,"context_line":""},{"line_number":2073,"context_line":""},{"line_number":2074,"context_line":"def get_secure_boot_constraint("},{"line_number":2075,"context_line":"    flavor: \u0027objects.Flavor\u0027,"}],"source_content_type":"text/x-python","patch_set":10,"id":"dab48272_a51497b5","line":2072,"in_reply_to":"998d6814_d4f2ae51","updated":"2025-07-29 16:58:08.000000000","message":"Good point, I\u0027ll add it.","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"aa391113e711073189cb80884e88ef1df0f496d7","unresolved":false,"context_lines":[{"line_number":2069,"context_line":") -\u003e ty.Optional[str]:"},{"line_number":2070,"context_line":"    return _get_unique_flavor_image_meta("},{"line_number":2071,"context_line":"        \u0027tpm_secret_security\u0027, flavor, image_meta)"},{"line_number":2072,"context_line":""},{"line_number":2073,"context_line":""},{"line_number":2074,"context_line":"def get_secure_boot_constraint("},{"line_number":2075,"context_line":"    flavor: 
\u0027objects.Flavor\u0027,"}],"source_content_type":"text/x-python","patch_set":10,"id":"3f5a7daa_08106c20","line":2072,"in_reply_to":"dab48272_a51497b5","updated":"2025-07-30 01:15:54.000000000","message":"Done","commit_id":"0d5aab2da36d74e7dd69133d1ca162415b2918eb"}]}
