)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"63ca6c09250b7089848449ed73a4b8c78d37e6e0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":22,"id":"9634e971_e727b884","updated":"2025-12-03 04:36:27.000000000","message":"The docs and reno got split out to:\n\n* https://review.opendev.org/c/openstack/nova/+/941483\n* https://review.opendev.org/c/openstack/nova/+/925771\n* https://review.opendev.org/c/openstack/nova/+/962052\n\nand the changes are applied there.","commit_id":"fa728ca10eef4d19b8e27da4b5c5f3e4f55dc7d3"},{"author":{"_account_id":20733,"name":"Rajesh Tailor","email":"ratailor@redhat.com","username":"rajesht"},"change_message_id":"cbb8918623a64197b51be581dc1943cbf6662339","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":22,"id":"2d96bc80_d9589b87","updated":"2025-11-24 13:53:07.000000000","message":"some minor nits, otherwise LGTM.","commit_id":"fa728ca10eef4d19b8e27da4b5c5f3e4f55dc7d3"}],"doc/source/admin/emulated-tpm.rst":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"617a1620126b6a3adfc81ef9b81dab7190819948","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Starting in the 22.0.0 (Victoria) release, Nova supports adding an emulated"},{"line_number":8,"context_line":"virtual `Trusted Platform Module`__ (vTPM) to guests."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"Starting in the 33.0.0 (2026.1 Gazpacho), Nova supports live migration of"},{"line_number":11,"context_line":"guests with emulated vTPM for certain TPM secret security modes."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"cf52b598_6425e419","line":9,"updated":"2025-10-03 05:28:35.000000000","message":"Note to self: I should add a `versionadded` thingy here too.","commit_id":"6e6bfe67f0203fc90156fa88394c8f693347fa36"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"b76d7669d4b5a7531bf167281d0f9c90a412872e","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Starting in the 22.0.0 (Victoria) release, Nova supports adding an emulated"},{"line_number":8,"context_line":"virtual `Trusted Platform Module`__ (vTPM) to guests."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"Starting in the 33.0.0 (2026.1 Gazpacho), Nova supports live migration of"},{"line_number":11,"context_line":"guests with emulated vTPM for certain TPM secret security modes."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"a8bd08c5_33f0b533","line":9,"in_reply_to":"cf52b598_6425e419","updated":"2025-10-10 03:35:52.000000000","message":"Done","commit_id":"6e6bfe67f0203fc90156fa88394c8f693347fa36"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e5e0478181c6cf4b005f928be8d538de7c14eb9e","unresolved":true,"context_lines":[{"line_number":9,"context_line":""},{"line_number":10,"context_line":".. versionadded:: 33.0.0 (2026.1 Gazpacho)"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Starting in the 33.0.0 (2026.1 Gazpacho), Nova supports live migration of"},{"line_number":13,"context_line":"guests with emulated vTPM for the ``host`` and ``deployment`` TPM secret"},{"line_number":14,"context_line":"security modes."},{"line_number":15,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"65580fd0_2371d170","line":12,"range":{"start_line":12,"start_character":23,"end_line":12,"end_character":40},"updated":"2025-10-31 21:34:48.000000000","message":"(2026.1 Gazpacho) release","commit_id":"57f434102225c3c60d1f82f13f747046b9a76cf1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"389c5f00d7b2a813516fbed041728cbd50c9feb5","unresolved":false,"context_lines":[{"line_number":9,"context_line":""},{"line_number":10,"context_line":".. versionadded:: 33.0.0 (2026.1 Gazpacho)"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Starting in the 33.0.0 (2026.1 Gazpacho), Nova supports live migration of"},{"line_number":13,"context_line":"guests with emulated vTPM for the ``host`` and ``deployment`` TPM secret"},{"line_number":14,"context_line":"security modes."},{"line_number":15,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"f5bdf957_7df25853","line":12,"range":{"start_line":12,"start_character":23,"end_line":12,"end_character":40},"in_reply_to":"65580fd0_2371d170","updated":"2025-11-10 23:32:22.000000000","message":"Done","commit_id":"57f434102225c3c60d1f82f13f747046b9a76cf1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e5e0478181c6cf4b005f928be8d538de7c14eb9e","unresolved":true,"context_lines":[{"line_number":137,"context_line":"     - Specify the TPM model, ``tpm-tis`` (the default) or ``tpm-crb`` (only"},{"line_number":138,"context_line":"       valid with version ``2.0``."},{"line_number":139,"context_line":"   * - ``hw:tpm_secret_security``"},{"line_number":140,"context_line":"     - N/A"},{"line_number":141,"context_line":"     - Specify the TPM secret security mode, ``user`` (the default) or ``host``"},{"line_number":142,"context_line":"       or ``deployment``."},{"line_number":143,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"6c43361a_ca1ff4eb","line":140,"range":{"start_line":140,"start_character":7,"end_line":140,"end_character":10},"updated":"2025-10-31 21:34:48.000000000","message":"Maybe just leave this blank.","commit_id":"57f434102225c3c60d1f82f13f747046b9a76cf1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"389c5f00d7b2a813516fbed041728cbd50c9feb5","unresolved":false,"context_lines":[{"line_number":137,"context_line":"     - Specify the TPM model, ``tpm-tis`` (the default) or ``tpm-crb`` (only"},{"line_number":138,"context_line":"       valid with version ``2.0``."},{"line_number":139,"context_line":"   * - ``hw:tpm_secret_security``"},{"line_number":140,"context_line":"     - N/A"},{"line_number":141,"context_line":"     - Specify the TPM secret security mode, ``user`` (the default) or ``host``"},{"line_number":142,"context_line":"       or ``deployment``."},{"line_number":143,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"703bd3aa_f10b415e","line":140,"range":{"start_line":140,"start_character":7,"end_line":140,"end_character":10},"in_reply_to":"6c43361a_ca1ff4eb","updated":"2025-11-10 23:32:22.000000000","message":"Done","commit_id":"57f434102225c3c60d1f82f13f747046b9a76cf1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e5e0478181c6cf4b005f928be8d538de7c14eb9e","unresolved":true,"context_lines":[{"line_number":175,"context_line":"   $ openstack server resize --flavor $FLAVOR $SERVER"},{"line_number":176,"context_line":""},{"line_number":177,"context_line":"   $ openstack server resize confirm $SERVER"},{"line_number":178,"context_line":""},{"line_number":179,"context_line":".. warning::"},{"line_number":180,"context_line":"   The TPM secret security mode for the server cannot be changed after the"},{"line_number":181,"context_line":"   resize is confirmed."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":""},{"line_number":184,"context_line":"Limitations"}],"source_content_type":"text/x-rst","patch_set":13,"id":"40a1d0a9_8cd29fb1","line":181,"range":{"start_line":178,"start_character":0,"end_line":181,"end_character":23},"updated":"2025-10-31 21:34:48.000000000","message":"Remove this, no longer true in the latest PS.","commit_id":"57f434102225c3c60d1f82f13f747046b9a76cf1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"389c5f00d7b2a813516fbed041728cbd50c9feb5","unresolved":false,"context_lines":[{"line_number":175,"context_line":"   $ openstack server resize --flavor $FLAVOR $SERVER"},{"line_number":176,"context_line":""},{"line_number":177,"context_line":"   $ openstack server resize confirm $SERVER"},{"line_number":178,"context_line":""},{"line_number":179,"context_line":".. warning::"},{"line_number":180,"context_line":"   The TPM secret security mode for the server cannot be changed after the"},{"line_number":181,"context_line":"   resize is confirmed."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":""},{"line_number":184,"context_line":"Limitations"}],"source_content_type":"text/x-rst","patch_set":13,"id":"bade085d_92a5ea9f","line":181,"range":{"start_line":178,"start_character":0,"end_line":181,"end_character":23},"in_reply_to":"40a1d0a9_8cd29fb1","updated":"2025-11-10 23:32:22.000000000","message":"Done","commit_id":"57f434102225c3c60d1f82f13f747046b9a76cf1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e5e0478181c6cf4b005f928be8d538de7c14eb9e","unresolved":true,"context_lines":[{"line_number":191,"context_line":"  disabled. The exception is live migration, which can be performed by the"},{"line_number":192,"context_line":"  admin if the server has TPM secret security mode ``host`` or ``deployment``."},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"* Rebuild, evacuation, shelving and rescuing of servers with vTPMs is"},{"line_number":195,"context_line":"  not currently supported. Live migration with vTPMs is only supported for the"},{"line_number":196,"context_line":"  ``host`` and ``deployment`` TPM secret security modes."},{"line_number":197,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"a848d8c5_1e146a81","line":194,"range":{"start_line":194,"start_character":11,"end_line":194,"end_character":44},"updated":"2025-10-31 21:34:48.000000000","message":"evacuate, shelve, and rescue","commit_id":"57f434102225c3c60d1f82f13f747046b9a76cf1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"389c5f00d7b2a813516fbed041728cbd50c9feb5","unresolved":false,"context_lines":[{"line_number":191,"context_line":"  disabled. The exception is live migration, which can be performed by the"},{"line_number":192,"context_line":"  admin if the server has TPM secret security mode ``host`` or ``deployment``."},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"* Rebuild, evacuation, shelving and rescuing of servers with vTPMs is"},{"line_number":195,"context_line":"  not currently supported. Live migration with vTPMs is only supported for the"},{"line_number":196,"context_line":"  ``host`` and ``deployment`` TPM secret security modes."},{"line_number":197,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"03b59d39_199a0ff0","line":194,"range":{"start_line":194,"start_character":11,"end_line":194,"end_character":44},"in_reply_to":"a848d8c5_1e146a81","updated":"2025-11-10 23:32:22.000000000","message":"Done","commit_id":"57f434102225c3c60d1f82f13f747046b9a76cf1"},{"author":{"_account_id":20733,"name":"Rajesh Tailor","email":"ratailor@redhat.com","username":"rajesht"},"change_message_id":"cbb8918623a64197b51be581dc1943cbf6662339","unresolved":true,"context_lines":[{"line_number":88,"context_line":"     - The passphrase in the key manager is associated with the credentials of"},{"line_number":89,"context_line":"       the owner of the server (the user who initially created it). The libvirt"},{"line_number":90,"context_line":"       secret is not ``private`` and not ``ephemeral``, which means it can be"},{"line_number":91,"context_line":"       retrieved via the libvirt API or ``virsh`` and it exists on disk. A"},{"line_number":92,"context_line":"       server with this security mode can be live migrated by a user other than"},{"line_number":93,"context_line":"       the owner of the server, such as an admin. To transport the TPM secret"},{"line_number":94,"context_line":"       to the destination host during a live migration, the libvirt secret is"},{"line_number":95,"context_line":"       sent over RPC."},{"line_number":96,"context_line":"   * - ``deployment``"}],"source_content_type":"text/x-rst","patch_set":22,"id":"cc94d0ed_dc22ad11","line":93,"range":{"start_line":91,"start_character":73,"end_line":93,"end_character":48},"updated":"2025-11-24 13:53:07.000000000","message":"is owner (user who created the server initially) not allowed to live-migrate this instance ?\n\nor should we modify it to reflect that it can also be live-migrated by other users such as admin.\n\n``A server with this security mode can also be live migrated by a user other than the owner of the server, such as an admin.``","commit_id":"fa728ca10eef4d19b8e27da4b5c5f3e4f55dc7d3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"63ca6c09250b7089848449ed73a4b8c78d37e6e0","unresolved":false,"context_lines":[{"line_number":88,"context_line":"     - The passphrase in the key manager is associated with the credentials of"},{"line_number":89,"context_line":"       the owner of the server (the user who initially created it). The libvirt"},{"line_number":90,"context_line":"       secret is not ``private`` and not ``ephemeral``, which means it can be"},{"line_number":91,"context_line":"       retrieved via the libvirt API or ``virsh`` and it exists on disk. A"},{"line_number":92,"context_line":"       server with this security mode can be live migrated by a user other than"},{"line_number":93,"context_line":"       the owner of the server, such as an admin. To transport the TPM secret"},{"line_number":94,"context_line":"       to the destination host during a live migration, the libvirt secret is"},{"line_number":95,"context_line":"       sent over RPC."},{"line_number":96,"context_line":"   * - ``deployment``"}],"source_content_type":"text/x-rst","patch_set":22,"id":"db1a509d_81ac2e3c","line":93,"range":{"start_line":91,"start_character":73,"end_line":93,"end_character":48},"in_reply_to":"cc94d0ed_dc22ad11","updated":"2025-12-03 04:36:27.000000000","message":"Done","commit_id":"fa728ca10eef4d19b8e27da4b5c5f3e4f55dc7d3"},{"author":{"_account_id":20733,"name":"Rajesh Tailor","email":"ratailor@redhat.com","username":"rajesht"},"change_message_id":"cbb8918623a64197b51be581dc1943cbf6662339","unresolved":true,"context_lines":[{"line_number":96,"context_line":"   * - ``deployment``"},{"line_number":97,"context_line":"     - The passphrase in the key manager is associated with the credentials of"},{"line_number":98,"context_line":"       the Nova service user (not the user who initially create it). The"},{"line_number":99,"context_line":"       libvirt secret is both ``private`` and ``ephemeral``. A server with this"},{"line_number":100,"context_line":"       security mode can be live migrated by a user other than the owner of the"},{"line_number":101,"context_line":"       server, such as an admin. To transport the TPM secret to the destination"},{"line_number":102,"context_line":"       host during a live migration, the secret is retrieved via the key"},{"line_number":103,"context_line":"       manager service REST API and a libvirt secret is created from it."},{"line_number":104,"context_line":""}],"source_content_type":"text/x-rst","patch_set":22,"id":"e1c01206_9b0c4541","line":101,"range":{"start_line":99,"start_character":61,"end_line":101,"end_character":31},"updated":"2025-11-24 13:53:07.000000000","message":"ditto","commit_id":"fa728ca10eef4d19b8e27da4b5c5f3e4f55dc7d3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"63ca6c09250b7089848449ed73a4b8c78d37e6e0","unresolved":false,"context_lines":[{"line_number":96,"context_line":"   * - ``deployment``"},{"line_number":97,"context_line":"     - The passphrase in the key manager is associated with the credentials of"},{"line_number":98,"context_line":"       the Nova service user (not the user who initially create it). The"},{"line_number":99,"context_line":"       libvirt secret is both ``private`` and ``ephemeral``. A server with this"},{"line_number":100,"context_line":"       security mode can be live migrated by a user other than the owner of the"},{"line_number":101,"context_line":"       server, such as an admin. To transport the TPM secret to the destination"},{"line_number":102,"context_line":"       host during a live migration, the secret is retrieved via the key"},{"line_number":103,"context_line":"       manager service REST API and a libvirt secret is created from it."},{"line_number":104,"context_line":""}],"source_content_type":"text/x-rst","patch_set":22,"id":"900c2fbc_112cd94e","line":101,"range":{"start_line":99,"start_character":61,"end_line":101,"end_character":31},"in_reply_to":"e1c01206_9b0c4541","updated":"2025-12-03 04:36:27.000000000","message":"Done","commit_id":"fa728ca10eef4d19b8e27da4b5c5f3e4f55dc7d3"},{"author":{"_account_id":20733,"name":"Rajesh Tailor","email":"ratailor@redhat.com","username":"rajesht"},"change_message_id":"cbb8918623a64197b51be581dc1943cbf6662339","unresolved":true,"context_lines":[{"line_number":184,"context_line":"  supported, as the user\u0027s credentials are required to unlock the virtual"},{"line_number":185,"context_line":"  device files on the host. Thus the admin may need to decide whether to grant"},{"line_number":186,"context_line":"  the user additional policy roles; if not, those operations are effectively"},{"line_number":187,"context_line":"  disabled. The exception is live migration, which can be performed by the"},{"line_number":188,"context_line":"  admin if the server has TPM secret security mode ``host`` or ``deployment``."},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"* Rebuild, evacuate, shelve, and rescue of servers with vTPMs is not currently"}],"source_content_type":"text/x-rst","patch_set":22,"id":"ce7d7a6d_222ac4f3","line":187,"range":{"start_line":187,"start_character":44,"end_line":187,"end_character":67},"updated":"2025-11-24 13:53:07.000000000","message":"IMO it should be ``which can only be performed`` if only admin is allowed to live-migrate.","commit_id":"fa728ca10eef4d19b8e27da4b5c5f3e4f55dc7d3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"63ca6c09250b7089848449ed73a4b8c78d37e6e0","unresolved":false,"context_lines":[{"line_number":184,"context_line":"  supported, as the user\u0027s credentials are required to unlock the virtual"},{"line_number":185,"context_line":"  device files on the host. Thus the admin may need to decide whether to grant"},{"line_number":186,"context_line":"  the user additional policy roles; if not, those operations are effectively"},{"line_number":187,"context_line":"  disabled. The exception is live migration, which can be performed by the"},{"line_number":188,"context_line":"  admin if the server has TPM secret security mode ``host`` or ``deployment``."},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"* Rebuild, evacuate, shelve, and rescue of servers with vTPMs is not currently"}],"source_content_type":"text/x-rst","patch_set":22,"id":"6b4b4cf7_27e0541a","line":187,"range":{"start_line":187,"start_character":44,"end_line":187,"end_character":67},"in_reply_to":"ce7d7a6d_222ac4f3","updated":"2025-12-03 04:36:27.000000000","message":"Done","commit_id":"fa728ca10eef4d19b8e27da4b5c5f3e4f55dc7d3"}],"releasenotes/notes/vtpm-live-migration-4ef9ab54cd6e3a0b.yaml":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"4daf4ab650f537e83bfd7c0b8dcad14351274b4b","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    security modes by resizing to a flavor which has set"},{"line_number":9,"context_line":"    ``hw:tpm_secret_security``. Operators may choose which TPM security modes"},{"line_number":10,"context_line":"    they want to support by setting the"},{"line_number":11,"context_line":"    ``[libvirt]supported_tpm_security_modes`` configuration option on compute"},{"line_number":12,"context_line":"    hosts. See the documentation for details:"},{"line_number":13,"context_line":"    https://docs.openstack.org/nova/latest/admin/emulated-tpm.html"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"e32db389_a6a61445","line":11,"range":{"start_line":11,"start_character":15,"end_line":11,"end_character":43},"updated":"2025-10-31 21:21:06.000000000","message":"This is supposed to be `supported_tpm_secret_security` 😑","commit_id":"57f434102225c3c60d1f82f13f747046b9a76cf1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"389c5f00d7b2a813516fbed041728cbd50c9feb5","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    security modes by resizing to a flavor which has set"},{"line_number":9,"context_line":"    ``hw:tpm_secret_security``. Operators may choose which TPM security modes"},{"line_number":10,"context_line":"    they want to support by setting the"},{"line_number":11,"context_line":"    ``[libvirt]supported_tpm_security_modes`` configuration option on compute"},{"line_number":12,"context_line":"    hosts. See the documentation for details:"},{"line_number":13,"context_line":"    https://docs.openstack.org/nova/latest/admin/emulated-tpm.html"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"d1c60599_c7a321ac","line":11,"range":{"start_line":11,"start_character":15,"end_line":11,"end_character":43},"in_reply_to":"e32db389_a6a61445","updated":"2025-11-10 23:32:22.000000000","message":"Done","commit_id":"57f434102225c3c60d1f82f13f747046b9a76cf1"}]}