)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"385a1b241acdfc06ebceb6ff8108cb3bf072bb6c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5ef5a6eb_60023789","updated":"2026-01-14 05:50:34.000000000","message":"recheck bug #2067733","commit_id":"9f62af3253f06d79b82b85eed52af5663f9bd936"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"e618bf3bc4ee454cfb6039ee92fbf40af43cd31a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"46ed11b5_02b33e60","updated":"2026-02-04 15:31:05.000000000","message":"Soft -1 to highlight a nit about a missing parenthesis and the fact that the release note could be improved; see inline comments.\nIn my view, this patch improves the behavior, so we should move forward with it. \n\nRegarding the series, I have only found minor issues. We benefit from better separation of concerns, and the introduction of new security models should be easier. 
I think the goal of the series is achieved.","commit_id":"3d1af986ad6889957e45f41ed91b322ab7551133"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"6f9f6a08a0bd80e0e441ee29bb0038094d30c14b","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"094988f2_7e0d3466","updated":"2026-02-25 11:31:46.000000000","message":"@rene.ribaud@gmail.com @gibizer@gmail.com\nI propose to carry forward this patch to the next 26.02 release, and to continue the discussion.\n\nThis is because I believe it\u0027s difficult to provide sufficiently comprehensive solutions in the release notes for users to perform an upgrade while mitigating [this problem](https://review.opendev.org/c/openstack/nova/+/971300/2/releasenotes/notes/mem-encryption-locked-memory-conflict-643b646a05e76589.yaml#7), as I mentioned in [my last comment](https://review.opendev.org/c/openstack/nova/+/971300/comment/38cefa10_41c945d8/). \nAt this moment, I assume that adding appropriate logic is required to address this problem clearly and comprehensively. 
\n\nFurthermore, I will separate this patch from [the generalize-sev-code series](https://review.opendev.org/q/topic:%22bp/generalize-sev-code%22), as this patch is not a refactoring; rather, it changes behavior.","commit_id":"457a5cdc8ee62ab41b7c99bb3a0e2a5bbf1b4ed6"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"5bc88fa19f281c05d205c1435788e92606f1ab82","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"782f911d_cecec55c","updated":"2026-02-20 07:36:32.000000000","message":"recheck grenade-skip-level-always failed due to missing pkg resource","commit_id":"457a5cdc8ee62ab41b7c99bb3a0e2a5bbf1b4ed6"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"962f0e81f58707c78ef0cf450e7356e4ddeb2d0f","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"406a4595_102e1447","in_reply_to":"094988f2_7e0d3466","updated":"2026-03-19 18:06:22.000000000","message":"Fine with me.\nIf you can separate this patch from the series it will be good.\nTo my mind the rest looks good and could be merged.","commit_id":"457a5cdc8ee62ab41b7c99bb3a0e2a5bbf1b4ed6"}],"nova/virt/hardware.py":[{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"e618bf3bc4ee454cfb6039ee92fbf40af43cd31a","unresolved":true,"context_lines":[{"line_number":1548,"context_line":"            raise exception.FlavorImageLockedMemoryConflict("},{"line_number":1549,"context_line":"                \"Memory encryption %(model)s requests locked memory but \""},{"line_number":1550,"context_line":"                \"flavor or image denies locked memory. 
\""},{"line_number":1551,"context_line":"                \"(flavor\u003d%(flavor_val)s image\u003d%(image_val)s\""},{"line_number":1552,"context_line":"                % {\u0027model\u0027: me_config.model,"},{"line_number":1553,"context_line":"                   \u0027flavor_val\u0027: locked_memory_flavor,"},{"line_number":1554,"context_line":"                   \u0027image_val\u0027: locked_memory_image})"}],"source_content_type":"text/x-python","patch_set":5,"id":"db2c60e1_aecfb8c0","line":1551,"range":{"start_line":1551,"start_character":58,"end_line":1551,"end_character":59},"updated":"2026-02-04 15:31:05.000000000","message":"Nit: Missing \u0027)\u0027 parenthesis. Not an issue because in a string.","commit_id":"3d1af986ad6889957e45f41ed91b322ab7551133"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"36de6c2ca38c5a256191b7ca80665646e9c772d3","unresolved":true,"context_lines":[{"line_number":1548,"context_line":"            raise exception.FlavorImageLockedMemoryConflict("},{"line_number":1549,"context_line":"                \"Memory encryption %(model)s requests locked memory but \""},{"line_number":1550,"context_line":"                \"flavor or image denies locked memory. 
\""},{"line_number":1551,"context_line":"                \"(flavor\u003d%(flavor_val)s image\u003d%(image_val)s\""},{"line_number":1552,"context_line":"                % {\u0027model\u0027: me_config.model,"},{"line_number":1553,"context_line":"                   \u0027flavor_val\u0027: locked_memory_flavor,"},{"line_number":1554,"context_line":"                   \u0027image_val\u0027: locked_memory_image})"}],"source_content_type":"text/x-python","patch_set":5,"id":"de5b9502_fe6349a3","line":1551,"range":{"start_line":1551,"start_character":58,"end_line":1551,"end_character":59},"in_reply_to":"db2c60e1_aecfb8c0","updated":"2026-02-09 10:03:15.000000000","message":"Updated","commit_id":"3d1af986ad6889957e45f41ed91b322ab7551133"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"34987b5ae7db19d0c2ed8f7fb1a2d2644cd935e8","unresolved":false,"context_lines":[{"line_number":1548,"context_line":"            raise exception.FlavorImageLockedMemoryConflict("},{"line_number":1549,"context_line":"                \"Memory encryption %(model)s requests locked memory but \""},{"line_number":1550,"context_line":"                \"flavor or image denies locked memory. 
\""},{"line_number":1551,"context_line":"                \"(flavor\u003d%(flavor_val)s image\u003d%(image_val)s\""},{"line_number":1552,"context_line":"                % {\u0027model\u0027: me_config.model,"},{"line_number":1553,"context_line":"                   \u0027flavor_val\u0027: locked_memory_flavor,"},{"line_number":1554,"context_line":"                   \u0027image_val\u0027: locked_memory_image})"}],"source_content_type":"text/x-python","patch_set":5,"id":"c8b1dbc8_06cf39d0","line":1551,"range":{"start_line":1551,"start_character":58,"end_line":1551,"end_character":59},"in_reply_to":"de5b9502_fe6349a3","updated":"2026-02-19 17:47:59.000000000","message":"Done","commit_id":"3d1af986ad6889957e45f41ed91b322ab7551133"}],"releasenotes/notes/mem-encryption-locked-memory-conflict-643b646a05e76589.yaml":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"755b964d2b8e7bfe00292e6628a6770471f0a2c4","unresolved":true,"context_lines":[{"line_number":4,"context_line":"    Creating AMD SEV/SEV-ES guests will now fail if ``hw:locked_memory\u003dFalse``"},{"line_number":5,"context_line":"    extra spec of flavor or ``hw_locked_memory\u003dFalse`` image property is set."},{"line_number":6,"context_line":"    Such extra spec and property conflict because AMD SEV/SEV-ES requires"},{"line_number":7,"context_line":"    guest memory explicitly locked down."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"38cefa10_41c945d8","line":7,"updated":"2026-01-18 10:53:55.000000000","message":"I think it is reasonable to make this a hard failure for new instances. But I\u0027m wondering what happens with existing SEV/ SEV ES instances that was booted with flavor/image asking for no locking. Today those are running with locked memory afaik. And today they can be moved around etc. After this change will these VM become stuck? 
That would be a problem for me.","commit_id":"9f62af3253f06d79b82b85eed52af5663f9bd936"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"b55eee3a0834b543e78f9f49f340344aff29f828","unresolved":true,"context_lines":[{"line_number":4,"context_line":"    Creating AMD SEV/SEV-ES guests will now fail if ``hw:locked_memory\u003dFalse``"},{"line_number":5,"context_line":"    extra spec of flavor or ``hw_locked_memory\u003dFalse`` image property is set."},{"line_number":6,"context_line":"    Such extra spec and property conflict because AMD SEV/SEV-ES requires"},{"line_number":7,"context_line":"    guest memory explicitly locked down."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"13a79def_1ac1194f","line":7,"in_reply_to":"028a38e0_aab13bb8","updated":"2026-04-13 04:45:33.000000000","message":"\u003e ack we can hold this patch until the PTG, Taketani Ryo OK for you ?\n\nYes. I have entered it as [an item for the PTG](https://etherpad.opendev.org/p/nova-2026.2-ptg#L184). 
I would like to resume this  after the policy has been discussed there.","commit_id":"9f62af3253f06d79b82b85eed52af5663f9bd936"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"89346faeecc6cd4d90f8a655b1daf04f17867c3d","unresolved":true,"context_lines":[{"line_number":4,"context_line":"    Creating AMD SEV/SEV-ES guests will now fail if ``hw:locked_memory\u003dFalse``"},{"line_number":5,"context_line":"    extra spec of flavor or ``hw_locked_memory\u003dFalse`` image property is set."},{"line_number":6,"context_line":"    Such extra spec and property conflict because AMD SEV/SEV-ES requires"},{"line_number":7,"context_line":"    guest memory explicitly locked down."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"028a38e0_aab13bb8","line":7,"in_reply_to":"030cb73e_fb691e5e","updated":"2026-04-10 15:29:53.000000000","message":"ack we can hold this patch until the PTG, @taketani.ryo@fujitsu.com OK for you ?","commit_id":"9f62af3253f06d79b82b85eed52af5663f9bd936"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"3ed9ecf795648550fe4c7e037b49e1c9c4bf6f2a","unresolved":true,"context_lines":[{"line_number":4,"context_line":"    Creating AMD SEV/SEV-ES guests will now fail if ``hw:locked_memory\u003dFalse``"},{"line_number":5,"context_line":"    extra spec of flavor or ``hw_locked_memory\u003dFalse`` image property is set."},{"line_number":6,"context_line":"    Such extra spec and property conflict because AMD SEV/SEV-ES requires"},{"line_number":7,"context_line":"    guest memory explicitly locked down."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"030cb73e_fb691e5e","line":7,"in_reply_to":"234cde01_ac41f726","updated":"2026-04-02 16:23:40.000000000","message":"I suggest to bring this up on the next 
PTG","commit_id":"9f62af3253f06d79b82b85eed52af5663f9bd936"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"0667d8b578a2aa8f7c5b0cc4673599ba1e6df6d0","unresolved":true,"context_lines":[{"line_number":4,"context_line":"    Creating AMD SEV/SEV-ES guests will now fail if ``hw:locked_memory\u003dFalse``"},{"line_number":5,"context_line":"    extra spec of flavor or ``hw_locked_memory\u003dFalse`` image property is set."},{"line_number":6,"context_line":"    Such extra spec and property conflict because AMD SEV/SEV-ES requires"},{"line_number":7,"context_line":"    guest memory explicitly locked down."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"52482a48_2a43e651","line":7,"in_reply_to":"38cefa10_41c945d8","updated":"2026-01-20 10:34:47.000000000","message":"\u003e But I\u0027m wondering what happens with existing SEV/ SEV ES instances that was booted with flavor/image asking for no locking. Today those are running with locked memory afaik. And today they can be moved around etc. After this change will these VM become stuck? That would be a problem for me.\n\nThank you for a comment. You are correct that applying this patch during a cluster version update (or similar scenario) could lead to a situation where existing SEV VMs, which were previously booted with `hw_locked_memory\u003dFalse` on the old OpenStack cluster, would fail to launch after the update. This patch does not address this problem currently.\n\nI guess that resolving this issue would require an invasive change than originally intended for these refactorings. 
Therefore, I propose to withdraw this patch for now and relegate this challenge to future work.","commit_id":"9f62af3253f06d79b82b85eed52af5663f9bd936"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"311c07468580f4945bbf21c511ee8d9813b8c142","unresolved":true,"context_lines":[{"line_number":4,"context_line":"    Creating AMD SEV/SEV-ES guests will now fail if ``hw:locked_memory\u003dFalse``"},{"line_number":5,"context_line":"    extra spec of flavor or ``hw_locked_memory\u003dFalse`` image property is set."},{"line_number":6,"context_line":"    Such extra spec and property conflict because AMD SEV/SEV-ES requires"},{"line_number":7,"context_line":"    guest memory explicitly locked down."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"234cde01_ac41f726","line":7,"in_reply_to":"50af4cc6_c296a2f6","updated":"2026-02-24 06:55:03.000000000","message":"Before applying this patch, users can provision VMs with all four property patterns listed below. However, after applying this patch, users will no longer be able to provision VMs with any of these four patterns:\n\n1. image.\"hw_mem_encryption\" \u003d\u003d \"true\" and image.\"hw_locked_memory\" \u003d\u003d \"false\"\n2. flavor.\"hw:mem_encryption\" \u003d\u003d \"true\" and flavor.\"hw:locked_memory\" \u003d\u003d \"false\"\n3. image.\"hw_mem_encryption\" \u003d\u003d \"true\" and flavor.\"hw:locked_memory\" \u003d\u003d \"false\"\n4. 
flavor.\"hw:mem_encryption\" \u003d\u003d \"true\" and image.\"hw_locked_memory\" \u003d\u003d \"false\"\n\nI agree that your suggestion to include guidance in the release notes for addressing patterns 1 and 2 in advance is very helpful for users.\n\nHowever, I\u0027m struggling to come up with a clear and comprehensive release note statement or action required for users to address these more complex cross-property patterns (3 and 4) without risking broader impact.\n\nI don\u0027t think your suggestion fully adapts to patterns 3 and 4 for a critical reason: removing or modifying `hw:locked_memory \u003d\u003d \"false\"` to resolve the conflict for instances with `mem_encryption \u003d\u003d true` would inadvertently affect other VMs that do not have `mem_encryption \u003d\u003d true` but rely on the existing `hw:locked_memory` setting. This could lead to unintended consequences for a broader set of virtual machines.","commit_id":"9f62af3253f06d79b82b85eed52af5663f9bd936"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"e618bf3bc4ee454cfb6039ee92fbf40af43cd31a","unresolved":true,"context_lines":[{"line_number":4,"context_line":"    Creating AMD SEV/SEV-ES guests will now fail if ``hw:locked_memory\u003dFalse``"},{"line_number":5,"context_line":"    extra spec of flavor or ``hw_locked_memory\u003dFalse`` image property is set."},{"line_number":6,"context_line":"    Such extra spec and property conflict because AMD SEV/SEV-ES requires"},{"line_number":7,"context_line":"    guest memory explicitly locked down."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"c3b344e7_c89ef273","line":7,"in_reply_to":"52482a48_2a43e651","updated":"2026-02-04 15:31:05.000000000","message":"I think this patch improve the global behavior, and now make a silent error sound (which is from my point of view really better).\n\nI also agree that resolving completely the 
issue is not the aim of this series. We could identify the bug in launchpad and use a follow up patch.\n\nSo I\u0027ll go for it, despite what Gibi has highlighted.\n\nWe can also mitigate that risk and improve this release note by adding something like (warning: the bash block was asked to AI and I have not verified it, but it looks ok):\n```\n      **Action required:** Before upgrading, operators should audit their flavors\n      and images for this conflicting configuration:\n\n      .. code-block:: bash\n\n         # Find conflicting flavors\n         openstack flavor list --long -f json | jq \u0027.[] | select(.properties.\"hw:mem_encryption\" \u003d\u003d \"true\" and .properties.\"hw:locked_memory\" \u003d\u003d \"false\")\u0027\n\n         # Fix by removing the conflicting extra spec\n         openstack flavor unset \u003cflavor\u003e --property hw:locked_memory\n ```\n\nI could also warn about this change in the cycle highlights.","commit_id":"9f62af3253f06d79b82b85eed52af5663f9bd936"},{"author":{"_account_id":35307,"name":"Taketani Ryo","email":"taketani.ryo@fujitsu.com","username":"r-taketn0517"},"change_message_id":"b9714de7ff5bc8c027fa273a4be218c258f6f6bf","unresolved":true,"context_lines":[{"line_number":4,"context_line":"    Creating AMD SEV/SEV-ES guests will now fail if ``hw:locked_memory\u003dFalse``"},{"line_number":5,"context_line":"    extra spec of flavor or ``hw_locked_memory\u003dFalse`` image property is set."},{"line_number":6,"context_line":"    Such extra spec and property conflict because AMD SEV/SEV-ES requires"},{"line_number":7,"context_line":"    guest memory explicitly locked down."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"d9384aed_63bf3faa","line":7,"in_reply_to":"c3b344e7_c89ef273","updated":"2026-02-10 10:55:42.000000000","message":"I have published a bug report in the launchpad and linked it with this patch.\nI think that your suggestion addresses these two specific patterns:\n\n* `image.\"hw_mem_encryption\" 
\u003d\u003d \"true\"` and `image.\"hw_locked_memory\" \u003d\u003d \"false\"`\n* `flavor.\"hw:mem_encryption\" \u003d\u003d \"true\"` and `flavor.\"hw:locked_memory\" \u003d\u003d \"false\"`\n\nHowever, it does not fully resolve the issue for these crucial cross-property patterns:\n\n* `image.\"hw_mem_encryption\" \u003d\u003d \"true\"` and `flavor.\"hw:locked_memory\" \u003d\u003d \"false\"`\n* `flavor.\"hw:mem_encryption\" \u003d\u003d \"true\"` and `image.\"hw_locked_memory\" \u003d\u003d \"false\"`\n\nAt this moment, I don\u0027t have a comprehensive and clear solution to fully address this problem.","commit_id":"9f62af3253f06d79b82b85eed52af5663f9bd936"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"34987b5ae7db19d0c2ed8f7fb1a2d2644cd935e8","unresolved":true,"context_lines":[{"line_number":4,"context_line":"    Creating AMD SEV/SEV-ES guests will now fail if ``hw:locked_memory\u003dFalse``"},{"line_number":5,"context_line":"    extra spec of flavor or ``hw_locked_memory\u003dFalse`` image property is set."},{"line_number":6,"context_line":"    Such extra spec and property conflict because AMD SEV/SEV-ES requires"},{"line_number":7,"context_line":"    guest memory explicitly locked down."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"50af4cc6_c296a2f6","line":7,"in_reply_to":"d9384aed_63bf3faa","updated":"2026-02-19 17:47:59.000000000","message":"My suggestion would be to mention in the release notes how to identify invalid configurations (all candidates) and how to fix them before performing an upgrade. This could help users anticipate issues.","commit_id":"9f62af3253f06d79b82b85eed52af5663f9bd936"}]}
